1 /*
2 * EAP server/peer: EAP-pwd shared routines
3 * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include "common.h"
11 #include "eap_defs.h"
12 #include "eap_pwd_common.h"
13
14 /* The random function H(x) = HMAC-SHA256(0^32, x) */
H_Init(HMAC_CTX * ctx)15 void H_Init(HMAC_CTX *ctx)
16 {
17 u8 allzero[SHA256_DIGEST_LENGTH];
18
19 os_memset(allzero, 0, SHA256_DIGEST_LENGTH);
20 HMAC_Init(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256());
21 }
22
23
H_Update(HMAC_CTX * ctx,const u8 * data,int len)24 void H_Update(HMAC_CTX *ctx, const u8 *data, int len)
25 {
26 HMAC_Update(ctx, data, len);
27 }
28
29
H_Final(HMAC_CTX * ctx,u8 * digest)30 void H_Final(HMAC_CTX *ctx, u8 *digest)
31 {
32 unsigned int mdlen = SHA256_DIGEST_LENGTH;
33
34 HMAC_Final(ctx, digest, &mdlen);
35 HMAC_CTX_cleanup(ctx);
36 }
37
38
39 /* a counter-based KDF based on NIST SP800-108 */
eap_pwd_kdf(u8 * key,int keylen,u8 * label,int labellen,u8 * result,int resultbitlen)40 void eap_pwd_kdf(u8 *key, int keylen, u8 *label, int labellen,
41 u8 *result, int resultbitlen)
42 {
43 HMAC_CTX hctx;
44 unsigned char digest[SHA256_DIGEST_LENGTH];
45 u16 i, ctr, L;
46 int resultbytelen, len = 0;
47 unsigned int mdlen = SHA256_DIGEST_LENGTH;
48 unsigned char mask = 0xff;
49
50 resultbytelen = (resultbitlen + 7)/8;
51 ctr = 0;
52 L = htons(resultbitlen);
53 while (len < resultbytelen) {
54 ctr++; i = htons(ctr);
55 HMAC_Init(&hctx, key, keylen, EVP_sha256());
56 if (ctr > 1)
57 HMAC_Update(&hctx, digest, mdlen);
58 HMAC_Update(&hctx, (u8 *) &i, sizeof(u16));
59 HMAC_Update(&hctx, label, labellen);
60 HMAC_Update(&hctx, (u8 *) &L, sizeof(u16));
61 HMAC_Final(&hctx, digest, &mdlen);
62 if ((len + (int) mdlen) > resultbytelen)
63 os_memcpy(result + len, digest, resultbytelen - len);
64 else
65 os_memcpy(result + len, digest, mdlen);
66 len += mdlen;
67 HMAC_CTX_cleanup(&hctx);
68 }
69
70 /* since we're expanding to a bit length, mask off the excess */
71 if (resultbitlen % 8) {
72 mask <<= (8 - (resultbitlen % 8));
73 result[resultbytelen - 1] &= mask;
74 }
75 }
76
77
78 /*
79 * compute a "random" secret point on an elliptic curve based
80 * on the password and identities.
81 */
compute_password_element(EAP_PWD_group * grp,u16 num,u8 * password,int password_len,u8 * id_server,int id_server_len,u8 * id_peer,int id_peer_len,u8 * token)82 int compute_password_element(EAP_PWD_group *grp, u16 num,
83 u8 *password, int password_len,
84 u8 *id_server, int id_server_len,
85 u8 *id_peer, int id_peer_len, u8 *token)
86 {
87 BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
88 HMAC_CTX ctx;
89 unsigned char pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
90 int nid, is_odd, primebitlen, primebytelen, ret = 0;
91
92 switch (num) { /* from IANA registry for IKE D-H groups */
93 case 19:
94 nid = NID_X9_62_prime256v1;
95 break;
96 case 20:
97 nid = NID_secp384r1;
98 break;
99 case 21:
100 nid = NID_secp521r1;
101 break;
102 case 25:
103 nid = NID_X9_62_prime192v1;
104 break;
105 case 26:
106 nid = NID_secp224r1;
107 break;
108 default:
109 wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num);
110 return -1;
111 }
112
113 grp->pwe = NULL;
114 grp->order = NULL;
115 grp->prime = NULL;
116
117 if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
118 wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP");
119 goto fail;
120 }
121
122 if (((rnd = BN_new()) == NULL) ||
123 ((cofactor = BN_new()) == NULL) ||
124 ((grp->pwe = EC_POINT_new(grp->group)) == NULL) ||
125 ((grp->order = BN_new()) == NULL) ||
126 ((grp->prime = BN_new()) == NULL) ||
127 ((x_candidate = BN_new()) == NULL)) {
128 wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
129 goto fail;
130 }
131
132 if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL))
133 {
134 wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp "
135 "curve");
136 goto fail;
137 }
138 if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) {
139 wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve");
140 goto fail;
141 }
142 if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) {
143 wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
144 "curve");
145 goto fail;
146 }
147 primebitlen = BN_num_bits(grp->prime);
148 primebytelen = BN_num_bytes(grp->prime);
149 if ((prfbuf = os_malloc(primebytelen)) == NULL) {
150 wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
151 "buffer");
152 goto fail;
153 }
154 os_memset(prfbuf, 0, primebytelen);
155 ctr = 0;
156 while (1) {
157 if (ctr > 10) {
158 wpa_printf(MSG_INFO, "EAP-pwd: unable to find random "
159 "point on curve for group %d, something's "
160 "fishy", num);
161 goto fail;
162 }
163 ctr++;
164
165 /*
166 * compute counter-mode password value and stretch to prime
167 * pwd-seed = H(token | peer-id | server-id | password |
168 * counter)
169 */
170 H_Init(&ctx);
171 H_Update(&ctx, token, sizeof(u32));
172 H_Update(&ctx, id_peer, id_peer_len);
173 H_Update(&ctx, id_server, id_server_len);
174 H_Update(&ctx, password, password_len);
175 H_Update(&ctx, &ctr, sizeof(ctr));
176 H_Final(&ctx, pwe_digest);
177
178 BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
179
180 eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH,
181 (unsigned char *) "EAP-pwd Hunting And Pecking",
182 os_strlen("EAP-pwd Hunting And Pecking"),
183 prfbuf, primebitlen);
184
185 BN_bin2bn(prfbuf, primebytelen, x_candidate);
186
187 /*
188 * eap_pwd_kdf() returns a string of bits 0..primebitlen but
189 * BN_bin2bn will treat that string of bits as a big endian
190 * number. If the primebitlen is not an even multiple of 8
191 * then excessive bits-- those _after_ primebitlen-- so now
192 * we have to shift right the amount we masked off.
193 */
194 if (primebitlen % 8)
195 BN_rshift(x_candidate, x_candidate,
196 (8 - (primebitlen % 8)));
197
198 if (BN_ucmp(x_candidate, grp->prime) >= 0)
199 continue;
200
201 wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
202 prfbuf, primebytelen);
203
204 /*
205 * need to unambiguously identify the solution, if there is
206 * one...
207 */
208 if (BN_is_odd(rnd))
209 is_odd = 1;
210 else
211 is_odd = 0;
212
213 /*
214 * solve the quadratic equation, if it's not solvable then we
215 * don't have a point
216 */
217 if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
218 grp->pwe,
219 x_candidate,
220 is_odd, NULL))
221 continue;
222 /*
223 * If there's a solution to the equation then the point must be
224 * on the curve so why check again explicitly? OpenSSL code
225 * says this is required by X9.62. We're not X9.62 but it can't
226 * hurt just to be sure.
227 */
228 if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
229 wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
230 continue;
231 }
232
233 if (BN_cmp(cofactor, BN_value_one())) {
234 /* make sure the point is not in a small sub-group */
235 if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
236 cofactor, NULL)) {
237 wpa_printf(MSG_INFO, "EAP-pwd: cannot "
238 "multiply generator by order");
239 continue;
240 }
241 if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
242 wpa_printf(MSG_INFO, "EAP-pwd: point is at "
243 "infinity");
244 continue;
245 }
246 }
247 /* if we got here then we have a new generator. */
248 break;
249 }
250 wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
251 grp->group_num = num;
252 if (0) {
253 fail:
254 EC_GROUP_free(grp->group);
255 EC_POINT_free(grp->pwe);
256 BN_free(grp->order);
257 BN_free(grp->prime);
258 os_free(grp);
259 grp = NULL;
260 ret = 1;
261 }
262 /* cleanliness and order.... */
263 BN_free(cofactor);
264 BN_free(x_candidate);
265 BN_free(rnd);
266 os_free(prfbuf);
267
268 return ret;
269 }
270
271
compute_keys(EAP_PWD_group * grp,BN_CTX * bnctx,BIGNUM * k,BIGNUM * peer_scalar,BIGNUM * server_scalar,u8 * confirm_peer,u8 * confirm_server,u32 * ciphersuite,u8 * msk,u8 * emsk)272 int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, BIGNUM *k,
273 BIGNUM *peer_scalar, BIGNUM *server_scalar,
274 u8 *confirm_peer, u8 *confirm_server,
275 u32 *ciphersuite, u8 *msk, u8 *emsk)
276 {
277 HMAC_CTX ctx;
278 u8 mk[SHA256_DIGEST_LENGTH], *cruft;
279 u8 session_id[SHA256_DIGEST_LENGTH + 1];
280 u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
281 int offset;
282
283 if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL)
284 return -1;
285
286 /*
287 * first compute the session-id = TypeCode | H(ciphersuite | scal_p |
288 * scal_s)
289 */
290 session_id[0] = EAP_TYPE_PWD;
291 H_Init(&ctx);
292 H_Update(&ctx, (u8 *)ciphersuite, sizeof(u32));
293 offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar);
294 os_memset(cruft, 0, BN_num_bytes(grp->prime));
295 BN_bn2bin(peer_scalar, cruft + offset);
296 H_Update(&ctx, cruft, BN_num_bytes(grp->order));
297 offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar);
298 os_memset(cruft, 0, BN_num_bytes(grp->prime));
299 BN_bn2bin(server_scalar, cruft + offset);
300 H_Update(&ctx, cruft, BN_num_bytes(grp->order));
301 H_Final(&ctx, &session_id[1]);
302
303 /* then compute MK = H(k | confirm-peer | confirm-server) */
304 H_Init(&ctx);
305 offset = BN_num_bytes(grp->prime) - BN_num_bytes(k);
306 os_memset(cruft, 0, BN_num_bytes(grp->prime));
307 BN_bn2bin(k, cruft + offset);
308 H_Update(&ctx, cruft, BN_num_bytes(grp->prime));
309 H_Update(&ctx, confirm_peer, SHA256_DIGEST_LENGTH);
310 H_Update(&ctx, confirm_server, SHA256_DIGEST_LENGTH);
311 H_Final(&ctx, mk);
312
313 /* stretch the mk with the session-id to get MSK | EMSK */
314 eap_pwd_kdf(mk, SHA256_DIGEST_LENGTH,
315 session_id, SHA256_DIGEST_LENGTH+1,
316 msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8);
317
318 os_memcpy(msk, msk_emsk, EAP_MSK_LEN);
319 os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN);
320
321 os_free(cruft);
322
323 return 1;
324 }
325