2 * EAP server/peer: EAP-EKE shared routines
3 * Copyright (c) 2011-2013, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/aes.h"
13 #include "crypto/aes_wrap.h"
14 #include "crypto/crypto.h"
15 #include "crypto/dh_groups.h"
16 #include "crypto/random.h"
17 #include "crypto/sha1.h"
18 #include "crypto/sha256.h"
19 #include "eap_common/eap_defs.h"
20 #include "eap_eke_common.h"
23 static int eap_eke_dh_len(u8 group)
26 case EAP_EKE_DHGROUP_EKE_2:
28 case EAP_EKE_DHGROUP_EKE_5:
30 case EAP_EKE_DHGROUP_EKE_14:
32 case EAP_EKE_DHGROUP_EKE_15:
34 case EAP_EKE_DHGROUP_EKE_16:
42 static int eap_eke_dhcomp_len(u8 dhgroup, u8 encr)
46 dhlen = eap_eke_dh_len(dhgroup);
47 if (dhlen < 0 || encr != EAP_EKE_ENCR_AES128_CBC)
49 return AES_BLOCK_SIZE + dhlen;
53 static const struct dh_group * eap_eke_dh_group(u8 group)
56 case EAP_EKE_DHGROUP_EKE_2:
57 return dh_groups_get(2);
58 case EAP_EKE_DHGROUP_EKE_5:
59 return dh_groups_get(5);
60 case EAP_EKE_DHGROUP_EKE_14:
61 return dh_groups_get(14);
62 case EAP_EKE_DHGROUP_EKE_15:
63 return dh_groups_get(15);
64 case EAP_EKE_DHGROUP_EKE_16:
65 return dh_groups_get(16);
72 static int eap_eke_dh_generator(u8 group)
75 case EAP_EKE_DHGROUP_EKE_2:
77 case EAP_EKE_DHGROUP_EKE_5:
79 case EAP_EKE_DHGROUP_EKE_14:
81 case EAP_EKE_DHGROUP_EKE_15:
83 case EAP_EKE_DHGROUP_EKE_16:
91 static int eap_eke_pnonce_len(u8 mac)
95 if (mac == EAP_EKE_MAC_HMAC_SHA1)
96 mac_len = SHA1_MAC_LEN;
97 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
98 mac_len = SHA256_MAC_LEN;
102 return AES_BLOCK_SIZE + 16 + mac_len;
106 static int eap_eke_pnonce_ps_len(u8 mac)
110 if (mac == EAP_EKE_MAC_HMAC_SHA1)
111 mac_len = SHA1_MAC_LEN;
112 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
113 mac_len = SHA256_MAC_LEN;
117 return AES_BLOCK_SIZE + 2 * 16 + mac_len;
121 static int eap_eke_prf_len(u8 prf)
123 if (prf == EAP_EKE_PRF_HMAC_SHA1)
125 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
131 static int eap_eke_nonce_len(u8 prf)
135 prf_len = eap_eke_prf_len(prf);
139 if (prf_len > 2 * 16)
140 return (prf_len + 1) / 2;
146 static int eap_eke_auth_len(u8 prf)
149 case EAP_EKE_PRF_HMAC_SHA1:
151 case EAP_EKE_PRF_HMAC_SHA2_256:
152 return SHA256_MAC_LEN;
159 int eap_eke_dh_init(u8 group, u8 *ret_priv, u8 *ret_pub)
163 const struct dh_group *dh;
165 generator = eap_eke_dh_generator(group);
166 dh = eap_eke_dh_group(group);
167 if (generator < 0 || generator > 255 || !dh)
171 if (crypto_dh_init(gen, dh->prime, dh->prime_len, ret_priv,
174 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: DH private value",
175 ret_priv, dh->prime_len);
176 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DH public value",
177 ret_pub, dh->prime_len);
183 static int eap_eke_prf(u8 prf, const u8 *key, size_t key_len, const u8 *data,
184 size_t data_len, const u8 *data2, size_t data2_len,
199 if (prf == EAP_EKE_PRF_HMAC_SHA1)
200 return hmac_sha1_vector(key, key_len, num_elem, addr, len, res);
201 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
202 return hmac_sha256_vector(key, key_len, num_elem, addr, len,
208 static int eap_eke_prf_hmac_sha1(const u8 *key, size_t key_len, const u8 *data,
209 size_t data_len, u8 *res, size_t len)
211 u8 hash[SHA1_MAC_LEN];
219 vlen[0] = SHA1_MAC_LEN;
228 ret = hmac_sha1_vector(key, key_len, 2, &addr[1],
231 ret = hmac_sha1_vector(key, key_len, 3, addr, vlen,
235 if (len > SHA1_MAC_LEN) {
236 os_memcpy(res, hash, SHA1_MAC_LEN);
240 os_memcpy(res, hash, len);
249 static int eap_eke_prf_hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
250 size_t data_len, u8 *res, size_t len)
252 u8 hash[SHA256_MAC_LEN];
260 vlen[0] = SHA256_MAC_LEN;
269 ret = hmac_sha256_vector(key, key_len, 2, &addr[1],
272 ret = hmac_sha256_vector(key, key_len, 3, addr, vlen,
276 if (len > SHA256_MAC_LEN) {
277 os_memcpy(res, hash, SHA256_MAC_LEN);
278 res += SHA256_MAC_LEN;
279 len -= SHA256_MAC_LEN;
281 os_memcpy(res, hash, len);
290 static int eap_eke_prfplus(u8 prf, const u8 *key, size_t key_len,
291 const u8 *data, size_t data_len, u8 *res, size_t len)
293 if (prf == EAP_EKE_PRF_HMAC_SHA1)
294 return eap_eke_prf_hmac_sha1(key, key_len, data, data_len, res,
296 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
297 return eap_eke_prf_hmac_sha256(key, key_len, data, data_len,
303 int eap_eke_derive_key(struct eap_eke_session *sess,
304 const u8 *password, size_t password_len,
305 const u8 *id_s, size_t id_s_len, const u8 *id_p,
306 size_t id_p_len, u8 *key)
308 u8 zeros[EAP_EKE_MAX_HASH_LEN];
309 u8 temp[EAP_EKE_MAX_HASH_LEN];
310 size_t key_len = 16; /* Only AES-128-CBC is used here */
313 /* temp = prf(0+, password) */
314 os_memset(zeros, 0, sess->prf_len);
315 if (eap_eke_prf(sess->prf, zeros, sess->prf_len,
316 password, password_len, NULL, 0, temp) < 0)
318 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: temp = prf(0+, password)",
319 temp, sess->prf_len);
321 /* key = prf+(temp, ID_S | ID_P) */
322 id = os_malloc(id_s_len + id_p_len);
325 os_memcpy(id, id_s, id_s_len);
326 os_memcpy(id + id_s_len, id_p, id_p_len);
327 wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: ID_S | ID_P",
328 id, id_s_len + id_p_len);
329 if (eap_eke_prfplus(sess->prf, temp, sess->prf_len,
330 id, id_s_len + id_p_len, key, key_len) < 0) {
335 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: key = prf+(temp, ID_S | ID_P)",
342 int eap_eke_dhcomp(struct eap_eke_session *sess, const u8 *key, const u8 *dhpub,
345 u8 pub[EAP_EKE_MAX_DH_LEN];
347 u8 iv[AES_BLOCK_SIZE];
349 dh_len = eap_eke_dh_len(sess->dhgroup);
354 * DHComponent = Encr(key, y)
356 * All defined DH groups use primes that have length devisible by 16, so
357 * no need to do extra padding for y (= pub).
359 if (sess->encr != EAP_EKE_ENCR_AES128_CBC)
361 if (random_get_bytes(iv, AES_BLOCK_SIZE))
363 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Encr(key, y)",
365 os_memcpy(pub, dhpub, dh_len);
366 if (aes_128_cbc_encrypt(key, iv, pub, dh_len) < 0)
368 os_memcpy(ret_dhcomp, iv, AES_BLOCK_SIZE);
369 os_memcpy(ret_dhcomp + AES_BLOCK_SIZE, pub, dh_len);
370 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent = Encr(key, y)",
371 ret_dhcomp, AES_BLOCK_SIZE + dh_len);
377 int eap_eke_shared_secret(struct eap_eke_session *sess, const u8 *key,
378 const u8 *dhpriv, const u8 *peer_dhcomp)
380 u8 zeros[EAP_EKE_MAX_HASH_LEN];
381 u8 peer_pub[EAP_EKE_MAX_DH_LEN];
382 u8 modexp[EAP_EKE_MAX_DH_LEN];
384 const struct dh_group *dh;
386 dh = eap_eke_dh_group(sess->dhgroup);
387 if (sess->encr != EAP_EKE_ENCR_AES128_CBC || !dh)
390 /* Decrypt peer DHComponent */
391 os_memcpy(peer_pub, peer_dhcomp + AES_BLOCK_SIZE, dh->prime_len);
392 if (aes_128_cbc_decrypt(key, peer_dhcomp, peer_pub, dh->prime_len) < 0) {
393 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt DHComponent");
396 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted peer DH pubkey",
397 peer_pub, dh->prime_len);
399 /* SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p)) */
401 if (crypto_dh_derive_secret(*dh->generator, dh->prime, dh->prime_len,
402 NULL, 0, dhpriv, dh->prime_len, peer_pub,
403 dh->prime_len, modexp, &len) < 0)
405 if (len < dh->prime_len) {
406 size_t pad = dh->prime_len - len;
407 os_memmove(modexp + pad, modexp, len);
408 os_memset(modexp, 0, pad);
411 os_memset(zeros, 0, sess->auth_len);
412 if (eap_eke_prf(sess->prf, zeros, sess->auth_len, modexp, dh->prime_len,
413 NULL, 0, sess->shared_secret) < 0)
415 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: SharedSecret",
416 sess->shared_secret, sess->auth_len);
422 int eap_eke_derive_ke_ki(struct eap_eke_session *sess,
423 const u8 *id_s, size_t id_s_len,
424 const u8 *id_p, size_t id_p_len)
426 u8 buf[EAP_EKE_MAX_KE_LEN + EAP_EKE_MAX_KI_LEN];
427 size_t ke_len, ki_len;
430 const char *label = "EAP-EKE Keys";
434 * Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P)
435 * Ke = encryption key
436 * Ki = integrity protection key
437 * Length of each key depends on the selected algorithms.
440 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
445 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
447 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
452 label_len = os_strlen(label);
453 data_len = label_len + id_s_len + id_p_len;
454 data = os_malloc(data_len);
457 os_memcpy(data, label, label_len);
458 os_memcpy(data + label_len, id_s, id_s_len);
459 os_memcpy(data + label_len + id_s_len, id_p, id_p_len);
460 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
461 data, data_len, buf, ke_len + ki_len) < 0) {
466 os_memcpy(sess->ke, buf, ke_len);
467 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ke", sess->ke, ke_len);
468 os_memcpy(sess->ki, buf + ke_len, ki_len);
469 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ki", sess->ki, ki_len);
476 int eap_eke_derive_ka(struct eap_eke_session *sess,
477 const u8 *id_s, size_t id_s_len,
478 const u8 *id_p, size_t id_p_len,
479 const u8 *nonce_p, const u8 *nonce_s)
483 const char *label = "EAP-EKE Ka";
487 * Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P |
489 * Ka = authentication key
490 * Length of the key depends on the selected algorithms.
493 label_len = os_strlen(label);
494 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
495 data = os_malloc(data_len);
499 os_memcpy(pos, label, label_len);
501 os_memcpy(pos, id_s, id_s_len);
503 os_memcpy(pos, id_p, id_p_len);
505 os_memcpy(pos, nonce_p, sess->nonce_len);
506 pos += sess->nonce_len;
507 os_memcpy(pos, nonce_s, sess->nonce_len);
508 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
509 data, data_len, sess->ka, sess->prf_len) < 0) {
515 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka", sess->ka, sess->prf_len);
521 int eap_eke_derive_msk(struct eap_eke_session *sess,
522 const u8 *id_s, size_t id_s_len,
523 const u8 *id_p, size_t id_p_len,
524 const u8 *nonce_p, const u8 *nonce_s,
529 const char *label = "EAP-EKE Exported Keys";
531 u8 buf[EAP_MSK_LEN + EAP_EMSK_LEN];
534 * MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S |
535 * ID_P | Nonce_P | Nonce_S)
538 label_len = os_strlen(label);
539 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
540 data = os_malloc(data_len);
544 os_memcpy(pos, label, label_len);
546 os_memcpy(pos, id_s, id_s_len);
548 os_memcpy(pos, id_p, id_p_len);
550 os_memcpy(pos, nonce_p, sess->nonce_len);
551 pos += sess->nonce_len;
552 os_memcpy(pos, nonce_s, sess->nonce_len);
553 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
554 data, data_len, buf, EAP_MSK_LEN + EAP_EMSK_LEN) <
561 os_memcpy(msk, buf, EAP_MSK_LEN);
562 os_memcpy(emsk, buf + EAP_MSK_LEN, EAP_EMSK_LEN);
563 os_memset(buf, 0, sizeof(buf));
565 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: MSK", msk, EAP_MSK_LEN);
566 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: EMSK", msk, EAP_EMSK_LEN);
572 static int eap_eke_mac(u8 mac, const u8 *key, const u8 *data, size_t data_len,
575 if (mac == EAP_EKE_MAC_HMAC_SHA1)
576 return hmac_sha1(key, SHA1_MAC_LEN, data, data_len, res);
577 if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
578 return hmac_sha256(key, SHA256_MAC_LEN, data, data_len, res);
583 int eap_eke_prot(struct eap_eke_session *sess,
584 const u8 *data, size_t data_len,
585 u8 *prot, size_t *prot_len)
587 size_t block_size, icv_len, pad;
590 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
591 block_size = AES_BLOCK_SIZE;
595 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
596 icv_len = SHA1_MAC_LEN;
597 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
598 icv_len = SHA256_MAC_LEN;
602 pad = data_len % block_size;
604 pad = block_size - pad;
606 if (*prot_len < block_size + data_len + pad + icv_len) {
607 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data");
612 if (random_get_bytes(pos, block_size))
615 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Prot()", iv, block_size);
619 os_memcpy(pos, data, data_len);
622 if (random_get_bytes(pos, pad))
627 if (aes_128_cbc_encrypt(sess->ke, iv, e, data_len + pad) < 0 ||
628 eap_eke_mac(sess->mac, sess->ki, e, data_len + pad, pos) < 0)
632 *prot_len = pos - prot;
637 int eap_eke_decrypt_prot(struct eap_eke_session *sess,
638 const u8 *prot, size_t prot_len,
639 u8 *data, size_t *data_len)
641 size_t block_size, icv_len;
642 u8 icv[EAP_EKE_MAX_HASH_LEN];
644 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
645 block_size = AES_BLOCK_SIZE;
649 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
650 icv_len = SHA1_MAC_LEN;
651 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
652 icv_len = SHA256_MAC_LEN;
656 if (prot_len < 2 * block_size + icv_len ||
657 (prot_len - icv_len) % block_size)
660 if (eap_eke_mac(sess->mac, sess->ki, prot + block_size,
661 prot_len - block_size - icv_len, icv) < 0)
663 if (os_memcmp_const(icv, prot + prot_len - icv_len, icv_len) != 0) {
664 wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data");
668 if (*data_len < prot_len - block_size - icv_len) {
669 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for decrypted Prot() data");
673 *data_len = prot_len - block_size - icv_len;
674 os_memcpy(data, prot + block_size, *data_len);
675 if (aes_128_cbc_decrypt(sess->ke, prot, data, *data_len) < 0) {
676 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt Prot() data");
679 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted Prot() data",
686 int eap_eke_auth(struct eap_eke_session *sess, const char *label,
687 const struct wpabuf *msgs, u8 *auth)
689 wpa_printf(MSG_DEBUG, "EAP-EKE: Auth(%s)", label);
690 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka for Auth",
691 sess->ka, sess->auth_len);
692 wpa_hexdump_buf(MSG_MSGDUMP, "EAP-EKE: Messages for Auth", msgs);
693 return eap_eke_prf(sess->prf, sess->ka, sess->auth_len,
694 (const u8 *) label, os_strlen(label),
695 wpabuf_head(msgs), wpabuf_len(msgs), auth);
699 int eap_eke_session_init(struct eap_eke_session *sess, u8 dhgroup, u8 encr,
702 sess->dhgroup = dhgroup;
707 sess->prf_len = eap_eke_prf_len(prf);
708 sess->nonce_len = eap_eke_nonce_len(prf);
709 sess->auth_len = eap_eke_auth_len(prf);
710 sess->dhcomp_len = eap_eke_dhcomp_len(sess->dhgroup, sess->encr);
711 sess->pnonce_len = eap_eke_pnonce_len(sess->mac);
712 sess->pnonce_ps_len = eap_eke_pnonce_ps_len(sess->mac);
713 if (sess->prf_len < 0 || sess->nonce_len < 0 || sess->auth_len < 0 ||
714 sess->dhcomp_len < 0 || sess->pnonce_len < 0 ||
715 sess->pnonce_ps_len < 0)
722 void eap_eke_session_clean(struct eap_eke_session *sess)
724 os_memset(sess->shared_secret, 0, EAP_EKE_MAX_HASH_LEN);
725 os_memset(sess->ke, 0, EAP_EKE_MAX_KE_LEN);
726 os_memset(sess->ki, 0, EAP_EKE_MAX_KI_LEN);
727 os_memset(sess->ka, 0, EAP_EKE_MAX_KA_LEN);