EAP-PEAP: Key derivation per draft-ietf-emu-tls-eap-types-00
authorAlexander Clouter <alex@digriz.org.uk>
Fri, 16 Oct 2020 08:49:38 +0000 (09:49 +0100)
committerJouni Malinen <j@w1.fi>
Sat, 20 Feb 2021 15:35:51 +0000 (17:35 +0200)
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for PEAP with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
src/eap_peer/eap_peap.c
src/eap_server/eap_server_peap.c

index a13428d374490e0652fe620cb4c758ab5763508f..12e30df295fc6a021bbba22977eb1ebed1073dfe 100644 (file)
@@ -1085,7 +1085,11 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
                }
 
                if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
-                       char *label;
+                       const char *label;
+                       const u8 eap_tls13_context[1] = { EAP_TYPE_PEAP };
+                       const u8 *context = NULL;
+                       size_t context_len = 0;
+
                        wpa_printf(MSG_DEBUG,
                                   "EAP-PEAP: TLS done, proceed to Phase 2");
                        eap_peap_free_key(data);
@@ -1095,16 +1099,25 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
                         * PEAPv1 implementations seem to be using the old
                         * label, "client EAP encryption", instead. Use the old
                         * label by default, but allow it to be configured with
-                        * phase1 parameter peaplabel=1. */
-                       if (data->force_new_label)
+                        * phase1 parameter peaplabel=1.
+                        *
+                        * When using TLS 1.3, draft-ietf-emu-tls-eap-types
+                        * defines a new set of label and context parameters.
+                        */
+                       if (data->ssl.tls_v13) {
+                               label = "EXPORTER_EAP_TLS_Key_Material";
+                               context = eap_tls13_context;
+                               context_len = sizeof(eap_tls13_context);
+                       } else if (data->force_new_label) {
                                label = "client PEAP encryption";
-                       else
+                       } else {
                                label = "client EAP encryption";
+                       }
                        wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in "
                                   "key derivation", label);
                        data->key_data =
                                eap_peer_tls_derive_key(sm, &data->ssl, label,
-                                                       NULL, 0,
+                                                       context, context_len,
                                                        EAP_TLS_KEY_LEN +
                                                        EAP_EMSK_LEN);
                        if (data->key_data) {
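Review bot: The new `data->ssl.tls_v13` branch is checked before `data->force_new_label`, so a phase1 `peaplabel=1` setting is silently ignored once TLS 1.3 is negotiated, while the comment just above still presents peaplabel=1 as the way to pick the label. The comment should say so, e.g. extend the added paragraph with `* label and context parameters; peaplabel=1 has no effect there.`. Since the following wpa_printf prints only the label, adding `wpa_hexdump(MSG_DEBUG, "EAP-PEAP: key derivation context", context, context_len);` after it would make the TLS 1.3 path distinguishable in logs. eap_peap_process() continues outside the hunk.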
index f234f6fa534f83dd77cf71bd7696f77c3e18d955..fdfc14b0a1320113831266a5b6c262ac1a814186 100644 (file)
@@ -325,13 +325,27 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
        u8 *tk;
        u8 isk[32], imck[60];
        int res;
+       const char *label;
+       const u8 eap_tls13_context[1] = { EAP_TYPE_PEAP };
+       const u8 *context = NULL;
+       size_t context_len = 0;
+
+       if (data->ssl.tls_v13) {
+               label = "EXPORTER_EAP_TLS_Key_Material";
+               context = eap_tls13_context;
+               context_len = sizeof(eap_tls13_context);
+       } else {
+               /* TODO: PEAPv1 - different label in some cases */
+               label = "client EAP encryption";
+       }
 
        /*
         * Tunnel key (TK) is the first 60 octets of the key generated by
         * phase 1 of PEAP (based on TLS).
         */
-       tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption",
-                                      NULL, 0, EAP_TLS_KEY_LEN);
+       tk = eap_server_tls_derive_key(sm, &data->ssl, label,
+                                      context, context_len,
+                                      EAP_TLS_KEY_LEN);
        if (tk == NULL)
                return -1;
        wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
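Review bot: With TLS 1.3 the exporter output is a function of the requested length (the length is part of the HkdfLabel in RFC 8446 section 7.1), so the 64-octet value derived by the new eap_server_tls_derive_key() call here with `EAP_TLS_KEY_LEN` is not a prefix of the 128-octet material that eap_peap_getKey() derives with `EAP_TLS_KEY_LEN + EAP_EMSK_LEN`, whereas the TLS 1.2 PRF kept the two derivations prefix-consistent. If the peer builds TK from its 128-octet key_data (the peer hunk derives only that length; its derive_cmk is not in view), the crypto-binding TK will not match whenever TLS 1.3 is negotiated. Deriving `EAP_TLS_KEY_LEN + EAP_EMSK_LEN` octets here and using the first 60 as TK keeps both sides on the same key material; the release of tk further down must then use the matching length. eap_peap_derive_cmk() continues outside the hunk.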
@@ -1300,6 +1314,10 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
 {
        struct eap_peap_data *data = priv;
        u8 *eapKeyData;
+       const char *label;
+       const u8 eap_tls13_context[1] = { EAP_TYPE_PEAP };
+       const u8 *context = NULL;
+       size_t context_len = 0;
 
        if (data->state != SUCCESS)
                return NULL;
@@ -1332,9 +1350,17 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
                return eapKeyData;
        }
 
-       /* TODO: PEAPv1 - different label in some cases */
+       if (data->ssl.tls_v13) {
+               label = "EXPORTER_EAP_TLS_Key_Material";
+               context = eap_tls13_context;
+               context_len = sizeof(eap_tls13_context);
+       } else {
+               /* TODO: PEAPv1 - different label in some cases */
+               label = "client EAP encryption";
+       }
+
        eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
-                                              "client EAP encryption", NULL, 0,
+                                              label, context, context_len,
                                               EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
        if (eapKeyData) {
                os_memset(eapKeyData + EAP_TLS_KEY_LEN, 0, EAP_EMSK_LEN);
@@ -1353,6 +1379,10 @@ static u8 * eap_peap_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
 {
        struct eap_peap_data *data = priv;
        u8 *eapKeyData, *emsk;
+       const char *label;
+       const u8 eap_tls13_context[1] = { EAP_TYPE_PEAP };
+       const u8 *context = NULL;
+       size_t context_len = 0;
 
        if (data->state != SUCCESS)
                return NULL;
@@ -1362,9 +1392,17 @@ static u8 * eap_peap_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
                return NULL;
        }
 
-       /* TODO: PEAPv1 - different label in some cases */
+       if (data->ssl.tls_v13) {
+               label = "EXPORTER_EAP_TLS_Key_Material";
+               context = eap_tls13_context;
+               context_len = sizeof(eap_tls13_context);
+       } else {
+               /* TODO: PEAPv1 - different label in some cases */
+               label = "client EAP encryption";
+       }
+
        eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
-                                              "client EAP encryption", NULL, 0,
+                                              label, context, context_len,
                                               EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
        if (eapKeyData) {
                emsk = os_memdup(eapKeyData + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);