Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b3a6d9d400
Branches Tags
krackattacks
/
src
/
eap_common
/
eap_pwd_common.c

eap_pwd_common.c 9.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345 
  1. /*
    2. 

  2.  * EAP server/peer: EAP-pwd shared routines
    3. 

  3.  * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
    4. 

  4.  *
    5. 

  5.  * This program is free software; you can redistribute it and/or modify
    6. 

  6.  * it under the terms of the BSD license.
    7. 

  7.  *
    8. 

  8.  * Alternatively, this software may be distributed under the terms of the
    9. 

  9.  * GNU General Public License version 2 as published by the Free Software
    10. 

  10.  * Foundation.
    11. 

  11.  *
    12. 

  12.  * See README and COPYING for more details.
    13. 

  13.  */
    14. 

  14. 

  15. #include "includes.h"
    16. 

  16. #include "common.h"
    17. 

  17. #include "eap_defs.h"
    18. 

  18. #include "eap_pwd_common.h"
    19. 

  19. 

  20. /* The random function H(x) = HMAC-SHA256(0^32, x) */
    21. 

  21. void H_Init(HMAC_CTX *ctx)
    22. 

  22. {
    23. 

  23. 	u8 allzero[SHA256_DIGEST_LENGTH];
    24. 

  24. 

  25. 	os_memset(allzero, 0, SHA256_DIGEST_LENGTH);
    26. 

  26. 	HMAC_Init(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256());
    27. 

  27. }
    28. 

  28. 

  29. 

  30. void H_Update(HMAC_CTX *ctx, const u8 *data, int len)
    31. 

  31. {
    32. 

  32. 	HMAC_Update(ctx, data, len);
    33. 

  33. }
    34. 

  34. 

  35. 

  36. void H_Final(HMAC_CTX *ctx, u8 *digest)
    37. 

  37. {
    38. 

  38. 	unsigned int mdlen = SHA256_DIGEST_LENGTH;
    39. 

  39. 

  40. 	HMAC_Final(ctx, digest, &mdlen);
    41. 

  41. 	HMAC_CTX_cleanup(ctx);
    42. 

  42. }
    43. 

  43. 

  44. 

  45. /* a counter-based KDF based on NIST SP800-108 */
    46. 

  46. void eap_pwd_kdf(u8 *key, int keylen, u8 *label, int labellen,
    47. 

  47. 		 u8 *result, int resultbitlen)
    48. 

  48. {
    49. 

  49. 	HMAC_CTX hctx;
    50. 

  50. 	unsigned char digest[SHA256_DIGEST_LENGTH];
    51. 

  51. 	u16 i, ctr, L;
    52. 

  52. 	int resultbytelen, len = 0;
    53. 

  53. 	unsigned int mdlen = SHA256_DIGEST_LENGTH;
    54. 

  54. 	unsigned char mask = 0xff;
    55. 

  55. 

  56. 	resultbytelen = (resultbitlen + 7)/8;
    57. 

  57. 	ctr = 0;
    58. 

  58. 	L = htons(resultbitlen);
    59. 

  59. 	while (len < resultbytelen) {
    60. 

  60. 		ctr++; i = htons(ctr);
    61. 

  61. 		HMAC_Init(&hctx, key, keylen, EVP_sha256());
    62. 

  62. 		if (ctr > 1)
    63. 

  63. 			HMAC_Update(&hctx, digest, mdlen);
    64. 

  64. 		HMAC_Update(&hctx, (u8 *) &i, sizeof(u16));
    65. 

  65. 		HMAC_Update(&hctx, label, labellen);
    66. 

  66. 		HMAC_Update(&hctx, (u8 *) &L, sizeof(u16));
    67. 

  67. 		HMAC_Final(&hctx, digest, &mdlen);
    68. 

  68. 		if ((len + (int) mdlen) > resultbytelen)
    69. 

  69. 			os_memcpy(result + len, digest, resultbytelen - len);
    70. 

  70. 		else
    71. 

  71. 			os_memcpy(result + len, digest, mdlen);
    72. 

  72. 		len += mdlen;
    73. 

  73. 		HMAC_CTX_cleanup(&hctx);
    74. 

  74. 	}
    75. 

  75. 

  76. 	/* since we're expanding to a bit length, mask off the excess */
    77. 

  77. 	if (resultbitlen % 8) {
    78. 

  78. 		mask >>= ((resultbytelen * 8) - resultbitlen);
    79. 

  79. 		result[0] &= mask;
    80. 

  80. 	}
    81. 

  81. }
    82. 

  82. 

  83. 

  84. /*
    85. 

  85.  * compute a "random" secret point on an elliptic curve based
    86. 

  86.  * on the password and identities.
    87. 

  87.  */
    88. 

  88. int compute_password_element(EAP_PWD_group *grp, u16 num,
    89. 

  89. 			     u8 *password, int password_len,
    90. 

  90. 			     u8 *id_server, int id_server_len,
    91. 

  91. 			     u8 *id_peer, int id_peer_len, u8 *token)
    92. 

  92. {
    93. 

  93. 	BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
    94. 

  94. 	HMAC_CTX ctx;
    95. 

  95. 	unsigned char pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
    96. 

  96. 	int nid, is_odd, primebitlen, primebytelen, ret = 0;
    97. 

  97. 

  98. 	switch (num) { /* from IANA registry for IKE D-H groups */
    99. 

  99.         case 19:
    100. 

  100. 		nid = NID_X9_62_prime256v1;
    101. 

  101. 		break;
    102. 

  102.         case 20:
    103. 

  103. 		nid = NID_secp384r1;
    104. 

  104. 		break;
    105. 

  105.         case 21:
    106. 

  106. 		nid = NID_secp521r1;
    107. 

  107. 		break;
    108. 

  108.         case 25:
    109. 

  109. 		nid = NID_X9_62_prime192v1;
    110. 

  110. 		break;
    111. 

  111.         case 26:
    112. 

  112. 		nid = NID_secp224r1;
    113. 

  113. 		break;
    114. 

  114.         default:
    115. 

  115. 		wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num);
    116. 

  116. 		return -1;
    117. 

  117. 	}
    118. 

  118. 

  119. 	grp->pwe = NULL;
    120. 

  120. 	grp->order = NULL;
    121. 

  121. 	grp->prime = NULL;
    122. 

  122. 

  123. 	if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
    124. 

  124. 		wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP");
    125. 

  125. 		goto fail;
    126. 

  126. 	}
    127. 

  127. 

  128. 	if (((rnd = BN_new()) == NULL) ||
    129. 

  129. 	    ((cofactor = BN_new()) == NULL) ||
    130. 

  130. 	    ((grp->pwe = EC_POINT_new(grp->group)) == NULL) ||
    131. 

  131. 	    ((grp->order = BN_new()) == NULL) ||
    132. 

  132. 	    ((grp->prime = BN_new()) == NULL) ||
    133. 

  133. 	    ((x_candidate = BN_new()) == NULL)) {
    134. 

  134. 		wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
    135. 

  135. 		goto fail;
    136. 

  136. 	}
    137. 

  137. 

  138. 	if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL))
    139. 

  139. 	{
    140. 

  140. 		wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp "
    141. 

  141. 			   "curve");
    142. 

  142. 		goto fail;
    143. 

  143. 	}
    144. 

  144. 	if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) {
    145. 

  145. 		wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve");
    146. 

  146. 		goto fail;
    147. 

  147. 	}
    148. 

  148. 	if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) {
    149. 

  149. 		wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
    150. 

  150. 			   "curve");
    151. 

  151. 		goto fail;
    152. 

  152. 	}
    153. 

  153. 	primebitlen = BN_num_bits(grp->prime);
    154. 

  154. 	primebytelen = BN_num_bytes(grp->prime);
    155. 

  155. 	if ((prfbuf = os_malloc(primebytelen)) == NULL) {
    156. 

  156. 		wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
    157. 

  157. 			   "buffer");
    158. 

  158. 		goto fail;
    159. 

  159. 	}
    160. 

  160. 	os_memset(prfbuf, 0, primebytelen);
    161. 

  161. 	ctr = 0;
    162. 

  162. 	while (1) {
    163. 

  163. 		if (ctr > 10) {
    164. 

  164. 			wpa_printf(MSG_INFO, "EAP-pwd: unable to find random "
    165. 

  165. 				   "point on curve for group %d, something's "
    166. 

  166. 				   "fishy", num);
    167. 

  167. 			goto fail;
    168. 

  168. 		}
    169. 

  169. 		ctr++;
    170. 

  170. 

  171. 		/*
    172. 

  172. 		 * compute counter-mode password value and stretch to prime
    173. 

  173. 		 *    pwd-seed = H(token | peer-id | server-id | password |
    174. 

  174. 		 *		   counter)
    175. 

  175. 		 */
    176. 

  176. 		H_Init(&ctx);
    177. 

  177. 		H_Update(&ctx, token, sizeof(u32));
    178. 

  178. 		H_Update(&ctx, id_peer, id_peer_len);
    179. 

  179. 		H_Update(&ctx, id_server, id_server_len);
    180. 

  180. 		H_Update(&ctx, password, password_len);
    181. 

  181. 		H_Update(&ctx, &ctr, sizeof(ctr));
    182. 

  182. 		H_Final(&ctx, pwe_digest);
    183. 

  183. 

  184. 		BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
    185. 

  185. 

  186. 		eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH,
    187. 

  187. 			    (unsigned char *) "EAP-pwd Hunting and Pecking",
    188. 

  188. 			    os_strlen("EAP-pwd Hunting and Pecking"),
    189. 

  189. 			    prfbuf, primebitlen);
    190. 

  190. 

  191. 		BN_bin2bn(prfbuf, primebytelen, x_candidate);
    192. 

  192. 		if (BN_ucmp(x_candidate, grp->prime) >= 0)
    193. 

  193. 			continue;
    194. 

  194. 

  195. 		wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
    196. 

  196. 			    prfbuf, primebytelen);
    197. 

  197. 

  198. 		/*
    199. 

  199. 		 * need to unambiguously identify the solution, if there is
    200. 

  200. 		 * one...
    201. 

  201. 		 */
    202. 

  202. 		if (BN_is_odd(rnd))
    203. 

  203. 			is_odd = 1;
    204. 

  204. 		else
    205. 

  205. 			is_odd = 0;
    206. 

  206. 

  207. 		/*
    208. 

  208. 		 * solve the quadratic equation, if it's not solvable then we
    209. 

  209. 		 * don't have a point
    210. 

  210. 		 */
    211. 

  211. 		if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
    212. 

  212. 							     grp->pwe,
    213. 

  213. 							     x_candidate,
    214. 

  214. 							     is_odd, NULL))
    215. 

  215. 			continue;
    216. 

  216. 		/*
    217. 

  217. 		 * If there's a solution to the equation then the point must be
    218. 

  218. 		 * on the curve so why check again explicitly? OpenSSL code
    219. 

  219. 		 * says this is required by X9.62. We're not X9.62 but it can't
    220. 

  220. 		 * hurt just to be sure.
    221. 

  221. 		 */
    222. 

  222. 		if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
    223. 

  223. 			wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
    224. 

  224. 			continue;
    225. 

  225. 		}
    226. 

  226. 

  227. 		if (BN_cmp(cofactor, BN_value_one())) {
    228. 

  228. 			/* make sure the point is not in a small sub-group */
    229. 

  229. 			if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
    230. 

  230. 					  cofactor, NULL)) {
    231. 

  231. 				wpa_printf(MSG_INFO, "EAP-pwd: cannot "
    232. 

  232. 					   "multiply generator by order");
    233. 

  233. 				continue;
    234. 

  234. 			}
    235. 

  235. 			if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
    236. 

  236. 				wpa_printf(MSG_INFO, "EAP-pwd: point is at "
    237. 

  237. 					   "infinity");
    238. 

  238. 				continue;
    239. 

  239. 			}
    240. 

  240. 		}
    241. 

  241. 		/* if we got here then we have a new generator. */
    242. 

  242. 		break;
    243. 

  243. 	}
    244. 

  244. 	wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
    245. 

  245. 	grp->group_num = num;
    246. 

  246. 	if (0) {
    247. 

  247.  fail:
    248. 

  248. 		EC_GROUP_free(grp->group);
    249. 

  249. 		EC_POINT_free(grp->pwe);
    250. 

  250. 		BN_free(grp->order);
    251. 

  251. 		BN_free(grp->prime);
    252. 

  252. 		os_free(grp);
    253. 

  253. 		grp = NULL;
    254. 

  254. 		ret = 1;
    255. 

  255. 	}
    256. 

  256. 	/* cleanliness and order.... */
    257. 

  257. 	BN_free(cofactor);
    258. 

  258. 	BN_free(x_candidate);
    259. 

  259. 	BN_free(rnd);
    260. 

  260. 	free(prfbuf);
    261. 

  261. 

  262. 	return ret;
    263. 

  263. }
    264. 

  264. 

  265. 

  266. int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, BIGNUM *k,
    267. 

  267. 		 EC_POINT *server_element, EC_POINT *peer_element,
    268. 

  268. 		 BIGNUM *server_scalar, BIGNUM *peer_scalar, u32 *ciphersuite,
    269. 

  269. 		 u8 *msk, u8 *emsk)
    270. 

  270. {
    271. 

  271. 	BIGNUM *scalar_sum, *x;
    272. 

  272. 	EC_POINT *element_sum;
    273. 

  273. 	HMAC_CTX ctx;
    274. 

  274. 	u8 mk[SHA256_DIGEST_LENGTH], *cruft;
    275. 

  275. 	u8 session_id[SHA256_DIGEST_LENGTH + 1];
    276. 

  276. 	u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
    277. 

  277. 	int ret = -1;
    278. 

  278. 

  279. 	if (((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL) ||
    280. 

  280. 	    ((x = BN_new()) == NULL) ||
    281. 

  281. 	    ((scalar_sum = BN_new()) == NULL) ||
    282. 

  282. 	    ((element_sum = EC_POINT_new(grp->group)) == NULL))
    283. 

  283. 		return -1;
    284. 

  284. 

  285. 	/*
    286. 

  286. 	 * first compute the session-id = TypeCode | H(ciphersuite | scal_p |
    287. 

  287. 	 *	scal_s)
    288. 

  288. 	 */
    289. 

  289. 	session_id[0] = EAP_TYPE_PWD;
    290. 

  290. 	H_Init(&ctx);
    291. 

  291. 	H_Update(&ctx, (u8 *)ciphersuite, sizeof(u32));
    292. 

  292. 	BN_bn2bin(peer_scalar, cruft);
    293. 

  293. 	H_Update(&ctx, cruft, BN_num_bytes(grp->order));
    294. 

  294. 	BN_bn2bin(server_scalar, cruft);
    295. 

  295. 	H_Update(&ctx, cruft, BN_num_bytes(grp->order));
    296. 

  296. 	H_Final(&ctx, &session_id[1]);
    297. 

  297. 

  298. 	/*
    299. 

  299. 	 * then compute MK = H(k | F(elem_p + elem_s) |
    300. 

  300. 	 *		       (scal_p + scal_s) mod r)
    301. 

  301. 	 */
    302. 

  302. 	H_Init(&ctx);
    303. 

  303. 

  304. 	/* k */
    305. 

  305. 	os_memset(cruft, 0, BN_num_bytes(grp->prime));
    306. 

  306. 	BN_bn2bin(k, cruft);
    307. 

  307. 	H_Update(&ctx, cruft, BN_num_bytes(grp->prime));
    308. 

  308. 

  309. 	/* x = F(elem_p + elem_s) */
    310. 

  310. 	if ((!EC_POINT_add(grp->group, element_sum, server_element,
    311. 

  311. 			   peer_element, bnctx)) ||
    312. 

  312. 	    (!EC_POINT_get_affine_coordinates_GFp(grp->group, element_sum, x,
    313. 

  313. 						  NULL, bnctx)))
    314. 

  314. 		goto fail;
    315. 

  315. 

  316. 	os_memset(cruft, 0, BN_num_bytes(grp->prime));
    317. 

  317. 	BN_bn2bin(x, cruft);
    318. 

  318. 	H_Update(&ctx, cruft, BN_num_bytes(grp->prime));
    319. 

  319. 

  320. 	/* (scal_p + scal_s) mod r */
    321. 

  321. 	BN_add(scalar_sum, server_scalar, peer_scalar);
    322. 

  322. 	BN_mod(scalar_sum, scalar_sum, grp->order, bnctx);
    323. 

  323. 	os_memset(cruft, 0, BN_num_bytes(grp->prime));
    324. 

  324. 	BN_bn2bin(scalar_sum, cruft);
    325. 

  325. 	H_Update(&ctx, cruft, BN_num_bytes(grp->order));
    326. 

  326. 	H_Final(&ctx, mk);
    327. 

  327. 

  328. 	/* stretch the mk with the session-id to get MSK | EMSK */
    329. 

  329. 	eap_pwd_kdf(mk, SHA256_DIGEST_LENGTH,
    330. 

  330. 		    session_id, SHA256_DIGEST_LENGTH+1,
    331. 

  331. 		    msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8);
    332. 

  332. 

  333. 	os_memcpy(msk, msk_emsk, EAP_MSK_LEN);
    334. 

  334. 	os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN);
    335. 

  335. 

  336. 	ret = 1;
    337. 

  337. 

  338. fail:
    339. 

  339. 	BN_free(x);
    340. 

  340. 	BN_free(scalar_sum);
    341. 

  341. 	EC_POINT_free(element_sum);
    342. 

  342. 	os_free(cruft);
    343. 

  343. 

  344. 	return ret;
    345. 

  345. }
    346.