1 | /* |
2 | * EAP-FAST common helper functions (RFC 4851) | |
3 | * Copyright (c) 2008, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
7 | */ |
8 | ||
9 | #include "includes.h" | |
10 | ||
11 | #include "common.h" | |
12 | #include "crypto/sha1.h" |
13 | #include "crypto/tls.h" | |
14 | #include "eap_defs.h" |
15 | #include "eap_tlv_common.h" | |
16 | #include "eap_fast_common.h" |
17 | ||
18 | ||
/*
 * eap_fast_put_tlv_hdr - Append a 4-byte TLV header to a buffer
 * @buf: Destination buffer (must have room for sizeof(struct pac_tlv_hdr))
 * @type: TLV type, including the Mandatory bit if the caller wants it set
 * @len: Length of the TLV value that will follow the header
 *
 * Both fields are written in network byte order. struct pac_tlv_hdr is used
 * here as the generic (type, length) header for all EAP-FAST TLVs. No room
 * check is done at this level; the wpabuf layer is presumably responsible
 * for detecting an overflow of @buf - confirm against wpabuf_put_data().
 */
void eap_fast_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len)
{
	struct pac_tlv_hdr hdr = {
		.type = host_to_be16(type),
		.len = host_to_be16(len),
	};

	wpabuf_put_data(buf, &hdr, sizeof(hdr));
}
26 | ||
27 | ||
/*
 * eap_fast_put_tlv - Append a complete TLV (header + value) to a buffer
 * @buf: Destination buffer (must have room for 4 + @len bytes)
 * @type: TLV type, including the Mandatory bit if the caller wants it set
 * @data: TLV value (@len bytes)
 * @len: Length of @data in bytes
 *
 * The header is written inline here rather than through
 * eap_fast_put_tlv_hdr(); the byte stream produced is identical.
 */
void eap_fast_put_tlv(struct wpabuf *buf, u16 type, const void *data,
		      u16 len)
{
	struct pac_tlv_hdr hdr;

	/* Header fields are big-endian on the wire */
	hdr.len = host_to_be16(len);
	hdr.type = host_to_be16(type);

	wpabuf_put_data(buf, &hdr, sizeof(hdr));
	wpabuf_put_data(buf, data, len);
}
34 | ||
35 | ||
/*
 * eap_fast_put_tlv_buf - Append a TLV whose value is another wpabuf
 * @buf: Destination buffer (must have room for 4 + wpabuf_len(@data) bytes)
 * @type: TLV type, including the Mandatory bit if the caller wants it set
 * @data: Buffer holding the TLV value; its contents are copied, not consumed
 *
 * Caveat: the TLV length field is 16 bits, so wpabuf_len(@data) is
 * truncated to u16 in the header while the full payload is still copied.
 * Callers must keep @data below 64 KiB (EAP packet size already bounds this).
 */
void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type,
			  const struct wpabuf *data)
{
	size_t value_len = wpabuf_len(data);

	eap_fast_put_tlv_hdr(buf, type, value_len);
	wpabuf_put_data(buf, wpabuf_head(data), value_len);
}
42 | |
43 | ||
/*
 * eap_fast_tlv_eap_payload - Wrap an EAP packet in a mandatory EAP-Payload TLV
 * @buf: EAP packet to encapsulate; ownership is taken and @buf is freed on
 *	every path (success, allocation failure). May be %NULL.
 * Returns: Newly allocated buffer holding the EAP-Payload TLV, or %NULL if
 * @buf was %NULL or allocation failed. The caller owns the returned buffer.
 */
struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
{
	struct wpabuf *tlv;
	size_t tlv_len;

	if (!buf)
		return NULL;

	wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");

	/* 4-byte TLV header followed by the complete EAP packet */
	tlv_len = sizeof(struct pac_tlv_hdr) + wpabuf_len(buf);
	tlv = wpabuf_alloc(tlv_len);
	if (!tlv) {
		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
			   "for TLV encapsulation");
		wpabuf_free(buf);
		return NULL;
	}

	/* EAP-Payload is a mandatory TLV: a peer that does not understand
	 * it must fail the exchange rather than ignore it. */
	eap_fast_put_tlv_buf(tlv,
			     EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV,
			     buf);
	wpabuf_free(buf);

	return tlv;
}
66 | ||
67 | ||
/*
 * eap_fast_derive_master_secret - Derive the TLS master_secret from a PAC-Key
 * @pac_key: PAC-Key (EAP_FAST_PAC_KEY_LEN bytes)
 * @server_random: TLS server_random (32 bytes)
 * @client_random: TLS client_random (32 bytes)
 * @master_secret: Output buffer for the 48-byte TLS master_secret
 *
 * RFC 4851, Section 5.1:
 *   master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
 *                         server_random + client_random, 48)
 *
 * Only the master_secret is key material here; the two randoms are public
 * handshake values, so the seed buffer is not wiped. The secret itself is
 * dumped with wpa_hexdump_key() rather than wpa_hexdump(), presumably so it
 * only reaches the log when key dumping is explicitly enabled - confirm
 * against the wpa_debug configuration.
 *
 * NOTE: the two #defines below are defined inside the function body but, as
 * preprocessor macros, remain visible for the rest of this file.
 */
void eap_fast_derive_master_secret(const u8 *pac_key, const u8 *server_random,
				   const u8 *client_random, u8 *master_secret)
{
#define TLS_RANDOM_LEN 32
#define TLS_MASTER_SECRET_LEN 48
	u8 prf_seed[2 * TLS_RANDOM_LEN];
	u8 *p = prf_seed;

	wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
		    client_random, TLS_RANDOM_LEN);
	wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
		    server_random, TLS_RANDOM_LEN);

	/* seed = server_random || client_random (server first, per the RFC) */
	os_memcpy(p, server_random, TLS_RANDOM_LEN);
	p += TLS_RANDOM_LEN;
	os_memcpy(p, client_random, TLS_RANDOM_LEN);

	sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
		   "PAC to master secret label hash",
		   prf_seed, sizeof(prf_seed),
		   master_secret, TLS_MASTER_SECRET_LEN);

	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
			master_secret, TLS_MASTER_SECRET_LEN);
}
94 | ||
95 | ||
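/*
 * eap_fast_derive_key - Derive EAP-FAST key material from the TLS session
 * @ssl_ctx: TLS context
 * @conn: TLS connection of the EAP-FAST tunnel
 * @label: PRF label for the derivation
 * @len: Number of key bytes requested
 * Returns: Newly allocated buffer whose first @len bytes are the derived key,
 * or %NULL on failure. The caller owns the buffer and frees it with os_free().
 *
 * The PRF is run for keyblock_size + @len bytes and the leading keyblock_size
 * bytes are discarded: per RFC 4851, Section 5.2 the EAP-FAST key material is
 * taken from the TLS key-expansion output beyond the bytes already consumed
 * for the TLS key block. Two derivation paths are tried in order: the TLS
 * library's own PRF (tls_connection_prf), and if that is unsupported, the
 * TLS 1.0/1.1 PRF computed here from the exported master_secret and randoms.
 *
 * Fix over the previous version: the returned buffer is keyblock_size + @len
 * bytes long, and after moving the key to the front the tail still held bytes
 * of the TLS record-layer key block. That tail is now zeroed so the buffer
 * handed to the caller carries nothing but the requested key. Partial PRF
 * output is also cleared on the failure path before the buffer is released.
 */
u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
			 const char *label, size_t len)
{
	struct tls_keys keys;
	u8 *rnd = NULL, *out;
	int block_size;
	size_t out_len;

	block_size = tls_connection_get_keyblock_size(ssl_ctx, conn);
	if (block_size < 0)
		return NULL;
	/* block_size is non-negative here, so the conversion is exact */
	out_len = (size_t) block_size + len;

	out = os_malloc(out_len);
	if (out == NULL)
		return NULL;

	/* Preferred path: let the TLS library run its PRF over the session */
	if (tls_connection_prf(ssl_ctx, conn, label, 1, out, out_len) == 0)
		goto done;

	/* Fallback: compute the TLS 1.0/1.1 PRF from the exported secrets */
	if (tls_connection_get_keys(ssl_ctx, conn, &keys))
		goto fail;

	rnd = os_malloc(keys.client_random_len + keys.server_random_len);
	if (rnd == NULL)
		goto fail;

	/* Key expansion seed is server_random || client_random */
	os_memcpy(rnd, keys.server_random, keys.server_random_len);
	os_memcpy(rnd + keys.server_random_len, keys.client_random,
		  keys.client_random_len);

	wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
			"expansion", keys.master_key, keys.master_key_len);
	if (tls_prf_sha1_md5(keys.master_key, keys.master_key_len,
			     label, rnd, keys.client_random_len +
			     keys.server_random_len, out, out_len))
		goto fail;
	os_free(rnd);

done:
	/*
	 * Move the requested key to the front of the buffer and wipe the
	 * remainder: those bytes are TLS key-block material (or a stale copy
	 * of the key) and must not travel with the buffer to the caller. The
	 * buffer stays live, so this clear cannot be elided as a dead store.
	 */
	os_memmove(out, out + block_size, len);
	os_memset(out + len, 0, block_size);
	return out;

fail:
	os_free(rnd);
	/*
	 * out may hold partial PRF output. Best-effort clear before release;
	 * a plain memset before free may be optimized away, so prefer the
	 * project's secure-clear helper here if one is available.
	 */
	os_memset(out, 0, out_len);
	os_free(out);
	return NULL;
}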
143 | ||
144 | ||
/*
 * eap_fast_derive_eap_msk - Derive the EAP MSK from the current S-IMCK
 * @simck: S-IMCK[j] (EAP_FAST_SIMCK_LEN bytes)
 * @msk: Output buffer for the MSK (EAP_FAST_KEY_LEN bytes)
 *
 * RFC 4851, Section 5.4: EAP Master Session Key Generation
 *   MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
 * The T-PRF is run with an empty seed: only the label contributes.
 *
 * Caveat (unchanged behavior): the return value of sha1_t_prf() is not
 * checked, and the void interface gives no way to report a failure. If the
 * underlying HMAC could fail, @msk might be left incompletely written -
 * confirm against sha1_t_prf() before relying on @msk without other checks.
 */
void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk)
{
	static const char *label = "Session Key Generating Function";

	sha1_t_prf(simck, EAP_FAST_SIMCK_LEN, label, (u8 *) "", 0,
		   msk, EAP_FAST_KEY_LEN);

	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
			msk, EAP_FAST_KEY_LEN);
}
158 | ||
159 | ||
/*
 * eap_fast_derive_eap_emsk - Derive the EAP EMSK from the current S-IMCK
 * @simck: S-IMCK[j] (EAP_FAST_SIMCK_LEN bytes)
 * @emsk: Output buffer for the EMSK (EAP_EMSK_LEN bytes)
 *
 * RFC 4851, Section 5.4: EAP Master Session Key Generation
 *   EMSK = T-PRF(S-IMCK[j],
 *                "Extended Session Key Generating Function", 64)
 * The T-PRF is run with an empty seed: only the label contributes, and the
 * label differs from the MSK one so the two keys are independent outputs.
 *
 * Caveat (unchanged behavior): the return value of sha1_t_prf() is not
 * checked; see eap_fast_derive_eap_msk() for the same limitation.
 */
void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk)
{
	static const char *label = "Extended Session Key Generating Function";

	sha1_t_prf(simck, EAP_FAST_SIMCK_LEN, label, (u8 *) "", 0,
		   emsk, EAP_EMSK_LEN);

	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
			emsk, EAP_EMSK_LEN);
}
174 | ||
175 | ||
/*
 * eap_fast_parse_tlv - Record one EAP-FAST TLV into the parse results
 * @tlv: Parse results being accumulated for the current message
 * @tlv_type: TLV type; the cases below compare against the bare type
 *	constants, so the caller presumably masks off EAP_TLV_TYPE_MANDATORY
 *	before calling (otherwise no case here would match) - confirm
 * @pos: Pointer to the start of the TLV value (just after the TLV header)
 * @len: Length of the TLV value in bytes
 * Returns: 0 on success, -1 if the TLV type is not handled here (the caller
 * decides whether that is fatal, e.g. based on the Mandatory bit), -2 if the
 * message is malformed (duplicate TLV, or too short Crypto-Binding TLV)
 *
 * Preconditions that are NOT checked here:
 * - @len must already be bounded to the data remaining in the message by
 *   the caller; this function reads up to @len bytes from @pos.
 * - For the Crypto-Binding TLV the 4-byte struct eap_tlv_hdr must
 *   immediately precede @pos in the same buffer, because the stored pointer
 *   is formed by stepping back over that header.
 *
 * Error reporting is intentionally uneven: a too-short Result,
 * Intermediate-Result or Request-Action TLV only records a failure result
 * and returns 0, whereas duplicates and a too-short Crypto-Binding TLV
 * return -2. Duplicate detection relies on the field being zero before the
 * first occurrence, i.e. a zeroed @tlv struct.
 */
int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
		       int tlv_type, u8 *pos, size_t len)
{
	switch (tlv_type) {
	case EAP_TLV_EAP_PAYLOAD_TLV:
		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
			    pos, len);
		if (tlv->eap_payload_tlv) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
				   "EAP-Payload TLV in the message");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			return -2;
		}
		/* Stored by reference; the inner EAP packet is parsed later */
		tlv->eap_payload_tlv = pos;
		tlv->eap_payload_tlv_len = len;
		break;
	case EAP_TLV_RESULT_TLV:
		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
		if (tlv->result) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
				   "Result TLV in the message");
			tlv->result = EAP_TLV_RESULT_FAILURE;
			return -2;
		}
		if (len < 2) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
				   "Result TLV");
			tlv->result = EAP_TLV_RESULT_FAILURE;
			break;
		}
		tlv->result = WPA_GET_BE16(pos);
		/* Any value other than Success is treated as Failure */
		if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
		    tlv->result != EAP_TLV_RESULT_FAILURE) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
				   tlv->result);
			tlv->result = EAP_TLV_RESULT_FAILURE;
		}
		wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
			   tlv->result == EAP_TLV_RESULT_SUCCESS ?
			   "Success" : "Failure");
		break;
	case EAP_TLV_INTERMEDIATE_RESULT_TLV:
		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
			    pos, len);
		/*
		 * Note the order: the length check comes before the duplicate
		 * check here, unlike the other cases, so a too-short second
		 * Intermediate-Result TLV overwrites iresult with Failure and
		 * returns 0 instead of -2.
		 */
		if (len < 2) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
				   "Intermediate-Result TLV");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			break;
		}
		if (tlv->iresult) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
				   "Intermediate-Result TLV in the message");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			return -2;
		}
		tlv->iresult = WPA_GET_BE16(pos);
		/* Any value other than Success is treated as Failure */
		if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
		    tlv->iresult != EAP_TLV_RESULT_FAILURE) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
				   "Result %d", tlv->iresult);
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
		}
		wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
			   tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
			   "Success" : "Failure");
		break;
	case EAP_TLV_CRYPTO_BINDING_TLV:
		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
			    pos, len);
		if (tlv->crypto_binding) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
				   "Crypto-Binding TLV in the message");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			return -2;
		}
		/*
		 * crypto_binding_len covers the header as well as the value,
		 * because the stored pointer (below) is to the header. It is
		 * left set even when the -2 "too short" path is taken.
		 */
		tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
		if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
				   "Crypto-Binding TLV");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			return -2;
		}
		/* Step back over the TLV header; see the precondition above */
		tlv->crypto_binding = (struct eap_tlv_crypto_binding_tlv *)
			(pos - sizeof(struct eap_tlv_hdr));
		break;
	case EAP_TLV_REQUEST_ACTION_TLV:
		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
			    pos, len);
		if (tlv->request_action) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
				   "Request-Action TLV in the message");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			return -2;
		}
		if (len < 2) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
				   "Request-Action TLV");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			break;
		}
		/* The action value is stored as-is; no range check here */
		tlv->request_action = WPA_GET_BE16(pos);
		wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
			   tlv->request_action);
		break;
	case EAP_TLV_PAC_TLV:
		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
		if (tlv->pac) {
			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
				   "PAC TLV in the message");
			tlv->iresult = EAP_TLV_RESULT_FAILURE;
			return -2;
		}
		/* Stored by reference; PAC sub-TLVs are parsed by the caller */
		tlv->pac = pos;
		tlv->pac_len = len;
		break;
	default:
		/* Unknown TLV: leave the Mandatory-bit decision to the caller */
		return -1;
	}

	return 0;
}