DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP-FAST: Moved common peer/server functionality into a shared file

Browse source
This commit is contained in:
Jouni Malinen 2008-02-27 17:57:19 -08:00
parent a4819630f6
commit 7f4c1d4300
4 changed files with 298 additions and 451 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

261
src/eap_common/eap_fast_common.c
View file

@ -15,6 +15,10 @@
#include "includes.h" #include "includes.h"
#include "common.h" #include "common.h"
#include "sha1.h"
#include "tls.h"
#include "eap_defs.h"
#include "eap_tlv_common.h"
#include "eap_fast_common.h" #include "eap_fast_common.h"
@ -41,3 +45,260 @@ void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type,
eap_fast_put_tlv_hdr(buf, type, wpabuf_len(data)); eap_fast_put_tlv_hdr(buf, type, wpabuf_len(data));
wpabuf_put_buf(buf, data); wpabuf_put_buf(buf, data);
} }
struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
{
struct wpabuf *e;
if (buf == NULL)
return NULL;
/* Encapsulate EAP packet in EAP-Payload TLV */
wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");
e = wpabuf_alloc(sizeof(struct pac_tlv_hdr) + wpabuf_len(buf));
if (e == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
"for TLV encapsulation");
wpabuf_free(buf);
return NULL;
}
eap_fast_put_tlv_buf(e,
EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV,
buf);
wpabuf_free(buf);
return e;
}
void eap_fast_derive_master_secret(const u8 *pac_key, const u8 *server_random,
const u8 *client_random, u8 *master_secret)
{
#define TLS_RANDOM_LEN 32
#define TLS_MASTER_SECRET_LEN 48
u8 seed[2 * TLS_RANDOM_LEN];
wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
client_random, TLS_RANDOM_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
server_random, TLS_RANDOM_LEN);
/*
* RFC 4851, Section 5.1:
* master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
* server_random + client_random, 48)
*/
os_memcpy(seed, server_random, TLS_RANDOM_LEN);
os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
"PAC to master secret label hash",
seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
master_secret, TLS_MASTER_SECRET_LEN);
}
u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
const char *label, size_t len)
{
struct tls_keys keys;
u8 *rnd = NULL, *out;
int block_size;
block_size = tls_connection_get_keyblock_size(ssl_ctx, conn);
if (block_size < 0)
return NULL;
out = os_malloc(block_size + len);
if (out == NULL)
return NULL;
if (tls_connection_prf(ssl_ctx, conn, label, 1, out, block_size + len)
== 0) {
os_memmove(out, out + block_size, len);
return out;
}
if (tls_connection_get_keys(ssl_ctx, conn, &keys))
goto fail;
rnd = os_malloc(keys.client_random_len + keys.server_random_len);
if (rnd == NULL)
goto fail;
os_memcpy(rnd, keys.server_random, keys.server_random_len);
os_memcpy(rnd + keys.server_random_len, keys.client_random,
keys.client_random_len);
wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
"expansion", keys.master_key, keys.master_key_len);
if (tls_prf(keys.master_key, keys.master_key_len,
label, rnd, keys.client_random_len +
keys.server_random_len, out, block_size + len))
goto fail;
os_free(rnd);
os_memmove(out, out + block_size, len);
return out;
fail:
os_free(rnd);
os_free(out);
return NULL;
}
void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk)
{
/*
* RFC 4851, Section 5.4: EAP Master Session Key Generation
* MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
*/
sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
"Session Key Generating Function", (u8 *) "", 0,
msk, EAP_FAST_KEY_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
msk, EAP_FAST_KEY_LEN);
}
void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk)
{
/*
* RFC 4851, Section 5.4: EAP Master Session Key Genreration
* EMSK = T-PRF(S-IMCK[j],
* "Extended Session Key Generating Function", 64)
*/
sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
"Extended Session Key Generating Function", (u8 *) "", 0,
emsk, EAP_EMSK_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
emsk, EAP_EMSK_LEN);
}
int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
int tlv_type, u8 *pos, int len)
{
switch (tlv_type) {
case EAP_TLV_EAP_PAYLOAD_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
pos, len);
if (tlv->eap_payload_tlv) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"EAP-Payload TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->eap_payload_tlv = pos;
tlv->eap_payload_tlv_len = len;
break;
case EAP_TLV_RESULT_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
if (tlv->result) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Result TLV in the message");
tlv->result = EAP_TLV_RESULT_FAILURE;
return -2;
}
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Result TLV");
tlv->result = EAP_TLV_RESULT_FAILURE;
break;
}
tlv->result = WPA_GET_BE16(pos);
if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
tlv->result != EAP_TLV_RESULT_FAILURE) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
tlv->result);
tlv->result = EAP_TLV_RESULT_FAILURE;
}
wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
tlv->result == EAP_TLV_RESULT_SUCCESS ?
"Success" : "Failure");
break;
case EAP_TLV_INTERMEDIATE_RESULT_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
pos, len);
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Intermediate-Result TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
break;
}
if (tlv->iresult) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Intermediate-Result TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->iresult = WPA_GET_BE16(pos);
if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
tlv->iresult != EAP_TLV_RESULT_FAILURE) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
"Result %d", tlv->iresult);
tlv->iresult = EAP_TLV_RESULT_FAILURE;
}
wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
"Success" : "Failure");
break;
case EAP_TLV_CRYPTO_BINDING_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
pos, len);
if (tlv->crypto_binding) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Crypto-Binding TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Crypto-Binding TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->crypto_binding = (struct eap_tlv_crypto_binding__tlv *)
(pos - sizeof(struct eap_tlv_hdr));
break;
case EAP_TLV_REQUEST_ACTION_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
pos, len);
if (tlv->request_action) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Request-Action TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Request-Action TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
break;
}
tlv->request_action = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
tlv->request_action);
break;
case EAP_TLV_PAC_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
if (tlv->pac) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"PAC TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->pac = pos;
tlv->pac_len = len;
break;
default:
/* Unknown TLV */
return -1;
}
return 0;
}

22
src/eap_common/eap_fast_common.h
View file

@ -84,11 +84,33 @@ struct eap_fast_key_block_provisioning {
struct wpabuf; struct wpabuf;
struct tls_connection;
struct eap_fast_tlv_parse {
u8 *eap_payload_tlv;
size_t eap_payload_tlv_len;
struct eap_tlv_crypto_binding__tlv *crypto_binding;
size_t crypto_binding_len;
int iresult;
int result;
int request_action;
u8 *pac;
size_t pac_len;
};
void eap_fast_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len); void eap_fast_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len);
void eap_fast_put_tlv(struct wpabuf *buf, u16 type, const void *data, void eap_fast_put_tlv(struct wpabuf *buf, u16 type, const void *data,
u16 len); u16 len);
void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type, void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type,
const struct wpabuf *data); const struct wpabuf *data);
struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf);
void eap_fast_derive_master_secret(const u8 *pac_key, const u8 *server_random,
const u8 *client_random, u8 *master_secret);
u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
const char *label, size_t len);
void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk);
void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk);
int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
int tlv_type, u8 *pos, int len);
#endif /* EAP_FAST_H */ #endif /* EAP_FAST_H */

204
src/eap_peer/eap_fast.c
View file

@ -80,9 +80,6 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
u8 *master_secret) u8 *master_secret)
{ {
struct eap_fast_data *data = ctx; struct eap_fast_data *data = ctx;
#define TLS_RANDOM_LEN 32
#define TLS_MASTER_SECRET_LEN 48
u8 seed[2 * TLS_RANDOM_LEN];
wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback");
@ -101,10 +98,6 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
} }
wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket", ticket, len); wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket", ticket, len);
wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
client_random, TLS_RANDOM_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
server_random, TLS_RANDOM_LEN);
if (data->current_pac == NULL) { if (data->current_pac == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key available for " wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key available for "
@ -113,19 +106,9 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
return 0; return 0;
} }
/* eap_fast_derive_master_secret(data->current_pac->pac_key,
* RFC 4851, Section 5.1: server_random, client_random,
* master_secret = T-PRF(PAC-Key, "PAC to master secret label hash", master_secret);
* server_random + client_random, 48)
*/
os_memcpy(seed, server_random, TLS_RANDOM_LEN);
os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
sha1_t_prf(data->current_pac->pac_key, EAP_FAST_PAC_KEY_LEN,
"PAC to master secret label hash",
seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
master_secret, TLS_MASTER_SECRET_LEN);
data->session_ticket_used = 1; data->session_ticket_used = 1;
@ -268,74 +251,13 @@ static void eap_fast_deinit(struct eap_sm *sm, void *priv)
static int eap_fast_derive_msk(struct eap_fast_data *data) static int eap_fast_derive_msk(struct eap_fast_data *data)
{ {
/* Derive EAP Master Session Keys (section 5.4) */ eap_fast_derive_eap_msk(data->simck, data->key_data);
sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, eap_fast_derive_eap_emsk(data->simck, data->emsk);
"Session Key Generating Function", (u8 *) "", 0,
data->key_data, EAP_FAST_KEY_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
data->key_data, EAP_FAST_KEY_LEN);
sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
"Extended Session Key Generating Function",
(u8 *) "", 0, data->emsk, EAP_EMSK_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
data->emsk, EAP_EMSK_LEN);
data->success = 1; data->success = 1;
return 0; return 0;
} }
static u8 * eap_fast_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
char *label, size_t len)
{
struct tls_keys keys;
u8 *rnd = NULL, *out;
int block_size;
block_size = tls_connection_get_keyblock_size(sm->ssl_ctx, data->conn);
if (block_size < 0)
return NULL;
out = os_malloc(block_size + len);
if (out == NULL)
return NULL;
if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 1, out,
block_size + len) == 0) {
os_memmove(out, out + block_size, len);
return out;
}
if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys))
goto fail;
rnd = os_malloc(keys.client_random_len + keys.server_random_len);
if (rnd == NULL)
goto fail;
os_memcpy(rnd, keys.server_random, keys.server_random_len);
os_memcpy(rnd + keys.server_random_len, keys.client_random,
keys.client_random_len);
wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
"expansion", keys.master_key, keys.master_key_len);
if (tls_prf(keys.master_key, keys.master_key_len,
label, rnd, keys.client_random_len +
keys.server_random_len, out, block_size + len))
goto fail;
os_free(rnd);
os_memmove(out, out + block_size, len);
return out;
fail:
os_free(rnd);
os_free(out);
return NULL;
}
static void eap_fast_derive_key_auth(struct eap_sm *sm, static void eap_fast_derive_key_auth(struct eap_sm *sm,
struct eap_fast_data *data) struct eap_fast_data *data)
{ {
@ -345,7 +267,7 @@ static void eap_fast_derive_key_auth(struct eap_sm *sm,
* Extra key material after TLS key_block: session_key_seed[40] * Extra key material after TLS key_block: session_key_seed[40]
*/ */
sks = eap_fast_derive_key(sm, &data->ssl, "key expansion", sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion",
EAP_FAST_SKS_LEN); EAP_FAST_SKS_LEN);
if (sks == NULL) { if (sks == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
@ -371,7 +293,8 @@ static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
{ {
os_free(data->key_block_p); os_free(data->key_block_p);
data->key_block_p = (struct eap_fast_key_block_provisioning *) data->key_block_p = (struct eap_fast_key_block_provisioning *)
eap_fast_derive_key(sm, &data->ssl, "key expansion", eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
"key expansion",
sizeof(*data->key_block_p)); sizeof(*data->key_block_p));
if (data->key_block_p == NULL) { if (data->key_block_p == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
@ -596,29 +519,6 @@ static struct wpabuf * eap_fast_tlv_pac_ack(void)
} }
static struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
{
struct wpabuf *msg;
if (buf == NULL)
return NULL;
/* Encapsulate EAP packet in EAP Payload TLV */
msg = wpabuf_alloc(sizeof(struct pac_tlv_hdr) + wpabuf_len(buf));
if (msg == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
"for TLV encapsulation");
wpabuf_free(buf);
return NULL;
}
eap_fast_put_tlv_buf(msg,
EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV,
buf);
wpabuf_free(buf);
return msg;
}
static struct wpabuf * eap_fast_process_eap_payload_tlv( static struct wpabuf * eap_fast_process_eap_payload_tlv(
struct eap_sm *sm, struct eap_fast_data *data, struct eap_sm *sm, struct eap_fast_data *data,
struct eap_method_ret *ret, const struct eap_hdr *req, struct eap_method_ret *ret, const struct eap_hdr *req,
@ -1166,94 +1066,6 @@ static struct wpabuf * eap_fast_process_pac(struct eap_sm *sm,
} }
struct eap_fast_tlv_parse {
u8 *eap_payload_tlv;
size_t eap_payload_tlv_len;
u8 *pac;
size_t pac_len;
struct eap_tlv_crypto_binding__tlv *crypto_binding;
size_t crypto_binding_len;
int iresult;
int result;
};
static int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
int tlv_type, u8 *pos, int len)
{
switch (tlv_type) {
case EAP_TLV_EAP_PAYLOAD_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP Payload TLV",
pos, len);
tlv->eap_payload_tlv = pos;
tlv->eap_payload_tlv_len = len;
break;
case EAP_TLV_RESULT_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Result TLV");
tlv->result = EAP_TLV_RESULT_FAILURE;
break;
}
tlv->result = WPA_GET_BE16(pos);
if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
tlv->result != EAP_TLV_RESULT_FAILURE) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
tlv->result);
tlv->result = EAP_TLV_RESULT_FAILURE;
}
wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
tlv->result == EAP_TLV_RESULT_SUCCESS ?
"Success" : "Failure");
break;
case EAP_TLV_INTERMEDIATE_RESULT_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
pos, len);
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Intermediate Result TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
break;
}
tlv->iresult = WPA_GET_BE16(pos);
if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
tlv->iresult != EAP_TLV_RESULT_FAILURE) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
"Result %d", tlv->iresult);
tlv->iresult = EAP_TLV_RESULT_FAILURE;
}
wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
"Success" : "Failure");
break;
case EAP_TLV_CRYPTO_BINDING_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
pos, len);
tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Crypto-Binding TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->crypto_binding = (struct eap_tlv_crypto_binding__tlv *)
(pos - sizeof(struct eap_tlv_hdr));
break;
case EAP_TLV_PAC_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
tlv->pac = pos;
tlv->pac_len = len;
break;
default:
/* Unknown TLV */
return -1;
}
return 0;
}
static int eap_fast_parse_decrypted(struct wpabuf *decrypted, static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
struct eap_fast_tlv_parse *tlv, struct eap_fast_tlv_parse *tlv,
struct wpabuf **resp) struct wpabuf **resp)

262
src/eap_server/eap_fast.c
View file

@ -128,9 +128,6 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
u8 *master_secret) u8 *master_secret)
{ {
struct eap_fast_data *data = ctx; struct eap_fast_data *data = ctx;
#define TLS_RANDOM_LEN 32
#define TLS_MASTER_SECRET_LEN 48
u8 seed[2 * TLS_RANDOM_LEN];
const u8 *pac_opaque; const u8 *pac_opaque;
size_t pac_opaque_len; size_t pac_opaque_len;
u8 *buf, *pos, *end, *pac_key = NULL; u8 *buf, *pos, *end, *pac_key = NULL;
@ -142,10 +139,6 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback");
wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)", wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)",
ticket, len); ticket, len);
wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
client_random, TLS_RANDOM_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
server_random, TLS_RANDOM_LEN);
if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid " wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid "
@ -259,19 +252,8 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
if (lifetime - now.sec < PAC_KEY_REFRESH_TIME) if (lifetime - now.sec < PAC_KEY_REFRESH_TIME)
data->send_new_pac = 1; data->send_new_pac = 1;
/* eap_fast_derive_master_secret(pac_key, server_random, client_random,
* RFC 4851, Section 5.1: master_secret);
* master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
* server_random + client_random, 48)
*/
os_memcpy(seed, server_random, TLS_RANDOM_LEN);
os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
"PAC to master secret label hash",
seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
master_secret, TLS_MASTER_SECRET_LEN);
os_free(buf); os_free(buf);
@ -279,55 +261,6 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
} }
static u8 * eap_fast_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
char *label, size_t len)
{
struct tls_keys keys;
u8 *rnd = NULL, *out;
int block_size;
block_size = tls_connection_get_keyblock_size(sm->ssl_ctx, data->conn);
if (block_size < 0)
return NULL;
out = os_malloc(block_size + len);
if (out == NULL)
return NULL;
if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 1, out,
block_size + len) == 0) {
os_memmove(out, out + block_size, len);
return out;
}
if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys))
goto fail;
rnd = os_malloc(keys.client_random_len + keys.server_random_len);
if (rnd == NULL)
goto fail;
os_memcpy(rnd, keys.server_random, keys.server_random_len);
os_memcpy(rnd + keys.server_random_len, keys.client_random,
keys.client_random_len);
wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
"expansion", keys.master_key, keys.master_key_len);
if (tls_prf(keys.master_key, keys.master_key_len,
label, rnd, keys.client_random_len +
keys.server_random_len, out, block_size + len))
goto fail;
os_free(rnd);
os_memmove(out, out + block_size, len);
return out;
fail:
os_free(rnd);
os_free(out);
return NULL;
}
static void eap_fast_derive_key_auth(struct eap_sm *sm, static void eap_fast_derive_key_auth(struct eap_sm *sm,
struct eap_fast_data *data) struct eap_fast_data *data)
{ {
@ -337,7 +270,7 @@ static void eap_fast_derive_key_auth(struct eap_sm *sm,
* Extra key material after TLS key_block: session_key_seed[40] * Extra key material after TLS key_block: session_key_seed[40]
*/ */
sks = eap_fast_derive_key(sm, &data->ssl, "key expansion", sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion",
EAP_FAST_SKS_LEN); EAP_FAST_SKS_LEN);
if (sks == NULL) { if (sks == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
@ -363,7 +296,8 @@ static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
{ {
os_free(data->key_block_p); os_free(data->key_block_p);
data->key_block_p = (struct eap_fast_key_block_provisioning *) data->key_block_p = (struct eap_fast_key_block_provisioning *)
eap_fast_derive_key(sm, &data->ssl, "key expansion", eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
"key expansion",
sizeof(*data->key_block_p)); sizeof(*data->key_block_p));
if (data->key_block_p == NULL) { if (data->key_block_p == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
@ -653,30 +587,6 @@ static struct wpabuf * eap_fast_encrypt(struct eap_sm *sm,
} }
static struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
{
struct wpabuf *e;
if (buf == NULL)
return NULL;
/* Encapsulate EAP packet in EAP-Payload TLV */
wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");
e = wpabuf_alloc(sizeof(struct pac_tlv_hdr) + wpabuf_len(buf));
if (e == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
"for TLV encapsulation");
wpabuf_free(buf);
return NULL;
}
eap_fast_put_tlv_buf(e,
EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV,
buf);
wpabuf_free(buf);
return e;
}
static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm, static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm,
struct eap_fast_data *data, struct eap_fast_data *data,
u8 id) u8 id)
@ -1121,144 +1031,6 @@ static void eap_fast_process_phase2_eap(struct eap_sm *sm,
} }
struct eap_fast_tlv_parse {
u8 *eap_payload_tlv;
size_t eap_payload_tlv_len;
struct eap_tlv_crypto_binding__tlv *crypto_binding;
size_t crypto_binding_len;
int iresult;
int result;
int request_action;
u8 *pac;
size_t pac_len;
};
static int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
int tlv_type, u8 *pos, int len)
{
switch (tlv_type) {
case EAP_TLV_EAP_PAYLOAD_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
pos, len);
if (tlv->eap_payload_tlv) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"EAP-Payload TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->eap_payload_tlv = pos;
tlv->eap_payload_tlv_len = len;
break;
case EAP_TLV_RESULT_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
if (tlv->result) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Result TLV in the message");
tlv->result = EAP_TLV_RESULT_FAILURE;
return -2;
}
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Result TLV");
tlv->result = EAP_TLV_RESULT_FAILURE;
break;
}
tlv->result = WPA_GET_BE16(pos);
if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
tlv->result != EAP_TLV_RESULT_FAILURE) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
tlv->result);
tlv->result = EAP_TLV_RESULT_FAILURE;
}
wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
tlv->result == EAP_TLV_RESULT_SUCCESS ?
"Success" : "Failure");
break;
case EAP_TLV_INTERMEDIATE_RESULT_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
pos, len);
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Intermediate-Result TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
break;
}
if (tlv->iresult) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Intermediate-Result TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->iresult = WPA_GET_BE16(pos);
if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
tlv->iresult != EAP_TLV_RESULT_FAILURE) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
"Result %d", tlv->iresult);
tlv->iresult = EAP_TLV_RESULT_FAILURE;
}
wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
"Success" : "Failure");
break;
case EAP_TLV_CRYPTO_BINDING_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
pos, len);
if (tlv->crypto_binding) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Crypto-Binding TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Crypto-Binding TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->crypto_binding = (struct eap_tlv_crypto_binding__tlv *)
(pos - sizeof(struct eap_tlv_hdr));
break;
case EAP_TLV_REQUEST_ACTION_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
pos, len);
if (tlv->request_action) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"Request-Action TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
if (len < 2) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
"Request-Action TLV");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
break;
}
tlv->request_action = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
tlv->request_action);
break;
case EAP_TLV_PAC_TLV:
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
if (tlv->pac) {
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
"PAC TLV in the message");
tlv->iresult = EAP_TLV_RESULT_FAILURE;
return -2;
}
tlv->pac = pos;
tlv->pac_len = len;
break;
default:
/* Unknown TLV */
return -1;
}
return 0;
}
static int eap_fast_parse_tlvs(u8 *data, size_t data_len, static int eap_fast_parse_tlvs(u8 *data, size_t data_len,
struct eap_fast_tlv_parse *tlv) struct eap_fast_tlv_parse *tlv)
{ {
@ -1696,20 +1468,11 @@ static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len)
if (data->state != SUCCESS) if (data->state != SUCCESS)
return NULL; return NULL;
/*
* RFC 4851, Section 5.4: EAP Master Session Key Genreration
* MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
*/
eapKeyData = os_malloc(EAP_FAST_KEY_LEN); eapKeyData = os_malloc(EAP_FAST_KEY_LEN);
if (eapKeyData == NULL) if (eapKeyData == NULL)
return NULL; return NULL;
sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, eap_fast_derive_eap_msk(data->simck, eapKeyData);
"Session Key Generating Function", (u8 *) "", 0,
eapKeyData, EAP_FAST_KEY_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
eapKeyData, EAP_FAST_KEY_LEN);
*len = EAP_FAST_KEY_LEN; *len = EAP_FAST_KEY_LEN;
return eapKeyData; return eapKeyData;
@ -1724,22 +1487,11 @@ static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
if (data->state != SUCCESS) if (data->state != SUCCESS)
return NULL; return NULL;
/*
* RFC 4851, Section 5.4: EAP Master Session Key Genreration
* EMSK = T-PRF(S-IMCK[j],
* "Extended Session Key Generating Function", 64)
*/
eapKeyData = os_malloc(EAP_EMSK_LEN); eapKeyData = os_malloc(EAP_EMSK_LEN);
if (eapKeyData == NULL) if (eapKeyData == NULL)
return NULL; return NULL;
sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, eap_fast_derive_eap_emsk(data->simck, eapKeyData);
"Extended Session Key Generating Function",
(u8 *) "", 0, eapKeyData, EAP_EMSK_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
eapKeyData, EAP_EMSK_LEN);
*len = EAP_EMSK_LEN; *len = EAP_EMSK_LEN;
return eapKeyData; return eapKeyData;