]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | /* |
2 | * EAP server/peer: EAP-PAX shared routines | |
3 | * Copyright (c) 2005, Jouni Malinen <j@w1.fi> | |
4 | * | |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
6fc6879b JM |
7 | */ |
8 | ||
9 | #include "includes.h" | |
10 | ||
11 | #include "common.h" | |
03da66bd | 12 | #include "crypto/sha1.h" |
6fc6879b JM |
13 | #include "eap_pax_common.h" |
14 | ||
15 | ||
16 | /** | |
17 | * eap_pax_kdf - PAX Key Derivation Function | |
18 | * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported | |
19 | * @key: Secret key (X) | |
20 | * @key_len: Length of the secret key in bytes | |
21 | * @identifier: Public identifier for the key (Y) | |
22 | * @entropy: Exchanged entropy to seed the KDF (Z) | |
23 | * @entropy_len: Length of the entropy in bytes | |
24 | * @output_len: Output len in bytes (W) | |
25 | * @output: Buffer for the derived key | |
26 | * Returns: 0 on success, -1 failed | |
27 | * | |
28 | * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z) | |
29 | */ | |
30 | int eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len, | |
31 | const char *identifier, | |
32 | const u8 *entropy, size_t entropy_len, | |
33 | size_t output_len, u8 *output) | |
34 | { | |
35 | u8 mac[SHA1_MAC_LEN]; | |
36 | u8 counter, *pos; | |
37 | const u8 *addr[3]; | |
38 | size_t len[3]; | |
39 | size_t num_blocks, left; | |
40 | ||
41 | num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN; | |
42 | if (identifier == NULL || num_blocks >= 255) | |
43 | return -1; | |
44 | ||
45 | /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ | |
46 | if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) | |
47 | return -1; | |
48 | ||
49 | addr[0] = (const u8 *) identifier; | |
50 | len[0] = os_strlen(identifier); | |
51 | addr[1] = entropy; | |
52 | len[1] = entropy_len; | |
53 | addr[2] = &counter; | |
54 | len[2] = 1; | |
55 | ||
56 | pos = output; | |
57 | left = output_len; | |
58 | for (counter = 1; counter <= (u8) num_blocks; counter++) { | |
59 | size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left; | |
7a36f118 JM |
60 | if (hmac_sha1_vector(key, key_len, 3, addr, len, mac) < 0) |
61 | return -1; | |
6fc6879b JM |
62 | os_memcpy(pos, mac, clen); |
63 | pos += clen; | |
64 | left -= clen; | |
65 | } | |
66 | ||
67 | return 0; | |
68 | } | |
69 | ||
70 | ||
71 | /** | |
72 | * eap_pax_mac - EAP-PAX MAC | |
73 | * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported | |
74 | * @key: Secret key | |
75 | * @key_len: Length of the secret key in bytes | |
76 | * @data1: Optional data, first block; %NULL if not used | |
77 | * @data1_len: Length of data1 in bytes | |
78 | * @data2: Optional data, second block; %NULL if not used | |
79 | * @data2_len: Length of data2 in bytes | |
80 | * @data3: Optional data, third block; %NULL if not used | |
81 | * @data3_len: Length of data3 in bytes | |
82 | * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes) | |
83 | * Returns: 0 on success, -1 on failure | |
84 | * | |
85 | * Wrapper function to calculate EAP-PAX MAC. | |
86 | */ | |
87 | int eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len, | |
88 | const u8 *data1, size_t data1_len, | |
89 | const u8 *data2, size_t data2_len, | |
90 | const u8 *data3, size_t data3_len, | |
91 | u8 *mac) | |
92 | { | |
93 | u8 hash[SHA1_MAC_LEN]; | |
94 | const u8 *addr[3]; | |
95 | size_t len[3]; | |
96 | size_t count; | |
97 | ||
98 | /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ | |
99 | if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) | |
100 | return -1; | |
101 | ||
102 | addr[0] = data1; | |
103 | len[0] = data1_len; | |
104 | addr[1] = data2; | |
105 | len[1] = data2_len; | |
106 | addr[2] = data3; | |
107 | len[2] = data3_len; | |
108 | ||
109 | count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0); | |
7a36f118 JM |
110 | if (hmac_sha1_vector(key, key_len, count, addr, len, hash) < 0) |
111 | return -1; | |
6fc6879b JM |
112 | os_memcpy(mac, hash, EAP_PAX_MAC_LEN); |
113 | ||
114 | return 0; | |
115 | } | |
116 | ||
117 | ||
118 | /** | |
119 | * eap_pax_initial_key_derivation - EAP-PAX initial key derivation | |
120 | * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported | |
121 | * @ak: Authentication Key | |
122 | * @e: Entropy | |
123 | * @mk: Buffer for the derived Master Key | |
124 | * @ck: Buffer for the derived Confirmation Key | |
125 | * @ick: Buffer for the derived Integrity Check Key | |
92e3c0b1 | 126 | * @mid: Buffer for the derived Method ID |
6fc6879b JM |
127 | * Returns: 0 on success, -1 on failure |
128 | */ | |
129 | int eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e, | |
92e3c0b1 | 130 | u8 *mk, u8 *ck, u8 *ick, u8 *mid) |
6fc6879b JM |
131 | { |
132 | wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation"); | |
133 | if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key", | |
134 | e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) || | |
135 | eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key", | |
136 | e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) || | |
137 | eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key", | |
92e3c0b1 JM |
138 | e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick) || |
139 | eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Method ID", | |
140 | e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MID_LEN, mid)) | |
6fc6879b JM |
141 | return -1; |
142 | ||
143 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN); | |
144 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN); | |
145 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN); | |
146 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN); | |
92e3c0b1 | 147 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MID", mid, EAP_PAX_MID_LEN); |
6fc6879b JM |
148 | |
149 | return 0; | |
150 | } |