The Android Open Source Project | 845e012 | 2009-03-03 19:31:34 -0800 | [diff] [blame] | 1 | /* |
| 2 | * EAP server/peer: EAP-PAX shared routines |
| 3 | * Copyright (c) 2005, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License version 2 as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * Alternatively, this software may be distributed under the terms of BSD |
| 10 | * license. |
| 11 | * |
| 12 | * See README and COPYING for more details. |
| 13 | */ |
| 14 | |
| 15 | #include "includes.h" |
| 16 | |
| 17 | #include "common.h" |
| 18 | #include "sha1.h" |
| 19 | #include "eap_pax_common.h" |
| 20 | |
| 21 | |
| 22 | /** |
| 23 | * eap_pax_kdf - PAX Key Derivation Function |
| 24 | * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported |
| 25 | * @key: Secret key (X) |
| 26 | * @key_len: Length of the secret key in bytes |
| 27 | * @identifier: Public identifier for the key (Y) |
| 28 | * @entropy: Exchanged entropy to seed the KDF (Z) |
| 29 | * @entropy_len: Length of the entropy in bytes |
| 30 | * @output_len: Output len in bytes (W) |
| 31 | * @output: Buffer for the derived key |
| 32 | * Returns: 0 on success, -1 failed |
| 33 | * |
| 34 | * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z) |
| 35 | */ |
| 36 | int eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len, |
| 37 | const char *identifier, |
| 38 | const u8 *entropy, size_t entropy_len, |
| 39 | size_t output_len, u8 *output) |
| 40 | { |
| 41 | u8 mac[SHA1_MAC_LEN]; |
| 42 | u8 counter, *pos; |
| 43 | const u8 *addr[3]; |
| 44 | size_t len[3]; |
| 45 | size_t num_blocks, left; |
| 46 | |
| 47 | num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN; |
| 48 | if (identifier == NULL || num_blocks >= 255) |
| 49 | return -1; |
| 50 | |
| 51 | /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ |
| 52 | if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) |
| 53 | return -1; |
| 54 | |
| 55 | addr[0] = (const u8 *) identifier; |
| 56 | len[0] = os_strlen(identifier); |
| 57 | addr[1] = entropy; |
| 58 | len[1] = entropy_len; |
| 59 | addr[2] = &counter; |
| 60 | len[2] = 1; |
| 61 | |
| 62 | pos = output; |
| 63 | left = output_len; |
| 64 | for (counter = 1; counter <= (u8) num_blocks; counter++) { |
| 65 | size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left; |
| 66 | hmac_sha1_vector(key, key_len, 3, addr, len, mac); |
| 67 | os_memcpy(pos, mac, clen); |
| 68 | pos += clen; |
| 69 | left -= clen; |
| 70 | } |
| 71 | |
| 72 | return 0; |
| 73 | } |
| 74 | |
| 75 | |
| 76 | /** |
| 77 | * eap_pax_mac - EAP-PAX MAC |
| 78 | * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported |
| 79 | * @key: Secret key |
| 80 | * @key_len: Length of the secret key in bytes |
| 81 | * @data1: Optional data, first block; %NULL if not used |
| 82 | * @data1_len: Length of data1 in bytes |
| 83 | * @data2: Optional data, second block; %NULL if not used |
| 84 | * @data2_len: Length of data2 in bytes |
| 85 | * @data3: Optional data, third block; %NULL if not used |
| 86 | * @data3_len: Length of data3 in bytes |
| 87 | * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes) |
| 88 | * Returns: 0 on success, -1 on failure |
| 89 | * |
| 90 | * Wrapper function to calculate EAP-PAX MAC. |
| 91 | */ |
| 92 | int eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len, |
| 93 | const u8 *data1, size_t data1_len, |
| 94 | const u8 *data2, size_t data2_len, |
| 95 | const u8 *data3, size_t data3_len, |
| 96 | u8 *mac) |
| 97 | { |
| 98 | u8 hash[SHA1_MAC_LEN]; |
| 99 | const u8 *addr[3]; |
| 100 | size_t len[3]; |
| 101 | size_t count; |
| 102 | |
| 103 | /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ |
| 104 | if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) |
| 105 | return -1; |
| 106 | |
| 107 | addr[0] = data1; |
| 108 | len[0] = data1_len; |
| 109 | addr[1] = data2; |
| 110 | len[1] = data2_len; |
| 111 | addr[2] = data3; |
| 112 | len[2] = data3_len; |
| 113 | |
| 114 | count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0); |
| 115 | hmac_sha1_vector(key, key_len, count, addr, len, hash); |
| 116 | os_memcpy(mac, hash, EAP_PAX_MAC_LEN); |
| 117 | |
| 118 | return 0; |
| 119 | } |
| 120 | |
| 121 | |
| 122 | /** |
| 123 | * eap_pax_initial_key_derivation - EAP-PAX initial key derivation |
| 124 | * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported |
| 125 | * @ak: Authentication Key |
| 126 | * @e: Entropy |
| 127 | * @mk: Buffer for the derived Master Key |
| 128 | * @ck: Buffer for the derived Confirmation Key |
| 129 | * @ick: Buffer for the derived Integrity Check Key |
| 130 | * Returns: 0 on success, -1 on failure |
| 131 | */ |
| 132 | int eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e, |
| 133 | u8 *mk, u8 *ck, u8 *ick) |
| 134 | { |
| 135 | wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation"); |
| 136 | if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key", |
| 137 | e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) || |
| 138 | eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key", |
| 139 | e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) || |
| 140 | eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key", |
| 141 | e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick)) |
| 142 | return -1; |
| 143 | |
| 144 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN); |
| 145 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN); |
| 146 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN); |
| 147 | wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN); |
| 148 | |
| 149 | return 0; |
| 150 | } |