LCOV - code coverage report
Current view: top level - src/eap_common - eap_pwd_common.c (source / functions) Hit Total Coverage
Test: wpa_supplicant/hostapd combined for hwsim test run 1422976643 Lines: 132 174 75.9 %
Date: 2015-02-03 Functions: 6 6 100.0 %

          Line data    Source code
       1             : /*
       2             :  * EAP server/peer: EAP-pwd shared routines
       3             :  * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
       4             :  *
       5             :  * This software may be distributed under the terms of the BSD license.
       6             :  * See README for more details.
       7             :  */
       8             : 
       9             : #include "includes.h"
      10             : #include "common.h"
      11             : #include "crypto/sha256.h"
      12             : #include "crypto/crypto.h"
      13             : #include "eap_defs.h"
      14             : #include "eap_pwd_common.h"
      15             : 
      16             : /* The random function H(x) = HMAC-SHA256(0^32, x) */
      17         136 : struct crypto_hash * eap_pwd_h_init(void)
      18             : {
      19             :         u8 allzero[SHA256_MAC_LEN];
      20         136 :         os_memset(allzero, 0, SHA256_MAC_LEN);
      21         136 :         return crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256, allzero,
      22             :                                 SHA256_MAC_LEN);
      23             : }
      24             : 
      25             : 
      26         730 : void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len)
      27             : {
      28         730 :         crypto_hash_update(hash, data, len);
      29         730 : }
      30             : 
      31             : 
      32         136 : void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest)
      33             : {
      34         136 :         size_t len = SHA256_MAC_LEN;
      35         136 :         crypto_hash_finish(hash, digest, &len);
      36         136 : }
      37             : 
      38             : 
      39             : /* a counter-based KDF based on NIST SP800-108 */
      40          68 : static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
      41             :                        size_t labellen, u8 *result, size_t resultbitlen)
      42             : {
      43             :         struct crypto_hash *hash;
      44             :         u8 digest[SHA256_MAC_LEN];
      45             :         u16 i, ctr, L;
      46          68 :         size_t resultbytelen, len = 0, mdlen;
      47             : 
      48          68 :         resultbytelen = (resultbitlen + 7) / 8;
      49          68 :         ctr = 0;
      50          68 :         L = htons(resultbitlen);
      51         276 :         while (len < resultbytelen) {
      52         140 :                 ctr++;
      53         140 :                 i = htons(ctr);
      54         140 :                 hash = crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256,
      55             :                                         key, keylen);
      56         140 :                 if (hash == NULL)
      57           0 :                         return -1;
      58         140 :                 if (ctr > 1)
      59          72 :                         crypto_hash_update(hash, digest, SHA256_MAC_LEN);
      60         140 :                 crypto_hash_update(hash, (u8 *) &i, sizeof(u16));
      61         140 :                 crypto_hash_update(hash, label, labellen);
      62         140 :                 crypto_hash_update(hash, (u8 *) &L, sizeof(u16));
      63         140 :                 mdlen = SHA256_MAC_LEN;
      64         140 :                 if (crypto_hash_finish(hash, digest, &mdlen) < 0)
      65           0 :                         return -1;
      66         140 :                 if ((len + mdlen) > resultbytelen)
      67          18 :                         os_memcpy(result + len, digest, resultbytelen - len);
      68             :                 else
      69         122 :                         os_memcpy(result + len, digest, mdlen);
      70         140 :                 len += mdlen;
      71             :         }
      72             : 
      73             :         /* since we're expanding to a bit length, mask off the excess */
      74          68 :         if (resultbitlen % 8) {
      75           2 :                 u8 mask = 0xff;
      76           2 :                 mask <<= (8 - (resultbitlen % 8));
      77           2 :                 result[resultbytelen - 1] &= mask;
      78             :         }
      79             : 
      80          68 :         return 0;
      81             : }
      82             : 
      83             : 
      84             : /*
      85             :  * compute a "random" secret point on an elliptic curve based
      86             :  * on the password and identities.
      87             :  */
      88          25 : int compute_password_element(EAP_PWD_group *grp, u16 num,
      89             :                              u8 *password, int password_len,
      90             :                              u8 *id_server, int id_server_len,
      91             :                              u8 *id_peer, int id_peer_len, u8 *token)
      92             : {
      93          25 :         BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
      94             :         struct crypto_hash *hash;
      95          25 :         unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
      96          25 :         int nid, is_odd, ret = 0;
      97             :         size_t primebytelen, primebitlen;
      98             : 
      99          25 :         switch (num) { /* from IANA registry for IKE D-H groups */
     100             :         case 19:
     101          16 :                 nid = NID_X9_62_prime256v1;
     102          16 :                 break;
     103             :         case 20:
     104           2 :                 nid = NID_secp384r1;
     105           2 :                 break;
     106             :         case 21:
     107           2 :                 nid = NID_secp521r1;
     108           2 :                 break;
     109             : #ifndef OPENSSL_IS_BORINGSSL
     110             :         case 25:
     111           2 :                 nid = NID_X9_62_prime192v1;
     112           2 :                 break;
     113             : #endif /* OPENSSL_IS_BORINGSSL */
     114             :         case 26:
     115           2 :                 nid = NID_secp224r1;
     116           2 :                 break;
     117             :         default:
     118           1 :                 wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num);
     119           1 :                 return -1;
     120             :         }
     121             : 
     122          24 :         grp->pwe = NULL;
     123          24 :         grp->order = NULL;
     124          24 :         grp->prime = NULL;
     125             : 
     126          24 :         if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
     127           0 :                 wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP");
     128           0 :                 goto fail;
     129             :         }
     130             : 
     131          24 :         if (((rnd = BN_new()) == NULL) ||
     132          24 :             ((cofactor = BN_new()) == NULL) ||
     133          48 :             ((grp->pwe = EC_POINT_new(grp->group)) == NULL) ||
     134          48 :             ((grp->order = BN_new()) == NULL) ||
     135          48 :             ((grp->prime = BN_new()) == NULL) ||
     136             :             ((x_candidate = BN_new()) == NULL)) {
     137           0 :                 wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
     138           0 :                 goto fail;
     139             :         }
     140             : 
     141          24 :         if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL))
     142             :         {
     143           0 :                 wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp "
     144             :                            "curve");
     145           0 :                 goto fail;
     146             :         }
     147          24 :         if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) {
     148           0 :                 wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve");
     149           0 :                 goto fail;
     150             :         }
     151          24 :         if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) {
     152           0 :                 wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
     153             :                            "curve");
     154           0 :                 goto fail;
     155             :         }
     156          24 :         primebitlen = BN_num_bits(grp->prime);
     157          24 :         primebytelen = BN_num_bytes(grp->prime);
     158          24 :         if ((prfbuf = os_malloc(primebytelen)) == NULL) {
     159           0 :                 wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
     160             :                            "buffer");
     161           0 :                 goto fail;
     162             :         }
     163          24 :         os_memset(prfbuf, 0, primebytelen);
     164          24 :         ctr = 0;
     165             :         while (1) {
     166          46 :                 if (ctr > 30) {
     167           0 :                         wpa_printf(MSG_INFO, "EAP-pwd: unable to find random "
     168             :                                    "point on curve for group %d, something's "
     169             :                                    "fishy", num);
     170           0 :                         goto fail;
     171             :                 }
     172          46 :                 ctr++;
     173             : 
     174             :                 /*
     175             :                  * compute counter-mode password value and stretch to prime
     176             :                  *    pwd-seed = H(token | peer-id | server-id | password |
     177             :                  *                 counter)
     178             :                  */
     179          46 :                 hash = eap_pwd_h_init();
     180          46 :                 if (hash == NULL)
     181           0 :                         goto fail;
     182          46 :                 eap_pwd_h_update(hash, token, sizeof(u32));
     183          46 :                 eap_pwd_h_update(hash, id_peer, id_peer_len);
     184          46 :                 eap_pwd_h_update(hash, id_server, id_server_len);
     185          46 :                 eap_pwd_h_update(hash, password, password_len);
     186          46 :                 eap_pwd_h_update(hash, &ctr, sizeof(ctr));
     187          46 :                 eap_pwd_h_final(hash, pwe_digest);
     188             : 
     189          46 :                 BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);
     190             : 
     191          46 :                 if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
     192             :                                 (u8 *) "EAP-pwd Hunting And Pecking",
     193             :                                 os_strlen("EAP-pwd Hunting And Pecking"),
     194             :                                 prfbuf, primebitlen) < 0)
     195           0 :                         goto fail;
     196             : 
     197          46 :                 BN_bin2bn(prfbuf, primebytelen, x_candidate);
     198             : 
     199             :                 /*
     200             :                  * eap_pwd_kdf() returns a string of bits 0..primebitlen but
     201             :                  * BN_bin2bn will treat that string of bits as a big endian
     202             :                  * number. If the primebitlen is not an even multiple of 8
     203             :                  * then excessive bits-- those _after_ primebitlen-- so now
     204             :                  * we have to shift right the amount we masked off.
     205             :                  */
     206          46 :                 if (primebitlen % 8)
     207           2 :                         BN_rshift(x_candidate, x_candidate,
     208             :                                   (8 - (primebitlen % 8)));
     209             : 
     210          46 :                 if (BN_ucmp(x_candidate, grp->prime) >= 0)
     211           0 :                         continue;
     212             : 
     213          46 :                 wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
     214             :                             prfbuf, primebytelen);
     215             : 
     216             :                 /*
     217             :                  * need to unambiguously identify the solution, if there is
     218             :                  * one...
     219             :                  */
     220          46 :                 if (BN_is_odd(rnd))
     221          25 :                         is_odd = 1;
     222             :                 else
     223          21 :                         is_odd = 0;
     224             : 
     225             :                 /*
     226             :                  * solve the quadratic equation, if it's not solvable then we
     227             :                  * don't have a point
     228             :                  */
     229          46 :                 if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
     230             :                                                              grp->pwe,
     231             :                                                              x_candidate,
     232             :                                                              is_odd, NULL))
     233          22 :                         continue;
     234             :                 /*
     235             :                  * If there's a solution to the equation then the point must be
     236             :                  * on the curve so why check again explicitly? OpenSSL code
     237             :                  * says this is required by X9.62. We're not X9.62 but it can't
     238             :                  * hurt just to be sure.
     239             :                  */
     240          24 :                 if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
     241           0 :                         wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
     242           0 :                         continue;
     243             :                 }
     244             : 
     245          24 :                 if (BN_cmp(cofactor, BN_value_one())) {
     246             :                         /* make sure the point is not in a small sub-group */
     247           0 :                         if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
     248             :                                           cofactor, NULL)) {
     249           0 :                                 wpa_printf(MSG_INFO, "EAP-pwd: cannot "
     250             :                                            "multiply generator by order");
     251           0 :                                 continue;
     252             :                         }
     253           0 :                         if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
     254           0 :                                 wpa_printf(MSG_INFO, "EAP-pwd: point is at "
     255             :                                            "infinity");
     256           0 :                                 continue;
     257             :                         }
     258             :                 }
     259             :                 /* if we got here then we have a new generator. */
     260          24 :                 break;
     261          22 :         }
     262          24 :         wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
     263          24 :         grp->group_num = num;
     264             :         if (0) {
     265             :  fail:
     266           0 :                 EC_GROUP_free(grp->group);
     267           0 :                 grp->group = NULL;
     268           0 :                 EC_POINT_clear_free(grp->pwe);
     269           0 :                 grp->pwe = NULL;
     270           0 :                 BN_clear_free(grp->order);
     271           0 :                 grp->order = NULL;
     272           0 :                 BN_clear_free(grp->prime);
     273           0 :                 grp->prime = NULL;
     274           0 :                 ret = 1;
     275             :         }
     276             :         /* cleanliness and order.... */
     277          24 :         BN_clear_free(cofactor);
     278          24 :         BN_clear_free(x_candidate);
     279          24 :         BN_clear_free(rnd);
     280          24 :         os_free(prfbuf);
     281             : 
     282          24 :         return ret;
     283             : }
     284             : 
     285             : 
     286          22 : int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, BIGNUM *k,
     287             :                  BIGNUM *peer_scalar, BIGNUM *server_scalar,
     288             :                  u8 *confirm_peer, u8 *confirm_server,
     289             :                  u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id)
     290             : {
     291             :         struct crypto_hash *hash;
     292             :         u8 mk[SHA256_MAC_LEN], *cruft;
     293             :         u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
     294             :         int offset;
     295             : 
     296          22 :         if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL)
     297           0 :                 return -1;
     298             : 
     299             :         /*
     300             :          * first compute the session-id = TypeCode | H(ciphersuite | scal_p |
     301             :          *      scal_s)
     302             :          */
     303          22 :         session_id[0] = EAP_TYPE_PWD;
     304          22 :         hash = eap_pwd_h_init();
     305          22 :         if (hash == NULL) {
     306           0 :                 os_free(cruft);
     307           0 :                 return -1;
     308             :         }
     309          22 :         eap_pwd_h_update(hash, (u8 *) ciphersuite, sizeof(u32));
     310          22 :         offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar);
     311          22 :         os_memset(cruft, 0, BN_num_bytes(grp->prime));
     312          22 :         BN_bn2bin(peer_scalar, cruft + offset);
     313          22 :         eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
     314          22 :         offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar);
     315          22 :         os_memset(cruft, 0, BN_num_bytes(grp->prime));
     316          22 :         BN_bn2bin(server_scalar, cruft + offset);
     317          22 :         eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
     318          22 :         eap_pwd_h_final(hash, &session_id[1]);
     319             : 
     320             :         /* then compute MK = H(k | confirm-peer | confirm-server) */
     321          22 :         hash = eap_pwd_h_init();
     322          22 :         if (hash == NULL) {
     323           0 :                 os_free(cruft);
     324           0 :                 return -1;
     325             :         }
     326          22 :         offset = BN_num_bytes(grp->prime) - BN_num_bytes(k);
     327          22 :         os_memset(cruft, 0, BN_num_bytes(grp->prime));
     328          22 :         BN_bn2bin(k, cruft + offset);
     329          22 :         eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->prime));
     330          22 :         os_free(cruft);
     331          22 :         eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN);
     332          22 :         eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN);
     333          22 :         eap_pwd_h_final(hash, mk);
     334             : 
     335             :         /* stretch the mk with the session-id to get MSK | EMSK */
     336          22 :         if (eap_pwd_kdf(mk, SHA256_MAC_LEN,
     337             :                         session_id, SHA256_MAC_LEN + 1,
     338             :                         msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8) < 0) {
     339           0 :                 return -1;
     340             :         }
     341             : 
     342          22 :         os_memcpy(msk, msk_emsk, EAP_MSK_LEN);
     343          22 :         os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN);
     344             : 
     345          22 :         return 1;
     346             : }

Generated by: LCOV version 1.10