From 7251f0badc7028448d935d3247ff53fdb5c57b54 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 26 Dec 2018 16:37:49 +0200 Subject: [PATCH] mka: Extend CAK/CKN-from-EAP-MSK API to pass in MSK length This can be used to allow 256-bit key hierarchy to be derived from EAP-based authentication. For now, the MSK length is hardcoded to 128 bits, so the previous behavior is maintained. Signed-off-by: Jouni Malinen --- src/pae/ieee802_1x_kay.c | 4 ++-- src/pae/ieee802_1x_kay_i.h | 7 ++++--- src/pae/ieee802_1x_key.c | 23 +++++++++++------------ src/pae/ieee802_1x_key.h | 10 +++++----- wpa_supplicant/wpas_kay.c | 9 ++++----- 5 files changed, 26 insertions(+), 27 deletions(-) diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 3127bf63c..a8b3fc2ae 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -66,8 +66,8 @@ static struct mka_alg mka_alg_tbl[] = { .icv_len = DEFAULT_ICV_LEN, - .cak_trfm = ieee802_1x_cak_128bits_aes_cmac, - .ckn_trfm = ieee802_1x_ckn_128bits_aes_cmac, + .cak_trfm = ieee802_1x_cak_aes_cmac, + .ckn_trfm = ieee802_1x_ckn_aes_cmac, .kek_trfm = ieee802_1x_kek_aes_cmac, .ick_trfm = ieee802_1x_ick_aes_cmac, .icv_hash = ieee802_1x_icv_aes_cmac, diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h index 9799f6251..06eaacfa6 100644 --- a/src/pae/ieee802_1x_kay_i.h +++ b/src/pae/ieee802_1x_kay_i.h @@ -68,9 +68,10 @@ struct mka_alg { u8 parameter[4]; size_t icv_len; - int (*cak_trfm)(const u8 *msk, const u8 *mac1, const u8 *mac2, u8 *cak); - int (*ckn_trfm)(const u8 *msk, const u8 *mac1, const u8 *mac2, - const u8 *sid, size_t sid_len, u8 *ckn); + int (*cak_trfm)(const u8 *msk, size_t msk_bytes, const u8 *mac1, + const u8 *mac2, u8 *cak, size_t cak_bytes); + int (*ckn_trfm)(const u8 *msk, size_t msk_bytes, const u8 *mac1, + const u8 *mac2, const u8 *sid, size_t sid_len, u8 *ckn); int (*kek_trfm)(const u8 *cak, size_t cak_bytes, const u8 *ckn, size_t ckn_len, u8 *kek, size_t kek_bytes); diff --git a/src/pae/ieee802_1x_key.c b/src/pae/ieee802_1x_key.c index 4fafba83a..d63ca7f70 100644 --- a/src/pae/ieee802_1x_key.c +++ b/src/pae/ieee802_1x_key.c @@ -82,33 +82,32 @@ static int aes_kdf(const u8 *kdk, size_t kdk_bits, } -/********** AES-CMAC-128 **********/ /** - * ieee802_1x_cak_128bits_aes_cmac + * ieee802_1x_cak_aes_cmac * * IEEE Std 802.1X-2010, 6.2.2 * CAK = KDF(Key, Label, mac1 | mac2, CAKlength) */ -int ieee802_1x_cak_128bits_aes_cmac(const u8 *msk, const u8 *mac1, - const u8 *mac2, u8 *cak) +int ieee802_1x_cak_aes_cmac(const u8 *msk, size_t msk_bytes, const u8 *mac1, + const u8 *mac2, u8 *cak, size_t cak_bytes) { u8 context[2 * ETH_ALEN]; joint_two_mac(mac1, mac2, context); - return aes_kdf(msk, 128, "IEEE8021 EAP CAK", - context, sizeof(context) * 8, 128, cak); + return aes_kdf(msk, 8 * msk_bytes, "IEEE8021 EAP CAK", + context, sizeof(context) * 8, 8 * cak_bytes, cak); } /** - * ieee802_1x_ckn_128bits_aes_cmac + * ieee802_1x_ckn_aes_cmac * * IEEE Std 802.1X-2010, 6.2.2 * CKN = KDF(Key, Label, ID | mac1 | mac2, CKNlength) */ -int ieee802_1x_ckn_128bits_aes_cmac(const u8 *msk, const u8 *mac1, - const u8 *mac2, const u8 *sid, - size_t sid_bytes, u8 *ckn) +int ieee802_1x_ckn_aes_cmac(const u8 *msk, size_t msk_bytes, const u8 *mac1, + const u8 *mac2, const u8 *sid, + size_t sid_bytes, u8 *ckn) { int res; u8 *context; @@ -122,8 +121,8 @@ int ieee802_1x_ckn_128bits_aes_cmac(const u8 *msk, const u8 *mac1, os_memcpy(context, sid, sid_bytes); joint_two_mac(mac1, mac2, context + sid_bytes); - res = aes_kdf(msk, 128, "IEEE8021 EAP CKN", context, ctx_len * 8, - 128, ckn); + res = aes_kdf(msk, 8 * msk_bytes, "IEEE8021 EAP CKN", + context, ctx_len * 8, 128, ckn); os_free(context); return res; } diff --git a/src/pae/ieee802_1x_key.h b/src/pae/ieee802_1x_key.h index dc6603a17..1f9058de5 100644 --- a/src/pae/ieee802_1x_key.h +++ b/src/pae/ieee802_1x_key.h @@ -9,11 +9,11 @@ #ifndef IEEE802_1X_KEY_H #define IEEE802_1X_KEY_H -int ieee802_1x_cak_128bits_aes_cmac(const u8 *msk, const u8 *mac1, - const u8 *mac2, u8 *cak); -int ieee802_1x_ckn_128bits_aes_cmac(const u8 *msk, const u8 *mac1, - const u8 *mac2, const u8 *sid, - size_t sid_bytes, u8 *ckn); +int ieee802_1x_cak_aes_cmac(const u8 *msk, size_t msk_bytes, const u8 *mac1, + const u8 *mac2, u8 *cak, size_t cak_bytes); +int ieee802_1x_ckn_aes_cmac(const u8 *msk, size_t msk_bytes, const u8 *mac1, + const u8 *mac2, const u8 *sid, + size_t sid_bytes, u8 *ckn); int ieee802_1x_kek_aes_cmac(const u8 *cak, size_t cak_bytes, const u8 *ckn, size_t ckn_bytes, u8 *kek, size_t kek_bytes); int ieee802_1x_ick_aes_cmac(const u8 *cak, size_t cak_bytes, const u8 *ckn, diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index 707e5bb6d..41477d514 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -357,8 +357,8 @@ void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s, /* Derive CAK from MSK */ cak->len = DEFAULT_KEY_LEN; - if (ieee802_1x_cak_128bits_aes_cmac(msk->key, wpa_s->own_addr, - peer_addr, cak->key)) { + if (ieee802_1x_cak_aes_cmac(msk->key, msk->len, wpa_s->own_addr, + peer_addr, cak->key, cak->len)) { wpa_printf(MSG_ERROR, "IEEE 802.1X: Deriving CAK failed"); goto fail; @@ -367,9 +367,8 @@ void * ieee802_1x_notify_create_actor(struct wpa_supplicant *wpa_s, /* Derive CKN from MSK */ ckn->len = DEFAULT_CKN_LEN; - if (ieee802_1x_ckn_128bits_aes_cmac(msk->key, wpa_s->own_addr, - peer_addr, sid, sid_len, - ckn->name)) { + if (ieee802_1x_ckn_aes_cmac(msk->key, msk->len, wpa_s->own_addr, + peer_addr, sid, sid_len, ckn->name)) { wpa_printf(MSG_ERROR, "IEEE 802.1X: Deriving CKN failed"); goto fail;