1 /*
2  * EAP server/peer: EAP-EKE shared routines
3  * Copyright (c) 2011-2013, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/aes.h"
13 #include "crypto/aes_wrap.h"
14 #include "crypto/crypto.h"
15 #include "crypto/dh_groups.h"
16 #include "crypto/random.h"
17 #include "crypto/sha1.h"
18 #include "crypto/sha256.h"
19 #include "eap_common/eap_defs.h"
20 #include "eap_eke_common.h"
21 
22 
eap_eke_dh_len(u8 group)23 static int eap_eke_dh_len(u8 group)
24 {
25           switch (group) {
26           case EAP_EKE_DHGROUP_EKE_2:
27                     return 128;
28           case EAP_EKE_DHGROUP_EKE_5:
29                     return 192;
30           case EAP_EKE_DHGROUP_EKE_14:
31                     return 256;
32           case EAP_EKE_DHGROUP_EKE_15:
33                     return 384;
34           case EAP_EKE_DHGROUP_EKE_16:
35                     return 512;
36           }
37 
38           return -1;
39 }
40 
41 
eap_eke_dhcomp_len(u8 dhgroup,u8 encr)42 static int eap_eke_dhcomp_len(u8 dhgroup, u8 encr)
43 {
44           int dhlen;
45 
46           dhlen = eap_eke_dh_len(dhgroup);
47           if (dhlen < 0 || encr != EAP_EKE_ENCR_AES128_CBC)
48                     return -1;
49           return AES_BLOCK_SIZE + dhlen;
50 }
51 
52 
eap_eke_dh_group(u8 group)53 static const struct dh_group * eap_eke_dh_group(u8 group)
54 {
55           switch (group) {
56           case EAP_EKE_DHGROUP_EKE_2:
57                     return dh_groups_get(2);
58           case EAP_EKE_DHGROUP_EKE_5:
59                     return dh_groups_get(5);
60           case EAP_EKE_DHGROUP_EKE_14:
61                     return dh_groups_get(14);
62           case EAP_EKE_DHGROUP_EKE_15:
63                     return dh_groups_get(15);
64           case EAP_EKE_DHGROUP_EKE_16:
65                     return dh_groups_get(16);
66           }
67 
68           return NULL;
69 }
70 
71 
eap_eke_dh_generator(u8 group)72 static int eap_eke_dh_generator(u8 group)
73 {
74           switch (group) {
75           case EAP_EKE_DHGROUP_EKE_2:
76                     return 5;
77           case EAP_EKE_DHGROUP_EKE_5:
78                     return 31;
79           case EAP_EKE_DHGROUP_EKE_14:
80                     return 11;
81           case EAP_EKE_DHGROUP_EKE_15:
82                     return 5;
83           case EAP_EKE_DHGROUP_EKE_16:
84                     return 5;
85           }
86 
87           return -1;
88 }
89 
90 
eap_eke_pnonce_len(u8 mac)91 static int eap_eke_pnonce_len(u8 mac)
92 {
93           int mac_len;
94 
95           if (mac == EAP_EKE_MAC_HMAC_SHA1)
96                     mac_len = SHA1_MAC_LEN;
97           else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
98                     mac_len = SHA256_MAC_LEN;
99           else
100                     return -1;
101 
102           return AES_BLOCK_SIZE + 16 + mac_len;
103 }
104 
105 
eap_eke_pnonce_ps_len(u8 mac)106 static int eap_eke_pnonce_ps_len(u8 mac)
107 {
108           int mac_len;
109 
110           if (mac == EAP_EKE_MAC_HMAC_SHA1)
111                     mac_len = SHA1_MAC_LEN;
112           else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
113                     mac_len = SHA256_MAC_LEN;
114           else
115                     return -1;
116 
117           return AES_BLOCK_SIZE + 2 * 16 + mac_len;
118 }
119 
120 
eap_eke_prf_len(u8 prf)121 static int eap_eke_prf_len(u8 prf)
122 {
123           if (prf == EAP_EKE_PRF_HMAC_SHA1)
124                     return 20;
125           if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
126                     return 32;
127           return -1;
128 }
129 
130 
eap_eke_nonce_len(u8 prf)131 static int eap_eke_nonce_len(u8 prf)
132 {
133           int prf_len;
134 
135           prf_len = eap_eke_prf_len(prf);
136           if (prf_len < 0)
137                     return -1;
138 
139           if (prf_len > 2 * 16)
140                     return (prf_len + 1) / 2;
141 
142           return 16;
143 }
144 
145 
eap_eke_auth_len(u8 prf)146 static int eap_eke_auth_len(u8 prf)
147 {
148           switch (prf) {
149           case EAP_EKE_PRF_HMAC_SHA1:
150                     return SHA1_MAC_LEN;
151           case EAP_EKE_PRF_HMAC_SHA2_256:
152                     return SHA256_MAC_LEN;
153           }
154 
155           return -1;
156 }
157 
158 
eap_eke_dh_init(u8 group,u8 * ret_priv,u8 * ret_pub)159 int eap_eke_dh_init(u8 group, u8 *ret_priv, u8 *ret_pub)
160 {
161           int generator;
162           u8 gen;
163           const struct dh_group *dh;
164 
165           generator = eap_eke_dh_generator(group);
166           dh = eap_eke_dh_group(group);
167           if (generator < 0 || generator > 255 || !dh)
168                     return -1;
169           gen = generator;
170 
171           if (crypto_dh_init(gen, dh->prime, dh->prime_len, ret_priv,
172                                  ret_pub) < 0)
173                     return -1;
174           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: DH private value",
175                               ret_priv, dh->prime_len);
176           wpa_hexdump(MSG_DEBUG, "EAP-EKE: DH public value",
177                         ret_pub, dh->prime_len);
178 
179           return 0;
180 }
181 
182 
eap_eke_prf(u8 prf,const u8 * key,size_t key_len,const u8 * data,size_t data_len,const u8 * data2,size_t data2_len,u8 * res)183 static int eap_eke_prf(u8 prf, const u8 *key, size_t key_len, const u8 *data,
184                            size_t data_len, const u8 *data2, size_t data2_len,
185                            u8 *res)
186 {
187           const u8 *addr[2];
188           size_t len[2];
189           size_t num_elem = 1;
190 
191           addr[0] = data;
192           len[0] = data_len;
193           if (data2) {
194                     num_elem++;
195                     addr[1] = data2;
196                     len[1] = data2_len;
197           }
198 
199           if (prf == EAP_EKE_PRF_HMAC_SHA1)
200                     return hmac_sha1_vector(key, key_len, num_elem, addr, len, res);
201           if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
202                     return hmac_sha256_vector(key, key_len, num_elem, addr, len,
203                                                     res);
204           return -1;
205 }
206 
207 
eap_eke_prf_hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)208 static int eap_eke_prf_hmac_sha1(const u8 *key, size_t key_len, const u8 *data,
209                                          size_t data_len, u8 *res, size_t len)
210 {
211           u8 hash[SHA1_MAC_LEN];
212           u8 idx;
213           const u8 *addr[3];
214           size_t vlen[3];
215           int ret;
216 
217           idx = 0;
218           addr[0] = hash;
219           vlen[0] = SHA1_MAC_LEN;
220           addr[1] = data;
221           vlen[1] = data_len;
222           addr[2] = &idx;
223           vlen[2] = 1;
224 
225           while (len > 0) {
226                     idx++;
227                     if (idx == 1)
228                               ret = hmac_sha1_vector(key, key_len, 2, &addr[1],
229                                                          &vlen[1], hash);
230                     else
231                               ret = hmac_sha1_vector(key, key_len, 3, addr, vlen,
232                                                          hash);
233                     if (ret < 0)
234                               return -1;
235                     if (len > SHA1_MAC_LEN) {
236                               os_memcpy(res, hash, SHA1_MAC_LEN);
237                               res += SHA1_MAC_LEN;
238                               len -= SHA1_MAC_LEN;
239                     } else {
240                               os_memcpy(res, hash, len);
241                               len = 0;
242                     }
243           }
244 
245           return 0;
246 }
247 
248 
eap_eke_prf_hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)249 static int eap_eke_prf_hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
250                                            size_t data_len, u8 *res, size_t len)
251 {
252           u8 hash[SHA256_MAC_LEN];
253           u8 idx;
254           const u8 *addr[3];
255           size_t vlen[3];
256           int ret;
257 
258           idx = 0;
259           addr[0] = hash;
260           vlen[0] = SHA256_MAC_LEN;
261           addr[1] = data;
262           vlen[1] = data_len;
263           addr[2] = &idx;
264           vlen[2] = 1;
265 
266           while (len > 0) {
267                     idx++;
268                     if (idx == 1)
269                               ret = hmac_sha256_vector(key, key_len, 2, &addr[1],
270                                                              &vlen[1], hash);
271                     else
272                               ret = hmac_sha256_vector(key, key_len, 3, addr, vlen,
273                                                              hash);
274                     if (ret < 0)
275                               return -1;
276                     if (len > SHA256_MAC_LEN) {
277                               os_memcpy(res, hash, SHA256_MAC_LEN);
278                               res += SHA256_MAC_LEN;
279                               len -= SHA256_MAC_LEN;
280                     } else {
281                               os_memcpy(res, hash, len);
282                               len = 0;
283                     }
284           }
285 
286           return 0;
287 }
288 
289 
eap_eke_prfplus(u8 prf,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * res,size_t len)290 static int eap_eke_prfplus(u8 prf, const u8 *key, size_t key_len,
291                                  const u8 *data, size_t data_len, u8 *res, size_t len)
292 {
293           if (prf == EAP_EKE_PRF_HMAC_SHA1)
294                     return eap_eke_prf_hmac_sha1(key, key_len, data, data_len, res,
295                                                        len);
296           if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
297                     return eap_eke_prf_hmac_sha256(key, key_len, data, data_len,
298                                                          res, len);
299           return -1;
300 }
301 
302 
eap_eke_derive_key(struct eap_eke_session * sess,const u8 * password,size_t password_len,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,u8 * key)303 int eap_eke_derive_key(struct eap_eke_session *sess,
304                            const u8 *password, size_t password_len,
305                            const u8 *id_s, size_t id_s_len, const u8 *id_p,
306                            size_t id_p_len, u8 *key)
307 {
308           u8 zeros[EAP_EKE_MAX_HASH_LEN];
309           u8 temp[EAP_EKE_MAX_HASH_LEN];
310           size_t key_len = 16; /* Only AES-128-CBC is used here */
311           u8 *id;
312 
313           /* temp = prf(0+, password) */
314           os_memset(zeros, 0, sess->prf_len);
315           if (eap_eke_prf(sess->prf, zeros, sess->prf_len,
316                               password, password_len, NULL, 0, temp) < 0)
317                     return -1;
318           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: temp = prf(0+, password)",
319                               temp, sess->prf_len);
320 
321           /* key = prf+(temp, ID_S | ID_P) */
322           id = os_malloc(id_s_len + id_p_len);
323           if (id == NULL)
324                     return -1;
325           os_memcpy(id, id_s, id_s_len);
326           os_memcpy(id + id_s_len, id_p, id_p_len);
327           wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: ID_S | ID_P",
328                                 id, id_s_len + id_p_len);
329           if (eap_eke_prfplus(sess->prf, temp, sess->prf_len,
330                                   id, id_s_len + id_p_len, key, key_len) < 0) {
331                     os_free(id);
332                     return -1;
333           }
334           os_free(id);
335           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: key = prf+(temp, ID_S | ID_P)",
336                               key, key_len);
337 
338           return 0;
339 }
340 
341 
eap_eke_dhcomp(struct eap_eke_session * sess,const u8 * key,const u8 * dhpub,u8 * ret_dhcomp)342 int eap_eke_dhcomp(struct eap_eke_session *sess, const u8 *key, const u8 *dhpub,
343                        u8 *ret_dhcomp)
344 {
345           u8 pub[EAP_EKE_MAX_DH_LEN];
346           int dh_len;
347           u8 iv[AES_BLOCK_SIZE];
348 
349           dh_len = eap_eke_dh_len(sess->dhgroup);
350           if (dh_len < 0)
351                     return -1;
352 
353           /*
354            * DHComponent = Encr(key, y)
355            *
356            * All defined DH groups use primes that have length devisible by 16, so
357            * no need to do extra padding for y (= pub).
358            */
359           if (sess->encr != EAP_EKE_ENCR_AES128_CBC)
360                     return -1;
361           if (random_get_bytes(iv, AES_BLOCK_SIZE))
362                     return -1;
363           wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Encr(key, y)",
364                         iv, AES_BLOCK_SIZE);
365           os_memcpy(pub, dhpub, dh_len);
366           if (aes_128_cbc_encrypt(key, iv, pub, dh_len) < 0)
367                     return -1;
368           os_memcpy(ret_dhcomp, iv, AES_BLOCK_SIZE);
369           os_memcpy(ret_dhcomp + AES_BLOCK_SIZE, pub, dh_len);
370           wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent = Encr(key, y)",
371                         ret_dhcomp, AES_BLOCK_SIZE + dh_len);
372 
373           return 0;
374 }
375 
376 
eap_eke_shared_secret(struct eap_eke_session * sess,const u8 * key,const u8 * dhpriv,const u8 * peer_dhcomp)377 int eap_eke_shared_secret(struct eap_eke_session *sess, const u8 *key,
378                                 const u8 *dhpriv, const u8 *peer_dhcomp)
379 {
380           u8 zeros[EAP_EKE_MAX_HASH_LEN];
381           u8 peer_pub[EAP_EKE_MAX_DH_LEN];
382           u8 modexp[EAP_EKE_MAX_DH_LEN];
383           size_t len;
384           const struct dh_group *dh;
385 
386           dh = eap_eke_dh_group(sess->dhgroup);
387           if (sess->encr != EAP_EKE_ENCR_AES128_CBC || !dh)
388                     return -1;
389 
390           /* Decrypt peer DHComponent */
391           os_memcpy(peer_pub, peer_dhcomp + AES_BLOCK_SIZE, dh->prime_len);
392           if (aes_128_cbc_decrypt(key, peer_dhcomp, peer_pub, dh->prime_len) < 0) {
393                     wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt DHComponent");
394                     return -1;
395           }
396           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted peer DH pubkey",
397                               peer_pub, dh->prime_len);
398 
399           /* SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p)) */
400           len = dh->prime_len;
401           if (crypto_dh_derive_secret(*dh->generator, dh->prime, dh->prime_len,
402                                             NULL, 0, dhpriv, dh->prime_len, peer_pub,
403                                             dh->prime_len, modexp, &len) < 0)
404                     return -1;
405           if (len < dh->prime_len) {
406                     size_t pad = dh->prime_len - len;
407                     os_memmove(modexp + pad, modexp, len);
408                     os_memset(modexp, 0, pad);
409           }
410 
411           os_memset(zeros, 0, sess->auth_len);
412           if (eap_eke_prf(sess->prf, zeros, sess->auth_len, modexp, dh->prime_len,
413                               NULL, 0, sess->shared_secret) < 0)
414                     return -1;
415           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: SharedSecret",
416                               sess->shared_secret, sess->auth_len);
417 
418           return 0;
419 }
420 
421 
eap_eke_derive_ke_ki(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len)422 int eap_eke_derive_ke_ki(struct eap_eke_session *sess,
423                                const u8 *id_s, size_t id_s_len,
424                                const u8 *id_p, size_t id_p_len)
425 {
426           u8 buf[EAP_EKE_MAX_KE_LEN + EAP_EKE_MAX_KI_LEN];
427           size_t ke_len, ki_len;
428           u8 *data;
429           size_t data_len;
430           const char *label = "EAP-EKE Keys";
431           size_t label_len;
432 
433           /*
434            * Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P)
435            * Ke = encryption key
436            * Ki = integrity protection key
437            * Length of each key depends on the selected algorithms.
438            */
439 
440           if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
441                     ke_len = 16;
442           else
443                     return -1;
444 
445           if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
446                     ki_len = 20;
447           else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
448                     ki_len = 32;
449           else
450                     return -1;
451 
452           label_len = os_strlen(label);
453           data_len = label_len + id_s_len + id_p_len;
454           data = os_malloc(data_len);
455           if (data == NULL)
456                     return -1;
457           os_memcpy(data, label, label_len);
458           os_memcpy(data + label_len, id_s, id_s_len);
459           os_memcpy(data + label_len + id_s_len, id_p, id_p_len);
460           if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
461                                   data, data_len, buf, ke_len + ki_len) < 0) {
462                     os_free(data);
463                     return -1;
464           }
465 
466           os_memcpy(sess->ke, buf, ke_len);
467           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ke", sess->ke, ke_len);
468           os_memcpy(sess->ki, buf + ke_len, ki_len);
469           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ki", sess->ki, ki_len);
470 
471           os_free(data);
472           return 0;
473 }
474 
475 
eap_eke_derive_ka(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,const u8 * nonce_p,const u8 * nonce_s)476 int eap_eke_derive_ka(struct eap_eke_session *sess,
477                           const u8 *id_s, size_t id_s_len,
478                           const u8 *id_p, size_t id_p_len,
479                           const u8 *nonce_p, const u8 *nonce_s)
480 {
481           u8 *data, *pos;
482           size_t data_len;
483           const char *label = "EAP-EKE Ka";
484           size_t label_len;
485 
486           /*
487            * Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P |
488            *             Nonce_S)
489            * Ka = authentication key
490            * Length of the key depends on the selected algorithms.
491            */
492 
493           label_len = os_strlen(label);
494           data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
495           data = os_malloc(data_len);
496           if (data == NULL)
497                     return -1;
498           pos = data;
499           os_memcpy(pos, label, label_len);
500           pos += label_len;
501           os_memcpy(pos, id_s, id_s_len);
502           pos += id_s_len;
503           os_memcpy(pos, id_p, id_p_len);
504           pos += id_p_len;
505           os_memcpy(pos, nonce_p, sess->nonce_len);
506           pos += sess->nonce_len;
507           os_memcpy(pos, nonce_s, sess->nonce_len);
508           if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
509                                   data, data_len, sess->ka, sess->prf_len) < 0) {
510                     os_free(data);
511                     return -1;
512           }
513           os_free(data);
514 
515           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka", sess->ka, sess->prf_len);
516 
517           return 0;
518 }
519 
520 
eap_eke_derive_msk(struct eap_eke_session * sess,const u8 * id_s,size_t id_s_len,const u8 * id_p,size_t id_p_len,const u8 * nonce_p,const u8 * nonce_s,u8 * msk,u8 * emsk)521 int eap_eke_derive_msk(struct eap_eke_session *sess,
522                            const u8 *id_s, size_t id_s_len,
523                            const u8 *id_p, size_t id_p_len,
524                            const u8 *nonce_p, const u8 *nonce_s,
525                            u8 *msk, u8 *emsk)
526 {
527           u8 *data, *pos;
528           size_t data_len;
529           const char *label = "EAP-EKE Exported Keys";
530           size_t label_len;
531           u8 buf[EAP_MSK_LEN + EAP_EMSK_LEN];
532 
533           /*
534            * MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S |
535            *                       ID_P | Nonce_P | Nonce_S)
536            */
537 
538           label_len = os_strlen(label);
539           data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
540           data = os_malloc(data_len);
541           if (data == NULL)
542                     return -1;
543           pos = data;
544           os_memcpy(pos, label, label_len);
545           pos += label_len;
546           os_memcpy(pos, id_s, id_s_len);
547           pos += id_s_len;
548           os_memcpy(pos, id_p, id_p_len);
549           pos += id_p_len;
550           os_memcpy(pos, nonce_p, sess->nonce_len);
551           pos += sess->nonce_len;
552           os_memcpy(pos, nonce_s, sess->nonce_len);
553           if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
554                                   data, data_len, buf, EAP_MSK_LEN + EAP_EMSK_LEN) <
555               0) {
556                     os_free(data);
557                     return -1;
558           }
559           os_free(data);
560 
561           os_memcpy(msk, buf, EAP_MSK_LEN);
562           os_memcpy(emsk, buf + EAP_MSK_LEN, EAP_EMSK_LEN);
563           os_memset(buf, 0, sizeof(buf));
564 
565           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: MSK", msk, EAP_MSK_LEN);
566           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: EMSK", msk, EAP_EMSK_LEN);
567 
568           return 0;
569 }
570 
571 
eap_eke_mac(u8 mac,const u8 * key,const u8 * data,size_t data_len,u8 * res)572 static int eap_eke_mac(u8 mac, const u8 *key, const u8 *data, size_t data_len,
573                            u8 *res)
574 {
575           if (mac == EAP_EKE_MAC_HMAC_SHA1)
576                     return hmac_sha1(key, SHA1_MAC_LEN, data, data_len, res);
577           if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
578                     return hmac_sha256(key, SHA256_MAC_LEN, data, data_len, res);
579           return -1;
580 }
581 
582 
eap_eke_prot(struct eap_eke_session * sess,const u8 * data,size_t data_len,u8 * prot,size_t * prot_len)583 int eap_eke_prot(struct eap_eke_session *sess,
584                      const u8 *data, size_t data_len,
585                      u8 *prot, size_t *prot_len)
586 {
587           size_t block_size, icv_len, pad;
588           u8 *pos, *iv, *e;
589 
590           if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
591                     block_size = AES_BLOCK_SIZE;
592           else
593                     return -1;
594 
595           if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
596                     icv_len = SHA1_MAC_LEN;
597           else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
598                     icv_len = SHA256_MAC_LEN;
599           else
600                     return -1;
601 
602           pad = data_len % block_size;
603           if (pad)
604                     pad = block_size - pad;
605 
606           if (*prot_len < block_size + data_len + pad + icv_len) {
607                     wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data");
608                     return -1;
609           }
610           pos = prot;
611 
612           if (random_get_bytes(pos, block_size))
613                     return -1;
614           iv = pos;
615           wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Prot()", iv, block_size);
616           pos += block_size;
617 
618           e = pos;
619           os_memcpy(pos, data, data_len);
620           pos += data_len;
621           if (pad) {
622                     if (random_get_bytes(pos, pad))
623                               return -1;
624                     pos += pad;
625           }
626 
627           if (aes_128_cbc_encrypt(sess->ke, iv, e, data_len + pad) < 0 ||
628               eap_eke_mac(sess->mac, sess->ki, e, data_len + pad, pos) < 0)
629                     return -1;
630           pos += icv_len;
631 
632           *prot_len = pos - prot;
633           return 0;
634 }
635 
636 
eap_eke_decrypt_prot(struct eap_eke_session * sess,const u8 * prot,size_t prot_len,u8 * data,size_t * data_len)637 int eap_eke_decrypt_prot(struct eap_eke_session *sess,
638                                const u8 *prot, size_t prot_len,
639                                u8 *data, size_t *data_len)
640 {
641           size_t block_size, icv_len;
642           u8 icv[EAP_EKE_MAX_HASH_LEN];
643 
644           if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
645                     block_size = AES_BLOCK_SIZE;
646           else
647                     return -1;
648 
649           if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
650                     icv_len = SHA1_MAC_LEN;
651           else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
652                     icv_len = SHA256_MAC_LEN;
653           else
654                     return -1;
655 
656           if (prot_len < 2 * block_size + icv_len ||
657               (prot_len - icv_len) % block_size)
658                     return -1;
659 
660           if (eap_eke_mac(sess->mac, sess->ki, prot + block_size,
661                               prot_len - block_size - icv_len, icv) < 0)
662                     return -1;
663           if (os_memcmp_const(icv, prot + prot_len - icv_len, icv_len) != 0) {
664                     wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data");
665                     return -1;
666           }
667 
668           if (*data_len < prot_len - block_size - icv_len) {
669                     wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for decrypted Prot() data");
670                     return -1;
671           }
672 
673           *data_len = prot_len - block_size - icv_len;
674           os_memcpy(data, prot + block_size, *data_len);
675           if (aes_128_cbc_decrypt(sess->ke, prot, data, *data_len) < 0) {
676                     wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt Prot() data");
677                     return -1;
678           }
679           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted Prot() data",
680                               data, *data_len);
681 
682           return 0;
683 }
684 
685 
eap_eke_auth(struct eap_eke_session * sess,const char * label,const struct wpabuf * msgs,u8 * auth)686 int eap_eke_auth(struct eap_eke_session *sess, const char *label,
687                      const struct wpabuf *msgs, u8 *auth)
688 {
689           wpa_printf(MSG_DEBUG, "EAP-EKE: Auth(%s)", label);
690           wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka for Auth",
691                               sess->ka, sess->auth_len);
692           wpa_hexdump_buf(MSG_MSGDUMP, "EAP-EKE: Messages for Auth", msgs);
693           return eap_eke_prf(sess->prf, sess->ka, sess->auth_len,
694                                  (const u8 *) label, os_strlen(label),
695                                  wpabuf_head(msgs), wpabuf_len(msgs), auth);
696 }
697 
698 
eap_eke_session_init(struct eap_eke_session * sess,u8 dhgroup,u8 encr,u8 prf,u8 mac)699 int eap_eke_session_init(struct eap_eke_session *sess, u8 dhgroup, u8 encr,
700                                u8 prf, u8 mac)
701 {
702           sess->dhgroup = dhgroup;
703           sess->encr = encr;
704           sess->prf = prf;
705           sess->mac = mac;
706 
707           sess->prf_len = eap_eke_prf_len(prf);
708           sess->nonce_len = eap_eke_nonce_len(prf);
709           sess->auth_len = eap_eke_auth_len(prf);
710           sess->dhcomp_len = eap_eke_dhcomp_len(sess->dhgroup, sess->encr);
711           sess->pnonce_len = eap_eke_pnonce_len(sess->mac);
712           sess->pnonce_ps_len = eap_eke_pnonce_ps_len(sess->mac);
713           if (sess->prf_len < 0 || sess->nonce_len < 0 || sess->auth_len < 0 ||
714               sess->dhcomp_len < 0 || sess->pnonce_len < 0 ||
715               sess->pnonce_ps_len < 0)
716                     return -1;
717 
718           return 0;
719 }
720 
721 
eap_eke_session_clean(struct eap_eke_session * sess)722 void eap_eke_session_clean(struct eap_eke_session *sess)
723 {
724           os_memset(sess->shared_secret, 0, EAP_EKE_MAX_HASH_LEN);
725           os_memset(sess->ke, 0, EAP_EKE_MAX_KE_LEN);
726           os_memset(sess->ki, 0, EAP_EKE_MAX_KI_LEN);
727           os_memset(sess->ka, 0, EAP_EKE_MAX_KA_LEN);
728 }
729