1 /*
2 * WPA/RSN - Shared functions for supplicant and authenticator
3 * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/sha384.h"
16 #include "crypto/sha512.h"
17 #include "crypto/aes_wrap.h"
18 #include "crypto/crypto.h"
19 #include "ieee802_11_defs.h"
20 #include "defs.h"
21 #include "wpa_common.h"
22
23
wpa_kck_len(int akmp,size_t pmk_len)24 static unsigned int wpa_kck_len(int akmp, size_t pmk_len)
25 {
26 switch (akmp) {
27 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
28 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
29 return 24;
30 case WPA_KEY_MGMT_FILS_SHA256:
31 case WPA_KEY_MGMT_FT_FILS_SHA256:
32 case WPA_KEY_MGMT_FILS_SHA384:
33 case WPA_KEY_MGMT_FT_FILS_SHA384:
34 return 0;
35 case WPA_KEY_MGMT_DPP:
36 return pmk_len / 2;
37 case WPA_KEY_MGMT_OWE:
38 return pmk_len / 2;
39 default:
40 return 16;
41 }
42 }
43
44
45 #ifdef CONFIG_IEEE80211R
wpa_kck2_len(int akmp)46 static unsigned int wpa_kck2_len(int akmp)
47 {
48 switch (akmp) {
49 case WPA_KEY_MGMT_FT_FILS_SHA256:
50 return 16;
51 case WPA_KEY_MGMT_FT_FILS_SHA384:
52 return 24;
53 default:
54 return 0;
55 }
56 }
57 #endif /* CONFIG_IEEE80211R */
58
59
wpa_kek_len(int akmp,size_t pmk_len)60 static unsigned int wpa_kek_len(int akmp, size_t pmk_len)
61 {
62 switch (akmp) {
63 case WPA_KEY_MGMT_FILS_SHA384:
64 case WPA_KEY_MGMT_FT_FILS_SHA384:
65 return 64;
66 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
67 case WPA_KEY_MGMT_FILS_SHA256:
68 case WPA_KEY_MGMT_FT_FILS_SHA256:
69 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
70 return 32;
71 case WPA_KEY_MGMT_DPP:
72 return pmk_len <= 32 ? 16 : 32;
73 case WPA_KEY_MGMT_OWE:
74 return pmk_len <= 32 ? 16 : 32;
75 default:
76 return 16;
77 }
78 }
79
80
81 #ifdef CONFIG_IEEE80211R
wpa_kek2_len(int akmp)82 static unsigned int wpa_kek2_len(int akmp)
83 {
84 switch (akmp) {
85 case WPA_KEY_MGMT_FT_FILS_SHA256:
86 return 16;
87 case WPA_KEY_MGMT_FT_FILS_SHA384:
88 return 32;
89 default:
90 return 0;
91 }
92 }
93 #endif /* CONFIG_IEEE80211R */
94
95
wpa_mic_len(int akmp,size_t pmk_len)96 unsigned int wpa_mic_len(int akmp, size_t pmk_len)
97 {
98 switch (akmp) {
99 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
100 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
101 return 24;
102 case WPA_KEY_MGMT_FILS_SHA256:
103 case WPA_KEY_MGMT_FILS_SHA384:
104 case WPA_KEY_MGMT_FT_FILS_SHA256:
105 case WPA_KEY_MGMT_FT_FILS_SHA384:
106 return 0;
107 case WPA_KEY_MGMT_DPP:
108 return pmk_len / 2;
109 case WPA_KEY_MGMT_OWE:
110 return pmk_len / 2;
111 default:
112 return 16;
113 }
114 }
115
116
117 /**
118 * wpa_use_akm_defined - Is AKM-defined Key Descriptor Version used
119 * @akmp: WPA_KEY_MGMT_* used in key derivation
120 * Returns: 1 if AKM-defined Key Descriptor Version is used; 0 otherwise
121 */
wpa_use_akm_defined(int akmp)122 int wpa_use_akm_defined(int akmp)
123 {
124 return akmp == WPA_KEY_MGMT_OSEN ||
125 akmp == WPA_KEY_MGMT_OWE ||
126 akmp == WPA_KEY_MGMT_DPP ||
127 akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
128 wpa_key_mgmt_sae(akmp) ||
129 wpa_key_mgmt_suite_b(akmp) ||
130 wpa_key_mgmt_fils(akmp);
131 }
132
133
134 /**
135 * wpa_use_cmac - Is CMAC integrity algorithm used for EAPOL-Key MIC
136 * @akmp: WPA_KEY_MGMT_* used in key derivation
137 * Returns: 1 if CMAC is used; 0 otherwise
138 */
wpa_use_cmac(int akmp)139 int wpa_use_cmac(int akmp)
140 {
141 return akmp == WPA_KEY_MGMT_OSEN ||
142 akmp == WPA_KEY_MGMT_OWE ||
143 akmp == WPA_KEY_MGMT_DPP ||
144 wpa_key_mgmt_ft(akmp) ||
145 wpa_key_mgmt_sha256(akmp) ||
146 wpa_key_mgmt_sae(akmp) ||
147 wpa_key_mgmt_suite_b(akmp);
148 }
149
150
151 /**
152 * wpa_use_aes_key_wrap - Is AES Keywrap algorithm used for EAPOL-Key Key Data
153 * @akmp: WPA_KEY_MGMT_* used in key derivation
154 * Returns: 1 if AES Keywrap is used; 0 otherwise
155 *
156 * Note: AKM 00-0F-AC:1 and 00-0F-AC:2 have special rules for selecting whether
157 * to use AES Keywrap based on the negotiated pairwise cipher. This function
158 * does not cover those special cases.
159 */
wpa_use_aes_key_wrap(int akmp)160 int wpa_use_aes_key_wrap(int akmp)
161 {
162 return akmp == WPA_KEY_MGMT_OSEN ||
163 akmp == WPA_KEY_MGMT_OWE ||
164 akmp == WPA_KEY_MGMT_DPP ||
165 wpa_key_mgmt_ft(akmp) ||
166 wpa_key_mgmt_sha256(akmp) ||
167 wpa_key_mgmt_sae(akmp) ||
168 wpa_key_mgmt_suite_b(akmp);
169 }
170
171
172 /**
173 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
174 * @key: EAPOL-Key Key Confirmation Key (KCK)
175 * @key_len: KCK length in octets
176 * @akmp: WPA_KEY_MGMT_* used in key derivation
177 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
178 * @buf: Pointer to the beginning of the EAPOL header (version field)
179 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
180 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
181 * Returns: 0 on success, -1 on failure
182 *
183 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
184 * to be cleared (all zeroes) when calling this function.
185 *
186 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
187 * description of the Key MIC calculation. It includes packet data from the
188 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
189 * happened during final editing of the standard and the correct behavior is
190 * defined in the last draft (IEEE 802.11i/D10).
191 */
wpa_eapol_key_mic(const u8 * key,size_t key_len,int akmp,int ver,const u8 * buf,size_t len,u8 * mic)192 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
193 const u8 *buf, size_t len, u8 *mic)
194 {
195 u8 hash[SHA512_MAC_LEN];
196
197 if (key_len == 0) {
198 wpa_printf(MSG_DEBUG,
199 "WPA: KCK not set - cannot calculate MIC");
200 return -1;
201 }
202
203 switch (ver) {
204 #ifndef CONFIG_FIPS
205 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
206 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-MD5");
207 return hmac_md5(key, key_len, buf, len, mic);
208 #endif /* CONFIG_FIPS */
209 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
210 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-SHA1");
211 if (hmac_sha1(key, key_len, buf, len, hash))
212 return -1;
213 os_memcpy(mic, hash, MD5_MAC_LEN);
214 break;
215 case WPA_KEY_INFO_TYPE_AES_128_CMAC:
216 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using AES-CMAC");
217 return omac1_aes_128(key, buf, len, mic);
218 case WPA_KEY_INFO_TYPE_AKM_DEFINED:
219 switch (akmp) {
220 #ifdef CONFIG_SAE
221 case WPA_KEY_MGMT_SAE:
222 case WPA_KEY_MGMT_FT_SAE:
223 wpa_printf(MSG_DEBUG,
224 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)");
225 return omac1_aes_128(key, buf, len, mic);
226 #endif /* CONFIG_SAE */
227 #ifdef CONFIG_HS20
228 case WPA_KEY_MGMT_OSEN:
229 wpa_printf(MSG_DEBUG,
230 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - OSEN)");
231 return omac1_aes_128(key, buf, len, mic);
232 #endif /* CONFIG_HS20 */
233 #ifdef CONFIG_SUITEB
234 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
235 wpa_printf(MSG_DEBUG,
236 "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - Suite B)");
237 if (hmac_sha256(key, key_len, buf, len, hash))
238 return -1;
239 os_memcpy(mic, hash, MD5_MAC_LEN);
240 break;
241 #endif /* CONFIG_SUITEB */
242 #ifdef CONFIG_SUITEB192
243 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
244 wpa_printf(MSG_DEBUG,
245 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - Suite B 192-bit)");
246 if (hmac_sha384(key, key_len, buf, len, hash))
247 return -1;
248 os_memcpy(mic, hash, 24);
249 break;
250 #endif /* CONFIG_SUITEB192 */
251 #ifdef CONFIG_OWE
252 case WPA_KEY_MGMT_OWE:
253 wpa_printf(MSG_DEBUG,
254 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - OWE)",
255 (unsigned int) key_len * 8 * 2);
256 if (key_len == 128 / 8) {
257 if (hmac_sha256(key, key_len, buf, len, hash))
258 return -1;
259 } else if (key_len == 192 / 8) {
260 if (hmac_sha384(key, key_len, buf, len, hash))
261 return -1;
262 } else if (key_len == 256 / 8) {
263 if (hmac_sha512(key, key_len, buf, len, hash))
264 return -1;
265 } else {
266 wpa_printf(MSG_INFO,
267 "OWE: Unsupported KCK length: %u",
268 (unsigned int) key_len);
269 return -1;
270 }
271 os_memcpy(mic, hash, key_len);
272 break;
273 #endif /* CONFIG_OWE */
274 #ifdef CONFIG_DPP
275 case WPA_KEY_MGMT_DPP:
276 wpa_printf(MSG_DEBUG,
277 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - DPP)",
278 (unsigned int) key_len * 8 * 2);
279 if (key_len == 128 / 8) {
280 if (hmac_sha256(key, key_len, buf, len, hash))
281 return -1;
282 } else if (key_len == 192 / 8) {
283 if (hmac_sha384(key, key_len, buf, len, hash))
284 return -1;
285 } else if (key_len == 256 / 8) {
286 if (hmac_sha512(key, key_len, buf, len, hash))
287 return -1;
288 } else {
289 wpa_printf(MSG_INFO,
290 "DPP: Unsupported KCK length: %u",
291 (unsigned int) key_len);
292 return -1;
293 }
294 os_memcpy(mic, hash, key_len);
295 break;
296 #endif /* CONFIG_DPP */
297 #if defined(CONFIG_IEEE80211R) && defined(CONFIG_SHA384)
298 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
299 wpa_printf(MSG_DEBUG,
300 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - FT 802.1X SHA384)");
301 if (hmac_sha384(key, key_len, buf, len, hash))
302 return -1;
303 os_memcpy(mic, hash, 24);
304 break;
305 #endif /* CONFIG_IEEE80211R && CONFIG_SHA384 */
306 default:
307 wpa_printf(MSG_DEBUG,
308 "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)",
309 akmp);
310 return -1;
311 }
312 break;
313 default:
314 wpa_printf(MSG_DEBUG,
315 "WPA: EAPOL-Key MIC algorithm not known (ver=%d)",
316 ver);
317 return -1;
318 }
319
320 return 0;
321 }
322
323
324 /**
325 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
326 * @pmk: Pairwise master key
327 * @pmk_len: Length of PMK
328 * @label: Label to use in derivation
329 * @addr1: AA or SA
330 * @addr2: SA or AA
331 * @nonce1: ANonce or SNonce
332 * @nonce2: SNonce or ANonce
333 * @ptk: Buffer for pairwise transient key
334 * @akmp: Negotiated AKM
335 * @cipher: Negotiated pairwise cipher
336 * Returns: 0 on success, -1 on failure
337 *
338 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
339 * PTK = PRF-X(PMK, "Pairwise key expansion",
340 * Min(AA, SA) || Max(AA, SA) ||
341 * Min(ANonce, SNonce) || Max(ANonce, SNonce)
342 * [ || Z.x ])
343 *
344 * The optional Z.x component is used only with DPP and that part is not defined
345 * in IEEE 802.11.
346 */
wpa_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const char * label,const u8 * addr1,const u8 * addr2,const u8 * nonce1,const u8 * nonce2,struct wpa_ptk * ptk,int akmp,int cipher,const u8 * z,size_t z_len)347 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
348 const u8 *addr1, const u8 *addr2,
349 const u8 *nonce1, const u8 *nonce2,
350 struct wpa_ptk *ptk, int akmp, int cipher,
351 const u8 *z, size_t z_len)
352 {
353 #define MAX_Z_LEN 66 /* with NIST P-521 */
354 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN + MAX_Z_LEN];
355 size_t data_len = 2 * ETH_ALEN + 2 * WPA_NONCE_LEN;
356 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
357 size_t ptk_len;
358 #ifdef CONFIG_OWE
359 int owe_ptk_workaround = 0;
360
361 if (akmp == (WPA_KEY_MGMT_OWE | WPA_KEY_MGMT_PSK_SHA256)) {
362 owe_ptk_workaround = 1;
363 akmp = WPA_KEY_MGMT_OWE;
364 }
365 #endif /* CONFIG_OWE */
366
367 if (pmk_len == 0) {
368 wpa_printf(MSG_ERROR, "WPA: No PMK set for PTK derivation");
369 return -1;
370 }
371
372 if (z_len > MAX_Z_LEN)
373 return -1;
374
375 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
376 os_memcpy(data, addr1, ETH_ALEN);
377 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
378 } else {
379 os_memcpy(data, addr2, ETH_ALEN);
380 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
381 }
382
383 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
384 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
385 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
386 WPA_NONCE_LEN);
387 } else {
388 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
389 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
390 WPA_NONCE_LEN);
391 }
392
393 if (z && z_len) {
394 os_memcpy(data + 2 * ETH_ALEN + 2 * WPA_NONCE_LEN, z, z_len);
395 data_len += z_len;
396 }
397
398 ptk->kck_len = wpa_kck_len(akmp, pmk_len);
399 ptk->kek_len = wpa_kek_len(akmp, pmk_len);
400 ptk->tk_len = wpa_cipher_key_len(cipher);
401 if (ptk->tk_len == 0) {
402 wpa_printf(MSG_ERROR,
403 "WPA: Unsupported cipher (0x%x) used in PTK derivation",
404 cipher);
405 return -1;
406 }
407 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
408
409 if (wpa_key_mgmt_sha384(akmp)) {
410 #if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS)
411 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
412 if (sha384_prf(pmk, pmk_len, label, data, data_len,
413 tmp, ptk_len) < 0)
414 return -1;
415 #else /* CONFIG_SUITEB192 || CONFIG_FILS */
416 return -1;
417 #endif /* CONFIG_SUITEB192 || CONFIG_FILS */
418 } else if (wpa_key_mgmt_sha256(akmp)) {
419 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
420 if (sha256_prf(pmk, pmk_len, label, data, data_len,
421 tmp, ptk_len) < 0)
422 return -1;
423 #ifdef CONFIG_OWE
424 } else if (akmp == WPA_KEY_MGMT_OWE && (pmk_len == 32 ||
425 owe_ptk_workaround)) {
426 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
427 if (sha256_prf(pmk, pmk_len, label, data, data_len,
428 tmp, ptk_len) < 0)
429 return -1;
430 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 48) {
431 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
432 if (sha384_prf(pmk, pmk_len, label, data, data_len,
433 tmp, ptk_len) < 0)
434 return -1;
435 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 64) {
436 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
437 if (sha512_prf(pmk, pmk_len, label, data, data_len,
438 tmp, ptk_len) < 0)
439 return -1;
440 } else if (akmp == WPA_KEY_MGMT_OWE) {
441 wpa_printf(MSG_INFO, "OWE: Unknown PMK length %u",
442 (unsigned int) pmk_len);
443 return -1;
444 #endif /* CONFIG_OWE */
445 #ifdef CONFIG_DPP
446 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 32) {
447 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
448 if (sha256_prf(pmk, pmk_len, label, data, data_len,
449 tmp, ptk_len) < 0)
450 return -1;
451 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 48) {
452 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
453 if (sha384_prf(pmk, pmk_len, label, data, data_len,
454 tmp, ptk_len) < 0)
455 return -1;
456 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 64) {
457 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
458 if (sha512_prf(pmk, pmk_len, label, data, data_len,
459 tmp, ptk_len) < 0)
460 return -1;
461 } else if (akmp == WPA_KEY_MGMT_DPP) {
462 wpa_printf(MSG_INFO, "DPP: Unknown PMK length %u",
463 (unsigned int) pmk_len);
464 return -1;
465 #endif /* CONFIG_DPP */
466 } else {
467 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA1)");
468 if (sha1_prf(pmk, pmk_len, label, data, data_len, tmp,
469 ptk_len) < 0)
470 return -1;
471 }
472
473 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
474 MAC2STR(addr1), MAC2STR(addr2));
475 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
476 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
477 if (z && z_len)
478 wpa_hexdump_key(MSG_DEBUG, "WPA: Z.x", z, z_len);
479 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
480 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
481
482 os_memcpy(ptk->kck, tmp, ptk->kck_len);
483 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
484
485 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
486 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
487
488 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
489 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
490
491 ptk->kek2_len = 0;
492 ptk->kck2_len = 0;
493
494 os_memset(tmp, 0, sizeof(tmp));
495 os_memset(data, 0, data_len);
496 return 0;
497 }
498
499 #ifdef CONFIG_FILS
500
fils_rmsk_to_pmk(int akmp,const u8 * rmsk,size_t rmsk_len,const u8 * snonce,const u8 * anonce,const u8 * dh_ss,size_t dh_ss_len,u8 * pmk,size_t * pmk_len)501 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len,
502 const u8 *snonce, const u8 *anonce, const u8 *dh_ss,
503 size_t dh_ss_len, u8 *pmk, size_t *pmk_len)
504 {
505 u8 nonces[2 * FILS_NONCE_LEN];
506 const u8 *addr[2];
507 size_t len[2];
508 size_t num_elem;
509 int res;
510
511 /* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */
512 wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation");
513
514 if (wpa_key_mgmt_sha384(akmp))
515 *pmk_len = SHA384_MAC_LEN;
516 else if (wpa_key_mgmt_sha256(akmp))
517 *pmk_len = SHA256_MAC_LEN;
518 else
519 return -1;
520
521 wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len);
522 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
523 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
524 wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len);
525
526 os_memcpy(nonces, snonce, FILS_NONCE_LEN);
527 os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN);
528 addr[0] = rmsk;
529 len[0] = rmsk_len;
530 num_elem = 1;
531 if (dh_ss) {
532 addr[1] = dh_ss;
533 len[1] = dh_ss_len;
534 num_elem++;
535 }
536 if (wpa_key_mgmt_sha384(akmp))
537 res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
538 addr, len, pmk);
539 else
540 res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
541 addr, len, pmk);
542 if (res == 0)
543 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len);
544 else
545 *pmk_len = 0;
546 return res;
547 }
548
549
fils_pmkid_erp(int akmp,const u8 * reauth,size_t reauth_len,u8 * pmkid)550 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len,
551 u8 *pmkid)
552 {
553 const u8 *addr[1];
554 size_t len[1];
555 u8 hash[SHA384_MAC_LEN];
556 int res;
557
558 /* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */
559 addr[0] = reauth;
560 len[0] = reauth_len;
561 if (wpa_key_mgmt_sha384(akmp))
562 res = sha384_vector(1, addr, len, hash);
563 else if (wpa_key_mgmt_sha256(akmp))
564 res = sha256_vector(1, addr, len, hash);
565 else
566 return -1;
567 if (res)
568 return res;
569 os_memcpy(pmkid, hash, PMKID_LEN);
570 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
571 return 0;
572 }
573
574
fils_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * aa,const u8 * snonce,const u8 * anonce,const u8 * dhss,size_t dhss_len,struct wpa_ptk * ptk,u8 * ick,size_t * ick_len,int akmp,int cipher,u8 * fils_ft,size_t * fils_ft_len)575 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa,
576 const u8 *snonce, const u8 *anonce, const u8 *dhss,
577 size_t dhss_len, struct wpa_ptk *ptk,
578 u8 *ick, size_t *ick_len, int akmp, int cipher,
579 u8 *fils_ft, size_t *fils_ft_len)
580 {
581 u8 *data, *pos;
582 size_t data_len;
583 u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
584 FILS_FT_MAX_LEN];
585 size_t key_data_len;
586 const char *label = "FILS PTK Derivation";
587 int ret = -1;
588
589 /*
590 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation",
591 * SPA || AA || SNonce || ANonce [ || DHss ])
592 * ICK = L(FILS-Key-Data, 0, ICK_bits)
593 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits)
594 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits)
595 * If doing FT initial mobility domain association:
596 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits,
597 * FILS-FT_bits)
598 */
599 data_len = 2 * ETH_ALEN + 2 * FILS_NONCE_LEN + dhss_len;
600 data = os_malloc(data_len);
601 if (!data)
602 goto err;
603 pos = data;
604 os_memcpy(pos, spa, ETH_ALEN);
605 pos += ETH_ALEN;
606 os_memcpy(pos, aa, ETH_ALEN);
607 pos += ETH_ALEN;
608 os_memcpy(pos, snonce, FILS_NONCE_LEN);
609 pos += FILS_NONCE_LEN;
610 os_memcpy(pos, anonce, FILS_NONCE_LEN);
611 pos += FILS_NONCE_LEN;
612 if (dhss)
613 os_memcpy(pos, dhss, dhss_len);
614
615 ptk->kck_len = 0;
616 ptk->kek_len = wpa_kek_len(akmp, pmk_len);
617 ptk->tk_len = wpa_cipher_key_len(cipher);
618 if (wpa_key_mgmt_sha384(akmp))
619 *ick_len = 48;
620 else if (wpa_key_mgmt_sha256(akmp))
621 *ick_len = 32;
622 else
623 goto err;
624 key_data_len = *ick_len + ptk->kek_len + ptk->tk_len;
625
626 if (fils_ft && fils_ft_len) {
627 if (akmp == WPA_KEY_MGMT_FT_FILS_SHA256) {
628 *fils_ft_len = 32;
629 } else if (akmp == WPA_KEY_MGMT_FT_FILS_SHA384) {
630 *fils_ft_len = 48;
631 } else {
632 *fils_ft_len = 0;
633 fils_ft = NULL;
634 }
635 key_data_len += *fils_ft_len;
636 }
637
638 if (wpa_key_mgmt_sha384(akmp)) {
639 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA384)");
640 if (sha384_prf(pmk, pmk_len, label, data, data_len,
641 tmp, key_data_len) < 0)
642 goto err;
643 } else {
644 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA256)");
645 if (sha256_prf(pmk, pmk_len, label, data, data_len,
646 tmp, key_data_len) < 0)
647 goto err;
648 }
649
650 wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR
651 " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa));
652 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
653 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
654 if (dhss)
655 wpa_hexdump_key(MSG_DEBUG, "FILS: DHss", dhss, dhss_len);
656 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len);
657 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len);
658
659 os_memcpy(ick, tmp, *ick_len);
660 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len);
661
662 os_memcpy(ptk->kek, tmp + *ick_len, ptk->kek_len);
663 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len);
664
665 os_memcpy(ptk->tk, tmp + *ick_len + ptk->kek_len, ptk->tk_len);
666 wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len);
667
668 if (fils_ft && fils_ft_len) {
669 os_memcpy(fils_ft, tmp + *ick_len + ptk->kek_len + ptk->tk_len,
670 *fils_ft_len);
671 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-FT",
672 fils_ft, *fils_ft_len);
673 }
674
675 ptk->kek2_len = 0;
676 ptk->kck2_len = 0;
677
678 os_memset(tmp, 0, sizeof(tmp));
679 ret = 0;
680 err:
681 bin_clear_free(data, data_len);
682 return ret;
683 }
684
685
fils_key_auth_sk(const u8 * ick,size_t ick_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * g_sta,size_t g_sta_len,const u8 * g_ap,size_t g_ap_len,int akmp,u8 * key_auth_sta,u8 * key_auth_ap,size_t * key_auth_len)686 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce,
687 const u8 *anonce, const u8 *sta_addr, const u8 *bssid,
688 const u8 *g_sta, size_t g_sta_len,
689 const u8 *g_ap, size_t g_ap_len,
690 int akmp, u8 *key_auth_sta, u8 *key_auth_ap,
691 size_t *key_auth_len)
692 {
693 const u8 *addr[6];
694 size_t len[6];
695 size_t num_elem = 4;
696 int res;
697
698 wpa_printf(MSG_DEBUG, "FILS: Key-Auth derivation: STA-MAC=" MACSTR
699 " AP-BSSID=" MACSTR, MAC2STR(sta_addr), MAC2STR(bssid));
700 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, ick_len);
701 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
702 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
703 wpa_hexdump(MSG_DEBUG, "FILS: gSTA", g_sta, g_sta_len);
704 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
705
706 /*
707 * For (Re)Association Request frame (STA->AP):
708 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID
709 * [ || gSTA || gAP ])
710 */
711 addr[0] = snonce;
712 len[0] = FILS_NONCE_LEN;
713 addr[1] = anonce;
714 len[1] = FILS_NONCE_LEN;
715 addr[2] = sta_addr;
716 len[2] = ETH_ALEN;
717 addr[3] = bssid;
718 len[3] = ETH_ALEN;
719 if (g_sta && g_sta_len && g_ap && g_ap_len) {
720 addr[4] = g_sta;
721 len[4] = g_sta_len;
722 addr[5] = g_ap;
723 len[5] = g_ap_len;
724 num_elem = 6;
725 }
726
727 if (wpa_key_mgmt_sha384(akmp)) {
728 *key_auth_len = 48;
729 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
730 key_auth_sta);
731 } else if (wpa_key_mgmt_sha256(akmp)) {
732 *key_auth_len = 32;
733 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
734 key_auth_sta);
735 } else {
736 return -1;
737 }
738 if (res < 0)
739 return res;
740
741 /*
742 * For (Re)Association Response frame (AP->STA):
743 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC
744 * [ || gAP || gSTA ])
745 */
746 addr[0] = anonce;
747 addr[1] = snonce;
748 addr[2] = bssid;
749 addr[3] = sta_addr;
750 if (g_sta && g_sta_len && g_ap && g_ap_len) {
751 addr[4] = g_ap;
752 len[4] = g_ap_len;
753 addr[5] = g_sta;
754 len[5] = g_sta_len;
755 }
756
757 if (wpa_key_mgmt_sha384(akmp))
758 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
759 key_auth_ap);
760 else if (wpa_key_mgmt_sha256(akmp))
761 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
762 key_auth_ap);
763 if (res < 0)
764 return res;
765
766 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)",
767 key_auth_sta, *key_auth_len);
768 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)",
769 key_auth_ap, *key_auth_len);
770
771 return 0;
772 }
773
774 #endif /* CONFIG_FILS */
775
776
777 #ifdef CONFIG_IEEE80211R
wpa_ft_mic(const u8 * kck,size_t kck_len,const u8 * sta_addr,const u8 * ap_addr,u8 transaction_seqnum,const u8 * mdie,size_t mdie_len,const u8 * ftie,size_t ftie_len,const u8 * rsnie,size_t rsnie_len,const u8 * ric,size_t ric_len,const u8 * rsnxe,size_t rsnxe_len,u8 * mic)778 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr,
779 const u8 *ap_addr, u8 transaction_seqnum,
780 const u8 *mdie, size_t mdie_len,
781 const u8 *ftie, size_t ftie_len,
782 const u8 *rsnie, size_t rsnie_len,
783 const u8 *ric, size_t ric_len,
784 const u8 *rsnxe, size_t rsnxe_len,
785 u8 *mic)
786 {
787 const u8 *addr[10];
788 size_t len[10];
789 size_t i, num_elem = 0;
790 u8 zero_mic[24];
791 size_t mic_len, fte_fixed_len;
792
793 if (kck_len == 16) {
794 mic_len = 16;
795 #ifdef CONFIG_SHA384
796 } else if (kck_len == 24) {
797 mic_len = 24;
798 #endif /* CONFIG_SHA384 */
799 } else {
800 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
801 (unsigned int) kck_len);
802 return -1;
803 }
804
805 fte_fixed_len = sizeof(struct rsn_ftie) - 16 + mic_len;
806
807 addr[num_elem] = sta_addr;
808 len[num_elem] = ETH_ALEN;
809 num_elem++;
810
811 addr[num_elem] = ap_addr;
812 len[num_elem] = ETH_ALEN;
813 num_elem++;
814
815 addr[num_elem] = &transaction_seqnum;
816 len[num_elem] = 1;
817 num_elem++;
818
819 if (rsnie) {
820 addr[num_elem] = rsnie;
821 len[num_elem] = rsnie_len;
822 num_elem++;
823 }
824 if (mdie) {
825 addr[num_elem] = mdie;
826 len[num_elem] = mdie_len;
827 num_elem++;
828 }
829 if (ftie) {
830 if (ftie_len < 2 + fte_fixed_len)
831 return -1;
832
833 /* IE hdr and mic_control */
834 addr[num_elem] = ftie;
835 len[num_elem] = 2 + 2;
836 num_elem++;
837
838 /* MIC field with all zeros */
839 os_memset(zero_mic, 0, mic_len);
840 addr[num_elem] = zero_mic;
841 len[num_elem] = mic_len;
842 num_elem++;
843
844 /* Rest of FTIE */
845 addr[num_elem] = ftie + 2 + 2 + mic_len;
846 len[num_elem] = ftie_len - (2 + 2 + mic_len);
847 num_elem++;
848 }
849 if (ric) {
850 addr[num_elem] = ric;
851 len[num_elem] = ric_len;
852 num_elem++;
853 }
854
855 if (rsnxe) {
856 addr[num_elem] = rsnxe;
857 len[num_elem] = rsnxe_len;
858 num_elem++;
859 }
860
861 for (i = 0; i < num_elem; i++)
862 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
863 #ifdef CONFIG_SHA384
864 if (kck_len == 24) {
865 u8 hash[SHA384_MAC_LEN];
866
867 if (hmac_sha384_vector(kck, kck_len, num_elem, addr, len, hash))
868 return -1;
869 os_memcpy(mic, hash, 24);
870 }
871 #endif /* CONFIG_SHA384 */
872 if (kck_len == 16 &&
873 omac1_aes_128_vector(kck, num_elem, addr, len, mic))
874 return -1;
875
876 return 0;
877 }
878
879
wpa_ft_parse_ftie(const u8 * ie,size_t ie_len,struct wpa_ft_ies * parse,int use_sha384)880 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
881 struct wpa_ft_ies *parse, int use_sha384)
882 {
883 const u8 *end, *pos;
884
885 parse->ftie = ie;
886 parse->ftie_len = ie_len;
887
888 pos = ie + (use_sha384 ? sizeof(struct rsn_ftie_sha384) :
889 sizeof(struct rsn_ftie));
890 end = ie + ie_len;
891 wpa_hexdump(MSG_DEBUG, "FT: Parse FTE subelements", pos, end - pos);
892
893 while (end - pos >= 2) {
894 u8 id, len;
895
896 id = *pos++;
897 len = *pos++;
898 if (len > end - pos) {
899 wpa_printf(MSG_DEBUG, "FT: Truncated subelement");
900 break;
901 }
902
903 switch (id) {
904 case FTIE_SUBELEM_R1KH_ID:
905 if (len != FT_R1KH_ID_LEN) {
906 wpa_printf(MSG_DEBUG,
907 "FT: Invalid R1KH-ID length in FTIE: %d",
908 len);
909 return -1;
910 }
911 parse->r1kh_id = pos;
912 break;
913 case FTIE_SUBELEM_GTK:
914 parse->gtk = pos;
915 parse->gtk_len = len;
916 break;
917 case FTIE_SUBELEM_R0KH_ID:
918 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
919 wpa_printf(MSG_DEBUG,
920 "FT: Invalid R0KH-ID length in FTIE: %d",
921 len);
922 return -1;
923 }
924 parse->r0kh_id = pos;
925 parse->r0kh_id_len = len;
926 break;
927 case FTIE_SUBELEM_IGTK:
928 parse->igtk = pos;
929 parse->igtk_len = len;
930 break;
931 #ifdef CONFIG_OCV
932 case FTIE_SUBELEM_OCI:
933 parse->oci = pos;
934 parse->oci_len = len;
935 break;
936 #endif /* CONFIG_OCV */
937 case FTIE_SUBELEM_BIGTK:
938 parse->bigtk = pos;
939 parse->bigtk_len = len;
940 break;
941 default:
942 wpa_printf(MSG_DEBUG, "FT: Unknown subelem id %u", id);
943 break;
944 }
945
946 pos += len;
947 }
948
949 return 0;
950 }
951
952
wpa_ft_parse_ies(const u8 * ies,size_t ies_len,struct wpa_ft_ies * parse,int use_sha384)953 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
954 struct wpa_ft_ies *parse, int use_sha384)
955 {
956 const u8 *end, *pos;
957 struct wpa_ie_data data;
958 int ret;
959 const struct rsn_ftie *ftie;
960 int prot_ie_count = 0;
961 int update_use_sha384 = 0;
962
963 if (use_sha384 < 0) {
964 use_sha384 = 0;
965 update_use_sha384 = 1;
966 }
967
968 os_memset(parse, 0, sizeof(*parse));
969 if (ies == NULL)
970 return 0;
971
972 pos = ies;
973 end = ies + ies_len;
974 while (end - pos >= 2) {
975 u8 id, len;
976
977 id = *pos++;
978 len = *pos++;
979 if (len > end - pos)
980 break;
981
982 switch (id) {
983 case WLAN_EID_RSN:
984 wpa_hexdump(MSG_DEBUG, "FT: RSNE", pos, len);
985 parse->rsn = pos;
986 parse->rsn_len = len;
987 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
988 parse->rsn_len + 2,
989 &data);
990 if (ret < 0) {
991 wpa_printf(MSG_DEBUG, "FT: Failed to parse "
992 "RSN IE: %d", ret);
993 return -1;
994 }
995 parse->rsn_capab = data.capabilities;
996 if (data.num_pmkid == 1 && data.pmkid)
997 parse->rsn_pmkid = data.pmkid;
998 parse->key_mgmt = data.key_mgmt;
999 parse->pairwise_cipher = data.pairwise_cipher;
1000 if (update_use_sha384) {
1001 use_sha384 =
1002 wpa_key_mgmt_sha384(parse->key_mgmt);
1003 update_use_sha384 = 0;
1004 }
1005 break;
1006 case WLAN_EID_RSNX:
1007 wpa_hexdump(MSG_DEBUG, "FT: RSNXE", pos, len);
1008 if (len < 1)
1009 break;
1010 parse->rsnxe = pos;
1011 parse->rsnxe_len = len;
1012 break;
1013 case WLAN_EID_MOBILITY_DOMAIN:
1014 wpa_hexdump(MSG_DEBUG, "FT: MDE", pos, len);
1015 if (len < sizeof(struct rsn_mdie))
1016 return -1;
1017 parse->mdie = pos;
1018 parse->mdie_len = len;
1019 break;
1020 case WLAN_EID_FAST_BSS_TRANSITION:
1021 wpa_hexdump(MSG_DEBUG, "FT: FTE", pos, len);
1022 if (use_sha384) {
1023 const struct rsn_ftie_sha384 *ftie_sha384;
1024
1025 if (len < sizeof(*ftie_sha384))
1026 return -1;
1027 ftie_sha384 =
1028 (const struct rsn_ftie_sha384 *) pos;
1029 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control",
1030 ftie_sha384->mic_control, 2);
1031 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC",
1032 ftie_sha384->mic,
1033 sizeof(ftie_sha384->mic));
1034 parse->fte_anonce = ftie_sha384->anonce;
1035 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
1036 ftie_sha384->anonce,
1037 WPA_NONCE_LEN);
1038 parse->fte_snonce = ftie_sha384->snonce;
1039 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
1040 ftie_sha384->snonce,
1041 WPA_NONCE_LEN);
1042 prot_ie_count = ftie_sha384->mic_control[1];
1043 if (wpa_ft_parse_ftie(pos, len, parse, 1) < 0)
1044 return -1;
1045 break;
1046 }
1047
1048 if (len < sizeof(*ftie))
1049 return -1;
1050 ftie = (const struct rsn_ftie *) pos;
1051 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control",
1052 ftie->mic_control, 2);
1053 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC",
1054 ftie->mic, sizeof(ftie->mic));
1055 parse->fte_anonce = ftie->anonce;
1056 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
1057 ftie->anonce, WPA_NONCE_LEN);
1058 parse->fte_snonce = ftie->snonce;
1059 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
1060 ftie->snonce, WPA_NONCE_LEN);
1061 prot_ie_count = ftie->mic_control[1];
1062 if (wpa_ft_parse_ftie(pos, len, parse, 0) < 0)
1063 return -1;
1064 break;
1065 case WLAN_EID_TIMEOUT_INTERVAL:
1066 wpa_hexdump(MSG_DEBUG, "FT: Timeout Interval",
1067 pos, len);
1068 if (len != 5)
1069 break;
1070 parse->tie = pos;
1071 parse->tie_len = len;
1072 break;
1073 case WLAN_EID_RIC_DATA:
1074 if (parse->ric == NULL)
1075 parse->ric = pos - 2;
1076 break;
1077 }
1078
1079 pos += len;
1080 }
1081
1082 if (prot_ie_count == 0)
1083 return 0; /* no MIC */
1084
1085 /*
1086 * Check that the protected IE count matches with IEs included in the
1087 * frame.
1088 */
1089 if (parse->rsn)
1090 prot_ie_count--;
1091 if (parse->mdie)
1092 prot_ie_count--;
1093 if (parse->ftie)
1094 prot_ie_count--;
1095 if (parse->rsnxe)
1096 prot_ie_count--;
1097 if (prot_ie_count < 0) {
1098 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
1099 "the protected IE count");
1100 return -1;
1101 }
1102
1103 if (prot_ie_count == 0 && parse->ric) {
1104 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
1105 "included in protected IE count");
1106 return -1;
1107 }
1108
1109 /* Determine the end of the RIC IE(s) */
1110 if (parse->ric) {
1111 pos = parse->ric;
1112 while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
1113 prot_ie_count) {
1114 prot_ie_count--;
1115 pos += 2 + pos[1];
1116 }
1117 parse->ric_len = pos - parse->ric;
1118 }
1119 if (prot_ie_count) {
1120 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
1121 "frame", (int) prot_ie_count);
1122 return -1;
1123 }
1124
1125 return 0;
1126 }
1127 #endif /* CONFIG_IEEE80211R */
1128
1129
rsn_selector_to_bitfield(const u8 * s)1130 static int rsn_selector_to_bitfield(const u8 *s)
1131 {
1132 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
1133 return WPA_CIPHER_NONE;
1134 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
1135 return WPA_CIPHER_TKIP;
1136 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
1137 return WPA_CIPHER_CCMP;
1138 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
1139 return WPA_CIPHER_AES_128_CMAC;
1140 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
1141 return WPA_CIPHER_GCMP;
1142 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
1143 return WPA_CIPHER_CCMP_256;
1144 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
1145 return WPA_CIPHER_GCMP_256;
1146 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
1147 return WPA_CIPHER_BIP_GMAC_128;
1148 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
1149 return WPA_CIPHER_BIP_GMAC_256;
1150 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
1151 return WPA_CIPHER_BIP_CMAC_256;
1152 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
1153 return WPA_CIPHER_GTK_NOT_USED;
1154 return 0;
1155 }
1156
1157
rsn_key_mgmt_to_bitfield(const u8 * s)1158 static int rsn_key_mgmt_to_bitfield(const u8 *s)
1159 {
1160 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
1161 return WPA_KEY_MGMT_IEEE8021X;
1162 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1163 return WPA_KEY_MGMT_PSK;
1164 #ifdef CONFIG_IEEE80211R
1165 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
1166 return WPA_KEY_MGMT_FT_IEEE8021X;
1167 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
1168 return WPA_KEY_MGMT_FT_PSK;
1169 #ifdef CONFIG_SHA384
1170 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384)
1171 return WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
1172 #endif /* CONFIG_SHA384 */
1173 #endif /* CONFIG_IEEE80211R */
1174 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
1175 return WPA_KEY_MGMT_IEEE8021X_SHA256;
1176 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
1177 return WPA_KEY_MGMT_PSK_SHA256;
1178 #ifdef CONFIG_SAE
1179 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
1180 return WPA_KEY_MGMT_SAE;
1181 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
1182 return WPA_KEY_MGMT_FT_SAE;
1183 #endif /* CONFIG_SAE */
1184 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
1185 return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
1186 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
1187 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
1188 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256)
1189 return WPA_KEY_MGMT_FILS_SHA256;
1190 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384)
1191 return WPA_KEY_MGMT_FILS_SHA384;
1192 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256)
1193 return WPA_KEY_MGMT_FT_FILS_SHA256;
1194 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
1195 return WPA_KEY_MGMT_FT_FILS_SHA384;
1196 #ifdef CONFIG_OWE
1197 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
1198 return WPA_KEY_MGMT_OWE;
1199 #endif /* CONFIG_OWE */
1200 #ifdef CONFIG_DPP
1201 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP)
1202 return WPA_KEY_MGMT_DPP;
1203 #endif /* CONFIG_DPP */
1204 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
1205 return WPA_KEY_MGMT_OSEN;
1206 return 0;
1207 }
1208
1209
wpa_cipher_valid_group(int cipher)1210 int wpa_cipher_valid_group(int cipher)
1211 {
1212 return wpa_cipher_valid_pairwise(cipher) ||
1213 cipher == WPA_CIPHER_GTK_NOT_USED;
1214 }
1215
1216
wpa_cipher_valid_mgmt_group(int cipher)1217 int wpa_cipher_valid_mgmt_group(int cipher)
1218 {
1219 return cipher == WPA_CIPHER_AES_128_CMAC ||
1220 cipher == WPA_CIPHER_BIP_GMAC_128 ||
1221 cipher == WPA_CIPHER_BIP_GMAC_256 ||
1222 cipher == WPA_CIPHER_BIP_CMAC_256;
1223 }
1224
1225
1226 /**
1227 * wpa_parse_wpa_ie_rsn - Parse RSN IE
1228 * @rsn_ie: Buffer containing RSN IE
1229 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
1230 * @data: Pointer to structure that will be filled in with parsed data
1231 * Returns: 0 on success, <0 on failure
1232 */
wpa_parse_wpa_ie_rsn(const u8 * rsn_ie,size_t rsn_ie_len,struct wpa_ie_data * data)1233 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
1234 struct wpa_ie_data *data)
1235 {
1236 const u8 *pos;
1237 int left;
1238 int i, count;
1239
1240 os_memset(data, 0, sizeof(*data));
1241 data->proto = WPA_PROTO_RSN;
1242 data->pairwise_cipher = WPA_CIPHER_CCMP;
1243 data->group_cipher = WPA_CIPHER_CCMP;
1244 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1245 data->capabilities = 0;
1246 data->pmkid = NULL;
1247 data->num_pmkid = 0;
1248 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
1249
1250 if (rsn_ie_len == 0) {
1251 /* No RSN IE - fail silently */
1252 return -1;
1253 }
1254
1255 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
1256 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1257 __func__, (unsigned long) rsn_ie_len);
1258 return -1;
1259 }
1260
1261 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 &&
1262 rsn_ie[1] == rsn_ie_len - 2 &&
1263 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) {
1264 pos = rsn_ie + 6;
1265 left = rsn_ie_len - 6;
1266
1267 data->group_cipher = WPA_CIPHER_GTK_NOT_USED;
1268 data->has_group = 1;
1269 data->key_mgmt = WPA_KEY_MGMT_OSEN;
1270 data->proto = WPA_PROTO_OSEN;
1271 } else {
1272 const struct rsn_ie_hdr *hdr;
1273
1274 hdr = (const struct rsn_ie_hdr *) rsn_ie;
1275
1276 if (hdr->elem_id != WLAN_EID_RSN ||
1277 hdr->len != rsn_ie_len - 2 ||
1278 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
1279 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1280 __func__);
1281 return -2;
1282 }
1283
1284 pos = (const u8 *) (hdr + 1);
1285 left = rsn_ie_len - sizeof(*hdr);
1286 }
1287
1288 if (left >= RSN_SELECTOR_LEN) {
1289 data->group_cipher = rsn_selector_to_bitfield(pos);
1290 data->has_group = 1;
1291 if (!wpa_cipher_valid_group(data->group_cipher)) {
1292 wpa_printf(MSG_DEBUG,
1293 "%s: invalid group cipher 0x%x (%08x)",
1294 __func__, data->group_cipher,
1295 WPA_GET_BE32(pos));
1296 return -1;
1297 }
1298 pos += RSN_SELECTOR_LEN;
1299 left -= RSN_SELECTOR_LEN;
1300 } else if (left > 0) {
1301 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1302 __func__, left);
1303 return -3;
1304 }
1305
1306 if (left >= 2) {
1307 data->pairwise_cipher = 0;
1308 count = WPA_GET_LE16(pos);
1309 pos += 2;
1310 left -= 2;
1311 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1312 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1313 "count %u left %u", __func__, count, left);
1314 return -4;
1315 }
1316 if (count)
1317 data->has_pairwise = 1;
1318 for (i = 0; i < count; i++) {
1319 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
1320 pos += RSN_SELECTOR_LEN;
1321 left -= RSN_SELECTOR_LEN;
1322 }
1323 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
1324 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
1325 "pairwise cipher", __func__);
1326 return -1;
1327 }
1328 } else if (left == 1) {
1329 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1330 __func__);
1331 return -5;
1332 }
1333
1334 if (left >= 2) {
1335 data->key_mgmt = 0;
1336 count = WPA_GET_LE16(pos);
1337 pos += 2;
1338 left -= 2;
1339 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1340 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1341 "count %u left %u", __func__, count, left);
1342 return -6;
1343 }
1344 for (i = 0; i < count; i++) {
1345 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
1346 pos += RSN_SELECTOR_LEN;
1347 left -= RSN_SELECTOR_LEN;
1348 }
1349 } else if (left == 1) {
1350 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1351 __func__);
1352 return -7;
1353 }
1354
1355 if (left >= 2) {
1356 data->capabilities = WPA_GET_LE16(pos);
1357 pos += 2;
1358 left -= 2;
1359 }
1360
1361 if (left >= 2) {
1362 u16 num_pmkid = WPA_GET_LE16(pos);
1363 pos += 2;
1364 left -= 2;
1365 if (num_pmkid > (unsigned int) left / PMKID_LEN) {
1366 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
1367 "(num_pmkid=%u left=%d)",
1368 __func__, num_pmkid, left);
1369 data->num_pmkid = 0;
1370 return -9;
1371 } else {
1372 data->num_pmkid = num_pmkid;
1373 data->pmkid = pos;
1374 pos += data->num_pmkid * PMKID_LEN;
1375 left -= data->num_pmkid * PMKID_LEN;
1376 }
1377 }
1378
1379 if (left >= 4) {
1380 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
1381 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
1382 wpa_printf(MSG_DEBUG,
1383 "%s: Unsupported management group cipher 0x%x (%08x)",
1384 __func__, data->mgmt_group_cipher,
1385 WPA_GET_BE32(pos));
1386 return -10;
1387 }
1388 pos += RSN_SELECTOR_LEN;
1389 left -= RSN_SELECTOR_LEN;
1390 }
1391
1392 if (left > 0) {
1393 wpa_hexdump(MSG_DEBUG,
1394 "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
1395 pos, left);
1396 }
1397
1398 return 0;
1399 }
1400
1401
wpa_selector_to_bitfield(const u8 * s)1402 static int wpa_selector_to_bitfield(const u8 *s)
1403 {
1404 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
1405 return WPA_CIPHER_NONE;
1406 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
1407 return WPA_CIPHER_TKIP;
1408 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
1409 return WPA_CIPHER_CCMP;
1410 return 0;
1411 }
1412
1413
wpa_key_mgmt_to_bitfield(const u8 * s)1414 static int wpa_key_mgmt_to_bitfield(const u8 *s)
1415 {
1416 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
1417 return WPA_KEY_MGMT_IEEE8021X;
1418 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1419 return WPA_KEY_MGMT_PSK;
1420 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
1421 return WPA_KEY_MGMT_WPA_NONE;
1422 return 0;
1423 }
1424
1425
wpa_parse_wpa_ie_wpa(const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ie_data * data)1426 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
1427 struct wpa_ie_data *data)
1428 {
1429 const struct wpa_ie_hdr *hdr;
1430 const u8 *pos;
1431 int left;
1432 int i, count;
1433
1434 os_memset(data, 0, sizeof(*data));
1435 data->proto = WPA_PROTO_WPA;
1436 data->pairwise_cipher = WPA_CIPHER_TKIP;
1437 data->group_cipher = WPA_CIPHER_TKIP;
1438 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1439 data->capabilities = 0;
1440 data->pmkid = NULL;
1441 data->num_pmkid = 0;
1442 data->mgmt_group_cipher = 0;
1443
1444 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
1445 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1446 __func__, (unsigned long) wpa_ie_len);
1447 return -1;
1448 }
1449
1450 hdr = (const struct wpa_ie_hdr *) wpa_ie;
1451
1452 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
1453 hdr->len != wpa_ie_len - 2 ||
1454 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
1455 WPA_GET_LE16(hdr->version) != WPA_VERSION) {
1456 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1457 __func__);
1458 return -2;
1459 }
1460
1461 pos = (const u8 *) (hdr + 1);
1462 left = wpa_ie_len - sizeof(*hdr);
1463
1464 if (left >= WPA_SELECTOR_LEN) {
1465 data->group_cipher = wpa_selector_to_bitfield(pos);
1466 pos += WPA_SELECTOR_LEN;
1467 left -= WPA_SELECTOR_LEN;
1468 } else if (left > 0) {
1469 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1470 __func__, left);
1471 return -3;
1472 }
1473
1474 if (left >= 2) {
1475 data->pairwise_cipher = 0;
1476 count = WPA_GET_LE16(pos);
1477 pos += 2;
1478 left -= 2;
1479 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1480 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1481 "count %u left %u", __func__, count, left);
1482 return -4;
1483 }
1484 for (i = 0; i < count; i++) {
1485 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
1486 pos += WPA_SELECTOR_LEN;
1487 left -= WPA_SELECTOR_LEN;
1488 }
1489 } else if (left == 1) {
1490 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1491 __func__);
1492 return -5;
1493 }
1494
1495 if (left >= 2) {
1496 data->key_mgmt = 0;
1497 count = WPA_GET_LE16(pos);
1498 pos += 2;
1499 left -= 2;
1500 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1501 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1502 "count %u left %u", __func__, count, left);
1503 return -6;
1504 }
1505 for (i = 0; i < count; i++) {
1506 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
1507 pos += WPA_SELECTOR_LEN;
1508 left -= WPA_SELECTOR_LEN;
1509 }
1510 } else if (left == 1) {
1511 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1512 __func__);
1513 return -7;
1514 }
1515
1516 if (left >= 2) {
1517 data->capabilities = WPA_GET_LE16(pos);
1518 pos += 2;
1519 left -= 2;
1520 }
1521
1522 if (left > 0) {
1523 wpa_hexdump(MSG_DEBUG,
1524 "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
1525 pos, left);
1526 }
1527
1528 return 0;
1529 }
1530
1531
wpa_default_rsn_cipher(int freq)1532 int wpa_default_rsn_cipher(int freq)
1533 {
1534 if (freq > 56160)
1535 return WPA_CIPHER_GCMP; /* DMG */
1536
1537 return WPA_CIPHER_CCMP;
1538 }
1539
1540
1541 #ifdef CONFIG_IEEE80211R
1542
1543 /**
1544 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
1545 *
1546 * IEEE Std 802.11r-2008 - 8.5.1.5.3
1547 */
wpa_derive_pmk_r0(const u8 * xxkey,size_t xxkey_len,const u8 * ssid,size_t ssid_len,const u8 * mdid,const u8 * r0kh_id,size_t r0kh_id_len,const u8 * s0kh_id,u8 * pmk_r0,u8 * pmk_r0_name,int use_sha384)1548 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
1549 const u8 *ssid, size_t ssid_len,
1550 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
1551 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name,
1552 int use_sha384)
1553 {
1554 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
1555 FT_R0KH_ID_MAX_LEN + ETH_ALEN];
1556 u8 *pos, r0_key_data[64], hash[48];
1557 const u8 *addr[2];
1558 size_t len[2];
1559 size_t q = use_sha384 ? 48 : 32;
1560 size_t r0_key_data_len = q + 16;
1561
1562 /*
1563 * R0-Key-Data = KDF-384(XXKey, "FT-R0",
1564 * SSIDlength || SSID || MDID || R0KHlength ||
1565 * R0KH-ID || S0KH-ID)
1566 * XXKey is either the second 256 bits of MSK or PSK; or the first
1567 * 384 bits of MSK for FT-EAP-SHA384.
1568 * PMK-R0 = L(R0-Key-Data, 0, Q)
1569 * PMK-R0Name-Salt = L(R0-Key-Data, Q, 128)
1570 * Q = 384 for FT-EAP-SHA384; otherwise, 256
1571 */
1572 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
1573 return -1;
1574 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R0 using KDF-%s",
1575 use_sha384 ? "SHA384" : "SHA256");
1576 wpa_hexdump_key(MSG_DEBUG, "FT: XXKey", xxkey, xxkey_len);
1577 wpa_hexdump_ascii(MSG_DEBUG, "FT: SSID", ssid, ssid_len);
1578 wpa_hexdump(MSG_DEBUG, "FT: MDID", mdid, MOBILITY_DOMAIN_ID_LEN);
1579 wpa_hexdump_ascii(MSG_DEBUG, "FT: R0KH-ID", r0kh_id, r0kh_id_len);
1580 wpa_printf(MSG_DEBUG, "FT: S0KH-ID: " MACSTR, MAC2STR(s0kh_id));
1581 pos = buf;
1582 *pos++ = ssid_len;
1583 os_memcpy(pos, ssid, ssid_len);
1584 pos += ssid_len;
1585 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
1586 pos += MOBILITY_DOMAIN_ID_LEN;
1587 *pos++ = r0kh_id_len;
1588 os_memcpy(pos, r0kh_id, r0kh_id_len);
1589 pos += r0kh_id_len;
1590 os_memcpy(pos, s0kh_id, ETH_ALEN);
1591 pos += ETH_ALEN;
1592
1593 #ifdef CONFIG_SHA384
1594 if (use_sha384) {
1595 if (xxkey_len != SHA384_MAC_LEN) {
1596 wpa_printf(MSG_ERROR,
1597 "FT: Unexpected XXKey length %d (expected %d)",
1598 (int) xxkey_len, SHA384_MAC_LEN);
1599 return -1;
1600 }
1601 if (sha384_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1602 r0_key_data, r0_key_data_len) < 0)
1603 return -1;
1604 }
1605 #endif /* CONFIG_SHA384 */
1606 if (!use_sha384) {
1607 if (xxkey_len != PMK_LEN) {
1608 wpa_printf(MSG_ERROR,
1609 "FT: Unexpected XXKey length %d (expected %d)",
1610 (int) xxkey_len, PMK_LEN);
1611 return -1;
1612 }
1613 if (sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1614 r0_key_data, r0_key_data_len) < 0)
1615 return -1;
1616 }
1617 os_memcpy(pmk_r0, r0_key_data, q);
1618 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, q);
1619 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0Name-Salt", &r0_key_data[q], 16);
1620
1621 /*
1622 * PMKR0Name = Truncate-128(Hash("FT-R0N" || PMK-R0Name-Salt)
1623 */
1624 addr[0] = (const u8 *) "FT-R0N";
1625 len[0] = 6;
1626 addr[1] = &r0_key_data[q];
1627 len[1] = 16;
1628
1629 #ifdef CONFIG_SHA384
1630 if (use_sha384 && sha384_vector(2, addr, len, hash) < 0)
1631 return -1;
1632 #endif /* CONFIG_SHA384 */
1633 if (!use_sha384 && sha256_vector(2, addr, len, hash) < 0)
1634 return -1;
1635 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
1636 os_memset(r0_key_data, 0, sizeof(r0_key_data));
1637 return 0;
1638 }
1639
1640
1641 /**
1642 * wpa_derive_pmk_r1_name - Derive PMKR1Name
1643 *
1644 * IEEE Std 802.11r-2008 - 8.5.1.5.4
1645 */
wpa_derive_pmk_r1_name(const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1_name,int use_sha384)1646 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
1647 const u8 *s1kh_id, u8 *pmk_r1_name, int use_sha384)
1648 {
1649 u8 hash[48];
1650 const u8 *addr[4];
1651 size_t len[4];
1652
1653 /*
1654 * PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name ||
1655 * R1KH-ID || S1KH-ID))
1656 */
1657 addr[0] = (const u8 *) "FT-R1N";
1658 len[0] = 6;
1659 addr[1] = pmk_r0_name;
1660 len[1] = WPA_PMK_NAME_LEN;
1661 addr[2] = r1kh_id;
1662 len[2] = FT_R1KH_ID_LEN;
1663 addr[3] = s1kh_id;
1664 len[3] = ETH_ALEN;
1665
1666 #ifdef CONFIG_SHA384
1667 if (use_sha384 && sha384_vector(4, addr, len, hash) < 0)
1668 return -1;
1669 #endif /* CONFIG_SHA384 */
1670 if (!use_sha384 && sha256_vector(4, addr, len, hash) < 0)
1671 return -1;
1672 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
1673 return 0;
1674 }
1675
1676
1677 /**
1678 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
1679 *
1680 * IEEE Std 802.11r-2008 - 8.5.1.5.4
1681 */
wpa_derive_pmk_r1(const u8 * pmk_r0,size_t pmk_r0_len,const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1,u8 * pmk_r1_name)1682 int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
1683 const u8 *pmk_r0_name,
1684 const u8 *r1kh_id, const u8 *s1kh_id,
1685 u8 *pmk_r1, u8 *pmk_r1_name)
1686 {
1687 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
1688 u8 *pos;
1689
1690 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
1691 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R1 using KDF-%s",
1692 pmk_r0_len == SHA384_MAC_LEN ? "SHA384" : "SHA256");
1693 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, pmk_r0_len);
1694 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", r1kh_id, FT_R1KH_ID_LEN);
1695 wpa_printf(MSG_DEBUG, "FT: S1KH-ID: " MACSTR, MAC2STR(s1kh_id));
1696 pos = buf;
1697 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
1698 pos += FT_R1KH_ID_LEN;
1699 os_memcpy(pos, s1kh_id, ETH_ALEN);
1700 pos += ETH_ALEN;
1701
1702 #ifdef CONFIG_SHA384
1703 if (pmk_r0_len == SHA384_MAC_LEN &&
1704 sha384_prf(pmk_r0, pmk_r0_len, "FT-R1",
1705 buf, pos - buf, pmk_r1, pmk_r0_len) < 0)
1706 return -1;
1707 #endif /* CONFIG_SHA384 */
1708 if (pmk_r0_len == PMK_LEN &&
1709 sha256_prf(pmk_r0, pmk_r0_len, "FT-R1",
1710 buf, pos - buf, pmk_r1, pmk_r0_len) < 0)
1711 return -1;
1712 if (pmk_r0_len != SHA384_MAC_LEN && pmk_r0_len != PMK_LEN) {
1713 wpa_printf(MSG_ERROR, "FT: Unexpected PMK-R0 length %d",
1714 (int) pmk_r0_len);
1715 return -1;
1716 }
1717 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len);
1718
1719 return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
1720 pmk_r1_name,
1721 pmk_r0_len == SHA384_MAC_LEN);
1722 }
1723
1724
1725 /**
1726 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
1727 *
1728 * IEEE Std 802.11r-2008 - 8.5.1.5.5
1729 */
wpa_pmk_r1_to_ptk(const u8 * pmk_r1,size_t pmk_r1_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * pmk_r1_name,struct wpa_ptk * ptk,u8 * ptk_name,int akmp,int cipher)1730 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len,
1731 const u8 *snonce, const u8 *anonce,
1732 const u8 *sta_addr, const u8 *bssid,
1733 const u8 *pmk_r1_name,
1734 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher)
1735 {
1736 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
1737 u8 *pos, hash[32];
1738 const u8 *addr[6];
1739 size_t len[6];
1740 u8 tmp[2 * WPA_KCK_MAX_LEN + 2 * WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
1741 size_t ptk_len, offset;
1742 int use_sha384 = wpa_key_mgmt_sha384(akmp);
1743
1744 /*
1745 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
1746 * BSSID || STA-ADDR)
1747 */
1748 wpa_printf(MSG_DEBUG, "FT: Derive PTK using KDF-%s",
1749 use_sha384 ? "SHA384" : "SHA256");
1750 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r1_len);
1751 wpa_hexdump(MSG_DEBUG, "FT: SNonce", snonce, WPA_NONCE_LEN);
1752 wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN);
1753 wpa_printf(MSG_DEBUG, "FT: BSSID=" MACSTR " STA-ADDR=" MACSTR,
1754 MAC2STR(bssid), MAC2STR(sta_addr));
1755 pos = buf;
1756 os_memcpy(pos, snonce, WPA_NONCE_LEN);
1757 pos += WPA_NONCE_LEN;
1758 os_memcpy(pos, anonce, WPA_NONCE_LEN);
1759 pos += WPA_NONCE_LEN;
1760 os_memcpy(pos, bssid, ETH_ALEN);
1761 pos += ETH_ALEN;
1762 os_memcpy(pos, sta_addr, ETH_ALEN);
1763 pos += ETH_ALEN;
1764
1765 ptk->kck_len = wpa_kck_len(akmp, PMK_LEN);
1766 ptk->kck2_len = wpa_kck2_len(akmp);
1767 ptk->kek_len = wpa_kek_len(akmp, PMK_LEN);
1768 ptk->kek2_len = wpa_kek2_len(akmp);
1769 ptk->tk_len = wpa_cipher_key_len(cipher);
1770 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len +
1771 ptk->kck2_len + ptk->kek2_len;
1772
1773 #ifdef CONFIG_SHA384
1774 if (use_sha384) {
1775 if (pmk_r1_len != SHA384_MAC_LEN) {
1776 wpa_printf(MSG_ERROR,
1777 "FT: Unexpected PMK-R1 length %d (expected %d)",
1778 (int) pmk_r1_len, SHA384_MAC_LEN);
1779 return -1;
1780 }
1781 if (sha384_prf(pmk_r1, pmk_r1_len, "FT-PTK",
1782 buf, pos - buf, tmp, ptk_len) < 0)
1783 return -1;
1784 }
1785 #endif /* CONFIG_SHA384 */
1786 if (!use_sha384) {
1787 if (pmk_r1_len != PMK_LEN) {
1788 wpa_printf(MSG_ERROR,
1789 "FT: Unexpected PMK-R1 length %d (expected %d)",
1790 (int) pmk_r1_len, PMK_LEN);
1791 return -1;
1792 }
1793 if (sha256_prf(pmk_r1, pmk_r1_len, "FT-PTK",
1794 buf, pos - buf, tmp, ptk_len) < 0)
1795 return -1;
1796 }
1797 wpa_hexdump_key(MSG_DEBUG, "FT: PTK", tmp, ptk_len);
1798
1799 /*
1800 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
1801 * ANonce || BSSID || STA-ADDR))
1802 */
1803 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
1804 addr[0] = pmk_r1_name;
1805 len[0] = WPA_PMK_NAME_LEN;
1806 addr[1] = (const u8 *) "FT-PTKN";
1807 len[1] = 7;
1808 addr[2] = snonce;
1809 len[2] = WPA_NONCE_LEN;
1810 addr[3] = anonce;
1811 len[3] = WPA_NONCE_LEN;
1812 addr[4] = bssid;
1813 len[4] = ETH_ALEN;
1814 addr[5] = sta_addr;
1815 len[5] = ETH_ALEN;
1816
1817 if (sha256_vector(6, addr, len, hash) < 0)
1818 return -1;
1819 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
1820
1821 os_memcpy(ptk->kck, tmp, ptk->kck_len);
1822 offset = ptk->kck_len;
1823 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
1824 offset += ptk->kek_len;
1825 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
1826 offset += ptk->tk_len;
1827 os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len);
1828 offset += ptk->kck2_len;
1829 os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len);
1830
1831 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
1832 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
1833 if (ptk->kck2_len)
1834 wpa_hexdump_key(MSG_DEBUG, "FT: KCK2",
1835 ptk->kck2, ptk->kck2_len);
1836 if (ptk->kek2_len)
1837 wpa_hexdump_key(MSG_DEBUG, "FT: KEK2",
1838 ptk->kek2, ptk->kek2_len);
1839 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
1840 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
1841
1842 os_memset(tmp, 0, sizeof(tmp));
1843
1844 return 0;
1845 }
1846
1847 #endif /* CONFIG_IEEE80211R */
1848
1849
1850 /**
1851 * rsn_pmkid - Calculate PMK identifier
1852 * @pmk: Pairwise master key
1853 * @pmk_len: Length of pmk in bytes
1854 * @aa: Authenticator address
1855 * @spa: Supplicant address
1856 * @pmkid: Buffer for PMKID
1857 * @akmp: Negotiated key management protocol
1858 *
1859 * IEEE Std 802.11-2016 - 12.7.1.3 Pairwise key hierarchy
1860 * AKM: 00-0F-AC:5, 00-0F-AC:6, 00-0F-AC:14, 00-0F-AC:16
1861 * PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA))
1862 * AKM: 00-0F-AC:11
1863 * See rsn_pmkid_suite_b()
1864 * AKM: 00-0F-AC:12
1865 * See rsn_pmkid_suite_b_192()
1866 * AKM: 00-0F-AC:13, 00-0F-AC:15, 00-0F-AC:17
1867 * PMKID = Truncate-128(HMAC-SHA-384(PMK, "PMK Name" || AA || SPA))
1868 * Otherwise:
1869 * PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))
1870 */
rsn_pmkid(const u8 * pmk,size_t pmk_len,const u8 * aa,const u8 * spa,u8 * pmkid,int akmp)1871 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
1872 u8 *pmkid, int akmp)
1873 {
1874 char *title = "PMK Name";
1875 const u8 *addr[3];
1876 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1877 unsigned char hash[SHA384_MAC_LEN];
1878
1879 addr[0] = (u8 *) title;
1880 addr[1] = aa;
1881 addr[2] = spa;
1882
1883 if (0) {
1884 #if defined(CONFIG_FILS) || defined(CONFIG_SHA384)
1885 } else if (wpa_key_mgmt_sha384(akmp)) {
1886 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-384");
1887 hmac_sha384_vector(pmk, pmk_len, 3, addr, len, hash);
1888 #endif /* CONFIG_FILS || CONFIG_SHA384 */
1889 } else if (wpa_key_mgmt_sha256(akmp)) {
1890 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-256");
1891 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
1892 } else {
1893 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-1");
1894 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
1895 }
1896 wpa_hexdump(MSG_DEBUG, "RSN: Derived PMKID", hash, PMKID_LEN);
1897 os_memcpy(pmkid, hash, PMKID_LEN);
1898 }
1899
1900
1901 #ifdef CONFIG_SUITEB
1902 /**
1903 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
1904 * @kck: Key confirmation key
1905 * @kck_len: Length of kck in bytes
1906 * @aa: Authenticator address
1907 * @spa: Supplicant address
1908 * @pmkid: Buffer for PMKID
1909 * Returns: 0 on success, -1 on failure
1910 *
1911 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1912 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
1913 */
rsn_pmkid_suite_b(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)1914 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
1915 const u8 *spa, u8 *pmkid)
1916 {
1917 char *title = "PMK Name";
1918 const u8 *addr[3];
1919 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1920 unsigned char hash[SHA256_MAC_LEN];
1921
1922 addr[0] = (u8 *) title;
1923 addr[1] = aa;
1924 addr[2] = spa;
1925
1926 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
1927 return -1;
1928 os_memcpy(pmkid, hash, PMKID_LEN);
1929 return 0;
1930 }
1931 #endif /* CONFIG_SUITEB */
1932
1933
1934 #ifdef CONFIG_SUITEB192
1935 /**
1936 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
1937 * @kck: Key confirmation key
1938 * @kck_len: Length of kck in bytes
1939 * @aa: Authenticator address
1940 * @spa: Supplicant address
1941 * @pmkid: Buffer for PMKID
1942 * Returns: 0 on success, -1 on failure
1943 *
1944 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1945 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
1946 */
rsn_pmkid_suite_b_192(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)1947 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
1948 const u8 *spa, u8 *pmkid)
1949 {
1950 char *title = "PMK Name";
1951 const u8 *addr[3];
1952 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1953 unsigned char hash[SHA384_MAC_LEN];
1954
1955 addr[0] = (u8 *) title;
1956 addr[1] = aa;
1957 addr[2] = spa;
1958
1959 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
1960 return -1;
1961 os_memcpy(pmkid, hash, PMKID_LEN);
1962 return 0;
1963 }
1964 #endif /* CONFIG_SUITEB192 */
1965
1966
1967 /**
1968 * wpa_cipher_txt - Convert cipher suite to a text string
1969 * @cipher: Cipher suite (WPA_CIPHER_* enum)
1970 * Returns: Pointer to a text string of the cipher suite name
1971 */
wpa_cipher_txt(int cipher)1972 const char * wpa_cipher_txt(int cipher)
1973 {
1974 switch (cipher) {
1975 case WPA_CIPHER_NONE:
1976 return "NONE";
1977 #ifdef CONFIG_WEP
1978 case WPA_CIPHER_WEP40:
1979 return "WEP-40";
1980 case WPA_CIPHER_WEP104:
1981 return "WEP-104";
1982 #endif /* CONFIG_WEP */
1983 case WPA_CIPHER_TKIP:
1984 return "TKIP";
1985 case WPA_CIPHER_CCMP:
1986 return "CCMP";
1987 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
1988 return "CCMP+TKIP";
1989 case WPA_CIPHER_GCMP:
1990 return "GCMP";
1991 case WPA_CIPHER_GCMP_256:
1992 return "GCMP-256";
1993 case WPA_CIPHER_CCMP_256:
1994 return "CCMP-256";
1995 case WPA_CIPHER_AES_128_CMAC:
1996 return "BIP";
1997 case WPA_CIPHER_BIP_GMAC_128:
1998 return "BIP-GMAC-128";
1999 case WPA_CIPHER_BIP_GMAC_256:
2000 return "BIP-GMAC-256";
2001 case WPA_CIPHER_BIP_CMAC_256:
2002 return "BIP-CMAC-256";
2003 case WPA_CIPHER_GTK_NOT_USED:
2004 return "GTK_NOT_USED";
2005 default:
2006 return "UNKNOWN";
2007 }
2008 }
2009
2010
2011 /**
2012 * wpa_key_mgmt_txt - Convert key management suite to a text string
2013 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
2014 * @proto: WPA/WPA2 version (WPA_PROTO_*)
2015 * Returns: Pointer to a text string of the key management suite name
2016 */
wpa_key_mgmt_txt(int key_mgmt,int proto)2017 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
2018 {
2019 switch (key_mgmt) {
2020 case WPA_KEY_MGMT_IEEE8021X:
2021 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2022 return "WPA2+WPA/IEEE 802.1X/EAP";
2023 return proto == WPA_PROTO_RSN ?
2024 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
2025 case WPA_KEY_MGMT_PSK:
2026 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2027 return "WPA2-PSK+WPA-PSK";
2028 return proto == WPA_PROTO_RSN ?
2029 "WPA2-PSK" : "WPA-PSK";
2030 case WPA_KEY_MGMT_NONE:
2031 return "NONE";
2032 case WPA_KEY_MGMT_WPA_NONE:
2033 return "WPA-NONE";
2034 case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
2035 return "IEEE 802.1X (no WPA)";
2036 #ifdef CONFIG_IEEE80211R
2037 case WPA_KEY_MGMT_FT_IEEE8021X:
2038 return "FT-EAP";
2039 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2040 return "FT-EAP-SHA384";
2041 case WPA_KEY_MGMT_FT_PSK:
2042 return "FT-PSK";
2043 #endif /* CONFIG_IEEE80211R */
2044 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2045 return "WPA2-EAP-SHA256";
2046 case WPA_KEY_MGMT_PSK_SHA256:
2047 return "WPA2-PSK-SHA256";
2048 case WPA_KEY_MGMT_WPS:
2049 return "WPS";
2050 case WPA_KEY_MGMT_SAE:
2051 return "SAE";
2052 case WPA_KEY_MGMT_FT_SAE:
2053 return "FT-SAE";
2054 case WPA_KEY_MGMT_OSEN:
2055 return "OSEN";
2056 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2057 return "WPA2-EAP-SUITE-B";
2058 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2059 return "WPA2-EAP-SUITE-B-192";
2060 case WPA_KEY_MGMT_FILS_SHA256:
2061 return "FILS-SHA256";
2062 case WPA_KEY_MGMT_FILS_SHA384:
2063 return "FILS-SHA384";
2064 case WPA_KEY_MGMT_FT_FILS_SHA256:
2065 return "FT-FILS-SHA256";
2066 case WPA_KEY_MGMT_FT_FILS_SHA384:
2067 return "FT-FILS-SHA384";
2068 case WPA_KEY_MGMT_OWE:
2069 return "OWE";
2070 case WPA_KEY_MGMT_DPP:
2071 return "DPP";
2072 default:
2073 return "UNKNOWN";
2074 }
2075 }
2076
2077
wpa_akm_to_suite(int akm)2078 u32 wpa_akm_to_suite(int akm)
2079 {
2080 if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
2081 return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384;
2082 if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
2083 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2084 if (akm & WPA_KEY_MGMT_FT_PSK)
2085 return RSN_AUTH_KEY_MGMT_FT_PSK;
2086 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
2087 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2088 if (akm & WPA_KEY_MGMT_IEEE8021X)
2089 return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
2090 if (akm & WPA_KEY_MGMT_PSK_SHA256)
2091 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2092 if (akm & WPA_KEY_MGMT_PSK)
2093 return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
2094 if (akm & WPA_KEY_MGMT_CCKM)
2095 return RSN_AUTH_KEY_MGMT_CCKM;
2096 if (akm & WPA_KEY_MGMT_OSEN)
2097 return RSN_AUTH_KEY_MGMT_OSEN;
2098 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
2099 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2100 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
2101 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2102 if (akm & WPA_KEY_MGMT_FILS_SHA256)
2103 return RSN_AUTH_KEY_MGMT_FILS_SHA256;
2104 if (akm & WPA_KEY_MGMT_FILS_SHA384)
2105 return RSN_AUTH_KEY_MGMT_FILS_SHA384;
2106 if (akm & WPA_KEY_MGMT_FT_FILS_SHA256)
2107 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
2108 if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
2109 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
2110 if (akm & WPA_KEY_MGMT_SAE)
2111 return RSN_AUTH_KEY_MGMT_SAE;
2112 if (akm & WPA_KEY_MGMT_FT_SAE)
2113 return RSN_AUTH_KEY_MGMT_FT_SAE;
2114 if (akm & WPA_KEY_MGMT_OWE)
2115 return RSN_AUTH_KEY_MGMT_OWE;
2116 if (akm & WPA_KEY_MGMT_DPP)
2117 return RSN_AUTH_KEY_MGMT_DPP;
2118 return 0;
2119 }
2120
2121
wpa_compare_rsn_ie(int ft_initial_assoc,const u8 * ie1,size_t ie1len,const u8 * ie2,size_t ie2len)2122 int wpa_compare_rsn_ie(int ft_initial_assoc,
2123 const u8 *ie1, size_t ie1len,
2124 const u8 *ie2, size_t ie2len)
2125 {
2126 if (ie1 == NULL || ie2 == NULL)
2127 return -1;
2128
2129 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
2130 return 0; /* identical IEs */
2131
2132 #ifdef CONFIG_IEEE80211R
2133 if (ft_initial_assoc) {
2134 struct wpa_ie_data ie1d, ie2d;
2135 /*
2136 * The PMKID-List in RSN IE is different between Beacon/Probe
2137 * Response/(Re)Association Request frames and EAPOL-Key
2138 * messages in FT initial mobility domain association. Allow
2139 * for this, but verify that other parts of the RSN IEs are
2140 * identical.
2141 */
2142 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
2143 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
2144 return -1;
2145 if (ie1d.proto == ie2d.proto &&
2146 ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
2147 ie1d.group_cipher == ie2d.group_cipher &&
2148 ie1d.key_mgmt == ie2d.key_mgmt &&
2149 ie1d.capabilities == ie2d.capabilities &&
2150 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
2151 return 0;
2152 }
2153 #endif /* CONFIG_IEEE80211R */
2154
2155 return -1;
2156 }
2157
2158
wpa_insert_pmkid(u8 * ies,size_t * ies_len,const u8 * pmkid)2159 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
2160 {
2161 u8 *start, *end, *rpos, *rend;
2162 int added = 0;
2163
2164 start = ies;
2165 end = ies + *ies_len;
2166
2167 while (start < end) {
2168 if (*start == WLAN_EID_RSN)
2169 break;
2170 start += 2 + start[1];
2171 }
2172 if (start >= end) {
2173 wpa_printf(MSG_ERROR, "RSN: Could not find RSNE in IEs data");
2174 return -1;
2175 }
2176 wpa_hexdump(MSG_DEBUG, "RSN: RSNE before modification",
2177 start, 2 + start[1]);
2178
2179 /* Find start of PMKID-Count */
2180 rpos = start + 2;
2181 rend = rpos + start[1];
2182
2183 /* Skip Version and Group Data Cipher Suite */
2184 rpos += 2 + 4;
2185 /* Skip Pairwise Cipher Suite Count and List */
2186 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2187 /* Skip AKM Suite Count and List */
2188 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2189
2190 if (rpos == rend) {
2191 /* Add RSN Capabilities */
2192 os_memmove(rpos + 2, rpos, end - rpos);
2193 *rpos++ = 0;
2194 *rpos++ = 0;
2195 added += 2;
2196 start[1] += 2;
2197 rend = rpos;
2198 } else {
2199 /* Skip RSN Capabilities */
2200 rpos += 2;
2201 if (rpos > rend) {
2202 wpa_printf(MSG_ERROR,
2203 "RSN: Could not parse RSNE in IEs data");
2204 return -1;
2205 }
2206 }
2207
2208 if (rpos == rend) {
2209 /* No PMKID-Count field included; add it */
2210 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
2211 WPA_PUT_LE16(rpos, 1);
2212 rpos += 2;
2213 os_memcpy(rpos, pmkid, PMKID_LEN);
2214 added += 2 + PMKID_LEN;
2215 start[1] += 2 + PMKID_LEN;
2216 } else {
2217 u16 num_pmkid;
2218
2219 if (rend - rpos < 2)
2220 return -1;
2221 num_pmkid = WPA_GET_LE16(rpos);
2222 /* PMKID-Count was included; use it */
2223 if (num_pmkid != 0) {
2224 u8 *after;
2225
2226 if (num_pmkid * PMKID_LEN > rend - rpos - 2)
2227 return -1;
2228 /*
2229 * PMKID may have been included in RSN IE in
2230 * (Re)Association Request frame, so remove the old
2231 * PMKID(s) first before adding the new one.
2232 */
2233 wpa_printf(MSG_DEBUG,
2234 "RSN: Remove %u old PMKID(s) from RSNE",
2235 num_pmkid);
2236 after = rpos + 2 + num_pmkid * PMKID_LEN;
2237 os_memmove(rpos + 2, after, end - after);
2238 start[1] -= num_pmkid * PMKID_LEN;
2239 added -= num_pmkid * PMKID_LEN;
2240 }
2241 WPA_PUT_LE16(rpos, 1);
2242 rpos += 2;
2243 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
2244 os_memcpy(rpos, pmkid, PMKID_LEN);
2245 added += PMKID_LEN;
2246 start[1] += PMKID_LEN;
2247 }
2248
2249 wpa_hexdump(MSG_DEBUG, "RSN: RSNE after modification (PMKID inserted)",
2250 start, 2 + start[1]);
2251
2252 *ies_len += added;
2253
2254 return 0;
2255 }
2256
2257
wpa_cipher_key_len(int cipher)2258 int wpa_cipher_key_len(int cipher)
2259 {
2260 switch (cipher) {
2261 case WPA_CIPHER_CCMP_256:
2262 case WPA_CIPHER_GCMP_256:
2263 case WPA_CIPHER_BIP_GMAC_256:
2264 case WPA_CIPHER_BIP_CMAC_256:
2265 return 32;
2266 case WPA_CIPHER_CCMP:
2267 case WPA_CIPHER_GCMP:
2268 case WPA_CIPHER_AES_128_CMAC:
2269 case WPA_CIPHER_BIP_GMAC_128:
2270 return 16;
2271 case WPA_CIPHER_TKIP:
2272 return 32;
2273 }
2274
2275 return 0;
2276 }
2277
2278
wpa_cipher_rsc_len(int cipher)2279 int wpa_cipher_rsc_len(int cipher)
2280 {
2281 switch (cipher) {
2282 case WPA_CIPHER_CCMP_256:
2283 case WPA_CIPHER_GCMP_256:
2284 case WPA_CIPHER_CCMP:
2285 case WPA_CIPHER_GCMP:
2286 case WPA_CIPHER_TKIP:
2287 return 6;
2288 }
2289
2290 return 0;
2291 }
2292
2293
wpa_cipher_to_alg(int cipher)2294 enum wpa_alg wpa_cipher_to_alg(int cipher)
2295 {
2296 switch (cipher) {
2297 case WPA_CIPHER_CCMP_256:
2298 return WPA_ALG_CCMP_256;
2299 case WPA_CIPHER_GCMP_256:
2300 return WPA_ALG_GCMP_256;
2301 case WPA_CIPHER_CCMP:
2302 return WPA_ALG_CCMP;
2303 case WPA_CIPHER_GCMP:
2304 return WPA_ALG_GCMP;
2305 case WPA_CIPHER_TKIP:
2306 return WPA_ALG_TKIP;
2307 case WPA_CIPHER_AES_128_CMAC:
2308 return WPA_ALG_BIP_CMAC_128;
2309 case WPA_CIPHER_BIP_GMAC_128:
2310 return WPA_ALG_BIP_GMAC_128;
2311 case WPA_CIPHER_BIP_GMAC_256:
2312 return WPA_ALG_BIP_GMAC_256;
2313 case WPA_CIPHER_BIP_CMAC_256:
2314 return WPA_ALG_BIP_CMAC_256;
2315 }
2316 return WPA_ALG_NONE;
2317 }
2318
2319
wpa_cipher_valid_pairwise(int cipher)2320 int wpa_cipher_valid_pairwise(int cipher)
2321 {
2322 #ifdef CONFIG_NO_TKIP
2323 return cipher == WPA_CIPHER_CCMP_256 ||
2324 cipher == WPA_CIPHER_GCMP_256 ||
2325 cipher == WPA_CIPHER_CCMP ||
2326 cipher == WPA_CIPHER_GCMP;
2327 #else /* CONFIG_NO_TKIP */
2328 return cipher == WPA_CIPHER_CCMP_256 ||
2329 cipher == WPA_CIPHER_GCMP_256 ||
2330 cipher == WPA_CIPHER_CCMP ||
2331 cipher == WPA_CIPHER_GCMP ||
2332 cipher == WPA_CIPHER_TKIP;
2333 #endif /* CONFIG_NO_TKIP */
2334 }
2335
2336
wpa_cipher_to_suite(int proto,int cipher)2337 u32 wpa_cipher_to_suite(int proto, int cipher)
2338 {
2339 if (cipher & WPA_CIPHER_CCMP_256)
2340 return RSN_CIPHER_SUITE_CCMP_256;
2341 if (cipher & WPA_CIPHER_GCMP_256)
2342 return RSN_CIPHER_SUITE_GCMP_256;
2343 if (cipher & WPA_CIPHER_CCMP)
2344 return (proto == WPA_PROTO_RSN ?
2345 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
2346 if (cipher & WPA_CIPHER_GCMP)
2347 return RSN_CIPHER_SUITE_GCMP;
2348 if (cipher & WPA_CIPHER_TKIP)
2349 return (proto == WPA_PROTO_RSN ?
2350 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
2351 if (cipher & WPA_CIPHER_NONE)
2352 return (proto == WPA_PROTO_RSN ?
2353 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
2354 if (cipher & WPA_CIPHER_GTK_NOT_USED)
2355 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
2356 if (cipher & WPA_CIPHER_AES_128_CMAC)
2357 return RSN_CIPHER_SUITE_AES_128_CMAC;
2358 if (cipher & WPA_CIPHER_BIP_GMAC_128)
2359 return RSN_CIPHER_SUITE_BIP_GMAC_128;
2360 if (cipher & WPA_CIPHER_BIP_GMAC_256)
2361 return RSN_CIPHER_SUITE_BIP_GMAC_256;
2362 if (cipher & WPA_CIPHER_BIP_CMAC_256)
2363 return RSN_CIPHER_SUITE_BIP_CMAC_256;
2364 return 0;
2365 }
2366
2367
rsn_cipher_put_suites(u8 * start,int ciphers)2368 int rsn_cipher_put_suites(u8 *start, int ciphers)
2369 {
2370 u8 *pos = start;
2371
2372 if (ciphers & WPA_CIPHER_CCMP_256) {
2373 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
2374 pos += RSN_SELECTOR_LEN;
2375 }
2376 if (ciphers & WPA_CIPHER_GCMP_256) {
2377 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
2378 pos += RSN_SELECTOR_LEN;
2379 }
2380 if (ciphers & WPA_CIPHER_CCMP) {
2381 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2382 pos += RSN_SELECTOR_LEN;
2383 }
2384 if (ciphers & WPA_CIPHER_GCMP) {
2385 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
2386 pos += RSN_SELECTOR_LEN;
2387 }
2388 if (ciphers & WPA_CIPHER_TKIP) {
2389 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
2390 pos += RSN_SELECTOR_LEN;
2391 }
2392 if (ciphers & WPA_CIPHER_NONE) {
2393 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
2394 pos += RSN_SELECTOR_LEN;
2395 }
2396
2397 return (pos - start) / RSN_SELECTOR_LEN;
2398 }
2399
2400
wpa_cipher_put_suites(u8 * start,int ciphers)2401 int wpa_cipher_put_suites(u8 *start, int ciphers)
2402 {
2403 u8 *pos = start;
2404
2405 if (ciphers & WPA_CIPHER_CCMP) {
2406 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
2407 pos += WPA_SELECTOR_LEN;
2408 }
2409 if (ciphers & WPA_CIPHER_TKIP) {
2410 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
2411 pos += WPA_SELECTOR_LEN;
2412 }
2413 if (ciphers & WPA_CIPHER_NONE) {
2414 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
2415 pos += WPA_SELECTOR_LEN;
2416 }
2417
2418 return (pos - start) / RSN_SELECTOR_LEN;
2419 }
2420
2421
wpa_pick_pairwise_cipher(int ciphers,int none_allowed)2422 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
2423 {
2424 if (ciphers & WPA_CIPHER_CCMP_256)
2425 return WPA_CIPHER_CCMP_256;
2426 if (ciphers & WPA_CIPHER_GCMP_256)
2427 return WPA_CIPHER_GCMP_256;
2428 if (ciphers & WPA_CIPHER_CCMP)
2429 return WPA_CIPHER_CCMP;
2430 if (ciphers & WPA_CIPHER_GCMP)
2431 return WPA_CIPHER_GCMP;
2432 if (ciphers & WPA_CIPHER_TKIP)
2433 return WPA_CIPHER_TKIP;
2434 if (none_allowed && (ciphers & WPA_CIPHER_NONE))
2435 return WPA_CIPHER_NONE;
2436 return -1;
2437 }
2438
2439
wpa_pick_group_cipher(int ciphers)2440 int wpa_pick_group_cipher(int ciphers)
2441 {
2442 if (ciphers & WPA_CIPHER_CCMP_256)
2443 return WPA_CIPHER_CCMP_256;
2444 if (ciphers & WPA_CIPHER_GCMP_256)
2445 return WPA_CIPHER_GCMP_256;
2446 if (ciphers & WPA_CIPHER_CCMP)
2447 return WPA_CIPHER_CCMP;
2448 if (ciphers & WPA_CIPHER_GCMP)
2449 return WPA_CIPHER_GCMP;
2450 if (ciphers & WPA_CIPHER_GTK_NOT_USED)
2451 return WPA_CIPHER_GTK_NOT_USED;
2452 if (ciphers & WPA_CIPHER_TKIP)
2453 return WPA_CIPHER_TKIP;
2454 return -1;
2455 }
2456
2457
wpa_parse_cipher(const char * value)2458 int wpa_parse_cipher(const char *value)
2459 {
2460 int val = 0, last;
2461 char *start, *end, *buf;
2462
2463 buf = os_strdup(value);
2464 if (buf == NULL)
2465 return -1;
2466 start = buf;
2467
2468 while (*start != '\0') {
2469 while (*start == ' ' || *start == '\t')
2470 start++;
2471 if (*start == '\0')
2472 break;
2473 end = start;
2474 while (*end != ' ' && *end != '\t' && *end != '\0')
2475 end++;
2476 last = *end == '\0';
2477 *end = '\0';
2478 if (os_strcmp(start, "CCMP-256") == 0)
2479 val |= WPA_CIPHER_CCMP_256;
2480 else if (os_strcmp(start, "GCMP-256") == 0)
2481 val |= WPA_CIPHER_GCMP_256;
2482 else if (os_strcmp(start, "CCMP") == 0)
2483 val |= WPA_CIPHER_CCMP;
2484 else if (os_strcmp(start, "GCMP") == 0)
2485 val |= WPA_CIPHER_GCMP;
2486 #ifndef CONFIG_NO_TKIP
2487 else if (os_strcmp(start, "TKIP") == 0)
2488 val |= WPA_CIPHER_TKIP;
2489 #endif /* CONFIG_NO_TKIP */
2490 #ifdef CONFIG_WEP
2491 else if (os_strcmp(start, "WEP104") == 0)
2492 val |= WPA_CIPHER_WEP104;
2493 else if (os_strcmp(start, "WEP40") == 0)
2494 val |= WPA_CIPHER_WEP40;
2495 #endif /* CONFIG_WEP */
2496 else if (os_strcmp(start, "NONE") == 0)
2497 val |= WPA_CIPHER_NONE;
2498 else if (os_strcmp(start, "GTK_NOT_USED") == 0)
2499 val |= WPA_CIPHER_GTK_NOT_USED;
2500 else if (os_strcmp(start, "AES-128-CMAC") == 0)
2501 val |= WPA_CIPHER_AES_128_CMAC;
2502 else if (os_strcmp(start, "BIP-GMAC-128") == 0)
2503 val |= WPA_CIPHER_BIP_GMAC_128;
2504 else if (os_strcmp(start, "BIP-GMAC-256") == 0)
2505 val |= WPA_CIPHER_BIP_GMAC_256;
2506 else if (os_strcmp(start, "BIP-CMAC-256") == 0)
2507 val |= WPA_CIPHER_BIP_CMAC_256;
2508 else {
2509 os_free(buf);
2510 return -1;
2511 }
2512
2513 if (last)
2514 break;
2515 start = end + 1;
2516 }
2517 os_free(buf);
2518
2519 return val;
2520 }
2521
2522
wpa_write_ciphers(char * start,char * end,int ciphers,const char * delim)2523 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
2524 {
2525 char *pos = start;
2526 int ret;
2527
2528 if (ciphers & WPA_CIPHER_CCMP_256) {
2529 ret = os_snprintf(pos, end - pos, "%sCCMP-256",
2530 pos == start ? "" : delim);
2531 if (os_snprintf_error(end - pos, ret))
2532 return -1;
2533 pos += ret;
2534 }
2535 if (ciphers & WPA_CIPHER_GCMP_256) {
2536 ret = os_snprintf(pos, end - pos, "%sGCMP-256",
2537 pos == start ? "" : delim);
2538 if (os_snprintf_error(end - pos, ret))
2539 return -1;
2540 pos += ret;
2541 }
2542 if (ciphers & WPA_CIPHER_CCMP) {
2543 ret = os_snprintf(pos, end - pos, "%sCCMP",
2544 pos == start ? "" : delim);
2545 if (os_snprintf_error(end - pos, ret))
2546 return -1;
2547 pos += ret;
2548 }
2549 if (ciphers & WPA_CIPHER_GCMP) {
2550 ret = os_snprintf(pos, end - pos, "%sGCMP",
2551 pos == start ? "" : delim);
2552 if (os_snprintf_error(end - pos, ret))
2553 return -1;
2554 pos += ret;
2555 }
2556 if (ciphers & WPA_CIPHER_TKIP) {
2557 ret = os_snprintf(pos, end - pos, "%sTKIP",
2558 pos == start ? "" : delim);
2559 if (os_snprintf_error(end - pos, ret))
2560 return -1;
2561 pos += ret;
2562 }
2563 if (ciphers & WPA_CIPHER_AES_128_CMAC) {
2564 ret = os_snprintf(pos, end - pos, "%sAES-128-CMAC",
2565 pos == start ? "" : delim);
2566 if (os_snprintf_error(end - pos, ret))
2567 return -1;
2568 pos += ret;
2569 }
2570 if (ciphers & WPA_CIPHER_BIP_GMAC_128) {
2571 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-128",
2572 pos == start ? "" : delim);
2573 if (os_snprintf_error(end - pos, ret))
2574 return -1;
2575 pos += ret;
2576 }
2577 if (ciphers & WPA_CIPHER_BIP_GMAC_256) {
2578 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-256",
2579 pos == start ? "" : delim);
2580 if (os_snprintf_error(end - pos, ret))
2581 return -1;
2582 pos += ret;
2583 }
2584 if (ciphers & WPA_CIPHER_BIP_CMAC_256) {
2585 ret = os_snprintf(pos, end - pos, "%sBIP-CMAC-256",
2586 pos == start ? "" : delim);
2587 if (os_snprintf_error(end - pos, ret))
2588 return -1;
2589 pos += ret;
2590 }
2591 if (ciphers & WPA_CIPHER_NONE) {
2592 ret = os_snprintf(pos, end - pos, "%sNONE",
2593 pos == start ? "" : delim);
2594 if (os_snprintf_error(end - pos, ret))
2595 return -1;
2596 pos += ret;
2597 }
2598
2599 return pos - start;
2600 }
2601
2602
wpa_select_ap_group_cipher(int wpa,int wpa_pairwise,int rsn_pairwise)2603 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
2604 {
2605 int pairwise = 0;
2606
2607 /* Select group cipher based on the enabled pairwise cipher suites */
2608 if (wpa & 1)
2609 pairwise |= wpa_pairwise;
2610 if (wpa & 2)
2611 pairwise |= rsn_pairwise;
2612
2613 if (pairwise & WPA_CIPHER_TKIP)
2614 return WPA_CIPHER_TKIP;
2615 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
2616 return WPA_CIPHER_GCMP;
2617 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
2618 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
2619 return WPA_CIPHER_GCMP_256;
2620 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
2621 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
2622 return WPA_CIPHER_CCMP_256;
2623 return WPA_CIPHER_CCMP;
2624 }
2625
2626
2627 #ifdef CONFIG_FILS
fils_domain_name_hash(const char * domain,u8 * hash)2628 int fils_domain_name_hash(const char *domain, u8 *hash)
2629 {
2630 char buf[255], *wpos = buf;
2631 const char *pos = domain;
2632 size_t len;
2633 const u8 *addr[1];
2634 u8 mac[SHA256_MAC_LEN];
2635
2636 for (len = 0; len < sizeof(buf) && *pos; len++) {
2637 if (isalpha(*pos) && isupper(*pos))
2638 *wpos++ = tolower(*pos);
2639 else
2640 *wpos++ = *pos;
2641 pos++;
2642 }
2643
2644 addr[0] = (const u8 *) buf;
2645 if (sha256_vector(1, addr, &len, mac) < 0)
2646 return -1;
2647 os_memcpy(hash, mac, 2);
2648 return 0;
2649 }
2650 #endif /* CONFIG_FILS */
2651
2652
2653 /**
2654 * wpa_parse_vendor_specific - Parse Vendor Specific IEs
2655 * @pos: Pointer to the IE header
2656 * @end: Pointer to the end of the Key Data buffer
2657 * @ie: Pointer to parsed IE data
2658 */
wpa_parse_vendor_specific(const u8 * pos,const u8 * end,struct wpa_eapol_ie_parse * ie)2659 static void wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
2660 struct wpa_eapol_ie_parse *ie)
2661 {
2662 unsigned int oui;
2663
2664 if (pos[1] < 4) {
2665 wpa_printf(MSG_MSGDUMP,
2666 "Too short vendor specific IE ignored (len=%u)",
2667 pos[1]);
2668 return;
2669 }
2670
2671 oui = WPA_GET_BE24(&pos[2]);
2672 if (oui == OUI_MICROSOFT && pos[5] == WMM_OUI_TYPE && pos[1] > 4) {
2673 if (pos[6] == WMM_OUI_SUBTYPE_INFORMATION_ELEMENT) {
2674 ie->wmm = &pos[2];
2675 ie->wmm_len = pos[1];
2676 wpa_hexdump(MSG_DEBUG, "WPA: WMM IE",
2677 ie->wmm, ie->wmm_len);
2678 } else if (pos[6] == WMM_OUI_SUBTYPE_PARAMETER_ELEMENT) {
2679 ie->wmm = &pos[2];
2680 ie->wmm_len = pos[1];
2681 wpa_hexdump(MSG_DEBUG, "WPA: WMM Parameter Element",
2682 ie->wmm, ie->wmm_len);
2683 }
2684 }
2685 }
2686
2687
2688 /**
2689 * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
2690 * @pos: Pointer to the IE header
2691 * @ie: Pointer to parsed IE data
2692 * Returns: 0 on success, 1 if end mark is found, 2 if KDE is not recognized
2693 */
wpa_parse_generic(const u8 * pos,struct wpa_eapol_ie_parse * ie)2694 static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie)
2695 {
2696 if (pos[1] == 0)
2697 return 1;
2698
2699 if (pos[1] >= 6 &&
2700 RSN_SELECTOR_GET(pos + 2) == WPA_OUI_TYPE &&
2701 pos[2 + WPA_SELECTOR_LEN] == 1 &&
2702 pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
2703 ie->wpa_ie = pos;
2704 ie->wpa_ie_len = pos[1] + 2;
2705 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE in EAPOL-Key",
2706 ie->wpa_ie, ie->wpa_ie_len);
2707 return 0;
2708 }
2709
2710 if (pos[1] >= 4 && WPA_GET_BE32(pos + 2) == OSEN_IE_VENDOR_TYPE) {
2711 ie->osen = pos;
2712 ie->osen_len = pos[1] + 2;
2713 return 0;
2714 }
2715
2716 if (pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
2717 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
2718 ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
2719 wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key",
2720 pos, pos[1] + 2);
2721 return 0;
2722 }
2723
2724 if (pos[1] >= RSN_SELECTOR_LEN + 2 &&
2725 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_KEYID) {
2726 ie->key_id = pos + 2 + RSN_SELECTOR_LEN;
2727 wpa_hexdump(MSG_DEBUG, "WPA: KeyID in EAPOL-Key",
2728 pos, pos[1] + 2);
2729 return 0;
2730 }
2731
2732 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
2733 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) {
2734 ie->gtk = pos + 2 + RSN_SELECTOR_LEN;
2735 ie->gtk_len = pos[1] - RSN_SELECTOR_LEN;
2736 wpa_hexdump_key(MSG_DEBUG, "WPA: GTK in EAPOL-Key",
2737 pos, pos[1] + 2);
2738 return 0;
2739 }
2740
2741 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
2742 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_MAC_ADDR) {
2743 ie->mac_addr = pos + 2 + RSN_SELECTOR_LEN;
2744 ie->mac_addr_len = pos[1] - RSN_SELECTOR_LEN;
2745 wpa_hexdump(MSG_DEBUG, "WPA: MAC Address in EAPOL-Key",
2746 pos, pos[1] + 2);
2747 return 0;
2748 }
2749
2750 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
2751 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_IGTK) {
2752 ie->igtk = pos + 2 + RSN_SELECTOR_LEN;
2753 ie->igtk_len = pos[1] - RSN_SELECTOR_LEN;
2754 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK in EAPOL-Key",
2755 pos, pos[1] + 2);
2756 return 0;
2757 }
2758
2759 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
2760 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_BIGTK) {
2761 ie->bigtk = pos + 2 + RSN_SELECTOR_LEN;
2762 ie->bigtk_len = pos[1] - RSN_SELECTOR_LEN;
2763 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK in EAPOL-Key",
2764 pos, pos[1] + 2);
2765 return 0;
2766 }
2767
2768 if (pos[1] >= RSN_SELECTOR_LEN + 1 &&
2769 RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_IP_ADDR_REQ) {
2770 ie->ip_addr_req = pos + 2 + RSN_SELECTOR_LEN;
2771 wpa_hexdump(MSG_DEBUG, "WPA: IP Address Request in EAPOL-Key",
2772 ie->ip_addr_req, pos[1] - RSN_SELECTOR_LEN);
2773 return 0;
2774 }
2775
2776 if (pos[1] >= RSN_SELECTOR_LEN + 3 * 4 &&
2777 RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_IP_ADDR_ALLOC) {
2778 ie->ip_addr_alloc = pos + 2 + RSN_SELECTOR_LEN;
2779 wpa_hexdump(MSG_DEBUG,
2780 "WPA: IP Address Allocation in EAPOL-Key",
2781 ie->ip_addr_alloc, pos[1] - RSN_SELECTOR_LEN);
2782 return 0;
2783 }
2784
2785 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
2786 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_OCI) {
2787 ie->oci = pos + 2 + RSN_SELECTOR_LEN;
2788 ie->oci_len = pos[1] - RSN_SELECTOR_LEN;
2789 wpa_hexdump(MSG_DEBUG, "WPA: OCI KDE in EAPOL-Key",
2790 pos, pos[1] + 2);
2791 return 0;
2792 }
2793
2794 if (pos[1] >= RSN_SELECTOR_LEN + 1 &&
2795 RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_TRANSITION_DISABLE) {
2796 ie->transition_disable = pos + 2 + RSN_SELECTOR_LEN;
2797 ie->transition_disable_len = pos[1] - RSN_SELECTOR_LEN;
2798 wpa_hexdump(MSG_DEBUG,
2799 "WPA: Transition Disable KDE in EAPOL-Key",
2800 pos, pos[1] + 2);
2801 return 0;
2802 }
2803
2804 if (pos[1] >= RSN_SELECTOR_LEN + 2 &&
2805 RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_DPP) {
2806 ie->dpp_kde = pos + 2 + RSN_SELECTOR_LEN;
2807 ie->dpp_kde_len = pos[1] - RSN_SELECTOR_LEN;
2808 wpa_hexdump(MSG_DEBUG, "WPA: DPP KDE in EAPOL-Key",
2809 pos, pos[1] + 2);
2810 return 0;
2811 }
2812
2813 return 2;
2814 }
2815
2816
2817 /**
2818 * wpa_parse_kde_ies - Parse EAPOL-Key Key Data IEs
2819 * @buf: Pointer to the Key Data buffer
2820 * @len: Key Data Length
2821 * @ie: Pointer to parsed IE data
2822 * Returns: 0 on success, -1 on failure
2823 */
wpa_parse_kde_ies(const u8 * buf,size_t len,struct wpa_eapol_ie_parse * ie)2824 int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
2825 {
2826 const u8 *pos, *end;
2827 int ret = 0;
2828
2829 os_memset(ie, 0, sizeof(*ie));
2830 for (pos = buf, end = pos + len; end - pos > 1; pos += 2 + pos[1]) {
2831 if (pos[0] == 0xdd &&
2832 ((pos == buf + len - 1) || pos[1] == 0)) {
2833 /* Ignore padding */
2834 break;
2835 }
2836 if (2 + pos[1] > end - pos) {
2837 wpa_printf(MSG_DEBUG,
2838 "WPA: EAPOL-Key Key Data underflow (ie=%d len=%d pos=%d)",
2839 pos[0], pos[1], (int) (pos - buf));
2840 wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data", buf, len);
2841 ret = -1;
2842 break;
2843 }
2844 if (*pos == WLAN_EID_RSN) {
2845 ie->rsn_ie = pos;
2846 ie->rsn_ie_len = pos[1] + 2;
2847 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
2848 ie->rsn_ie, ie->rsn_ie_len);
2849 } else if (*pos == WLAN_EID_RSNX) {
2850 ie->rsnxe = pos;
2851 ie->rsnxe_len = pos[1] + 2;
2852 wpa_hexdump(MSG_DEBUG, "WPA: RSNXE in EAPOL-Key",
2853 ie->rsnxe, ie->rsnxe_len);
2854 } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
2855 ie->mdie = pos;
2856 ie->mdie_len = pos[1] + 2;
2857 wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
2858 ie->mdie, ie->mdie_len);
2859 } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
2860 ie->ftie = pos;
2861 ie->ftie_len = pos[1] + 2;
2862 wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
2863 ie->ftie, ie->ftie_len);
2864 } else if (*pos == WLAN_EID_TIMEOUT_INTERVAL && pos[1] >= 5) {
2865 if (pos[2] == WLAN_TIMEOUT_REASSOC_DEADLINE) {
2866 ie->reassoc_deadline = pos;
2867 wpa_hexdump(MSG_DEBUG, "WPA: Reassoc Deadline "
2868 "in EAPOL-Key",
2869 ie->reassoc_deadline, pos[1] + 2);
2870 } else if (pos[2] == WLAN_TIMEOUT_KEY_LIFETIME) {
2871 ie->key_lifetime = pos;
2872 wpa_hexdump(MSG_DEBUG, "WPA: KeyLifetime "
2873 "in EAPOL-Key",
2874 ie->key_lifetime, pos[1] + 2);
2875 } else {
2876 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized "
2877 "EAPOL-Key Key Data IE",
2878 pos, 2 + pos[1]);
2879 }
2880 } else if (*pos == WLAN_EID_LINK_ID) {
2881 if (pos[1] >= 18) {
2882 ie->lnkid = pos;
2883 ie->lnkid_len = pos[1] + 2;
2884 }
2885 } else if (*pos == WLAN_EID_EXT_CAPAB) {
2886 ie->ext_capab = pos;
2887 ie->ext_capab_len = pos[1] + 2;
2888 } else if (*pos == WLAN_EID_SUPP_RATES) {
2889 ie->supp_rates = pos;
2890 ie->supp_rates_len = pos[1] + 2;
2891 } else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
2892 ie->ext_supp_rates = pos;
2893 ie->ext_supp_rates_len = pos[1] + 2;
2894 } else if (*pos == WLAN_EID_HT_CAP &&
2895 pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
2896 ie->ht_capabilities = pos + 2;
2897 } else if (*pos == WLAN_EID_VHT_AID) {
2898 if (pos[1] >= 2)
2899 ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
2900 } else if (*pos == WLAN_EID_VHT_CAP &&
2901 pos[1] >= sizeof(struct ieee80211_vht_capabilities))
2902 {
2903 ie->vht_capabilities = pos + 2;
2904 } else if (*pos == WLAN_EID_QOS && pos[1] >= 1) {
2905 ie->qosinfo = pos[2];
2906 } else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) {
2907 ie->supp_channels = pos + 2;
2908 ie->supp_channels_len = pos[1];
2909 } else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) {
2910 /*
2911 * The value of the Length field of the Supported
2912 * Operating Classes element is between 2 and 253.
2913 * Silently skip invalid elements to avoid interop
2914 * issues when trying to use the value.
2915 */
2916 if (pos[1] >= 2 && pos[1] <= 253) {
2917 ie->supp_oper_classes = pos + 2;
2918 ie->supp_oper_classes_len = pos[1];
2919 }
2920 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
2921 ret = wpa_parse_generic(pos, ie);
2922 if (ret == 1) {
2923 /* end mark found */
2924 ret = 0;
2925 break;
2926 }
2927
2928 if (ret == 2) {
2929 /* not a known KDE */
2930 wpa_parse_vendor_specific(pos, end, ie);
2931 }
2932
2933 ret = 0;
2934 } else {
2935 wpa_hexdump(MSG_DEBUG,
2936 "WPA: Unrecognized EAPOL-Key Key Data IE",
2937 pos, 2 + pos[1]);
2938 }
2939 }
2940
2941 return ret;
2942 }
2943