|
1 /* |
|
2 * Copyright (c) 2001-2006 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: EAP and WLAN authentication protocols. |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
// Per-file identifiers of the EAPOL source code.
// They are redefined only when USE_EAP_MINIMUM_RELEASE_TRACES is defined.
// NOTE(review): presumably the minimal release trace macros use these to tag
// trace output with the originating file -- confirm against the trace headers.
#if defined(USE_EAP_MINIMUM_RELEASE_TRACES)
#undef EAP_FILE_NUMBER_ENUM
#define EAP_FILE_NUMBER_ENUM 8
#undef EAP_FILE_NUMBER_DATE
#define EAP_FILE_NUMBER_DATE 1127594498
#endif //#if defined(USE_EAP_MINIMUM_RELEASE_TRACES)
|
26 |
|
27 |
|
28 #include "eap_am_memory.h" |
|
29 |
|
30 #include "dss_random.h" |
|
31 |
|
32 #include "eap_am_assert.h" |
|
33 #include "abs_eap_am_crypto.h" |
|
34 |
|
35 #include <openssl/bn.h> |
|
36 |
|
37 #include "eap_am_crypto_sha1.h" |
|
38 |
|
39 /** @file */ |
|
40 |
|
/** This is the block size in bytes: 160 bits, i.e. 20 bytes. */
static const u32_t BLOCK_SIZE = 160/8;

/** Size in bytes of the scratch buffer dss_pseudo_random() uses to format trace labels. */
static const u32_t DEBUG_BUFFER_SIZE = 80;
|
45 |
|
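/**
 * dss_random_G() implements the G() function using modified SHA-1.
 * @code
 * Copied from "Multiple Examples of DSA" http://csrc.nist.gov/encryption/dss/Examples-1024bit.pdf.
 * Using the revised algorithm found in the Change Notice for the generation of x values:
 * XKEY= bd029bbe 7f51960b cf9edb2b 61f06f0f eb5a38b6
 * XSEED= 00000000 00000000 00000000 00000000 00000000
 * The first loop through step 3.2 provides:
 * XVAL= bd029bbe 7f51960b cf9edb2b 61f06f0f eb5a38b6
 * Using the routine in Appendix 3.3 Constructing The Function G From SHA-1
 * provides:
 * w[0]= 2070b322 3dba372f de1c0ffc 7b2e3b49 8b260614
 * The following value is the updated XKEY value from step 3.2.c:
 * XKEY= dd734ee0 bd0bcd3b adbaeb27 dd1eaa59 76803ecb
 * The second loop through step 3.2 provides:
 * XVAL= dd734ee0 bd0bcd3b adbaeb27 dd1eaa59 76803ecb
 * Using the routine in Appendix 3.3 Constructing The Function G From SHA-1
 * provides:
 * w[1]= 3c6c18ba cb0f6c55 babb1378 8e20d737 a3275116
 * The following value is the updated XKEY value from step 3.2.c:
 * XKEY= 19df679b 881b3991 6875fea0 6b3f8191 19a78fe2
 * Step 3.3 provides the following values:
 * w[0] || w[1]= 2070b322 3dba372f de1c0ffc 7b2e3b49 8b260614
 *               3c6c18ba cb0f6c55 babb1378 8e20d737 a3275116
 * X= 47c27eb6 16dba413 91e5165b e9c5e397 7e39a15d
 * @endcode
 *
 * @param m_am_tools is the tools object handed to the SHA-1 object and used for tracing.
 * @param out receives the G() output; must point to BLOCK_SIZE writable bytes.
 * @param out_length is the size of out in bytes; must equal BLOCK_SIZE.
 * @param c is the input block (XVAL in the example above); must point to BLOCK_SIZE bytes.
 * @param c_length is the size of c in bytes; must equal BLOCK_SIZE.
 *
 * The function returns nothing, so a failure of the SHA-1 step is only traced.
 * When the parameters are rejected, out is left untouched; callers must not
 * treat its previous content as fresh output.
 */
void dss_random_G(abs_eap_am_tools_c * const m_am_tools, u8_t *out, u32_t out_length, u8_t *c, u32_t c_length)
{
	EAP_ASSERT(out_length == BLOCK_SIZE);
	EAP_ASSERT(c_length == BLOCK_SIZE);

	// Runtime guard in addition to the assertions above: if EAP_ASSERT is
	// compiled out (typical for release builds -- confirm), a short buffer
	// or a null pointer would otherwise reach the SHA-1 step unchecked.
	if (out == 0
		|| c == 0
		|| out_length != BLOCK_SIZE
		|| c_length != BLOCK_SIZE)
	{
		EAP_TRACE_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (EAPL("ERROR: dss_random_G(): illegal parameter, out_length = %d, c_length = %d\n"),
			out_length,
			c_length));
		return;
	}

	// NOTE(review): out is a byte pointer with no alignment guarantee, yet it
	// is handed on as u32_t *. On targets that fault on unaligned word access
	// this is only safe if every caller passes a 4-byte aligned buffer -- confirm.
	u32_t * const out_array = reinterpret_cast<u32_t *>(out);

	{
		eap_am_crypto_sha1_c sha1(m_am_tools);
		u32_t output_length = out_length;

		const eap_status_e status = sha1.eap_sha1_dss_G_function(
			c,
			c_length,
			out_array,
			&output_length
			);
		if (status != eap_status_ok)
		{
			// NOTE(review): the error cannot be reported through the void
			// return type; the content of out is then not a valid G() value.
			EAP_TRACE_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (EAPL("eap_sha1_dss_G_function(): status = %d"),
				status));
		}
	}
}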
|
97 |
|
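/**
 * dss_pseudo_random() implements the pseudo-random function used for key generation in EAP/SIM.
 * @code
 * Random generator becomes as follows:
 * Step 1. Choose a new, secret value for the seed-key, XKEY.
 * Step 2. In hexadecimal notation let
 *     t = 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0.
 *     This is the initial value for H0 || H1 || H2 || H3 || H4 in the SHS.
 * Step 3. For j = 0 to m - 1 do
 *     c. xj = G(t,XKEY).
 *     d. XKEY = (1 + XKEY + xj) mod 2^b.
 * @endcode
 *
 * @param m_am_tools is the tools object used for memmove() and tracing.
 * @param out receives out_length bytes of output, one BLOCK_SIZE block per round.
 * @param out_length is the size of out in bytes; must be a multiple of BLOCK_SIZE.
 * @param xkey is the secret seed-key XKEY; the first BLOCK_SIZE bytes are used.
 * @param xkey_length is the size of xkey in bytes; must be at least BLOCK_SIZE.
 *
 * @return eap_status_ok on success,
 *         eap_status_data_length_not_aligned_to_block_size when out_length is not a multiple of BLOCK_SIZE,
 *         eap_status_illegal_parameter when a pointer is null or xkey is shorter than BLOCK_SIZE,
 *         eap_status_allocation_error when a big-number operation fails,
 *         eap_status_process_general_error when the updated XKEY does not fit in BLOCK_SIZE bytes.
 *         On any error the content of out is unspecified and must not be used as key material.
 *
 * NOTE(review): the EAP_TRACE_DATA_DEBUG calls below dump XKEY and the generated
 * blocks. Confirm that these traces are compiled out or disabled in production builds.
 */
eap_status_e dss_pseudo_random(abs_eap_am_tools_c * const m_am_tools, u8_t *out, u32_t out_length, u8_t *xkey, u32_t xkey_length)
{
	const u32_t block_count = out_length/BLOCK_SIZE;
	if ((out_length % BLOCK_SIZE) != 0)
	{
		EAP_TRACE_DEBUG(
			m_am_tools,
			TRACE_FLAGS_DEFAULT,
			(EAPL("ERROR: dss_pseudo_random(): out buffer length 0x%08x not aligned to 0x%08x.\n"),
			out_length, BLOCK_SIZE));
		return eap_status_data_length_not_aligned_to_block_size;
	}

	if (xkey == 0
		|| out == 0)
	{
		return eap_status_illegal_parameter;
	}

	// BLOCK_SIZE bytes are copied from xkey below, so a shorter seed would be
	// read past its end. Longer seeds are accepted as before (prefix is used).
	if (xkey_length < BLOCK_SIZE)
	{
		return eap_status_illegal_parameter;
	}

	BN_CTX * const ctx = BN_CTX_new();
	if (ctx == 0)
	{
		return eap_status_allocation_error;
	}

	u8_t tmp_xkey[BLOCK_SIZE];

	m_am_tools->memmove(tmp_xkey, xkey, BLOCK_SIZE);

	BIGNUM bn_mod, bn_xkey, bn_xj, bn_one, bn_160, bn_tmp;

	BN_init(&bn_mod);
	BN_init(&bn_tmp);
	BN_init(&bn_xkey);
	BN_init(&bn_xj);
	BN_init(&bn_one);
	BN_init(&bn_160);

	eap_status_e status = eap_status_ok;

	// bn_mod = 2^160
	if (!BN_set_word(&bn_one, 1)
		|| !BN_set_word(&bn_mod, 2)
		|| !BN_set_word(&bn_160, 160)
		|| !BN_exp(&bn_mod, &bn_mod, &bn_160, ctx))
	{
		status = eap_status_allocation_error;
	}

	if (status == eap_status_ok)
	{
		EAP_TRACE_DATA_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (EAPL("dss_pseudo_random(): mod"),
			bn_mod.d, bn_mod.top*sizeof(BN_ULONG)));

		EAP_TRACE_DATA_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (EAPL("xkey[0]"),
			xkey, xkey_length));
	}

	for (u32_t ind = 0; status == eap_status_ok && ind < block_count; ind++)
	{
		u8_t debug_buffer[DEBUG_BUFFER_SIZE];
		EAP_UNREFERENCED_PARAMETER(debug_buffer);

		// xj = G(t, XKEY). dss_random_G() returns void, so a failure inside
		// the SHA-1 step cannot be detected here.
		dss_random_G(m_am_tools, &(out[ind*BLOCK_SIZE]), BLOCK_SIZE, tmp_xkey, BLOCK_SIZE);

		EAP_TRACE_FORMAT(m_am_tools, (debug_buffer, DEBUG_BUFFER_SIZE, EAPL("w[%d] "), ind));
		EAP_TRACE_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (EAPL("dss_pseudo_random(): %s = G(xkey[%d])\n"),
			debug_buffer,
			ind));
		EAP_TRACE_DATA_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (reinterpret_cast<eap_format_string>(debug_buffer),
			&(out[ind*BLOCK_SIZE]), BLOCK_SIZE));

		// The last block needs no XKEY update.
		if (ind+1u >= block_count)
		{
			break;
		}

		// tmp = (xkey + 1) % mod
		if (BN_bin2bn(static_cast<u8_t *>(tmp_xkey), BLOCK_SIZE, &bn_xkey) == 0
			|| !BN_mod_add(&bn_tmp, &bn_xkey, &bn_one, &bn_mod, ctx))
		{
			status = eap_status_allocation_error;
			break;
		}

		// The literal percent sign is written as %% so that it is not parsed
		// as a conversion specification.
		EAP_TRACE_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (EAPL("dss_pseudo_random(): tmp[%d] = (xkey[%d] + 1) %% mod\n"),
			ind,
			ind));
		EAP_TRACE_FORMAT(m_am_tools, (debug_buffer, DEBUG_BUFFER_SIZE, EAPL("tmp[%d] "), ind));
		EAP_TRACE_DATA_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (reinterpret_cast<eap_format_string>(debug_buffer),
			bn_tmp.d, bn_tmp.top*sizeof(BN_ULONG)));

		// xkey = (tmp + xj) % mod
		if (BN_bin2bn(static_cast<u8_t *>(&(out[ind*BLOCK_SIZE])), BLOCK_SIZE, &bn_xj) == 0
			|| !BN_mod_add(&bn_xkey, &bn_tmp, &bn_xj, &bn_mod, ctx))
		{
			status = eap_status_allocation_error;
			break;
		}

		// BN_bn2bin() writes only the significant bytes. When the new XKEY has
		// leading zero bytes the value must be right-aligned in tmp_xkey,
		// otherwise stale bytes of the previous XKEY stay in the buffer and
		// the next round runs on a wrong seed.
		const int xkey_bytes = BN_num_bytes(&bn_xkey);
		if (xkey_bytes < 0
			|| static_cast<u32_t>(xkey_bytes) > BLOCK_SIZE)
		{
			// Cannot happen after reduction mod 2^160; checked to keep the write in bounds.
			status = eap_status_process_general_error;
			break;
		}

		const u32_t pad_length = BLOCK_SIZE - static_cast<u32_t>(xkey_bytes);
		for (u32_t pad_ind = 0; pad_ind < pad_length; pad_ind++)
		{
			tmp_xkey[pad_ind] = 0;
		}
		BN_bn2bin(&bn_xkey, static_cast<u8_t *>(tmp_xkey) + pad_length);

		EAP_TRACE_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (EAPL("dss_pseudo_random(): xkey[%d] = (tmp + x[%d]) %% mod\n"),
			ind+1u,
			ind));
		EAP_TRACE_FORMAT(m_am_tools, (debug_buffer, DEBUG_BUFFER_SIZE, EAPL("xkey[%d]"), ind+1u));
		EAP_TRACE_DATA_DEBUG(m_am_tools, TRACE_FLAGS_EAP_AM_CRYPTO, (reinterpret_cast<eap_format_string>(debug_buffer),
			tmp_xkey, sizeof(tmp_xkey)));
	}

	// The big numbers hold XKEY and generated output: wipe them before release.
	BN_clear_free(&bn_mod);
	BN_clear_free(&bn_tmp);
	BN_clear_free(&bn_xkey);
	BN_clear_free(&bn_xj);
	BN_clear_free(&bn_one);
	BN_clear_free(&bn_160);

	BN_CTX_free(ctx);

	// Wipe the working copy of the seed-key; the volatile access keeps the
	// stores from being optimized away.
	volatile u8_t * const wipe = tmp_xkey;
	for (u32_t wipe_ind = 0; wipe_ind < BLOCK_SIZE; wipe_ind++)
	{
		wipe[wipe_ind] = 0;
	}

	return status;
}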
|
215 |
|
216 // End. |