1 /*
2  * EAP server/peer: EAP-PAX shared routines
3  * Copyright (c) 2005, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/sha1.h"
13 #include "eap_pax_common.h"
14 
15 
16 /**
17  * eap_pax_kdf - PAX Key Derivation Function
18  * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
19  * @key: Secret key (X)
20  * @key_len: Length of the secret key in bytes
21  * @identifier: Public identifier for the key (Y)
22  * @entropy: Exchanged entropy to seed the KDF (Z)
23  * @entropy_len: Length of the entropy in bytes
24  * @output_len: Output len in bytes (W)
25  * @output: Buffer for the derived key
26  * Returns: 0 on success, -1 failed
27  *
28  * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z)
29  */
eap_pax_kdf(u8 mac_id,const u8 * key,size_t key_len,const char * identifier,const u8 * entropy,size_t entropy_len,size_t output_len,u8 * output)30 int eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len,
31 		const char *identifier,
32 		const u8 *entropy, size_t entropy_len,
33 		size_t output_len, u8 *output)
34 {
35 	u8 mac[SHA1_MAC_LEN];
36 	u8 counter, *pos;
37 	const u8 *addr[3];
38 	size_t len[3];
39 	size_t num_blocks, left;
40 
41 	num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN;
42 	if (identifier == NULL || num_blocks >= 255)
43 		return -1;
44 
45 	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
46 	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
47 		return -1;
48 
49 	addr[0] = (const u8 *) identifier;
50 	len[0] = os_strlen(identifier);
51 	addr[1] = entropy;
52 	len[1] = entropy_len;
53 	addr[2] = &counter;
54 	len[2] = 1;
55 
56 	pos = output;
57 	left = output_len;
58 	for (counter = 1; counter <= (u8) num_blocks; counter++) {
59 		size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left;
60 		if (hmac_sha1_vector(key, key_len, 3, addr, len, mac) < 0)
61 			return -1;
62 		os_memcpy(pos, mac, clen);
63 		pos += clen;
64 		left -= clen;
65 	}
66 
67 	return 0;
68 }
69 
70 
71 /**
72  * eap_pax_mac - EAP-PAX MAC
73  * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
74  * @key: Secret key
75  * @key_len: Length of the secret key in bytes
76  * @data1: Optional data, first block; %NULL if not used
77  * @data1_len: Length of data1 in bytes
78  * @data2: Optional data, second block; %NULL if not used
79  * @data2_len: Length of data2 in bytes
80  * @data3: Optional data, third block; %NULL if not used
81  * @data3_len: Length of data3 in bytes
82  * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes)
83  * Returns: 0 on success, -1 on failure
84  *
85  * Wrapper function to calculate EAP-PAX MAC.
86  */
eap_pax_mac(u8 mac_id,const u8 * key,size_t key_len,const u8 * data1,size_t data1_len,const u8 * data2,size_t data2_len,const u8 * data3,size_t data3_len,u8 * mac)87 int eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len,
88 		const u8 *data1, size_t data1_len,
89 		const u8 *data2, size_t data2_len,
90 		const u8 *data3, size_t data3_len,
91 		u8 *mac)
92 {
93 	u8 hash[SHA1_MAC_LEN];
94 	const u8 *addr[3];
95 	size_t len[3];
96 	size_t count;
97 
98 	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
99 	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
100 		return -1;
101 
102 	addr[0] = data1;
103 	len[0] = data1_len;
104 	addr[1] = data2;
105 	len[1] = data2_len;
106 	addr[2] = data3;
107 	len[2] = data3_len;
108 
109 	count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0);
110 	if (hmac_sha1_vector(key, key_len, count, addr, len, hash) < 0)
111 		return -1;
112 	os_memcpy(mac, hash, EAP_PAX_MAC_LEN);
113 
114 	return 0;
115 }
116 
117 
118 /**
119  * eap_pax_initial_key_derivation - EAP-PAX initial key derivation
120  * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
121  * @ak: Authentication Key
122  * @e: Entropy
123  * @mk: Buffer for the derived Master Key
124  * @ck: Buffer for the derived Confirmation Key
125  * @ick: Buffer for the derived Integrity Check Key
126  * @mid: Buffer for the derived Method ID
127  * Returns: 0 on success, -1 on failure
128  */
eap_pax_initial_key_derivation(u8 mac_id,const u8 * ak,const u8 * e,u8 * mk,u8 * ck,u8 * ick,u8 * mid)129 int eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e,
130 				   u8 *mk, u8 *ck, u8 *ick, u8 *mid)
131 {
132 	wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation");
133 	if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key",
134 			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) ||
135 	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key",
136 			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) ||
137 	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key",
138 			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick) ||
139 	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Method ID",
140 			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MID_LEN, mid))
141 		return -1;
142 
143 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN);
144 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN);
145 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN);
146 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN);
147 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MID", mid, EAP_PAX_MID_LEN);
148 
149 	return 0;
150 }
151