• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * WPA/RSN - Shared functions for supplicant and authenticator
3  * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/sha384.h"
16 #include "crypto/aes_wrap.h"
17 #include "crypto/crypto.h"
18 #include "ieee802_11_defs.h"
19 #include "defs.h"
20 #include "wpa_common.h"
21 
22 
wpa_kck_len(int akmp)23 static unsigned int wpa_kck_len(int akmp)
24 {
25 	switch (akmp) {
26 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
27 		return 24;
28 	case WPA_KEY_MGMT_FILS_SHA256:
29 	case WPA_KEY_MGMT_FT_FILS_SHA256:
30 	case WPA_KEY_MGMT_FILS_SHA384:
31 	case WPA_KEY_MGMT_FT_FILS_SHA384:
32 		return 0;
33 	default:
34 		return 16;
35 	}
36 }
37 
38 
wpa_kek_len(int akmp)39 static unsigned int wpa_kek_len(int akmp)
40 {
41 	switch (akmp) {
42 	case WPA_KEY_MGMT_FILS_SHA384:
43 	case WPA_KEY_MGMT_FT_FILS_SHA384:
44 		return 64;
45 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
46 	case WPA_KEY_MGMT_FILS_SHA256:
47 	case WPA_KEY_MGMT_FT_FILS_SHA256:
48 		return 32;
49 	default:
50 		return 16;
51 	}
52 }
53 
54 
wpa_mic_len(int akmp)55 unsigned int wpa_mic_len(int akmp)
56 {
57 	switch (akmp) {
58 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
59 		return 24;
60 	case WPA_KEY_MGMT_FILS_SHA256:
61 	case WPA_KEY_MGMT_FILS_SHA384:
62 	case WPA_KEY_MGMT_FT_FILS_SHA256:
63 	case WPA_KEY_MGMT_FT_FILS_SHA384:
64 		return 0;
65 	default:
66 		return 16;
67 	}
68 }
69 
70 
71 /**
72  * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
73  * @key: EAPOL-Key Key Confirmation Key (KCK)
74  * @key_len: KCK length in octets
75  * @akmp: WPA_KEY_MGMT_* used in key derivation
76  * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
77  * @buf: Pointer to the beginning of the EAPOL header (version field)
78  * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
79  * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
80  * Returns: 0 on success, -1 on failure
81  *
82  * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
83  * to be cleared (all zeroes) when calling this function.
84  *
85  * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
86  * description of the Key MIC calculation. It includes packet data from the
87  * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
88  * happened during final editing of the standard and the correct behavior is
89  * defined in the last draft (IEEE 802.11i/D10).
90  */
wpa_eapol_key_mic(const u8 * key,size_t key_len,int akmp,int ver,const u8 * buf,size_t len,u8 * mic)91 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
92 		      const u8 *buf, size_t len, u8 *mic)
93 {
94 	u8 hash[SHA384_MAC_LEN];
95 
96 	switch (ver) {
97 #ifndef CONFIG_FIPS
98 	case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
99 		return hmac_md5(key, key_len, buf, len, mic);
100 #endif /* CONFIG_FIPS */
101 	case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
102 		if (hmac_sha1(key, key_len, buf, len, hash))
103 			return -1;
104 		os_memcpy(mic, hash, MD5_MAC_LEN);
105 		break;
106 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
107 	case WPA_KEY_INFO_TYPE_AES_128_CMAC:
108 		return omac1_aes_128(key, buf, len, mic);
109 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
110 	case WPA_KEY_INFO_TYPE_AKM_DEFINED:
111 		switch (akmp) {
112 #ifdef CONFIG_HS20
113 		case WPA_KEY_MGMT_OSEN:
114 			return omac1_aes_128(key, buf, len, mic);
115 #endif /* CONFIG_HS20 */
116 #ifdef CONFIG_SUITEB
117 		case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
118 			if (hmac_sha256(key, key_len, buf, len, hash))
119 				return -1;
120 			os_memcpy(mic, hash, MD5_MAC_LEN);
121 			break;
122 #endif /* CONFIG_SUITEB */
123 #ifdef CONFIG_SUITEB192
124 		case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
125 			if (hmac_sha384(key, key_len, buf, len, hash))
126 				return -1;
127 			os_memcpy(mic, hash, 24);
128 			break;
129 #endif /* CONFIG_SUITEB192 */
130 		default:
131 			return -1;
132 		}
133 		break;
134 	default:
135 		return -1;
136 	}
137 
138 	return 0;
139 }
140 
141 
142 /**
143  * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
144  * @pmk: Pairwise master key
145  * @pmk_len: Length of PMK
146  * @label: Label to use in derivation
147  * @addr1: AA or SA
148  * @addr2: SA or AA
149  * @nonce1: ANonce or SNonce
150  * @nonce2: SNonce or ANonce
151  * @ptk: Buffer for pairwise transient key
152  * @akmp: Negotiated AKM
153  * @cipher: Negotiated pairwise cipher
154  * Returns: 0 on success, -1 on failure
155  *
156  * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
157  * PTK = PRF-X(PMK, "Pairwise key expansion",
158  *             Min(AA, SA) || Max(AA, SA) ||
159  *             Min(ANonce, SNonce) || Max(ANonce, SNonce))
160  *
161  * STK = PRF-X(SMK, "Peer key expansion",
162  *             Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) ||
163  *             Min(INonce, PNonce) || Max(INonce, PNonce))
164  */
wpa_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const char * label,const u8 * addr1,const u8 * addr2,const u8 * nonce1,const u8 * nonce2,struct wpa_ptk * ptk,int akmp,int cipher)165 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
166 		   const u8 *addr1, const u8 *addr2,
167 		   const u8 *nonce1, const u8 *nonce2,
168 		   struct wpa_ptk *ptk, int akmp, int cipher)
169 {
170 	u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN];
171 	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
172 	size_t ptk_len;
173 
174 	if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
175 		os_memcpy(data, addr1, ETH_ALEN);
176 		os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
177 	} else {
178 		os_memcpy(data, addr2, ETH_ALEN);
179 		os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
180 	}
181 
182 	if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
183 		os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
184 		os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
185 			  WPA_NONCE_LEN);
186 	} else {
187 		os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
188 		os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
189 			  WPA_NONCE_LEN);
190 	}
191 
192 	ptk->kck_len = wpa_kck_len(akmp);
193 	ptk->kek_len = wpa_kek_len(akmp);
194 	ptk->tk_len = wpa_cipher_key_len(cipher);
195 	ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
196 
197 #if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS)
198 	if (wpa_key_mgmt_sha384(akmp))
199 		sha384_prf(pmk, pmk_len, label, data, sizeof(data),
200 			   tmp, ptk_len);
201 	else
202 #endif /* CONFIG_SUITEB192 || CONFIG_FILS */
203 #ifdef CONFIG_IEEE80211W
204 	if (wpa_key_mgmt_sha256(akmp))
205 		sha256_prf(pmk, pmk_len, label, data, sizeof(data),
206 			   tmp, ptk_len);
207 	else
208 #endif /* CONFIG_IEEE80211W */
209 		sha1_prf(pmk, pmk_len, label, data, sizeof(data), tmp, ptk_len);
210 
211 	wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
212 		   MAC2STR(addr1), MAC2STR(addr2));
213 	wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
214 	wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
215 	wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
216 	wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
217 
218 	os_memcpy(ptk->kck, tmp, ptk->kck_len);
219 	wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
220 
221 	os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
222 	wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
223 
224 	os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
225 	wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
226 
227 	os_memset(tmp, 0, sizeof(tmp));
228 	return 0;
229 }
230 
231 #ifdef CONFIG_FILS
232 
fils_rmsk_to_pmk(int akmp,const u8 * rmsk,size_t rmsk_len,const u8 * snonce,const u8 * anonce,const u8 * dh_ss,size_t dh_ss_len,u8 * pmk,size_t * pmk_len)233 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len,
234 		     const u8 *snonce, const u8 *anonce, const u8 *dh_ss,
235 		     size_t dh_ss_len, u8 *pmk, size_t *pmk_len)
236 {
237 	u8 nonces[2 * FILS_NONCE_LEN];
238 	const u8 *addr[2];
239 	size_t len[2];
240 	size_t num_elem;
241 	int res;
242 
243 	/* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */
244 	wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation");
245 
246 	if (wpa_key_mgmt_sha384(akmp))
247 		*pmk_len = SHA384_MAC_LEN;
248 	else if (wpa_key_mgmt_sha256(akmp))
249 		*pmk_len = SHA256_MAC_LEN;
250 	else
251 		return -1;
252 
253 	wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len);
254 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
255 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
256 	wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len);
257 
258 	os_memcpy(nonces, snonce, FILS_NONCE_LEN);
259 	os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN);
260 	addr[0] = rmsk;
261 	len[0] = rmsk_len;
262 	num_elem = 1;
263 	if (dh_ss) {
264 		addr[1] = dh_ss;
265 		len[1] = dh_ss_len;
266 		num_elem++;
267 	}
268 	if (wpa_key_mgmt_sha384(akmp))
269 		res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
270 					 addr, len, pmk);
271 	else
272 		res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
273 					 addr, len, pmk);
274 	if (res == 0)
275 		wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len);
276 	return res;
277 }
278 
279 
fils_pmkid_erp(int akmp,const u8 * reauth,size_t reauth_len,u8 * pmkid)280 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len,
281 		   u8 *pmkid)
282 {
283 	const u8 *addr[1];
284 	size_t len[1];
285 	u8 hash[SHA384_MAC_LEN];
286 	int res;
287 
288 	/* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */
289 	addr[0] = reauth;
290 	len[0] = reauth_len;
291 	if (wpa_key_mgmt_sha384(akmp))
292 		res = sha384_vector(1, addr, len, hash);
293 	else if (wpa_key_mgmt_sha256(akmp))
294 		res = sha256_vector(1, addr, len, hash);
295 	else
296 		return -1;
297 	if (res)
298 		return res;
299 	os_memcpy(pmkid, hash, PMKID_LEN);
300 	wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
301 	return 0;
302 }
303 
304 
fils_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * aa,const u8 * snonce,const u8 * anonce,struct wpa_ptk * ptk,u8 * ick,size_t * ick_len,int akmp,int cipher)305 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa,
306 		    const u8 *snonce, const u8 *anonce, struct wpa_ptk *ptk,
307 		    u8 *ick, size_t *ick_len, int akmp, int cipher)
308 {
309 	u8 data[2 * ETH_ALEN + 2 * FILS_NONCE_LEN];
310 	u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
311 	size_t key_data_len;
312 	const char *label = "FILS PTK Derivation";
313 
314 	/*
315 	 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation",
316 	 *                       SPA || AA || SNonce || ANonce)
317 	 * ICK = L(FILS-Key-Data, 0, ICK_bits)
318 	 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits)
319 	 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits)
320 	 * If doing FT initial mobility domain association:
321 	 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits,
322 	 *             FILS-FT_bits)
323 	 */
324 	os_memcpy(data, spa, ETH_ALEN);
325 	os_memcpy(data + ETH_ALEN, aa, ETH_ALEN);
326 	os_memcpy(data + 2 * ETH_ALEN, snonce, FILS_NONCE_LEN);
327 	os_memcpy(data + 2 * ETH_ALEN + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN);
328 
329 	ptk->kck_len = 0;
330 	ptk->kek_len = wpa_kek_len(akmp);
331 	ptk->tk_len = wpa_cipher_key_len(cipher);
332 	if (wpa_key_mgmt_sha384(akmp))
333 		*ick_len = 48;
334 	else if (wpa_key_mgmt_sha256(akmp))
335 		*ick_len = 32;
336 	else
337 		return -1;
338 	key_data_len = *ick_len + ptk->kek_len + ptk->tk_len;
339 
340 	if (wpa_key_mgmt_sha384(akmp))
341 		sha384_prf(pmk, pmk_len, label, data, sizeof(data),
342 			   tmp, key_data_len);
343 	else if (sha256_prf(pmk, pmk_len, label, data, sizeof(data),
344 			    tmp, key_data_len) < 0)
345 		return -1;
346 
347 	wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR
348 		   " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa));
349 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
350 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
351 	wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len);
352 	wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len);
353 
354 	os_memcpy(ick, tmp, *ick_len);
355 	wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len);
356 
357 	os_memcpy(ptk->kek, tmp + *ick_len, ptk->kek_len);
358 	wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len);
359 
360 	os_memcpy(ptk->tk, tmp + *ick_len + ptk->kek_len, ptk->tk_len);
361 	wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len);
362 
363 	/* TODO: FILS-FT */
364 
365 	os_memset(tmp, 0, sizeof(tmp));
366 	return 0;
367 }
368 
369 
fils_key_auth_sk(const u8 * ick,size_t ick_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * g_sta,size_t g_sta_len,const u8 * g_ap,size_t g_ap_len,int akmp,u8 * key_auth_sta,u8 * key_auth_ap,size_t * key_auth_len)370 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce,
371 		     const u8 *anonce, const u8 *sta_addr, const u8 *bssid,
372 		     const u8 *g_sta, size_t g_sta_len,
373 		     const u8 *g_ap, size_t g_ap_len,
374 		     int akmp, u8 *key_auth_sta, u8 *key_auth_ap,
375 		     size_t *key_auth_len)
376 {
377 	const u8 *addr[6];
378 	size_t len[6];
379 	size_t num_elem = 4;
380 	int res;
381 
382 	/*
383 	 * For (Re)Association Request frame (STA->AP):
384 	 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID
385 	 *                      [ || gSTA || gAP ])
386 	 */
387 	addr[0] = snonce;
388 	len[0] = FILS_NONCE_LEN;
389 	addr[1] = anonce;
390 	len[1] = FILS_NONCE_LEN;
391 	addr[2] = sta_addr;
392 	len[2] = ETH_ALEN;
393 	addr[3] = bssid;
394 	len[3] = ETH_ALEN;
395 	if (g_sta && g_ap_len && g_ap && g_ap_len) {
396 		addr[4] = g_sta;
397 		len[4] = g_sta_len;
398 		addr[5] = g_ap;
399 		len[5] = g_ap_len;
400 		num_elem = 6;
401 	}
402 
403 	if (wpa_key_mgmt_sha384(akmp)) {
404 		*key_auth_len = 48;
405 		res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
406 					 key_auth_sta);
407 	} else if (wpa_key_mgmt_sha256(akmp)) {
408 		*key_auth_len = 32;
409 		res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
410 					 key_auth_sta);
411 	} else {
412 		return -1;
413 	}
414 	if (res < 0)
415 		return res;
416 
417 	/*
418 	 * For (Re)Association Response frame (AP->STA):
419 	 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC
420 	 *                      [ || gAP || gSTA ])
421 	 */
422 	addr[0] = anonce;
423 	addr[1] = snonce;
424 	addr[2] = bssid;
425 	addr[3] = sta_addr;
426 	if (g_sta && g_ap_len && g_ap && g_ap_len) {
427 		addr[4] = g_ap;
428 		len[4] = g_ap_len;
429 		addr[5] = g_sta;
430 		len[5] = g_sta_len;
431 	}
432 
433 	if (wpa_key_mgmt_sha384(akmp))
434 		res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
435 					 key_auth_ap);
436 	else if (wpa_key_mgmt_sha256(akmp))
437 		res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
438 					 key_auth_ap);
439 	if (res < 0)
440 		return res;
441 
442 	wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)",
443 		    key_auth_sta, *key_auth_len);
444 	wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)",
445 		    key_auth_ap, *key_auth_len);
446 
447 	return 0;
448 }
449 
450 #endif /* CONFIG_FILS */
451 
452 
453 #ifdef CONFIG_IEEE80211R
wpa_ft_mic(const u8 * kck,size_t kck_len,const u8 * sta_addr,const u8 * ap_addr,u8 transaction_seqnum,const u8 * mdie,size_t mdie_len,const u8 * ftie,size_t ftie_len,const u8 * rsnie,size_t rsnie_len,const u8 * ric,size_t ric_len,u8 * mic)454 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr,
455 	       const u8 *ap_addr, u8 transaction_seqnum,
456 	       const u8 *mdie, size_t mdie_len,
457 	       const u8 *ftie, size_t ftie_len,
458 	       const u8 *rsnie, size_t rsnie_len,
459 	       const u8 *ric, size_t ric_len, u8 *mic)
460 {
461 	const u8 *addr[9];
462 	size_t len[9];
463 	size_t i, num_elem = 0;
464 	u8 zero_mic[16];
465 
466 	if (kck_len != 16) {
467 		wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
468 			   (unsigned int) kck_len);
469 		return -1;
470 	}
471 
472 	addr[num_elem] = sta_addr;
473 	len[num_elem] = ETH_ALEN;
474 	num_elem++;
475 
476 	addr[num_elem] = ap_addr;
477 	len[num_elem] = ETH_ALEN;
478 	num_elem++;
479 
480 	addr[num_elem] = &transaction_seqnum;
481 	len[num_elem] = 1;
482 	num_elem++;
483 
484 	if (rsnie) {
485 		addr[num_elem] = rsnie;
486 		len[num_elem] = rsnie_len;
487 		num_elem++;
488 	}
489 	if (mdie) {
490 		addr[num_elem] = mdie;
491 		len[num_elem] = mdie_len;
492 		num_elem++;
493 	}
494 	if (ftie) {
495 		if (ftie_len < 2 + sizeof(struct rsn_ftie))
496 			return -1;
497 
498 		/* IE hdr and mic_control */
499 		addr[num_elem] = ftie;
500 		len[num_elem] = 2 + 2;
501 		num_elem++;
502 
503 		/* MIC field with all zeros */
504 		os_memset(zero_mic, 0, sizeof(zero_mic));
505 		addr[num_elem] = zero_mic;
506 		len[num_elem] = sizeof(zero_mic);
507 		num_elem++;
508 
509 		/* Rest of FTIE */
510 		addr[num_elem] = ftie + 2 + 2 + 16;
511 		len[num_elem] = ftie_len - (2 + 2 + 16);
512 		num_elem++;
513 	}
514 	if (ric) {
515 		addr[num_elem] = ric;
516 		len[num_elem] = ric_len;
517 		num_elem++;
518 	}
519 
520 	for (i = 0; i < num_elem; i++)
521 		wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
522 	if (omac1_aes_128_vector(kck, num_elem, addr, len, mic))
523 		return -1;
524 
525 	return 0;
526 }
527 
528 
wpa_ft_parse_ftie(const u8 * ie,size_t ie_len,struct wpa_ft_ies * parse)529 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
530 			     struct wpa_ft_ies *parse)
531 {
532 	const u8 *end, *pos;
533 
534 	parse->ftie = ie;
535 	parse->ftie_len = ie_len;
536 
537 	pos = ie + sizeof(struct rsn_ftie);
538 	end = ie + ie_len;
539 
540 	while (end - pos >= 2) {
541 		u8 id, len;
542 
543 		id = *pos++;
544 		len = *pos++;
545 		if (len > end - pos)
546 			break;
547 
548 		switch (id) {
549 		case FTIE_SUBELEM_R1KH_ID:
550 			if (len != FT_R1KH_ID_LEN) {
551 				wpa_printf(MSG_DEBUG,
552 					   "FT: Invalid R1KH-ID length in FTIE: %d",
553 					   len);
554 				return -1;
555 			}
556 			parse->r1kh_id = pos;
557 			break;
558 		case FTIE_SUBELEM_GTK:
559 			parse->gtk = pos;
560 			parse->gtk_len = len;
561 			break;
562 		case FTIE_SUBELEM_R0KH_ID:
563 			if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
564 				wpa_printf(MSG_DEBUG,
565 					   "FT: Invalid R0KH-ID length in FTIE: %d",
566 					   len);
567 				return -1;
568 			}
569 			parse->r0kh_id = pos;
570 			parse->r0kh_id_len = len;
571 			break;
572 #ifdef CONFIG_IEEE80211W
573 		case FTIE_SUBELEM_IGTK:
574 			parse->igtk = pos;
575 			parse->igtk_len = len;
576 			break;
577 #endif /* CONFIG_IEEE80211W */
578 		}
579 
580 		pos += len;
581 	}
582 
583 	return 0;
584 }
585 
586 
wpa_ft_parse_ies(const u8 * ies,size_t ies_len,struct wpa_ft_ies * parse)587 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
588 		     struct wpa_ft_ies *parse)
589 {
590 	const u8 *end, *pos;
591 	struct wpa_ie_data data;
592 	int ret;
593 	const struct rsn_ftie *ftie;
594 	int prot_ie_count = 0;
595 
596 	os_memset(parse, 0, sizeof(*parse));
597 	if (ies == NULL)
598 		return 0;
599 
600 	pos = ies;
601 	end = ies + ies_len;
602 	while (end - pos >= 2) {
603 		u8 id, len;
604 
605 		id = *pos++;
606 		len = *pos++;
607 		if (len > end - pos)
608 			break;
609 
610 		switch (id) {
611 		case WLAN_EID_RSN:
612 			parse->rsn = pos;
613 			parse->rsn_len = len;
614 			ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
615 						   parse->rsn_len + 2,
616 						   &data);
617 			if (ret < 0) {
618 				wpa_printf(MSG_DEBUG, "FT: Failed to parse "
619 					   "RSN IE: %d", ret);
620 				return -1;
621 			}
622 			if (data.num_pmkid == 1 && data.pmkid)
623 				parse->rsn_pmkid = data.pmkid;
624 			parse->key_mgmt = data.key_mgmt;
625 			parse->pairwise_cipher = data.pairwise_cipher;
626 			break;
627 		case WLAN_EID_MOBILITY_DOMAIN:
628 			if (len < sizeof(struct rsn_mdie))
629 				return -1;
630 			parse->mdie = pos;
631 			parse->mdie_len = len;
632 			break;
633 		case WLAN_EID_FAST_BSS_TRANSITION:
634 			if (len < sizeof(*ftie))
635 				return -1;
636 			ftie = (const struct rsn_ftie *) pos;
637 			prot_ie_count = ftie->mic_control[1];
638 			if (wpa_ft_parse_ftie(pos, len, parse) < 0)
639 				return -1;
640 			break;
641 		case WLAN_EID_TIMEOUT_INTERVAL:
642 			if (len != 5)
643 				break;
644 			parse->tie = pos;
645 			parse->tie_len = len;
646 			break;
647 		case WLAN_EID_RIC_DATA:
648 			if (parse->ric == NULL)
649 				parse->ric = pos - 2;
650 			break;
651 		}
652 
653 		pos += len;
654 	}
655 
656 	if (prot_ie_count == 0)
657 		return 0; /* no MIC */
658 
659 	/*
660 	 * Check that the protected IE count matches with IEs included in the
661 	 * frame.
662 	 */
663 	if (parse->rsn)
664 		prot_ie_count--;
665 	if (parse->mdie)
666 		prot_ie_count--;
667 	if (parse->ftie)
668 		prot_ie_count--;
669 	if (prot_ie_count < 0) {
670 		wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
671 			   "the protected IE count");
672 		return -1;
673 	}
674 
675 	if (prot_ie_count == 0 && parse->ric) {
676 		wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
677 			   "included in protected IE count");
678 		return -1;
679 	}
680 
681 	/* Determine the end of the RIC IE(s) */
682 	if (parse->ric) {
683 		pos = parse->ric;
684 		while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
685 		       prot_ie_count) {
686 			prot_ie_count--;
687 			pos += 2 + pos[1];
688 		}
689 		parse->ric_len = pos - parse->ric;
690 	}
691 	if (prot_ie_count) {
692 		wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
693 			   "frame", (int) prot_ie_count);
694 		return -1;
695 	}
696 
697 	return 0;
698 }
699 #endif /* CONFIG_IEEE80211R */
700 
701 
rsn_selector_to_bitfield(const u8 * s)702 static int rsn_selector_to_bitfield(const u8 *s)
703 {
704 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
705 		return WPA_CIPHER_NONE;
706 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
707 		return WPA_CIPHER_TKIP;
708 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
709 		return WPA_CIPHER_CCMP;
710 #ifdef CONFIG_IEEE80211W
711 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
712 		return WPA_CIPHER_AES_128_CMAC;
713 #endif /* CONFIG_IEEE80211W */
714 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
715 		return WPA_CIPHER_GCMP;
716 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
717 		return WPA_CIPHER_CCMP_256;
718 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
719 		return WPA_CIPHER_GCMP_256;
720 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
721 		return WPA_CIPHER_BIP_GMAC_128;
722 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
723 		return WPA_CIPHER_BIP_GMAC_256;
724 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
725 		return WPA_CIPHER_BIP_CMAC_256;
726 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
727 		return WPA_CIPHER_GTK_NOT_USED;
728 	return 0;
729 }
730 
731 
rsn_key_mgmt_to_bitfield(const u8 * s)732 static int rsn_key_mgmt_to_bitfield(const u8 *s)
733 {
734 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
735 		return WPA_KEY_MGMT_IEEE8021X;
736 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
737 		return WPA_KEY_MGMT_PSK;
738 #ifdef CONFIG_IEEE80211R
739 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
740 		return WPA_KEY_MGMT_FT_IEEE8021X;
741 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
742 		return WPA_KEY_MGMT_FT_PSK;
743 #endif /* CONFIG_IEEE80211R */
744 #ifdef CONFIG_IEEE80211W
745 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
746 		return WPA_KEY_MGMT_IEEE8021X_SHA256;
747 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
748 		return WPA_KEY_MGMT_PSK_SHA256;
749 #endif /* CONFIG_IEEE80211W */
750 #ifdef CONFIG_SAE
751 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
752 		return WPA_KEY_MGMT_SAE;
753 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
754 		return WPA_KEY_MGMT_FT_SAE;
755 #endif /* CONFIG_SAE */
756 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
757 		return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
758 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
759 		return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
760 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256)
761 		return WPA_KEY_MGMT_FILS_SHA256;
762 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384)
763 		return WPA_KEY_MGMT_FILS_SHA384;
764 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256)
765 		return WPA_KEY_MGMT_FT_FILS_SHA256;
766 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
767 		return WPA_KEY_MGMT_FT_FILS_SHA384;
768 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
769 		return WPA_KEY_MGMT_OSEN;
770 	return 0;
771 }
772 
773 
wpa_cipher_valid_group(int cipher)774 int wpa_cipher_valid_group(int cipher)
775 {
776 	return wpa_cipher_valid_pairwise(cipher) ||
777 		cipher == WPA_CIPHER_GTK_NOT_USED;
778 }
779 
780 
781 #ifdef CONFIG_IEEE80211W
wpa_cipher_valid_mgmt_group(int cipher)782 int wpa_cipher_valid_mgmt_group(int cipher)
783 {
784 	return cipher == WPA_CIPHER_AES_128_CMAC ||
785 		cipher == WPA_CIPHER_BIP_GMAC_128 ||
786 		cipher == WPA_CIPHER_BIP_GMAC_256 ||
787 		cipher == WPA_CIPHER_BIP_CMAC_256;
788 }
789 #endif /* CONFIG_IEEE80211W */
790 
791 
792 /**
793  * wpa_parse_wpa_ie_rsn - Parse RSN IE
794  * @rsn_ie: Buffer containing RSN IE
795  * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
796  * @data: Pointer to structure that will be filled in with parsed data
797  * Returns: 0 on success, <0 on failure
798  */
wpa_parse_wpa_ie_rsn(const u8 * rsn_ie,size_t rsn_ie_len,struct wpa_ie_data * data)799 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
800 			 struct wpa_ie_data *data)
801 {
802 	const u8 *pos;
803 	int left;
804 	int i, count;
805 
806 	os_memset(data, 0, sizeof(*data));
807 	data->proto = WPA_PROTO_RSN;
808 	data->pairwise_cipher = WPA_CIPHER_CCMP;
809 	data->group_cipher = WPA_CIPHER_CCMP;
810 	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
811 	data->capabilities = 0;
812 	data->pmkid = NULL;
813 	data->num_pmkid = 0;
814 #ifdef CONFIG_IEEE80211W
815 	data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
816 #else /* CONFIG_IEEE80211W */
817 	data->mgmt_group_cipher = 0;
818 #endif /* CONFIG_IEEE80211W */
819 
820 	if (rsn_ie_len == 0) {
821 		/* No RSN IE - fail silently */
822 		return -1;
823 	}
824 
825 	if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
826 		wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
827 			   __func__, (unsigned long) rsn_ie_len);
828 		return -1;
829 	}
830 
831 	if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 &&
832 	    rsn_ie[1] == rsn_ie_len - 2 &&
833 	    WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) {
834 		pos = rsn_ie + 6;
835 		left = rsn_ie_len - 6;
836 
837 		data->proto = WPA_PROTO_OSEN;
838 	} else {
839 		const struct rsn_ie_hdr *hdr;
840 
841 		hdr = (const struct rsn_ie_hdr *) rsn_ie;
842 
843 		if (hdr->elem_id != WLAN_EID_RSN ||
844 		    hdr->len != rsn_ie_len - 2 ||
845 		    WPA_GET_LE16(hdr->version) != RSN_VERSION) {
846 			wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
847 				   __func__);
848 			return -2;
849 		}
850 
851 		pos = (const u8 *) (hdr + 1);
852 		left = rsn_ie_len - sizeof(*hdr);
853 	}
854 
855 	if (left >= RSN_SELECTOR_LEN) {
856 		data->group_cipher = rsn_selector_to_bitfield(pos);
857 		if (!wpa_cipher_valid_group(data->group_cipher)) {
858 			wpa_printf(MSG_DEBUG,
859 				   "%s: invalid group cipher 0x%x (%08x)",
860 				   __func__, data->group_cipher,
861 				   WPA_GET_BE32(pos));
862 			return -1;
863 		}
864 		pos += RSN_SELECTOR_LEN;
865 		left -= RSN_SELECTOR_LEN;
866 	} else if (left > 0) {
867 		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
868 			   __func__, left);
869 		return -3;
870 	}
871 
872 	if (left >= 2) {
873 		data->pairwise_cipher = 0;
874 		count = WPA_GET_LE16(pos);
875 		pos += 2;
876 		left -= 2;
877 		if (count == 0 || count > left / RSN_SELECTOR_LEN) {
878 			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
879 				   "count %u left %u", __func__, count, left);
880 			return -4;
881 		}
882 		for (i = 0; i < count; i++) {
883 			data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
884 			pos += RSN_SELECTOR_LEN;
885 			left -= RSN_SELECTOR_LEN;
886 		}
887 #ifdef CONFIG_IEEE80211W
888 		if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
889 			wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
890 				   "pairwise cipher", __func__);
891 			return -1;
892 		}
893 #endif /* CONFIG_IEEE80211W */
894 	} else if (left == 1) {
895 		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
896 			   __func__);
897 		return -5;
898 	}
899 
900 	if (left >= 2) {
901 		data->key_mgmt = 0;
902 		count = WPA_GET_LE16(pos);
903 		pos += 2;
904 		left -= 2;
905 		if (count == 0 || count > left / RSN_SELECTOR_LEN) {
906 			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
907 				   "count %u left %u", __func__, count, left);
908 			return -6;
909 		}
910 		for (i = 0; i < count; i++) {
911 			data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
912 			pos += RSN_SELECTOR_LEN;
913 			left -= RSN_SELECTOR_LEN;
914 		}
915 	} else if (left == 1) {
916 		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
917 			   __func__);
918 		return -7;
919 	}
920 
921 	if (left >= 2) {
922 		data->capabilities = WPA_GET_LE16(pos);
923 		pos += 2;
924 		left -= 2;
925 	}
926 
927 	if (left >= 2) {
928 		u16 num_pmkid = WPA_GET_LE16(pos);
929 		pos += 2;
930 		left -= 2;
931 		if (num_pmkid > (unsigned int) left / PMKID_LEN) {
932 			wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
933 				   "(num_pmkid=%u left=%d)",
934 				   __func__, num_pmkid, left);
935 			data->num_pmkid = 0;
936 			return -9;
937 		} else {
938 			data->num_pmkid = num_pmkid;
939 			data->pmkid = pos;
940 			pos += data->num_pmkid * PMKID_LEN;
941 			left -= data->num_pmkid * PMKID_LEN;
942 		}
943 	}
944 
945 #ifdef CONFIG_IEEE80211W
946 	if (left >= 4) {
947 		data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
948 		if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
949 			wpa_printf(MSG_DEBUG,
950 				   "%s: Unsupported management group cipher 0x%x (%08x)",
951 				   __func__, data->mgmt_group_cipher,
952 				   WPA_GET_BE32(pos));
953 			return -10;
954 		}
955 		pos += RSN_SELECTOR_LEN;
956 		left -= RSN_SELECTOR_LEN;
957 	}
958 #endif /* CONFIG_IEEE80211W */
959 
960 	if (left > 0) {
961 		wpa_hexdump(MSG_DEBUG,
962 			    "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
963 			    pos, left);
964 	}
965 
966 	return 0;
967 }
968 
969 
wpa_selector_to_bitfield(const u8 * s)970 static int wpa_selector_to_bitfield(const u8 *s)
971 {
972 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
973 		return WPA_CIPHER_NONE;
974 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
975 		return WPA_CIPHER_TKIP;
976 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
977 		return WPA_CIPHER_CCMP;
978 	return 0;
979 }
980 
981 
wpa_key_mgmt_to_bitfield(const u8 * s)982 static int wpa_key_mgmt_to_bitfield(const u8 *s)
983 {
984 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
985 		return WPA_KEY_MGMT_IEEE8021X;
986 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
987 		return WPA_KEY_MGMT_PSK;
988 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
989 		return WPA_KEY_MGMT_WPA_NONE;
990 	return 0;
991 }
992 
993 
wpa_parse_wpa_ie_wpa(const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ie_data * data)994 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
995 			 struct wpa_ie_data *data)
996 {
997 	const struct wpa_ie_hdr *hdr;
998 	const u8 *pos;
999 	int left;
1000 	int i, count;
1001 
1002 	os_memset(data, 0, sizeof(*data));
1003 	data->proto = WPA_PROTO_WPA;
1004 	data->pairwise_cipher = WPA_CIPHER_TKIP;
1005 	data->group_cipher = WPA_CIPHER_TKIP;
1006 	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1007 	data->capabilities = 0;
1008 	data->pmkid = NULL;
1009 	data->num_pmkid = 0;
1010 	data->mgmt_group_cipher = 0;
1011 
1012 	if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
1013 		wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1014 			   __func__, (unsigned long) wpa_ie_len);
1015 		return -1;
1016 	}
1017 
1018 	hdr = (const struct wpa_ie_hdr *) wpa_ie;
1019 
1020 	if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
1021 	    hdr->len != wpa_ie_len - 2 ||
1022 	    RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
1023 	    WPA_GET_LE16(hdr->version) != WPA_VERSION) {
1024 		wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1025 			   __func__);
1026 		return -2;
1027 	}
1028 
1029 	pos = (const u8 *) (hdr + 1);
1030 	left = wpa_ie_len - sizeof(*hdr);
1031 
1032 	if (left >= WPA_SELECTOR_LEN) {
1033 		data->group_cipher = wpa_selector_to_bitfield(pos);
1034 		pos += WPA_SELECTOR_LEN;
1035 		left -= WPA_SELECTOR_LEN;
1036 	} else if (left > 0) {
1037 		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1038 			   __func__, left);
1039 		return -3;
1040 	}
1041 
1042 	if (left >= 2) {
1043 		data->pairwise_cipher = 0;
1044 		count = WPA_GET_LE16(pos);
1045 		pos += 2;
1046 		left -= 2;
1047 		if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1048 			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1049 				   "count %u left %u", __func__, count, left);
1050 			return -4;
1051 		}
1052 		for (i = 0; i < count; i++) {
1053 			data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
1054 			pos += WPA_SELECTOR_LEN;
1055 			left -= WPA_SELECTOR_LEN;
1056 		}
1057 	} else if (left == 1) {
1058 		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1059 			   __func__);
1060 		return -5;
1061 	}
1062 
1063 	if (left >= 2) {
1064 		data->key_mgmt = 0;
1065 		count = WPA_GET_LE16(pos);
1066 		pos += 2;
1067 		left -= 2;
1068 		if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1069 			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1070 				   "count %u left %u", __func__, count, left);
1071 			return -6;
1072 		}
1073 		for (i = 0; i < count; i++) {
1074 			data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
1075 			pos += WPA_SELECTOR_LEN;
1076 			left -= WPA_SELECTOR_LEN;
1077 		}
1078 	} else if (left == 1) {
1079 		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1080 			   __func__);
1081 		return -7;
1082 	}
1083 
1084 	if (left >= 2) {
1085 		data->capabilities = WPA_GET_LE16(pos);
1086 		pos += 2;
1087 		left -= 2;
1088 	}
1089 
1090 	if (left > 0) {
1091 		wpa_hexdump(MSG_DEBUG,
1092 			    "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
1093 			    pos, left);
1094 	}
1095 
1096 	return 0;
1097 }
1098 
1099 
1100 #ifdef CONFIG_IEEE80211R
1101 
1102 /**
1103  * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
1104  *
1105  * IEEE Std 802.11r-2008 - 8.5.1.5.3
1106  */
wpa_derive_pmk_r0(const u8 * xxkey,size_t xxkey_len,const u8 * ssid,size_t ssid_len,const u8 * mdid,const u8 * r0kh_id,size_t r0kh_id_len,const u8 * s0kh_id,u8 * pmk_r0,u8 * pmk_r0_name)1107 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
1108 		      const u8 *ssid, size_t ssid_len,
1109 		      const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
1110 		      const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name)
1111 {
1112 	u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
1113 	       FT_R0KH_ID_MAX_LEN + ETH_ALEN];
1114 	u8 *pos, r0_key_data[48], hash[32];
1115 	const u8 *addr[2];
1116 	size_t len[2];
1117 
1118 	/*
1119 	 * R0-Key-Data = KDF-384(XXKey, "FT-R0",
1120 	 *                       SSIDlength || SSID || MDID || R0KHlength ||
1121 	 *                       R0KH-ID || S0KH-ID)
1122 	 * XXKey is either the second 256 bits of MSK or PSK.
1123 	 * PMK-R0 = L(R0-Key-Data, 0, 256)
1124 	 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128)
1125 	 */
1126 	if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
1127 		return -1;
1128 	pos = buf;
1129 	*pos++ = ssid_len;
1130 	os_memcpy(pos, ssid, ssid_len);
1131 	pos += ssid_len;
1132 	os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
1133 	pos += MOBILITY_DOMAIN_ID_LEN;
1134 	*pos++ = r0kh_id_len;
1135 	os_memcpy(pos, r0kh_id, r0kh_id_len);
1136 	pos += r0kh_id_len;
1137 	os_memcpy(pos, s0kh_id, ETH_ALEN);
1138 	pos += ETH_ALEN;
1139 
1140 	if (sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1141 		       r0_key_data, sizeof(r0_key_data)) < 0)
1142 		return -1;
1143 	os_memcpy(pmk_r0, r0_key_data, PMK_LEN);
1144 
1145 	/*
1146 	 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt)
1147 	 */
1148 	addr[0] = (const u8 *) "FT-R0N";
1149 	len[0] = 6;
1150 	addr[1] = r0_key_data + PMK_LEN;
1151 	len[1] = 16;
1152 
1153 	if (sha256_vector(2, addr, len, hash) < 0)
1154 		return -1;
1155 	os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
1156 	return 0;
1157 }
1158 
1159 
1160 /**
1161  * wpa_derive_pmk_r1_name - Derive PMKR1Name
1162  *
1163  * IEEE Std 802.11r-2008 - 8.5.1.5.4
1164  */
wpa_derive_pmk_r1_name(const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1_name)1165 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
1166 			   const u8 *s1kh_id, u8 *pmk_r1_name)
1167 {
1168 	u8 hash[32];
1169 	const u8 *addr[4];
1170 	size_t len[4];
1171 
1172 	/*
1173 	 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name ||
1174 	 *                                  R1KH-ID || S1KH-ID))
1175 	 */
1176 	addr[0] = (const u8 *) "FT-R1N";
1177 	len[0] = 6;
1178 	addr[1] = pmk_r0_name;
1179 	len[1] = WPA_PMK_NAME_LEN;
1180 	addr[2] = r1kh_id;
1181 	len[2] = FT_R1KH_ID_LEN;
1182 	addr[3] = s1kh_id;
1183 	len[3] = ETH_ALEN;
1184 
1185 	if (sha256_vector(4, addr, len, hash) < 0)
1186 		return -1;
1187 	os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
1188 	return 0;
1189 }
1190 
1191 
1192 /**
1193  * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
1194  *
1195  * IEEE Std 802.11r-2008 - 8.5.1.5.4
1196  */
wpa_derive_pmk_r1(const u8 * pmk_r0,const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1,u8 * pmk_r1_name)1197 int wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name,
1198 		      const u8 *r1kh_id, const u8 *s1kh_id,
1199 		      u8 *pmk_r1, u8 *pmk_r1_name)
1200 {
1201 	u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
1202 	u8 *pos;
1203 
1204 	/* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
1205 	pos = buf;
1206 	os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
1207 	pos += FT_R1KH_ID_LEN;
1208 	os_memcpy(pos, s1kh_id, ETH_ALEN);
1209 	pos += ETH_ALEN;
1210 
1211 	if (sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf,
1212 		       pmk_r1, PMK_LEN) < 0)
1213 		return -1;
1214 
1215 	return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
1216 				      pmk_r1_name);
1217 }
1218 
1219 
1220 /**
1221  * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
1222  *
1223  * IEEE Std 802.11r-2008 - 8.5.1.5.5
1224  */
wpa_pmk_r1_to_ptk(const u8 * pmk_r1,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * pmk_r1_name,struct wpa_ptk * ptk,u8 * ptk_name,int akmp,int cipher)1225 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce,
1226 		      const u8 *sta_addr, const u8 *bssid,
1227 		      const u8 *pmk_r1_name,
1228 		      struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher)
1229 {
1230 	u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
1231 	u8 *pos, hash[32];
1232 	const u8 *addr[6];
1233 	size_t len[6];
1234 	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
1235 	size_t ptk_len;
1236 
1237 	/*
1238 	 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
1239 	 *                  BSSID || STA-ADDR)
1240 	 */
1241 	pos = buf;
1242 	os_memcpy(pos, snonce, WPA_NONCE_LEN);
1243 	pos += WPA_NONCE_LEN;
1244 	os_memcpy(pos, anonce, WPA_NONCE_LEN);
1245 	pos += WPA_NONCE_LEN;
1246 	os_memcpy(pos, bssid, ETH_ALEN);
1247 	pos += ETH_ALEN;
1248 	os_memcpy(pos, sta_addr, ETH_ALEN);
1249 	pos += ETH_ALEN;
1250 
1251 	ptk->kck_len = wpa_kck_len(akmp);
1252 	ptk->kek_len = wpa_kek_len(akmp);
1253 	ptk->tk_len = wpa_cipher_key_len(cipher);
1254 	ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
1255 
1256 	if (sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf,
1257 		       tmp, ptk_len) < 0)
1258 		return -1;
1259 
1260 	/*
1261 	 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
1262 	 *                                ANonce || BSSID || STA-ADDR))
1263 	 */
1264 	addr[0] = pmk_r1_name;
1265 	len[0] = WPA_PMK_NAME_LEN;
1266 	addr[1] = (const u8 *) "FT-PTKN";
1267 	len[1] = 7;
1268 	addr[2] = snonce;
1269 	len[2] = WPA_NONCE_LEN;
1270 	addr[3] = anonce;
1271 	len[3] = WPA_NONCE_LEN;
1272 	addr[4] = bssid;
1273 	len[4] = ETH_ALEN;
1274 	addr[5] = sta_addr;
1275 	len[5] = ETH_ALEN;
1276 
1277 	if (sha256_vector(6, addr, len, hash) < 0)
1278 		return -1;
1279 	os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
1280 
1281 	os_memcpy(ptk->kck, tmp, ptk->kck_len);
1282 	os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
1283 	os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
1284 
1285 	wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
1286 	wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
1287 	wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
1288 	wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
1289 
1290 	os_memset(tmp, 0, sizeof(tmp));
1291 
1292 	return 0;
1293 }
1294 
1295 #endif /* CONFIG_IEEE80211R */
1296 
1297 
1298 /**
1299  * rsn_pmkid - Calculate PMK identifier
1300  * @pmk: Pairwise master key
1301  * @pmk_len: Length of pmk in bytes
1302  * @aa: Authenticator address
1303  * @spa: Supplicant address
1304  * @pmkid: Buffer for PMKID
1305  * @use_sha256: Whether to use SHA256-based KDF
1306  *
1307  * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
1308  * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
1309  */
rsn_pmkid(const u8 * pmk,size_t pmk_len,const u8 * aa,const u8 * spa,u8 * pmkid,int use_sha256)1310 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
1311 	       u8 *pmkid, int use_sha256)
1312 {
1313 	char *title = "PMK Name";
1314 	const u8 *addr[3];
1315 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1316 	unsigned char hash[SHA256_MAC_LEN];
1317 
1318 	addr[0] = (u8 *) title;
1319 	addr[1] = aa;
1320 	addr[2] = spa;
1321 
1322 #ifdef CONFIG_IEEE80211W
1323 	if (use_sha256)
1324 		hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
1325 	else
1326 #endif /* CONFIG_IEEE80211W */
1327 		hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
1328 	os_memcpy(pmkid, hash, PMKID_LEN);
1329 }
1330 
1331 
1332 #ifdef CONFIG_SUITEB
1333 /**
1334  * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
1335  * @kck: Key confirmation key
1336  * @kck_len: Length of kck in bytes
1337  * @aa: Authenticator address
1338  * @spa: Supplicant address
1339  * @pmkid: Buffer for PMKID
1340  * Returns: 0 on success, -1 on failure
1341  *
1342  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1343  * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
1344  */
rsn_pmkid_suite_b(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)1345 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
1346 		      const u8 *spa, u8 *pmkid)
1347 {
1348 	char *title = "PMK Name";
1349 	const u8 *addr[3];
1350 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1351 	unsigned char hash[SHA256_MAC_LEN];
1352 
1353 	addr[0] = (u8 *) title;
1354 	addr[1] = aa;
1355 	addr[2] = spa;
1356 
1357 	if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
1358 		return -1;
1359 	os_memcpy(pmkid, hash, PMKID_LEN);
1360 	return 0;
1361 }
1362 #endif /* CONFIG_SUITEB */
1363 
1364 
1365 #ifdef CONFIG_SUITEB192
1366 /**
1367  * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
1368  * @kck: Key confirmation key
1369  * @kck_len: Length of kck in bytes
1370  * @aa: Authenticator address
1371  * @spa: Supplicant address
1372  * @pmkid: Buffer for PMKID
1373  * Returns: 0 on success, -1 on failure
1374  *
1375  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1376  * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
1377  */
rsn_pmkid_suite_b_192(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)1378 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
1379 			  const u8 *spa, u8 *pmkid)
1380 {
1381 	char *title = "PMK Name";
1382 	const u8 *addr[3];
1383 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1384 	unsigned char hash[SHA384_MAC_LEN];
1385 
1386 	addr[0] = (u8 *) title;
1387 	addr[1] = aa;
1388 	addr[2] = spa;
1389 
1390 	if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
1391 		return -1;
1392 	os_memcpy(pmkid, hash, PMKID_LEN);
1393 	return 0;
1394 }
1395 #endif /* CONFIG_SUITEB192 */
1396 
1397 
1398 /**
1399  * wpa_cipher_txt - Convert cipher suite to a text string
1400  * @cipher: Cipher suite (WPA_CIPHER_* enum)
1401  * Returns: Pointer to a text string of the cipher suite name
1402  */
wpa_cipher_txt(int cipher)1403 const char * wpa_cipher_txt(int cipher)
1404 {
1405 	switch (cipher) {
1406 	case WPA_CIPHER_NONE:
1407 		return "NONE";
1408 	case WPA_CIPHER_WEP40:
1409 		return "WEP-40";
1410 	case WPA_CIPHER_WEP104:
1411 		return "WEP-104";
1412 	case WPA_CIPHER_TKIP:
1413 		return "TKIP";
1414 	case WPA_CIPHER_CCMP:
1415 		return "CCMP";
1416 	case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
1417 		return "CCMP+TKIP";
1418 	case WPA_CIPHER_GCMP:
1419 		return "GCMP";
1420 	case WPA_CIPHER_GCMP_256:
1421 		return "GCMP-256";
1422 	case WPA_CIPHER_CCMP_256:
1423 		return "CCMP-256";
1424 	case WPA_CIPHER_GTK_NOT_USED:
1425 		return "GTK_NOT_USED";
1426 	default:
1427 		return "UNKNOWN";
1428 	}
1429 }
1430 
1431 
1432 /**
1433  * wpa_key_mgmt_txt - Convert key management suite to a text string
1434  * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
1435  * @proto: WPA/WPA2 version (WPA_PROTO_*)
1436  * Returns: Pointer to a text string of the key management suite name
1437  */
wpa_key_mgmt_txt(int key_mgmt,int proto)1438 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
1439 {
1440 	switch (key_mgmt) {
1441 	case WPA_KEY_MGMT_IEEE8021X:
1442 		if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1443 			return "WPA2+WPA/IEEE 802.1X/EAP";
1444 		return proto == WPA_PROTO_RSN ?
1445 			"WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
1446 	case WPA_KEY_MGMT_PSK:
1447 		if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1448 			return "WPA2-PSK+WPA-PSK";
1449 		return proto == WPA_PROTO_RSN ?
1450 			"WPA2-PSK" : "WPA-PSK";
1451 	case WPA_KEY_MGMT_NONE:
1452 		return "NONE";
1453 	case WPA_KEY_MGMT_WPA_NONE:
1454 		return "WPA-NONE";
1455 	case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
1456 		return "IEEE 802.1X (no WPA)";
1457 #ifdef CONFIG_IEEE80211R
1458 	case WPA_KEY_MGMT_FT_IEEE8021X:
1459 		return "FT-EAP";
1460 	case WPA_KEY_MGMT_FT_PSK:
1461 		return "FT-PSK";
1462 #endif /* CONFIG_IEEE80211R */
1463 #ifdef CONFIG_IEEE80211W
1464 	case WPA_KEY_MGMT_IEEE8021X_SHA256:
1465 		return "WPA2-EAP-SHA256";
1466 	case WPA_KEY_MGMT_PSK_SHA256:
1467 		return "WPA2-PSK-SHA256";
1468 #endif /* CONFIG_IEEE80211W */
1469 	case WPA_KEY_MGMT_WPS:
1470 		return "WPS";
1471 	case WPA_KEY_MGMT_SAE:
1472 		return "SAE";
1473 	case WPA_KEY_MGMT_FT_SAE:
1474 		return "FT-SAE";
1475 	case WPA_KEY_MGMT_OSEN:
1476 		return "OSEN";
1477 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
1478 		return "WPA2-EAP-SUITE-B";
1479 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
1480 		return "WPA2-EAP-SUITE-B-192";
1481 	case WPA_KEY_MGMT_FILS_SHA256:
1482 		return "FILS-SHA256";
1483 	case WPA_KEY_MGMT_FILS_SHA384:
1484 		return "FILS-SHA384";
1485 	case WPA_KEY_MGMT_FT_FILS_SHA256:
1486 		return "FT-FILS-SHA256";
1487 	case WPA_KEY_MGMT_FT_FILS_SHA384:
1488 		return "FT-FILS-SHA384";
1489 	default:
1490 		return "UNKNOWN";
1491 	}
1492 }
1493 
1494 
wpa_akm_to_suite(int akm)1495 u32 wpa_akm_to_suite(int akm)
1496 {
1497 	if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
1498 		return RSN_AUTH_KEY_MGMT_FT_802_1X;
1499 	if (akm & WPA_KEY_MGMT_FT_PSK)
1500 		return RSN_AUTH_KEY_MGMT_FT_PSK;
1501 	if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
1502 		return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
1503 	if (akm & WPA_KEY_MGMT_IEEE8021X)
1504 		return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
1505 	if (akm & WPA_KEY_MGMT_PSK_SHA256)
1506 		return RSN_AUTH_KEY_MGMT_PSK_SHA256;
1507 	if (akm & WPA_KEY_MGMT_PSK)
1508 		return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
1509 	if (akm & WPA_KEY_MGMT_CCKM)
1510 		return RSN_AUTH_KEY_MGMT_CCKM;
1511 	if (akm & WPA_KEY_MGMT_OSEN)
1512 		return RSN_AUTH_KEY_MGMT_OSEN;
1513 	if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
1514 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
1515 	if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
1516 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
1517 	if (akm & WPA_KEY_MGMT_FILS_SHA256)
1518 		return RSN_AUTH_KEY_MGMT_FILS_SHA256;
1519 	if (akm & WPA_KEY_MGMT_FILS_SHA384)
1520 		return RSN_AUTH_KEY_MGMT_FILS_SHA384;
1521 	if (akm & WPA_KEY_MGMT_FT_FILS_SHA256)
1522 		return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
1523 	if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
1524 		return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
1525 	return 0;
1526 }
1527 
1528 
wpa_compare_rsn_ie(int ft_initial_assoc,const u8 * ie1,size_t ie1len,const u8 * ie2,size_t ie2len)1529 int wpa_compare_rsn_ie(int ft_initial_assoc,
1530 		       const u8 *ie1, size_t ie1len,
1531 		       const u8 *ie2, size_t ie2len)
1532 {
1533 	if (ie1 == NULL || ie2 == NULL)
1534 		return -1;
1535 
1536 	if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
1537 		return 0; /* identical IEs */
1538 
1539 #ifdef CONFIG_IEEE80211R
1540 	if (ft_initial_assoc) {
1541 		struct wpa_ie_data ie1d, ie2d;
1542 		/*
1543 		 * The PMKID-List in RSN IE is different between Beacon/Probe
1544 		 * Response/(Re)Association Request frames and EAPOL-Key
1545 		 * messages in FT initial mobility domain association. Allow
1546 		 * for this, but verify that other parts of the RSN IEs are
1547 		 * identical.
1548 		 */
1549 		if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
1550 		    wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
1551 			return -1;
1552 		if (ie1d.proto == ie2d.proto &&
1553 		    ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
1554 		    ie1d.group_cipher == ie2d.group_cipher &&
1555 		    ie1d.key_mgmt == ie2d.key_mgmt &&
1556 		    ie1d.capabilities == ie2d.capabilities &&
1557 		    ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
1558 			return 0;
1559 	}
1560 #endif /* CONFIG_IEEE80211R */
1561 
1562 	return -1;
1563 }
1564 
1565 
1566 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS)
wpa_insert_pmkid(u8 * ies,size_t * ies_len,const u8 * pmkid)1567 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
1568 {
1569 	u8 *start, *end, *rpos, *rend;
1570 	int added = 0;
1571 
1572 	start = ies;
1573 	end = ies + *ies_len;
1574 
1575 	while (start < end) {
1576 		if (*start == WLAN_EID_RSN)
1577 			break;
1578 		start += 2 + start[1];
1579 	}
1580 	if (start >= end) {
1581 		wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in "
1582 			   "IEs data");
1583 		return -1;
1584 	}
1585 	wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification",
1586 		    start, 2 + start[1]);
1587 
1588 	/* Find start of PMKID-Count */
1589 	rpos = start + 2;
1590 	rend = rpos + start[1];
1591 
1592 	/* Skip Version and Group Data Cipher Suite */
1593 	rpos += 2 + 4;
1594 	/* Skip Pairwise Cipher Suite Count and List */
1595 	rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1596 	/* Skip AKM Suite Count and List */
1597 	rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1598 
1599 	if (rpos == rend) {
1600 		/* Add RSN Capabilities */
1601 		os_memmove(rpos + 2, rpos, end - rpos);
1602 		*rpos++ = 0;
1603 		*rpos++ = 0;
1604 		added += 2;
1605 		start[1] += 2;
1606 		rend = rpos;
1607 	} else {
1608 		/* Skip RSN Capabilities */
1609 		rpos += 2;
1610 		if (rpos > rend) {
1611 			wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in "
1612 				   "IEs data");
1613 			return -1;
1614 		}
1615 	}
1616 
1617 	if (rpos == rend) {
1618 		/* No PMKID-Count field included; add it */
1619 		os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
1620 		WPA_PUT_LE16(rpos, 1);
1621 		rpos += 2;
1622 		os_memcpy(rpos, pmkid, PMKID_LEN);
1623 		added += 2 + PMKID_LEN;
1624 		start[1] += 2 + PMKID_LEN;
1625 	} else {
1626 		u16 num_pmkid;
1627 
1628 		if (rend - rpos < 2)
1629 			return -1;
1630 		num_pmkid = WPA_GET_LE16(rpos);
1631 		/* PMKID-Count was included; use it */
1632 		if (num_pmkid != 0) {
1633 			u8 *after;
1634 
1635 			if (num_pmkid * PMKID_LEN > rend - rpos - 2)
1636 				return -1;
1637 			/*
1638 			 * PMKID may have been included in RSN IE in
1639 			 * (Re)Association Request frame, so remove the old
1640 			 * PMKID(s) first before adding the new one.
1641 			 */
1642 			wpa_printf(MSG_DEBUG,
1643 				   "FT: Remove %u old PMKID(s) from RSN IE",
1644 				   num_pmkid);
1645 			after = rpos + 2 + num_pmkid * PMKID_LEN;
1646 			os_memmove(rpos + 2, after, rend - after);
1647 			start[1] -= num_pmkid * PMKID_LEN;
1648 			added -= num_pmkid * PMKID_LEN;
1649 		}
1650 		WPA_PUT_LE16(rpos, 1);
1651 		rpos += 2;
1652 		os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
1653 		os_memcpy(rpos, pmkid, PMKID_LEN);
1654 		added += PMKID_LEN;
1655 		start[1] += PMKID_LEN;
1656 	}
1657 
1658 	wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification "
1659 		    "(PMKID inserted)", start, 2 + start[1]);
1660 
1661 	*ies_len += added;
1662 
1663 	return 0;
1664 }
1665 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */
1666 
1667 
wpa_cipher_key_len(int cipher)1668 int wpa_cipher_key_len(int cipher)
1669 {
1670 	switch (cipher) {
1671 	case WPA_CIPHER_CCMP_256:
1672 	case WPA_CIPHER_GCMP_256:
1673 	case WPA_CIPHER_BIP_GMAC_256:
1674 	case WPA_CIPHER_BIP_CMAC_256:
1675 		return 32;
1676 	case WPA_CIPHER_CCMP:
1677 	case WPA_CIPHER_GCMP:
1678 	case WPA_CIPHER_AES_128_CMAC:
1679 	case WPA_CIPHER_BIP_GMAC_128:
1680 		return 16;
1681 	case WPA_CIPHER_TKIP:
1682 		return 32;
1683 	}
1684 
1685 	return 0;
1686 }
1687 
1688 
wpa_cipher_rsc_len(int cipher)1689 int wpa_cipher_rsc_len(int cipher)
1690 {
1691 	switch (cipher) {
1692 	case WPA_CIPHER_CCMP_256:
1693 	case WPA_CIPHER_GCMP_256:
1694 	case WPA_CIPHER_CCMP:
1695 	case WPA_CIPHER_GCMP:
1696 	case WPA_CIPHER_TKIP:
1697 		return 6;
1698 	}
1699 
1700 	return 0;
1701 }
1702 
1703 
wpa_cipher_to_alg(int cipher)1704 enum wpa_alg wpa_cipher_to_alg(int cipher)
1705 {
1706 	switch (cipher) {
1707 	case WPA_CIPHER_CCMP_256:
1708 		return WPA_ALG_CCMP_256;
1709 	case WPA_CIPHER_GCMP_256:
1710 		return WPA_ALG_GCMP_256;
1711 	case WPA_CIPHER_CCMP:
1712 		return WPA_ALG_CCMP;
1713 	case WPA_CIPHER_GCMP:
1714 		return WPA_ALG_GCMP;
1715 	case WPA_CIPHER_TKIP:
1716 		return WPA_ALG_TKIP;
1717 	case WPA_CIPHER_AES_128_CMAC:
1718 		return WPA_ALG_IGTK;
1719 	case WPA_CIPHER_BIP_GMAC_128:
1720 		return WPA_ALG_BIP_GMAC_128;
1721 	case WPA_CIPHER_BIP_GMAC_256:
1722 		return WPA_ALG_BIP_GMAC_256;
1723 	case WPA_CIPHER_BIP_CMAC_256:
1724 		return WPA_ALG_BIP_CMAC_256;
1725 	}
1726 	return WPA_ALG_NONE;
1727 }
1728 
1729 
wpa_cipher_valid_pairwise(int cipher)1730 int wpa_cipher_valid_pairwise(int cipher)
1731 {
1732 	return cipher == WPA_CIPHER_CCMP_256 ||
1733 		cipher == WPA_CIPHER_GCMP_256 ||
1734 		cipher == WPA_CIPHER_CCMP ||
1735 		cipher == WPA_CIPHER_GCMP ||
1736 		cipher == WPA_CIPHER_TKIP;
1737 }
1738 
1739 
wpa_cipher_to_suite(int proto,int cipher)1740 u32 wpa_cipher_to_suite(int proto, int cipher)
1741 {
1742 	if (cipher & WPA_CIPHER_CCMP_256)
1743 		return RSN_CIPHER_SUITE_CCMP_256;
1744 	if (cipher & WPA_CIPHER_GCMP_256)
1745 		return RSN_CIPHER_SUITE_GCMP_256;
1746 	if (cipher & WPA_CIPHER_CCMP)
1747 		return (proto == WPA_PROTO_RSN ?
1748 			RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
1749 	if (cipher & WPA_CIPHER_GCMP)
1750 		return RSN_CIPHER_SUITE_GCMP;
1751 	if (cipher & WPA_CIPHER_TKIP)
1752 		return (proto == WPA_PROTO_RSN ?
1753 			RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
1754 	if (cipher & WPA_CIPHER_NONE)
1755 		return (proto == WPA_PROTO_RSN ?
1756 			RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
1757 	if (cipher & WPA_CIPHER_GTK_NOT_USED)
1758 		return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
1759 	if (cipher & WPA_CIPHER_AES_128_CMAC)
1760 		return RSN_CIPHER_SUITE_AES_128_CMAC;
1761 	if (cipher & WPA_CIPHER_BIP_GMAC_128)
1762 		return RSN_CIPHER_SUITE_BIP_GMAC_128;
1763 	if (cipher & WPA_CIPHER_BIP_GMAC_256)
1764 		return RSN_CIPHER_SUITE_BIP_GMAC_256;
1765 	if (cipher & WPA_CIPHER_BIP_CMAC_256)
1766 		return RSN_CIPHER_SUITE_BIP_CMAC_256;
1767 	return 0;
1768 }
1769 
1770 
rsn_cipher_put_suites(u8 * start,int ciphers)1771 int rsn_cipher_put_suites(u8 *start, int ciphers)
1772 {
1773 	u8 *pos = start;
1774 
1775 	if (ciphers & WPA_CIPHER_CCMP_256) {
1776 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
1777 		pos += RSN_SELECTOR_LEN;
1778 	}
1779 	if (ciphers & WPA_CIPHER_GCMP_256) {
1780 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
1781 		pos += RSN_SELECTOR_LEN;
1782 	}
1783 	if (ciphers & WPA_CIPHER_CCMP) {
1784 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1785 		pos += RSN_SELECTOR_LEN;
1786 	}
1787 	if (ciphers & WPA_CIPHER_GCMP) {
1788 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
1789 		pos += RSN_SELECTOR_LEN;
1790 	}
1791 	if (ciphers & WPA_CIPHER_TKIP) {
1792 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
1793 		pos += RSN_SELECTOR_LEN;
1794 	}
1795 	if (ciphers & WPA_CIPHER_NONE) {
1796 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
1797 		pos += RSN_SELECTOR_LEN;
1798 	}
1799 
1800 	return (pos - start) / RSN_SELECTOR_LEN;
1801 }
1802 
1803 
wpa_cipher_put_suites(u8 * start,int ciphers)1804 int wpa_cipher_put_suites(u8 *start, int ciphers)
1805 {
1806 	u8 *pos = start;
1807 
1808 	if (ciphers & WPA_CIPHER_CCMP) {
1809 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
1810 		pos += WPA_SELECTOR_LEN;
1811 	}
1812 	if (ciphers & WPA_CIPHER_TKIP) {
1813 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
1814 		pos += WPA_SELECTOR_LEN;
1815 	}
1816 	if (ciphers & WPA_CIPHER_NONE) {
1817 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
1818 		pos += WPA_SELECTOR_LEN;
1819 	}
1820 
1821 	return (pos - start) / RSN_SELECTOR_LEN;
1822 }
1823 
1824 
wpa_pick_pairwise_cipher(int ciphers,int none_allowed)1825 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
1826 {
1827 	if (ciphers & WPA_CIPHER_CCMP_256)
1828 		return WPA_CIPHER_CCMP_256;
1829 	if (ciphers & WPA_CIPHER_GCMP_256)
1830 		return WPA_CIPHER_GCMP_256;
1831 	if (ciphers & WPA_CIPHER_CCMP)
1832 		return WPA_CIPHER_CCMP;
1833 	if (ciphers & WPA_CIPHER_GCMP)
1834 		return WPA_CIPHER_GCMP;
1835 	if (ciphers & WPA_CIPHER_TKIP)
1836 		return WPA_CIPHER_TKIP;
1837 	if (none_allowed && (ciphers & WPA_CIPHER_NONE))
1838 		return WPA_CIPHER_NONE;
1839 	return -1;
1840 }
1841 
1842 
wpa_pick_group_cipher(int ciphers)1843 int wpa_pick_group_cipher(int ciphers)
1844 {
1845 	if (ciphers & WPA_CIPHER_CCMP_256)
1846 		return WPA_CIPHER_CCMP_256;
1847 	if (ciphers & WPA_CIPHER_GCMP_256)
1848 		return WPA_CIPHER_GCMP_256;
1849 	if (ciphers & WPA_CIPHER_CCMP)
1850 		return WPA_CIPHER_CCMP;
1851 	if (ciphers & WPA_CIPHER_GCMP)
1852 		return WPA_CIPHER_GCMP;
1853 	if (ciphers & WPA_CIPHER_GTK_NOT_USED)
1854 		return WPA_CIPHER_GTK_NOT_USED;
1855 	if (ciphers & WPA_CIPHER_TKIP)
1856 		return WPA_CIPHER_TKIP;
1857 	return -1;
1858 }
1859 
1860 
wpa_parse_cipher(const char * value)1861 int wpa_parse_cipher(const char *value)
1862 {
1863 	int val = 0, last;
1864 	char *start, *end, *buf;
1865 
1866 	buf = os_strdup(value);
1867 	if (buf == NULL)
1868 		return -1;
1869 	start = buf;
1870 
1871 	while (*start != '\0') {
1872 		while (*start == ' ' || *start == '\t')
1873 			start++;
1874 		if (*start == '\0')
1875 			break;
1876 		end = start;
1877 		while (*end != ' ' && *end != '\t' && *end != '\0')
1878 			end++;
1879 		last = *end == '\0';
1880 		*end = '\0';
1881 		if (os_strcmp(start, "CCMP-256") == 0)
1882 			val |= WPA_CIPHER_CCMP_256;
1883 		else if (os_strcmp(start, "GCMP-256") == 0)
1884 			val |= WPA_CIPHER_GCMP_256;
1885 		else if (os_strcmp(start, "CCMP") == 0)
1886 			val |= WPA_CIPHER_CCMP;
1887 		else if (os_strcmp(start, "GCMP") == 0)
1888 			val |= WPA_CIPHER_GCMP;
1889 		else if (os_strcmp(start, "TKIP") == 0)
1890 			val |= WPA_CIPHER_TKIP;
1891 		else if (os_strcmp(start, "WEP104") == 0)
1892 			val |= WPA_CIPHER_WEP104;
1893 		else if (os_strcmp(start, "WEP40") == 0)
1894 			val |= WPA_CIPHER_WEP40;
1895 		else if (os_strcmp(start, "NONE") == 0)
1896 			val |= WPA_CIPHER_NONE;
1897 		else if (os_strcmp(start, "GTK_NOT_USED") == 0)
1898 			val |= WPA_CIPHER_GTK_NOT_USED;
1899 		else {
1900 			os_free(buf);
1901 			return -1;
1902 		}
1903 
1904 		if (last)
1905 			break;
1906 		start = end + 1;
1907 	}
1908 	os_free(buf);
1909 
1910 	return val;
1911 }
1912 
1913 
wpa_write_ciphers(char * start,char * end,int ciphers,const char * delim)1914 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
1915 {
1916 	char *pos = start;
1917 	int ret;
1918 
1919 	if (ciphers & WPA_CIPHER_CCMP_256) {
1920 		ret = os_snprintf(pos, end - pos, "%sCCMP-256",
1921 				  pos == start ? "" : delim);
1922 		if (os_snprintf_error(end - pos, ret))
1923 			return -1;
1924 		pos += ret;
1925 	}
1926 	if (ciphers & WPA_CIPHER_GCMP_256) {
1927 		ret = os_snprintf(pos, end - pos, "%sGCMP-256",
1928 				  pos == start ? "" : delim);
1929 		if (os_snprintf_error(end - pos, ret))
1930 			return -1;
1931 		pos += ret;
1932 	}
1933 	if (ciphers & WPA_CIPHER_CCMP) {
1934 		ret = os_snprintf(pos, end - pos, "%sCCMP",
1935 				  pos == start ? "" : delim);
1936 		if (os_snprintf_error(end - pos, ret))
1937 			return -1;
1938 		pos += ret;
1939 	}
1940 	if (ciphers & WPA_CIPHER_GCMP) {
1941 		ret = os_snprintf(pos, end - pos, "%sGCMP",
1942 				  pos == start ? "" : delim);
1943 		if (os_snprintf_error(end - pos, ret))
1944 			return -1;
1945 		pos += ret;
1946 	}
1947 	if (ciphers & WPA_CIPHER_TKIP) {
1948 		ret = os_snprintf(pos, end - pos, "%sTKIP",
1949 				  pos == start ? "" : delim);
1950 		if (os_snprintf_error(end - pos, ret))
1951 			return -1;
1952 		pos += ret;
1953 	}
1954 	if (ciphers & WPA_CIPHER_NONE) {
1955 		ret = os_snprintf(pos, end - pos, "%sNONE",
1956 				  pos == start ? "" : delim);
1957 		if (os_snprintf_error(end - pos, ret))
1958 			return -1;
1959 		pos += ret;
1960 	}
1961 
1962 	return pos - start;
1963 }
1964 
1965 
wpa_select_ap_group_cipher(int wpa,int wpa_pairwise,int rsn_pairwise)1966 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
1967 {
1968 	int pairwise = 0;
1969 
1970 	/* Select group cipher based on the enabled pairwise cipher suites */
1971 	if (wpa & 1)
1972 		pairwise |= wpa_pairwise;
1973 	if (wpa & 2)
1974 		pairwise |= rsn_pairwise;
1975 
1976 	if (pairwise & WPA_CIPHER_TKIP)
1977 		return WPA_CIPHER_TKIP;
1978 	if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
1979 		return WPA_CIPHER_GCMP;
1980 	if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
1981 			 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
1982 		return WPA_CIPHER_GCMP_256;
1983 	if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
1984 			 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
1985 		return WPA_CIPHER_CCMP_256;
1986 	return WPA_CIPHER_CCMP;
1987 }
1988 
1989 
1990 #ifdef CONFIG_FILS
fils_domain_name_hash(const char * domain,u8 * hash)1991 int fils_domain_name_hash(const char *domain, u8 *hash)
1992 {
1993 	char buf[255], *wpos = buf;
1994 	const char *pos = domain;
1995 	size_t len;
1996 	const u8 *addr[1];
1997 	u8 mac[SHA256_MAC_LEN];
1998 
1999 	for (len = 0; len < sizeof(buf) && *pos; len++) {
2000 		if (isalpha(*pos) && isupper(*pos))
2001 			*wpos++ = tolower(*pos);
2002 		else
2003 			*wpos++ = *pos;
2004 		pos++;
2005 	}
2006 
2007 	addr[0] = (const u8 *) buf;
2008 	if (sha256_vector(1, addr, &len, mac) < 0)
2009 		return -1;
2010 	os_memcpy(hash, mac, 2);
2011 	return 0;
2012 }
2013 #endif /* CONFIG_FILS */
2014