Date: Thu, 6 Mar 2008 23:59:01 GMT From: Sam Leffler <sam@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 137038 for review Message-ID: <200803062359.m26Nx1GO059666@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=137038 Change 137038 by sam@sam_ebb on 2008/03/06 23:58:49 import hostapd 0.5.10 Affected files ... .. //depot/projects/vap/contrib/hostapd/ChangeLog#3 edit .. //depot/projects/vap/contrib/hostapd/README#3 edit .. //depot/projects/vap/contrib/hostapd/aes_wrap.c#3 edit .. //depot/projects/vap/contrib/hostapd/aes_wrap.h#3 edit .. //depot/projects/vap/contrib/hostapd/common.c#3 edit .. //depot/projects/vap/contrib/hostapd/common.h#3 edit .. //depot/projects/vap/contrib/hostapd/driver_test.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap.h#3 edit .. //depot/projects/vap/contrib/hostapd/eap_aka.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap_gpsk.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap_gpsk_common.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap_gpsk_common.h#3 edit .. //depot/projects/vap/contrib/hostapd/eap_sim.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap_sim_common.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap_sim_db.c#3 edit .. //depot/projects/vap/contrib/hostapd/eap_tls_common.c#3 edit .. //depot/projects/vap/contrib/hostapd/eapol_sm.c#3 edit .. //depot/projects/vap/contrib/hostapd/hostapd.c#3 edit .. //depot/projects/vap/contrib/hostapd/hostapd.conf#3 edit .. //depot/projects/vap/contrib/hostapd/ieee802_11.c#3 edit .. //depot/projects/vap/contrib/hostapd/ieee802_1x.c#3 edit .. //depot/projects/vap/contrib/hostapd/ieee802_1x.h#3 edit .. //depot/projects/vap/contrib/hostapd/madwifi.conf#3 edit .. //depot/projects/vap/contrib/hostapd/os.h#3 edit .. //depot/projects/vap/contrib/hostapd/os_unix.c#3 edit .. //depot/projects/vap/contrib/hostapd/radius.c#3 edit .. //depot/projects/vap/contrib/hostapd/radius.h#3 edit .. //depot/projects/vap/contrib/hostapd/radius_client.c#3 edit .. //depot/projects/vap/contrib/hostapd/radius_server.c#3 edit .. //depot/projects/vap/contrib/hostapd/tls_openssl.c#3 edit .. //depot/projects/vap/contrib/hostapd/version.h#3 edit .. //depot/projects/vap/contrib/hostapd/wpa.c#3 edit Differences ... ==== //depot/projects/vap/contrib/hostapd/ChangeLog#3 (text+ko) ==== @@ -1,5 +1,25 @@ ChangeLog for hostapd +2008-02-19 - v0.5.10 + * fixed EAP-SIM and EAP-AKA message parser to validate attribute + lengths properly to avoid potential crash caused by invalid messages + * fixed Reassociation Response callback processing when using internal + MLME (driver_{hostap,devicescape,test}.c) + * fixed EAP-SIM/AKA realm processing to allow decorated usernames to + be used + * added a workaround for EAP-SIM/AKA peers that include incorrect null + termination in the username + * fixed EAP-SIM Start response processing for fast reauthentication + case + * copy optional Proxy-State attributes into RADIUS response when acting + as a RADIUS authentication server + +2007-12-02 - v0.5.9 + * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest + draft (draft-ietf-emu-eap-gpsk-07.txt) + * fixed debugging code not to use potentially unaligned read to fetch + IPv4 addresses + 2007-05-28 - v0.5.8 * updated driver_devicescape.c to build with the current wireless-dev.git tree and net/d80211 changes ==== //depot/projects/vap/contrib/hostapd/README#3 (text+ko) ==== @@ -2,7 +2,7 @@ Authenticator and RADIUS authentication server ================================================================ -Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2008, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. This program is dual-licensed under both the GPL version 2 and BSD ==== //depot/projects/vap/contrib/hostapd/aes_wrap.c#3 (text+ko) ==== @@ -7,7 +7,7 @@ * - AES-128 EAX mode encryption/decryption * - AES-128 CBC * - * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> + * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as @@ -34,10 +34,11 @@ /** * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) - * @kek: Key encryption key (KEK) - * @n: Length of the wrapped key in 64-bit units; e.g., 2 = 128-bit = 16 bytes - * @plain: Plaintext key to be wrapped, n * 64 bit - * @cipher: Wrapped key, (n + 1) * 64 bit + * @kek: 16-octet Key encryption key (KEK) + * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 + * bytes + * @plain: Plaintext key to be wrapped, n * 64 bits + * @cipher: Wrapped key, (n + 1) * 64 bits * Returns: 0 on success, -1 on failure */ int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher) @@ -93,9 +94,10 @@ /** * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) * @kek: Key encryption key (KEK) - * @n: Length of the wrapped key in 64-bit units; e.g., 2 = 128-bit = 16 bytes - * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bit - * @plain: Plaintext key, n * 64 bit + * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 + * bytes + * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits + * @plain: Plaintext key, n * 64 bits * Returns: 0 on success, -1 on failure (e.g., integrity verification failed) */ int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain) @@ -167,28 +169,45 @@ /** - * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) + * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 * @key: 128-bit key for the hash operation - * @data: Data buffer for which a MAC is determined - * @data: Length of data buffer in bytes + * @num_elem: Number of elements in the data vector + * @addr: Pointers to the data areas + * @len: Lengths of the data blocks * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) * Returns: 0 on success, -1 on failure */ -int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) +int omac1_aes_128_vector(const u8 *key, size_t num_elem, + const u8 *addr[], const size_t *len, u8 *mac) { void *ctx; u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE]; - const u8 *pos = data; - size_t i, left = data_len; + const u8 *pos, *end; + size_t i, e, left, total_len; ctx = aes_encrypt_init(key, 16); if (ctx == NULL) return -1; os_memset(cbc, 0, BLOCK_SIZE); + total_len = 0; + for (e = 0; e < num_elem; e++) + total_len += len[e]; + left = total_len; + + e = 0; + pos = addr[0]; + end = pos + len[0]; + while (left >= BLOCK_SIZE) { - for (i = 0; i < BLOCK_SIZE; i++) + for (i = 0; i < BLOCK_SIZE; i++) { cbc[i] ^= *pos++; + if (pos >= end) { + e++; + pos = addr[e]; + end = pos + len[e]; + } + } if (left > BLOCK_SIZE) aes_encrypt(ctx, cbc, cbc); left -= BLOCK_SIZE; @@ -198,9 +217,15 @@ aes_encrypt(ctx, pad, pad); gf_mulx(pad); - if (left || data_len == 0) { - for (i = 0; i < left; i++) + if (left || total_len == 0) { + for (i = 0; i < left; i++) { cbc[i] ^= *pos++; + if (pos >= end) { + e++; + pos = addr[e]; + end = pos + len[e]; + } + } cbc[left] ^= 0x80; gf_mulx(pad); } @@ -212,6 +237,24 @@ return 0; } + +/** + * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) + * @key: 128-bit key for the hash operation + * @data: Data buffer for which a MAC is determined + * @data_len: Length of data buffer in bytes + * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) + * Returns: 0 on success, -1 on failure + * + * This is a mode for using block cipher (AES in this case) for authentication. + * OMAC1 was standardized with the name CMAC by NIST in a Special Publication + * (SP) 800-38B. + */ +int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) +{ + return omac1_aes_128_vector(key, 1, &data, &data_len, mac); +} + #endif /* CONFIG_NO_AES_OMAC1 */ ==== //depot/projects/vap/contrib/hostapd/aes_wrap.h#3 (text+ko) ==== @@ -7,7 +7,7 @@ * - AES-128 EAX mode encryption/decryption * - AES-128 CBC * - * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> + * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as @@ -24,6 +24,8 @@ int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher); int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain); +int omac1_aes_128_vector(const u8 *key, size_t num_elem, + const u8 *addr[], const size_t *len, u8 *mac); int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac); int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out); int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce, ==== //depot/projects/vap/contrib/hostapd/common.c#3 (text+ko) ==== @@ -20,7 +20,6 @@ #ifdef CONFIG_DEBUG_FILE static FILE *out_file = NULL; #endif /* CONFIG_DEBUG_FILE */ -int wpa_debug_use_file = 0; int wpa_debug_level = MSG_INFO; int wpa_debug_show_keys = 0; int wpa_debug_timestamp = 0; @@ -344,32 +343,29 @@ } -int wpa_debug_open_file(void) +int wpa_debug_open_file(const char *path) { #ifdef CONFIG_DEBUG_FILE - static int count = 0; - char fname[64]; - if (!wpa_debug_use_file) + if (!path) return 0; -#ifdef _WIN32 - os_snprintf(fname, sizeof(fname), "\\Temp\\wpa_supplicant-log-%d.txt", - count++); -#else /* _WIN32 */ - os_snprintf(fname, sizeof(fname), "/tmp/wpa_supplicant-log-%d.txt", - count++); + out_file = fopen(path, "a"); + if (out_file == NULL) { + wpa_printf(MSG_ERROR, "wpa_debug_open_file: Failed to open " + "output file, using standard output"); + return -1; + } +#ifndef _WIN32 + setvbuf(out_file, NULL, _IOLBF, 0); #endif /* _WIN32 */ - out_file = fopen(fname, "w"); - return out_file == NULL ? -1 : 0; -#else /* CONFIG_DEBUG_FILE */ +#endif /* CONFIG_DEBUG_FILE */ return 0; -#endif /* CONFIG_DEBUG_FILE */ } void wpa_debug_close_file(void) { #ifdef CONFIG_DEBUG_FILE - if (!wpa_debug_use_file) + if (!out_file) return; fclose(out_file); out_file = NULL; ==== //depot/projects/vap/contrib/hostapd/common.h#3 (text+ko) ==== @@ -264,12 +264,12 @@ #define wpa_hexdump_key(l,t,b,le) do { } while (0) #define wpa_hexdump_ascii(l,t,b,le) do { } while (0) #define wpa_hexdump_ascii_key(l,t,b,le) do { } while (0) -#define wpa_debug_open_file() do { } while (0) +#define wpa_debug_open_file(p) do { } while (0) #define wpa_debug_close_file() do { } while (0) #else /* CONFIG_NO_STDOUT_DEBUG */ -int wpa_debug_open_file(void); +int wpa_debug_open_file(const char *path); void wpa_debug_close_file(void); /** ==== //depot/projects/vap/contrib/hostapd/driver_test.c#3 (text+ko) ==== @@ -170,9 +170,10 @@ u16 fc; if (drv->test_socket < 0 || len < 10 || drv->socket_dir == NULL) { - wpa_printf(MSG_DEBUG, "%s: invalid parameters (sock=%d len=%d " - "socket_dir=%p)", - __func__, drv->test_socket, len, drv->socket_dir); + wpa_printf(MSG_DEBUG, "%s: invalid parameters (sock=%d len=%lu" + " socket_dir=%p)", + __func__, drv->test_socket, (unsigned long) len, + drv->socket_dir); return -1; } ==== //depot/projects/vap/contrib/hostapd/eap.c#3 (text+ko) ==== @@ -10,8 +10,6 @@ * license. * * See README and COPYING for more details. - * - * $FreeBSD: src/contrib/hostapd/eap.c,v 1.4 2007/07/09 16:20:41 sam Exp $ */ #include "includes.h" ==== //depot/projects/vap/contrib/hostapd/eap.h#3 (text+ko) ==== @@ -1,5 +1,3 @@ -/* $FreeBSD: src/contrib/hostapd/eap.h,v 1.4 2007/07/09 16:20:41 sam Exp $ */ - /* * hostapd / EAP Standalone Authenticator state machine (RFC 4137) * Copyright (c) 2004-2005, Jouni Malinen <j@w1.fi> ==== //depot/projects/vap/contrib/hostapd/eap_aka.c#3 (text+ko) ==== @@ -1,6 +1,6 @@ /* * hostapd / EAP-AKA (RFC 4187) - * Copyright (c) 2005-2007, Jouni Malinen <j@w1.fi> + * Copyright (c) 2005-2008, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as @@ -124,6 +124,14 @@ sm->identity_len)) { wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0); + } else { + /* + * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is + * ignored and the AKA/Identity is used to request the + * identity. + */ + wpa_printf(MSG_DEBUG, " AT_ANY_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0); } return eap_sim_msg_finish(msg, reqDataLen, NULL, NULL, 0); } @@ -445,10 +453,16 @@ sm->method_pending = METHOD_PENDING_NONE; } + identity_len = sm->identity_len; + while (identity_len > 0 && sm->identity[identity_len - 1] == '\0') { + wpa_printf(MSG_DEBUG, "EAP-AKA: Workaround - drop last null " + "character from identity"); + identity_len--; + } wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity for MK derivation", - sm->identity, sm->identity_len); + sm->identity, identity_len); - eap_aka_derive_mk(sm->identity, sm->identity_len, data->ik, data->ck, + eap_aka_derive_mk(sm->identity, identity_len, data->ik, data->ck, data->mk); eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk, data->emsk); ==== //depot/projects/vap/contrib/hostapd/eap_gpsk.c#3 (text+ko) ==== @@ -1,5 +1,5 @@ /* - * hostapd / EAP-GPSK (draft-ietf-emu-eap-gpsk-03.txt) server + * hostapd / EAP-GPSK (draft-ietf-emu-eap-gpsk-08.txt) server * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify @@ -23,15 +23,15 @@ struct eap_gpsk_data { enum { GPSK_1, GPSK_3, SUCCESS, FAILURE } state; u8 rand_server[EAP_GPSK_RAND_LEN]; - u8 rand_client[EAP_GPSK_RAND_LEN]; + u8 rand_peer[EAP_GPSK_RAND_LEN]; u8 msk[EAP_MSK_LEN]; u8 emsk[EAP_EMSK_LEN]; u8 sk[EAP_GPSK_MAX_SK_LEN]; size_t sk_len; u8 pk[EAP_GPSK_MAX_PK_LEN]; size_t pk_len; - u8 *id_client; - size_t id_client_len; + u8 *id_peer; + size_t id_peer_len; u8 *id_server; size_t id_server_len; #define MAX_NUM_CSUITES 2 @@ -85,17 +85,17 @@ data->csuite_count = 0; if (eap_gpsk_supported_ciphersuite(EAP_GPSK_VENDOR_IETF, EAP_GPSK_CIPHER_AES)) { - WPA_PUT_BE24(data->csuite_list[data->csuite_count].vendor, + WPA_PUT_BE32(data->csuite_list[data->csuite_count].vendor, EAP_GPSK_VENDOR_IETF); - WPA_PUT_BE24(data->csuite_list[data->csuite_count].specifier, + WPA_PUT_BE16(data->csuite_list[data->csuite_count].specifier, EAP_GPSK_CIPHER_AES); data->csuite_count++; } if (eap_gpsk_supported_ciphersuite(EAP_GPSK_VENDOR_IETF, EAP_GPSK_CIPHER_SHA256)) { - WPA_PUT_BE24(data->csuite_list[data->csuite_count].vendor, + WPA_PUT_BE32(data->csuite_list[data->csuite_count].vendor, EAP_GPSK_VENDOR_IETF); - WPA_PUT_BE24(data->csuite_list[data->csuite_count].specifier, + WPA_PUT_BE16(data->csuite_list[data->csuite_count].specifier, EAP_GPSK_CIPHER_SHA256); data->csuite_count++; } @@ -108,7 +108,7 @@ { struct eap_gpsk_data *data = priv; free(data->id_server); - free(data->id_client); + free(data->id_peer); free(data); } @@ -174,8 +174,8 @@ wpa_printf(MSG_DEBUG, "EAP-GPSK: Request/GPSK-3"); miclen = eap_gpsk_mic_len(data->vendor, data->specifier); - len = 1 + 2 * EAP_GPSK_RAND_LEN + sizeof(struct eap_gpsk_csuite) + 2 + - miclen; + len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + data->id_server_len + + sizeof(struct eap_gpsk_csuite) + 2 + miclen; req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, reqDataLen, len, EAP_CODE_REQUEST, id, &pos); if (req == NULL) { @@ -188,13 +188,18 @@ *pos++ = EAP_GPSK_OPCODE_GPSK_3; start = pos; - memcpy(pos, data->rand_client, EAP_GPSK_RAND_LEN); + memcpy(pos, data->rand_peer, EAP_GPSK_RAND_LEN); pos += EAP_GPSK_RAND_LEN; memcpy(pos, data->rand_server, EAP_GPSK_RAND_LEN); pos += EAP_GPSK_RAND_LEN; + WPA_PUT_BE16(pos, data->id_server_len); + pos += 2; + if (data->id_server) + memcpy(pos, data->id_server, data->id_server_len); + pos += data->id_server_len; csuite = (struct eap_gpsk_csuite *) pos; - WPA_PUT_BE24(csuite->vendor, data->vendor); - WPA_PUT_BE24(csuite->specifier, data->specifier); + WPA_PUT_BE32(csuite->vendor, data->vendor); + WPA_PUT_BE16(csuite->specifier, data->specifier); pos += sizeof(*csuite); /* no PD_Payload_2 */ @@ -282,7 +287,7 @@ if (end - pos < 2) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Too short message for " - "ID_Client length"); + "ID_Peer length"); eap_gpsk_state(data, FAILURE); return; } @@ -290,21 +295,21 @@ pos += 2; if (end - pos < alen) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Too short message for " - "ID_Client"); + "ID_Peer"); eap_gpsk_state(data, FAILURE); return; } - free(data->id_client); - data->id_client = malloc(alen); - if (data->id_client == NULL) { + free(data->id_peer); + data->id_peer = malloc(alen); + if (data->id_peer == NULL) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Not enough memory to store " - "%d-octet ID_Client", alen); + "%d-octet ID_Peer", alen); return; } - memcpy(data->id_client, pos, alen); - data->id_client_len = alen; - wpa_hexdump_ascii(MSG_DEBUG, "EAP-GPSK: ID_Client", - data->id_client, data->id_client_len); + memcpy(data->id_peer, pos, alen); + data->id_peer_len = alen; + wpa_hexdump_ascii(MSG_DEBUG, "EAP-GPSK: ID_Peer", + data->id_peer, data->id_peer_len); pos += alen; if (end - pos < 2) { @@ -332,13 +337,13 @@ if (end - pos < EAP_GPSK_RAND_LEN) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Too short message for " - "RAND_Client"); + "RAND_Peer"); eap_gpsk_state(data, FAILURE); return; } - memcpy(data->rand_client, pos, EAP_GPSK_RAND_LEN); - wpa_hexdump(MSG_DEBUG, "EAP-GPSK: RAND_Client", - data->rand_client, EAP_GPSK_RAND_LEN); + memcpy(data->rand_peer, pos, EAP_GPSK_RAND_LEN); + wpa_hexdump(MSG_DEBUG, "EAP-GPSK: RAND_Peer", + data->rand_peer, EAP_GPSK_RAND_LEN); pos += EAP_GPSK_RAND_LEN; if (end - pos < EAP_GPSK_RAND_LEN) { @@ -397,13 +402,13 @@ if (i == data->csuite_count) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Peer selected unsupported " "ciphersuite %d:%d", - WPA_GET_BE24(csuite->vendor), - WPA_GET_BE24(csuite->specifier)); + WPA_GET_BE32(csuite->vendor), + WPA_GET_BE16(csuite->specifier)); eap_gpsk_state(data, FAILURE); return; } - data->vendor = WPA_GET_BE24(csuite->vendor); - data->specifier = WPA_GET_BE24(csuite->specifier); + data->vendor = WPA_GET_BE32(csuite->vendor); + data->specifier = WPA_GET_BE16(csuite->specifier); wpa_printf(MSG_DEBUG, "EAP-GPSK: CSuite_Sel %d:%d", data->vendor, data->specifier); pos += sizeof(*csuite); @@ -434,8 +439,8 @@ if (eap_gpsk_derive_keys(sm->user->password, sm->user->password_len, data->vendor, data->specifier, - data->rand_client, data->rand_server, - data->id_client, data->id_client_len, + data->rand_peer, data->rand_server, + data->id_peer, data->id_peer_len, data->id_server, data->id_server_len, data->msk, data->emsk, data->sk, &data->sk_len, ==== //depot/projects/vap/contrib/hostapd/eap_gpsk_common.c#3 (text+ko) ==== @@ -18,8 +18,9 @@ #include "eap_defs.h" #include "aes_wrap.h" #include "crypto.h" -#include "sha1.h" +#ifdef EAP_GPSK_SHA256 #include "sha256.h" +#endif /* EAP_GPSK_SHA256 */ #include "eap_gpsk_common.h" @@ -43,31 +44,29 @@ } -static int eap_gpsk_gkdf(const u8 *psk /* Y */, size_t psk_len, - const u8 *data /* Z */, size_t data_len, - u8 *buf, size_t len /* X */) +static int eap_gpsk_gkdf_cmac(const u8 *psk /* Y */, + const u8 *data /* Z */, size_t data_len, + u8 *buf, size_t len /* X */) { u8 *opos; size_t i, n, hashlen, left, clen; - u8 ibuf[2], hash[SHA1_MAC_LEN]; - const u8 *addr[3]; - size_t vlen[3]; + u8 ibuf[2], hash[16]; + const u8 *addr[2]; + size_t vlen[2]; - hashlen = SHA1_MAC_LEN; - /* M_i = Hash-Function (i || Y || Z); */ + hashlen = sizeof(hash); + /* M_i = MAC_Y (i || Z); (MAC = AES-CMAC-128) */ addr[0] = ibuf; vlen[0] = sizeof(ibuf); - addr[1] = psk; - vlen[1] = psk_len; - addr[2] = data; - vlen[2] = data_len; + addr[1] = data; + vlen[1] = data_len; opos = buf; left = len; n = (len + hashlen - 1) / hashlen; for (i = 1; i <= n; i++) { WPA_PUT_BE16(ibuf, i); - sha1_vector(3, addr, vlen, hash); + omac1_aes_128_vector(psk, 2, addr, vlen, hash); clen = left > hashlen ? hashlen : left; os_memcpy(opos, hash, clen); opos += clen; @@ -78,112 +77,30 @@ } -static int eap_gpsk_derive_keys_aes(const u8 *psk, size_t psk_len, - const u8 *seed, size_t seed_len, - u8 *msk, u8 *emsk, u8 *sk, size_t *sk_len, - u8 *pk, size_t *pk_len) -{ -#define EAP_GPSK_SK_LEN_AES 16 -#define EAP_GPSK_PK_LEN_AES 16 - u8 zero_string[1], mk[32], *pos, *data; - u8 kdf_out[EAP_MSK_LEN + EAP_EMSK_LEN + EAP_GPSK_SK_LEN_AES + - EAP_GPSK_PK_LEN_AES]; - size_t data_len; - - /* - * inputString = RAND_Client || ID_Client || RAND_Server || ID_Server - * (= seed) - * KS = 16, PL = psk_len, CSuite_Sel = 0x000000 0x000001 - * MK = GKDF-32 (0x00, PL || PSK || CSuite_Sel || inputString) - * MSK = GKDF-160 (MK, inputString)[0..63] - * EMSK = GKDF-160 (MK, inputString)[64..127] - * SK = GKDF-160 (MK, inputString)[128..143] - * PK = GKDF-160 (MK, inputString)[144..159] - * MID = GKDF-16(0x00, "Method ID" || EAP_Method_Type || CSuite_Sel || - * inputString) - * Hash-Function = SHA-1 (see [RFC3174]) - * hashlen = 20 octets (160 bits) - */ - - os_memset(zero_string, 0, sizeof(zero_string)); - - data_len = 2 + psk_len + 6 + seed_len; - data = os_malloc(data_len); - if (data == NULL) - return -1; - pos = data; - WPA_PUT_BE16(pos, psk_len); - pos += 2; - os_memcpy(pos, psk, psk_len); - pos += psk_len; - WPA_PUT_BE24(pos, 0); /* CSuite/Vendor = IETF */ - pos += 3; - WPA_PUT_BE24(pos, EAP_GPSK_CIPHER_AES); /* CSuite/Specifier */ - pos += 3; - os_memcpy(pos, seed, seed_len); /* inputString */ - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: Data to MK derivation (AES)", - data, data_len); - - if (eap_gpsk_gkdf(zero_string, sizeof(zero_string), data, data_len, - mk, sizeof(mk)) < 0) { - os_free(data); - return -1; - } - os_free(data); - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MK", mk, sizeof(mk)); - - if (eap_gpsk_gkdf(mk, sizeof(mk), seed, seed_len, - kdf_out, sizeof(kdf_out)) < 0) - return -1; - - pos = kdf_out; - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MSK", pos, EAP_MSK_LEN); - os_memcpy(msk, pos, EAP_MSK_LEN); - pos += EAP_MSK_LEN; - - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: EMSK", pos, EAP_EMSK_LEN); - os_memcpy(emsk, pos, EAP_EMSK_LEN); - pos += EAP_EMSK_LEN; - - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: SK", pos, EAP_GPSK_SK_LEN_AES); - os_memcpy(sk, pos, EAP_GPSK_SK_LEN_AES); - *sk_len = EAP_GPSK_SK_LEN_AES; - pos += EAP_GPSK_SK_LEN_AES; - - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: PK", pos, EAP_GPSK_PK_LEN_AES); - os_memcpy(pk, pos, EAP_GPSK_PK_LEN_AES); - *pk_len = EAP_GPSK_PK_LEN_AES; - - return 0; -} - - #ifdef EAP_GPSK_SHA256 -static int eap_gpsk_gkdf_sha256(const u8 *psk /* Y */, size_t psk_len, +static int eap_gpsk_gkdf_sha256(const u8 *psk /* Y */, const u8 *data /* Z */, size_t data_len, u8 *buf, size_t len /* X */) { u8 *opos; size_t i, n, hashlen, left, clen; u8 ibuf[2], hash[SHA256_MAC_LEN]; - const u8 *addr[3]; - size_t vlen[3]; + const u8 *addr[2]; + size_t vlen[2]; hashlen = SHA256_MAC_LEN; - /* M_i = Hash-Function (i || Y || Z); */ + /* M_i = MAC_Y (i || Z); (MAC = HMAC-SHA256) */ addr[0] = ibuf; vlen[0] = sizeof(ibuf); - addr[1] = psk; - vlen[1] = psk_len; - addr[2] = data; - vlen[2] = data_len; + addr[1] = data; + vlen[1] = data_len; opos = buf; left = len; n = (len + hashlen - 1) / hashlen; for (i = 1; i <= n; i++) { WPA_PUT_BE16(ibuf, i); - sha256_vector(3, addr, vlen, hash); + hmac_sha256_vector(psk, 32, 2, addr, vlen, hash); clen = left > hashlen ? hashlen : left; os_memcpy(opos, hash, clen); opos += clen; @@ -192,37 +109,40 @@ return 0; } +#endif /* EAP_GPSK_SHA256 */ -static int eap_gpsk_derive_keys_sha256(const u8 *psk, size_t psk_len, +static int eap_gpsk_derive_keys_helper(u32 csuite_specifier, + u8 *kdf_out, size_t kdf_out_len, + const u8 *psk, size_t psk_len, const u8 *seed, size_t seed_len, u8 *msk, u8 *emsk, - u8 *sk, size_t *sk_len, - u8 *pk, size_t *pk_len) + u8 *sk, size_t sk_len, + u8 *pk, size_t pk_len) { -#define EAP_GPSK_SK_LEN_SHA256 SHA256_MAC_LEN -#define EAP_GPSK_PK_LEN_SHA256 SHA256_MAC_LEN - u8 mk[SHA256_MAC_LEN], zero_string[1], *pos, *data; - u8 kdf_out[EAP_MSK_LEN + EAP_EMSK_LEN + EAP_GPSK_SK_LEN_SHA256 + - EAP_GPSK_PK_LEN_SHA256]; - size_t data_len; + u8 mk[32], *pos, *data; + size_t data_len, mk_len; + int (*gkdf)(const u8 *psk, const u8 *data, size_t data_len, + u8 *buf, size_t len); - /* - * inputString = RAND_Client || ID_Client || RAND_Server || ID_Server - * (= seed) - * KS = 32, PL = psk_len, CSuite_Sel = 0x000000 0x000002 - * MK = GKDF-32 (0x00, PL || PSK || CSuite_Sel || inputString) - * MSK = GKDF-192 (MK, inputString)[0..63] - * EMSK = GKDF-192 (MK, inputString)[64..127] - * SK = GKDF-192 (MK, inputString)[128..159] - * PK = GKDF-192 (MK, inputString)[160..191] - * MID = GKDF-16(0x00, "Method ID" || EAP_Method_Type || CSuite_Sel || - * inputString) - * Hash-Function = SHA256 (see [RFC4634]) - * hashlen = 32 octets (256 bits) - */ + gkdf = NULL; + switch (csuite_specifier) { + case EAP_GPSK_CIPHER_AES: + gkdf = eap_gpsk_gkdf_cmac; + mk_len = 16; + break; +#ifdef EAP_GPSK_SHA256 + case EAP_GPSK_CIPHER_SHA256: + gkdf = eap_gpsk_gkdf_sha256; + mk_len = SHA256_MAC_LEN; + break; +#endif /* EAP_GPSK_SHA256 */ + default: + return -1; + } - os_memset(zero_string, 0, sizeof(zero_string)); + if (psk_len < mk_len) + return -1; data_len = 2 + psk_len + 6 + seed_len; data = os_malloc(data_len); @@ -233,24 +153,22 @@ pos += 2; os_memcpy(pos, psk, psk_len); pos += psk_len; - WPA_PUT_BE24(pos, 0); /* CSuite/Vendor = IETF */ - pos += 3; - WPA_PUT_BE24(pos, EAP_GPSK_CIPHER_SHA256); /* CSuite/Specifier */ - pos += 3; + WPA_PUT_BE32(pos, EAP_GPSK_VENDOR_IETF); /* CSuite/Vendor = IETF */ + pos += 4; + WPA_PUT_BE16(pos, csuite_specifier); /* CSuite/Specifier */ + pos += 2; os_memcpy(pos, seed, seed_len); /* inputString */ - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: Data to MK derivation (SHA256)", + wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: Data to MK derivation", data, data_len); - if (eap_gpsk_gkdf_sha256(zero_string, sizeof(zero_string), - data, data_len, mk, sizeof(mk)) < 0) { + if (gkdf(psk, data, data_len, mk, mk_len) < 0) { os_free(data); return -1; } os_free(data); - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MK", mk, sizeof(mk)); + wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MK", mk, mk_len); - if (eap_gpsk_gkdf_sha256(mk, sizeof(mk), seed, seed_len, - kdf_out, sizeof(kdf_out)) < 0) + if (gkdf(mk, seed, seed_len, kdf_out, kdf_out_len) < 0) return -1; pos = kdf_out; @@ -262,46 +180,113 @@ os_memcpy(emsk, pos, EAP_EMSK_LEN); pos += EAP_EMSK_LEN; - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: SK", - pos, EAP_GPSK_SK_LEN_SHA256); - os_memcpy(sk, pos, EAP_GPSK_SK_LEN_SHA256); + wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: SK", pos, sk_len); + os_memcpy(sk, pos, sk_len); + pos += sk_len; + + if (pk) { + wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: PK", pos, pk_len); + os_memcpy(pk, pos, pk_len); + } + + return 0; +} + + +static int eap_gpsk_derive_keys_aes(const u8 *psk, size_t psk_len, + const u8 *seed, size_t seed_len, + u8 *msk, u8 *emsk, u8 *sk, size_t *sk_len, + u8 *pk, size_t *pk_len) +{ +#define EAP_GPSK_SK_LEN_AES 16 +#define EAP_GPSK_PK_LEN_AES 16 + u8 kdf_out[EAP_MSK_LEN + EAP_EMSK_LEN + EAP_GPSK_SK_LEN_AES + + EAP_GPSK_PK_LEN_AES]; + + /* + * inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server + * (= seed) + * KS = 16, PL = psk_len, CSuite_Sel = 0x00000000 0x0001 + * MK = GKDF-16 (PSK[0..15], PL || PSK || CSuite_Sel || inputString) + * MSK = GKDF-160 (MK, inputString)[0..63] + * EMSK = GKDF-160 (MK, inputString)[64..127] + * SK = GKDF-160 (MK, inputString)[128..143] + * PK = GKDF-160 (MK, inputString)[144..159] + * zero = 0x00 || 0x00 || ... || 0x00 (16 times) + * Method-ID = GKDF-16 (zero, "Method ID" || EAP_Method_Type || + * CSuite_Sel || inputString) + */ + *sk_len = EAP_GPSK_SK_LEN_AES; - pos += EAP_GPSK_SK_LEN_AES; + *pk_len = EAP_GPSK_PK_LEN_AES; + + return eap_gpsk_derive_keys_helper(EAP_GPSK_CIPHER_AES, + kdf_out, sizeof(kdf_out), + psk, psk_len, seed, seed_len, + msk, emsk, sk, *sk_len, + pk, *pk_len); +} + + +#ifdef EAP_GPSK_SHA256 +static int eap_gpsk_derive_keys_sha256(const u8 *psk, size_t psk_len, + const u8 *seed, size_t seed_len, + u8 *msk, u8 *emsk, + u8 *sk, size_t *sk_len) +{ +#define EAP_GPSK_SK_LEN_SHA256 SHA256_MAC_LEN +#define EAP_GPSK_PK_LEN_SHA256 SHA256_MAC_LEN + u8 kdf_out[EAP_MSK_LEN + EAP_EMSK_LEN + EAP_GPSK_SK_LEN_SHA256 + + EAP_GPSK_PK_LEN_SHA256]; + + /* + * inputString = RAND_Peer || ID_Peer || RAND_Server || ID_Server + * (= seed) + * KS = 32, PL = psk_len, CSuite_Sel = 0x00000000 0x0002 + * MK = GKDF-32 (PSK[0..31], PL || PSK || CSuite_Sel || inputString) + * MSK = GKDF-160 (MK, inputString)[0..63] + * EMSK = GKDF-160 (MK, inputString)[64..127] + * SK = GKDF-160 (MK, inputString)[128..159] + * zero = 0x00 || 0x00 || ... || 0x00 (32 times) + * Method-ID = GKDF-16 (zero, "Method ID" || EAP_Method_Type || + * CSuite_Sel || inputString) + */ - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: PK", - pos, EAP_GPSK_PK_LEN_SHA256); - os_memcpy(pk, pos, EAP_GPSK_PK_LEN_SHA256); - *pk_len = EAP_GPSK_PK_LEN_SHA256; + *sk_len = EAP_GPSK_SK_LEN_SHA256; - return 0; + return eap_gpsk_derive_keys_helper(EAP_GPSK_CIPHER_SHA256, + kdf_out, sizeof(kdf_out), + psk, psk_len, seed, seed_len, + msk, emsk, sk, *sk_len, + NULL, 0); } #endif /* EAP_GPSK_SHA256 */ /** * eap_gpsk_derive_keys - Derive EAP-GPSK keys - * @psk: Pre-shared key (at least 16 bytes if AES is used) + * @psk: Pre-shared key * @psk_len: Length of psk in bytes * @vendor: CSuite/Vendor * @specifier: CSuite/Specifier - * @rand_client: 32-byte RAND_Client + * @rand_peer: 32-byte RAND_Peer * @rand_server: 32-byte RAND_Server - * @id_client: ID_Client - * @id_client_len: Length of ID_Client + * @id_peer: ID_Peer + * @id_peer_len: Length of ID_Peer * @id_server: ID_Server * @id_server_len: Length of ID_Server * @msk: Buffer for 64-byte MSK * @emsk: Buffer for 64-byte EMSK * @sk: Buffer for SK (at least EAP_GPSK_MAX_SK_LEN bytes) * @sk_len: Buffer for returning length of SK - * @pk: Buffer for SK (at least EAP_GPSK_MAX_PK_LEN bytes) + * @pk: Buffer for PK (at least EAP_GPSK_MAX_PK_LEN bytes) * @pk_len: Buffer for returning length of PK * Returns: 0 on success, -1 on failure */ int eap_gpsk_derive_keys(const u8 *psk, size_t psk_len, int vendor, int specifier, - const u8 *rand_client, const u8 *rand_server, - const u8 *id_client, size_t id_client_len, + const u8 *rand_peer, const u8 *rand_server, + const u8 *id_peer, size_t id_peer_len, const u8 *id_server, size_t id_server_len, u8 *msk, u8 *emsk, u8 *sk, size_t *sk_len, u8 *pk, size_t *pk_len) @@ -318,8 +303,8 @@ wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: PSK", psk, psk_len); - /* Seed = RAND_Client || ID_Client || RAND_Server || ID_Server */ - seed_len = 2 * EAP_GPSK_RAND_LEN + id_server_len + id_client_len; + /* Seed = RAND_Peer || ID_Peer || RAND_Server || ID_Server */ + seed_len = 2 * EAP_GPSK_RAND_LEN + id_server_len + id_peer_len; seed = os_malloc(seed_len); if (seed == NULL) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Failed to allocate memory " @@ -328,10 +313,10 @@ } pos = seed; - os_memcpy(pos, rand_client, EAP_GPSK_RAND_LEN); + os_memcpy(pos, rand_peer, EAP_GPSK_RAND_LEN); >>> TRUNCATED FOR MAIL (1000 lines) <<<
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803062359.m26Nx1GO059666>