1189251Ssam/* 2189251Ssam * EAP server/peer: EAP-PAX shared routines 3189251Ssam * Copyright (c) 2005, Jouni Malinen <j@w1.fi> 4189251Ssam * 5252726Srpaulo * This software may be distributed under the terms of the BSD license. 6252726Srpaulo * See README for more details. 7189251Ssam */ 8189251Ssam 9189251Ssam#include "includes.h" 10189251Ssam 11189251Ssam#include "common.h" 12214734Srpaulo#include "crypto/sha1.h" 13189251Ssam#include "eap_pax_common.h" 14189251Ssam 15189251Ssam 16189251Ssam/** 17189251Ssam * eap_pax_kdf - PAX Key Derivation Function 18189251Ssam * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 19189251Ssam * @key: Secret key (X) 20189251Ssam * @key_len: Length of the secret key in bytes 21189251Ssam * @identifier: Public identifier for the key (Y) 22189251Ssam * @entropy: Exchanged entropy to seed the KDF (Z) 23189251Ssam * @entropy_len: Length of the entropy in bytes 24189251Ssam * @output_len: Output len in bytes (W) 25189251Ssam * @output: Buffer for the derived key 26189251Ssam * Returns: 0 on success, -1 failed 27189251Ssam * 28189251Ssam * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z) 29189251Ssam */ 30189251Ssamint eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len, 31189251Ssam const char *identifier, 32189251Ssam const u8 *entropy, size_t entropy_len, 33189251Ssam size_t output_len, u8 *output) 34189251Ssam{ 35189251Ssam u8 mac[SHA1_MAC_LEN]; 36189251Ssam u8 counter, *pos; 37189251Ssam const u8 *addr[3]; 38189251Ssam size_t len[3]; 39189251Ssam size_t num_blocks, left; 40189251Ssam 41189251Ssam num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN; 42189251Ssam if (identifier == NULL || num_blocks >= 255) 43189251Ssam return -1; 44189251Ssam 45189251Ssam /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ 46189251Ssam if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) 47189251Ssam return -1; 48189251Ssam 49189251Ssam addr[0] = (const u8 *) identifier; 50189251Ssam len[0] = os_strlen(identifier); 51189251Ssam addr[1] = entropy; 52189251Ssam len[1] = entropy_len; 53189251Ssam addr[2] = &counter; 54189251Ssam len[2] = 1; 55189251Ssam 56189251Ssam pos = output; 57189251Ssam left = output_len; 58189251Ssam for (counter = 1; counter <= (u8) num_blocks; counter++) { 59189251Ssam size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left; 60189251Ssam hmac_sha1_vector(key, key_len, 3, addr, len, mac); 61189251Ssam os_memcpy(pos, mac, clen); 62189251Ssam pos += clen; 63189251Ssam left -= clen; 64189251Ssam } 65189251Ssam 66189251Ssam return 0; 67189251Ssam} 68189251Ssam 69189251Ssam 70189251Ssam/** 71189251Ssam * eap_pax_mac - EAP-PAX MAC 72189251Ssam * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 73189251Ssam * @key: Secret key 74189251Ssam * @key_len: Length of the secret key in bytes 75189251Ssam * @data1: Optional data, first block; %NULL if not used 76189251Ssam * @data1_len: Length of data1 in bytes 77189251Ssam * @data2: Optional data, second block; %NULL if not used 78189251Ssam * @data2_len: Length of data2 in bytes 79189251Ssam * @data3: Optional data, third block; %NULL if not used 80189251Ssam * @data3_len: Length of data3 in bytes 81189251Ssam * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes) 82189251Ssam * Returns: 0 on success, -1 on failure 83189251Ssam * 84189251Ssam * Wrapper function to calculate EAP-PAX MAC. 85189251Ssam */ 86189251Ssamint eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len, 87189251Ssam const u8 *data1, size_t data1_len, 88189251Ssam const u8 *data2, size_t data2_len, 89189251Ssam const u8 *data3, size_t data3_len, 90189251Ssam u8 *mac) 91189251Ssam{ 92189251Ssam u8 hash[SHA1_MAC_LEN]; 93189251Ssam const u8 *addr[3]; 94189251Ssam size_t len[3]; 95189251Ssam size_t count; 96189251Ssam 97189251Ssam /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ 98189251Ssam if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) 99189251Ssam return -1; 100189251Ssam 101189251Ssam addr[0] = data1; 102189251Ssam len[0] = data1_len; 103189251Ssam addr[1] = data2; 104189251Ssam len[1] = data2_len; 105189251Ssam addr[2] = data3; 106189251Ssam len[2] = data3_len; 107189251Ssam 108189251Ssam count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0); 109189251Ssam hmac_sha1_vector(key, key_len, count, addr, len, hash); 110189251Ssam os_memcpy(mac, hash, EAP_PAX_MAC_LEN); 111189251Ssam 112189251Ssam return 0; 113189251Ssam} 114189251Ssam 115189251Ssam 116189251Ssam/** 117189251Ssam * eap_pax_initial_key_derivation - EAP-PAX initial key derivation 118189251Ssam * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 119189251Ssam * @ak: Authentication Key 120189251Ssam * @e: Entropy 121189251Ssam * @mk: Buffer for the derived Master Key 122189251Ssam * @ck: Buffer for the derived Confirmation Key 123189251Ssam * @ick: Buffer for the derived Integrity Check Key 124189251Ssam * Returns: 0 on success, -1 on failure 125189251Ssam */ 126189251Ssamint eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e, 127189251Ssam u8 *mk, u8 *ck, u8 *ick) 128189251Ssam{ 129189251Ssam wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation"); 130189251Ssam if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key", 131189251Ssam e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) || 132189251Ssam eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key", 133189251Ssam e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) || 134189251Ssam eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key", 135189251Ssam e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick)) 136189251Ssam return -1; 137189251Ssam 138189251Ssam wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN); 139189251Ssam wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN); 140189251Ssam wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN); 141189251Ssam wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN); 142189251Ssam 143189251Ssam return 0; 144189251Ssam} 145