/* * EAP peer/server: EAP-SIM/AKA/AKA' shared routines * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * Alternatively, this software may be distributed under the terms of BSD * license. * * See README and COPYING for more details. */#include "includes.h"#include "common.h"#include "eap_common/eap_defs.h"#include "sha1.h"#include "sha256.h"#include "crypto.h"#include "aes_wrap.h"#include "wpabuf.h"#include "eap_common/eap_sim_common.h"static int eap_sim_prf(const u8 *key, u8 *x, size_t xlen){	return fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);}void eap_sim_derive_mk(const u8 *identity, size_t identity_len,		       const u8 *nonce_mt, u16 selected_version,		       const u8 *ver_list, size_t ver_list_len,		       int num_chal, const u8 *kc, u8 *mk){	u8 sel_ver[2];	const unsigned char *addr[5];	size_t len[5];	addr[0] = identity;	len[0] = identity_len;	addr[1] = kc;	len[1] = num_chal * EAP_SIM_KC_LEN;	addr[2] = nonce_mt;	len[2] = EAP_SIM_NONCE_MT_LEN;	addr[3] = ver_list;	len[3] = ver_list_len;	addr[4] = sel_ver;	len[4] = 2;	WPA_PUT_BE16(sel_ver, selected_version);	/* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */	sha1_vector(5, addr, len, mk);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);}void eap_aka_derive_mk(const u8 *identity, size_t identity_len,		       const u8 *ik, const u8 *ck, u8 *mk){	const u8 *addr[3];	size_t len[3];	addr[0] = identity;	len[0] = identity_len;	addr[1] = ik;	len[1] = EAP_AKA_IK_LEN;	addr[2] = ck;	len[2] = EAP_AKA_CK_LEN;	/* MK = SHA1(Identity|IK|CK) */	sha1_vector(3, addr, len, mk);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: IK", ik, EAP_AKA_IK_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: CK", ck, EAP_AKA_CK_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: MK", mk, EAP_SIM_MK_LEN);}int eap_sim_derive_keys(const u8 *mk, u8 *k_encr, u8 *k_aut, u8 *msk, u8 *emsk){	u8 buf[EAP_SIM_K_ENCR_LEN + EAP_SIM_K_AUT_LEN +	       EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN], *pos;	if (eap_sim_prf(mk, buf, sizeof(buf)) < 0) {		wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");		return -1;	}	pos = buf;	os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);	pos += EAP_SIM_K_ENCR_LEN;	os_memcpy(k_aut, pos, EAP_SIM_K_AUT_LEN);	pos += EAP_SIM_K_AUT_LEN;	os_memcpy(msk, pos, EAP_SIM_KEYING_DATA_LEN);	pos += EAP_SIM_KEYING_DATA_LEN;	os_memcpy(emsk, pos, EAP_EMSK_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_encr",			k_encr, EAP_SIM_K_ENCR_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_aut",			k_aut, EAP_SIM_K_AUT_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: keying material (MSK)",			msk, EAP_SIM_KEYING_DATA_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);	os_memset(buf, 0, sizeof(buf));	return 0;}int eap_sim_derive_keys_reauth(u16 _counter,			       const u8 *identity, size_t identity_len,			       const u8 *nonce_s, const u8 *mk, u8 *msk,			       u8 *emsk){	u8 xkey[SHA1_MAC_LEN];	u8 buf[EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN + 32];	u8 counter[2];	const u8 *addr[4];	size_t len[4];	while (identity_len > 0 && identity[identity_len - 1] == 0) {		wpa_printf(MSG_DEBUG, "EAP-SIM: Workaround - drop null "			   "character from the end of identity");		identity_len--;	}	addr[0] = identity;	len[0] = identity_len;	addr[1] = counter;	len[1] = 2;	addr[2] = nonce_s;	len[2] = EAP_SIM_NONCE_S_LEN;	addr[3] = mk;	len[3] = EAP_SIM_MK_LEN;	WPA_PUT_BE16(counter, _counter);	wpa_printf(MSG_DEBUG, "EAP-SIM: Deriving keying data from reauth");	wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",			  identity, identity_len);	wpa_hexdump(MSG_DEBUG, "EAP-SIM: counter", counter, 2);	wpa_hexdump(MSG_DEBUG, "EAP-SIM: NONCE_S", nonce_s,		    EAP_SIM_NONCE_S_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);	/* XKEY' = SHA1(Identity|counter|NONCE_S|MK) */	sha1_vector(4, addr, len, xkey);	wpa_hexdump(MSG_DEBUG, "EAP-SIM: XKEY'", xkey, SHA1_MAC_LEN);	if (eap_sim_prf(xkey, buf, sizeof(buf)) < 0) {		wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");		return -1;	}	if (msk) {		os_memcpy(msk, buf, EAP_SIM_KEYING_DATA_LEN);		wpa_hexdump(MSG_DEBUG, "EAP-SIM: keying material (MSK)",			    msk, EAP_SIM_KEYING_DATA_LEN);	}	if (emsk) {		os_memcpy(emsk, buf + EAP_SIM_KEYING_DATA_LEN, EAP_EMSK_LEN);		wpa_hexdump(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);	}	os_memset(buf, 0, sizeof(buf));	return 0;}int eap_sim_verify_mac(const u8 *k_aut, const struct wpabuf *req,		       const u8 *mac, const u8 *extra, size_t extra_len){	unsigned char hmac[SHA1_MAC_LEN];	const u8 *addr[2];	size_t len[2];	u8 *tmp;	if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||	    mac < wpabuf_head_u8(req) ||	    mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)		return -1;	tmp = os_malloc(wpabuf_len(req));	if (tmp == NULL)		return -1;	addr[0] = tmp;	len[0] = wpabuf_len(req);	addr[1] = extra;	len[1] = extra_len;	/* HMAC-SHA1-128 */	os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));	os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - msg",		    tmp, wpabuf_len(req));	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - extra data",		    extra, extra_len);	wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Verify MAC - K_aut",			k_aut, EAP_SIM_K_AUT_LEN);	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC: MAC",		    hmac, EAP_SIM_MAC_LEN);	os_free(tmp);	return (os_memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;}void eap_sim_add_mac(const u8 *k_aut, const u8 *msg, size_t msg_len, u8 *mac,		     const u8 *extra, size_t extra_len){	unsigned char hmac[SHA1_MAC_LEN];	const u8 *addr[2];	size_t len[2];	addr[0] = msg;	len[0] = msg_len;	addr[1] = extra;	len[1] = extra_len;	/* HMAC-SHA1-128 */	os_memset(mac, 0, EAP_SIM_MAC_LEN);	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - msg", msg, msg_len);	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - extra data",		    extra, extra_len);	wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Add MAC - K_aut",			k_aut, EAP_SIM_K_AUT_LEN);	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);	os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC: MAC",		    mac, EAP_SIM_MAC_LEN);}#ifdef EAP_AKA_PRIMEstatic void prf_prime(const u8 *k, const char *seed1,		      const u8 *seed2, size_t seed2_len,		      const u8 *seed3, size_t seed3_len,		      u8 *res, size_t res_len){	const u8 *addr[5];	size_t len[5];	u8 hash[SHA256_MAC_LEN];	u8 iter;	/*	 * PRF'(K,S) = T1 | T2 | T3 | T4 | ...	 * T1 = HMAC-SHA-256 (K, S | 0x01)	 * T2 = HMAC-SHA-256 (K, T1 | S | 0x02)	 * T3 = HMAC-SHA-256 (K, T2 | S | 0x03)	 * T4 = HMAC-SHA-256 (K, T3 | S | 0x04)	 * ...	 */	addr[0] = hash;	len[0] = 0;	addr[1] = (const u8 *) seed1;	len[1] = os_strlen(seed1);	addr[2] = seed2;	len[2] = seed2_len;	addr[3] = seed3;	len[3] = seed3_len;	addr[4] = &iter;	len[4] = 1;	iter = 0;	while (res_len) {		size_t hlen;		iter++;		hmac_sha256_vector(k, 32, 5, addr, len, hash);		len[0] = SHA256_MAC_LEN;		hlen = res_len > SHA256_MAC_LEN ? SHA256_MAC_LEN : res_len;		os_memcpy(res, hash, hlen);		res += hlen;		res_len -= hlen;	}}void eap_aka_prime_derive_keys(const u8 *identity, size_t identity_len,			       const u8 *ik, const u8 *ck, u8 *k_encr,			       u8 *k_aut, u8 *k_re, u8 *msk, u8 *emsk){	u8 key[EAP_AKA_IK_LEN + EAP_AKA_CK_LEN];	u8 keys[EAP_SIM_K_ENCR_LEN + EAP_AKA_PRIME_K_AUT_LEN +		EAP_AKA_PRIME_K_RE_LEN + EAP_MSK_LEN + EAP_EMSK_LEN];	u8 *pos;	/*	 * MK = PRF'(IK'|CK',"EAP-AKA'"|Identity)	 * K_encr = MK[0..127]	 * K_aut  = MK[128..383]	 * K_re   = MK[384..639]	 * MSK    = MK[640..1151]	 * EMSK   = MK[1152..1663]	 */	os_memcpy(key, ik, EAP_AKA_IK_LEN);	os_memcpy(key + EAP_AKA_IK_LEN, ck, EAP_AKA_CK_LEN);	prf_prime(key, "EAP-AKA'", identity, identity_len, NULL, 0,		  keys, sizeof(keys));	pos = keys;	os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_encr",			k_encr, EAP_SIM_K_ENCR_LEN);	pos += EAP_SIM_K_ENCR_LEN;	os_memcpy(k_aut, pos, EAP_AKA_PRIME_K_AUT_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_aut",			k_aut, EAP_AKA_PRIME_K_AUT_LEN);	pos += EAP_AKA_PRIME_K_AUT_LEN;	os_memcpy(k_re, pos, EAP_AKA_PRIME_K_RE_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_re",			k_re, EAP_AKA_PRIME_K_RE_LEN);	pos += EAP_AKA_PRIME_K_RE_LEN;	os_memcpy(msk, pos, EAP_MSK_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);	pos += EAP_MSK_LEN;	os_memcpy(emsk, pos, EAP_EMSK_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);}int eap_aka_prime_derive_keys_reauth(const u8 *k_re, u16 counter,				     const u8 *identity, size_t identity_len,				     const u8 *nonce_s, u8 *msk, u8 *emsk){	u8 seed3[2 + EAP_SIM_NONCE_S_LEN];	u8 keys[EAP_MSK_LEN + EAP_EMSK_LEN];	u8 *pos;	/*	 * MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S)	 * MSK  = MK[0..511]	 * EMSK = MK[512..1023]	 */	WPA_PUT_BE16(seed3, counter);	os_memcpy(seed3 + 2, nonce_s, EAP_SIM_NONCE_S_LEN);	prf_prime(k_re, "EAP-AKA' re-auth", identity, identity_len,		  seed3, sizeof(seed3),		  keys, sizeof(keys));	pos = keys;	os_memcpy(msk, pos, EAP_MSK_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);	pos += EAP_MSK_LEN;	os_memcpy(emsk, pos, EAP_EMSK_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);	os_memset(keys, 0, sizeof(keys));	return 0;}int eap_sim_verify_mac_sha256(const u8 *k_aut, const struct wpabuf *req,			      const u8 *mac, const u8 *extra, size_t extra_len){	unsigned char hmac[SHA256_MAC_LEN];	const u8 *addr[2];	size_t len[2];	u8 *tmp;	if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||	    mac < wpabuf_head_u8(req) ||	    mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)		return -1;	tmp = os_malloc(wpabuf_len(req));	if (tmp == NULL)		return -1;	addr[0] = tmp;	len[0] = wpabuf_len(req);	addr[1] = extra;	len[1] = extra_len;	/* HMAC-SHA-256-128 */	os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));	os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - msg",		    tmp, wpabuf_len(req));	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - extra data",		    extra, extra_len);	wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Verify MAC - K_aut",			k_aut, EAP_AKA_PRIME_K_AUT_LEN);	hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC: MAC",		    hmac, EAP_SIM_MAC_LEN);	os_free(tmp);	return (os_memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;}void eap_sim_add_mac_sha256(const u8 *k_aut, const u8 *msg, size_t msg_len,