EAP-PEAP: Fixed interop issues in key derivation with cryptobinding

It looks like Microsoft implementation does not match with their
specification as far as PRF+ label usage is concerned.. IPMK|CMK is derived
without null termination on the label, but the label for CSK derivation
must be null terminated.

This allows cryptobinding to be used with PEAPv0 in a way that
interoperates with Windows XP SP3 (RC2) and as such, this functionality is
now enabled as an optional addition to PEAPv0.
This commit is contained in:
Jouni Malinen 2008-03-19 16:58:06 +02:00
parent 32f049b2af
commit e7d8003358
4 changed files with 16 additions and 4 deletions

View file

@ -8,6 +8,7 @@ ChangeLog for hostapd
(this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
changes needed to run two methods in sequence (IF-T) and the IF-IMV
and IF-TNCCS interfaces from TNCS)
* added support for optional cryptobinding with PEAPv0
2008-02-22 - v0.6.3
* fixed Reassociation Response callback processing when using internal

View file

@ -117,7 +117,7 @@ static void * eap_peap_init(struct eap_sm *sm)
data->peap_version = EAP_PEAP_VERSION;
data->force_peap_version = -1;
data->peap_outer_success = 2;
data->crypto_binding = NO_BINDING;
data->crypto_binding = OPTIONAL_BINDING;
if (config && config->phase1 &&
eap_peap_parse_phase1(data, config->phase1) < 0) {
@ -1249,9 +1249,14 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
if (data->crypto_binding_used) {
u8 csk[128];
/*
* Note: It looks like Microsoft implementation requires null
* termination for this label while the one used for deriving
* IPMK|CMK did not use null termination.
*/
peap_prfplus(data->peap_version, data->ipmk, 40,
"Session Key Generating Function",
(u8 *) "", 0, csk, sizeof(csk));
(u8 *) "\00", 1, csk, sizeof(csk));
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
os_memcpy(key, csk, EAP_TLS_KEY_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",

View file

@ -177,7 +177,7 @@ static void * eap_peap_init(struct eap_sm *sm)
data->peap_version = data->force_version;
}
data->state = START;
data->crypto_binding = NO_BINDING;
data->crypto_binding = OPTIONAL_BINDING;
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
@ -1271,9 +1271,14 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
if (data->crypto_binding_used) {
u8 csk[128];
/*
* Note: It looks like Microsoft implementation requires null
* termination for this label while the one used for deriving
* IPMK|CMK did not use null termination.
*/
peap_prfplus(data->peap_version, data->ipmk, 40,
"Session Key Generating Function",
(u8 *) "", 0, csk, sizeof(csk));
(u8 *) "\00", 1, csk, sizeof(csk));
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
if (eapKeyData) {

View file

@ -4,6 +4,7 @@ ChangeLog for wpa_supplicant
* added support for EAP Sequences in EAP-FAST Phase 2
* added support for using TNC with EAP-FAST
* added driver_ps3 for the PS3 Linux wireless driver
* added support for optional cryptobinding with PEAPv0
2008-02-22 - v0.6.3
* removed 'nai' and 'eappsk' network configuration variables that were