1 /*
2  * EAP server/peer: EAP-pwd shared routines
3  * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 #include "common.h"
11 #include "utils/const_time.h"
12 #include "common/dragonfly.h"
13 #include "crypto/sha256.h"
14 #include "crypto/crypto.h"
15 #include "eap_defs.h"
16 #include "eap_pwd_common.h"
17 
18 #define MAX_ECC_PRIME_LEN 66
19 
20 
21 /* The random function H(x) = HMAC-SHA256(0^32, x) */
eap_pwd_h_init(void)22 struct crypto_hash * eap_pwd_h_init(void)
23 {
24 	u8 allzero[SHA256_MAC_LEN];
25 	os_memset(allzero, 0, SHA256_MAC_LEN);
26 	return crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256, allzero,
27 				SHA256_MAC_LEN);
28 }
29 
30 
eap_pwd_h_update(struct crypto_hash * hash,const u8 * data,size_t len)31 void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len)
32 {
33 	crypto_hash_update(hash, data, len);
34 }
35 
36 
eap_pwd_h_final(struct crypto_hash * hash,u8 * digest)37 void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest)
38 {
39 	size_t len = SHA256_MAC_LEN;
40 	crypto_hash_finish(hash, digest, &len);
41 }
42 
43 
44 /* a counter-based KDF based on NIST SP800-108 */
eap_pwd_kdf(const u8 * key,size_t keylen,const u8 * label,size_t labellen,u8 * result,size_t resultbitlen)45 static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
46 		       size_t labellen, u8 *result, size_t resultbitlen)
47 {
48 	struct crypto_hash *hash;
49 	u8 digest[SHA256_MAC_LEN];
50 	u16 i, ctr, L;
51 	size_t resultbytelen, len = 0, mdlen;
52 
53 	resultbytelen = (resultbitlen + 7) / 8;
54 	ctr = 0;
55 	L = htons(resultbitlen);
56 	while (len < resultbytelen) {
57 		ctr++;
58 		i = htons(ctr);
59 		hash = crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256,
60 					key, keylen);
61 		if (hash == NULL)
62 			return -1;
63 		if (ctr > 1)
64 			crypto_hash_update(hash, digest, SHA256_MAC_LEN);
65 		crypto_hash_update(hash, (u8 *) &i, sizeof(u16));
66 		crypto_hash_update(hash, label, labellen);
67 		crypto_hash_update(hash, (u8 *) &L, sizeof(u16));
68 		mdlen = SHA256_MAC_LEN;
69 		if (crypto_hash_finish(hash, digest, &mdlen) < 0)
70 			return -1;
71 		if ((len + mdlen) > resultbytelen)
72 			os_memcpy(result + len, digest, resultbytelen - len);
73 		else
74 			os_memcpy(result + len, digest, mdlen);
75 		len += mdlen;
76 	}
77 
78 	/* since we're expanding to a bit length, mask off the excess */
79 	if (resultbitlen % 8) {
80 		u8 mask = 0xff;
81 		mask <<= (8 - (resultbitlen % 8));
82 		result[resultbytelen - 1] &= mask;
83 	}
84 
85 	return 0;
86 }
87 
88 
get_eap_pwd_group(u16 num)89 EAP_PWD_group * get_eap_pwd_group(u16 num)
90 {
91 	EAP_PWD_group *grp;
92 
93 	if (!dragonfly_suitable_group(num, 1)) {
94 		wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num);
95 		return NULL;
96 	}
97 	grp = os_zalloc(sizeof(EAP_PWD_group));
98 	if (!grp)
99 		return NULL;
100 	grp->group = crypto_ec_init(num);
101 	if (!grp->group) {
102 		wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
103 		os_free(grp);
104 		return NULL;
105 	}
106 
107 	grp->group_num = num;
108 	wpa_printf(MSG_INFO, "EAP-pwd: provisioned group %d", num);
109 
110 	return grp;
111 }
112 
113 
114 /*
115  * compute a "random" secret point on an elliptic curve based
116  * on the password and identities.
117  */
compute_password_element(EAP_PWD_group * grp,u16 num,const u8 * password,size_t password_len,const u8 * id_server,size_t id_server_len,const u8 * id_peer,size_t id_peer_len,const u8 * token)118 int compute_password_element(EAP_PWD_group *grp, u16 num,
119 			     const u8 *password, size_t password_len,
120 			     const u8 *id_server, size_t id_server_len,
121 			     const u8 *id_peer, size_t id_peer_len,
122 			     const u8 *token)
123 {
124 	struct crypto_bignum *qr = NULL, *qnr = NULL;
125 	u8 qr_bin[MAX_ECC_PRIME_LEN];
126 	u8 qnr_bin[MAX_ECC_PRIME_LEN];
127 	u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
128 	u8 x_bin[MAX_ECC_PRIME_LEN];
129 	u8 prime_bin[MAX_ECC_PRIME_LEN];
130 	u8 x_y[2 * MAX_ECC_PRIME_LEN];
131 	struct crypto_bignum *tmp2 = NULL, *y = NULL;
132 	struct crypto_hash *hash;
133 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
134 	int ret = 0, res;
135 	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
136 		       * mask */
137 	size_t primebytelen = 0, primebitlen;
138 	struct crypto_bignum *x_candidate = NULL;
139 	const struct crypto_bignum *prime;
140 	u8 found_ctr = 0, is_odd = 0;
141 	int cmp_prime;
142 	unsigned int in_range;
143 	unsigned int is_eq;
144 
145 	if (grp->pwe)
146 		return -1;
147 
148 	os_memset(x_bin, 0, sizeof(x_bin));
149 
150 	prime = crypto_ec_get_prime(grp->group);
151 	primebitlen = crypto_ec_prime_len_bits(grp->group);
152 	primebytelen = crypto_ec_prime_len(grp->group);
153 	if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
154 				 primebytelen) < 0)
155 		return -1;
156 
157 	if ((prfbuf = os_malloc(primebytelen)) == NULL) {
158 		wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
159 			   "buffer");
160 		goto fail;
161 	}
162 
163 	/* get a random quadratic residue and nonresidue */
164 	if (dragonfly_get_random_qr_qnr(prime, &qr, &qnr) < 0 ||
165 	    crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin),
166 				 primebytelen) < 0 ||
167 	    crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin),
168 				 primebytelen) < 0)
169 		goto fail;
170 
171 	os_memset(prfbuf, 0, primebytelen);
172 	ctr = 0;
173 
174 	/*
175 	 * Run through the hunting-and-pecking loop 40 times to mask the time
176 	 * necessary to find PWE. The odds of PWE not being found in 40 loops is
177 	 * roughly 1 in 1 trillion.
178 	 */
179 	while (ctr < 40) {
180 		ctr++;
181 
182 		/*
183 		 * compute counter-mode password value and stretch to prime
184 		 *    pwd-seed = H(token | peer-id | server-id | password |
185 		 *		   counter)
186 		 */
187 		hash = eap_pwd_h_init();
188 		if (hash == NULL)
189 			goto fail;
190 		eap_pwd_h_update(hash, token, sizeof(u32));
191 		eap_pwd_h_update(hash, id_peer, id_peer_len);
192 		eap_pwd_h_update(hash, id_server, id_server_len);
193 		eap_pwd_h_update(hash, password, password_len);
194 		eap_pwd_h_update(hash, &ctr, sizeof(ctr));
195 		eap_pwd_h_final(hash, pwe_digest);
196 
197 		is_odd = const_time_select_u8(
198 			found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01);
199 		if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
200 				(u8 *) "EAP-pwd Hunting And Pecking",
201 				os_strlen("EAP-pwd Hunting And Pecking"),
202 				prfbuf, primebitlen) < 0)
203 			goto fail;
204 		if (primebitlen % 8)
205 			buf_shift_right(prfbuf, primebytelen,
206 					8 - primebitlen % 8);
207 		cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
208 		/* Create a const_time mask for selection based on prf result
209 		 * being smaller than prime. */
210 		in_range = const_time_fill_msb((unsigned int) cmp_prime);
211 		/* The algorithm description would skip the next steps if
212 		 * cmp_prime >= 0, but go through them regardless to minimize
213 		 * externally observable differences in behavior. */
214 
215 		crypto_bignum_deinit(x_candidate, 1);
216 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
217 		if (!x_candidate) {
218 			wpa_printf(MSG_INFO,
219 				   "EAP-pwd: unable to create x_candidate");
220 			goto fail;
221 		}
222 
223 		wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
224 				prfbuf, primebytelen);
225 		const_time_select_bin(found, x_bin, prfbuf, primebytelen,
226 				      x_bin);
227 
228 		/*
229 		 * compute y^2 using the equation of the curve
230 		 *
231 		 *      y^2 = x^3 + ax + b
232 		 */
233 		crypto_bignum_deinit(tmp2, 1);
234 		tmp2 = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
235 		if (!tmp2)
236 			goto fail;
237 
238 		res = dragonfly_is_quadratic_residue_blind(grp->group, qr_bin,
239 							   qnr_bin, tmp2);
240 		if (res < 0)
241 			goto fail;
242 		found_ctr = const_time_select_u8(found, found_ctr, ctr);
243 		/* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
244 		 * (with res converted to 0/0xff and masked with prf being below
245 		 * prime) handles this in constant time.
246 		 */
247 		found |= (res & in_range) * 0xff;
248 	}
249 	if (found == 0) {
250 		wpa_printf(MSG_INFO,
251 			   "EAP-pwd: unable to find random point on curve for group %d, something's fishy",
252 			   num);
253 		goto fail;
254 	}
255 
256 	/*
257 	 * We know x_candidate is a quadratic residue so set it here.
258 	 */
259 	crypto_bignum_deinit(x_candidate, 1);
260 	x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
261 	if (!x_candidate)
262 		goto fail;
263 
264 	/* y = sqrt(x^3 + ax + b) mod p
265 	 * if LSB(y) == LSB(pwd-seed): PWE = (x, y)
266 	 * else: PWE = (x, p - y)
267 	 *
268 	 * Calculate y and the two possible values for PWE and after that,
269 	 * use constant time selection to copy the correct alternative.
270 	 */
271 	y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
272 	if (!y ||
273 	    dragonfly_sqrt(grp->group, y, y) < 0 ||
274 	    crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
275 	    crypto_bignum_sub(prime, y, y) < 0 ||
276 	    crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
277 				 MAX_ECC_PRIME_LEN, primebytelen) < 0) {
278 		wpa_printf(MSG_DEBUG, "EAP-pwd: Could not solve y");
279 		goto fail;
280 	}
281 
282 	/* Constant time selection of the y coordinate from the two
283 	 * options */
284 	is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
285 	const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
286 			      primebytelen, x_y + primebytelen);
287 	os_memcpy(x_y, x_bin, primebytelen);
288 	wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
289 	grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
290 	if (!grp->pwe) {
291 		wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
292 		goto fail;
293 	}
294 
295 	/*
296 	 * If there's a solution to the equation then the point must be on the
297 	 * curve so why check again explicitly? OpenSSL code says this is
298 	 * required by X9.62. We're not X9.62 but it can't hurt just to be sure.
299 	 */
300 	if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
301 		wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
302 		goto fail;
303 	}
304 
305 	wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
306 
307 	if (0) {
308  fail:
309 		crypto_ec_point_deinit(grp->pwe, 1);
310 		grp->pwe = NULL;
311 		ret = 1;
312 	}
313 	/* cleanliness and order.... */
314 	crypto_bignum_deinit(x_candidate, 1);
315 	crypto_bignum_deinit(tmp2, 1);
316 	crypto_bignum_deinit(y, 1);
317 	crypto_bignum_deinit(qr, 1);
318 	crypto_bignum_deinit(qnr, 1);
319 	bin_clear_free(prfbuf, primebytelen);
320 	os_memset(qr_bin, 0, sizeof(qr_bin));
321 	os_memset(qnr_bin, 0, sizeof(qnr_bin));
322 	os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
323 	os_memset(pwe_digest, 0, sizeof(pwe_digest));
324 	forced_memzero(x_y, sizeof(x_y));
325 
326 	return ret;
327 }
328 
329 
compute_keys(EAP_PWD_group * grp,const struct crypto_bignum * k,const struct crypto_bignum * peer_scalar,const struct crypto_bignum * server_scalar,const u8 * confirm_peer,const u8 * confirm_server,const u32 * ciphersuite,u8 * msk,u8 * emsk,u8 * session_id)330 int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
331 		 const struct crypto_bignum *peer_scalar,
332 		 const struct crypto_bignum *server_scalar,
333 		 const u8 *confirm_peer, const u8 *confirm_server,
334 		 const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id)
335 {
336 	struct crypto_hash *hash;
337 	u8 mk[SHA256_MAC_LEN], *cruft;
338 	u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
339 	size_t prime_len, order_len;
340 
341 	prime_len = crypto_ec_prime_len(grp->group);
342 	order_len = crypto_ec_order_len(grp->group);
343 
344 	cruft = os_malloc(prime_len);
345 	if (!cruft)
346 		return -1;
347 
348 	/*
349 	 * first compute the session-id = TypeCode | H(ciphersuite | scal_p |
350 	 *	scal_s)
351 	 */
352 	session_id[0] = EAP_TYPE_PWD;
353 	hash = eap_pwd_h_init();
354 	if (hash == NULL) {
355 		os_free(cruft);
356 		return -1;
357 	}
358 	eap_pwd_h_update(hash, (const u8 *) ciphersuite, sizeof(u32));
359 	crypto_bignum_to_bin(peer_scalar, cruft, order_len, order_len);
360 	eap_pwd_h_update(hash, cruft, order_len);
361 	crypto_bignum_to_bin(server_scalar, cruft, order_len, order_len);
362 	eap_pwd_h_update(hash, cruft, order_len);
363 	eap_pwd_h_final(hash, &session_id[1]);
364 
365 	/* then compute MK = H(k | confirm-peer | confirm-server) */
366 	hash = eap_pwd_h_init();
367 	if (hash == NULL) {
368 		os_free(cruft);
369 		return -1;
370 	}
371 	crypto_bignum_to_bin(k, cruft, prime_len, prime_len);
372 	eap_pwd_h_update(hash, cruft, prime_len);
373 	os_free(cruft);
374 	eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN);
375 	eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN);
376 	eap_pwd_h_final(hash, mk);
377 
378 	/* stretch the mk with the session-id to get MSK | EMSK */
379 	if (eap_pwd_kdf(mk, SHA256_MAC_LEN,
380 			session_id, SHA256_MAC_LEN + 1,
381 			msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8) < 0) {
382 		return -1;
383 	}
384 
385 	os_memcpy(msk, msk_emsk, EAP_MSK_LEN);
386 	os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN);
387 
388 	return 1;
389 }
390 
391 
eap_pwd_element_coord_ok(const struct crypto_bignum * prime,const u8 * buf,size_t len)392 static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
393 				    const u8 *buf, size_t len)
394 {
395 	struct crypto_bignum *val;
396 	int ok = 1;
397 
398 	val = crypto_bignum_init_set(buf, len);
399 	if (!val || crypto_bignum_is_zero(val) ||
400 	    crypto_bignum_cmp(val, prime) >= 0)
401 		ok = 0;
402 	crypto_bignum_deinit(val, 0);
403 	return ok;
404 }
405 
406 
eap_pwd_get_element(EAP_PWD_group * group,const u8 * buf)407 struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
408 					     const u8 *buf)
409 {
410 	struct crypto_ec_point *element;
411 	const struct crypto_bignum *prime;
412 	size_t prime_len;
413 
414 	prime = crypto_ec_get_prime(group->group);
415 	prime_len = crypto_ec_prime_len(group->group);
416 
417 	/* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
418 	if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
419 	    !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
420 		wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
421 		return NULL;
422 	}
423 
424 	element = crypto_ec_point_from_bin(group->group, buf);
425 	if (!element) {
426 		wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
427 		return NULL;
428 	}
429 
430 	/* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
431 	if (!crypto_ec_point_is_on_curve(group->group, element) ||
432 	    crypto_ec_point_is_at_infinity(group->group, element)) {
433 		wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
434 		goto fail;
435 	}
436 
437 out:
438 	return element;
439 fail:
440 	crypto_ec_point_deinit(element, 0);
441 	element = NULL;
442 	goto out;
443 }
444 
445 
eap_pwd_get_scalar(EAP_PWD_group * group,const u8 * buf)446 struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
447 {
448 	struct crypto_bignum *scalar;
449 	const struct crypto_bignum *order;
450 	size_t order_len;
451 
452 	order = crypto_ec_get_order(group->group);
453 	order_len = crypto_ec_order_len(group->group);
454 
455 	/* RFC 5931, 2.8.5.2: 1 < scalar < r */
456 	scalar = crypto_bignum_init_set(buf, order_len);
457 	if (!scalar || crypto_bignum_is_zero(scalar) ||
458 	    crypto_bignum_is_one(scalar) ||
459 	    crypto_bignum_cmp(scalar, order) >= 0) {
460 		wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
461 		crypto_bignum_deinit(scalar, 0);
462 		scalar = NULL;
463 	}
464 
465 	return scalar;
466 }
467 
468 
eap_pwd_get_rand_mask(EAP_PWD_group * group,struct crypto_bignum * _rand,struct crypto_bignum * _mask,struct crypto_bignum * scalar)469 int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
470 			  struct crypto_bignum *_mask,
471 			  struct crypto_bignum *scalar)
472 {
473 	return dragonfly_generate_scalar(crypto_ec_get_order(group->group),
474 					 _rand, _mask, scalar);
475 }
476