1 /*
2 * WPA/RSN - Shared functions for supplicant and authenticator
3 * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/sha384.h"
16 #include "crypto/sha512.h"
17 #include "crypto/aes_wrap.h"
18 #include "crypto/crypto.h"
19 #include "ieee802_11_defs.h"
20 #include "ieee802_11_common.h"
21 #include "defs.h"
22 #include "wpa_common.h"
23 #ifdef CONFIG_WAPI
24 #include "securec.h"
25 #endif
26
27
wpa_kck_len(int akmp,size_t pmk_len)28 static unsigned int wpa_kck_len(int akmp, size_t pmk_len)
29 {
30 switch (akmp) {
31 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
32 case WPA_KEY_MGMT_IEEE8021X_SHA384:
33 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
34 return 24;
35 case WPA_KEY_MGMT_FILS_SHA256:
36 case WPA_KEY_MGMT_FT_FILS_SHA256:
37 case WPA_KEY_MGMT_FILS_SHA384:
38 case WPA_KEY_MGMT_FT_FILS_SHA384:
39 return 0;
40 case WPA_KEY_MGMT_DPP:
41 return pmk_len / 2;
42 case WPA_KEY_MGMT_OWE:
43 return pmk_len / 2;
44 case WPA_KEY_MGMT_SAE_EXT_KEY:
45 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
46 return pmk_len / 2;
47 default:
48 return 16;
49 }
50 }
51
52
53 #ifdef CONFIG_IEEE80211R
wpa_kck2_len(int akmp)54 static unsigned int wpa_kck2_len(int akmp)
55 {
56 switch (akmp) {
57 case WPA_KEY_MGMT_FT_FILS_SHA256:
58 return 16;
59 case WPA_KEY_MGMT_FT_FILS_SHA384:
60 return 24;
61 default:
62 return 0;
63 }
64 }
65 #endif /* CONFIG_IEEE80211R */
66
67
wpa_kek_len(int akmp,size_t pmk_len)68 static unsigned int wpa_kek_len(int akmp, size_t pmk_len)
69 {
70 switch (akmp) {
71 case WPA_KEY_MGMT_FILS_SHA384:
72 case WPA_KEY_MGMT_FT_FILS_SHA384:
73 return 64;
74 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
75 case WPA_KEY_MGMT_FILS_SHA256:
76 case WPA_KEY_MGMT_FT_FILS_SHA256:
77 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
78 case WPA_KEY_MGMT_IEEE8021X_SHA384:
79 return 32;
80 case WPA_KEY_MGMT_DPP:
81 return pmk_len <= 32 ? 16 : 32;
82 case WPA_KEY_MGMT_OWE:
83 return pmk_len <= 32 ? 16 : 32;
84 case WPA_KEY_MGMT_SAE_EXT_KEY:
85 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
86 return pmk_len <= 32 ? 16 : 32;
87 default:
88 return 16;
89 }
90 }
91
92
93 #ifdef CONFIG_IEEE80211R
wpa_kek2_len(int akmp)94 static unsigned int wpa_kek2_len(int akmp)
95 {
96 switch (akmp) {
97 case WPA_KEY_MGMT_FT_FILS_SHA256:
98 return 16;
99 case WPA_KEY_MGMT_FT_FILS_SHA384:
100 return 32;
101 default:
102 return 0;
103 }
104 }
105 #endif /* CONFIG_IEEE80211R */
106
107
wpa_mic_len(int akmp,size_t pmk_len)108 unsigned int wpa_mic_len(int akmp, size_t pmk_len)
109 {
110 switch (akmp) {
111 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
112 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
113 case WPA_KEY_MGMT_IEEE8021X_SHA384:
114 return 24;
115 case WPA_KEY_MGMT_FILS_SHA256:
116 case WPA_KEY_MGMT_FILS_SHA384:
117 case WPA_KEY_MGMT_FT_FILS_SHA256:
118 case WPA_KEY_MGMT_FT_FILS_SHA384:
119 return 0;
120 case WPA_KEY_MGMT_DPP:
121 return pmk_len / 2;
122 case WPA_KEY_MGMT_OWE:
123 return pmk_len / 2;
124 case WPA_KEY_MGMT_SAE_EXT_KEY:
125 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
126 return pmk_len / 2;
127 default:
128 return 16;
129 }
130 }
131
132
133 /**
134 * wpa_use_akm_defined - Is AKM-defined Key Descriptor Version used
135 * @akmp: WPA_KEY_MGMT_* used in key derivation
136 * Returns: 1 if AKM-defined Key Descriptor Version is used; 0 otherwise
137 */
wpa_use_akm_defined(int akmp)138 int wpa_use_akm_defined(int akmp)
139 {
140 return akmp == WPA_KEY_MGMT_OSEN ||
141 akmp == WPA_KEY_MGMT_OWE ||
142 akmp == WPA_KEY_MGMT_DPP ||
143 akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
144 akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 ||
145 wpa_key_mgmt_sae(akmp) ||
146 wpa_key_mgmt_suite_b(akmp) ||
147 wpa_key_mgmt_fils(akmp);
148 }
149
150
151 /**
152 * wpa_use_cmac - Is CMAC integrity algorithm used for EAPOL-Key MIC
153 * @akmp: WPA_KEY_MGMT_* used in key derivation
154 * Returns: 1 if CMAC is used; 0 otherwise
155 */
wpa_use_cmac(int akmp)156 int wpa_use_cmac(int akmp)
157 {
158 return akmp == WPA_KEY_MGMT_OSEN ||
159 akmp == WPA_KEY_MGMT_OWE ||
160 akmp == WPA_KEY_MGMT_DPP ||
161 wpa_key_mgmt_ft(akmp) ||
162 wpa_key_mgmt_sha256(akmp) ||
163 (wpa_key_mgmt_sae(akmp) &&
164 !wpa_key_mgmt_sae_ext_key(akmp)) ||
165 wpa_key_mgmt_suite_b(akmp);
166 }
167
168
169 /**
170 * wpa_use_aes_key_wrap - Is AES Keywrap algorithm used for EAPOL-Key Key Data
171 * @akmp: WPA_KEY_MGMT_* used in key derivation
172 * Returns: 1 if AES Keywrap is used; 0 otherwise
173 *
174 * Note: AKM 00-0F-AC:1 and 00-0F-AC:2 have special rules for selecting whether
175 * to use AES Keywrap based on the negotiated pairwise cipher. This function
176 * does not cover those special cases.
177 */
wpa_use_aes_key_wrap(int akmp)178 int wpa_use_aes_key_wrap(int akmp)
179 {
180 return akmp == WPA_KEY_MGMT_OSEN ||
181 akmp == WPA_KEY_MGMT_OWE ||
182 akmp == WPA_KEY_MGMT_DPP ||
183 akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 ||
184 wpa_key_mgmt_ft(akmp) ||
185 wpa_key_mgmt_sha256(akmp) ||
186 wpa_key_mgmt_sae(akmp) ||
187 wpa_key_mgmt_suite_b(akmp);
188 }
189
190
191 /**
192 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
193 * @key: EAPOL-Key Key Confirmation Key (KCK)
194 * @key_len: KCK length in octets
195 * @akmp: WPA_KEY_MGMT_* used in key derivation
196 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
197 * @buf: Pointer to the beginning of the EAPOL header (version field)
198 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
199 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
200 * Returns: 0 on success, -1 on failure
201 *
202 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
203 * to be cleared (all zeroes) when calling this function.
204 *
205 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
206 * description of the Key MIC calculation. It includes packet data from the
207 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
208 * happened during final editing of the standard and the correct behavior is
209 * defined in the last draft (IEEE 802.11i/D10).
210 */
wpa_eapol_key_mic(const u8 * key,size_t key_len,int akmp,int ver,const u8 * buf,size_t len,u8 * mic)211 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
212 const u8 *buf, size_t len, u8 *mic)
213 {
214 u8 hash[SHA512_MAC_LEN];
215
216 if (key_len == 0) {
217 wpa_printf(MSG_DEBUG,
218 "WPA: KCK not set - cannot calculate MIC");
219 return -1;
220 }
221
222 switch (ver) {
223 #ifndef CONFIG_FIPS
224 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
225 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-MD5");
226 return hmac_md5(key, key_len, buf, len, mic);
227 #endif /* CONFIG_FIPS */
228 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
229 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-SHA1");
230 if (hmac_sha1(key, key_len, buf, len, hash))
231 return -1;
232 os_memcpy(mic, hash, MD5_MAC_LEN);
233 break;
234 case WPA_KEY_INFO_TYPE_AES_128_CMAC:
235 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using AES-CMAC");
236 return omac1_aes_128(key, buf, len, mic);
237 case WPA_KEY_INFO_TYPE_AKM_DEFINED:
238 switch (akmp) {
239 #ifdef CONFIG_SAE
240 case WPA_KEY_MGMT_SAE:
241 case WPA_KEY_MGMT_FT_SAE:
242 wpa_printf(MSG_DEBUG,
243 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)");
244 return omac1_aes_128(key, buf, len, mic);
245 case WPA_KEY_MGMT_SAE_EXT_KEY:
246 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
247 wpa_printf(MSG_DEBUG,
248 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - SAE-EXT-KEY)",
249 (unsigned int) key_len * 8 * 2);
250 if (key_len == 128 / 8) {
251 if (hmac_sha256(key, key_len, buf, len, hash))
252 return -1;
253 #ifdef CONFIG_SHA384
254 } else if (key_len == 192 / 8) {
255 if (hmac_sha384(key, key_len, buf, len, hash))
256 return -1;
257 #endif /* CONFIG_SHA384 */
258 #ifdef CONFIG_SHA512
259 } else if (key_len == 256 / 8) {
260 if (hmac_sha512(key, key_len, buf, len, hash))
261 return -1;
262 #endif /* CONFIG_SHA512 */
263 } else {
264 wpa_printf(MSG_INFO,
265 "SAE: Unsupported KCK length: %u",
266 (unsigned int) key_len);
267 return -1;
268 }
269 os_memcpy(mic, hash, key_len);
270 break;
271 #endif /* CONFIG_SAE */
272 #ifdef CONFIG_HS20
273 case WPA_KEY_MGMT_OSEN:
274 wpa_printf(MSG_DEBUG,
275 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - OSEN)");
276 return omac1_aes_128(key, buf, len, mic);
277 #endif /* CONFIG_HS20 */
278 #ifdef CONFIG_SUITEB
279 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
280 wpa_printf(MSG_DEBUG,
281 "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - Suite B)");
282 if (hmac_sha256(key, key_len, buf, len, hash))
283 return -1;
284 os_memcpy(mic, hash, MD5_MAC_LEN);
285 break;
286 #endif /* CONFIG_SUITEB */
287 #ifdef CONFIG_SUITEB192
288 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
289 wpa_printf(MSG_DEBUG,
290 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - Suite B 192-bit)");
291 if (hmac_sha384(key, key_len, buf, len, hash))
292 return -1;
293 os_memcpy(mic, hash, 24);
294 break;
295 #endif /* CONFIG_SUITEB192 */
296 #ifdef CONFIG_OWE
297 case WPA_KEY_MGMT_OWE:
298 wpa_printf(MSG_DEBUG,
299 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - OWE)",
300 (unsigned int) key_len * 8 * 2);
301 if (key_len == 128 / 8) {
302 if (hmac_sha256(key, key_len, buf, len, hash))
303 return -1;
304 } else if (key_len == 192 / 8) {
305 if (hmac_sha384(key, key_len, buf, len, hash))
306 return -1;
307 } else if (key_len == 256 / 8) {
308 if (hmac_sha512(key, key_len, buf, len, hash))
309 return -1;
310 } else {
311 wpa_printf(MSG_INFO,
312 "OWE: Unsupported KCK length: %u",
313 (unsigned int) key_len);
314 return -1;
315 }
316 os_memcpy(mic, hash, key_len);
317 break;
318 #endif /* CONFIG_OWE */
319 #ifdef CONFIG_DPP
320 case WPA_KEY_MGMT_DPP:
321 wpa_printf(MSG_DEBUG,
322 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - DPP)",
323 (unsigned int) key_len * 8 * 2);
324 if (key_len == 128 / 8) {
325 if (hmac_sha256(key, key_len, buf, len, hash))
326 return -1;
327 } else if (key_len == 192 / 8) {
328 if (hmac_sha384(key, key_len, buf, len, hash))
329 return -1;
330 } else if (key_len == 256 / 8) {
331 if (hmac_sha512(key, key_len, buf, len, hash))
332 return -1;
333 } else {
334 wpa_printf(MSG_INFO,
335 "DPP: Unsupported KCK length: %u",
336 (unsigned int) key_len);
337 return -1;
338 }
339 os_memcpy(mic, hash, key_len);
340 break;
341 #endif /* CONFIG_DPP */
342 #ifdef CONFIG_SHA384
343 case WPA_KEY_MGMT_IEEE8021X_SHA384:
344 #ifdef CONFIG_IEEE80211R
345 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
346 #endif /* CONFIG_IEEE80211R */
347 wpa_printf(MSG_DEBUG,
348 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - 802.1X SHA384)");
349 if (hmac_sha384(key, key_len, buf, len, hash))
350 return -1;
351 os_memcpy(mic, hash, 24);
352 break;
353 #endif /* CONFIG_SHA384 */
354 default:
355 wpa_printf(MSG_DEBUG,
356 "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)",
357 akmp);
358 return -1;
359 }
360 break;
361 default:
362 wpa_printf(MSG_DEBUG,
363 "WPA: EAPOL-Key MIC algorithm not known (ver=%d)",
364 ver);
365 return -1;
366 }
367
368 return 0;
369 }
370
371
372 /**
373 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
374 * @pmk: Pairwise master key
375 * @pmk_len: Length of PMK
376 * @label: Label to use in derivation
377 * @addr1: AA or SA
378 * @addr2: SA or AA
379 * @nonce1: ANonce or SNonce
380 * @nonce2: SNonce or ANonce
381 * @ptk: Buffer for pairwise transient key
382 * @akmp: Negotiated AKM
383 * @cipher: Negotiated pairwise cipher
384 * @kdk_len: The length in octets that should be derived for KDK
385 * Returns: 0 on success, -1 on failure
386 *
387 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
388 * PTK = PRF-X(PMK, "Pairwise key expansion",
389 * Min(AA, SA) || Max(AA, SA) ||
390 * Min(ANonce, SNonce) || Max(ANonce, SNonce)
391 * [ || Z.x ])
392 *
393 * The optional Z.x component is used only with DPP and that part is not defined
394 * in IEEE 802.11.
395 */
wpa_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const char * label,const u8 * addr1,const u8 * addr2,const u8 * nonce1,const u8 * nonce2,struct wpa_ptk * ptk,int akmp,int cipher,const u8 * z,size_t z_len,size_t kdk_len)396 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
397 const u8 *addr1, const u8 *addr2,
398 const u8 *nonce1, const u8 *nonce2,
399 struct wpa_ptk *ptk, int akmp, int cipher,
400 const u8 *z, size_t z_len, size_t kdk_len)
401 {
402 #define MAX_Z_LEN 66 /* with NIST P-521 */
403 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN + MAX_Z_LEN];
404 size_t data_len = 2 * ETH_ALEN + 2 * WPA_NONCE_LEN;
405 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
406 WPA_KDK_MAX_LEN];
407 size_t ptk_len;
408 #ifdef CONFIG_OWE
409 int owe_ptk_workaround = 0;
410
411 if (akmp == (WPA_KEY_MGMT_OWE | WPA_KEY_MGMT_PSK_SHA256)) {
412 owe_ptk_workaround = 1;
413 akmp = WPA_KEY_MGMT_OWE;
414 }
415 #endif /* CONFIG_OWE */
416
417 if (pmk_len == 0) {
418 wpa_printf(MSG_ERROR, "WPA: No PMK set for PTK derivation");
419 return -1;
420 }
421
422 if (z_len > MAX_Z_LEN)
423 return -1;
424
425 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
426 os_memcpy(data, addr1, ETH_ALEN);
427 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
428 } else {
429 os_memcpy(data, addr2, ETH_ALEN);
430 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
431 }
432
433 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
434 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
435 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
436 WPA_NONCE_LEN);
437 } else {
438 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
439 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
440 WPA_NONCE_LEN);
441 }
442
443 if (z && z_len) {
444 os_memcpy(data + 2 * ETH_ALEN + 2 * WPA_NONCE_LEN, z, z_len);
445 data_len += z_len;
446 }
447
448 if (kdk_len > WPA_KDK_MAX_LEN) {
449 wpa_printf(MSG_ERROR,
450 "WPA: KDK len=%zu exceeds max supported len",
451 kdk_len);
452 return -1;
453 }
454
455 ptk->kck_len = wpa_kck_len(akmp, pmk_len);
456 ptk->kek_len = wpa_kek_len(akmp, pmk_len);
457 ptk->tk_len = wpa_cipher_key_len(cipher);
458 ptk->kdk_len = kdk_len;
459 if (ptk->tk_len == 0) {
460 wpa_printf(MSG_ERROR,
461 "WPA: Unsupported cipher (0x%x) used in PTK derivation",
462 cipher);
463 return -1;
464 }
465 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + ptk->kdk_len;
466
467 if (wpa_key_mgmt_sha384(akmp)) {
468 #ifdef CONFIG_SHA384
469 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
470 if (sha384_prf(pmk, pmk_len, label, data, data_len,
471 tmp, ptk_len) < 0)
472 return -1;
473 #else /* CONFIG_SHA384 */
474 return -1;
475 #endif /* CONFIG_SHA384 */
476 } else if (wpa_key_mgmt_sha256(akmp)) {
477 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
478 if (sha256_prf(pmk, pmk_len, label, data, data_len,
479 tmp, ptk_len) < 0)
480 return -1;
481 #ifdef CONFIG_OWE
482 } else if (akmp == WPA_KEY_MGMT_OWE && (pmk_len == 32 ||
483 owe_ptk_workaround)) {
484 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
485 if (sha256_prf(pmk, pmk_len, label, data, data_len,
486 tmp, ptk_len) < 0)
487 return -1;
488 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 48) {
489 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
490 if (sha384_prf(pmk, pmk_len, label, data, data_len,
491 tmp, ptk_len) < 0)
492 return -1;
493 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 64) {
494 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
495 if (sha512_prf(pmk, pmk_len, label, data, data_len,
496 tmp, ptk_len) < 0)
497 return -1;
498 } else if (akmp == WPA_KEY_MGMT_OWE) {
499 wpa_printf(MSG_INFO, "OWE: Unknown PMK length %u",
500 (unsigned int) pmk_len);
501 return -1;
502 #endif /* CONFIG_OWE */
503 #ifdef CONFIG_DPP
504 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 32) {
505 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
506 if (sha256_prf(pmk, pmk_len, label, data, data_len,
507 tmp, ptk_len) < 0)
508 return -1;
509 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 48) {
510 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
511 if (sha384_prf(pmk, pmk_len, label, data, data_len,
512 tmp, ptk_len) < 0)
513 return -1;
514 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 64) {
515 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
516 if (sha512_prf(pmk, pmk_len, label, data, data_len,
517 tmp, ptk_len) < 0)
518 return -1;
519 } else if (akmp == WPA_KEY_MGMT_DPP) {
520 wpa_printf(MSG_INFO, "DPP: Unknown PMK length %u",
521 (unsigned int) pmk_len);
522 return -1;
523 #endif /* CONFIG_DPP */
524 #ifdef CONFIG_SAE
525 } else if (wpa_key_mgmt_sae_ext_key(akmp)) {
526 if (pmk_len == 32) {
527 wpa_printf(MSG_DEBUG,
528 "SAE: PTK derivation using PRF(SHA256)");
529 if (sha256_prf(pmk, pmk_len, label, data, data_len,
530 tmp, ptk_len) < 0)
531 return -1;
532 #ifdef CONFIG_SHA384
533 } else if (pmk_len == 48) {
534 wpa_printf(MSG_DEBUG,
535 "SAE: PTK derivation using PRF(SHA384)");
536 if (sha384_prf(pmk, pmk_len, label, data, data_len,
537 tmp, ptk_len) < 0)
538 return -1;
539 #endif /* CONFIG_SHA384 */
540 #ifdef CONFIG_SHA512
541 } else if (pmk_len == 64) {
542 wpa_printf(MSG_DEBUG,
543 "SAE: PTK derivation using PRF(SHA512)");
544 if (sha512_prf(pmk, pmk_len, label, data, data_len,
545 tmp, ptk_len) < 0)
546 return -1;
547 #endif /* CONFIG_SHA512 */
548 } else {
549 wpa_printf(MSG_INFO, "SAE: Unknown PMK length %u",
550 (unsigned int) pmk_len);
551 return -1;
552 }
553 #endif /* CONFIG_SAE */
554 } else {
555 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA1)");
556 if (sha1_prf(pmk, pmk_len, label, data, data_len, tmp,
557 ptk_len) < 0)
558 return -1;
559 }
560
561 wpa_printf(MSG_EXCESSIVE, "WPA: PTK derivation - A1=" MACSTR_SEC " A2=" MACSTR_SEC,
562 MAC2STR_SEC(addr1), MAC2STR_SEC(addr2));
563 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
564 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
565 if (z && z_len)
566 wpa_hexdump_key(MSG_DEBUG, "WPA: Z.x", z, z_len);
567 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
568 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
569
570 os_memcpy(ptk->kck, tmp, ptk->kck_len);
571 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
572
573 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
574 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
575
576 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
577 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
578
579 if (kdk_len) {
580 os_memcpy(ptk->kdk, tmp + ptk->kck_len + ptk->kek_len +
581 ptk->tk_len, ptk->kdk_len);
582 wpa_hexdump_key(MSG_DEBUG, "WPA: KDK", ptk->kdk, ptk->kdk_len);
583 }
584
585 ptk->kek2_len = 0;
586 ptk->kck2_len = 0;
587
588 os_memset(tmp, 0, sizeof(tmp));
589 os_memset(data, 0, data_len);
590 return 0;
591 }
592
593 #ifdef CONFIG_FILS
594
fils_rmsk_to_pmk(int akmp,const u8 * rmsk,size_t rmsk_len,const u8 * snonce,const u8 * anonce,const u8 * dh_ss,size_t dh_ss_len,u8 * pmk,size_t * pmk_len)595 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len,
596 const u8 *snonce, const u8 *anonce, const u8 *dh_ss,
597 size_t dh_ss_len, u8 *pmk, size_t *pmk_len)
598 {
599 u8 nonces[2 * FILS_NONCE_LEN];
600 const u8 *addr[2];
601 size_t len[2];
602 size_t num_elem;
603 int res;
604
605 /* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */
606 wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation");
607
608 if (wpa_key_mgmt_sha384(akmp))
609 *pmk_len = SHA384_MAC_LEN;
610 else if (wpa_key_mgmt_sha256(akmp))
611 *pmk_len = SHA256_MAC_LEN;
612 else
613 return -1;
614
615 wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len);
616 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
617 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
618 wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len);
619
620 os_memcpy(nonces, snonce, FILS_NONCE_LEN);
621 os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN);
622 addr[0] = rmsk;
623 len[0] = rmsk_len;
624 num_elem = 1;
625 if (dh_ss) {
626 addr[1] = dh_ss;
627 len[1] = dh_ss_len;
628 num_elem++;
629 }
630 if (wpa_key_mgmt_sha384(akmp))
631 res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
632 addr, len, pmk);
633 else
634 res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
635 addr, len, pmk);
636 if (res == 0)
637 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len);
638 else
639 *pmk_len = 0;
640 return res;
641 }
642
643
fils_pmkid_erp(int akmp,const u8 * reauth,size_t reauth_len,u8 * pmkid)644 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len,
645 u8 *pmkid)
646 {
647 const u8 *addr[1];
648 size_t len[1];
649 u8 hash[SHA384_MAC_LEN];
650 int res;
651
652 /* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */
653 addr[0] = reauth;
654 len[0] = reauth_len;
655 if (wpa_key_mgmt_sha384(akmp))
656 res = sha384_vector(1, addr, len, hash);
657 else if (wpa_key_mgmt_sha256(akmp))
658 res = sha256_vector(1, addr, len, hash);
659 else
660 return -1;
661 if (res)
662 return res;
663 os_memcpy(pmkid, hash, PMKID_LEN);
664 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
665 return 0;
666 }
667
668
fils_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * aa,const u8 * snonce,const u8 * anonce,const u8 * dhss,size_t dhss_len,struct wpa_ptk * ptk,u8 * ick,size_t * ick_len,int akmp,int cipher,u8 * fils_ft,size_t * fils_ft_len,size_t kdk_len)669 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa,
670 const u8 *snonce, const u8 *anonce, const u8 *dhss,
671 size_t dhss_len, struct wpa_ptk *ptk,
672 u8 *ick, size_t *ick_len, int akmp, int cipher,
673 u8 *fils_ft, size_t *fils_ft_len, size_t kdk_len)
674 {
675 u8 *data, *pos;
676 size_t data_len;
677 u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
678 FILS_FT_MAX_LEN + WPA_KDK_MAX_LEN];
679 size_t key_data_len;
680 const char *label = "FILS PTK Derivation";
681 int ret = -1;
682 size_t offset;
683
684 /*
685 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation",
686 * SPA || AA || SNonce || ANonce [ || DHss ])
687 * ICK = L(FILS-Key-Data, 0, ICK_bits)
688 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits)
689 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits)
690 * If doing FT initial mobility domain association:
691 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits,
692 * FILS-FT_bits)
693 * When a KDK is derived:
694 * KDK = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits + FILS-FT_bits,
695 * KDK_bits)
696 */
697 data_len = 2 * ETH_ALEN + 2 * FILS_NONCE_LEN + dhss_len;
698 data = os_malloc(data_len);
699 if (!data)
700 goto err;
701 pos = data;
702 os_memcpy(pos, spa, ETH_ALEN);
703 pos += ETH_ALEN;
704 os_memcpy(pos, aa, ETH_ALEN);
705 pos += ETH_ALEN;
706 os_memcpy(pos, snonce, FILS_NONCE_LEN);
707 pos += FILS_NONCE_LEN;
708 os_memcpy(pos, anonce, FILS_NONCE_LEN);
709 pos += FILS_NONCE_LEN;
710 if (dhss)
711 os_memcpy(pos, dhss, dhss_len);
712
713 ptk->kck_len = 0;
714 ptk->kek_len = wpa_kek_len(akmp, pmk_len);
715 ptk->tk_len = wpa_cipher_key_len(cipher);
716 if (wpa_key_mgmt_sha384(akmp))
717 *ick_len = 48;
718 else if (wpa_key_mgmt_sha256(akmp))
719 *ick_len = 32;
720 else
721 goto err;
722 key_data_len = *ick_len + ptk->kek_len + ptk->tk_len;
723
724 if (kdk_len) {
725 if (kdk_len > WPA_KDK_MAX_LEN) {
726 wpa_printf(MSG_ERROR, "FILS: KDK len=%zu too big",
727 kdk_len);
728 goto err;
729 }
730
731 ptk->kdk_len = kdk_len;
732 key_data_len += kdk_len;
733 } else {
734 ptk->kdk_len = 0;
735 }
736
737 if (fils_ft && fils_ft_len) {
738 if (akmp == WPA_KEY_MGMT_FT_FILS_SHA256) {
739 *fils_ft_len = 32;
740 } else if (akmp == WPA_KEY_MGMT_FT_FILS_SHA384) {
741 *fils_ft_len = 48;
742 } else {
743 *fils_ft_len = 0;
744 fils_ft = NULL;
745 }
746 key_data_len += *fils_ft_len;
747 }
748
749 if (wpa_key_mgmt_sha384(akmp)) {
750 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA384)");
751 if (sha384_prf(pmk, pmk_len, label, data, data_len,
752 tmp, key_data_len) < 0)
753 goto err;
754 } else {
755 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA256)");
756 if (sha256_prf(pmk, pmk_len, label, data, data_len,
757 tmp, key_data_len) < 0)
758 goto err;
759 }
760
761 wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR_SEC
762 " AA=" MACSTR_SEC, MAC2STR_SEC(spa), MAC2STR_SEC(aa));
763 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
764 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
765 if (dhss)
766 wpa_hexdump_key(MSG_DEBUG, "FILS: DHss", dhss, dhss_len);
767 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len);
768 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len);
769
770 os_memcpy(ick, tmp, *ick_len);
771 offset = *ick_len;
772 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len);
773
774 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
775 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len);
776 offset += ptk->kek_len;
777
778 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
779 wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len);
780 offset += ptk->tk_len;
781
782 if (fils_ft && fils_ft_len) {
783 os_memcpy(fils_ft, tmp + offset, *fils_ft_len);
784 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-FT",
785 fils_ft, *fils_ft_len);
786 offset += *fils_ft_len;
787 }
788
789 if (ptk->kdk_len) {
790 os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len);
791 wpa_hexdump_key(MSG_DEBUG, "FILS: KDK", ptk->kdk, ptk->kdk_len);
792 }
793
794 ptk->kek2_len = 0;
795 ptk->kck2_len = 0;
796
797 os_memset(tmp, 0, sizeof(tmp));
798 ret = 0;
799 err:
800 bin_clear_free(data, data_len);
801 return ret;
802 }
803
804
fils_key_auth_sk(const u8 * ick,size_t ick_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * g_sta,size_t g_sta_len,const u8 * g_ap,size_t g_ap_len,int akmp,u8 * key_auth_sta,u8 * key_auth_ap,size_t * key_auth_len)805 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce,
806 const u8 *anonce, const u8 *sta_addr, const u8 *bssid,
807 const u8 *g_sta, size_t g_sta_len,
808 const u8 *g_ap, size_t g_ap_len,
809 int akmp, u8 *key_auth_sta, u8 *key_auth_ap,
810 size_t *key_auth_len)
811 {
812 const u8 *addr[6];
813 size_t len[6];
814 size_t num_elem = 4;
815 int res;
816
817 wpa_printf(MSG_DEBUG, "FILS: Key-Auth derivation: STA-MAC=" MACSTR_SEC
818 " AP-BSSID=" MACSTR_SEC, MAC2STR_SEC(sta_addr), MAC2STR_SEC(bssid));
819 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, ick_len);
820 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
821 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
822 wpa_hexdump(MSG_DEBUG, "FILS: gSTA", g_sta, g_sta_len);
823 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
824
825 /*
826 * For (Re)Association Request frame (STA->AP):
827 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID
828 * [ || gSTA || gAP ])
829 */
830 addr[0] = snonce;
831 len[0] = FILS_NONCE_LEN;
832 addr[1] = anonce;
833 len[1] = FILS_NONCE_LEN;
834 addr[2] = sta_addr;
835 len[2] = ETH_ALEN;
836 addr[3] = bssid;
837 len[3] = ETH_ALEN;
838 if (g_sta && g_sta_len && g_ap && g_ap_len) {
839 addr[4] = g_sta;
840 len[4] = g_sta_len;
841 addr[5] = g_ap;
842 len[5] = g_ap_len;
843 num_elem = 6;
844 }
845
846 if (wpa_key_mgmt_sha384(akmp)) {
847 *key_auth_len = 48;
848 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
849 key_auth_sta);
850 } else if (wpa_key_mgmt_sha256(akmp)) {
851 *key_auth_len = 32;
852 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
853 key_auth_sta);
854 } else {
855 return -1;
856 }
857 if (res < 0)
858 return res;
859
860 /*
861 * For (Re)Association Response frame (AP->STA):
862 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC
863 * [ || gAP || gSTA ])
864 */
865 addr[0] = anonce;
866 addr[1] = snonce;
867 addr[2] = bssid;
868 addr[3] = sta_addr;
869 if (g_sta && g_sta_len && g_ap && g_ap_len) {
870 addr[4] = g_ap;
871 len[4] = g_ap_len;
872 addr[5] = g_sta;
873 len[5] = g_sta_len;
874 }
875
876 if (wpa_key_mgmt_sha384(akmp))
877 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
878 key_auth_ap);
879 else if (wpa_key_mgmt_sha256(akmp))
880 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
881 key_auth_ap);
882 if (res < 0)
883 return res;
884
885 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)",
886 key_auth_sta, *key_auth_len);
887 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)",
888 key_auth_ap, *key_auth_len);
889
890 return 0;
891 }
892
893 #endif /* CONFIG_FILS */
894
895
896 #ifdef CONFIG_IEEE80211R
wpa_ft_mic(int key_mgmt,const u8 * kck,size_t kck_len,const u8 * sta_addr,const u8 * ap_addr,u8 transaction_seqnum,const u8 * mdie,size_t mdie_len,const u8 * ftie,size_t ftie_len,const u8 * rsnie,size_t rsnie_len,const u8 * ric,size_t ric_len,const u8 * rsnxe,size_t rsnxe_len,const struct wpabuf * extra,u8 * mic)897 int wpa_ft_mic(int key_mgmt, const u8 *kck, size_t kck_len, const u8 *sta_addr,
898 const u8 *ap_addr, u8 transaction_seqnum,
899 const u8 *mdie, size_t mdie_len,
900 const u8 *ftie, size_t ftie_len,
901 const u8 *rsnie, size_t rsnie_len,
902 const u8 *ric, size_t ric_len,
903 const u8 *rsnxe, size_t rsnxe_len,
904 const struct wpabuf *extra,
905 u8 *mic)
906 {
907 const u8 *addr[11];
908 size_t len[11];
909 size_t i, num_elem = 0;
910 u8 zero_mic[32];
911 size_t mic_len, fte_fixed_len;
912 int res;
913
914 if (kck_len == 16) {
915 mic_len = 16;
916 #ifdef CONFIG_SHA384
917 } else if (kck_len == 24) {
918 mic_len = 24;
919 #endif /* CONFIG_SHA384 */
920 #ifdef CONFIG_SHA512
921 } else if (kck_len == 32) {
922 mic_len = 32;
923 #endif /* CONFIG_SHA512 */
924 } else {
925 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
926 (unsigned int) kck_len);
927 return -1;
928 }
929
930 fte_fixed_len = sizeof(struct rsn_ftie) - 16 + mic_len;
931
932 addr[num_elem] = sta_addr;
933 len[num_elem] = ETH_ALEN;
934 num_elem++;
935
936 addr[num_elem] = ap_addr;
937 len[num_elem] = ETH_ALEN;
938 num_elem++;
939
940 addr[num_elem] = &transaction_seqnum;
941 len[num_elem] = 1;
942 num_elem++;
943
944 if (rsnie) {
945 addr[num_elem] = rsnie;
946 len[num_elem] = rsnie_len;
947 num_elem++;
948 }
949 if (mdie) {
950 addr[num_elem] = mdie;
951 len[num_elem] = mdie_len;
952 num_elem++;
953 }
954 if (ftie) {
955 if (ftie_len < 2 + fte_fixed_len)
956 return -1;
957
958 /* IE hdr and mic_control */
959 addr[num_elem] = ftie;
960 len[num_elem] = 2 + 2;
961 num_elem++;
962
963 /* MIC field with all zeros */
964 os_memset(zero_mic, 0, mic_len);
965 addr[num_elem] = zero_mic;
966 len[num_elem] = mic_len;
967 num_elem++;
968
969 /* Rest of FTIE */
970 addr[num_elem] = ftie + 2 + 2 + mic_len;
971 len[num_elem] = ftie_len - (2 + 2 + mic_len);
972 num_elem++;
973 }
974 if (ric) {
975 addr[num_elem] = ric;
976 len[num_elem] = ric_len;
977 num_elem++;
978 }
979
980 if (rsnxe) {
981 addr[num_elem] = rsnxe;
982 len[num_elem] = rsnxe_len;
983 num_elem++;
984 }
985
986 if (extra) {
987 addr[num_elem] = wpabuf_head(extra);
988 len[num_elem] = wpabuf_len(extra);
989 num_elem++;
990 }
991
992 for (i = 0; i < num_elem; i++)
993 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
994 res = -1;
995 #ifdef CONFIG_SHA512
996 if (kck_len == 32) {
997 u8 hash[SHA512_MAC_LEN];
998
999 if (hmac_sha512_vector(kck, kck_len, num_elem, addr, len, hash))
1000 return -1;
1001 os_memcpy(mic, hash, 32);
1002 res = 0;
1003 }
1004 #endif /* CONFIG_SHA384 */
1005 #ifdef CONFIG_SHA384
1006 if (kck_len == 24) {
1007 u8 hash[SHA384_MAC_LEN];
1008
1009 if (hmac_sha384_vector(kck, kck_len, num_elem, addr, len, hash))
1010 return -1;
1011 os_memcpy(mic, hash, 24);
1012 res = 0;
1013 }
1014 #endif /* CONFIG_SHA384 */
1015 if (kck_len == 16 && key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
1016 u8 hash[SHA256_MAC_LEN];
1017
1018 if (hmac_sha256_vector(kck, kck_len, num_elem, addr, len, hash))
1019 return -1;
1020 os_memcpy(mic, hash, 16);
1021 res = 0;
1022 }
1023 if (kck_len == 16 && key_mgmt != WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
1024 omac1_aes_128_vector(kck, num_elem, addr, len, mic) == 0)
1025 res = 0;
1026
1027 return res;
1028 }
1029
1030
wpa_ft_parse_ftie(const u8 * ie,size_t ie_len,struct wpa_ft_ies * parse,const u8 * opt)1031 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
1032 struct wpa_ft_ies *parse, const u8 *opt)
1033 {
1034 const u8 *end, *pos;
1035 u8 link_id;
1036
1037 pos = opt;
1038 end = ie + ie_len;
1039 wpa_hexdump(MSG_DEBUG, "FT: Parse FTE subelements", pos, end - pos);
1040
1041 while (end - pos >= 2) {
1042 u8 id, len;
1043
1044 id = *pos++;
1045 len = *pos++;
1046 if (len > end - pos) {
1047 wpa_printf(MSG_DEBUG, "FT: Truncated subelement");
1048 return -1;
1049 }
1050
1051 switch (id) {
1052 case FTIE_SUBELEM_R1KH_ID:
1053 if (len != FT_R1KH_ID_LEN) {
1054 wpa_printf(MSG_DEBUG,
1055 "FT: Invalid R1KH-ID length in FTIE: %d",
1056 len);
1057 return -1;
1058 }
1059 parse->r1kh_id = pos;
1060 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID",
1061 parse->r1kh_id, FT_R1KH_ID_LEN);
1062 break;
1063 case FTIE_SUBELEM_GTK:
1064 wpa_printf(MSG_DEBUG, "FT: GTK");
1065 parse->gtk = pos;
1066 parse->gtk_len = len;
1067 break;
1068 case FTIE_SUBELEM_R0KH_ID:
1069 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
1070 wpa_printf(MSG_DEBUG,
1071 "FT: Invalid R0KH-ID length in FTIE: %d",
1072 len);
1073 return -1;
1074 }
1075 parse->r0kh_id = pos;
1076 parse->r0kh_id_len = len;
1077 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID",
1078 parse->r0kh_id, parse->r0kh_id_len);
1079 break;
1080 case FTIE_SUBELEM_IGTK:
1081 wpa_printf(MSG_DEBUG, "FT: IGTK");
1082 parse->igtk = pos;
1083 parse->igtk_len = len;
1084 break;
1085 #ifdef CONFIG_OCV
1086 case FTIE_SUBELEM_OCI:
1087 parse->oci = pos;
1088 parse->oci_len = len;
1089 wpa_hexdump(MSG_DEBUG, "FT: OCI",
1090 parse->oci, parse->oci_len);
1091 break;
1092 #endif /* CONFIG_OCV */
1093 case FTIE_SUBELEM_BIGTK:
1094 wpa_printf(MSG_DEBUG, "FT: BIGTK");
1095 parse->bigtk = pos;
1096 parse->bigtk_len = len;
1097 break;
1098 case FTIE_SUBELEM_MLO_GTK:
1099 if (len < 2 + 1 + 1 + 8) {
1100 wpa_printf(MSG_DEBUG,
1101 "FT: Too short MLO GTK in FTE");
1102 return -1;
1103 }
1104 link_id = pos[2] & 0x0f;
1105 wpa_printf(MSG_DEBUG, "FT: MLO GTK (Link ID %u)",
1106 link_id);
1107 if (link_id >= MAX_NUM_MLD_LINKS)
1108 break;
1109 parse->valid_mlo_gtks |= BIT(link_id);
1110 parse->mlo_gtk[link_id] = pos;
1111 parse->mlo_gtk_len[link_id] = len;
1112 break;
1113 case FTIE_SUBELEM_MLO_IGTK:
1114 if (len < 2 + 6 + 1 + 1) {
1115 wpa_printf(MSG_DEBUG,
1116 "FT: Too short MLO IGTK in FTE");
1117 return -1;
1118 }
1119 link_id = pos[2 + 6] & 0x0f;
1120 wpa_printf(MSG_DEBUG, "FT: MLO IGTK (Link ID %u)",
1121 link_id);
1122 if (link_id >= MAX_NUM_MLD_LINKS)
1123 break;
1124 parse->valid_mlo_igtks |= BIT(link_id);
1125 parse->mlo_igtk[link_id] = pos;
1126 parse->mlo_igtk_len[link_id] = len;
1127 break;
1128 case FTIE_SUBELEM_MLO_BIGTK:
1129 if (len < 2 + 6 + 1 + 1) {
1130 wpa_printf(MSG_DEBUG,
1131 "FT: Too short MLO BIGTK in FTE");
1132 return -1;
1133 }
1134 link_id = pos[2 + 6] & 0x0f;
1135 wpa_printf(MSG_DEBUG, "FT: MLO BIGTK (Link ID %u)",
1136 link_id);
1137 if (link_id >= MAX_NUM_MLD_LINKS)
1138 break;
1139 parse->valid_mlo_bigtks |= BIT(link_id);
1140 parse->mlo_bigtk[link_id] = pos;
1141 parse->mlo_bigtk_len[link_id] = len;
1142 break;
1143 default:
1144 wpa_printf(MSG_DEBUG, "FT: Unknown subelem id %u", id);
1145 break;
1146 }
1147
1148 pos += len;
1149 }
1150
1151 return 0;
1152 }
1153
1154
wpa_ft_parse_fte(int key_mgmt,const u8 * ie,size_t len,struct wpa_ft_ies * parse)1155 static int wpa_ft_parse_fte(int key_mgmt, const u8 *ie, size_t len,
1156 struct wpa_ft_ies *parse)
1157 {
1158 size_t mic_len;
1159 u8 mic_len_info;
1160 const u8 *pos = ie;
1161 const u8 *end = pos + len;
1162
1163 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control", pos, 2);
1164 parse->fte_rsnxe_used = pos[0] & FTE_MIC_CTRL_RSNXE_USED;
1165 mic_len_info = (pos[0] & FTE_MIC_CTRL_MIC_LEN_MASK) >>
1166 FTE_MIC_CTRL_MIC_LEN_SHIFT;
1167 parse->fte_elem_count = pos[1];
1168 pos += 2;
1169
1170 if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
1171 switch (mic_len_info) {
1172 case FTE_MIC_LEN_16:
1173 mic_len = 16;
1174 break;
1175 case FTE_MIC_LEN_24:
1176 mic_len = 24;
1177 break;
1178 case FTE_MIC_LEN_32:
1179 mic_len = 32;
1180 break;
1181 default:
1182 wpa_printf(MSG_DEBUG,
1183 "FT: Unknown MIC Length subfield value %u",
1184 mic_len_info);
1185 return -1;
1186 }
1187 } else {
1188 mic_len = wpa_key_mgmt_sha384(key_mgmt) ? 24 : 16;
1189 }
1190 if (mic_len > (size_t) (end - pos)) {
1191 wpa_printf(MSG_DEBUG, "FT: No room for %zu octet MIC in FTE",
1192 mic_len);
1193 return -1;
1194 }
1195 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC", pos, mic_len);
1196 parse->fte_mic = pos;
1197 parse->fte_mic_len = mic_len;
1198 pos += mic_len;
1199
1200 if (2 * WPA_NONCE_LEN > end - pos)
1201 return -1;
1202 parse->fte_anonce = pos;
1203 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
1204 parse->fte_anonce, WPA_NONCE_LEN);
1205 pos += WPA_NONCE_LEN;
1206 parse->fte_snonce = pos;
1207 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
1208 parse->fte_snonce, WPA_NONCE_LEN);
1209 pos += WPA_NONCE_LEN;
1210
1211 return wpa_ft_parse_ftie(ie, len, parse, pos);
1212 }
1213
1214
wpa_ft_parse_ies(const u8 * ies,size_t ies_len,struct wpa_ft_ies * parse,int key_mgmt,bool reassoc_resp)1215 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, struct wpa_ft_ies *parse,
1216 int key_mgmt, bool reassoc_resp)
1217 {
1218 const u8 *end, *pos;
1219 struct wpa_ie_data data;
1220 int ret;
1221 int prot_ie_count = 0;
1222 const u8 *fte = NULL;
1223 size_t fte_len = 0;
1224 bool is_fte = false;
1225 struct ieee802_11_elems elems;
1226
1227 os_memset(parse, 0, sizeof(*parse));
1228 if (ies == NULL)
1229 return 0;
1230
1231 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == ParseFailed) {
1232 wpa_printf(MSG_DEBUG, "FT: Failed to parse elements");
1233 goto fail;
1234 }
1235
1236 pos = ies;
1237 end = ies + ies_len;
1238 while (end - pos >= 2) {
1239 u8 id, len;
1240
1241 id = *pos++;
1242 len = *pos++;
1243 if (len > end - pos)
1244 break;
1245
1246 if (id != WLAN_EID_FAST_BSS_TRANSITION &&
1247 id != WLAN_EID_FRAGMENT)
1248 is_fte = false;
1249
1250 switch (id) {
1251 case WLAN_EID_RSN:
1252 wpa_hexdump(MSG_DEBUG, "FT: RSNE", pos, len);
1253 parse->rsn = pos;
1254 parse->rsn_len = len;
1255 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
1256 parse->rsn_len + 2,
1257 &data);
1258 if (ret < 0) {
1259 wpa_printf(MSG_DEBUG, "FT: Failed to parse "
1260 "RSN IE: %d", ret);
1261 goto fail;
1262 }
1263 parse->rsn_capab = data.capabilities;
1264 if (data.num_pmkid == 1 && data.pmkid)
1265 parse->rsn_pmkid = data.pmkid;
1266 parse->key_mgmt = data.key_mgmt;
1267 parse->pairwise_cipher = data.pairwise_cipher;
1268 if (!key_mgmt)
1269 key_mgmt = parse->key_mgmt;
1270 break;
1271 case WLAN_EID_RSNX:
1272 wpa_hexdump(MSG_DEBUG, "FT: RSNXE", pos, len);
1273 if (len < 1)
1274 break;
1275 parse->rsnxe = pos;
1276 parse->rsnxe_len = len;
1277 break;
1278 case WLAN_EID_MOBILITY_DOMAIN:
1279 wpa_hexdump(MSG_DEBUG, "FT: MDE", pos, len);
1280 if (len < sizeof(struct rsn_mdie))
1281 goto fail;
1282 parse->mdie = pos;
1283 parse->mdie_len = len;
1284 break;
1285 case WLAN_EID_FAST_BSS_TRANSITION:
1286 wpa_hexdump(MSG_DEBUG, "FT: FTE", pos, len);
1287 /* The first two octets (MIC Control field) is in the
1288 * same offset for all cases, but the second field (MIC)
1289 * has variable length with three different values.
1290 * In particular the FT-SAE-EXT-KEY is inconvinient to
1291 * parse, so try to handle this in pieces instead of
1292 * using the struct rsn_ftie* definitions. */
1293
1294 if (len < 2)
1295 goto fail;
1296 prot_ie_count = pos[1]; /* Element Count field in
1297 * MIC Control */
1298 is_fte = true;
1299 fte = pos;
1300 fte_len = len;
1301 break;
1302 case WLAN_EID_FRAGMENT:
1303 if (is_fte) {
1304 wpa_hexdump(MSG_DEBUG, "FT: FTE fragment",
1305 pos, len);
1306 fte_len += 2 + len;
1307 }
1308 break;
1309 case WLAN_EID_TIMEOUT_INTERVAL:
1310 wpa_hexdump(MSG_DEBUG, "FT: Timeout Interval",
1311 pos, len);
1312 if (len != 5)
1313 break;
1314 parse->tie = pos;
1315 parse->tie_len = len;
1316 break;
1317 case WLAN_EID_RIC_DATA:
1318 if (parse->ric == NULL)
1319 parse->ric = pos - 2;
1320 break;
1321 }
1322
1323 pos += len;
1324 }
1325
1326 if (fte) {
1327 int res;
1328
1329 if (fte_len < 255) {
1330 res = wpa_ft_parse_fte(key_mgmt, fte, fte_len, parse);
1331 } else {
1332 parse->fte_buf = ieee802_11_defrag(fte, fte_len, false);
1333 if (!parse->fte_buf)
1334 goto fail;
1335 res = wpa_ft_parse_fte(key_mgmt,
1336 wpabuf_head(parse->fte_buf),
1337 wpabuf_len(parse->fte_buf),
1338 parse);
1339 }
1340 if (res < 0)
1341 goto fail;
1342
1343 /* FTE might be fragmented. If it is, the separate Fragment
1344 * elements are included in MIC calculation as full elements. */
1345 parse->ftie = fte;
1346 parse->ftie_len = fte_len;
1347 }
1348
1349 if (prot_ie_count == 0)
1350 return 0; /* no MIC */
1351
1352 /*
1353 * Check that the protected IE count matches with IEs included in the
1354 * frame.
1355 */
1356 if (reassoc_resp && elems.basic_mle) {
1357 unsigned int link_id;
1358
1359 /* TODO: This count should be done based on all _requested_,
1360 * not _accepted_ links. */
1361 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
1362 if (parse->mlo_gtk[link_id]) {
1363 if (parse->rsn)
1364 prot_ie_count--;
1365 if (parse->rsnxe)
1366 prot_ie_count--;
1367 }
1368 }
1369 } else {
1370 if (parse->rsn)
1371 prot_ie_count--;
1372 if (parse->rsnxe)
1373 prot_ie_count--;
1374 }
1375 if (parse->mdie)
1376 prot_ie_count--;
1377 if (parse->ftie)
1378 prot_ie_count--;
1379 if (prot_ie_count < 0) {
1380 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
1381 "the protected IE count");
1382 goto fail;
1383 }
1384
1385 if (prot_ie_count == 0 && parse->ric) {
1386 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
1387 "included in protected IE count");
1388 goto fail;
1389 }
1390
1391 /* Determine the end of the RIC IE(s) */
1392 if (parse->ric) {
1393 pos = parse->ric;
1394 while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
1395 prot_ie_count) {
1396 prot_ie_count--;
1397 pos += 2 + pos[1];
1398 }
1399 parse->ric_len = pos - parse->ric;
1400 }
1401 if (prot_ie_count) {
1402 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
1403 "frame", (int) prot_ie_count);
1404 goto fail;
1405 }
1406
1407 return 0;
1408
1409 fail:
1410 wpa_ft_parse_ies_free(parse);
1411 return -1;
1412 }
1413
1414
wpa_ft_parse_ies_free(struct wpa_ft_ies * parse)1415 void wpa_ft_parse_ies_free(struct wpa_ft_ies *parse)
1416 {
1417 if (!parse)
1418 return;
1419 wpabuf_free(parse->fte_buf);
1420 parse->fte_buf = NULL;
1421 }
1422
1423 #endif /* CONFIG_IEEE80211R */
1424
1425
1426 #ifdef CONFIG_PASN
1427
1428 /*
1429 * pasn_use_sha384 - Should SHA384 be used or SHA256
1430 *
1431 * @akmp: Authentication and key management protocol
1432 * @cipher: The cipher suite
1433 *
1434 * According to IEEE P802.11az/D2.7, 12.12.7, the hash algorithm to use is the
1435 * hash algorithm defined for the Base AKM (see Table 9-151 (AKM suite
1436 * selectors)). When there is no Base AKM, the hash algorithm is selected based
1437 * on the pairwise cipher suite provided in the RSNE by the AP in the second
1438 * PASN frame. SHA-256 is used as the hash algorithm, except for the ciphers
1439 * 00-0F-AC:9 and 00-0F-AC:10 for which SHA-384 is used.
1440 */
pasn_use_sha384(int akmp,int cipher)1441 bool pasn_use_sha384(int akmp, int cipher)
1442 {
1443 return (akmp == WPA_KEY_MGMT_PASN && (cipher == WPA_CIPHER_CCMP_256 ||
1444 cipher == WPA_CIPHER_GCMP_256)) ||
1445 wpa_key_mgmt_sha384(akmp);
1446 }
1447
1448
1449 /**
1450 * pasn_pmk_to_ptk - Calculate PASN PTK from PMK, addresses, etc.
1451 * @pmk: Pairwise master key
1452 * @pmk_len: Length of PMK
1453 * @spa: Suppplicant address
1454 * @bssid: AP BSSID
1455 * @dhss: Is the shared secret (DHss) derived from the PASN ephemeral key
1456 * exchange encoded as an octet string
1457 * @dhss_len: The length of dhss in octets
1458 * @ptk: Buffer for pairwise transient key
1459 * @akmp: Negotiated AKM
1460 * @cipher: Negotiated pairwise cipher
1461 * @kdk_len: the length in octets that should be derived for HTLK. Can be zero.
1462 * Returns: 0 on success, -1 on failure
1463 */
pasn_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * bssid,const u8 * dhss,size_t dhss_len,struct wpa_ptk * ptk,int akmp,int cipher,size_t kdk_len)1464 int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
1465 const u8 *spa, const u8 *bssid,
1466 const u8 *dhss, size_t dhss_len,
1467 struct wpa_ptk *ptk, int akmp, int cipher,
1468 size_t kdk_len)
1469 {
1470 u8 tmp[WPA_KCK_MAX_LEN + WPA_TK_MAX_LEN + WPA_KDK_MAX_LEN];
1471 u8 *data;
1472 size_t data_len, ptk_len;
1473 int ret = -1;
1474 const char *label = "PASN PTK Derivation";
1475
1476 if (!pmk || !pmk_len) {
1477 wpa_printf(MSG_ERROR, "PASN: No PMK set for PTK derivation");
1478 return -1;
1479 }
1480
1481 if (!dhss || !dhss_len) {
1482 wpa_printf(MSG_ERROR, "PASN: No DHss set for PTK derivation");
1483 return -1;
1484 }
1485
1486 /*
1487 * PASN-PTK = KDF(PMK, “PASN PTK Derivation”, SPA || BSSID || DHss)
1488 *
1489 * KCK = L(PASN-PTK, 0, 256)
1490 * TK = L(PASN-PTK, 256, TK_bits)
1491 * KDK = L(PASN-PTK, 256 + TK_bits, kdk_len * 8)
1492 */
1493 data_len = 2 * ETH_ALEN + dhss_len;
1494 data = os_zalloc(data_len);
1495 if (!data)
1496 return -1;
1497
1498 os_memcpy(data, spa, ETH_ALEN);
1499 os_memcpy(data + ETH_ALEN, bssid, ETH_ALEN);
1500 os_memcpy(data + 2 * ETH_ALEN, dhss, dhss_len);
1501
1502 ptk->kck_len = WPA_PASN_KCK_LEN;
1503 ptk->tk_len = wpa_cipher_key_len(cipher);
1504 ptk->kdk_len = kdk_len;
1505 ptk->kek_len = 0;
1506 ptk->kek2_len = 0;
1507 ptk->kck2_len = 0;
1508
1509 if (ptk->tk_len == 0) {
1510 wpa_printf(MSG_ERROR,
1511 "PASN: Unsupported cipher (0x%x) used in PTK derivation",
1512 cipher);
1513 goto err;
1514 }
1515
1516 ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len;
1517 if (ptk_len > sizeof(tmp))
1518 goto err;
1519
1520 if (pasn_use_sha384(akmp, cipher)) {
1521 wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA384");
1522
1523 if (sha384_prf(pmk, pmk_len, label, data, data_len, tmp,
1524 ptk_len) < 0)
1525 goto err;
1526 } else {
1527 wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA256");
1528
1529 if (sha256_prf(pmk, pmk_len, label, data, data_len, tmp,
1530 ptk_len) < 0)
1531 goto err;
1532 }
1533
1534 wpa_printf(MSG_DEBUG,
1535 "PASN: PTK derivation: SPA=" MACSTR_SEC " BSSID=" MACSTR_SEC,
1536 MAC2STR_SEC(spa), MAC2STR_SEC(bssid));
1537
1538 wpa_hexdump_key(MSG_DEBUG, "PASN: DHss", dhss, dhss_len);
1539 wpa_hexdump_key(MSG_DEBUG, "PASN: PMK", pmk, pmk_len);
1540 wpa_hexdump_key(MSG_DEBUG, "PASN: PASN-PTK", tmp, ptk_len);
1541
1542 os_memcpy(ptk->kck, tmp, WPA_PASN_KCK_LEN);
1543 wpa_hexdump_key(MSG_DEBUG, "PASN: KCK:", ptk->kck, WPA_PASN_KCK_LEN);
1544
1545 os_memcpy(ptk->tk, tmp + WPA_PASN_KCK_LEN, ptk->tk_len);
1546 wpa_hexdump_key(MSG_DEBUG, "PASN: TK:", ptk->tk, ptk->tk_len);
1547
1548 if (kdk_len) {
1549 os_memcpy(ptk->kdk, tmp + WPA_PASN_KCK_LEN + ptk->tk_len,
1550 ptk->kdk_len);
1551 wpa_hexdump_key(MSG_DEBUG, "PASN: KDK:",
1552 ptk->kdk, ptk->kdk_len);
1553 }
1554
1555 forced_memzero(tmp, sizeof(tmp));
1556 ret = 0;
1557 err:
1558 bin_clear_free(data, data_len);
1559 return ret;
1560 }
1561
1562
1563 /*
1564 * pasn_mic_len - Returns the MIC length for PASN authentication
1565 */
pasn_mic_len(int akmp,int cipher)1566 u8 pasn_mic_len(int akmp, int cipher)
1567 {
1568 if (pasn_use_sha384(akmp, cipher))
1569 return 24;
1570
1571 return 16;
1572 }
1573
1574
1575 /**
1576 * wpa_ltf_keyseed - Compute LTF keyseed from KDK
1577 * @ptk: Buffer that holds pairwise transient key
1578 * @akmp: Negotiated AKM
1579 * @cipher: Negotiated pairwise cipher
1580 * Returns: 0 on success, -1 on failure
1581 */
wpa_ltf_keyseed(struct wpa_ptk * ptk,int akmp,int cipher)1582 int wpa_ltf_keyseed(struct wpa_ptk *ptk, int akmp, int cipher)
1583 {
1584 u8 *buf;
1585 size_t buf_len;
1586 u8 hash[SHA384_MAC_LEN];
1587 const u8 *kdk = ptk->kdk;
1588 size_t kdk_len = ptk->kdk_len;
1589 const char *label = "Secure LTF key seed";
1590
1591 if (!kdk || !kdk_len) {
1592 wpa_printf(MSG_ERROR, "WPA: No KDK for LTF keyseed generation");
1593 return -1;
1594 }
1595
1596 buf = (u8 *)label;
1597 buf_len = os_strlen(label);
1598
1599 if (pasn_use_sha384(akmp, cipher)) {
1600 wpa_printf(MSG_DEBUG,
1601 "WPA: Secure LTF keyseed using HMAC-SHA384");
1602
1603 if (hmac_sha384(kdk, kdk_len, buf, buf_len, hash)) {
1604 wpa_printf(MSG_ERROR,
1605 "WPA: HMAC-SHA384 compute failed");
1606 return -1;
1607 }
1608 os_memcpy(ptk->ltf_keyseed, hash, SHA384_MAC_LEN);
1609 ptk->ltf_keyseed_len = SHA384_MAC_LEN;
1610 wpa_hexdump_key(MSG_DEBUG, "WPA: Secure LTF keyseed: ",
1611 ptk->ltf_keyseed, ptk->ltf_keyseed_len);
1612
1613 } else {
1614 wpa_printf(MSG_DEBUG, "WPA: LTF keyseed using HMAC-SHA256");
1615
1616 if (hmac_sha256(kdk, kdk_len, buf, buf_len, hash)) {
1617 wpa_printf(MSG_ERROR,
1618 "WPA: HMAC-SHA256 compute failed");
1619 return -1;
1620 }
1621 os_memcpy(ptk->ltf_keyseed, hash, SHA256_MAC_LEN);
1622 ptk->ltf_keyseed_len = SHA256_MAC_LEN;
1623 wpa_hexdump_key(MSG_DEBUG, "WPA: Secure LTF keyseed: ",
1624 ptk->ltf_keyseed, ptk->ltf_keyseed_len);
1625 }
1626
1627 return 0;
1628 }
1629
1630
1631 /**
1632 * pasn_mic - Calculate PASN MIC
1633 * @kck: The key confirmation key for the PASN PTKSA
1634 * @akmp: Negotiated AKM
1635 * @cipher: Negotiated pairwise cipher
1636 * @addr1: For the 2nd PASN frame supplicant address; for the 3rd frame the
1637 * BSSID
1638 * @addr2: For the 2nd PASN frame the BSSID; for the 3rd frame the supplicant
1639 * address
1640 * @data: For calculating the MIC for the 2nd PASN frame, this should hold the
1641 * Beacon frame RSNE + RSNXE. For calculating the MIC for the 3rd PASN
1642 * frame, this should hold the hash of the body of the PASN 1st frame.
1643 * @data_len: The length of data
1644 * @frame: The body of the PASN frame including the MIC element with the octets
1645 * in the MIC field of the MIC element set to 0.
1646 * @frame_len: The length of frame
1647 * @mic: Buffer to hold the MIC on success. Should be big enough to handle the
1648 * maximal MIC length
1649 * Returns: 0 on success, -1 on failure
1650 */
pasn_mic(const u8 * kck,int akmp,int cipher,const u8 * addr1,const u8 * addr2,const u8 * data,size_t data_len,const u8 * frame,size_t frame_len,u8 * mic)1651 int pasn_mic(const u8 *kck, int akmp, int cipher,
1652 const u8 *addr1, const u8 *addr2,
1653 const u8 *data, size_t data_len,
1654 const u8 *frame, size_t frame_len, u8 *mic)
1655 {
1656 u8 *buf;
1657 u8 hash[SHA384_MAC_LEN];
1658 size_t buf_len = 2 * ETH_ALEN + data_len + frame_len;
1659 int ret = -1;
1660
1661 if (!kck) {
1662 wpa_printf(MSG_ERROR, "PASN: No KCK for MIC calculation");
1663 return -1;
1664 }
1665
1666 if (!data || !data_len) {
1667 wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation");
1668 return -1;
1669 }
1670
1671 if (!frame || !frame_len) {
1672 wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation");
1673 return -1;
1674 }
1675
1676 buf = os_zalloc(buf_len);
1677 if (!buf)
1678 return -1;
1679
1680 os_memcpy(buf, addr1, ETH_ALEN);
1681 os_memcpy(buf + ETH_ALEN, addr2, ETH_ALEN);
1682
1683 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: data", data, data_len);
1684 os_memcpy(buf + 2 * ETH_ALEN, data, data_len);
1685
1686 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: frame", frame, frame_len);
1687 os_memcpy(buf + 2 * ETH_ALEN + data_len, frame, frame_len);
1688
1689 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: KCK", kck, WPA_PASN_KCK_LEN);
1690 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: buf", buf, buf_len);
1691
1692 if (pasn_use_sha384(akmp, cipher)) {
1693 wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA384");
1694
1695 if (hmac_sha384(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash))
1696 goto err;
1697
1698 os_memcpy(mic, hash, 24);
1699 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 24);
1700 } else {
1701 wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA256");
1702
1703 if (hmac_sha256(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash))
1704 goto err;
1705
1706 os_memcpy(mic, hash, 16);
1707 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 16);
1708 }
1709
1710 ret = 0;
1711 err:
1712 bin_clear_free(buf, buf_len);
1713 return ret;
1714 }
1715
1716
1717 /**
1718 * pasn_auth_frame_hash - Computes a hash of an Authentication frame body
1719 * @akmp: Negotiated AKM
1720 * @cipher: Negotiated pairwise cipher
1721 * @data: Pointer to the Authentication frame body
1722 * @len: Length of the Authentication frame body
1723 * @hash: On return would hold the computed hash. Should be big enough to handle
1724 * SHA384.
1725 * Returns: 0 on success, -1 on failure
1726 */
pasn_auth_frame_hash(int akmp,int cipher,const u8 * data,size_t len,u8 * hash)1727 int pasn_auth_frame_hash(int akmp, int cipher, const u8 *data, size_t len,
1728 u8 *hash)
1729 {
1730 if (pasn_use_sha384(akmp, cipher)) {
1731 wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-384");
1732 return sha384_vector(1, &data, &len, hash);
1733 } else {
1734 wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-256");
1735 return sha256_vector(1, &data, &len, hash);
1736 }
1737 }
1738
1739 #endif /* CONFIG_PASN */
1740
1741
rsn_selector_to_bitfield(const u8 * s)1742 static int rsn_selector_to_bitfield(const u8 *s)
1743 {
1744 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
1745 return WPA_CIPHER_NONE;
1746 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
1747 return WPA_CIPHER_TKIP;
1748 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
1749 return WPA_CIPHER_CCMP;
1750 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
1751 return WPA_CIPHER_AES_128_CMAC;
1752 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
1753 return WPA_CIPHER_GCMP;
1754 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
1755 return WPA_CIPHER_CCMP_256;
1756 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
1757 return WPA_CIPHER_GCMP_256;
1758 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
1759 return WPA_CIPHER_BIP_GMAC_128;
1760 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
1761 return WPA_CIPHER_BIP_GMAC_256;
1762 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
1763 return WPA_CIPHER_BIP_CMAC_256;
1764 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
1765 return WPA_CIPHER_GTK_NOT_USED;
1766 return 0;
1767 }
1768
1769
rsn_key_mgmt_to_bitfield(const u8 * s)1770 static int rsn_key_mgmt_to_bitfield(const u8 *s)
1771 {
1772 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
1773 return WPA_KEY_MGMT_IEEE8021X;
1774 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1775 return WPA_KEY_MGMT_PSK;
1776 #ifdef CONFIG_IEEE80211R
1777 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
1778 return WPA_KEY_MGMT_FT_IEEE8021X;
1779 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
1780 return WPA_KEY_MGMT_FT_PSK;
1781 #ifdef CONFIG_SHA384
1782 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384)
1783 return WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
1784 #endif /* CONFIG_SHA384 */
1785 #endif /* CONFIG_IEEE80211R */
1786 #ifdef CONFIG_SHA384
1787 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA384)
1788 return WPA_KEY_MGMT_IEEE8021X_SHA384;
1789 #endif /* CONFIG_SHA384 */
1790 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
1791 return WPA_KEY_MGMT_IEEE8021X_SHA256;
1792 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
1793 return WPA_KEY_MGMT_PSK_SHA256;
1794 #ifdef CONFIG_SAE
1795 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
1796 return WPA_KEY_MGMT_SAE;
1797 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE_EXT_KEY)
1798 return WPA_KEY_MGMT_SAE_EXT_KEY;
1799 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
1800 return WPA_KEY_MGMT_FT_SAE;
1801 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY)
1802 return WPA_KEY_MGMT_FT_SAE_EXT_KEY;
1803 #endif /* CONFIG_SAE */
1804 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
1805 return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
1806 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
1807 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
1808 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256)
1809 return WPA_KEY_MGMT_FILS_SHA256;
1810 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384)
1811 return WPA_KEY_MGMT_FILS_SHA384;
1812 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256)
1813 return WPA_KEY_MGMT_FT_FILS_SHA256;
1814 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
1815 return WPA_KEY_MGMT_FT_FILS_SHA384;
1816 #ifdef CONFIG_OWE
1817 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
1818 return WPA_KEY_MGMT_OWE;
1819 #endif /* CONFIG_OWE */
1820 #ifdef CONFIG_DPP
1821 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP)
1822 return WPA_KEY_MGMT_DPP;
1823 #endif /* CONFIG_DPP */
1824 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
1825 return WPA_KEY_MGMT_OSEN;
1826 #ifdef CONFIG_PASN
1827 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PASN)
1828 return WPA_KEY_MGMT_PASN;
1829 #endif /* CONFIG_PASN */
1830 return 0;
1831 }
1832
1833
wpa_cipher_valid_group(int cipher)1834 int wpa_cipher_valid_group(int cipher)
1835 {
1836 return wpa_cipher_valid_pairwise(cipher) ||
1837 cipher == WPA_CIPHER_GTK_NOT_USED;
1838 }
1839
1840
wpa_cipher_valid_mgmt_group(int cipher)1841 int wpa_cipher_valid_mgmt_group(int cipher)
1842 {
1843 return cipher == WPA_CIPHER_GTK_NOT_USED ||
1844 cipher == WPA_CIPHER_AES_128_CMAC ||
1845 cipher == WPA_CIPHER_BIP_GMAC_128 ||
1846 cipher == WPA_CIPHER_BIP_GMAC_256 ||
1847 cipher == WPA_CIPHER_BIP_CMAC_256;
1848 }
1849
1850
1851 /**
1852 * wpa_parse_wpa_ie_rsn - Parse RSN IE
1853 * @rsn_ie: Buffer containing RSN IE
1854 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
1855 * @data: Pointer to structure that will be filled in with parsed data
1856 * Returns: 0 on success, <0 on failure
1857 */
wpa_parse_wpa_ie_rsn(const u8 * rsn_ie,size_t rsn_ie_len,struct wpa_ie_data * data)1858 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
1859 struct wpa_ie_data *data)
1860 {
1861 const u8 *pos;
1862 int left;
1863 int i, count;
1864
1865 os_memset(data, 0, sizeof(*data));
1866 data->proto = WPA_PROTO_RSN;
1867 data->pairwise_cipher = WPA_CIPHER_CCMP;
1868 data->group_cipher = WPA_CIPHER_CCMP;
1869 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1870 data->capabilities = 0;
1871 data->pmkid = NULL;
1872 data->num_pmkid = 0;
1873 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
1874
1875 if (rsn_ie_len == 0) {
1876 /* No RSN IE - fail silently */
1877 return -1;
1878 }
1879
1880 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
1881 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1882 __func__, (unsigned long) rsn_ie_len);
1883 return -1;
1884 }
1885
1886 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 &&
1887 rsn_ie[1] == rsn_ie_len - 2 &&
1888 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) {
1889 pos = rsn_ie + 6;
1890 left = rsn_ie_len - 6;
1891
1892 data->group_cipher = WPA_CIPHER_GTK_NOT_USED;
1893 data->has_group = 1;
1894 data->key_mgmt = WPA_KEY_MGMT_OSEN;
1895 data->proto = WPA_PROTO_OSEN;
1896 } else {
1897 const struct rsn_ie_hdr *hdr;
1898
1899 hdr = (const struct rsn_ie_hdr *) rsn_ie;
1900
1901 if (hdr->elem_id != WLAN_EID_RSN ||
1902 hdr->len != rsn_ie_len - 2 ||
1903 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
1904 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1905 __func__);
1906 return -2;
1907 }
1908
1909 pos = (const u8 *) (hdr + 1);
1910 left = rsn_ie_len - sizeof(*hdr);
1911 }
1912
1913 if (left >= RSN_SELECTOR_LEN) {
1914 data->group_cipher = rsn_selector_to_bitfield(pos);
1915 data->has_group = 1;
1916 if (!wpa_cipher_valid_group(data->group_cipher)) {
1917 wpa_printf(MSG_DEBUG,
1918 "%s: invalid group cipher 0x%x (%08x)",
1919 __func__, data->group_cipher,
1920 WPA_GET_BE32(pos));
1921 #ifdef CONFIG_NO_TKIP
1922 if (RSN_SELECTOR_GET(pos) == RSN_CIPHER_SUITE_TKIP) {
1923 wpa_printf(MSG_DEBUG,
1924 "%s: TKIP as group cipher not supported in CONFIG_NO_TKIP=y build",
1925 __func__);
1926 }
1927 #endif /* CONFIG_NO_TKIP */
1928 return -1;
1929 }
1930 pos += RSN_SELECTOR_LEN;
1931 left -= RSN_SELECTOR_LEN;
1932 } else if (left > 0) {
1933 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1934 __func__, left);
1935 return -3;
1936 }
1937
1938 if (left >= 2) {
1939 data->pairwise_cipher = 0;
1940 count = WPA_GET_LE16(pos);
1941 pos += 2;
1942 left -= 2;
1943 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1944 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1945 "count %u left %u", __func__, count, left);
1946 return -4;
1947 }
1948 if (count)
1949 data->has_pairwise = 1;
1950 for (i = 0; i < count; i++) {
1951 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
1952 pos += RSN_SELECTOR_LEN;
1953 left -= RSN_SELECTOR_LEN;
1954 }
1955 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
1956 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
1957 "pairwise cipher", __func__);
1958 return -1;
1959 }
1960 } else if (left == 1) {
1961 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1962 __func__);
1963 return -5;
1964 }
1965
1966 if (left >= 2) {
1967 data->key_mgmt = 0;
1968 count = WPA_GET_LE16(pos);
1969 pos += 2;
1970 left -= 2;
1971 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1972 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1973 "count %u left %u", __func__, count, left);
1974 return -6;
1975 }
1976 for (i = 0; i < count; i++) {
1977 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
1978 pos += RSN_SELECTOR_LEN;
1979 left -= RSN_SELECTOR_LEN;
1980 }
1981 } else if (left == 1) {
1982 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1983 __func__);
1984 return -7;
1985 }
1986
1987 if (left >= 2) {
1988 data->capabilities = WPA_GET_LE16(pos);
1989 pos += 2;
1990 left -= 2;
1991 }
1992
1993 if (left >= 2) {
1994 u16 num_pmkid = WPA_GET_LE16(pos);
1995 pos += 2;
1996 left -= 2;
1997 if (num_pmkid > (unsigned int) left / PMKID_LEN) {
1998 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
1999 "(num_pmkid=%u left=%d)",
2000 __func__, num_pmkid, left);
2001 data->num_pmkid = 0;
2002 return -9;
2003 } else {
2004 data->num_pmkid = num_pmkid;
2005 data->pmkid = pos;
2006 pos += data->num_pmkid * PMKID_LEN;
2007 left -= data->num_pmkid * PMKID_LEN;
2008 }
2009 }
2010
2011 if (left >= 4) {
2012 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
2013 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
2014 wpa_printf(MSG_DEBUG,
2015 "%s: Unsupported management group cipher 0x%x (%08x)",
2016 __func__, data->mgmt_group_cipher,
2017 WPA_GET_BE32(pos));
2018 return -10;
2019 }
2020 pos += RSN_SELECTOR_LEN;
2021 left -= RSN_SELECTOR_LEN;
2022 }
2023
2024 if (left > 0) {
2025 wpa_hexdump(MSG_DEBUG,
2026 "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
2027 pos, left);
2028 }
2029
2030 return 0;
2031 }
2032
2033
wpa_selector_to_bitfield(const u8 * s)2034 static int wpa_selector_to_bitfield(const u8 *s)
2035 {
2036 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
2037 return WPA_CIPHER_NONE;
2038 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
2039 return WPA_CIPHER_TKIP;
2040 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
2041 return WPA_CIPHER_CCMP;
2042 return 0;
2043 }
2044
2045
wpa_key_mgmt_to_bitfield(const u8 * s)2046 static int wpa_key_mgmt_to_bitfield(const u8 *s)
2047 {
2048 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
2049 return WPA_KEY_MGMT_IEEE8021X;
2050 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
2051 return WPA_KEY_MGMT_PSK;
2052 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
2053 return WPA_KEY_MGMT_WPA_NONE;
2054 return 0;
2055 }
2056
2057
wpa_parse_wpa_ie_wpa(const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ie_data * data)2058 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
2059 struct wpa_ie_data *data)
2060 {
2061 const struct wpa_ie_hdr *hdr;
2062 const u8 *pos;
2063 int left;
2064 int i, count;
2065
2066 os_memset(data, 0, sizeof(*data));
2067 data->proto = WPA_PROTO_WPA;
2068 data->pairwise_cipher = WPA_CIPHER_TKIP;
2069 data->group_cipher = WPA_CIPHER_TKIP;
2070 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
2071 data->capabilities = 0;
2072 data->pmkid = NULL;
2073 data->num_pmkid = 0;
2074 data->mgmt_group_cipher = 0;
2075
2076 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
2077 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
2078 __func__, (unsigned long) wpa_ie_len);
2079 return -1;
2080 }
2081
2082 hdr = (const struct wpa_ie_hdr *) wpa_ie;
2083
2084 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
2085 hdr->len != wpa_ie_len - 2 ||
2086 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
2087 WPA_GET_LE16(hdr->version) != WPA_VERSION) {
2088 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
2089 __func__);
2090 return -2;
2091 }
2092
2093 pos = (const u8 *) (hdr + 1);
2094 left = wpa_ie_len - sizeof(*hdr);
2095
2096 if (left >= WPA_SELECTOR_LEN) {
2097 data->group_cipher = wpa_selector_to_bitfield(pos);
2098 pos += WPA_SELECTOR_LEN;
2099 left -= WPA_SELECTOR_LEN;
2100 } else if (left > 0) {
2101 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
2102 __func__, left);
2103 return -3;
2104 }
2105
2106 if (left >= 2) {
2107 data->pairwise_cipher = 0;
2108 count = WPA_GET_LE16(pos);
2109 pos += 2;
2110 left -= 2;
2111 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
2112 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
2113 "count %u left %u", __func__, count, left);
2114 return -4;
2115 }
2116 for (i = 0; i < count; i++) {
2117 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
2118 pos += WPA_SELECTOR_LEN;
2119 left -= WPA_SELECTOR_LEN;
2120 }
2121 } else if (left == 1) {
2122 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
2123 __func__);
2124 return -5;
2125 }
2126
2127 if (left >= 2) {
2128 data->key_mgmt = 0;
2129 count = WPA_GET_LE16(pos);
2130 pos += 2;
2131 left -= 2;
2132 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
2133 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
2134 "count %u left %u", __func__, count, left);
2135 return -6;
2136 }
2137 for (i = 0; i < count; i++) {
2138 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
2139 pos += WPA_SELECTOR_LEN;
2140 left -= WPA_SELECTOR_LEN;
2141 }
2142 } else if (left == 1) {
2143 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
2144 __func__);
2145 return -7;
2146 }
2147
2148 if (left >= 2) {
2149 data->capabilities = WPA_GET_LE16(pos);
2150 pos += 2;
2151 left -= 2;
2152 }
2153
2154 if (left > 0) {
2155 wpa_hexdump(MSG_DEBUG,
2156 "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
2157 pos, left);
2158 }
2159
2160 return 0;
2161 }
2162
2163
wpa_default_rsn_cipher(int freq)2164 int wpa_default_rsn_cipher(int freq)
2165 {
2166 if (freq > 56160)
2167 return WPA_CIPHER_GCMP; /* DMG */
2168
2169 return WPA_CIPHER_CCMP;
2170 }
2171
2172
2173 #ifdef CONFIG_IEEE80211R
2174
2175 /**
2176 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
2177 *
2178 * IEEE Std 802.11r-2008 - 8.5.1.5.3
2179 */
wpa_derive_pmk_r0(const u8 * xxkey,size_t xxkey_len,const u8 * ssid,size_t ssid_len,const u8 * mdid,const u8 * r0kh_id,size_t r0kh_id_len,const u8 * s0kh_id,u8 * pmk_r0,u8 * pmk_r0_name,int key_mgmt)2180 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
2181 const u8 *ssid, size_t ssid_len,
2182 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
2183 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name,
2184 int key_mgmt)
2185 {
2186 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
2187 FT_R0KH_ID_MAX_LEN + ETH_ALEN];
2188 u8 *pos, r0_key_data[64 + 16], hash[64];
2189 const u8 *addr[2];
2190 size_t len[2];
2191 size_t q, r0_key_data_len;
2192 int res;
2193
2194 if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2195 (xxkey_len == SHA256_MAC_LEN || xxkey_len == SHA384_MAC_LEN ||
2196 xxkey_len == SHA512_MAC_LEN))
2197 q = xxkey_len;
2198 else if (wpa_key_mgmt_sha384(key_mgmt))
2199 q = SHA384_MAC_LEN;
2200 else
2201 q = SHA256_MAC_LEN;
2202 r0_key_data_len = q + 16;
2203
2204 /*
2205 * R0-Key-Data = KDF-Hash-Length(XXKey, "FT-R0",
2206 * SSIDlength || SSID || MDID || R0KHlength ||
2207 * R0KH-ID || S0KH-ID)
2208 * XXKey is either the second 256 bits of MSK or PSK; or the first
2209 * 384 bits of MSK for FT-EAP-SHA384; or PMK from SAE.
2210 * PMK-R0 = L(R0-Key-Data, 0, Q)
2211 * PMK-R0Name-Salt = L(R0-Key-Data, Q, 128)
2212 * Q = 384 for FT-EAP-SHA384; the length of the digest generated by H()
2213 * for FT-SAE-EXT-KEY; or otherwise, 256
2214 */
2215 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
2216 return -1;
2217 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R0 using KDF-SHA%zu", q * 8);
2218 wpa_hexdump_key(MSG_DEBUG, "FT: XXKey", xxkey, xxkey_len);
2219 wpa_hexdump_ascii(MSG_DEBUG, "FT: SSID", ssid, ssid_len);
2220 wpa_hexdump(MSG_DEBUG, "FT: MDID", mdid, MOBILITY_DOMAIN_ID_LEN);
2221 wpa_hexdump_ascii(MSG_DEBUG, "FT: R0KH-ID", r0kh_id, r0kh_id_len);
2222 wpa_printf(MSG_DEBUG, "FT: S0KH-ID: " MACSTR_SEC, MAC2STR_SEC(s0kh_id));
2223 pos = buf;
2224 *pos++ = ssid_len;
2225 os_memcpy(pos, ssid, ssid_len);
2226 pos += ssid_len;
2227 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
2228 pos += MOBILITY_DOMAIN_ID_LEN;
2229 *pos++ = r0kh_id_len;
2230 os_memcpy(pos, r0kh_id, r0kh_id_len);
2231 pos += r0kh_id_len;
2232 os_memcpy(pos, s0kh_id, ETH_ALEN);
2233 pos += ETH_ALEN;
2234
2235 res = -1;
2236 #ifdef CONFIG_SHA512
2237 if (q == SHA512_MAC_LEN) {
2238 if (xxkey_len != SHA512_MAC_LEN) {
2239 wpa_printf(MSG_ERROR,
2240 "FT: Unexpected XXKey length %d (expected %d)",
2241 (int) xxkey_len, SHA512_MAC_LEN);
2242 return -1;
2243 }
2244 res = sha512_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
2245 r0_key_data, r0_key_data_len);
2246 }
2247 #endif /* CONFIG_SHA512 */
2248 #ifdef CONFIG_SHA384
2249 if (q == SHA384_MAC_LEN) {
2250 if (xxkey_len != SHA384_MAC_LEN) {
2251 wpa_printf(MSG_ERROR,
2252 "FT: Unexpected XXKey length %d (expected %d)",
2253 (int) xxkey_len, SHA384_MAC_LEN);
2254 return -1;
2255 }
2256 res = sha384_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
2257 r0_key_data, r0_key_data_len);
2258 }
2259 #endif /* CONFIG_SHA384 */
2260 if (q == SHA256_MAC_LEN) {
2261 if (xxkey_len != PMK_LEN) {
2262 wpa_printf(MSG_ERROR,
2263 "FT: Unexpected XXKey length %d (expected %d)",
2264 (int) xxkey_len, PMK_LEN);
2265 return -1;
2266 }
2267 res = sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
2268 r0_key_data, r0_key_data_len);
2269 }
2270 if (res < 0)
2271 return res;
2272 os_memcpy(pmk_r0, r0_key_data, q);
2273 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, q);
2274 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0Name-Salt", &r0_key_data[q], 16);
2275
2276 /*
2277 * PMKR0Name = Truncate-128(Hash("FT-R0N" || PMK-R0Name-Salt)
2278 */
2279 addr[0] = (const u8 *) "FT-R0N";
2280 len[0] = 6;
2281 addr[1] = &r0_key_data[q];
2282 len[1] = 16;
2283
2284 res = -1;
2285 #ifdef CONFIG_SHA512
2286 if (q == SHA512_MAC_LEN)
2287 res = sha512_vector(2, addr, len, hash);
2288 #endif /* CONFIG_SHA512 */
2289 #ifdef CONFIG_SHA384
2290 if (q == SHA384_MAC_LEN)
2291 res = sha384_vector(2, addr, len, hash);
2292 #endif /* CONFIG_SHA384 */
2293 if (q == SHA256_MAC_LEN)
2294 res = sha256_vector(2, addr, len, hash);
2295 if (res < 0) {
2296 wpa_printf(MSG_DEBUG,
2297 "FT: Failed to derive PMKR0Name (PMK-R0 len %zu)",
2298 q);
2299 return res;
2300 }
2301 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
2302 wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
2303 forced_memzero(r0_key_data, sizeof(r0_key_data));
2304 return 0;
2305 }
2306
2307
2308 /**
2309 * wpa_derive_pmk_r1_name - Derive PMKR1Name
2310 *
2311 * IEEE Std 802.11r-2008 - 8.5.1.5.4
2312 */
wpa_derive_pmk_r1_name(const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1_name,size_t pmk_r1_len)2313 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
2314 const u8 *s1kh_id, u8 *pmk_r1_name,
2315 size_t pmk_r1_len)
2316 {
2317 u8 hash[64];
2318 const u8 *addr[4];
2319 size_t len[4];
2320 int res;
2321 const char *title;
2322
2323 /*
2324 * PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name ||
2325 * R1KH-ID || S1KH-ID))
2326 */
2327 addr[0] = (const u8 *) "FT-R1N";
2328 len[0] = 6;
2329 addr[1] = pmk_r0_name;
2330 len[1] = WPA_PMK_NAME_LEN;
2331 addr[2] = r1kh_id;
2332 len[2] = FT_R1KH_ID_LEN;
2333 addr[3] = s1kh_id;
2334 len[3] = ETH_ALEN;
2335
2336 res = -1;
2337 #ifdef CONFIG_SHA512
2338 if (pmk_r1_len == SHA512_MAC_LEN) {
2339 title = "FT: PMKR1Name (using SHA512)";
2340 res = sha512_vector(4, addr, len, hash);
2341 }
2342 #endif /* CONFIG_SHA512 */
2343 #ifdef CONFIG_SHA384
2344 if (pmk_r1_len == SHA384_MAC_LEN) {
2345 title = "FT: PMKR1Name (using SHA384)";
2346 res = sha384_vector(4, addr, len, hash);
2347 }
2348 #endif /* CONFIG_SHA384 */
2349 if (pmk_r1_len == SHA256_MAC_LEN) {
2350 title = "FT: PMKR1Name (using SHA256)";
2351 res = sha256_vector(4, addr, len, hash);
2352 }
2353 if (res < 0) {
2354 wpa_printf(MSG_DEBUG,
2355 "FT: Failed to derive PMKR1Name (PMK-R1 len %zu)",
2356 pmk_r1_len);
2357 return res;
2358 }
2359 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
2360 wpa_hexdump(MSG_DEBUG, title, pmk_r1_name, WPA_PMK_NAME_LEN);
2361 return 0;
2362 }
2363
2364
2365 /**
2366 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
2367 *
2368 * IEEE Std 802.11r-2008 - 8.5.1.5.4
2369 */
wpa_derive_pmk_r1(const u8 * pmk_r0,size_t pmk_r0_len,const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1,u8 * pmk_r1_name)2370 int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
2371 const u8 *pmk_r0_name,
2372 const u8 *r1kh_id, const u8 *s1kh_id,
2373 u8 *pmk_r1, u8 *pmk_r1_name)
2374 {
2375 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
2376 u8 *pos;
2377 int res;
2378
2379 /* PMK-R1 = KDF-Hash(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
2380 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R1 using KDF-SHA%zu",
2381 pmk_r0_len * 8);
2382 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, pmk_r0_len);
2383 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", r1kh_id, FT_R1KH_ID_LEN);
2384 wpa_printf(MSG_DEBUG, "FT: S1KH-ID: " MACSTR_SEC, MAC2STR_SEC(s1kh_id));
2385 pos = buf;
2386 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
2387 pos += FT_R1KH_ID_LEN;
2388 os_memcpy(pos, s1kh_id, ETH_ALEN);
2389 pos += ETH_ALEN;
2390
2391 res = -1;
2392 #ifdef CONFIG_SHA512
2393 if (pmk_r0_len == SHA512_MAC_LEN)
2394 res = sha512_prf(pmk_r0, pmk_r0_len, "FT-R1",
2395 buf, pos - buf, pmk_r1, pmk_r0_len);
2396 #endif /* CONFIG_SHA512 */
2397 #ifdef CONFIG_SHA384
2398 if (pmk_r0_len == SHA384_MAC_LEN)
2399 res = sha384_prf(pmk_r0, pmk_r0_len, "FT-R1",
2400 buf, pos - buf, pmk_r1, pmk_r0_len);
2401 #endif /* CONFIG_SHA384 */
2402 if (pmk_r0_len == SHA256_MAC_LEN)
2403 res = sha256_prf(pmk_r0, pmk_r0_len, "FT-R1",
2404 buf, pos - buf, pmk_r1, pmk_r0_len);
2405 if (res < 0) {
2406 wpa_printf(MSG_ERROR, "FT: Failed to derive PMK-R1");
2407 return res;
2408 }
2409 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len);
2410
2411 return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
2412 pmk_r1_name, pmk_r0_len);
2413 }
2414
2415
2416 /**
2417 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
2418 *
2419 * IEEE Std 802.11r-2008 - 8.5.1.5.5
2420 */
wpa_pmk_r1_to_ptk(const u8 * pmk_r1,size_t pmk_r1_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * pmk_r1_name,struct wpa_ptk * ptk,u8 * ptk_name,int akmp,int cipher,size_t kdk_len)2421 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len,
2422 const u8 *snonce, const u8 *anonce,
2423 const u8 *sta_addr, const u8 *bssid,
2424 const u8 *pmk_r1_name,
2425 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher,
2426 size_t kdk_len)
2427 {
2428 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
2429 u8 *pos, hash[32];
2430 const u8 *addr[6];
2431 size_t len[6];
2432 u8 tmp[2 * WPA_KCK_MAX_LEN + 2 * WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
2433 WPA_KDK_MAX_LEN];
2434 size_t ptk_len, offset;
2435 size_t key_len;
2436 int res;
2437
2438 if (kdk_len > WPA_KDK_MAX_LEN) {
2439 wpa_printf(MSG_ERROR,
2440 "FT: KDK len=%zu exceeds max supported len",
2441 kdk_len);
2442 return -1;
2443 }
2444
2445 if (akmp == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2446 (pmk_r1_len == SHA256_MAC_LEN || pmk_r1_len == SHA384_MAC_LEN ||
2447 pmk_r1_len == SHA512_MAC_LEN))
2448 key_len = pmk_r1_len;
2449 else if (wpa_key_mgmt_sha384(akmp))
2450 key_len = SHA384_MAC_LEN;
2451 else
2452 key_len = SHA256_MAC_LEN;
2453
2454 /*
2455 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
2456 * BSSID || STA-ADDR)
2457 */
2458 wpa_printf(MSG_DEBUG, "FT: Derive PTK using KDF-SHA%zu", key_len * 8);
2459 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r1_len);
2460 wpa_hexdump(MSG_DEBUG, "FT: SNonce", snonce, WPA_NONCE_LEN);
2461 wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN);
2462 wpa_printf(MSG_DEBUG, "FT: BSSID=" MACSTR_SEC " STA-ADDR=" MACSTR_SEC,
2463 MAC2STR_SEC(bssid), MAC2STR_SEC(sta_addr));
2464 pos = buf;
2465 os_memcpy(pos, snonce, WPA_NONCE_LEN);
2466 pos += WPA_NONCE_LEN;
2467 os_memcpy(pos, anonce, WPA_NONCE_LEN);
2468 pos += WPA_NONCE_LEN;
2469 os_memcpy(pos, bssid, ETH_ALEN);
2470 pos += ETH_ALEN;
2471 os_memcpy(pos, sta_addr, ETH_ALEN);
2472 pos += ETH_ALEN;
2473
2474 ptk->kck_len = wpa_kck_len(akmp, key_len);
2475 ptk->kck2_len = wpa_kck2_len(akmp);
2476 ptk->kek_len = wpa_kek_len(akmp, key_len);
2477 ptk->kek2_len = wpa_kek2_len(akmp);
2478 ptk->tk_len = wpa_cipher_key_len(cipher);
2479 ptk->kdk_len = kdk_len;
2480 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len +
2481 ptk->kck2_len + ptk->kek2_len + ptk->kdk_len;
2482
2483 res = -1;
2484 #ifdef CONFIG_SHA512
2485 if (key_len == SHA512_MAC_LEN) {
2486 if (pmk_r1_len != SHA512_MAC_LEN) {
2487 wpa_printf(MSG_ERROR,
2488 "FT: Unexpected PMK-R1 length %d (expected %d)",
2489 (int) pmk_r1_len, SHA512_MAC_LEN);
2490 return -1;
2491 }
2492 res = sha512_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2493 buf, pos - buf, tmp, ptk_len);
2494 }
2495 #endif /* CONFIG_SHA512 */
2496 #ifdef CONFIG_SHA384
2497 if (key_len == SHA384_MAC_LEN) {
2498 if (pmk_r1_len != SHA384_MAC_LEN) {
2499 wpa_printf(MSG_ERROR,
2500 "FT: Unexpected PMK-R1 length %d (expected %d)",
2501 (int) pmk_r1_len, SHA384_MAC_LEN);
2502 return -1;
2503 }
2504 res = sha384_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2505 buf, pos - buf, tmp, ptk_len);
2506 }
2507 #endif /* CONFIG_SHA384 */
2508 if (key_len == SHA256_MAC_LEN) {
2509 if (pmk_r1_len != PMK_LEN) {
2510 wpa_printf(MSG_ERROR,
2511 "FT: Unexpected PMK-R1 length %d (expected %d)",
2512 (int) pmk_r1_len, PMK_LEN);
2513 return -1;
2514 }
2515 res = sha256_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2516 buf, pos - buf, tmp, ptk_len);
2517 }
2518 if (res < 0)
2519 return -1;
2520 wpa_hexdump_key(MSG_DEBUG, "FT: PTK", tmp, ptk_len);
2521
2522 /*
2523 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
2524 * ANonce || BSSID || STA-ADDR))
2525 */
2526 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
2527 addr[0] = pmk_r1_name;
2528 len[0] = WPA_PMK_NAME_LEN;
2529 addr[1] = (const u8 *) "FT-PTKN";
2530 len[1] = 7;
2531 addr[2] = snonce;
2532 len[2] = WPA_NONCE_LEN;
2533 addr[3] = anonce;
2534 len[3] = WPA_NONCE_LEN;
2535 addr[4] = bssid;
2536 len[4] = ETH_ALEN;
2537 addr[5] = sta_addr;
2538 len[5] = ETH_ALEN;
2539
2540 if (sha256_vector(6, addr, len, hash) < 0)
2541 return -1;
2542 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
2543
2544 os_memcpy(ptk->kck, tmp, ptk->kck_len);
2545 offset = ptk->kck_len;
2546 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
2547 offset += ptk->kek_len;
2548 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
2549 offset += ptk->tk_len;
2550 os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len);
2551 offset += ptk->kck2_len;
2552 os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len);
2553 offset += ptk->kek2_len;
2554 os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len);
2555
2556 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
2557 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
2558 if (ptk->kck2_len)
2559 wpa_hexdump_key(MSG_DEBUG, "FT: KCK2",
2560 ptk->kck2, ptk->kck2_len);
2561 if (ptk->kek2_len)
2562 wpa_hexdump_key(MSG_DEBUG, "FT: KEK2",
2563 ptk->kek2, ptk->kek2_len);
2564 if (ptk->kdk_len)
2565 wpa_hexdump_key(MSG_DEBUG, "FT: KDK", ptk->kdk, ptk->kdk_len);
2566
2567 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
2568 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
2569
2570 forced_memzero(tmp, sizeof(tmp));
2571
2572 return 0;
2573 }
2574
2575 #endif /* CONFIG_IEEE80211R */
2576
2577
2578 /**
2579 * rsn_pmkid - Calculate PMK identifier
2580 * @pmk: Pairwise master key
2581 * @pmk_len: Length of pmk in bytes
2582 * @aa: Authenticator address
2583 * @spa: Supplicant address
2584 * @pmkid: Buffer for PMKID
2585 * @akmp: Negotiated key management protocol
2586 *
2587 * IEEE Std 802.11-2016 - 12.7.1.3 Pairwise key hierarchy
2588 * AKM: 00-0F-AC:3, 00-0F-AC:5, 00-0F-AC:6, 00-0F-AC:14, 00-0F-AC:16
2589 * PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA))
2590 * AKM: 00-0F-AC:11
2591 * See rsn_pmkid_suite_b()
2592 * AKM: 00-0F-AC:12
2593 * See rsn_pmkid_suite_b_192()
2594 * AKM: 00-0F-AC:13, 00-0F-AC:15, 00-0F-AC:17
2595 * PMKID = Truncate-128(HMAC-SHA-384(PMK, "PMK Name" || AA || SPA))
2596 * Otherwise:
2597 * PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))
2598 */
rsn_pmkid(const u8 * pmk,size_t pmk_len,const u8 * aa,const u8 * spa,u8 * pmkid,int akmp)2599 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
2600 u8 *pmkid, int akmp)
2601 {
2602 char *title = "PMK Name";
2603 const u8 *addr[3];
2604 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2605 unsigned char hash[SHA384_MAC_LEN];
2606
2607 addr[0] = (u8 *) title;
2608 addr[1] = aa;
2609 addr[2] = spa;
2610
2611 if (0) {
2612 #if defined(CONFIG_FILS) || defined(CONFIG_SHA384)
2613 } else if (wpa_key_mgmt_sha384(akmp)) {
2614 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-384");
2615 hmac_sha384_vector(pmk, pmk_len, 3, addr, len, hash);
2616 #endif /* CONFIG_FILS || CONFIG_SHA384 */
2617 } else if (wpa_key_mgmt_sha256(akmp)) {
2618 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-256");
2619 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
2620 } else {
2621 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-1");
2622 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
2623 }
2624 wpa_hexdump(MSG_DEBUG, "RSN: Derived PMKID", hash, PMKID_LEN);
2625 os_memcpy(pmkid, hash, PMKID_LEN);
2626 }
2627
2628
2629 #ifdef CONFIG_SUITEB
2630 /**
2631 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
2632 * @kck: Key confirmation key
2633 * @kck_len: Length of kck in bytes
2634 * @aa: Authenticator address
2635 * @spa: Supplicant address
2636 * @pmkid: Buffer for PMKID
2637 * Returns: 0 on success, -1 on failure
2638 *
2639 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
2640 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
2641 */
rsn_pmkid_suite_b(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)2642 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
2643 const u8 *spa, u8 *pmkid)
2644 {
2645 char *title = "PMK Name";
2646 const u8 *addr[3];
2647 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2648 unsigned char hash[SHA256_MAC_LEN];
2649
2650 addr[0] = (u8 *) title;
2651 addr[1] = aa;
2652 addr[2] = spa;
2653
2654 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
2655 return -1;
2656 os_memcpy(pmkid, hash, PMKID_LEN);
2657 return 0;
2658 }
2659 #endif /* CONFIG_SUITEB */
2660
2661
2662 #ifdef CONFIG_SUITEB192
2663 /**
2664 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
2665 * @kck: Key confirmation key
2666 * @kck_len: Length of kck in bytes
2667 * @aa: Authenticator address
2668 * @spa: Supplicant address
2669 * @pmkid: Buffer for PMKID
2670 * Returns: 0 on success, -1 on failure
2671 *
2672 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
2673 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
2674 */
rsn_pmkid_suite_b_192(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)2675 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
2676 const u8 *spa, u8 *pmkid)
2677 {
2678 char *title = "PMK Name";
2679 const u8 *addr[3];
2680 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2681 unsigned char hash[SHA384_MAC_LEN];
2682
2683 addr[0] = (u8 *) title;
2684 addr[1] = aa;
2685 addr[2] = spa;
2686
2687 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
2688 return -1;
2689 os_memcpy(pmkid, hash, PMKID_LEN);
2690 return 0;
2691 }
2692 #endif /* CONFIG_SUITEB192 */
2693
2694
2695 /**
2696 * wpa_cipher_txt - Convert cipher suite to a text string
2697 * @cipher: Cipher suite (WPA_CIPHER_* enum)
2698 * Returns: Pointer to a text string of the cipher suite name
2699 */
wpa_cipher_txt(int cipher)2700 const char * wpa_cipher_txt(int cipher)
2701 {
2702 switch (cipher) {
2703 case WPA_CIPHER_NONE:
2704 return "NONE";
2705 #ifdef CONFIG_WEP
2706 case WPA_CIPHER_WEP40:
2707 return "WEP-40";
2708 case WPA_CIPHER_WEP104:
2709 return "WEP-104";
2710 #endif /* CONFIG_WEP */
2711 case WPA_CIPHER_TKIP:
2712 return "TKIP";
2713 case WPA_CIPHER_CCMP:
2714 return "CCMP";
2715 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
2716 return "CCMP+TKIP";
2717 case WPA_CIPHER_GCMP:
2718 return "GCMP";
2719 case WPA_CIPHER_GCMP_256:
2720 return "GCMP-256";
2721 case WPA_CIPHER_CCMP_256:
2722 return "CCMP-256";
2723 case WPA_CIPHER_AES_128_CMAC:
2724 return "BIP";
2725 case WPA_CIPHER_BIP_GMAC_128:
2726 return "BIP-GMAC-128";
2727 case WPA_CIPHER_BIP_GMAC_256:
2728 return "BIP-GMAC-256";
2729 case WPA_CIPHER_BIP_CMAC_256:
2730 return "BIP-CMAC-256";
2731 #ifdef CONFIG_WAPI
2732 case WPA_CIPHER_SMS4:
2733 return "SMS4";
2734 #endif
2735 case WPA_CIPHER_GTK_NOT_USED:
2736 return "GTK_NOT_USED";
2737 default:
2738 return "UNKNOWN";
2739 }
2740 }
2741
2742
2743 /**
2744 * wpa_key_mgmt_txt - Convert key management suite to a text string
2745 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
2746 * @proto: WPA/WPA2 version (WPA_PROTO_*)
2747 * Returns: Pointer to a text string of the key management suite name
2748 */
wpa_key_mgmt_txt(int key_mgmt,int proto)2749 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
2750 {
2751 switch (key_mgmt) {
2752 case WPA_KEY_MGMT_IEEE8021X:
2753 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2754 return "WPA2+WPA/IEEE 802.1X/EAP";
2755 return proto == WPA_PROTO_RSN ?
2756 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
2757 case WPA_KEY_MGMT_PSK:
2758 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2759 return "WPA2-PSK+WPA-PSK";
2760 return proto == WPA_PROTO_RSN ?
2761 "WPA2-PSK" : "WPA-PSK";
2762 case WPA_KEY_MGMT_NONE:
2763 return "NONE";
2764 case WPA_KEY_MGMT_WPA_NONE:
2765 return "WPA-NONE";
2766 case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
2767 return "IEEE 802.1X (no WPA)";
2768 #ifdef CONFIG_IEEE80211R
2769 case WPA_KEY_MGMT_FT_IEEE8021X:
2770 return "FT-EAP";
2771 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2772 return "FT-EAP-SHA384";
2773 case WPA_KEY_MGMT_FT_PSK:
2774 return "FT-PSK";
2775 #endif /* CONFIG_IEEE80211R */
2776 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2777 return "WPA2-EAP-SHA256";
2778 case WPA_KEY_MGMT_PSK_SHA256:
2779 return "WPA2-PSK-SHA256";
2780 case WPA_KEY_MGMT_WPS:
2781 return "WPS";
2782 case WPA_KEY_MGMT_SAE:
2783 return "SAE";
2784 case WPA_KEY_MGMT_SAE_EXT_KEY:
2785 return "SAE-EXT-KEY";
2786 case WPA_KEY_MGMT_FT_SAE:
2787 return "FT-SAE";
2788 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
2789 return "FT-SAE-EXT-KEY";
2790 case WPA_KEY_MGMT_OSEN:
2791 return "OSEN";
2792 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2793 return "WPA2-EAP-SUITE-B";
2794 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2795 return "WPA2-EAP-SUITE-B-192";
2796 case WPA_KEY_MGMT_FILS_SHA256:
2797 return "FILS-SHA256";
2798 case WPA_KEY_MGMT_FILS_SHA384:
2799 return "FILS-SHA384";
2800 case WPA_KEY_MGMT_FT_FILS_SHA256:
2801 return "FT-FILS-SHA256";
2802 case WPA_KEY_MGMT_FT_FILS_SHA384:
2803 return "FT-FILS-SHA384";
2804 case WPA_KEY_MGMT_OWE:
2805 return "OWE";
2806 case WPA_KEY_MGMT_DPP:
2807 return "DPP";
2808 case WPA_KEY_MGMT_PASN:
2809 return "PASN";
2810 case WPA_KEY_MGMT_IEEE8021X_SHA384:
2811 return "WPA2-EAP-SHA384";
2812 default:
2813 return "UNKNOWN";
2814 }
2815 }
2816
2817
wpa_akm_to_suite(int akm)2818 u32 wpa_akm_to_suite(int akm)
2819 {
2820 if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
2821 return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384;
2822 if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
2823 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2824 if (akm & WPA_KEY_MGMT_FT_PSK)
2825 return RSN_AUTH_KEY_MGMT_FT_PSK;
2826 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA384)
2827 return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
2828 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
2829 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2830 if (akm & WPA_KEY_MGMT_IEEE8021X)
2831 return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
2832 if (akm & WPA_KEY_MGMT_PSK_SHA256)
2833 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2834 if (akm & WPA_KEY_MGMT_PSK)
2835 return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
2836 if (akm & WPA_KEY_MGMT_CCKM)
2837 return RSN_AUTH_KEY_MGMT_CCKM;
2838 if (akm & WPA_KEY_MGMT_OSEN)
2839 return RSN_AUTH_KEY_MGMT_OSEN;
2840 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
2841 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2842 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
2843 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2844 if (akm & WPA_KEY_MGMT_FILS_SHA256)
2845 return RSN_AUTH_KEY_MGMT_FILS_SHA256;
2846 if (akm & WPA_KEY_MGMT_FILS_SHA384)
2847 return RSN_AUTH_KEY_MGMT_FILS_SHA384;
2848 if (akm & WPA_KEY_MGMT_FT_FILS_SHA256)
2849 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
2850 if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
2851 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
2852 if (akm & WPA_KEY_MGMT_SAE)
2853 return RSN_AUTH_KEY_MGMT_SAE;
2854 if (akm & WPA_KEY_MGMT_SAE_EXT_KEY)
2855 return RSN_AUTH_KEY_MGMT_SAE_EXT_KEY;
2856 if (akm & WPA_KEY_MGMT_FT_SAE)
2857 return RSN_AUTH_KEY_MGMT_FT_SAE;
2858 if (akm & WPA_KEY_MGMT_FT_SAE_EXT_KEY)
2859 return RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY;
2860 if (akm & WPA_KEY_MGMT_OWE)
2861 return RSN_AUTH_KEY_MGMT_OWE;
2862 if (akm & WPA_KEY_MGMT_DPP)
2863 return RSN_AUTH_KEY_MGMT_DPP;
2864 return 0;
2865 }
2866
2867
wpa_compare_rsn_ie(int ft_initial_assoc,const u8 * ie1,size_t ie1len,const u8 * ie2,size_t ie2len)2868 int wpa_compare_rsn_ie(int ft_initial_assoc,
2869 const u8 *ie1, size_t ie1len,
2870 const u8 *ie2, size_t ie2len)
2871 {
2872 if (ie1 == NULL || ie2 == NULL)
2873 return -1;
2874
2875 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
2876 return 0; /* identical IEs */
2877
2878 #ifdef CONFIG_IEEE80211R
2879 if (ft_initial_assoc) {
2880 struct wpa_ie_data ie1d, ie2d;
2881 /*
2882 * The PMKID-List in RSN IE is different between Beacon/Probe
2883 * Response/(Re)Association Request frames and EAPOL-Key
2884 * messages in FT initial mobility domain association. Allow
2885 * for this, but verify that other parts of the RSN IEs are
2886 * identical.
2887 */
2888 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
2889 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
2890 return -1;
2891 if (ie1d.proto == ie2d.proto &&
2892 ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
2893 ie1d.group_cipher == ie2d.group_cipher &&
2894 ie1d.key_mgmt == ie2d.key_mgmt &&
2895 ie1d.capabilities == ie2d.capabilities &&
2896 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
2897 return 0;
2898 }
2899 #endif /* CONFIG_IEEE80211R */
2900
2901 return -1;
2902 }
2903
2904
wpa_insert_pmkid(u8 * ies,size_t * ies_len,const u8 * pmkid,bool replace)2905 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid, bool replace)
2906 {
2907 u8 *start, *end, *rpos, *rend;
2908 int added = 0;
2909
2910 start = ies;
2911 end = ies + *ies_len;
2912
2913 while (start < end) {
2914 if (*start == WLAN_EID_RSN)
2915 break;
2916 start += 2 + start[1];
2917 }
2918 if (start >= end) {
2919 wpa_printf(MSG_ERROR, "RSN: Could not find RSNE in IEs data");
2920 return -1;
2921 }
2922 wpa_hexdump(MSG_DEBUG, "RSN: RSNE before modification",
2923 start, 2 + start[1]);
2924
2925 /* Find start of PMKID-Count */
2926 rpos = start + 2;
2927 rend = rpos + start[1];
2928
2929 /* Skip Version and Group Data Cipher Suite */
2930 rpos += 2 + 4;
2931 /* Skip Pairwise Cipher Suite Count and List */
2932 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2933 /* Skip AKM Suite Count and List */
2934 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2935
2936 if (rpos == rend) {
2937 /* Add RSN Capabilities */
2938 os_memmove(rpos + 2, rpos, end - rpos);
2939 *rpos++ = 0;
2940 *rpos++ = 0;
2941 added += 2;
2942 start[1] += 2;
2943 rend = rpos;
2944 } else {
2945 /* Skip RSN Capabilities */
2946 rpos += 2;
2947 if (rpos > rend) {
2948 wpa_printf(MSG_ERROR,
2949 "RSN: Could not parse RSNE in IEs data");
2950 return -1;
2951 }
2952 }
2953
2954 if (rpos == rend) {
2955 /* No PMKID-Count field included; add it */
2956 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
2957 WPA_PUT_LE16(rpos, 1);
2958 rpos += 2;
2959 os_memcpy(rpos, pmkid, PMKID_LEN);
2960 added += 2 + PMKID_LEN;
2961 start[1] += 2 + PMKID_LEN;
2962 } else {
2963 u16 num_pmkid;
2964
2965 if (rend - rpos < 2)
2966 return -1;
2967 num_pmkid = WPA_GET_LE16(rpos);
2968 if (num_pmkid * PMKID_LEN > rend - rpos - 2)
2969 return -1;
2970 /* PMKID-Count was included; use it */
2971 if (replace && num_pmkid != 0) {
2972 u8 *after;
2973
2974 /*
2975 * PMKID may have been included in RSN IE in
2976 * (Re)Association Request frame, so remove the old
2977 * PMKID(s) first before adding the new one.
2978 */
2979 wpa_printf(MSG_DEBUG,
2980 "RSN: Remove %u old PMKID(s) from RSNE",
2981 num_pmkid);
2982 after = rpos + 2 + num_pmkid * PMKID_LEN;
2983 os_memmove(rpos + 2, after, end - after);
2984 start[1] -= num_pmkid * PMKID_LEN;
2985 added -= num_pmkid * PMKID_LEN;
2986 num_pmkid = 0;
2987 }
2988 WPA_PUT_LE16(rpos, num_pmkid + 1);
2989 rpos += 2;
2990 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
2991 os_memcpy(rpos, pmkid, PMKID_LEN);
2992 added += PMKID_LEN;
2993 start[1] += PMKID_LEN;
2994 }
2995
2996 wpa_hexdump(MSG_DEBUG, "RSN: RSNE after modification (PMKID inserted)",
2997 start, 2 + start[1]);
2998
2999 *ies_len += added;
3000
3001 return 0;
3002 }
3003
3004
wpa_cipher_key_len(int cipher)3005 int wpa_cipher_key_len(int cipher)
3006 {
3007 switch (cipher) {
3008 case WPA_CIPHER_CCMP_256:
3009 case WPA_CIPHER_GCMP_256:
3010 case WPA_CIPHER_BIP_GMAC_256:
3011 case WPA_CIPHER_BIP_CMAC_256:
3012 return 32;
3013 case WPA_CIPHER_CCMP:
3014 case WPA_CIPHER_GCMP:
3015 case WPA_CIPHER_AES_128_CMAC:
3016 case WPA_CIPHER_BIP_GMAC_128:
3017 return 16;
3018 case WPA_CIPHER_TKIP:
3019 return 32;
3020 default:
3021 return 0;
3022 }
3023 }
3024
3025
wpa_cipher_rsc_len(int cipher)3026 int wpa_cipher_rsc_len(int cipher)
3027 {
3028 switch (cipher) {
3029 case WPA_CIPHER_CCMP_256:
3030 case WPA_CIPHER_GCMP_256:
3031 case WPA_CIPHER_CCMP:
3032 case WPA_CIPHER_GCMP:
3033 case WPA_CIPHER_TKIP:
3034 return 6;
3035 default:
3036 return 0;
3037 }
3038 }
3039
3040
wpa_cipher_to_alg(int cipher)3041 enum wpa_alg wpa_cipher_to_alg(int cipher)
3042 {
3043 switch (cipher) {
3044 case WPA_CIPHER_CCMP_256:
3045 return WPA_ALG_CCMP_256;
3046 case WPA_CIPHER_GCMP_256:
3047 return WPA_ALG_GCMP_256;
3048 case WPA_CIPHER_CCMP:
3049 return WPA_ALG_CCMP;
3050 case WPA_CIPHER_GCMP:
3051 return WPA_ALG_GCMP;
3052 case WPA_CIPHER_TKIP:
3053 return WPA_ALG_TKIP;
3054 case WPA_CIPHER_AES_128_CMAC:
3055 return WPA_ALG_BIP_CMAC_128;
3056 case WPA_CIPHER_BIP_GMAC_128:
3057 return WPA_ALG_BIP_GMAC_128;
3058 case WPA_CIPHER_BIP_GMAC_256:
3059 return WPA_ALG_BIP_GMAC_256;
3060 case WPA_CIPHER_BIP_CMAC_256:
3061 return WPA_ALG_BIP_CMAC_256;
3062 default:
3063 return WPA_ALG_NONE;
3064 }
3065 }
3066
3067
wpa_cipher_valid_pairwise(int cipher)3068 int wpa_cipher_valid_pairwise(int cipher)
3069 {
3070 #ifdef CONFIG_NO_TKIP
3071 return cipher == WPA_CIPHER_CCMP_256 ||
3072 cipher == WPA_CIPHER_GCMP_256 ||
3073 cipher == WPA_CIPHER_CCMP ||
3074 #ifdef CONFIG_WAPI
3075 cipher == WPA_CIPHER_SMS4 ||
3076 #endif
3077 cipher == WPA_CIPHER_GCMP;
3078 #else /* CONFIG_NO_TKIP */
3079 return cipher == WPA_CIPHER_CCMP_256 ||
3080 cipher == WPA_CIPHER_GCMP_256 ||
3081 cipher == WPA_CIPHER_CCMP ||
3082 cipher == WPA_CIPHER_GCMP ||
3083 #ifdef CONFIG_WAPI
3084 cipher == WPA_CIPHER_SMS4 ||
3085 #endif
3086 cipher == WPA_CIPHER_TKIP;
3087 #endif /* CONFIG_NO_TKIP */
3088 }
3089
3090
wpa_cipher_to_suite(int proto,int cipher)3091 u32 wpa_cipher_to_suite(int proto, int cipher)
3092 {
3093 if (cipher & WPA_CIPHER_CCMP_256)
3094 return RSN_CIPHER_SUITE_CCMP_256;
3095 if (cipher & WPA_CIPHER_GCMP_256)
3096 return RSN_CIPHER_SUITE_GCMP_256;
3097 if (cipher & WPA_CIPHER_CCMP)
3098 return (proto == WPA_PROTO_RSN ?
3099 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
3100 if (cipher & WPA_CIPHER_GCMP)
3101 return RSN_CIPHER_SUITE_GCMP;
3102 if (cipher & WPA_CIPHER_TKIP)
3103 return (proto == WPA_PROTO_RSN ?
3104 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
3105 if (cipher & WPA_CIPHER_NONE)
3106 return (proto == WPA_PROTO_RSN ?
3107 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
3108 if (cipher & WPA_CIPHER_GTK_NOT_USED)
3109 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
3110 if (cipher & WPA_CIPHER_AES_128_CMAC)
3111 return RSN_CIPHER_SUITE_AES_128_CMAC;
3112 if (cipher & WPA_CIPHER_BIP_GMAC_128)
3113 return RSN_CIPHER_SUITE_BIP_GMAC_128;
3114 if (cipher & WPA_CIPHER_BIP_GMAC_256)
3115 return RSN_CIPHER_SUITE_BIP_GMAC_256;
3116 if (cipher & WPA_CIPHER_BIP_CMAC_256)
3117 return RSN_CIPHER_SUITE_BIP_CMAC_256;
3118 #ifdef CONFIG_WAPI
3119 if (cipher & WPA_CIPHER_SMS4)
3120 return RSN_CIPHER_SUITE_SMS4;
3121 #endif
3122 return 0;
3123 }
3124
3125
rsn_cipher_put_suites(u8 * start,int ciphers)3126 int rsn_cipher_put_suites(u8 *start, int ciphers)
3127 {
3128 u8 *pos = start;
3129
3130 if (ciphers & WPA_CIPHER_CCMP_256) {
3131 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
3132 pos += RSN_SELECTOR_LEN;
3133 }
3134 if (ciphers & WPA_CIPHER_GCMP_256) {
3135 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
3136 pos += RSN_SELECTOR_LEN;
3137 }
3138 if (ciphers & WPA_CIPHER_CCMP) {
3139 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
3140 pos += RSN_SELECTOR_LEN;
3141 }
3142 if (ciphers & WPA_CIPHER_GCMP) {
3143 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
3144 pos += RSN_SELECTOR_LEN;
3145 }
3146 if (ciphers & WPA_CIPHER_TKIP) {
3147 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
3148 pos += RSN_SELECTOR_LEN;
3149 }
3150 if (ciphers & WPA_CIPHER_NONE) {
3151 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
3152 pos += RSN_SELECTOR_LEN;
3153 }
3154
3155 return (pos - start) / RSN_SELECTOR_LEN;
3156 }
3157
3158
wpa_cipher_put_suites(u8 * start,int ciphers)3159 int wpa_cipher_put_suites(u8 *start, int ciphers)
3160 {
3161 u8 *pos = start;
3162
3163 if (ciphers & WPA_CIPHER_CCMP) {
3164 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
3165 pos += WPA_SELECTOR_LEN;
3166 }
3167 if (ciphers & WPA_CIPHER_TKIP) {
3168 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
3169 pos += WPA_SELECTOR_LEN;
3170 }
3171 if (ciphers & WPA_CIPHER_NONE) {
3172 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
3173 pos += WPA_SELECTOR_LEN;
3174 }
3175
3176 return (pos - start) / RSN_SELECTOR_LEN;
3177 }
3178
3179
wpa_pick_pairwise_cipher(int ciphers,int none_allowed)3180 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
3181 {
3182 if (ciphers & WPA_CIPHER_CCMP_256)
3183 return WPA_CIPHER_CCMP_256;
3184 if (ciphers & WPA_CIPHER_GCMP_256)
3185 return WPA_CIPHER_GCMP_256;
3186 if (ciphers & WPA_CIPHER_CCMP)
3187 return WPA_CIPHER_CCMP;
3188 if (ciphers & WPA_CIPHER_GCMP)
3189 return WPA_CIPHER_GCMP;
3190 if (ciphers & WPA_CIPHER_TKIP)
3191 return WPA_CIPHER_TKIP;
3192 #ifdef CONFIG_WAPI
3193 if (ciphers & WPA_CIPHER_SMS4)
3194 return WPA_CIPHER_SMS4;
3195 #endif
3196 if (none_allowed && (ciphers & WPA_CIPHER_NONE))
3197 return WPA_CIPHER_NONE;
3198 return -1;
3199 }
3200
3201
wpa_pick_group_cipher(int ciphers)3202 int wpa_pick_group_cipher(int ciphers)
3203 {
3204 if (ciphers & WPA_CIPHER_CCMP_256)
3205 return WPA_CIPHER_CCMP_256;
3206 if (ciphers & WPA_CIPHER_GCMP_256)
3207 return WPA_CIPHER_GCMP_256;
3208 if (ciphers & WPA_CIPHER_CCMP)
3209 return WPA_CIPHER_CCMP;
3210 if (ciphers & WPA_CIPHER_GCMP)
3211 return WPA_CIPHER_GCMP;
3212 if (ciphers & WPA_CIPHER_GTK_NOT_USED)
3213 return WPA_CIPHER_GTK_NOT_USED;
3214 if (ciphers & WPA_CIPHER_TKIP)
3215 return WPA_CIPHER_TKIP;
3216 #ifdef CONFIG_WAPI
3217 if (ciphers & WPA_CIPHER_SMS4)
3218 return WPA_CIPHER_SMS4;
3219 #endif
3220 return -1;
3221 }
3222
3223
wpa_parse_cipher(const char * value)3224 int wpa_parse_cipher(const char *value)
3225 {
3226 int val = 0, last;
3227 char *start, *end, *buf;
3228
3229 buf = os_strdup(value);
3230 if (buf == NULL)
3231 return -1;
3232 start = buf;
3233
3234 while (*start != '\0') {
3235 while (*start == ' ' || *start == '\t')
3236 start++;
3237 if (*start == '\0')
3238 break;
3239 end = start;
3240 while (*end != ' ' && *end != '\t' && *end != '\0')
3241 end++;
3242 last = *end == '\0';
3243 *end = '\0';
3244 if (os_strcmp(start, "CCMP-256") == 0)
3245 val |= WPA_CIPHER_CCMP_256;
3246 else if (os_strcmp(start, "GCMP-256") == 0)
3247 val |= WPA_CIPHER_GCMP_256;
3248 else if (os_strcmp(start, "CCMP") == 0)
3249 val |= WPA_CIPHER_CCMP;
3250 else if (os_strcmp(start, "GCMP") == 0)
3251 val |= WPA_CIPHER_GCMP;
3252 #ifndef CONFIG_NO_TKIP
3253 else if (os_strcmp(start, "TKIP") == 0)
3254 val |= WPA_CIPHER_TKIP;
3255 #endif /* CONFIG_NO_TKIP */
3256 #ifdef CONFIG_WEP
3257 else if (os_strcmp(start, "WEP104") == 0)
3258 val |= WPA_CIPHER_WEP104;
3259 else if (os_strcmp(start, "WEP40") == 0)
3260 val |= WPA_CIPHER_WEP40;
3261 #endif /* CONFIG_WEP */
3262 else if (os_strcmp(start, "NONE") == 0)
3263 val |= WPA_CIPHER_NONE;
3264 #ifdef CONFIG_WAPI
3265 else if (os_strcmp(start, "SMS4") == 0)
3266 val |= WPA_CIPHER_SMS4;
3267 #endif
3268 else if (os_strcmp(start, "GTK_NOT_USED") == 0)
3269 val |= WPA_CIPHER_GTK_NOT_USED;
3270 else if (os_strcmp(start, "AES-128-CMAC") == 0)
3271 val |= WPA_CIPHER_AES_128_CMAC;
3272 else if (os_strcmp(start, "BIP-GMAC-128") == 0)
3273 val |= WPA_CIPHER_BIP_GMAC_128;
3274 else if (os_strcmp(start, "BIP-GMAC-256") == 0)
3275 val |= WPA_CIPHER_BIP_GMAC_256;
3276 else if (os_strcmp(start, "BIP-CMAC-256") == 0)
3277 val |= WPA_CIPHER_BIP_CMAC_256;
3278 else {
3279 os_free(buf);
3280 return -1;
3281 }
3282
3283 if (last)
3284 break;
3285 start = end + 1;
3286 }
3287 os_free(buf);
3288
3289 return val;
3290 }
3291
3292
wpa_write_ciphers(char * start,char * end,int ciphers,const char * delim)3293 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
3294 {
3295 char *pos = start;
3296 int ret;
3297
3298 if (ciphers & WPA_CIPHER_CCMP_256) {
3299 ret = os_snprintf(pos, end - pos, "%sCCMP-256",
3300 pos == start ? "" : delim);
3301 if (os_snprintf_error(end - pos, ret))
3302 return -1;
3303 pos += ret;
3304 }
3305 if (ciphers & WPA_CIPHER_GCMP_256) {
3306 ret = os_snprintf(pos, end - pos, "%sGCMP-256",
3307 pos == start ? "" : delim);
3308 if (os_snprintf_error(end - pos, ret))
3309 return -1;
3310 pos += ret;
3311 }
3312 if (ciphers & WPA_CIPHER_CCMP) {
3313 ret = os_snprintf(pos, end - pos, "%sCCMP",
3314 pos == start ? "" : delim);
3315 if (os_snprintf_error(end - pos, ret))
3316 return -1;
3317 pos += ret;
3318 }
3319 if (ciphers & WPA_CIPHER_GCMP) {
3320 ret = os_snprintf(pos, end - pos, "%sGCMP",
3321 pos == start ? "" : delim);
3322 if (os_snprintf_error(end - pos, ret))
3323 return -1;
3324 pos += ret;
3325 }
3326 if (ciphers & WPA_CIPHER_TKIP) {
3327 ret = os_snprintf(pos, end - pos, "%sTKIP",
3328 pos == start ? "" : delim);
3329 if (os_snprintf_error(end - pos, ret))
3330 return -1;
3331 pos += ret;
3332 }
3333 if (ciphers & WPA_CIPHER_AES_128_CMAC) {
3334 ret = os_snprintf(pos, end - pos, "%sAES-128-CMAC",
3335 pos == start ? "" : delim);
3336 if (os_snprintf_error(end - pos, ret))
3337 return -1;
3338 pos += ret;
3339 }
3340 if (ciphers & WPA_CIPHER_BIP_GMAC_128) {
3341 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-128",
3342 pos == start ? "" : delim);
3343 if (os_snprintf_error(end - pos, ret))
3344 return -1;
3345 pos += ret;
3346 }
3347 if (ciphers & WPA_CIPHER_BIP_GMAC_256) {
3348 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-256",
3349 pos == start ? "" : delim);
3350 if (os_snprintf_error(end - pos, ret))
3351 return -1;
3352 pos += ret;
3353 }
3354 if (ciphers & WPA_CIPHER_BIP_CMAC_256) {
3355 ret = os_snprintf(pos, end - pos, "%sBIP-CMAC-256",
3356 pos == start ? "" : delim);
3357 if (os_snprintf_error(end - pos, ret))
3358 return -1;
3359 pos += ret;
3360 }
3361 if (ciphers & WPA_CIPHER_NONE) {
3362 ret = os_snprintf(pos, end - pos, "%sNONE",
3363 pos == start ? "" : delim);
3364 if (os_snprintf_error(end - pos, ret))
3365 return -1;
3366 pos += ret;
3367 }
3368 #ifdef CONFIG_WAPI
3369 if (ciphers & WPA_CIPHER_SMS4) {
3370 ret = os_snprintf(pos, end - pos, "%sSMS4",
3371 pos == start ? "" : delim);
3372 if (os_snprintf_error(end - pos, ret)) {
3373 return -1;
3374 }
3375 pos += ret;
3376 }
3377 #endif
3378
3379 return pos - start;
3380 }
3381
3382
wpa_select_ap_group_cipher(int wpa,int wpa_pairwise,int rsn_pairwise)3383 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
3384 {
3385 int pairwise = 0;
3386
3387 /* Select group cipher based on the enabled pairwise cipher suites */
3388 if (wpa & 1)
3389 pairwise |= wpa_pairwise;
3390 if (wpa & 2)
3391 pairwise |= rsn_pairwise;
3392
3393 if (pairwise & WPA_CIPHER_TKIP)
3394 return WPA_CIPHER_TKIP;
3395 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
3396 return WPA_CIPHER_GCMP;
3397 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
3398 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
3399 return WPA_CIPHER_GCMP_256;
3400 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
3401 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
3402 return WPA_CIPHER_CCMP_256;
3403 return WPA_CIPHER_CCMP;
3404 }
3405
3406
3407 #ifdef CONFIG_FILS
fils_domain_name_hash(const char * domain,u8 * hash)3408 int fils_domain_name_hash(const char *domain, u8 *hash)
3409 {
3410 char buf[255], *wpos = buf;
3411 const char *pos = domain;
3412 size_t len;
3413 const u8 *addr[1];
3414 u8 mac[SHA256_MAC_LEN];
3415
3416 for (len = 0; len < sizeof(buf) && *pos; len++) {
3417 if (isalpha(*pos) && isupper(*pos))
3418 *wpos++ = tolower(*pos);
3419 else
3420 *wpos++ = *pos;
3421 pos++;
3422 }
3423
3424 addr[0] = (const u8 *) buf;
3425 if (sha256_vector(1, addr, &len, mac) < 0)
3426 return -1;
3427 os_memcpy(hash, mac, 2);
3428 return 0;
3429 }
3430 #endif /* CONFIG_FILS */
3431
3432
3433 /**
3434 * wpa_parse_vendor_specific - Parse Vendor Specific IEs
3435 * @pos: Pointer to the IE header
3436 * @end: Pointer to the end of the Key Data buffer
3437 * @ie: Pointer to parsed IE data
3438 */
wpa_parse_vendor_specific(const u8 * pos,const u8 * end,struct wpa_eapol_ie_parse * ie)3439 static void wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
3440 struct wpa_eapol_ie_parse *ie)
3441 {
3442 unsigned int oui;
3443
3444 if (pos[1] < 4) {
3445 wpa_printf(MSG_MSGDUMP,
3446 "Too short vendor specific IE ignored (len=%u)",
3447 pos[1]);
3448 return;
3449 }
3450
3451 oui = WPA_GET_BE24(&pos[2]);
3452 if (oui == OUI_MICROSOFT && pos[5] == WMM_OUI_TYPE && pos[1] > 4) {
3453 if (pos[6] == WMM_OUI_SUBTYPE_INFORMATION_ELEMENT) {
3454 ie->wmm = &pos[2];
3455 ie->wmm_len = pos[1];
3456 wpa_hexdump(MSG_DEBUG, "WPA: WMM IE",
3457 ie->wmm, ie->wmm_len);
3458 } else if (pos[6] == WMM_OUI_SUBTYPE_PARAMETER_ELEMENT) {
3459 ie->wmm = &pos[2];
3460 ie->wmm_len = pos[1];
3461 wpa_hexdump(MSG_DEBUG, "WPA: WMM Parameter Element",
3462 ie->wmm, ie->wmm_len);
3463 }
3464 }
3465 }
3466
3467
3468 /**
3469 * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
3470 * @pos: Pointer to the IE header
3471 * @ie: Pointer to parsed IE data
3472 * Returns: 0 on success, 1 if end mark is found, 2 if KDE is not recognized
3473 */
wpa_parse_generic(const u8 * pos,struct wpa_eapol_ie_parse * ie)3474 static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie)
3475 {
3476 u8 len = pos[1];
3477 size_t dlen = 2 + len;
3478 u32 selector;
3479 const u8 *p;
3480 size_t left;
3481 u8 link_id;
3482 char title[50];
3483 int ret;
3484
3485 if (len == 0)
3486 return 1;
3487
3488 if (len < RSN_SELECTOR_LEN)
3489 return 2;
3490
3491 p = pos + 2;
3492 selector = RSN_SELECTOR_GET(p);
3493 p += RSN_SELECTOR_LEN;
3494 left = len - RSN_SELECTOR_LEN;
3495
3496 if (left >= 2 && selector == WPA_OUI_TYPE && p[0] == 1 && p[1] == 0) {
3497 ie->wpa_ie = pos;
3498 ie->wpa_ie_len = dlen;
3499 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE in EAPOL-Key",
3500 ie->wpa_ie, ie->wpa_ie_len);
3501 return 0;
3502 }
3503
3504 if (selector == OSEN_IE_VENDOR_TYPE) {
3505 ie->osen = pos;
3506 ie->osen_len = dlen;
3507 return 0;
3508 }
3509
3510 if (left >= PMKID_LEN && selector == RSN_KEY_DATA_PMKID) {
3511 ie->pmkid = p;
3512 wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key", pos, dlen);
3513 return 0;
3514 }
3515
3516 if (left >= 2 && selector == RSN_KEY_DATA_KEYID) {
3517 ie->key_id = p;
3518 wpa_hexdump(MSG_DEBUG, "WPA: KeyID in EAPOL-Key", pos, dlen);
3519 return 0;
3520 }
3521
3522 if (left > 2 && selector == RSN_KEY_DATA_GROUPKEY) {
3523 ie->gtk = p;
3524 ie->gtk_len = left;
3525 wpa_hexdump_key(MSG_DEBUG, "WPA: GTK in EAPOL-Key", pos, dlen);
3526 return 0;
3527 }
3528
3529 if (left >= ETH_ALEN && selector == RSN_KEY_DATA_MAC_ADDR) {
3530 ie->mac_addr = p;
3531 wpa_printf(MSG_DEBUG, "WPA: MAC Address in EAPOL-Key: " MACSTR_SEC,
3532 MAC2STR_SEC(ie->mac_addr));
3533 return 0;
3534 }
3535
3536 if (left > 2 && selector == RSN_KEY_DATA_IGTK) {
3537 ie->igtk = p;
3538 ie->igtk_len = left;
3539 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK in EAPOL-Key",
3540 pos, dlen);
3541 return 0;
3542 }
3543
3544 if (left > 2 && selector == RSN_KEY_DATA_BIGTK) {
3545 ie->bigtk = p;
3546 ie->bigtk_len = left;
3547 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK in EAPOL-Key",
3548 pos, dlen);
3549 return 0;
3550 }
3551
3552 if (left >= 1 && selector == WFA_KEY_DATA_IP_ADDR_REQ) {
3553 ie->ip_addr_req = p;
3554 wpa_hexdump(MSG_DEBUG, "WPA: IP Address Request in EAPOL-Key",
3555 ie->ip_addr_req, left);
3556 return 0;
3557 }
3558
3559 if (left >= 3 * 4 && selector == WFA_KEY_DATA_IP_ADDR_ALLOC) {
3560 ie->ip_addr_alloc = p;
3561 wpa_hexdump(MSG_DEBUG,
3562 "WPA: IP Address Allocation in EAPOL-Key",
3563 ie->ip_addr_alloc, left);
3564 return 0;
3565 }
3566
3567 if (left > 2 && selector == RSN_KEY_DATA_OCI) {
3568 ie->oci = p;
3569 ie->oci_len = left;
3570 wpa_hexdump(MSG_DEBUG, "WPA: OCI KDE in EAPOL-Key",
3571 pos, dlen);
3572 return 0;
3573 }
3574
3575 if (left >= 1 && selector == WFA_KEY_DATA_TRANSITION_DISABLE) {
3576 ie->transition_disable = p;
3577 ie->transition_disable_len = left;
3578 wpa_hexdump(MSG_DEBUG,
3579 "WPA: Transition Disable KDE in EAPOL-Key",
3580 pos, dlen);
3581 return 0;
3582 }
3583
3584 if (left >= 2 && selector == WFA_KEY_DATA_DPP) {
3585 ie->dpp_kde = p;
3586 ie->dpp_kde_len = left;
3587 wpa_hexdump(MSG_DEBUG, "WPA: DPP KDE in EAPOL-Key", pos, dlen);
3588 return 0;
3589 }
3590
3591 if (left >= RSN_MLO_GTK_KDE_PREFIX_LENGTH &&
3592 selector == RSN_KEY_DATA_MLO_GTK) {
3593 link_id = (p[0] & RSN_MLO_GTK_KDE_PREFIX0_LINK_ID_MASK) >>
3594 RSN_MLO_GTK_KDE_PREFIX0_LINK_ID_SHIFT;
3595 if (link_id >= MAX_NUM_MLD_LINKS)
3596 return 2;
3597
3598 ie->valid_mlo_gtks |= BIT(link_id);
3599 ie->mlo_gtk[link_id] = p;
3600 ie->mlo_gtk_len[link_id] = left;
3601 ret = os_snprintf(title, sizeof(title),
3602 "RSN: Link ID %u - MLO GTK KDE in EAPOL-Key",
3603 link_id);
3604 if (!os_snprintf_error(sizeof(title), ret))
3605 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen);
3606 return 0;
3607 }
3608
3609 if (left >= RSN_MLO_IGTK_KDE_PREFIX_LENGTH &&
3610 selector == RSN_KEY_DATA_MLO_IGTK) {
3611 link_id = (p[8] & RSN_MLO_IGTK_KDE_PREFIX8_LINK_ID_MASK) >>
3612 RSN_MLO_IGTK_KDE_PREFIX8_LINK_ID_SHIFT;
3613 if (link_id >= MAX_NUM_MLD_LINKS)
3614 return 2;
3615
3616 ie->valid_mlo_igtks |= BIT(link_id);
3617 ie->mlo_igtk[link_id] = p;
3618 ie->mlo_igtk_len[link_id] = left;
3619 ret = os_snprintf(title, sizeof(title),
3620 "RSN: Link ID %u - MLO IGTK KDE in EAPOL-Key",
3621 link_id);
3622 if (!os_snprintf_error(sizeof(title), ret))
3623 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen);
3624 return 0;
3625 }
3626
3627 if (left >= RSN_MLO_BIGTK_KDE_PREFIX_LENGTH &&
3628 selector == RSN_KEY_DATA_MLO_BIGTK) {
3629 link_id = (p[8] & RSN_MLO_BIGTK_KDE_PREFIX8_LINK_ID_MASK) >>
3630 RSN_MLO_BIGTK_KDE_PREFIX8_LINK_ID_SHIFT;
3631 if (link_id >= MAX_NUM_MLD_LINKS)
3632 return 2;
3633
3634 ie->valid_mlo_bigtks |= BIT(link_id);
3635 ie->mlo_bigtk[link_id] = p;
3636 ie->mlo_bigtk_len[link_id] = left;
3637 ret = os_snprintf(title, sizeof(title),
3638 "RSN: Link ID %u - MLO BIGTK KDE in EAPOL-Key",
3639 link_id);
3640 if (!os_snprintf_error(sizeof(title), ret))
3641 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen);
3642 return 0;
3643 }
3644
3645 if (left >= RSN_MLO_LINK_KDE_FIXED_LENGTH &&
3646 selector == RSN_KEY_DATA_MLO_LINK) {
3647 link_id = (p[0] & RSN_MLO_LINK_KDE_LI_LINK_ID_MASK) >>
3648 RSN_MLO_LINK_KDE_LI_LINK_ID_SHIFT;
3649 if (link_id >= MAX_NUM_MLD_LINKS)
3650 return 2;
3651
3652 ie->valid_mlo_links |= BIT(link_id);
3653 ie->mlo_link[link_id] = p;
3654 ie->mlo_link_len[link_id] = left;
3655 ret = os_snprintf(title, sizeof(title),
3656 "RSN: Link ID %u - MLO Link KDE in EAPOL-Key",
3657 link_id);
3658 if (!os_snprintf_error(sizeof(title), ret))
3659 wpa_hexdump(MSG_DEBUG, title, pos, dlen);
3660 return 0;
3661 }
3662
3663 return 2;
3664 }
3665
3666
3667 /**
3668 * wpa_parse_kde_ies - Parse EAPOL-Key Key Data IEs
3669 * @buf: Pointer to the Key Data buffer
3670 * @len: Key Data Length
3671 * @ie: Pointer to parsed IE data
3672 * Returns: 0 on success, -1 on failure
3673 */
wpa_parse_kde_ies(const u8 * buf,size_t len,struct wpa_eapol_ie_parse * ie)3674 int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
3675 {
3676 const u8 *pos, *end;
3677 int ret = 0;
3678 size_t dlen = 0;
3679
3680 os_memset(ie, 0, sizeof(*ie));
3681 for (pos = buf, end = pos + len; end - pos > 1; pos += dlen) {
3682 if (pos[0] == 0xdd &&
3683 ((pos == buf + len - 1) || pos[1] == 0)) {
3684 /* Ignore padding */
3685 break;
3686 }
3687 dlen = 2 + pos[1];
3688 if ((int) dlen > end - pos) {
3689 wpa_printf(MSG_INFO,
3690 "WPA: EAPOL-Key Key Data underflow (ie=%d len=%d pos=%d)",
3691 pos[0], pos[1], (int) (pos - buf));
3692 wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data", buf, len);
3693 ret = -1;
3694 break;
3695 }
3696 if (*pos == WLAN_EID_RSN) {
3697 ie->rsn_ie = pos;
3698 ie->rsn_ie_len = dlen;
3699 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
3700 ie->rsn_ie, ie->rsn_ie_len);
3701 } else if (*pos == WLAN_EID_RSNX) {
3702 ie->rsnxe = pos;
3703 ie->rsnxe_len = dlen;
3704 wpa_hexdump(MSG_DEBUG, "WPA: RSNXE in EAPOL-Key",
3705 ie->rsnxe, ie->rsnxe_len);
3706 } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
3707 ie->mdie = pos;
3708 ie->mdie_len = dlen;
3709 wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
3710 ie->mdie, ie->mdie_len);
3711 } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
3712 ie->ftie = pos;
3713 ie->ftie_len = dlen;
3714 wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
3715 ie->ftie, ie->ftie_len);
3716 } else if (*pos == WLAN_EID_TIMEOUT_INTERVAL && pos[1] >= 5) {
3717 if (pos[2] == WLAN_TIMEOUT_REASSOC_DEADLINE) {
3718 ie->reassoc_deadline = pos;
3719 wpa_hexdump(MSG_DEBUG, "WPA: Reassoc Deadline "
3720 "in EAPOL-Key",
3721 ie->reassoc_deadline, dlen);
3722 } else if (pos[2] == WLAN_TIMEOUT_KEY_LIFETIME) {
3723 ie->key_lifetime = pos;
3724 wpa_hexdump(MSG_DEBUG, "WPA: KeyLifetime "
3725 "in EAPOL-Key",
3726 ie->key_lifetime, dlen);
3727 } else {
3728 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized "
3729 "EAPOL-Key Key Data IE",
3730 pos, dlen);
3731 }
3732 } else if (*pos == WLAN_EID_LINK_ID) {
3733 if (pos[1] >= 18) {
3734 ie->lnkid = pos;
3735 ie->lnkid_len = dlen;
3736 }
3737 } else if (*pos == WLAN_EID_EXT_CAPAB) {
3738 ie->ext_capab = pos;
3739 ie->ext_capab_len = dlen;
3740 } else if (*pos == WLAN_EID_SUPP_RATES) {
3741 ie->supp_rates = pos;
3742 ie->supp_rates_len = dlen;
3743 } else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
3744 ie->ext_supp_rates = pos;
3745 ie->ext_supp_rates_len = dlen;
3746 } else if (*pos == WLAN_EID_HT_CAP &&
3747 pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
3748 ie->ht_capabilities = pos + 2;
3749 } else if (*pos == WLAN_EID_AID) {
3750 if (pos[1] >= 2)
3751 ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
3752 } else if (*pos == WLAN_EID_VHT_CAP &&
3753 pos[1] >= sizeof(struct ieee80211_vht_capabilities))
3754 {
3755 ie->vht_capabilities = pos + 2;
3756 } else if (*pos == WLAN_EID_EXTENSION &&
3757 pos[1] >= 1 + IEEE80211_HE_CAPAB_MIN_LEN &&
3758 pos[2] == WLAN_EID_EXT_HE_CAPABILITIES) {
3759 ie->he_capabilities = pos + 3;
3760 ie->he_capab_len = pos[1] - 1;
3761 } else if (*pos == WLAN_EID_EXTENSION &&
3762 pos[1] >= 1 +
3763 sizeof(struct ieee80211_he_6ghz_band_cap) &&
3764 pos[2] == WLAN_EID_EXT_HE_6GHZ_BAND_CAP) {
3765 ie->he_6ghz_capabilities = pos + 3;
3766 } else if (*pos == WLAN_EID_EXTENSION &&
3767 pos[1] >= 1 + IEEE80211_EHT_CAPAB_MIN_LEN &&
3768 pos[2] == WLAN_EID_EXT_EHT_CAPABILITIES) {
3769 ie->eht_capabilities = pos + 3;
3770 ie->eht_capab_len = pos[1] - 1;
3771 } else if (*pos == WLAN_EID_QOS && pos[1] >= 1) {
3772 ie->qosinfo = pos[2];
3773 } else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) {
3774 ie->supp_channels = pos + 2;
3775 ie->supp_channels_len = pos[1];
3776 } else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) {
3777 /*
3778 * The value of the Length field of the Supported
3779 * Operating Classes element is between 2 and 253.
3780 * Silently skip invalid elements to avoid interop
3781 * issues when trying to use the value.
3782 */
3783 if (pos[1] >= 2 && pos[1] <= 253) {
3784 ie->supp_oper_classes = pos + 2;
3785 ie->supp_oper_classes_len = pos[1];
3786 }
3787 } else if (*pos == WLAN_EID_SSID) {
3788 ie->ssid = pos + 2;
3789 ie->ssid_len = pos[1];
3790 wpa_hexdump_ascii(MSG_DEBUG, "RSN: SSID in EAPOL-Key",
3791 ie->ssid, ie->ssid_len);
3792 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
3793 ret = wpa_parse_generic(pos, ie);
3794 if (ret == 1) {
3795 /* end mark found */
3796 ret = 0;
3797 break;
3798 }
3799
3800 if (ret == 2) {
3801 /* not a known KDE */
3802 wpa_parse_vendor_specific(pos, end, ie);
3803 }
3804
3805 ret = 0;
3806 } else {
3807 wpa_hexdump(MSG_DEBUG,
3808 "WPA: Unrecognized EAPOL-Key Key Data IE",
3809 pos, dlen);
3810 }
3811 }
3812
3813 return ret;
3814 }
3815
3816
3817 #ifdef CONFIG_PASN
3818
3819 /*
3820 * wpa_pasn_build_auth_header - Add the MAC header and initialize Authentication
3821 * frame for PASN
3822 *
3823 * @buf: Buffer in which the header will be added
3824 * @bssid: The BSSID of the AP
3825 * @src: Source address
3826 * @dst: Destination address
3827 * @trans_seq: Authentication transaction sequence number
3828 * @status: Authentication status
3829 */
wpa_pasn_build_auth_header(struct wpabuf * buf,const u8 * bssid,const u8 * src,const u8 * dst,u8 trans_seq,u16 status)3830 void wpa_pasn_build_auth_header(struct wpabuf *buf, const u8 *bssid,
3831 const u8 *src, const u8 *dst,
3832 u8 trans_seq, u16 status)
3833 {
3834 struct ieee80211_mgmt *auth;
3835
3836 wpa_printf(MSG_DEBUG, "PASN: Add authentication header. trans_seq=%u",
3837 trans_seq);
3838
3839 auth = wpabuf_put(buf, offsetof(struct ieee80211_mgmt,
3840 u.auth.variable));
3841
3842 auth->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
3843 (WLAN_FC_STYPE_AUTH << 4));
3844
3845 os_memcpy(auth->da, dst, ETH_ALEN);
3846 os_memcpy(auth->sa, src, ETH_ALEN);
3847 os_memcpy(auth->bssid, bssid, ETH_ALEN);
3848 auth->seq_ctrl = 0;
3849
3850 auth->u.auth.auth_alg = host_to_le16(WLAN_AUTH_PASN);
3851 auth->u.auth.auth_transaction = host_to_le16(trans_seq);
3852 auth->u.auth.status_code = host_to_le16(status);
3853 }
3854
3855
3856 /*
3857 * wpa_pasn_add_rsne - Add an RSNE for PASN authentication
3858 * @buf: Buffer in which the IE will be added
3859 * @pmkid: Optional PMKID. Can be NULL.
3860 * @akmp: Authentication and key management protocol
3861 * @cipher: The cipher suite
3862 */
wpa_pasn_add_rsne(struct wpabuf * buf,const u8 * pmkid,int akmp,int cipher)3863 int wpa_pasn_add_rsne(struct wpabuf *buf, const u8 *pmkid, int akmp, int cipher)
3864 {
3865 struct rsn_ie_hdr *hdr;
3866 u32 suite;
3867 u16 capab;
3868 u8 *pos;
3869 u8 rsne_len;
3870
3871 wpa_printf(MSG_DEBUG, "PASN: Add RSNE");
3872
3873 rsne_len = sizeof(*hdr) + RSN_SELECTOR_LEN +
3874 2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN +
3875 2 + RSN_SELECTOR_LEN + 2 + (pmkid ? PMKID_LEN : 0);
3876
3877 if (wpabuf_tailroom(buf) < rsne_len)
3878 return -1;
3879 hdr = wpabuf_put(buf, rsne_len);
3880 hdr->elem_id = WLAN_EID_RSN;
3881 hdr->len = rsne_len - 2;
3882 WPA_PUT_LE16(hdr->version, RSN_VERSION);
3883 pos = (u8 *) (hdr + 1);
3884
3885 /* Group addressed data is not allowed */
3886 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
3887 pos += RSN_SELECTOR_LEN;
3888
3889 /* Add the pairwise cipher */
3890 WPA_PUT_LE16(pos, 1);
3891 pos += 2;
3892 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, cipher);
3893 RSN_SELECTOR_PUT(pos, suite);
3894 pos += RSN_SELECTOR_LEN;
3895
3896 /* Add the AKM suite */
3897 WPA_PUT_LE16(pos, 1);
3898 pos += 2;
3899
3900 switch (akmp) {
3901 case WPA_KEY_MGMT_PASN:
3902 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PASN);
3903 break;
3904 #ifdef CONFIG_SAE
3905 case WPA_KEY_MGMT_SAE:
3906 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE);
3907 break;
3908 case WPA_KEY_MGMT_SAE_EXT_KEY:
3909 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY);
3910 break;
3911 #endif /* CONFIG_SAE */
3912 #ifdef CONFIG_FILS
3913 case WPA_KEY_MGMT_FILS_SHA256:
3914 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA256);
3915 break;
3916 case WPA_KEY_MGMT_FILS_SHA384:
3917 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA384);
3918 break;
3919 #endif /* CONFIG_FILS */
3920 #ifdef CONFIG_IEEE80211R
3921 case WPA_KEY_MGMT_FT_PSK:
3922 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
3923 break;
3924 case WPA_KEY_MGMT_FT_IEEE8021X:
3925 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
3926 break;
3927 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
3928 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384);
3929 break;
3930 #endif /* CONFIG_IEEE80211R */
3931 default:
3932 wpa_printf(MSG_ERROR, "PASN: Invalid AKMP=0x%x", akmp);
3933 return -1;
3934 }
3935 pos += RSN_SELECTOR_LEN;
3936
3937 /* RSN Capabilities: PASN mandates both MFP capable and required */
3938 capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR;
3939 WPA_PUT_LE16(pos, capab);
3940 pos += 2;
3941
3942 if (pmkid) {
3943 wpa_printf(MSG_DEBUG, "PASN: Adding PMKID");
3944
3945 WPA_PUT_LE16(pos, 1);
3946 pos += 2;
3947 os_memcpy(pos, pmkid, PMKID_LEN);
3948 pos += PMKID_LEN;
3949 } else {
3950 WPA_PUT_LE16(pos, 0);
3951 pos += 2;
3952 }
3953
3954 /* Group addressed management is not allowed */
3955 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
3956
3957 return 0;
3958 }
3959
3960
3961 /*
3962 * wpa_pasn_add_parameter_ie - Add PASN Parameters IE for PASN authentication
3963 * @buf: Buffer in which the IE will be added
3964 * @pasn_group: Finite Cyclic Group ID for PASN authentication
3965 * @wrapped_data_format: Format of the data in the Wrapped Data IE
3966 * @pubkey: A buffer holding the local public key. Can be NULL
3967 * @compressed: In case pubkey is included, indicates if the public key is
3968 * compressed (only x coordinate is included) or not (both x and y
3969 * coordinates are included)
3970 * @comeback: A buffer holding the comeback token. Can be NULL
3971 * @after: If comeback is set, defined the comeback time in seconds. -1 to not
3972 * include the Comeback After field (frames from non-AP STA).
3973 */
wpa_pasn_add_parameter_ie(struct wpabuf * buf,u16 pasn_group,u8 wrapped_data_format,const struct wpabuf * pubkey,bool compressed,const struct wpabuf * comeback,int after)3974 void wpa_pasn_add_parameter_ie(struct wpabuf *buf, u16 pasn_group,
3975 u8 wrapped_data_format,
3976 const struct wpabuf *pubkey, bool compressed,
3977 const struct wpabuf *comeback, int after)
3978 {
3979 struct pasn_parameter_ie *params;
3980
3981 wpa_printf(MSG_DEBUG, "PASN: Add PASN Parameters element");
3982
3983 params = wpabuf_put(buf, sizeof(*params));
3984
3985 params->id = WLAN_EID_EXTENSION;
3986 params->len = sizeof(*params) - 2;
3987 params->id_ext = WLAN_EID_EXT_PASN_PARAMS;
3988 params->control = 0;
3989 params->wrapped_data_format = wrapped_data_format;
3990
3991 if (comeback) {
3992 wpa_printf(MSG_DEBUG, "PASN: Adding comeback data");
3993
3994 /*
3995 * 2 octets for the 'after' field + 1 octet for the length +
3996 * actual cookie data
3997 */
3998 if (after >= 0)
3999 params->len += 2;
4000 params->len += 1 + wpabuf_len(comeback);
4001 params->control |= WPA_PASN_CTRL_COMEBACK_INFO_PRESENT;
4002
4003 if (after >= 0)
4004 wpabuf_put_le16(buf, after);
4005 wpabuf_put_u8(buf, wpabuf_len(comeback));
4006 wpabuf_put_buf(buf, comeback);
4007 }
4008
4009 if (pubkey) {
4010 wpa_printf(MSG_DEBUG,
4011 "PASN: Adding public key and group ID %u",
4012 pasn_group);
4013
4014 /*
4015 * 2 octets for the finite cyclic group + 2 octets public key
4016 * length + 1 octet for the compressed/uncompressed indication +
4017 * the actual key.
4018 */
4019 params->len += 2 + 1 + 1 + wpabuf_len(pubkey);
4020 params->control |= WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT;
4021
4022 wpabuf_put_le16(buf, pasn_group);
4023
4024 /*
4025 * The first octet indicates whether the public key is
4026 * compressed, as defined in RFC 5480 section 2.2.
4027 */
4028 wpabuf_put_u8(buf, wpabuf_len(pubkey) + 1);
4029 wpabuf_put_u8(buf, compressed ? WPA_PASN_PUBKEY_COMPRESSED_0 :
4030 WPA_PASN_PUBKEY_UNCOMPRESSED);
4031
4032 wpabuf_put_buf(buf, pubkey);
4033 }
4034 }
4035
4036 /*
4037 * wpa_pasn_add_wrapped_data - Add a Wrapped Data IE to PASN Authentication
4038 * frame. If needed, the Wrapped Data IE would be fragmented.
4039 *
4040 * @buf: Buffer in which the IE will be added
4041 * @wrapped_data_buf: Buffer holding the wrapped data
4042 */
wpa_pasn_add_wrapped_data(struct wpabuf * buf,struct wpabuf * wrapped_data_buf)4043 int wpa_pasn_add_wrapped_data(struct wpabuf *buf,
4044 struct wpabuf *wrapped_data_buf)
4045 {
4046 const u8 *data;
4047 size_t data_len;
4048 u8 len;
4049
4050 if (!wrapped_data_buf)
4051 return 0;
4052
4053 wpa_printf(MSG_DEBUG, "PASN: Add wrapped data");
4054
4055 data = wpabuf_head_u8(wrapped_data_buf);
4056 data_len = wpabuf_len(wrapped_data_buf);
4057
4058 /* nothing to add */
4059 if (!data_len)
4060 return 0;
4061
4062 if (data_len <= 254)
4063 len = 1 + data_len;
4064 else
4065 len = 255;
4066
4067 if (wpabuf_tailroom(buf) < 3 + data_len)
4068 return -1;
4069
4070 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
4071 wpabuf_put_u8(buf, len);
4072 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
4073 wpabuf_put_data(buf, data, len - 1);
4074
4075 data += len - 1;
4076 data_len -= len - 1;
4077
4078 while (data_len) {
4079 if (wpabuf_tailroom(buf) < 1 + data_len)
4080 return -1;
4081 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
4082 len = data_len > 255 ? 255 : data_len;
4083 wpabuf_put_u8(buf, len);
4084 wpabuf_put_data(buf, data, len);
4085 data += len;
4086 data_len -= len;
4087 }
4088
4089 return 0;
4090 }
4091
4092
4093 /*
4094 * wpa_pasn_validate_rsne - Validate PSAN specific data of RSNE
4095 * @data: Parsed representation of an RSNE
4096 * Returns -1 for invalid data; otherwise 0
4097 */
wpa_pasn_validate_rsne(const struct wpa_ie_data * data)4098 int wpa_pasn_validate_rsne(const struct wpa_ie_data *data)
4099 {
4100 u16 capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR;
4101
4102 if (data->proto != WPA_PROTO_RSN)
4103 return -1;
4104
4105 if ((data->capabilities & capab) != capab) {
4106 wpa_printf(MSG_DEBUG, "PASN: Invalid RSNE capabilities");
4107 return -1;
4108 }
4109
4110 if (!data->has_group || data->group_cipher != WPA_CIPHER_GTK_NOT_USED) {
4111 wpa_printf(MSG_DEBUG, "PASN: Invalid group data cipher");
4112 return -1;
4113 }
4114
4115 if (!data->has_pairwise || !data->pairwise_cipher ||
4116 (data->pairwise_cipher & (data->pairwise_cipher - 1))) {
4117 wpa_printf(MSG_DEBUG, "PASN: No valid pairwise suite");
4118 return -1;
4119 }
4120
4121 switch (data->key_mgmt) {
4122 #ifdef CONFIG_SAE
4123 case WPA_KEY_MGMT_SAE:
4124 case WPA_KEY_MGMT_SAE_EXT_KEY:
4125 __attribute__((fallthrough));
4126 #endif /* CONFIG_SAE */
4127 #ifdef CONFIG_FILS
4128 case WPA_KEY_MGMT_FILS_SHA256:
4129 case WPA_KEY_MGMT_FILS_SHA384:
4130 __attribute__((fallthrough));
4131 #endif /* CONFIG_FILS */
4132 #ifdef CONFIG_IEEE80211R
4133 case WPA_KEY_MGMT_FT_PSK:
4134 case WPA_KEY_MGMT_FT_IEEE8021X:
4135 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
4136 __attribute__((fallthrough));
4137 #endif /* CONFIG_IEEE80211R */
4138 case WPA_KEY_MGMT_PASN:
4139 break;
4140 default:
4141 wpa_printf(MSG_ERROR, "PASN: invalid key_mgmt: 0x%0x",
4142 data->key_mgmt);
4143 return -1;
4144 }
4145
4146 if (data->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED) {
4147 wpa_printf(MSG_DEBUG, "PASN: Invalid group mgmt cipher");
4148 return -1;
4149 }
4150
4151 if (data->num_pmkid > 1) {
4152 wpa_printf(MSG_DEBUG, "PASN: Invalid number of PMKIDs");
4153 return -1;
4154 }
4155
4156 return 0;
4157 }
4158
4159
4160 /*
4161 * wpa_pasn_parse_parameter_ie - Validates PASN Parameters IE
4162 * @data: Pointer to the PASN Parameters IE (starting with the EID).
4163 * @len: Length of the data in the PASN Parameters IE
4164 * @from_ap: Whether this was received from an AP
4165 * @pasn_params: On successful return would hold the parsed PASN parameters.
4166 * Returns: -1 for invalid data; otherwise 0
4167 *
4168 * Note: On successful return, the pointers in &pasn_params point to the data in
4169 * the IE and are not locally allocated (so they should not be freed etc.).
4170 */
wpa_pasn_parse_parameter_ie(const u8 * data,u8 len,bool from_ap,struct wpa_pasn_params_data * pasn_params)4171 int wpa_pasn_parse_parameter_ie(const u8 *data, u8 len, bool from_ap,
4172 struct wpa_pasn_params_data *pasn_params)
4173 {
4174 struct pasn_parameter_ie *params = (struct pasn_parameter_ie *) data;
4175 const u8 *pos = (const u8 *) (params + 1);
4176
4177 if (!pasn_params) {
4178 wpa_printf(MSG_DEBUG, "PASN: Invalid params");
4179 return -1;
4180 }
4181
4182 if (!params || ((size_t) (params->len + 2) < sizeof(*params)) ||
4183 len < sizeof(*params) || params->len + 2 != len) {
4184 wpa_printf(MSG_DEBUG,
4185 "PASN: Invalid parameters IE. len=(%u, %u)",
4186 params ? params->len : 0, len);
4187 return -1;
4188 }
4189
4190 os_memset(pasn_params, 0, sizeof(*pasn_params));
4191
4192 switch (params->wrapped_data_format) {
4193 case WPA_PASN_WRAPPED_DATA_NO:
4194 case WPA_PASN_WRAPPED_DATA_SAE:
4195 case WPA_PASN_WRAPPED_DATA_FILS_SK:
4196 case WPA_PASN_WRAPPED_DATA_FT:
4197 break;
4198 default:
4199 wpa_printf(MSG_DEBUG, "PASN: Invalid wrapped data format");
4200 return -1;
4201 }
4202
4203 pasn_params->wrapped_data_format = params->wrapped_data_format;
4204
4205 len -= sizeof(*params);
4206
4207 if (params->control & WPA_PASN_CTRL_COMEBACK_INFO_PRESENT) {
4208 if (from_ap) {
4209 if (len < 2) {
4210 wpa_printf(MSG_DEBUG,
4211 "PASN: Invalid Parameters IE: Truncated Comeback After");
4212 return -1;
4213 }
4214 pasn_params->after = WPA_GET_LE16(pos);
4215 pos += 2;
4216 len -= 2;
4217 }
4218
4219 if (len < 1 || len < 1 + *pos) {
4220 wpa_printf(MSG_DEBUG,
4221 "PASN: Invalid Parameters IE: comeback len");
4222 return -1;
4223 }
4224
4225 pasn_params->comeback_len = *pos++;
4226 len--;
4227 pasn_params->comeback = pos;
4228 len -= pasn_params->comeback_len;
4229 pos += pasn_params->comeback_len;
4230 }
4231
4232 if (params->control & WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT) {
4233 if (len < 3 || len < 3 + pos[2]) {
4234 wpa_printf(MSG_DEBUG,
4235 "PASN: Invalid Parameters IE: group and key");
4236 return -1;
4237 }
4238
4239 pasn_params->group = WPA_GET_LE16(pos);
4240 pos += 2;
4241 len -= 2;
4242 pasn_params->pubkey_len = *pos++;
4243 len--;
4244 pasn_params->pubkey = pos;
4245 len -= pasn_params->pubkey_len;
4246 pos += pasn_params->pubkey_len;
4247 }
4248
4249 if (len) {
4250 wpa_printf(MSG_DEBUG,
4251 "PASN: Invalid Parameters IE. Bytes left=%u", len);
4252 return -1;
4253 }
4254
4255 return 0;
4256 }
4257
4258
wpa_pasn_add_rsnxe(struct wpabuf * buf,u16 capab)4259 void wpa_pasn_add_rsnxe(struct wpabuf *buf, u16 capab)
4260 {
4261 size_t flen;
4262
4263 flen = (capab & 0xff00) ? 2 : 1;
4264 if (!capab)
4265 return; /* no supported extended RSN capabilities */
4266 if (wpabuf_tailroom(buf) < 2 + flen)
4267 return;
4268 capab |= flen - 1; /* bit 0-3 = Field length (n - 1) */
4269
4270 wpabuf_put_u8(buf, WLAN_EID_RSNX);
4271 wpabuf_put_u8(buf, flen);
4272 wpabuf_put_u8(buf, capab & 0x00ff);
4273 capab >>= 8;
4274 if (capab)
4275 wpabuf_put_u8(buf, capab);
4276 }
4277
4278
4279 /*
4280 * wpa_pasn_add_extra_ies - Add protocol specific IEs in Authentication
4281 * frame for PASN.
4282 *
4283 * @buf: Buffer in which the elements will be added
4284 * @extra_ies: Protocol specific elements to add
4285 * @len: Length of the elements
4286 * Returns: 0 on success, -1 on failure
4287 */
4288
wpa_pasn_add_extra_ies(struct wpabuf * buf,const u8 * extra_ies,size_t len)4289 int wpa_pasn_add_extra_ies(struct wpabuf *buf, const u8 *extra_ies, size_t len)
4290 {
4291 if (!len || !extra_ies || !buf)
4292 return 0;
4293
4294 if (wpabuf_tailroom(buf) < sizeof(len))
4295 return -1;
4296
4297 wpabuf_put_data(buf, extra_ies, len);
4298 return 0;
4299 }
4300
4301 #endif /* CONFIG_PASN */
4302