
EAP-PEAP: Fixed interop issues in key derivation with cryptobinding

It looks like the Microsoft implementation does not match their
specification as far as PRF+ label usage is concerned: IPMK|CMK is derived
without null termination on the label, but the label for CSK derivation
must be null terminated.

This allows cryptobinding to be used with PEAPv0 in a way that
interoperates with Windows XP SP3 (RC2) and as such, this functionality is
now enabled as an optional addition to PEAPv0.
Jouni Malinen 17 years ago
parent
commit
e7d8003358
4 changed files with 16 additions and 4 deletions
  1. 1 0
      hostapd/ChangeLog
  2. 7 2
      src/eap_peer/eap_peap.c
  3. 7 2
      src/eap_server/eap_peap.c
  4. 1 0
      wpa_supplicant/ChangeLog

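--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -8,6 +8,7 @@ ChangeLog for hostapd
 	  (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
 	  changes needed to run two methods in sequence (IF-T) and the IF-IMV
 	  and IF-TNCCS interfaces from TNCS)
+	* added support for optional cryptobinding with PEAPv0
 
 2008-02-22 - v0.6.3
 	* fixed Reassociation Response callback processing when using internal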

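--- a/src/eap_peer/eap_peap.c
+++ b/src/eap_peer/eap_peap.c
@@ -117,7 +117,7 @@ static void * eap_peap_init(struct eap_sm *sm)
 	data->peap_version = EAP_PEAP_VERSION;
 	data->force_peap_version = -1;
 	data->peap_outer_success = 2;
-	data->crypto_binding = NO_BINDING;
+	data->crypto_binding = OPTIONAL_BINDING;
 
 	if (config && config->phase1 &&
 	    eap_peap_parse_phase1(data, config->phase1) < 0) {
@@ -1249,9 +1249,14 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
 
 	if (data->crypto_binding_used) {
 		u8 csk[128];
+		/*
+		 * Note: It looks like Microsoft implementation requires null
+		 * termination for this label while the one used for deriving
+		 * IPMK|CMK did not use null termination.
+		 */
 		peap_prfplus(data->peap_version, data->ipmk, 40,
 			     "Session Key Generating Function",
-			     (u8 *) "", 0, csk, sizeof(csk));
+			     (u8 *) "\00", 1, csk, sizeof(csk));
 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
 		os_memcpy(key, csk, EAP_TLS_KEY_LEN);
 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",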
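Review bot: The seed argument `(u8 *) "\00", 1` in the eap_peap_getKey hunk encodes the label's terminating NUL as an octal escape inside a string literal, which reads as though the label text itself were being altered; since peap_prfplus appears to take the label and the seed as separate arguments (its definition is outside the hunk), a named one-byte zero seed states the intent directly, e.g. `static const u8 csk_seed[1] = { 0 };` passed as `csk_seed, sizeof(csk_seed)`. The added comment records an observation rather than the mechanism; suggested wording: `/* The CSK label is NUL-terminated (the NUL is passed as a one-byte seed) to match the Microsoft implementation; the IPMK|CMK label is not. */`. The identical lines and comment appear in src/eap_server/eap_peap.c and should be changed together. eap_peap_getKey continues beyond the hunk.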

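--- a/src/eap_server/eap_peap.c
+++ b/src/eap_server/eap_peap.c
@@ -177,7 +177,7 @@ static void * eap_peap_init(struct eap_sm *sm)
 		data->peap_version = data->force_version;
 	}
 	data->state = START;
-	data->crypto_binding = NO_BINDING;
+	data->crypto_binding = OPTIONAL_BINDING;
 
 	if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
 		wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
@@ -1271,9 +1271,14 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
 
 	if (data->crypto_binding_used) {
 		u8 csk[128];
+		/*
+		 * Note: It looks like Microsoft implementation requires null
+		 * termination for this label while the one used for deriving
+		 * IPMK|CMK did not use null termination.
+		 */
 		peap_prfplus(data->peap_version, data->ipmk, 40,
 			     "Session Key Generating Function",
-			     (u8 *) "\00", 1, csk, sizeof(csk));
+			     (u8 *) "\00", 1, csk, sizeof(csk));
 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
 		eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
 		if (eapKeyData) {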
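Review bot: The 128-byte stack buffer csk in the eap_peap_getKey hunk holds the full PRF+ output while only EAP_TLS_KEY_LEN bytes are copied into eapKeyData, and nothing in the hunk clears it afterwards; unless the function does so later (eap_peap_getKey continues outside the hunk), add `os_memset(csk, 0, sizeof(csk));` once the copy is done so the unused keying material does not outlive the call. The peer side in src/eap_peer/eap_peap.c has the same pattern after its `os_memcpy(key, csk, EAP_TLS_KEY_LEN);`. A plain memset right before return may be elided by the compiler, so the project's secure-clear helper, if one exists, is preferable.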

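--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -4,6 +4,7 @@ ChangeLog for wpa_supplicant
 	* added support for EAP Sequences in EAP-FAST Phase 2
 	* added support for using TNC with EAP-FAST
 	* added driver_ps3 for the PS3 Linux wireless driver
+	* added support for optional cryptobinding with PEAPv0
 
 2008-02-22 - v0.6.3
 	* removed 'nai' and 'eappsk' network configuration variables that were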