1 /*
2 * EAP server/peer: EAP-EKE shared routines
3 * Copyright (c) 2011-2013, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/aes.h"
13 #include "crypto/aes_wrap.h"
14 #include "crypto/crypto.h"
15 #include "crypto/dh_groups.h"
16 #include "crypto/random.h"
17 #include "crypto/sha1.h"
18 #include "crypto/sha256.h"
19 #include "eap_common/eap_defs.h"
20 #include "eap_eke_common.h"
21
22
eap_eke_dh_len(u8 group)23 static int eap_eke_dh_len(u8 group)
24 {
25 switch (group) {
26 case EAP_EKE_DHGROUP_EKE_2:
27 return 128;
28 case EAP_EKE_DHGROUP_EKE_5:
29 return 192;
30 case EAP_EKE_DHGROUP_EKE_14:
31 return 256;
32 case EAP_EKE_DHGROUP_EKE_15:
33 return 384;
34 case EAP_EKE_DHGROUP_EKE_16:
35 return 512;
36 }
37
38 return -1;
39 }
40
41
eap_eke_dhcomp_len(u8 dhgroup,u8 encr)42 static int eap_eke_dhcomp_len(u8 dhgroup, u8 encr)
43 {
44 int dhlen;
45
46 dhlen = eap_eke_dh_len(dhgroup);
47 if (dhlen < 0 || encr != EAP_EKE_ENCR_AES128_CBC)
48 return -1;
49 return AES_BLOCK_SIZE + dhlen;
50 }
51
52
eap_eke_dh_group(u8 group)53 static const struct dh_group * eap_eke_dh_group(u8 group)
54 {
55 switch (group) {
56 case EAP_EKE_DHGROUP_EKE_2:
57 return dh_groups_get(2);
58 case EAP_EKE_DHGROUP_EKE_5:
59 return dh_groups_get(5);
60 case EAP_EKE_DHGROUP_EKE_14:
61 return dh_groups_get(14);
62 case EAP_EKE_DHGROUP_EKE_15:
63 return dh_groups_get(15);
64 case EAP_EKE_DHGROUP_EKE_16:
65 return dh_groups_get(16);
66 }
67
68 return NULL;
69 }
70
71
eap_eke_dh_generator(u8 group)72 static int eap_eke_dh_generator(u8 group)
73 {
74 switch (group) {
75 case EAP_EKE_DHGROUP_EKE_2:
76 return 5;
77 case EAP_EKE_DHGROUP_EKE_5:
78 return 31;
79 case EAP_EKE_DHGROUP_EKE_14:
80 return 11;
81 case EAP_EKE_DHGROUP_EKE_15:
82 return 5;
83 case EAP_EKE_DHGROUP_EKE_16:
84 return 5;
85 }
86
87 return -1;
88 }
89
90
eap_eke_pnonce_len(u8 mac)91 static int eap_eke_pnonce_len(u8 mac)
92 {
93 int mac_len;
94
95 if (mac == EAP_EKE_MAC_HMAC_SHA1)
96 mac_len = SHA1_MAC_LEN;
97 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
98 mac_len = SHA256_MAC_LEN;
99 else
100 return -1;
101
102 return AES_BLOCK_SIZE + 16 + mac_len;
103 }
104
105
eap_eke_pnonce_ps_len(u8 mac)106 static int eap_eke_pnonce_ps_len(u8 mac)
107 {
108 int mac_len;
109
110 if (mac == EAP_EKE_MAC_HMAC_SHA1)
111 mac_len = SHA1_MAC_LEN;
112 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
113 mac_len = SHA256_MAC_LEN;
114 else
115 return -1;
116
117 return AES_BLOCK_SIZE + 2 * 16 + mac_len;
118 }
119
120
eap_eke_prf_len(u8 prf)121 static int eap_eke_prf_len(u8 prf)
122 {
123 if (prf == EAP_EKE_PRF_HMAC_SHA1)
124 return 20;
125 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
126 return 32;
127 return -1;
128 }
129
130
eap_eke_nonce_len(u8 prf)131 static int eap_eke_nonce_len(u8 prf)
132 {
133 int prf_len;
134
135 prf_len = eap_eke_prf_len(prf);
136 if (prf_len < 0)
137 return -1;
138
139 if (prf_len > 2 * 16)
140 return (prf_len + 1) / 2;
141
142 return 16;
143 }
144
145
eap_eke_auth_len(u8 prf)146 static int eap_eke_auth_len(u8 prf)
147 {
148 switch (prf) {
149 case EAP_EKE_PRF_HMAC_SHA1:
150 return SHA1_MAC_LEN;
151 case EAP_EKE_PRF_HMAC_SHA2_256:
152 return SHA256_MAC_LEN;
153 }
154
155 return -1;
156 }
157
158
eap_eke_dh_init(u8 group,u8 * ret_priv,u8 * ret_pub)159 int eap_eke_dh_init(u8 group, u8 *ret_priv, u8 *ret_pub)
160 {
161 int generator;
162 u8 gen;
163 const struct dh_group *dh;
164
165 generator = eap_eke_dh_generator(group);
166 dh = eap_eke_dh_group(group);
167 if (generator < 0 || generator > 255 || !dh)
168 return -1;
169 gen = generator;
170
171 if (crypto_dh_init(gen, dh->prime, dh->prime_len, ret_priv,
172 ret_pub) < 0)
173 return -1;
174 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: DH private value",
175 ret_priv, dh->prime_len);
176 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DH public value",
177 ret_pub, dh->prime_len);
178
179 return 0;
180 }
181
182
eap_eke_prf(u8 prf,const u8 * key,size_t key_len,const u8 * data,size_t data_len,const u8 * data2,size_t data2_len,u8 * res)183 static int eap_eke_prf(u8 prf, const u8 *key, size_t key_len, const u8 *data,
184 size_t data_len, const u8 *data2, size_t data2_len,
185 u8 *res)
186 {
187 const u8 *addr[2];
188 size_t len[2];
189 size_t num_elem = 1;
190
191 addr[0] = data;
192 len[0] = data_len;
193 if (data2) {
194 num_elem++;
195 addr[1] = data2;
196 len[1] = data2_len;
197 }
198
199 if (prf == EAP_EKE_PRF_HMAC_SHA1)
200 return hmac_sha1_vector(key, key_len, num_elem, addr, len, res);
201 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
202 return hmac_sha256_vector(key, key_len, num_elem, addr, len,
203 res);
204 return -1;
205 }
206
207
eap_eke_prf_hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)208 static int eap_eke_prf_hmac_sha1(const u8 *key, size_t key_len, const u8 *data,
209 size_t data_len, u8 *res, size_t len)
210 {
211 u8 hash[SHA1_MAC_LEN];
212 u8 idx;
213 const u8 *addr[3];
214 size_t vlen[3];
215 int ret;
216
217 idx = 0;
218 addr[0] = hash;
219 vlen[0] = SHA1_MAC_LEN;
220 addr[1] = data;
221 vlen[1] = data_len;
222 addr[2] = &idx;
223 vlen[2] = 1;
224
225 while (len > 0) {
226 idx++;
227 if (idx == 1)
228 ret = hmac_sha1_vector(key, key_len, 2, &addr[1],
229 &vlen[1], hash);
230 else
231 ret = hmac_sha1_vector(key, key_len, 3, addr, vlen,
232 hash);
233 if (ret < 0)
234 return -1;
235 if (len > SHA1_MAC_LEN) {
236 os_memcpy(res, hash, SHA1_MAC_LEN);
237 res += SHA1_MAC_LEN;
238 len -= SHA1_MAC_LEN;
239 } else {
240 os_memcpy(res, hash, len);
241 len = 0;
242 }
243 }
244
245 return 0;
246 }
247
248
eap_eke_prf_hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)249 static int eap_eke_prf_hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
250 size_t data_len, u8 *res, size_t len)
251 {
252 u8 hash[SHA256_MAC_LEN];
253 u8 idx;
254 const u8 *addr[3];
255 size_t vlen[3];
256 int ret;
257
258 idx = 0;
259 addr[0] = hash;
260 vlen[0] = SHA256_MAC_LEN;
261 addr[1] = data;
262 vlen[1] = data_len;
263 addr[2] = &idx;
264 vlen[2] = 1;
265
266 while (len > 0) {
267 idx++;
268 if (idx == 1)
269 ret = hmac_sha256_vector(key, key_len, 2, &addr[1],
270 &vlen[1], hash);
271 else
272 ret = hmac_sha256_vector(key, key_len, 3, addr, vlen,
273 hash);
274 if (ret < 0)
275 return -1;
276 if (len > SHA256_MAC_LEN) {
277 os_memcpy(res, hash, SHA256_MAC_LEN);
278 res += SHA256_MAC_LEN;
279 len -= SHA256_MAC_LEN;
280 } else {
281 os_memcpy(res, hash, len);
282 len = 0;
283 }
284 }
285
286 return 0;
287 }
288
289
eap_eke_prfplus(u8 prf,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)290 static int eap_eke_prfplus(u8 prf, const u8 *key, size_t key_len,
291 const u8 *data, size_t data_len, u8 *res, size_t len)
292 {
293 if (prf == EAP_EKE_PRF_HMAC_SHA1)
294 return eap_eke_prf_hmac_sha1(key, key_len, data, data_len, res,
295 len);
296 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
297 return eap_eke_prf_hmac_sha256(key, key_len, data, data_len,
298 res, len);
299 return -1;
300 }
301
302
eap_eke_derive_key(struct eap_eke_session * sess,const u8 * password,size_t password_len,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,u8 * key)303 int eap_eke_derive_key(struct eap_eke_session *sess,
304 const u8 *password, size_t password_len,
305 const u8 *id_s, size_t id_s_len, const u8 *id_p,
306 size_t id_p_len, u8 *key)
307 {
308 u8 zeros[EAP_EKE_MAX_HASH_LEN];
309 u8 temp[EAP_EKE_MAX_HASH_LEN];
310 size_t key_len = 16; /* Only AES-128-CBC is used here */
311 u8 *id;
312
313 /* temp = prf(0+, password) */
314 os_memset(zeros, 0, sess->prf_len);
315 if (eap_eke_prf(sess->prf, zeros, sess->prf_len,
316 password, password_len, NULL, 0, temp) < 0)
317 return -1;
318 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: temp = prf(0+, password)",
319 temp, sess->prf_len);
320
321 /* key = prf+(temp, ID_S | ID_P) */
322 id = os_malloc(id_s_len + id_p_len);
323 if (id == NULL)
324 return -1;
325 os_memcpy(id, id_s, id_s_len);
326 os_memcpy(id + id_s_len, id_p, id_p_len);
327 wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: ID_S | ID_P",
328 id, id_s_len + id_p_len);
329 if (eap_eke_prfplus(sess->prf, temp, sess->prf_len,
330 id, id_s_len + id_p_len, key, key_len) < 0) {
331 os_free(id);
332 return -1;
333 }
334 os_free(id);
335 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: key = prf+(temp, ID_S | ID_P)",
336 key, key_len);
337
338 return 0;
339 }
340
341
eap_eke_dhcomp(struct eap_eke_session * sess,const u8 * key,const u8 * dhpub,u8 * ret_dhcomp)342 int eap_eke_dhcomp(struct eap_eke_session *sess, const u8 *key, const u8 *dhpub,
343 u8 *ret_dhcomp)
344 {
345 u8 pub[EAP_EKE_MAX_DH_LEN];
346 int dh_len;
347 u8 iv[AES_BLOCK_SIZE];
348
349 dh_len = eap_eke_dh_len(sess->dhgroup);
350 if (dh_len < 0)
351 return -1;
352
353 /*
354 * DHComponent = Encr(key, y)
355 *
356 * All defined DH groups use primes that have length devisible by 16, so
357 * no need to do extra padding for y (= pub).
358 */
359 if (sess->encr != EAP_EKE_ENCR_AES128_CBC)
360 return -1;
361 if (random_get_bytes(iv, AES_BLOCK_SIZE))
362 return -1;
363 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Encr(key, y)",
364 iv, AES_BLOCK_SIZE);
365 os_memcpy(pub, dhpub, dh_len);
366 if (aes_128_cbc_encrypt(key, iv, pub, dh_len) < 0)
367 return -1;
368 os_memcpy(ret_dhcomp, iv, AES_BLOCK_SIZE);
369 os_memcpy(ret_dhcomp + AES_BLOCK_SIZE, pub, dh_len);
370 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent = Encr(key, y)",
371 ret_dhcomp, AES_BLOCK_SIZE + dh_len);
372
373 return 0;
374 }
375
376
eap_eke_shared_secret(struct eap_eke_session * sess,const u8 * key,const u8 * dhpriv,const u8 * peer_dhcomp)377 int eap_eke_shared_secret(struct eap_eke_session *sess, const u8 *key,
378 const u8 *dhpriv, const u8 *peer_dhcomp)
379 {
380 u8 zeros[EAP_EKE_MAX_HASH_LEN];
381 u8 peer_pub[EAP_EKE_MAX_DH_LEN];
382 u8 modexp[EAP_EKE_MAX_DH_LEN];
383 size_t len;
384 const struct dh_group *dh;
385
386 dh = eap_eke_dh_group(sess->dhgroup);
387 if (sess->encr != EAP_EKE_ENCR_AES128_CBC || !dh)
388 return -1;
389
390 /* Decrypt peer DHComponent */
391 os_memcpy(peer_pub, peer_dhcomp + AES_BLOCK_SIZE, dh->prime_len);
392 if (aes_128_cbc_decrypt(key, peer_dhcomp, peer_pub, dh->prime_len) < 0) {
393 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt DHComponent");
394 return -1;
395 }
396 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted peer DH pubkey",
397 peer_pub, dh->prime_len);
398
399 /* SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p)) */
400 len = dh->prime_len;
401 if (crypto_dh_derive_secret(*dh->generator, dh->prime, dh->prime_len,
402 NULL, 0, dhpriv, dh->prime_len, peer_pub,
403 dh->prime_len, modexp, &len) < 0)
404 return -1;
405 if (len < dh->prime_len) {
406 size_t pad = dh->prime_len - len;
407 os_memmove(modexp + pad, modexp, len);
408 os_memset(modexp, 0, pad);
409 }
410
411 os_memset(zeros, 0, sess->auth_len);
412 if (eap_eke_prf(sess->prf, zeros, sess->auth_len, modexp, dh->prime_len,
413 NULL, 0, sess->shared_secret) < 0)
414 return -1;
415 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: SharedSecret",
416 sess->shared_secret, sess->auth_len);
417
418 return 0;
419 }
420
421
eap_eke_derive_ke_ki(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len)422 int eap_eke_derive_ke_ki(struct eap_eke_session *sess,
423 const u8 *id_s, size_t id_s_len,
424 const u8 *id_p, size_t id_p_len)
425 {
426 u8 buf[EAP_EKE_MAX_KE_LEN + EAP_EKE_MAX_KI_LEN];
427 size_t ke_len, ki_len;
428 u8 *data;
429 size_t data_len;
430 const char *label = "EAP-EKE Keys";
431 size_t label_len;
432
433 /*
434 * Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P)
435 * Ke = encryption key
436 * Ki = integrity protection key
437 * Length of each key depends on the selected algorithms.
438 */
439
440 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
441 ke_len = 16;
442 else
443 return -1;
444
445 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
446 ki_len = 20;
447 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
448 ki_len = 32;
449 else
450 return -1;
451
452 label_len = os_strlen(label);
453 data_len = label_len + id_s_len + id_p_len;
454 data = os_malloc(data_len);
455 if (data == NULL)
456 return -1;
457 os_memcpy(data, label, label_len);
458 os_memcpy(data + label_len, id_s, id_s_len);
459 os_memcpy(data + label_len + id_s_len, id_p, id_p_len);
460 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
461 data, data_len, buf, ke_len + ki_len) < 0) {
462 os_free(data);
463 return -1;
464 }
465
466 os_memcpy(sess->ke, buf, ke_len);
467 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ke", sess->ke, ke_len);
468 os_memcpy(sess->ki, buf + ke_len, ki_len);
469 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ki", sess->ki, ki_len);
470
471 os_free(data);
472 return 0;
473 }
474
475
eap_eke_derive_ka(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,const u8 * nonce_p,const u8 * nonce_s)476 int eap_eke_derive_ka(struct eap_eke_session *sess,
477 const u8 *id_s, size_t id_s_len,
478 const u8 *id_p, size_t id_p_len,
479 const u8 *nonce_p, const u8 *nonce_s)
480 {
481 u8 *data, *pos;
482 size_t data_len;
483 const char *label = "EAP-EKE Ka";
484 size_t label_len;
485
486 /*
487 * Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P |
488 * Nonce_S)
489 * Ka = authentication key
490 * Length of the key depends on the selected algorithms.
491 */
492
493 label_len = os_strlen(label);
494 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
495 data = os_malloc(data_len);
496 if (data == NULL)
497 return -1;
498 pos = data;
499 os_memcpy(pos, label, label_len);
500 pos += label_len;
501 os_memcpy(pos, id_s, id_s_len);
502 pos += id_s_len;
503 os_memcpy(pos, id_p, id_p_len);
504 pos += id_p_len;
505 os_memcpy(pos, nonce_p, sess->nonce_len);
506 pos += sess->nonce_len;
507 os_memcpy(pos, nonce_s, sess->nonce_len);
508 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
509 data, data_len, sess->ka, sess->prf_len) < 0) {
510 os_free(data);
511 return -1;
512 }
513 os_free(data);
514
515 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka", sess->ka, sess->prf_len);
516
517 return 0;
518 }
519
520
eap_eke_derive_msk(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,const u8 * nonce_p,const u8 * nonce_s,u8 * msk,u8 * emsk)521 int eap_eke_derive_msk(struct eap_eke_session *sess,
522 const u8 *id_s, size_t id_s_len,
523 const u8 *id_p, size_t id_p_len,
524 const u8 *nonce_p, const u8 *nonce_s,
525 u8 *msk, u8 *emsk)
526 {
527 u8 *data, *pos;
528 size_t data_len;
529 const char *label = "EAP-EKE Exported Keys";
530 size_t label_len;
531 u8 buf[EAP_MSK_LEN + EAP_EMSK_LEN];
532
533 /*
534 * MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S |
535 * ID_P | Nonce_P | Nonce_S)
536 */
537
538 label_len = os_strlen(label);
539 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
540 data = os_malloc(data_len);
541 if (data == NULL)
542 return -1;
543 pos = data;
544 os_memcpy(pos, label, label_len);
545 pos += label_len;
546 os_memcpy(pos, id_s, id_s_len);
547 pos += id_s_len;
548 os_memcpy(pos, id_p, id_p_len);
549 pos += id_p_len;
550 os_memcpy(pos, nonce_p, sess->nonce_len);
551 pos += sess->nonce_len;
552 os_memcpy(pos, nonce_s, sess->nonce_len);
553 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
554 data, data_len, buf, EAP_MSK_LEN + EAP_EMSK_LEN) <
555 0) {
556 os_free(data);
557 return -1;
558 }
559 os_free(data);
560
561 os_memcpy(msk, buf, EAP_MSK_LEN);
562 os_memcpy(emsk, buf + EAP_MSK_LEN, EAP_EMSK_LEN);
563 os_memset(buf, 0, sizeof(buf));
564
565 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: MSK", msk, EAP_MSK_LEN);
566 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: EMSK", msk, EAP_EMSK_LEN);
567
568 return 0;
569 }
570
571
eap_eke_mac(u8 mac,const u8 * key,const u8 * data,size_t data_len,u8 * res)572 static int eap_eke_mac(u8 mac, const u8 *key, const u8 *data, size_t data_len,
573 u8 *res)
574 {
575 if (mac == EAP_EKE_MAC_HMAC_SHA1)
576 return hmac_sha1(key, SHA1_MAC_LEN, data, data_len, res);
577 if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
578 return hmac_sha256(key, SHA256_MAC_LEN, data, data_len, res);
579 return -1;
580 }
581
582
eap_eke_prot(struct eap_eke_session * sess,const u8 * data,size_t data_len,u8 * prot,size_t * prot_len)583 int eap_eke_prot(struct eap_eke_session *sess,
584 const u8 *data, size_t data_len,
585 u8 *prot, size_t *prot_len)
586 {
587 size_t block_size, icv_len, pad;
588 u8 *pos, *iv, *e;
589
590 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
591 block_size = AES_BLOCK_SIZE;
592 else
593 return -1;
594
595 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
596 icv_len = SHA1_MAC_LEN;
597 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
598 icv_len = SHA256_MAC_LEN;
599 else
600 return -1;
601
602 pad = data_len % block_size;
603 if (pad)
604 pad = block_size - pad;
605
606 if (*prot_len < block_size + data_len + pad + icv_len) {
607 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data");
608 return -1;
609 }
610 pos = prot;
611
612 if (random_get_bytes(pos, block_size))
613 return -1;
614 iv = pos;
615 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Prot()", iv, block_size);
616 pos += block_size;
617
618 e = pos;
619 os_memcpy(pos, data, data_len);
620 pos += data_len;
621 if (pad) {
622 if (random_get_bytes(pos, pad))
623 return -1;
624 pos += pad;
625 }
626
627 if (aes_128_cbc_encrypt(sess->ke, iv, e, data_len + pad) < 0 ||
628 eap_eke_mac(sess->mac, sess->ki, e, data_len + pad, pos) < 0)
629 return -1;
630 pos += icv_len;
631
632 *prot_len = pos - prot;
633 return 0;
634 }
635
636
eap_eke_decrypt_prot(struct eap_eke_session * sess,const u8 * prot,size_t prot_len,u8 * data,size_t * data_len)637 int eap_eke_decrypt_prot(struct eap_eke_session *sess,
638 const u8 *prot, size_t prot_len,
639 u8 *data, size_t *data_len)
640 {
641 size_t block_size, icv_len;
642 u8 icv[EAP_EKE_MAX_HASH_LEN];
643
644 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
645 block_size = AES_BLOCK_SIZE;
646 else
647 return -1;
648
649 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
650 icv_len = SHA1_MAC_LEN;
651 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
652 icv_len = SHA256_MAC_LEN;
653 else
654 return -1;
655
656 if (prot_len < 2 * block_size + icv_len ||
657 (prot_len - icv_len) % block_size)
658 return -1;
659
660 if (eap_eke_mac(sess->mac, sess->ki, prot + block_size,
661 prot_len - block_size - icv_len, icv) < 0)
662 return -1;
663 if (os_memcmp_const(icv, prot + prot_len - icv_len, icv_len) != 0) {
664 wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data");
665 return -1;
666 }
667
668 if (*data_len < prot_len - block_size - icv_len) {
669 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for decrypted Prot() data");
670 return -1;
671 }
672
673 *data_len = prot_len - block_size - icv_len;
674 os_memcpy(data, prot + block_size, *data_len);
675 if (aes_128_cbc_decrypt(sess->ke, prot, data, *data_len) < 0) {
676 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt Prot() data");
677 return -1;
678 }
679 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted Prot() data",
680 data, *data_len);
681
682 return 0;
683 }
684
685
eap_eke_auth(struct eap_eke_session * sess,const char * label,const struct wpabuf * msgs,u8 * auth)686 int eap_eke_auth(struct eap_eke_session *sess, const char *label,
687 const struct wpabuf *msgs, u8 *auth)
688 {
689 wpa_printf(MSG_DEBUG, "EAP-EKE: Auth(%s)", label);
690 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka for Auth",
691 sess->ka, sess->auth_len);
692 wpa_hexdump_buf(MSG_MSGDUMP, "EAP-EKE: Messages for Auth", msgs);
693 return eap_eke_prf(sess->prf, sess->ka, sess->auth_len,
694 (const u8 *) label, os_strlen(label),
695 wpabuf_head(msgs), wpabuf_len(msgs), auth);
696 }
697
698
eap_eke_session_init(struct eap_eke_session * sess,u8 dhgroup,u8 encr,u8 prf,u8 mac)699 int eap_eke_session_init(struct eap_eke_session *sess, u8 dhgroup, u8 encr,
700 u8 prf, u8 mac)
701 {
702 sess->dhgroup = dhgroup;
703 sess->encr = encr;
704 sess->prf = prf;
705 sess->mac = mac;
706
707 sess->prf_len = eap_eke_prf_len(prf);
708 sess->nonce_len = eap_eke_nonce_len(prf);
709 sess->auth_len = eap_eke_auth_len(prf);
710 sess->dhcomp_len = eap_eke_dhcomp_len(sess->dhgroup, sess->encr);
711 sess->pnonce_len = eap_eke_pnonce_len(sess->mac);
712 sess->pnonce_ps_len = eap_eke_pnonce_ps_len(sess->mac);
713 if (sess->prf_len < 0 || sess->nonce_len < 0 || sess->auth_len < 0 ||
714 sess->dhcomp_len < 0 || sess->pnonce_len < 0 ||
715 sess->pnonce_ps_len < 0)
716 return -1;
717
718 return 0;
719 }
720
721
eap_eke_session_clean(struct eap_eke_session * sess)722 void eap_eke_session_clean(struct eap_eke_session *sess)
723 {
724 os_memset(sess->shared_secret, 0, EAP_EKE_MAX_HASH_LEN);
725 os_memset(sess->ke, 0, EAP_EKE_MAX_KE_LEN);
726 os_memset(sess->ki, 0, EAP_EKE_MAX_KI_LEN);
727 os_memset(sess->ka, 0, EAP_EKE_MAX_KA_LEN);
728 }
729