1 /* 2 * EAP server/peer: EAP-EKE shared routines 3 * Copyright (c) 2011-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/aes.h" 13 #include "crypto/aes_wrap.h" 14 #include "crypto/crypto.h" 15 #include "crypto/dh_groups.h" 16 #include "crypto/random.h" 17 #include "crypto/sha1.h" 18 #include "crypto/sha256.h" 19 #include "eap_common/eap_defs.h" 20 #include "eap_eke_common.h" 21 22 eap_eke_dh_len(u8 group)23 static int eap_eke_dh_len(u8 group) 24 { 25 switch (group) { 26 case EAP_EKE_DHGROUP_EKE_2: 27 return 128; 28 case EAP_EKE_DHGROUP_EKE_5: 29 return 192; 30 case EAP_EKE_DHGROUP_EKE_14: 31 return 256; 32 case EAP_EKE_DHGROUP_EKE_15: 33 return 384; 34 case EAP_EKE_DHGROUP_EKE_16: 35 return 512; 36 } 37 38 return -1; 39 } 40 41 eap_eke_dhcomp_len(u8 dhgroup,u8 encr)42 static int eap_eke_dhcomp_len(u8 dhgroup, u8 encr) 43 { 44 int dhlen; 45 46 dhlen = eap_eke_dh_len(dhgroup); 47 if (dhlen < 0 || encr != EAP_EKE_ENCR_AES128_CBC) 48 return -1; 49 return AES_BLOCK_SIZE + dhlen; 50 } 51 52 eap_eke_dh_group(u8 group)53 static const struct dh_group * eap_eke_dh_group(u8 group) 54 { 55 switch (group) { 56 case EAP_EKE_DHGROUP_EKE_2: 57 return dh_groups_get(2); 58 case EAP_EKE_DHGROUP_EKE_5: 59 return dh_groups_get(5); 60 case EAP_EKE_DHGROUP_EKE_14: 61 return dh_groups_get(14); 62 case EAP_EKE_DHGROUP_EKE_15: 63 return dh_groups_get(15); 64 case EAP_EKE_DHGROUP_EKE_16: 65 return dh_groups_get(16); 66 } 67 68 return NULL; 69 } 70 71 eap_eke_dh_generator(u8 group)72 static int eap_eke_dh_generator(u8 group) 73 { 74 switch (group) { 75 case EAP_EKE_DHGROUP_EKE_2: 76 return 5; 77 case EAP_EKE_DHGROUP_EKE_5: 78 return 31; 79 case EAP_EKE_DHGROUP_EKE_14: 80 return 11; 81 case EAP_EKE_DHGROUP_EKE_15: 82 return 5; 83 case EAP_EKE_DHGROUP_EKE_16: 84 return 5; 85 } 86 87 return -1; 88 } 89 90 eap_eke_pnonce_len(u8 mac)91 static int eap_eke_pnonce_len(u8 mac) 92 { 93 int mac_len; 94 95 if (mac == EAP_EKE_MAC_HMAC_SHA1) 96 mac_len = SHA1_MAC_LEN; 97 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256) 98 mac_len = SHA256_MAC_LEN; 99 else 100 return -1; 101 102 return AES_BLOCK_SIZE + 16 + mac_len; 103 } 104 105 eap_eke_pnonce_ps_len(u8 mac)106 static int eap_eke_pnonce_ps_len(u8 mac) 107 { 108 int mac_len; 109 110 if (mac == EAP_EKE_MAC_HMAC_SHA1) 111 mac_len = SHA1_MAC_LEN; 112 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256) 113 mac_len = SHA256_MAC_LEN; 114 else 115 return -1; 116 117 return AES_BLOCK_SIZE + 2 * 16 + mac_len; 118 } 119 120 eap_eke_prf_len(u8 prf)121 static int eap_eke_prf_len(u8 prf) 122 { 123 if (prf == EAP_EKE_PRF_HMAC_SHA1) 124 return 20; 125 if (prf == EAP_EKE_PRF_HMAC_SHA2_256) 126 return 32; 127 return -1; 128 } 129 130 eap_eke_nonce_len(u8 prf)131 static int eap_eke_nonce_len(u8 prf) 132 { 133 int prf_len; 134 135 prf_len = eap_eke_prf_len(prf); 136 if (prf_len < 0) 137 return -1; 138 139 if (prf_len > 2 * 16) 140 return (prf_len + 1) / 2; 141 142 return 16; 143 } 144 145 eap_eke_auth_len(u8 prf)146 static int eap_eke_auth_len(u8 prf) 147 { 148 switch (prf) { 149 case EAP_EKE_PRF_HMAC_SHA1: 150 return SHA1_MAC_LEN; 151 case EAP_EKE_PRF_HMAC_SHA2_256: 152 return SHA256_MAC_LEN; 153 } 154 155 return -1; 156 } 157 158 eap_eke_dh_init(u8 group,u8 * ret_priv,u8 * ret_pub)159 int eap_eke_dh_init(u8 group, u8 *ret_priv, u8 *ret_pub) 160 { 161 int generator; 162 u8 gen; 163 const struct dh_group *dh; 164 165 generator = eap_eke_dh_generator(group); 166 dh = eap_eke_dh_group(group); 167 if (generator < 0 || generator > 255 || !dh) 168 return -1; 169 gen = generator; 170 171 if (crypto_dh_init(gen, dh->prime, dh->prime_len, ret_priv, 172 ret_pub) < 0) 173 return -1; 174 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: DH private value", 175 ret_priv, dh->prime_len); 176 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DH public value", 177 ret_pub, dh->prime_len); 178 179 return 0; 180 } 181 182 eap_eke_prf(u8 prf,const u8 * key,size_t key_len,const u8 * data,size_t data_len,const u8 * data2,size_t data2_len,u8 * res)183 static int eap_eke_prf(u8 prf, const u8 *key, size_t key_len, const u8 *data, 184 size_t data_len, const u8 *data2, size_t data2_len, 185 u8 *res) 186 { 187 const u8 *addr[2]; 188 size_t len[2]; 189 size_t num_elem = 1; 190 191 addr[0] = data; 192 len[0] = data_len; 193 if (data2) { 194 num_elem++; 195 addr[1] = data2; 196 len[1] = data2_len; 197 } 198 199 if (prf == EAP_EKE_PRF_HMAC_SHA1) 200 return hmac_sha1_vector(key, key_len, num_elem, addr, len, res); 201 if (prf == EAP_EKE_PRF_HMAC_SHA2_256) 202 return hmac_sha256_vector(key, key_len, num_elem, addr, len, 203 res); 204 return -1; 205 } 206 207 eap_eke_prf_hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)208 static int eap_eke_prf_hmac_sha1(const u8 *key, size_t key_len, const u8 *data, 209 size_t data_len, u8 *res, size_t len) 210 { 211 u8 hash[SHA1_MAC_LEN]; 212 u8 idx; 213 const u8 *addr[3]; 214 size_t vlen[3]; 215 int ret; 216 217 idx = 0; 218 addr[0] = hash; 219 vlen[0] = SHA1_MAC_LEN; 220 addr[1] = data; 221 vlen[1] = data_len; 222 addr[2] = &idx; 223 vlen[2] = 1; 224 225 while (len > 0) { 226 idx++; 227 if (idx == 1) 228 ret = hmac_sha1_vector(key, key_len, 2, &addr[1], 229 &vlen[1], hash); 230 else 231 ret = hmac_sha1_vector(key, key_len, 3, addr, vlen, 232 hash); 233 if (ret < 0) 234 return -1; 235 if (len > SHA1_MAC_LEN) { 236 os_memcpy(res, hash, SHA1_MAC_LEN); 237 res += SHA1_MAC_LEN; 238 len -= SHA1_MAC_LEN; 239 } else { 240 os_memcpy(res, hash, len); 241 len = 0; 242 } 243 } 244 245 return 0; 246 } 247 248 eap_eke_prf_hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)249 static int eap_eke_prf_hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 250 size_t data_len, u8 *res, size_t len) 251 { 252 u8 hash[SHA256_MAC_LEN]; 253 u8 idx; 254 const u8 *addr[3]; 255 size_t vlen[3]; 256 int ret; 257 258 idx = 0; 259 addr[0] = hash; 260 vlen[0] = SHA256_MAC_LEN; 261 addr[1] = data; 262 vlen[1] = data_len; 263 addr[2] = &idx; 264 vlen[2] = 1; 265 266 while (len > 0) { 267 idx++; 268 if (idx == 1) 269 ret = hmac_sha256_vector(key, key_len, 2, &addr[1], 270 &vlen[1], hash); 271 else 272 ret = hmac_sha256_vector(key, key_len, 3, addr, vlen, 273 hash); 274 if (ret < 0) 275 return -1; 276 if (len > SHA256_MAC_LEN) { 277 os_memcpy(res, hash, SHA256_MAC_LEN); 278 res += SHA256_MAC_LEN; 279 len -= SHA256_MAC_LEN; 280 } else { 281 os_memcpy(res, hash, len); 282 len = 0; 283 } 284 } 285 286 return 0; 287 } 288 289 eap_eke_prfplus(u8 prf,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)290 static int eap_eke_prfplus(u8 prf, const u8 *key, size_t key_len, 291 const u8 *data, size_t data_len, u8 *res, size_t len) 292 { 293 if (prf == EAP_EKE_PRF_HMAC_SHA1) 294 return eap_eke_prf_hmac_sha1(key, key_len, data, data_len, res, 295 len); 296 if (prf == EAP_EKE_PRF_HMAC_SHA2_256) 297 return eap_eke_prf_hmac_sha256(key, key_len, data, data_len, 298 res, len); 299 return -1; 300 } 301 302 eap_eke_derive_key(struct eap_eke_session * sess,const u8 * password,size_t password_len,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,u8 * key)303 int eap_eke_derive_key(struct eap_eke_session *sess, 304 const u8 *password, size_t password_len, 305 const u8 *id_s, size_t id_s_len, const u8 *id_p, 306 size_t id_p_len, u8 *key) 307 { 308 u8 zeros[EAP_EKE_MAX_HASH_LEN]; 309 u8 temp[EAP_EKE_MAX_HASH_LEN]; 310 size_t key_len = 16; /* Only AES-128-CBC is used here */ 311 u8 *id; 312 313 /* temp = prf(0+, password) */ 314 os_memset(zeros, 0, sess->prf_len); 315 if (eap_eke_prf(sess->prf, zeros, sess->prf_len, 316 password, password_len, NULL, 0, temp) < 0) 317 return -1; 318 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: temp = prf(0+, password)", 319 temp, sess->prf_len); 320 321 /* key = prf+(temp, ID_S | ID_P) */ 322 id = os_malloc(id_s_len + id_p_len); 323 if (id == NULL) 324 return -1; 325 os_memcpy(id, id_s, id_s_len); 326 os_memcpy(id + id_s_len, id_p, id_p_len); 327 wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: ID_S | ID_P", 328 id, id_s_len + id_p_len); 329 if (eap_eke_prfplus(sess->prf, temp, sess->prf_len, 330 id, id_s_len + id_p_len, key, key_len) < 0) { 331 os_free(id); 332 return -1; 333 } 334 os_free(id); 335 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: key = prf+(temp, ID_S | ID_P)", 336 key, key_len); 337 338 return 0; 339 } 340 341 eap_eke_dhcomp(struct eap_eke_session * sess,const u8 * key,const u8 * dhpub,u8 * ret_dhcomp)342 int eap_eke_dhcomp(struct eap_eke_session *sess, const u8 *key, const u8 *dhpub, 343 u8 *ret_dhcomp) 344 { 345 u8 pub[EAP_EKE_MAX_DH_LEN]; 346 int dh_len; 347 u8 iv[AES_BLOCK_SIZE]; 348 349 dh_len = eap_eke_dh_len(sess->dhgroup); 350 if (dh_len < 0) 351 return -1; 352 353 /* 354 * DHComponent = Encr(key, y) 355 * 356 * All defined DH groups use primes that have length devisible by 16, so 357 * no need to do extra padding for y (= pub). 358 */ 359 if (sess->encr != EAP_EKE_ENCR_AES128_CBC) 360 return -1; 361 if (random_get_bytes(iv, AES_BLOCK_SIZE)) 362 return -1; 363 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Encr(key, y)", 364 iv, AES_BLOCK_SIZE); 365 os_memcpy(pub, dhpub, dh_len); 366 if (aes_128_cbc_encrypt(key, iv, pub, dh_len) < 0) 367 return -1; 368 os_memcpy(ret_dhcomp, iv, AES_BLOCK_SIZE); 369 os_memcpy(ret_dhcomp + AES_BLOCK_SIZE, pub, dh_len); 370 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent = Encr(key, y)", 371 ret_dhcomp, AES_BLOCK_SIZE + dh_len); 372 373 return 0; 374 } 375 376 eap_eke_shared_secret(struct eap_eke_session * sess,const u8 * key,const u8 * dhpriv,const u8 * peer_dhcomp)377 int eap_eke_shared_secret(struct eap_eke_session *sess, const u8 *key, 378 const u8 *dhpriv, const u8 *peer_dhcomp) 379 { 380 u8 zeros[EAP_EKE_MAX_HASH_LEN]; 381 u8 peer_pub[EAP_EKE_MAX_DH_LEN]; 382 u8 modexp[EAP_EKE_MAX_DH_LEN]; 383 size_t len; 384 const struct dh_group *dh; 385 386 dh = eap_eke_dh_group(sess->dhgroup); 387 if (sess->encr != EAP_EKE_ENCR_AES128_CBC || !dh) 388 return -1; 389 390 /* Decrypt peer DHComponent */ 391 os_memcpy(peer_pub, peer_dhcomp + AES_BLOCK_SIZE, dh->prime_len); 392 if (aes_128_cbc_decrypt(key, peer_dhcomp, peer_pub, dh->prime_len) < 0) { 393 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt DHComponent"); 394 return -1; 395 } 396 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted peer DH pubkey", 397 peer_pub, dh->prime_len); 398 399 /* SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p)) */ 400 len = dh->prime_len; 401 if (crypto_dh_derive_secret(*dh->generator, dh->prime, dh->prime_len, 402 NULL, 0, dhpriv, dh->prime_len, peer_pub, 403 dh->prime_len, modexp, &len) < 0) 404 return -1; 405 if (len < dh->prime_len) { 406 size_t pad = dh->prime_len - len; 407 os_memmove(modexp + pad, modexp, len); 408 os_memset(modexp, 0, pad); 409 } 410 411 os_memset(zeros, 0, sess->auth_len); 412 if (eap_eke_prf(sess->prf, zeros, sess->auth_len, modexp, dh->prime_len, 413 NULL, 0, sess->shared_secret) < 0) 414 return -1; 415 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: SharedSecret", 416 sess->shared_secret, sess->auth_len); 417 418 return 0; 419 } 420 421 eap_eke_derive_ke_ki(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len)422 int eap_eke_derive_ke_ki(struct eap_eke_session *sess, 423 const u8 *id_s, size_t id_s_len, 424 const u8 *id_p, size_t id_p_len) 425 { 426 u8 buf[EAP_EKE_MAX_KE_LEN + EAP_EKE_MAX_KI_LEN]; 427 size_t ke_len, ki_len; 428 u8 *data; 429 size_t data_len; 430 const char *label = "EAP-EKE Keys"; 431 size_t label_len; 432 433 /* 434 * Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P) 435 * Ke = encryption key 436 * Ki = integrity protection key 437 * Length of each key depends on the selected algorithms. 438 */ 439 440 if (sess->encr == EAP_EKE_ENCR_AES128_CBC) 441 ke_len = 16; 442 else 443 return -1; 444 445 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1) 446 ki_len = 20; 447 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256) 448 ki_len = 32; 449 else 450 return -1; 451 452 label_len = os_strlen(label); 453 data_len = label_len + id_s_len + id_p_len; 454 data = os_malloc(data_len); 455 if (data == NULL) 456 return -1; 457 os_memcpy(data, label, label_len); 458 os_memcpy(data + label_len, id_s, id_s_len); 459 os_memcpy(data + label_len + id_s_len, id_p, id_p_len); 460 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len, 461 data, data_len, buf, ke_len + ki_len) < 0) { 462 os_free(data); 463 return -1; 464 } 465 466 os_memcpy(sess->ke, buf, ke_len); 467 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ke", sess->ke, ke_len); 468 os_memcpy(sess->ki, buf + ke_len, ki_len); 469 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ki", sess->ki, ki_len); 470 471 os_free(data); 472 return 0; 473 } 474 475 eap_eke_derive_ka(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,const u8 * nonce_p,const u8 * nonce_s)476 int eap_eke_derive_ka(struct eap_eke_session *sess, 477 const u8 *id_s, size_t id_s_len, 478 const u8 *id_p, size_t id_p_len, 479 const u8 *nonce_p, const u8 *nonce_s) 480 { 481 u8 *data, *pos; 482 size_t data_len; 483 const char *label = "EAP-EKE Ka"; 484 size_t label_len; 485 486 /* 487 * Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P | 488 * Nonce_S) 489 * Ka = authentication key 490 * Length of the key depends on the selected algorithms. 491 */ 492 493 label_len = os_strlen(label); 494 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len; 495 data = os_malloc(data_len); 496 if (data == NULL) 497 return -1; 498 pos = data; 499 os_memcpy(pos, label, label_len); 500 pos += label_len; 501 os_memcpy(pos, id_s, id_s_len); 502 pos += id_s_len; 503 os_memcpy(pos, id_p, id_p_len); 504 pos += id_p_len; 505 os_memcpy(pos, nonce_p, sess->nonce_len); 506 pos += sess->nonce_len; 507 os_memcpy(pos, nonce_s, sess->nonce_len); 508 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len, 509 data, data_len, sess->ka, sess->prf_len) < 0) { 510 os_free(data); 511 return -1; 512 } 513 os_free(data); 514 515 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka", sess->ka, sess->prf_len); 516 517 return 0; 518 } 519 520 eap_eke_derive_msk(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,const u8 * nonce_p,const u8 * nonce_s,u8 * msk,u8 * emsk)521 int eap_eke_derive_msk(struct eap_eke_session *sess, 522 const u8 *id_s, size_t id_s_len, 523 const u8 *id_p, size_t id_p_len, 524 const u8 *nonce_p, const u8 *nonce_s, 525 u8 *msk, u8 *emsk) 526 { 527 u8 *data, *pos; 528 size_t data_len; 529 const char *label = "EAP-EKE Exported Keys"; 530 size_t label_len; 531 u8 buf[EAP_MSK_LEN + EAP_EMSK_LEN]; 532 533 /* 534 * MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S | 535 * ID_P | Nonce_P | Nonce_S) 536 */ 537 538 label_len = os_strlen(label); 539 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len; 540 data = os_malloc(data_len); 541 if (data == NULL) 542 return -1; 543 pos = data; 544 os_memcpy(pos, label, label_len); 545 pos += label_len; 546 os_memcpy(pos, id_s, id_s_len); 547 pos += id_s_len; 548 os_memcpy(pos, id_p, id_p_len); 549 pos += id_p_len; 550 os_memcpy(pos, nonce_p, sess->nonce_len); 551 pos += sess->nonce_len; 552 os_memcpy(pos, nonce_s, sess->nonce_len); 553 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len, 554 data, data_len, buf, EAP_MSK_LEN + EAP_EMSK_LEN) < 555 0) { 556 os_free(data); 557 return -1; 558 } 559 os_free(data); 560 561 os_memcpy(msk, buf, EAP_MSK_LEN); 562 os_memcpy(emsk, buf + EAP_MSK_LEN, EAP_EMSK_LEN); 563 os_memset(buf, 0, sizeof(buf)); 564 565 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: MSK", msk, EAP_MSK_LEN); 566 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: EMSK", msk, EAP_EMSK_LEN); 567 568 return 0; 569 } 570 571 eap_eke_mac(u8 mac,const u8 * key,const u8 * data,size_t data_len,u8 * res)572 static int eap_eke_mac(u8 mac, const u8 *key, const u8 *data, size_t data_len, 573 u8 *res) 574 { 575 if (mac == EAP_EKE_MAC_HMAC_SHA1) 576 return hmac_sha1(key, SHA1_MAC_LEN, data, data_len, res); 577 if (mac == EAP_EKE_MAC_HMAC_SHA2_256) 578 return hmac_sha256(key, SHA256_MAC_LEN, data, data_len, res); 579 return -1; 580 } 581 582 eap_eke_prot(struct eap_eke_session * sess,const u8 * data,size_t data_len,u8 * prot,size_t * prot_len)583 int eap_eke_prot(struct eap_eke_session *sess, 584 const u8 *data, size_t data_len, 585 u8 *prot, size_t *prot_len) 586 { 587 size_t block_size, icv_len, pad; 588 u8 *pos, *iv, *e; 589 590 if (sess->encr == EAP_EKE_ENCR_AES128_CBC) 591 block_size = AES_BLOCK_SIZE; 592 else 593 return -1; 594 595 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1) 596 icv_len = SHA1_MAC_LEN; 597 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256) 598 icv_len = SHA256_MAC_LEN; 599 else 600 return -1; 601 602 pad = data_len % block_size; 603 if (pad) 604 pad = block_size - pad; 605 606 if (*prot_len < block_size + data_len + pad + icv_len) { 607 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data"); 608 return -1; 609 } 610 pos = prot; 611 612 if (random_get_bytes(pos, block_size)) 613 return -1; 614 iv = pos; 615 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Prot()", iv, block_size); 616 pos += block_size; 617 618 e = pos; 619 os_memcpy(pos, data, data_len); 620 pos += data_len; 621 if (pad) { 622 if (random_get_bytes(pos, pad)) 623 return -1; 624 pos += pad; 625 } 626 627 if (aes_128_cbc_encrypt(sess->ke, iv, e, data_len + pad) < 0 || 628 eap_eke_mac(sess->mac, sess->ki, e, data_len + pad, pos) < 0) 629 return -1; 630 pos += icv_len; 631 632 *prot_len = pos - prot; 633 return 0; 634 } 635 636 eap_eke_decrypt_prot(struct eap_eke_session * sess,const u8 * prot,size_t prot_len,u8 * data,size_t * data_len)637 int eap_eke_decrypt_prot(struct eap_eke_session *sess, 638 const u8 *prot, size_t prot_len, 639 u8 *data, size_t *data_len) 640 { 641 size_t block_size, icv_len; 642 u8 icv[EAP_EKE_MAX_HASH_LEN]; 643 644 if (sess->encr == EAP_EKE_ENCR_AES128_CBC) 645 block_size = AES_BLOCK_SIZE; 646 else 647 return -1; 648 649 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1) 650 icv_len = SHA1_MAC_LEN; 651 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256) 652 icv_len = SHA256_MAC_LEN; 653 else 654 return -1; 655 656 if (prot_len < 2 * block_size + icv_len || 657 (prot_len - icv_len) % block_size) 658 return -1; 659 660 if (eap_eke_mac(sess->mac, sess->ki, prot + block_size, 661 prot_len - block_size - icv_len, icv) < 0) 662 return -1; 663 if (os_memcmp_const(icv, prot + prot_len - icv_len, icv_len) != 0) { 664 wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data"); 665 return -1; 666 } 667 668 if (*data_len < prot_len - block_size - icv_len) { 669 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for decrypted Prot() data"); 670 return -1; 671 } 672 673 *data_len = prot_len - block_size - icv_len; 674 os_memcpy(data, prot + block_size, *data_len); 675 if (aes_128_cbc_decrypt(sess->ke, prot, data, *data_len) < 0) { 676 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt Prot() data"); 677 return -1; 678 } 679 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted Prot() data", 680 data, *data_len); 681 682 return 0; 683 } 684 685 eap_eke_auth(struct eap_eke_session * sess,const char * label,const struct wpabuf * msgs,u8 * auth)686 int eap_eke_auth(struct eap_eke_session *sess, const char *label, 687 const struct wpabuf *msgs, u8 *auth) 688 { 689 wpa_printf(MSG_DEBUG, "EAP-EKE: Auth(%s)", label); 690 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka for Auth", 691 sess->ka, sess->auth_len); 692 wpa_hexdump_buf(MSG_MSGDUMP, "EAP-EKE: Messages for Auth", msgs); 693 return eap_eke_prf(sess->prf, sess->ka, sess->auth_len, 694 (const u8 *) label, os_strlen(label), 695 wpabuf_head(msgs), wpabuf_len(msgs), auth); 696 } 697 698 eap_eke_session_init(struct eap_eke_session * sess,u8 dhgroup,u8 encr,u8 prf,u8 mac)699 int eap_eke_session_init(struct eap_eke_session *sess, u8 dhgroup, u8 encr, 700 u8 prf, u8 mac) 701 { 702 sess->dhgroup = dhgroup; 703 sess->encr = encr; 704 sess->prf = prf; 705 sess->mac = mac; 706 707 sess->prf_len = eap_eke_prf_len(prf); 708 sess->nonce_len = eap_eke_nonce_len(prf); 709 sess->auth_len = eap_eke_auth_len(prf); 710 sess->dhcomp_len = eap_eke_dhcomp_len(sess->dhgroup, sess->encr); 711 sess->pnonce_len = eap_eke_pnonce_len(sess->mac); 712 sess->pnonce_ps_len = eap_eke_pnonce_ps_len(sess->mac); 713 if (sess->prf_len < 0 || sess->nonce_len < 0 || sess->auth_len < 0 || 714 sess->dhcomp_len < 0 || sess->pnonce_len < 0 || 715 sess->pnonce_ps_len < 0) 716 return -1; 717 718 return 0; 719 } 720 721 eap_eke_session_clean(struct eap_eke_session * sess)722 void eap_eke_session_clean(struct eap_eke_session *sess) 723 { 724 os_memset(sess->shared_secret, 0, EAP_EKE_MAX_HASH_LEN); 725 os_memset(sess->ke, 0, EAP_EKE_MAX_KE_LEN); 726 os_memset(sess->ki, 0, EAP_EKE_MAX_KI_LEN); 727 os_memset(sess->ka, 0, EAP_EKE_MAX_KA_LEN); 728 } 729