16d49e1aeSJan Lentfer /*
26d49e1aeSJan Lentfer * EAP server/peer: EAP-SAKE shared routines
3*a1157835SDaniel Fojt * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi>
46d49e1aeSJan Lentfer *
53ff40c12SJohn Marino * This software may be distributed under the terms of the BSD license.
63ff40c12SJohn Marino * See README for more details.
76d49e1aeSJan Lentfer */
86d49e1aeSJan Lentfer
96d49e1aeSJan Lentfer #include "includes.h"
106d49e1aeSJan Lentfer
116d49e1aeSJan Lentfer #include "common.h"
126d49e1aeSJan Lentfer #include "wpabuf.h"
133ff40c12SJohn Marino #include "crypto/sha1.h"
146d49e1aeSJan Lentfer #include "eap_defs.h"
156d49e1aeSJan Lentfer #include "eap_sake_common.h"
166d49e1aeSJan Lentfer
176d49e1aeSJan Lentfer
eap_sake_parse_add_attr(struct eap_sake_parse_attr * attr,u8 attr_id,u8 len,const u8 * data)186d49e1aeSJan Lentfer static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
19*a1157835SDaniel Fojt u8 attr_id, u8 len, const u8 *data)
206d49e1aeSJan Lentfer {
216d49e1aeSJan Lentfer size_t i;
226d49e1aeSJan Lentfer
23*a1157835SDaniel Fojt switch (attr_id) {
246d49e1aeSJan Lentfer case EAP_SAKE_AT_RAND_S:
256d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
26*a1157835SDaniel Fojt if (len != EAP_SAKE_RAND_LEN) {
276d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
28*a1157835SDaniel Fojt "invalid payload length %d", len);
296d49e1aeSJan Lentfer return -1;
306d49e1aeSJan Lentfer }
31*a1157835SDaniel Fojt attr->rand_s = data;
326d49e1aeSJan Lentfer break;
336d49e1aeSJan Lentfer case EAP_SAKE_AT_RAND_P:
346d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
35*a1157835SDaniel Fojt if (len != EAP_SAKE_RAND_LEN) {
366d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
37*a1157835SDaniel Fojt "invalid payload length %d", len);
386d49e1aeSJan Lentfer return -1;
396d49e1aeSJan Lentfer }
40*a1157835SDaniel Fojt attr->rand_p = data;
416d49e1aeSJan Lentfer break;
426d49e1aeSJan Lentfer case EAP_SAKE_AT_MIC_S:
436d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
44*a1157835SDaniel Fojt if (len != EAP_SAKE_MIC_LEN) {
456d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
46*a1157835SDaniel Fojt "invalid payload length %d", len);
476d49e1aeSJan Lentfer return -1;
486d49e1aeSJan Lentfer }
49*a1157835SDaniel Fojt attr->mic_s = data;
506d49e1aeSJan Lentfer break;
516d49e1aeSJan Lentfer case EAP_SAKE_AT_MIC_P:
526d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
53*a1157835SDaniel Fojt if (len != EAP_SAKE_MIC_LEN) {
546d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
55*a1157835SDaniel Fojt "invalid payload length %d", len);
566d49e1aeSJan Lentfer return -1;
576d49e1aeSJan Lentfer }
58*a1157835SDaniel Fojt attr->mic_p = data;
596d49e1aeSJan Lentfer break;
606d49e1aeSJan Lentfer case EAP_SAKE_AT_SERVERID:
616d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
62*a1157835SDaniel Fojt attr->serverid = data;
63*a1157835SDaniel Fojt attr->serverid_len = len;
646d49e1aeSJan Lentfer break;
656d49e1aeSJan Lentfer case EAP_SAKE_AT_PEERID:
666d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
67*a1157835SDaniel Fojt attr->peerid = data;
68*a1157835SDaniel Fojt attr->peerid_len = len;
696d49e1aeSJan Lentfer break;
706d49e1aeSJan Lentfer case EAP_SAKE_AT_SPI_S:
716d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
72*a1157835SDaniel Fojt attr->spi_s = data;
73*a1157835SDaniel Fojt attr->spi_s_len = len;
746d49e1aeSJan Lentfer break;
756d49e1aeSJan Lentfer case EAP_SAKE_AT_SPI_P:
766d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
77*a1157835SDaniel Fojt attr->spi_p = data;
78*a1157835SDaniel Fojt attr->spi_p_len = len;
796d49e1aeSJan Lentfer break;
806d49e1aeSJan Lentfer case EAP_SAKE_AT_ANY_ID_REQ:
816d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
82*a1157835SDaniel Fojt if (len != 2) {
836d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
84*a1157835SDaniel Fojt " payload length %d", len);
856d49e1aeSJan Lentfer return -1;
866d49e1aeSJan Lentfer }
87*a1157835SDaniel Fojt attr->any_id_req = data;
886d49e1aeSJan Lentfer break;
896d49e1aeSJan Lentfer case EAP_SAKE_AT_PERM_ID_REQ:
906d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
91*a1157835SDaniel Fojt if (len != 2) {
926d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
93*a1157835SDaniel Fojt "AT_PERM_ID_REQ payload length %d", len);
946d49e1aeSJan Lentfer return -1;
956d49e1aeSJan Lentfer }
96*a1157835SDaniel Fojt attr->perm_id_req = data;
976d49e1aeSJan Lentfer break;
986d49e1aeSJan Lentfer case EAP_SAKE_AT_ENCR_DATA:
996d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
100*a1157835SDaniel Fojt attr->encr_data = data;
101*a1157835SDaniel Fojt attr->encr_data_len = len;
1026d49e1aeSJan Lentfer break;
1036d49e1aeSJan Lentfer case EAP_SAKE_AT_IV:
1046d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
105*a1157835SDaniel Fojt attr->iv = data;
106*a1157835SDaniel Fojt attr->iv_len = len;
1076d49e1aeSJan Lentfer break;
1086d49e1aeSJan Lentfer case EAP_SAKE_AT_PADDING:
1096d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
110*a1157835SDaniel Fojt for (i = 0; i < len; i++) {
111*a1157835SDaniel Fojt if (data[i]) {
1126d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
1136d49e1aeSJan Lentfer "with non-zero pad byte");
1146d49e1aeSJan Lentfer return -1;
1156d49e1aeSJan Lentfer }
1166d49e1aeSJan Lentfer }
1176d49e1aeSJan Lentfer break;
1186d49e1aeSJan Lentfer case EAP_SAKE_AT_NEXT_TMPID:
1196d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
120*a1157835SDaniel Fojt attr->next_tmpid = data;
121*a1157835SDaniel Fojt attr->next_tmpid_len = len;
1226d49e1aeSJan Lentfer break;
1236d49e1aeSJan Lentfer case EAP_SAKE_AT_MSK_LIFE:
124*a1157835SDaniel Fojt wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MSK_LIFE");
125*a1157835SDaniel Fojt if (len != 4) {
1266d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
127*a1157835SDaniel Fojt "AT_MSK_LIFE payload length %d", len);
1286d49e1aeSJan Lentfer return -1;
1296d49e1aeSJan Lentfer }
130*a1157835SDaniel Fojt attr->msk_life = data;
1316d49e1aeSJan Lentfer break;
1326d49e1aeSJan Lentfer default:
133*a1157835SDaniel Fojt if (attr_id < 128) {
1346d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
135*a1157835SDaniel Fojt " attribute %d", attr_id);
1366d49e1aeSJan Lentfer return -1;
1376d49e1aeSJan Lentfer }
1386d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
139*a1157835SDaniel Fojt "attribute %d", attr_id);
1406d49e1aeSJan Lentfer break;
1416d49e1aeSJan Lentfer }
1426d49e1aeSJan Lentfer
1436d49e1aeSJan Lentfer if (attr->iv && !attr->encr_data) {
1446d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
1456d49e1aeSJan Lentfer "AT_ENCR_DATA");
1466d49e1aeSJan Lentfer return -1;
1476d49e1aeSJan Lentfer }
1486d49e1aeSJan Lentfer
1496d49e1aeSJan Lentfer return 0;
1506d49e1aeSJan Lentfer }
1516d49e1aeSJan Lentfer
1526d49e1aeSJan Lentfer
1536d49e1aeSJan Lentfer /**
1546d49e1aeSJan Lentfer * eap_sake_parse_attributes - Parse EAP-SAKE attributes
1556d49e1aeSJan Lentfer * @buf: Packet payload (starting with the first attribute)
1566d49e1aeSJan Lentfer * @len: Payload length
1576d49e1aeSJan Lentfer * @attr: Structure to be filled with found attributes
1586d49e1aeSJan Lentfer * Returns: 0 on success or -1 on failure
1596d49e1aeSJan Lentfer */
eap_sake_parse_attributes(const u8 * buf,size_t len,struct eap_sake_parse_attr * attr)1606d49e1aeSJan Lentfer int eap_sake_parse_attributes(const u8 *buf, size_t len,
1616d49e1aeSJan Lentfer struct eap_sake_parse_attr *attr)
1626d49e1aeSJan Lentfer {
1636d49e1aeSJan Lentfer const u8 *pos = buf, *end = buf + len;
1646d49e1aeSJan Lentfer
1656d49e1aeSJan Lentfer os_memset(attr, 0, sizeof(*attr));
1666d49e1aeSJan Lentfer while (pos < end) {
1676d49e1aeSJan Lentfer if (end - pos < 2) {
1686d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
1696d49e1aeSJan Lentfer return -1;
1706d49e1aeSJan Lentfer }
1716d49e1aeSJan Lentfer
1726d49e1aeSJan Lentfer if (pos[1] < 2) {
1736d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
1746d49e1aeSJan Lentfer "length (%d)", pos[1]);
1756d49e1aeSJan Lentfer return -1;
1766d49e1aeSJan Lentfer }
1776d49e1aeSJan Lentfer
1786d49e1aeSJan Lentfer if (pos + pos[1] > end) {
1796d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
1806d49e1aeSJan Lentfer return -1;
1816d49e1aeSJan Lentfer }
1826d49e1aeSJan Lentfer
183*a1157835SDaniel Fojt if (eap_sake_parse_add_attr(attr, pos[0], pos[1] - 2, pos + 2))
1846d49e1aeSJan Lentfer return -1;
1856d49e1aeSJan Lentfer
1866d49e1aeSJan Lentfer pos += pos[1];
1876d49e1aeSJan Lentfer }
1886d49e1aeSJan Lentfer
1896d49e1aeSJan Lentfer return 0;
1906d49e1aeSJan Lentfer }
1916d49e1aeSJan Lentfer
1926d49e1aeSJan Lentfer
1936d49e1aeSJan Lentfer /**
1946d49e1aeSJan Lentfer * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
1956d49e1aeSJan Lentfer * @key: Key for KDF
1966d49e1aeSJan Lentfer * @key_len: Length of the key in bytes
1976d49e1aeSJan Lentfer * @label: A unique label for each purpose of the KDF
1986d49e1aeSJan Lentfer * @data: Extra data (start) to bind into the key
1996d49e1aeSJan Lentfer * @data_len: Length of the data
2006d49e1aeSJan Lentfer * @data2: Extra data (end) to bind into the key
2016d49e1aeSJan Lentfer * @data2_len: Length of the data2
2026d49e1aeSJan Lentfer * @buf: Buffer for the generated pseudo-random key
2036d49e1aeSJan Lentfer * @buf_len: Number of bytes of key to generate
204*a1157835SDaniel Fojt * Returns: 0 on success or -1 on failure
2056d49e1aeSJan Lentfer *
2066d49e1aeSJan Lentfer * This function is used to derive new, cryptographically separate keys from a
2076d49e1aeSJan Lentfer * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
2086d49e1aeSJan Lentfer */
eap_sake_kdf(const u8 * key,size_t key_len,const char * label,const u8 * data,size_t data_len,const u8 * data2,size_t data2_len,u8 * buf,size_t buf_len)209*a1157835SDaniel Fojt static int eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
2106d49e1aeSJan Lentfer const u8 *data, size_t data_len,
2116d49e1aeSJan Lentfer const u8 *data2, size_t data2_len,
2126d49e1aeSJan Lentfer u8 *buf, size_t buf_len)
2136d49e1aeSJan Lentfer {
2146d49e1aeSJan Lentfer u8 counter = 0;
2156d49e1aeSJan Lentfer size_t pos, plen;
2166d49e1aeSJan Lentfer u8 hash[SHA1_MAC_LEN];
2176d49e1aeSJan Lentfer size_t label_len = os_strlen(label) + 1;
2186d49e1aeSJan Lentfer const unsigned char *addr[4];
2196d49e1aeSJan Lentfer size_t len[4];
2206d49e1aeSJan Lentfer
2216d49e1aeSJan Lentfer addr[0] = (u8 *) label; /* Label | Y */
2226d49e1aeSJan Lentfer len[0] = label_len;
2236d49e1aeSJan Lentfer addr[1] = data; /* Msg[start] */
2246d49e1aeSJan Lentfer len[1] = data_len;
2256d49e1aeSJan Lentfer addr[2] = data2; /* Msg[end] */
2266d49e1aeSJan Lentfer len[2] = data2_len;
2276d49e1aeSJan Lentfer addr[3] = &counter; /* Length */
2286d49e1aeSJan Lentfer len[3] = 1;
2296d49e1aeSJan Lentfer
2306d49e1aeSJan Lentfer pos = 0;
2316d49e1aeSJan Lentfer while (pos < buf_len) {
2326d49e1aeSJan Lentfer plen = buf_len - pos;
2336d49e1aeSJan Lentfer if (plen >= SHA1_MAC_LEN) {
234*a1157835SDaniel Fojt if (hmac_sha1_vector(key, key_len, 4, addr, len,
235*a1157835SDaniel Fojt &buf[pos]) < 0)
236*a1157835SDaniel Fojt return -1;
2376d49e1aeSJan Lentfer pos += SHA1_MAC_LEN;
2386d49e1aeSJan Lentfer } else {
239*a1157835SDaniel Fojt if (hmac_sha1_vector(key, key_len, 4, addr, len,
240*a1157835SDaniel Fojt hash) < 0)
241*a1157835SDaniel Fojt return -1;
2426d49e1aeSJan Lentfer os_memcpy(&buf[pos], hash, plen);
2436d49e1aeSJan Lentfer break;
2446d49e1aeSJan Lentfer }
2456d49e1aeSJan Lentfer counter++;
2466d49e1aeSJan Lentfer }
247*a1157835SDaniel Fojt
248*a1157835SDaniel Fojt return 0;
2496d49e1aeSJan Lentfer }
2506d49e1aeSJan Lentfer
2516d49e1aeSJan Lentfer
2526d49e1aeSJan Lentfer /**
2536d49e1aeSJan Lentfer * eap_sake_derive_keys - Derive EAP-SAKE keys
2546d49e1aeSJan Lentfer * @root_secret_a: 16-byte Root-Secret-A
2556d49e1aeSJan Lentfer * @root_secret_b: 16-byte Root-Secret-B
2566d49e1aeSJan Lentfer * @rand_s: 16-byte RAND_S
2576d49e1aeSJan Lentfer * @rand_p: 16-byte RAND_P
2586d49e1aeSJan Lentfer * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
2596d49e1aeSJan Lentfer * @msk: Buffer for 64-byte MSK
2606d49e1aeSJan Lentfer * @emsk: Buffer for 64-byte EMSK
261*a1157835SDaniel Fojt * Returns: 0 on success or -1 on failure
2626d49e1aeSJan Lentfer *
2636d49e1aeSJan Lentfer * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
2646d49e1aeSJan Lentfer */
eap_sake_derive_keys(const u8 * root_secret_a,const u8 * root_secret_b,const u8 * rand_s,const u8 * rand_p,u8 * tek,u8 * msk,u8 * emsk)265*a1157835SDaniel Fojt int eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
2666d49e1aeSJan Lentfer const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
2676d49e1aeSJan Lentfer u8 *emsk)
2686d49e1aeSJan Lentfer {
2696d49e1aeSJan Lentfer u8 sms_a[EAP_SAKE_SMS_LEN];
2706d49e1aeSJan Lentfer u8 sms_b[EAP_SAKE_SMS_LEN];
2716d49e1aeSJan Lentfer u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
2726d49e1aeSJan Lentfer
2736d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
2746d49e1aeSJan Lentfer
2756d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
2766d49e1aeSJan Lentfer root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
277*a1157835SDaniel Fojt if (eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
2786d49e1aeSJan Lentfer "SAKE Master Secret A",
2796d49e1aeSJan Lentfer rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
280*a1157835SDaniel Fojt sms_a, EAP_SAKE_SMS_LEN) < 0)
281*a1157835SDaniel Fojt return -1;
2826d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
283*a1157835SDaniel Fojt if (eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
2846d49e1aeSJan Lentfer rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
285*a1157835SDaniel Fojt tek, EAP_SAKE_TEK_LEN) < 0)
286*a1157835SDaniel Fojt return -1;
2876d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
2886d49e1aeSJan Lentfer tek, EAP_SAKE_TEK_AUTH_LEN);
2896d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
2906d49e1aeSJan Lentfer tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
2916d49e1aeSJan Lentfer
2926d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
2936d49e1aeSJan Lentfer root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
294*a1157835SDaniel Fojt if (eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
2956d49e1aeSJan Lentfer "SAKE Master Secret B",
2966d49e1aeSJan Lentfer rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
297*a1157835SDaniel Fojt sms_b, EAP_SAKE_SMS_LEN) < 0)
298*a1157835SDaniel Fojt return -1;
2996d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
300*a1157835SDaniel Fojt if (eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
3016d49e1aeSJan Lentfer rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
302*a1157835SDaniel Fojt key_buf, sizeof(key_buf)) < 0)
303*a1157835SDaniel Fojt return -1;
3046d49e1aeSJan Lentfer os_memcpy(msk, key_buf, EAP_MSK_LEN);
3056d49e1aeSJan Lentfer os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
3066d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
3076d49e1aeSJan Lentfer wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
308*a1157835SDaniel Fojt return 0;
3096d49e1aeSJan Lentfer }
3106d49e1aeSJan Lentfer
3116d49e1aeSJan Lentfer
3126d49e1aeSJan Lentfer /**
3136d49e1aeSJan Lentfer * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
3146d49e1aeSJan Lentfer * @tek_auth: 16-byte TEK-Auth
3156d49e1aeSJan Lentfer * @rand_s: 16-byte RAND_S
3166d49e1aeSJan Lentfer * @rand_p: 16-byte RAND_P
3176d49e1aeSJan Lentfer * @serverid: SERVERID
3186d49e1aeSJan Lentfer * @serverid_len: SERVERID length
3196d49e1aeSJan Lentfer * @peerid: PEERID
3206d49e1aeSJan Lentfer * @peerid_len: PEERID length
3216d49e1aeSJan Lentfer * @peer: MIC calculation for 0 = Server, 1 = Peer message
3226d49e1aeSJan Lentfer * @eap: EAP packet
3236d49e1aeSJan Lentfer * @eap_len: EAP packet length
3246d49e1aeSJan Lentfer * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
3256d49e1aeSJan Lentfer * @mic: Buffer for the computed 16-byte MIC
326*a1157835SDaniel Fojt * Returns: 0 on success or -1 on failure
3276d49e1aeSJan Lentfer */
eap_sake_compute_mic(const u8 * tek_auth,const u8 * rand_s,const u8 * rand_p,const u8 * serverid,size_t serverid_len,const u8 * peerid,size_t peerid_len,int peer,const u8 * eap,size_t eap_len,const u8 * mic_pos,u8 * mic)3286d49e1aeSJan Lentfer int eap_sake_compute_mic(const u8 *tek_auth,
3296d49e1aeSJan Lentfer const u8 *rand_s, const u8 *rand_p,
3306d49e1aeSJan Lentfer const u8 *serverid, size_t serverid_len,
3316d49e1aeSJan Lentfer const u8 *peerid, size_t peerid_len,
3326d49e1aeSJan Lentfer int peer, const u8 *eap, size_t eap_len,
3336d49e1aeSJan Lentfer const u8 *mic_pos, u8 *mic)
3346d49e1aeSJan Lentfer {
3356d49e1aeSJan Lentfer u8 _rand[2 * EAP_SAKE_RAND_LEN];
3366d49e1aeSJan Lentfer u8 *tmp, *pos;
3376d49e1aeSJan Lentfer size_t tmplen;
338*a1157835SDaniel Fojt int ret;
3396d49e1aeSJan Lentfer
3406d49e1aeSJan Lentfer tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
3416d49e1aeSJan Lentfer tmp = os_malloc(tmplen);
3426d49e1aeSJan Lentfer if (tmp == NULL)
3436d49e1aeSJan Lentfer return -1;
3446d49e1aeSJan Lentfer pos = tmp;
3456d49e1aeSJan Lentfer if (peer) {
3466d49e1aeSJan Lentfer if (peerid) {
3476d49e1aeSJan Lentfer os_memcpy(pos, peerid, peerid_len);
3486d49e1aeSJan Lentfer pos += peerid_len;
3496d49e1aeSJan Lentfer }
3506d49e1aeSJan Lentfer *pos++ = 0x00;
3516d49e1aeSJan Lentfer if (serverid) {
3526d49e1aeSJan Lentfer os_memcpy(pos, serverid, serverid_len);
3536d49e1aeSJan Lentfer pos += serverid_len;
3546d49e1aeSJan Lentfer }
3556d49e1aeSJan Lentfer *pos++ = 0x00;
3566d49e1aeSJan Lentfer
3576d49e1aeSJan Lentfer os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
3586d49e1aeSJan Lentfer os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
3596d49e1aeSJan Lentfer EAP_SAKE_RAND_LEN);
3606d49e1aeSJan Lentfer } else {
3616d49e1aeSJan Lentfer if (serverid) {
3626d49e1aeSJan Lentfer os_memcpy(pos, serverid, serverid_len);
3636d49e1aeSJan Lentfer pos += serverid_len;
3646d49e1aeSJan Lentfer }
3656d49e1aeSJan Lentfer *pos++ = 0x00;
3666d49e1aeSJan Lentfer if (peerid) {
3676d49e1aeSJan Lentfer os_memcpy(pos, peerid, peerid_len);
3686d49e1aeSJan Lentfer pos += peerid_len;
3696d49e1aeSJan Lentfer }
3706d49e1aeSJan Lentfer *pos++ = 0x00;
3716d49e1aeSJan Lentfer
3726d49e1aeSJan Lentfer os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
3736d49e1aeSJan Lentfer os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
3746d49e1aeSJan Lentfer EAP_SAKE_RAND_LEN);
3756d49e1aeSJan Lentfer }
3766d49e1aeSJan Lentfer
3776d49e1aeSJan Lentfer os_memcpy(pos, eap, eap_len);
3786d49e1aeSJan Lentfer os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
3796d49e1aeSJan Lentfer
380*a1157835SDaniel Fojt ret = eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
3816d49e1aeSJan Lentfer peer ? "Peer MIC" : "Server MIC",
3826d49e1aeSJan Lentfer _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
3836d49e1aeSJan Lentfer mic, EAP_SAKE_MIC_LEN);
3846d49e1aeSJan Lentfer
3856d49e1aeSJan Lentfer os_free(tmp);
3866d49e1aeSJan Lentfer
387*a1157835SDaniel Fojt return ret;
3886d49e1aeSJan Lentfer }
3896d49e1aeSJan Lentfer
3906d49e1aeSJan Lentfer
eap_sake_add_attr(struct wpabuf * buf,u8 type,const u8 * data,size_t len)3916d49e1aeSJan Lentfer void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data,
3926d49e1aeSJan Lentfer size_t len)
3936d49e1aeSJan Lentfer {
3946d49e1aeSJan Lentfer wpabuf_put_u8(buf, type);
3956d49e1aeSJan Lentfer wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */
3966d49e1aeSJan Lentfer if (data)
3976d49e1aeSJan Lentfer wpabuf_put_data(buf, data, len);
3986d49e1aeSJan Lentfer else
3996d49e1aeSJan Lentfer os_memset(wpabuf_put(buf, len), 0, len);
4006d49e1aeSJan Lentfer }
401