libeap/src/eap_common/eap_pwd_common.c

   1 /*
   2  * EAP server/peer: EAP-pwd shared routines
   3  * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10 #include "common.h"
  11 #include "crypto/sha256.h"
  12 #include "crypto/crypto.h"
  13 #include "eap_defs.h"
  14 #include "eap_pwd_common.h"
  15
  16 /* The random function H(x) = HMAC-SHA256(0^32, x) */
  17 struct crypto_hash * eap_pwd_h_init(void)
  18 {
  19         u8 allzero[SHA256_MAC_LEN];
  20         os_memset(allzero, 0, SHA256_MAC_LEN);
  21         return crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256, allzero,
  22                                 SHA256_MAC_LEN);
  23 }
  24
  25
  26 void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len)
  27 {
  28         crypto_hash_update(hash, data, len);
  29 }
  30
  31
  32 void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest)
  33 {
  34         size_t len = SHA256_MAC_LEN;
  35         crypto_hash_finish(hash, digest, &len);
  36 }
  37
  38
  39 /* a counter-based KDF based on NIST SP800-108 */
  40 static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
  41                        size_t labellen, u8 *result, size_t resultbitlen)
  42 {
  43         struct crypto_hash *hash;
  44         u8 digest[SHA256_MAC_LEN];
  45         u16 i, ctr, L;
  46         size_t resultbytelen, len = 0, mdlen;
  47
  48         resultbytelen = (resultbitlen + 7) / 8;
  49         ctr = 0;
  50         L = htons(resultbitlen);
  51         while (len < resultbytelen) {
  52                 ctr++;
  53                 i = htons(ctr);
  54                 hash = crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256,
  55                                         key, keylen);
  56                 if (hash == NULL)
  57                         return -1;
  58                 if (ctr > 1)
  59                         crypto_hash_update(hash, digest, SHA256_MAC_LEN);
  60                 crypto_hash_update(hash, (u8 *) &i, sizeof(u16));
  61                 crypto_hash_update(hash, label, labellen);
  62                 crypto_hash_update(hash, (u8 *) &L, sizeof(u16));
  63                 mdlen = SHA256_MAC_LEN;
  64                 if (crypto_hash_finish(hash, digest, &mdlen) < 0)
  65                         return -1;
  66                 if ((len + mdlen) > resultbytelen)
  67                         os_memcpy(result + len, digest, resultbytelen - len);
  68                 else
  69                         os_memcpy(result + len, digest, mdlen);
  70                 len += mdlen;
  71         }
  72
  73         /* since we're expanding to a bit length, mask off the excess */
  74         if (resultbitlen % 8) {
  75                 u8 mask = 0xff;
  76                 mask <<= (8 - (resultbitlen % 8));
  77                 result[resultbytelen - 1] &= mask;
  78         }
  79
  80         return 0;
  81 }
  82
  83
  84 /*
  85  * compute a "random" secret point on an elliptic curve based
  86  * on the password and identities.
  87  */
  88 int compute_password_element(EAP_PWD_group *grp, u16 num,
  89                              const u8 *password, size_t password_len,
  90                              const u8 *id_server, size_t id_server_len,
  91                              const u8 *id_peer, size_t id_peer_len,
  92                              const u8 *token)
  93 {
  94         BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
  95         struct crypto_hash *hash;
  96         unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
  97         int nid, is_odd, ret = 0;
  98         size_t primebytelen, primebitlen;
  99
 100         switch (num) { /* from IANA registry for IKE D-H groups */
 101         case 19:
 102                 nid = NID_X9_62_prime256v1;
 103                 break;
 104         case 20:
 105                 nid = NID_secp384r1;
 106                 break;
 107         case 21:
 108                 nid = NID_secp521r1;
 109                 break;
 110 #ifndef OPENSSL_IS_BORINGSSL
 111         case 25:
 112                 nid = NID_X9_62_prime192v1;
 113                 break;
 114 #endif /* OPENSSL_IS_BORINGSSL */
 115         case 26:
 116                 nid = NID_secp224r1;
 117                 break;
 118 #ifdef NID_brainpoolP224r1
 119         case 27:
 120                 nid = NID_brainpoolP224r1;
 121                 break;
 122 #endif /* NID_brainpoolP224r1 */
 123 #ifdef NID_brainpoolP256r1
 124         case 28:
 125                 nid = NID_brainpoolP256r1;
 126                 break;
 127 #endif /* NID_brainpoolP256r1 */
 128 #ifdef NID_brainpoolP384r1
 129         case 29:
 130                 nid = NID_brainpoolP384r1;
 131                 break;
 132 #endif /* NID_brainpoolP384r1 */
 133 #ifdef NID_brainpoolP512r1
 134         case 30:
 135                 nid = NID_brainpoolP512r1;
 136                 break;
 137 #endif /* NID_brainpoolP512r1 */
 138         default:
 139                 wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num);
 140                 return -1;
 141         }
 142
 143         grp->pwe = NULL;
 144         grp->order = NULL;
 145         grp->prime = NULL;
 146
 147         if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
 148                 wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP");
 149                 goto fail;
 150         }
 151
 152         if (((rnd = BN_new()) == NULL) ||
 153             ((cofactor = BN_new()) == NULL) ||
 154             ((grp->pwe = EC_POINT_new(grp->group)) == NULL) ||
 155             ((grp->order = BN_new()) == NULL) ||
 156             ((grp->prime = BN_new()) == NULL) ||
 157             ((x_candidate = BN_new()) == NULL)) {
 158                 wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
 159                 goto fail;
 160         }
 161
 162         if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL))
 163         {
 164                 wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp "
 165                            "curve");
 166                 goto fail;
 167         }
 168         if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) {
 169                 wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve");
 170                 goto fail;
 171         }
 172         if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) {
 173                 wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
 174                            "curve");
 175                 goto fail;
 176         }
 177         primebitlen = BN_num_bits(grp->prime);
 178         primebytelen = BN_num_bytes(grp->prime);
 179         if ((prfbuf = os_malloc(primebytelen)) == NULL) {
 180                 wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
 181                            "buffer");
 182                 goto fail;
 183         }
 184         os_memset(prfbuf, 0, primebytelen);
 185         ctr = 0;
 186         while (1) {
 187                 if (ctr > 30) {
 188                         wpa_printf(MSG_INFO, "EAP-pwd: unable to find random "
 189                                    "point on curve for group %d, something's "
 190                                    "fishy", num);
 191                         goto fail;
 192                 }
 193                 ctr++;
 194
 195                 /*
 196                  * compute counter-mode password value and stretch to prime
 197                  *    pwd-seed = H(token | peer-id | server-id | password |
 198                  *                 counter)
 199                  */
 200                 hash = eap_pwd_h_init();
 201                 if (hash == NULL)
 202                         goto fail;
 203                 eap_pwd_h_update(hash, token, sizeof(u32));
 204                 eap_pwd_h_update(hash, id_peer, id_peer_len);
 205                 eap_pwd_h_update(hash, id_server, id_server_len);
 206                 eap_pwd_h_update(hash, password, password_len);
 207                 eap_pwd_h_update(hash, &ctr, sizeof(ctr));
 208                 eap_pwd_h_final(hash, pwe_digest);
 209
 210                 BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);
 211
 212                 if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
 213                                 (u8 *) "EAP-pwd Hunting And Pecking",
 214                                 os_strlen("EAP-pwd Hunting And Pecking"),
 215                                 prfbuf, primebitlen) < 0)
 216                         goto fail;
 217
 218                 BN_bin2bn(prfbuf, primebytelen, x_candidate);
 219
 220                 /*
 221                  * eap_pwd_kdf() returns a string of bits 0..primebitlen but
 222                  * BN_bin2bn will treat that string of bits as a big endian
 223                  * number. If the primebitlen is not an even multiple of 8
 224                  * then excessive bits-- those _after_ primebitlen-- so now
 225                  * we have to shift right the amount we masked off.
 226                  */
 227                 if (primebitlen % 8)
 228                         BN_rshift(x_candidate, x_candidate,
 229                                   (8 - (primebitlen % 8)));
 230
 231                 if (BN_ucmp(x_candidate, grp->prime) >= 0)
 232                         continue;
 233
 234                 wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
 235                             prfbuf, primebytelen);
 236
 237                 /*
 238                  * need to unambiguously identify the solution, if there is
 239                  * one...
 240                  */
 241                 if (BN_is_odd(rnd))
 242                         is_odd = 1;
 243                 else
 244                         is_odd = 0;
 245
 246                 /*
 247                  * solve the quadratic equation, if it's not solvable then we
 248                  * don't have a point
 249                  */
 250                 if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
 251                                                              grp->pwe,
 252                                                              x_candidate,
 253                                                              is_odd, NULL))
 254                         continue;
 255                 /*
 256                  * If there's a solution to the equation then the point must be
 257                  * on the curve so why check again explicitly? OpenSSL code
 258                  * says this is required by X9.62. We're not X9.62 but it can't
 259                  * hurt just to be sure.
 260                  */
 261                 if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
 262                         wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
 263                         continue;
 264                 }
 265
 266                 if (BN_cmp(cofactor, BN_value_one())) {
 267                         /* make sure the point is not in a small sub-group */
 268                         if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
 269                                           cofactor, NULL)) {
 270                                 wpa_printf(MSG_INFO, "EAP-pwd: cannot "
 271                                            "multiply generator by order");
 272                                 continue;
 273                         }
 274                         if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
 275                                 wpa_printf(MSG_INFO, "EAP-pwd: point is at "
 276                                            "infinity");
 277                                 continue;
 278                         }
 279                 }
 280                 /* if we got here then we have a new generator. */
 281                 break;
 282         }
 283         wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
 284         grp->group_num = num;
 285         if (0) {
 286  fail:
 287                 EC_GROUP_free(grp->group);
 288                 grp->group = NULL;
 289                 EC_POINT_clear_free(grp->pwe);
 290                 grp->pwe = NULL;
 291                 BN_clear_free(grp->order);
 292                 grp->order = NULL;
 293                 BN_clear_free(grp->prime);
 294                 grp->prime = NULL;
 295                 ret = 1;
 296         }
 297         /* cleanliness and order.... */
 298         BN_clear_free(cofactor);
 299         BN_clear_free(x_candidate);
 300         BN_clear_free(rnd);
 301         os_free(prfbuf);
 302
 303         return ret;
 304 }
 305
 306
 307 int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
 308                  const BIGNUM *peer_scalar, const BIGNUM *server_scalar,
 309                  const u8 *confirm_peer, const u8 *confirm_server,
 310                  const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id)
 311 {
 312         struct crypto_hash *hash;
 313         u8 mk[SHA256_MAC_LEN], *cruft;
 314         u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
 315         int offset;
 316
 317         if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL)
 318                 return -1;
 319
 320         /*
 321          * first compute the session-id = TypeCode | H(ciphersuite | scal_p |
 322          *      scal_s)
 323          */
 324         session_id[0] = EAP_TYPE_PWD;
 325         hash = eap_pwd_h_init();
 326         if (hash == NULL) {
 327                 os_free(cruft);
 328                 return -1;
 329         }
 330         eap_pwd_h_update(hash, (const u8 *) ciphersuite, sizeof(u32));
 331         offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar);
 332         os_memset(cruft, 0, BN_num_bytes(grp->prime));
 333         BN_bn2bin(peer_scalar, cruft + offset);
 334         eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
 335         offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar);
 336         os_memset(cruft, 0, BN_num_bytes(grp->prime));
 337         BN_bn2bin(server_scalar, cruft + offset);
 338         eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
 339         eap_pwd_h_final(hash, &session_id[1]);
 340
 341         /* then compute MK = H(k | confirm-peer | confirm-server) */
 342         hash = eap_pwd_h_init();
 343         if (hash == NULL) {
 344                 os_free(cruft);
 345                 return -1;
 346         }
 347         offset = BN_num_bytes(grp->prime) - BN_num_bytes(k);
 348         os_memset(cruft, 0, BN_num_bytes(grp->prime));
 349         BN_bn2bin(k, cruft + offset);
 350         eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->prime));
 351         os_free(cruft);
 352         eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN);
 353         eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN);
 354         eap_pwd_h_final(hash, mk);
 355
 356         /* stretch the mk with the session-id to get MSK | EMSK */
 357         if (eap_pwd_kdf(mk, SHA256_MAC_LEN,
 358                         session_id, SHA256_MAC_LEN + 1,
 359                         msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8) < 0) {
 360                 return -1;
 361         }
 362
 363         os_memcpy(msk, msk_emsk, EAP_MSK_LEN);
 364         os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN);
 365
 366         return 1;
 367 }