1/* 2 * EAP server/peer: EAP-PAX shared routines 3 * Copyright (c) 2005, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/sha1.h" 13#include "eap_pax_common.h" 14 15 16/** 17 * eap_pax_kdf - PAX Key Derivation Function 18 * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 19 * @key: Secret key (X) 20 * @key_len: Length of the secret key in bytes 21 * @identifier: Public identifier for the key (Y) 22 * @entropy: Exchanged entropy to seed the KDF (Z) 23 * @entropy_len: Length of the entropy in bytes 24 * @output_len: Output len in bytes (W) 25 * @output: Buffer for the derived key 26 * Returns: 0 on success, -1 failed 27 * 28 * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z) 29 */ 30int eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len, 31 const char *identifier, 32 const u8 *entropy, size_t entropy_len, 33 size_t output_len, u8 *output) 34{ 35 u8 mac[SHA1_MAC_LEN]; 36 u8 counter, *pos; 37 const u8 *addr[3]; 38 size_t len[3]; 39 size_t num_blocks, left; 40 41 num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN; 42 if (identifier == NULL || num_blocks >= 255) 43 return -1; 44 45 /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ 46 if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) 47 return -1; 48 49 addr[0] = (const u8 *) identifier; 50 len[0] = os_strlen(identifier); 51 addr[1] = entropy; 52 len[1] = entropy_len; 53 addr[2] = &counter; 54 len[2] = 1; 55 56 pos = output; 57 left = output_len; 58 for (counter = 1; counter <= (u8) num_blocks; counter++) { 59 size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left; 60 if (hmac_sha1_vector(key, key_len, 3, addr, len, mac) < 0) 61 return -1; 62 os_memcpy(pos, mac, clen); 63 pos += clen; 64 left -= clen; 65 } 66 67 return 0; 68} 69 70 71/** 72 * eap_pax_mac - EAP-PAX MAC 73 * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 74 * @key: Secret key 75 * @key_len: Length of the secret key in bytes 76 * @data1: Optional data, first block; %NULL if not used 77 * @data1_len: Length of data1 in bytes 78 * @data2: Optional data, second block; %NULL if not used 79 * @data2_len: Length of data2 in bytes 80 * @data3: Optional data, third block; %NULL if not used 81 * @data3_len: Length of data3 in bytes 82 * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes) 83 * Returns: 0 on success, -1 on failure 84 * 85 * Wrapper function to calculate EAP-PAX MAC. 86 */ 87int eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len, 88 const u8 *data1, size_t data1_len, 89 const u8 *data2, size_t data2_len, 90 const u8 *data3, size_t data3_len, 91 u8 *mac) 92{ 93 u8 hash[SHA1_MAC_LEN]; 94 const u8 *addr[3]; 95 size_t len[3]; 96 size_t count; 97 98 /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ 99 if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) 100 return -1; 101 102 addr[0] = data1; 103 len[0] = data1_len; 104 addr[1] = data2; 105 len[1] = data2_len; 106 addr[2] = data3; 107 len[2] = data3_len; 108 109 count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0); 110 if (hmac_sha1_vector(key, key_len, count, addr, len, hash) < 0) 111 return -1; 112 os_memcpy(mac, hash, EAP_PAX_MAC_LEN); 113 114 return 0; 115} 116 117 118/** 119 * eap_pax_initial_key_derivation - EAP-PAX initial key derivation 120 * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 121 * @ak: Authentication Key 122 * @e: Entropy 123 * @mk: Buffer for the derived Master Key 124 * @ck: Buffer for the derived Confirmation Key 125 * @ick: Buffer for the derived Integrity Check Key 126 * @mid: Buffer for the derived Method ID 127 * Returns: 0 on success, -1 on failure 128 */ 129int eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e, 130 u8 *mk, u8 *ck, u8 *ick, u8 *mid) 131{ 132 wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation"); 133 if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key", 134 e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) || 135 eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key", 136 e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) || 137 eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key", 138 e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick) || 139 eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Method ID", 140 e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MID_LEN, mid)) 141 return -1; 142 143 wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN); 144 wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN); 145 wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN); 146 wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN); 147 wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MID", mid, EAP_PAX_MID_LEN); 148 149 return 0; 150} 151