EAP-pwd: Use abstract crypto API
This makes it easier to use EAP-pwd with other crypto libraries than OpenSSL. Signed-off-by: Sean Parkinson <sean@wolfssl.com>
This commit is contained in:
Sean Parkinson
Jouni Malinen
parent
0c3d49afd8
commit
04b1bcc5f3
8 changed files with 319 additions and 541 deletions
|
|
@ -91,91 +91,33 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
const u8 *id_peer, size_t id_peer_len,
|
||||
const u8 *token)
|
||||
{
|
||||
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
struct crypto_hash *hash;
|
||||
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
|
||||
int nid, is_odd, ret = 0;
|
||||
int is_odd, ret = 0;
|
||||
size_t primebytelen, primebitlen;
|
||||
|
||||
switch (num) { /* from IANA registry for IKE D-H groups */
|
||||
case 19:
|
||||
nid = NID_X9_62_prime256v1;
|
||||
break;
|
||||
case 20:
|
||||
nid = NID_secp384r1;
|
||||
break;
|
||||
case 21:
|
||||
nid = NID_secp521r1;
|
||||
break;
|
||||
#ifndef OPENSSL_IS_BORINGSSL
|
||||
case 25:
|
||||
nid = NID_X9_62_prime192v1;
|
||||
break;
|
||||
#endif /* OPENSSL_IS_BORINGSSL */
|
||||
case 26:
|
||||
nid = NID_secp224r1;
|
||||
break;
|
||||
#ifdef NID_brainpoolP224r1
|
||||
case 27:
|
||||
nid = NID_brainpoolP224r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP224r1 */
|
||||
#ifdef NID_brainpoolP256r1
|
||||
case 28:
|
||||
nid = NID_brainpoolP256r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP256r1 */
|
||||
#ifdef NID_brainpoolP384r1
|
||||
case 29:
|
||||
nid = NID_brainpoolP384r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP384r1 */
|
||||
#ifdef NID_brainpoolP512r1
|
||||
case 30:
|
||||
nid = NID_brainpoolP512r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP512r1 */
|
||||
default:
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num);
|
||||
return -1;
|
||||
}
|
||||
struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
|
||||
grp->pwe = NULL;
|
||||
grp->order = NULL;
|
||||
grp->prime = NULL;
|
||||
|
||||
if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP");
|
||||
grp->group = crypto_ec_init(num);
|
||||
if (!grp->group) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (((rnd = BN_new()) == NULL) ||
|
||||
((cofactor = BN_new()) == NULL) ||
|
||||
((grp->pwe = EC_POINT_new(grp->group)) == NULL) ||
|
||||
((grp->order = BN_new()) == NULL) ||
|
||||
((grp->prime = BN_new()) == NULL) ||
|
||||
((x_candidate = BN_new()) == NULL)) {
|
||||
cofactor = crypto_bignum_init();
|
||||
grp->pwe = crypto_ec_point_init(grp->group);
|
||||
if (!cofactor || !grp->pwe) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL))
|
||||
{
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp "
|
||||
"curve");
|
||||
goto fail;
|
||||
}
|
||||
if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve");
|
||||
goto fail;
|
||||
}
|
||||
if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) {
|
||||
if (crypto_ec_cofactor(grp->group, cofactor) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
|
||||
"curve");
|
||||
goto fail;
|
||||
}
|
||||
primebitlen = BN_num_bits(grp->prime);
|
||||
primebytelen = BN_num_bytes(grp->prime);
|
||||
primebitlen = crypto_ec_prime_len_bits(grp->group);
|
||||
primebytelen = crypto_ec_prime_len(grp->group);
|
||||
if ((prfbuf = os_malloc(primebytelen)) == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
|
||||
"buffer");
|
||||
|
|
@ -207,15 +149,25 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
eap_pwd_h_update(hash, &ctr, sizeof(ctr));
|
||||
eap_pwd_h_final(hash, pwe_digest);
|
||||
|
||||
BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);
|
||||
|
||||
crypto_bignum_deinit(rnd, 1);
|
||||
rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN);
|
||||
if (!rnd) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd");
|
||||
goto fail;
|
||||
}
|
||||
if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
|
||||
(u8 *) "EAP-pwd Hunting And Pecking",
|
||||
os_strlen("EAP-pwd Hunting And Pecking"),
|
||||
prfbuf, primebitlen) < 0)
|
||||
goto fail;
|
||||
|
||||
BN_bin2bn(prfbuf, primebytelen, x_candidate);
|
||||
crypto_bignum_deinit(x_candidate, 1);
|
||||
x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
|
||||
if (!x_candidate) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-pwd: unable to create x_candidate");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/*
|
||||
* eap_pwd_kdf() returns a string of bits 0..primebitlen but
|
||||
|
|
@ -224,11 +176,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
* then excessive bits-- those _after_ primebitlen-- so now
|
||||
* we have to shift right the amount we masked off.
|
||||
*/
|
||||
if (primebitlen % 8)
|
||||
BN_rshift(x_candidate, x_candidate,
|
||||
(8 - (primebitlen % 8)));
|
||||
if ((primebitlen % 8) &&
|
||||
crypto_bignum_rshift(x_candidate,
|
||||
(8 - (primebitlen % 8)),
|
||||
x_candidate) < 0)
|
||||
goto fail;
|
||||
|
||||
if (BN_ucmp(x_candidate, grp->prime) >= 0)
|
||||
if (crypto_bignum_cmp(x_candidate,
|
||||
crypto_ec_get_prime(grp->group)) >= 0)
|
||||
continue;
|
||||
|
||||
wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
|
||||
|
|
@ -238,40 +193,38 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
* need to unambiguously identify the solution, if there is
|
||||
* one...
|
||||
*/
|
||||
if (BN_is_odd(rnd))
|
||||
is_odd = 1;
|
||||
else
|
||||
is_odd = 0;
|
||||
is_odd = crypto_bignum_is_odd(rnd);
|
||||
|
||||
/*
|
||||
* solve the quadratic equation, if it's not solvable then we
|
||||
* don't have a point
|
||||
*/
|
||||
if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
|
||||
grp->pwe,
|
||||
x_candidate,
|
||||
is_odd, NULL))
|
||||
if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
|
||||
x_candidate, is_odd) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
* If there's a solution to the equation then the point must be
|
||||
* on the curve so why check again explicitly? OpenSSL code
|
||||
* says this is required by X9.62. We're not X9.62 but it can't
|
||||
* hurt just to be sure.
|
||||
*/
|
||||
if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
|
||||
if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
|
||||
continue;
|
||||
}
|
||||
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!crypto_bignum_is_one(cofactor)) {
|
||||
/* make sure the point is not in a small sub-group */
|
||||
if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
|
||||
cofactor, NULL)) {
|
||||
if (crypto_ec_point_mul(grp->group, grp->pwe,
|
||||
cofactor, grp->pwe) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: cannot "
|
||||
"multiply generator by order");
|
||||
continue;
|
||||
}
|
||||
if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
|
||||
if (crypto_ec_point_is_at_infinity(grp->group,
|
||||
grp->pwe)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: point is at "
|
||||
"infinity");
|
||||
continue;
|
||||
|
|
@ -284,37 +237,38 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
grp->group_num = num;
|
||||
if (0) {
|
||||
fail:
|
||||
EC_GROUP_free(grp->group);
|
||||
crypto_ec_deinit(grp->group);
|
||||
grp->group = NULL;
|
||||
EC_POINT_clear_free(grp->pwe);
|
||||
crypto_ec_point_deinit(grp->pwe, 1);
|
||||
grp->pwe = NULL;
|
||||
BN_clear_free(grp->order);
|
||||
grp->order = NULL;
|
||||
BN_clear_free(grp->prime);
|
||||
grp->prime = NULL;
|
||||
ret = 1;
|
||||
}
|
||||
/* cleanliness and order.... */
|
||||
BN_clear_free(cofactor);
|
||||
BN_clear_free(x_candidate);
|
||||
BN_clear_free(rnd);
|
||||
crypto_bignum_deinit(cofactor, 1);
|
||||
crypto_bignum_deinit(x_candidate, 1);
|
||||
crypto_bignum_deinit(rnd, 1);
|
||||
os_free(prfbuf);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
||||
const BIGNUM *peer_scalar, const BIGNUM *server_scalar,
|
||||
int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
|
||||
const struct crypto_bignum *peer_scalar,
|
||||
const struct crypto_bignum *server_scalar,
|
||||
const u8 *confirm_peer, const u8 *confirm_server,
|
||||
const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id)
|
||||
{
|
||||
struct crypto_hash *hash;
|
||||
u8 mk[SHA256_MAC_LEN], *cruft;
|
||||
u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
|
||||
int offset;
|
||||
size_t prime_len, order_len;
|
||||
|
||||
if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL)
|
||||
prime_len = crypto_ec_prime_len(grp->group);
|
||||
order_len = crypto_ec_order_len(grp->group);
|
||||
|
||||
cruft = os_malloc(prime_len);
|
||||
if (!cruft)
|
||||
return -1;
|
||||
|
||||
/*
|
||||
|
|
@ -328,14 +282,10 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
|||
return -1;
|
||||
}
|
||||
eap_pwd_h_update(hash, (const u8 *) ciphersuite, sizeof(u32));
|
||||
offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar);
|
||||
os_memset(cruft, 0, BN_num_bytes(grp->prime));
|
||||
BN_bn2bin(peer_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
|
||||
offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar);
|
||||
os_memset(cruft, 0, BN_num_bytes(grp->prime));
|
||||
BN_bn2bin(server_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
|
||||
crypto_bignum_to_bin(peer_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
crypto_bignum_to_bin(server_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
eap_pwd_h_final(hash, &session_id[1]);
|
||||
|
||||
/* then compute MK = H(k | confirm-peer | confirm-server) */
|
||||
|
|
@ -344,10 +294,8 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
|||
os_free(cruft);
|
||||
return -1;
|
||||
}
|
||||
offset = BN_num_bytes(grp->prime) - BN_num_bytes(k);
|
||||
os_memset(cruft, 0, BN_num_bytes(grp->prime));
|
||||
BN_bn2bin(k, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->prime));
|
||||
crypto_bignum_to_bin(k, cruft, prime_len, prime_len);
|
||||
eap_pwd_h_update(hash, cruft, prime_len);
|
||||
os_free(cruft);
|
||||
eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN);
|
||||
eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN);
|
||||
|
|
|
|||
|
|
@ -9,20 +9,14 @@
|
|||
#ifndef EAP_PWD_COMMON_H
|
||||
#define EAP_PWD_COMMON_H
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
/*
|
||||
* definition of a finite cyclic group
|
||||
* TODO: support one based on a prime field
|
||||
*/
|
||||
typedef struct group_definition_ {
|
||||
u16 group_num;
|
||||
EC_GROUP *group;
|
||||
EC_POINT *pwe;
|
||||
BIGNUM *order;
|
||||
BIGNUM *prime;
|
||||
struct crypto_ec *group;
|
||||
struct crypto_ec_point *pwe;
|
||||
} EAP_PWD_group;
|
||||
|
||||
/*
|
||||
|
|
@ -61,8 +55,9 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
const u8 *id_server, size_t id_server_len,
|
||||
const u8 *id_peer, size_t id_peer_len,
|
||||
const u8 *token);
|
||||
int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
||||
const BIGNUM *peer_scalar, const BIGNUM *server_scalar,
|
||||
int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
|
||||
const struct crypto_bignum *peer_scalar,
|
||||
const struct crypto_bignum *server_scalar,
|
||||
const u8 *confirm_peer, const u8 *confirm_server,
|
||||
const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id);
|
||||
struct crypto_hash * eap_pwd_h_init(void);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue