1 /*
2 * WPA/RSN - Shared functions for supplicant and authenticator
3 * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/sha384.h"
16 #include "crypto/aes_wrap.h"
17 #include "crypto/crypto.h"
18 #include "ieee802_11_defs.h"
19 #include "defs.h"
20 #include "wpa_common.h"
21
22
wpa_kck_len(int akmp)23 static unsigned int wpa_kck_len(int akmp)
24 {
25 switch (akmp) {
26 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
27 return 24;
28 case WPA_KEY_MGMT_FILS_SHA256:
29 case WPA_KEY_MGMT_FT_FILS_SHA256:
30 case WPA_KEY_MGMT_FILS_SHA384:
31 case WPA_KEY_MGMT_FT_FILS_SHA384:
32 return 0;
33 default:
34 return 16;
35 }
36 }
37
38
wpa_kek_len(int akmp)39 static unsigned int wpa_kek_len(int akmp)
40 {
41 switch (akmp) {
42 case WPA_KEY_MGMT_FILS_SHA384:
43 case WPA_KEY_MGMT_FT_FILS_SHA384:
44 return 64;
45 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
46 case WPA_KEY_MGMT_FILS_SHA256:
47 case WPA_KEY_MGMT_FT_FILS_SHA256:
48 return 32;
49 default:
50 return 16;
51 }
52 }
53
54
wpa_mic_len(int akmp)55 unsigned int wpa_mic_len(int akmp)
56 {
57 switch (akmp) {
58 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
59 return 24;
60 case WPA_KEY_MGMT_FILS_SHA256:
61 case WPA_KEY_MGMT_FILS_SHA384:
62 case WPA_KEY_MGMT_FT_FILS_SHA256:
63 case WPA_KEY_MGMT_FT_FILS_SHA384:
64 return 0;
65 default:
66 return 16;
67 }
68 }
69
70
71 /**
72 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
73 * @key: EAPOL-Key Key Confirmation Key (KCK)
74 * @key_len: KCK length in octets
75 * @akmp: WPA_KEY_MGMT_* used in key derivation
76 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
77 * @buf: Pointer to the beginning of the EAPOL header (version field)
78 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
79 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
80 * Returns: 0 on success, -1 on failure
81 *
82 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
83 * to be cleared (all zeroes) when calling this function.
84 *
85 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
86 * description of the Key MIC calculation. It includes packet data from the
87 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
88 * happened during final editing of the standard and the correct behavior is
89 * defined in the last draft (IEEE 802.11i/D10).
90 */
wpa_eapol_key_mic(const u8 * key,size_t key_len,int akmp,int ver,const u8 * buf,size_t len,u8 * mic)91 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
92 const u8 *buf, size_t len, u8 *mic)
93 {
94 u8 hash[SHA384_MAC_LEN];
95
96 switch (ver) {
97 #ifndef CONFIG_FIPS
98 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
99 return hmac_md5(key, key_len, buf, len, mic);
100 #endif /* CONFIG_FIPS */
101 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
102 if (hmac_sha1(key, key_len, buf, len, hash))
103 return -1;
104 os_memcpy(mic, hash, MD5_MAC_LEN);
105 break;
106 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
107 case WPA_KEY_INFO_TYPE_AES_128_CMAC:
108 return omac1_aes_128(key, buf, len, mic);
109 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
110 case WPA_KEY_INFO_TYPE_AKM_DEFINED:
111 switch (akmp) {
112 #ifdef CONFIG_HS20
113 case WPA_KEY_MGMT_OSEN:
114 return omac1_aes_128(key, buf, len, mic);
115 #endif /* CONFIG_HS20 */
116 #ifdef CONFIG_SUITEB
117 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
118 if (hmac_sha256(key, key_len, buf, len, hash))
119 return -1;
120 os_memcpy(mic, hash, MD5_MAC_LEN);
121 break;
122 #endif /* CONFIG_SUITEB */
123 #ifdef CONFIG_SUITEB192
124 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
125 if (hmac_sha384(key, key_len, buf, len, hash))
126 return -1;
127 os_memcpy(mic, hash, 24);
128 break;
129 #endif /* CONFIG_SUITEB192 */
130 default:
131 return -1;
132 }
133 break;
134 default:
135 return -1;
136 }
137
138 return 0;
139 }
140
141
142 /**
143 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
144 * @pmk: Pairwise master key
145 * @pmk_len: Length of PMK
146 * @label: Label to use in derivation
147 * @addr1: AA or SA
148 * @addr2: SA or AA
149 * @nonce1: ANonce or SNonce
150 * @nonce2: SNonce or ANonce
151 * @ptk: Buffer for pairwise transient key
152 * @akmp: Negotiated AKM
153 * @cipher: Negotiated pairwise cipher
154 * Returns: 0 on success, -1 on failure
155 *
156 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
157 * PTK = PRF-X(PMK, "Pairwise key expansion",
158 * Min(AA, SA) || Max(AA, SA) ||
159 * Min(ANonce, SNonce) || Max(ANonce, SNonce))
160 *
161 * STK = PRF-X(SMK, "Peer key expansion",
162 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) ||
163 * Min(INonce, PNonce) || Max(INonce, PNonce))
164 */
wpa_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const char * label,const u8 * addr1,const u8 * addr2,const u8 * nonce1,const u8 * nonce2,struct wpa_ptk * ptk,int akmp,int cipher)165 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
166 const u8 *addr1, const u8 *addr2,
167 const u8 *nonce1, const u8 *nonce2,
168 struct wpa_ptk *ptk, int akmp, int cipher)
169 {
170 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN];
171 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
172 size_t ptk_len;
173
174 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
175 os_memcpy(data, addr1, ETH_ALEN);
176 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
177 } else {
178 os_memcpy(data, addr2, ETH_ALEN);
179 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
180 }
181
182 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
183 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
184 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
185 WPA_NONCE_LEN);
186 } else {
187 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
188 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
189 WPA_NONCE_LEN);
190 }
191
192 ptk->kck_len = wpa_kck_len(akmp);
193 ptk->kek_len = wpa_kek_len(akmp);
194 ptk->tk_len = wpa_cipher_key_len(cipher);
195 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
196
197 #if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS)
198 if (wpa_key_mgmt_sha384(akmp))
199 sha384_prf(pmk, pmk_len, label, data, sizeof(data),
200 tmp, ptk_len);
201 else
202 #endif /* CONFIG_SUITEB192 || CONFIG_FILS */
203 #ifdef CONFIG_IEEE80211W
204 if (wpa_key_mgmt_sha256(akmp))
205 sha256_prf(pmk, pmk_len, label, data, sizeof(data),
206 tmp, ptk_len);
207 else
208 #endif /* CONFIG_IEEE80211W */
209 sha1_prf(pmk, pmk_len, label, data, sizeof(data), tmp, ptk_len);
210
211 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
212 MAC2STR(addr1), MAC2STR(addr2));
213 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
214 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
215 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
216 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
217
218 os_memcpy(ptk->kck, tmp, ptk->kck_len);
219 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
220
221 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
222 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
223
224 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
225 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
226
227 os_memset(tmp, 0, sizeof(tmp));
228 return 0;
229 }
230
231 #ifdef CONFIG_FILS
232
fils_rmsk_to_pmk(int akmp,const u8 * rmsk,size_t rmsk_len,const u8 * snonce,const u8 * anonce,const u8 * dh_ss,size_t dh_ss_len,u8 * pmk,size_t * pmk_len)233 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len,
234 const u8 *snonce, const u8 *anonce, const u8 *dh_ss,
235 size_t dh_ss_len, u8 *pmk, size_t *pmk_len)
236 {
237 u8 nonces[2 * FILS_NONCE_LEN];
238 const u8 *addr[2];
239 size_t len[2];
240 size_t num_elem;
241 int res;
242
243 /* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */
244 wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation");
245
246 if (wpa_key_mgmt_sha384(akmp))
247 *pmk_len = SHA384_MAC_LEN;
248 else if (wpa_key_mgmt_sha256(akmp))
249 *pmk_len = SHA256_MAC_LEN;
250 else
251 return -1;
252
253 wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len);
254 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
255 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
256 wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len);
257
258 os_memcpy(nonces, snonce, FILS_NONCE_LEN);
259 os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN);
260 addr[0] = rmsk;
261 len[0] = rmsk_len;
262 num_elem = 1;
263 if (dh_ss) {
264 addr[1] = dh_ss;
265 len[1] = dh_ss_len;
266 num_elem++;
267 }
268 if (wpa_key_mgmt_sha384(akmp))
269 res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
270 addr, len, pmk);
271 else
272 res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
273 addr, len, pmk);
274 if (res == 0)
275 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len);
276 return res;
277 }
278
279
fils_pmkid_erp(int akmp,const u8 * reauth,size_t reauth_len,u8 * pmkid)280 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len,
281 u8 *pmkid)
282 {
283 const u8 *addr[1];
284 size_t len[1];
285 u8 hash[SHA384_MAC_LEN];
286 int res;
287
288 /* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */
289 addr[0] = reauth;
290 len[0] = reauth_len;
291 if (wpa_key_mgmt_sha384(akmp))
292 res = sha384_vector(1, addr, len, hash);
293 else if (wpa_key_mgmt_sha256(akmp))
294 res = sha256_vector(1, addr, len, hash);
295 else
296 return -1;
297 if (res)
298 return res;
299 os_memcpy(pmkid, hash, PMKID_LEN);
300 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
301 return 0;
302 }
303
304
fils_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * aa,const u8 * snonce,const u8 * anonce,struct wpa_ptk * ptk,u8 * ick,size_t * ick_len,int akmp,int cipher)305 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa,
306 const u8 *snonce, const u8 *anonce, struct wpa_ptk *ptk,
307 u8 *ick, size_t *ick_len, int akmp, int cipher)
308 {
309 u8 data[2 * ETH_ALEN + 2 * FILS_NONCE_LEN];
310 u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
311 size_t key_data_len;
312 const char *label = "FILS PTK Derivation";
313
314 /*
315 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation",
316 * SPA || AA || SNonce || ANonce)
317 * ICK = L(FILS-Key-Data, 0, ICK_bits)
318 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits)
319 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits)
320 * If doing FT initial mobility domain association:
321 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits,
322 * FILS-FT_bits)
323 */
324 os_memcpy(data, spa, ETH_ALEN);
325 os_memcpy(data + ETH_ALEN, aa, ETH_ALEN);
326 os_memcpy(data + 2 * ETH_ALEN, snonce, FILS_NONCE_LEN);
327 os_memcpy(data + 2 * ETH_ALEN + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN);
328
329 ptk->kck_len = 0;
330 ptk->kek_len = wpa_kek_len(akmp);
331 ptk->tk_len = wpa_cipher_key_len(cipher);
332 if (wpa_key_mgmt_sha384(akmp))
333 *ick_len = 48;
334 else if (wpa_key_mgmt_sha256(akmp))
335 *ick_len = 32;
336 else
337 return -1;
338 key_data_len = *ick_len + ptk->kek_len + ptk->tk_len;
339
340 if (wpa_key_mgmt_sha384(akmp))
341 sha384_prf(pmk, pmk_len, label, data, sizeof(data),
342 tmp, key_data_len);
343 else if (sha256_prf(pmk, pmk_len, label, data, sizeof(data),
344 tmp, key_data_len) < 0)
345 return -1;
346
347 wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR
348 " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa));
349 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
350 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
351 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len);
352 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len);
353
354 os_memcpy(ick, tmp, *ick_len);
355 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len);
356
357 os_memcpy(ptk->kek, tmp + *ick_len, ptk->kek_len);
358 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len);
359
360 os_memcpy(ptk->tk, tmp + *ick_len + ptk->kek_len, ptk->tk_len);
361 wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len);
362
363 /* TODO: FILS-FT */
364
365 os_memset(tmp, 0, sizeof(tmp));
366 return 0;
367 }
368
369
fils_key_auth_sk(const u8 * ick,size_t ick_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * g_sta,size_t g_sta_len,const u8 * g_ap,size_t g_ap_len,int akmp,u8 * key_auth_sta,u8 * key_auth_ap,size_t * key_auth_len)370 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce,
371 const u8 *anonce, const u8 *sta_addr, const u8 *bssid,
372 const u8 *g_sta, size_t g_sta_len,
373 const u8 *g_ap, size_t g_ap_len,
374 int akmp, u8 *key_auth_sta, u8 *key_auth_ap,
375 size_t *key_auth_len)
376 {
377 const u8 *addr[6];
378 size_t len[6];
379 size_t num_elem = 4;
380 int res;
381
382 /*
383 * For (Re)Association Request frame (STA->AP):
384 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID
385 * [ || gSTA || gAP ])
386 */
387 addr[0] = snonce;
388 len[0] = FILS_NONCE_LEN;
389 addr[1] = anonce;
390 len[1] = FILS_NONCE_LEN;
391 addr[2] = sta_addr;
392 len[2] = ETH_ALEN;
393 addr[3] = bssid;
394 len[3] = ETH_ALEN;
395 if (g_sta && g_ap_len && g_ap && g_ap_len) {
396 addr[4] = g_sta;
397 len[4] = g_sta_len;
398 addr[5] = g_ap;
399 len[5] = g_ap_len;
400 num_elem = 6;
401 }
402
403 if (wpa_key_mgmt_sha384(akmp)) {
404 *key_auth_len = 48;
405 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
406 key_auth_sta);
407 } else if (wpa_key_mgmt_sha256(akmp)) {
408 *key_auth_len = 32;
409 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
410 key_auth_sta);
411 } else {
412 return -1;
413 }
414 if (res < 0)
415 return res;
416
417 /*
418 * For (Re)Association Response frame (AP->STA):
419 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC
420 * [ || gAP || gSTA ])
421 */
422 addr[0] = anonce;
423 addr[1] = snonce;
424 addr[2] = bssid;
425 addr[3] = sta_addr;
426 if (g_sta && g_ap_len && g_ap && g_ap_len) {
427 addr[4] = g_ap;
428 len[4] = g_ap_len;
429 addr[5] = g_sta;
430 len[5] = g_sta_len;
431 }
432
433 if (wpa_key_mgmt_sha384(akmp))
434 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
435 key_auth_ap);
436 else if (wpa_key_mgmt_sha256(akmp))
437 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
438 key_auth_ap);
439 if (res < 0)
440 return res;
441
442 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)",
443 key_auth_sta, *key_auth_len);
444 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)",
445 key_auth_ap, *key_auth_len);
446
447 return 0;
448 }
449
450 #endif /* CONFIG_FILS */
451
452
453 #ifdef CONFIG_IEEE80211R
wpa_ft_mic(const u8 * kck,size_t kck_len,const u8 * sta_addr,const u8 * ap_addr,u8 transaction_seqnum,const u8 * mdie,size_t mdie_len,const u8 * ftie,size_t ftie_len,const u8 * rsnie,size_t rsnie_len,const u8 * ric,size_t ric_len,u8 * mic)454 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr,
455 const u8 *ap_addr, u8 transaction_seqnum,
456 const u8 *mdie, size_t mdie_len,
457 const u8 *ftie, size_t ftie_len,
458 const u8 *rsnie, size_t rsnie_len,
459 const u8 *ric, size_t ric_len, u8 *mic)
460 {
461 const u8 *addr[9];
462 size_t len[9];
463 size_t i, num_elem = 0;
464 u8 zero_mic[16];
465
466 if (kck_len != 16) {
467 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
468 (unsigned int) kck_len);
469 return -1;
470 }
471
472 addr[num_elem] = sta_addr;
473 len[num_elem] = ETH_ALEN;
474 num_elem++;
475
476 addr[num_elem] = ap_addr;
477 len[num_elem] = ETH_ALEN;
478 num_elem++;
479
480 addr[num_elem] = &transaction_seqnum;
481 len[num_elem] = 1;
482 num_elem++;
483
484 if (rsnie) {
485 addr[num_elem] = rsnie;
486 len[num_elem] = rsnie_len;
487 num_elem++;
488 }
489 if (mdie) {
490 addr[num_elem] = mdie;
491 len[num_elem] = mdie_len;
492 num_elem++;
493 }
494 if (ftie) {
495 if (ftie_len < 2 + sizeof(struct rsn_ftie))
496 return -1;
497
498 /* IE hdr and mic_control */
499 addr[num_elem] = ftie;
500 len[num_elem] = 2 + 2;
501 num_elem++;
502
503 /* MIC field with all zeros */
504 os_memset(zero_mic, 0, sizeof(zero_mic));
505 addr[num_elem] = zero_mic;
506 len[num_elem] = sizeof(zero_mic);
507 num_elem++;
508
509 /* Rest of FTIE */
510 addr[num_elem] = ftie + 2 + 2 + 16;
511 len[num_elem] = ftie_len - (2 + 2 + 16);
512 num_elem++;
513 }
514 if (ric) {
515 addr[num_elem] = ric;
516 len[num_elem] = ric_len;
517 num_elem++;
518 }
519
520 for (i = 0; i < num_elem; i++)
521 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
522 if (omac1_aes_128_vector(kck, num_elem, addr, len, mic))
523 return -1;
524
525 return 0;
526 }
527
528
wpa_ft_parse_ftie(const u8 * ie,size_t ie_len,struct wpa_ft_ies * parse)529 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
530 struct wpa_ft_ies *parse)
531 {
532 const u8 *end, *pos;
533
534 parse->ftie = ie;
535 parse->ftie_len = ie_len;
536
537 pos = ie + sizeof(struct rsn_ftie);
538 end = ie + ie_len;
539
540 while (end - pos >= 2) {
541 u8 id, len;
542
543 id = *pos++;
544 len = *pos++;
545 if (len > end - pos)
546 break;
547
548 switch (id) {
549 case FTIE_SUBELEM_R1KH_ID:
550 if (len != FT_R1KH_ID_LEN) {
551 wpa_printf(MSG_DEBUG,
552 "FT: Invalid R1KH-ID length in FTIE: %d",
553 len);
554 return -1;
555 }
556 parse->r1kh_id = pos;
557 break;
558 case FTIE_SUBELEM_GTK:
559 parse->gtk = pos;
560 parse->gtk_len = len;
561 break;
562 case FTIE_SUBELEM_R0KH_ID:
563 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
564 wpa_printf(MSG_DEBUG,
565 "FT: Invalid R0KH-ID length in FTIE: %d",
566 len);
567 return -1;
568 }
569 parse->r0kh_id = pos;
570 parse->r0kh_id_len = len;
571 break;
572 #ifdef CONFIG_IEEE80211W
573 case FTIE_SUBELEM_IGTK:
574 parse->igtk = pos;
575 parse->igtk_len = len;
576 break;
577 #endif /* CONFIG_IEEE80211W */
578 }
579
580 pos += len;
581 }
582
583 return 0;
584 }
585
586
wpa_ft_parse_ies(const u8 * ies,size_t ies_len,struct wpa_ft_ies * parse)587 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
588 struct wpa_ft_ies *parse)
589 {
590 const u8 *end, *pos;
591 struct wpa_ie_data data;
592 int ret;
593 const struct rsn_ftie *ftie;
594 int prot_ie_count = 0;
595
596 os_memset(parse, 0, sizeof(*parse));
597 if (ies == NULL)
598 return 0;
599
600 pos = ies;
601 end = ies + ies_len;
602 while (end - pos >= 2) {
603 u8 id, len;
604
605 id = *pos++;
606 len = *pos++;
607 if (len > end - pos)
608 break;
609
610 switch (id) {
611 case WLAN_EID_RSN:
612 parse->rsn = pos;
613 parse->rsn_len = len;
614 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
615 parse->rsn_len + 2,
616 &data);
617 if (ret < 0) {
618 wpa_printf(MSG_DEBUG, "FT: Failed to parse "
619 "RSN IE: %d", ret);
620 return -1;
621 }
622 if (data.num_pmkid == 1 && data.pmkid)
623 parse->rsn_pmkid = data.pmkid;
624 parse->key_mgmt = data.key_mgmt;
625 parse->pairwise_cipher = data.pairwise_cipher;
626 break;
627 case WLAN_EID_MOBILITY_DOMAIN:
628 if (len < sizeof(struct rsn_mdie))
629 return -1;
630 parse->mdie = pos;
631 parse->mdie_len = len;
632 break;
633 case WLAN_EID_FAST_BSS_TRANSITION:
634 if (len < sizeof(*ftie))
635 return -1;
636 ftie = (const struct rsn_ftie *) pos;
637 prot_ie_count = ftie->mic_control[1];
638 if (wpa_ft_parse_ftie(pos, len, parse) < 0)
639 return -1;
640 break;
641 case WLAN_EID_TIMEOUT_INTERVAL:
642 if (len != 5)
643 break;
644 parse->tie = pos;
645 parse->tie_len = len;
646 break;
647 case WLAN_EID_RIC_DATA:
648 if (parse->ric == NULL)
649 parse->ric = pos - 2;
650 break;
651 }
652
653 pos += len;
654 }
655
656 if (prot_ie_count == 0)
657 return 0; /* no MIC */
658
659 /*
660 * Check that the protected IE count matches with IEs included in the
661 * frame.
662 */
663 if (parse->rsn)
664 prot_ie_count--;
665 if (parse->mdie)
666 prot_ie_count--;
667 if (parse->ftie)
668 prot_ie_count--;
669 if (prot_ie_count < 0) {
670 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
671 "the protected IE count");
672 return -1;
673 }
674
675 if (prot_ie_count == 0 && parse->ric) {
676 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
677 "included in protected IE count");
678 return -1;
679 }
680
681 /* Determine the end of the RIC IE(s) */
682 if (parse->ric) {
683 pos = parse->ric;
684 while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
685 prot_ie_count) {
686 prot_ie_count--;
687 pos += 2 + pos[1];
688 }
689 parse->ric_len = pos - parse->ric;
690 }
691 if (prot_ie_count) {
692 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
693 "frame", (int) prot_ie_count);
694 return -1;
695 }
696
697 return 0;
698 }
699 #endif /* CONFIG_IEEE80211R */
700
701
rsn_selector_to_bitfield(const u8 * s)702 static int rsn_selector_to_bitfield(const u8 *s)
703 {
704 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
705 return WPA_CIPHER_NONE;
706 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
707 return WPA_CIPHER_TKIP;
708 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
709 return WPA_CIPHER_CCMP;
710 #ifdef CONFIG_IEEE80211W
711 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
712 return WPA_CIPHER_AES_128_CMAC;
713 #endif /* CONFIG_IEEE80211W */
714 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
715 return WPA_CIPHER_GCMP;
716 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
717 return WPA_CIPHER_CCMP_256;
718 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
719 return WPA_CIPHER_GCMP_256;
720 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
721 return WPA_CIPHER_BIP_GMAC_128;
722 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
723 return WPA_CIPHER_BIP_GMAC_256;
724 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
725 return WPA_CIPHER_BIP_CMAC_256;
726 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
727 return WPA_CIPHER_GTK_NOT_USED;
728 return 0;
729 }
730
731
rsn_key_mgmt_to_bitfield(const u8 * s)732 static int rsn_key_mgmt_to_bitfield(const u8 *s)
733 {
734 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
735 return WPA_KEY_MGMT_IEEE8021X;
736 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
737 return WPA_KEY_MGMT_PSK;
738 #ifdef CONFIG_IEEE80211R
739 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
740 return WPA_KEY_MGMT_FT_IEEE8021X;
741 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
742 return WPA_KEY_MGMT_FT_PSK;
743 #endif /* CONFIG_IEEE80211R */
744 #ifdef CONFIG_IEEE80211W
745 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
746 return WPA_KEY_MGMT_IEEE8021X_SHA256;
747 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
748 return WPA_KEY_MGMT_PSK_SHA256;
749 #endif /* CONFIG_IEEE80211W */
750 #ifdef CONFIG_SAE
751 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
752 return WPA_KEY_MGMT_SAE;
753 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
754 return WPA_KEY_MGMT_FT_SAE;
755 #endif /* CONFIG_SAE */
756 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
757 return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
758 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
759 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
760 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256)
761 return WPA_KEY_MGMT_FILS_SHA256;
762 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384)
763 return WPA_KEY_MGMT_FILS_SHA384;
764 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256)
765 return WPA_KEY_MGMT_FT_FILS_SHA256;
766 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
767 return WPA_KEY_MGMT_FT_FILS_SHA384;
768 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
769 return WPA_KEY_MGMT_OSEN;
770 return 0;
771 }
772
773
wpa_cipher_valid_group(int cipher)774 int wpa_cipher_valid_group(int cipher)
775 {
776 return wpa_cipher_valid_pairwise(cipher) ||
777 cipher == WPA_CIPHER_GTK_NOT_USED;
778 }
779
780
781 #ifdef CONFIG_IEEE80211W
wpa_cipher_valid_mgmt_group(int cipher)782 int wpa_cipher_valid_mgmt_group(int cipher)
783 {
784 return cipher == WPA_CIPHER_AES_128_CMAC ||
785 cipher == WPA_CIPHER_BIP_GMAC_128 ||
786 cipher == WPA_CIPHER_BIP_GMAC_256 ||
787 cipher == WPA_CIPHER_BIP_CMAC_256;
788 }
789 #endif /* CONFIG_IEEE80211W */
790
791
792 /**
793 * wpa_parse_wpa_ie_rsn - Parse RSN IE
794 * @rsn_ie: Buffer containing RSN IE
795 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
796 * @data: Pointer to structure that will be filled in with parsed data
797 * Returns: 0 on success, <0 on failure
798 */
wpa_parse_wpa_ie_rsn(const u8 * rsn_ie,size_t rsn_ie_len,struct wpa_ie_data * data)799 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
800 struct wpa_ie_data *data)
801 {
802 const u8 *pos;
803 int left;
804 int i, count;
805
806 os_memset(data, 0, sizeof(*data));
807 data->proto = WPA_PROTO_RSN;
808 data->pairwise_cipher = WPA_CIPHER_CCMP;
809 data->group_cipher = WPA_CIPHER_CCMP;
810 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
811 data->capabilities = 0;
812 data->pmkid = NULL;
813 data->num_pmkid = 0;
814 #ifdef CONFIG_IEEE80211W
815 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
816 #else /* CONFIG_IEEE80211W */
817 data->mgmt_group_cipher = 0;
818 #endif /* CONFIG_IEEE80211W */
819
820 if (rsn_ie_len == 0) {
821 /* No RSN IE - fail silently */
822 return -1;
823 }
824
825 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
826 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
827 __func__, (unsigned long) rsn_ie_len);
828 return -1;
829 }
830
831 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 &&
832 rsn_ie[1] == rsn_ie_len - 2 &&
833 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) {
834 pos = rsn_ie + 6;
835 left = rsn_ie_len - 6;
836
837 data->proto = WPA_PROTO_OSEN;
838 } else {
839 const struct rsn_ie_hdr *hdr;
840
841 hdr = (const struct rsn_ie_hdr *) rsn_ie;
842
843 if (hdr->elem_id != WLAN_EID_RSN ||
844 hdr->len != rsn_ie_len - 2 ||
845 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
846 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
847 __func__);
848 return -2;
849 }
850
851 pos = (const u8 *) (hdr + 1);
852 left = rsn_ie_len - sizeof(*hdr);
853 }
854
855 if (left >= RSN_SELECTOR_LEN) {
856 data->group_cipher = rsn_selector_to_bitfield(pos);
857 if (!wpa_cipher_valid_group(data->group_cipher)) {
858 wpa_printf(MSG_DEBUG,
859 "%s: invalid group cipher 0x%x (%08x)",
860 __func__, data->group_cipher,
861 WPA_GET_BE32(pos));
862 return -1;
863 }
864 pos += RSN_SELECTOR_LEN;
865 left -= RSN_SELECTOR_LEN;
866 } else if (left > 0) {
867 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
868 __func__, left);
869 return -3;
870 }
871
872 if (left >= 2) {
873 data->pairwise_cipher = 0;
874 count = WPA_GET_LE16(pos);
875 pos += 2;
876 left -= 2;
877 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
878 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
879 "count %u left %u", __func__, count, left);
880 return -4;
881 }
882 for (i = 0; i < count; i++) {
883 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
884 pos += RSN_SELECTOR_LEN;
885 left -= RSN_SELECTOR_LEN;
886 }
887 #ifdef CONFIG_IEEE80211W
888 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
889 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
890 "pairwise cipher", __func__);
891 return -1;
892 }
893 #endif /* CONFIG_IEEE80211W */
894 } else if (left == 1) {
895 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
896 __func__);
897 return -5;
898 }
899
900 if (left >= 2) {
901 data->key_mgmt = 0;
902 count = WPA_GET_LE16(pos);
903 pos += 2;
904 left -= 2;
905 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
906 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
907 "count %u left %u", __func__, count, left);
908 return -6;
909 }
910 for (i = 0; i < count; i++) {
911 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
912 pos += RSN_SELECTOR_LEN;
913 left -= RSN_SELECTOR_LEN;
914 }
915 } else if (left == 1) {
916 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
917 __func__);
918 return -7;
919 }
920
921 if (left >= 2) {
922 data->capabilities = WPA_GET_LE16(pos);
923 pos += 2;
924 left -= 2;
925 }
926
927 if (left >= 2) {
928 u16 num_pmkid = WPA_GET_LE16(pos);
929 pos += 2;
930 left -= 2;
931 if (num_pmkid > (unsigned int) left / PMKID_LEN) {
932 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
933 "(num_pmkid=%u left=%d)",
934 __func__, num_pmkid, left);
935 data->num_pmkid = 0;
936 return -9;
937 } else {
938 data->num_pmkid = num_pmkid;
939 data->pmkid = pos;
940 pos += data->num_pmkid * PMKID_LEN;
941 left -= data->num_pmkid * PMKID_LEN;
942 }
943 }
944
945 #ifdef CONFIG_IEEE80211W
946 if (left >= 4) {
947 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
948 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
949 wpa_printf(MSG_DEBUG,
950 "%s: Unsupported management group cipher 0x%x (%08x)",
951 __func__, data->mgmt_group_cipher,
952 WPA_GET_BE32(pos));
953 return -10;
954 }
955 pos += RSN_SELECTOR_LEN;
956 left -= RSN_SELECTOR_LEN;
957 }
958 #endif /* CONFIG_IEEE80211W */
959
960 if (left > 0) {
961 wpa_hexdump(MSG_DEBUG,
962 "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
963 pos, left);
964 }
965
966 return 0;
967 }
968
969
wpa_selector_to_bitfield(const u8 * s)970 static int wpa_selector_to_bitfield(const u8 *s)
971 {
972 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
973 return WPA_CIPHER_NONE;
974 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
975 return WPA_CIPHER_TKIP;
976 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
977 return WPA_CIPHER_CCMP;
978 return 0;
979 }
980
981
wpa_key_mgmt_to_bitfield(const u8 * s)982 static int wpa_key_mgmt_to_bitfield(const u8 *s)
983 {
984 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
985 return WPA_KEY_MGMT_IEEE8021X;
986 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
987 return WPA_KEY_MGMT_PSK;
988 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
989 return WPA_KEY_MGMT_WPA_NONE;
990 return 0;
991 }
992
993
wpa_parse_wpa_ie_wpa(const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ie_data * data)994 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
995 struct wpa_ie_data *data)
996 {
997 const struct wpa_ie_hdr *hdr;
998 const u8 *pos;
999 int left;
1000 int i, count;
1001
1002 os_memset(data, 0, sizeof(*data));
1003 data->proto = WPA_PROTO_WPA;
1004 data->pairwise_cipher = WPA_CIPHER_TKIP;
1005 data->group_cipher = WPA_CIPHER_TKIP;
1006 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1007 data->capabilities = 0;
1008 data->pmkid = NULL;
1009 data->num_pmkid = 0;
1010 data->mgmt_group_cipher = 0;
1011
1012 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
1013 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1014 __func__, (unsigned long) wpa_ie_len);
1015 return -1;
1016 }
1017
1018 hdr = (const struct wpa_ie_hdr *) wpa_ie;
1019
1020 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
1021 hdr->len != wpa_ie_len - 2 ||
1022 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
1023 WPA_GET_LE16(hdr->version) != WPA_VERSION) {
1024 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1025 __func__);
1026 return -2;
1027 }
1028
1029 pos = (const u8 *) (hdr + 1);
1030 left = wpa_ie_len - sizeof(*hdr);
1031
1032 if (left >= WPA_SELECTOR_LEN) {
1033 data->group_cipher = wpa_selector_to_bitfield(pos);
1034 pos += WPA_SELECTOR_LEN;
1035 left -= WPA_SELECTOR_LEN;
1036 } else if (left > 0) {
1037 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1038 __func__, left);
1039 return -3;
1040 }
1041
1042 if (left >= 2) {
1043 data->pairwise_cipher = 0;
1044 count = WPA_GET_LE16(pos);
1045 pos += 2;
1046 left -= 2;
1047 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1048 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1049 "count %u left %u", __func__, count, left);
1050 return -4;
1051 }
1052 for (i = 0; i < count; i++) {
1053 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
1054 pos += WPA_SELECTOR_LEN;
1055 left -= WPA_SELECTOR_LEN;
1056 }
1057 } else if (left == 1) {
1058 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1059 __func__);
1060 return -5;
1061 }
1062
1063 if (left >= 2) {
1064 data->key_mgmt = 0;
1065 count = WPA_GET_LE16(pos);
1066 pos += 2;
1067 left -= 2;
1068 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1069 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1070 "count %u left %u", __func__, count, left);
1071 return -6;
1072 }
1073 for (i = 0; i < count; i++) {
1074 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
1075 pos += WPA_SELECTOR_LEN;
1076 left -= WPA_SELECTOR_LEN;
1077 }
1078 } else if (left == 1) {
1079 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1080 __func__);
1081 return -7;
1082 }
1083
1084 if (left >= 2) {
1085 data->capabilities = WPA_GET_LE16(pos);
1086 pos += 2;
1087 left -= 2;
1088 }
1089
1090 if (left > 0) {
1091 wpa_hexdump(MSG_DEBUG,
1092 "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
1093 pos, left);
1094 }
1095
1096 return 0;
1097 }
1098
1099
1100 #ifdef CONFIG_IEEE80211R
1101
1102 /**
1103 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
1104 *
1105 * IEEE Std 802.11r-2008 - 8.5.1.5.3
1106 */
wpa_derive_pmk_r0(const u8 * xxkey,size_t xxkey_len,const u8 * ssid,size_t ssid_len,const u8 * mdid,const u8 * r0kh_id,size_t r0kh_id_len,const u8 * s0kh_id,u8 * pmk_r0,u8 * pmk_r0_name)1107 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
1108 const u8 *ssid, size_t ssid_len,
1109 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
1110 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name)
1111 {
1112 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
1113 FT_R0KH_ID_MAX_LEN + ETH_ALEN];
1114 u8 *pos, r0_key_data[48], hash[32];
1115 const u8 *addr[2];
1116 size_t len[2];
1117
1118 /*
1119 * R0-Key-Data = KDF-384(XXKey, "FT-R0",
1120 * SSIDlength || SSID || MDID || R0KHlength ||
1121 * R0KH-ID || S0KH-ID)
1122 * XXKey is either the second 256 bits of MSK or PSK.
1123 * PMK-R0 = L(R0-Key-Data, 0, 256)
1124 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128)
1125 */
1126 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
1127 return -1;
1128 pos = buf;
1129 *pos++ = ssid_len;
1130 os_memcpy(pos, ssid, ssid_len);
1131 pos += ssid_len;
1132 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
1133 pos += MOBILITY_DOMAIN_ID_LEN;
1134 *pos++ = r0kh_id_len;
1135 os_memcpy(pos, r0kh_id, r0kh_id_len);
1136 pos += r0kh_id_len;
1137 os_memcpy(pos, s0kh_id, ETH_ALEN);
1138 pos += ETH_ALEN;
1139
1140 if (sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1141 r0_key_data, sizeof(r0_key_data)) < 0)
1142 return -1;
1143 os_memcpy(pmk_r0, r0_key_data, PMK_LEN);
1144
1145 /*
1146 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt)
1147 */
1148 addr[0] = (const u8 *) "FT-R0N";
1149 len[0] = 6;
1150 addr[1] = r0_key_data + PMK_LEN;
1151 len[1] = 16;
1152
1153 if (sha256_vector(2, addr, len, hash) < 0)
1154 return -1;
1155 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
1156 return 0;
1157 }
1158
1159
1160 /**
1161 * wpa_derive_pmk_r1_name - Derive PMKR1Name
1162 *
1163 * IEEE Std 802.11r-2008 - 8.5.1.5.4
1164 */
wpa_derive_pmk_r1_name(const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1_name)1165 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
1166 const u8 *s1kh_id, u8 *pmk_r1_name)
1167 {
1168 u8 hash[32];
1169 const u8 *addr[4];
1170 size_t len[4];
1171
1172 /*
1173 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name ||
1174 * R1KH-ID || S1KH-ID))
1175 */
1176 addr[0] = (const u8 *) "FT-R1N";
1177 len[0] = 6;
1178 addr[1] = pmk_r0_name;
1179 len[1] = WPA_PMK_NAME_LEN;
1180 addr[2] = r1kh_id;
1181 len[2] = FT_R1KH_ID_LEN;
1182 addr[3] = s1kh_id;
1183 len[3] = ETH_ALEN;
1184
1185 if (sha256_vector(4, addr, len, hash) < 0)
1186 return -1;
1187 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
1188 return 0;
1189 }
1190
1191
1192 /**
1193 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
1194 *
1195 * IEEE Std 802.11r-2008 - 8.5.1.5.4
1196 */
wpa_derive_pmk_r1(const u8 * pmk_r0,const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1,u8 * pmk_r1_name)1197 int wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name,
1198 const u8 *r1kh_id, const u8 *s1kh_id,
1199 u8 *pmk_r1, u8 *pmk_r1_name)
1200 {
1201 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
1202 u8 *pos;
1203
1204 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
1205 pos = buf;
1206 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
1207 pos += FT_R1KH_ID_LEN;
1208 os_memcpy(pos, s1kh_id, ETH_ALEN);
1209 pos += ETH_ALEN;
1210
1211 if (sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf,
1212 pmk_r1, PMK_LEN) < 0)
1213 return -1;
1214
1215 return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
1216 pmk_r1_name);
1217 }
1218
1219
1220 /**
1221 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
1222 *
1223 * IEEE Std 802.11r-2008 - 8.5.1.5.5
1224 */
wpa_pmk_r1_to_ptk(const u8 * pmk_r1,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * pmk_r1_name,struct wpa_ptk * ptk,u8 * ptk_name,int akmp,int cipher)1225 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce,
1226 const u8 *sta_addr, const u8 *bssid,
1227 const u8 *pmk_r1_name,
1228 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher)
1229 {
1230 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
1231 u8 *pos, hash[32];
1232 const u8 *addr[6];
1233 size_t len[6];
1234 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
1235 size_t ptk_len;
1236
1237 /*
1238 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
1239 * BSSID || STA-ADDR)
1240 */
1241 pos = buf;
1242 os_memcpy(pos, snonce, WPA_NONCE_LEN);
1243 pos += WPA_NONCE_LEN;
1244 os_memcpy(pos, anonce, WPA_NONCE_LEN);
1245 pos += WPA_NONCE_LEN;
1246 os_memcpy(pos, bssid, ETH_ALEN);
1247 pos += ETH_ALEN;
1248 os_memcpy(pos, sta_addr, ETH_ALEN);
1249 pos += ETH_ALEN;
1250
1251 ptk->kck_len = wpa_kck_len(akmp);
1252 ptk->kek_len = wpa_kek_len(akmp);
1253 ptk->tk_len = wpa_cipher_key_len(cipher);
1254 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
1255
1256 if (sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf,
1257 tmp, ptk_len) < 0)
1258 return -1;
1259
1260 /*
1261 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
1262 * ANonce || BSSID || STA-ADDR))
1263 */
1264 addr[0] = pmk_r1_name;
1265 len[0] = WPA_PMK_NAME_LEN;
1266 addr[1] = (const u8 *) "FT-PTKN";
1267 len[1] = 7;
1268 addr[2] = snonce;
1269 len[2] = WPA_NONCE_LEN;
1270 addr[3] = anonce;
1271 len[3] = WPA_NONCE_LEN;
1272 addr[4] = bssid;
1273 len[4] = ETH_ALEN;
1274 addr[5] = sta_addr;
1275 len[5] = ETH_ALEN;
1276
1277 if (sha256_vector(6, addr, len, hash) < 0)
1278 return -1;
1279 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
1280
1281 os_memcpy(ptk->kck, tmp, ptk->kck_len);
1282 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
1283 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
1284
1285 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
1286 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
1287 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
1288 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
1289
1290 os_memset(tmp, 0, sizeof(tmp));
1291
1292 return 0;
1293 }
1294
1295 #endif /* CONFIG_IEEE80211R */
1296
1297
1298 /**
1299 * rsn_pmkid - Calculate PMK identifier
1300 * @pmk: Pairwise master key
1301 * @pmk_len: Length of pmk in bytes
1302 * @aa: Authenticator address
1303 * @spa: Supplicant address
1304 * @pmkid: Buffer for PMKID
1305 * @use_sha256: Whether to use SHA256-based KDF
1306 *
1307 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
1308 * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
1309 */
rsn_pmkid(const u8 * pmk,size_t pmk_len,const u8 * aa,const u8 * spa,u8 * pmkid,int use_sha256)1310 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
1311 u8 *pmkid, int use_sha256)
1312 {
1313 char *title = "PMK Name";
1314 const u8 *addr[3];
1315 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1316 unsigned char hash[SHA256_MAC_LEN];
1317
1318 addr[0] = (u8 *) title;
1319 addr[1] = aa;
1320 addr[2] = spa;
1321
1322 #ifdef CONFIG_IEEE80211W
1323 if (use_sha256)
1324 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
1325 else
1326 #endif /* CONFIG_IEEE80211W */
1327 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
1328 os_memcpy(pmkid, hash, PMKID_LEN);
1329 }
1330
1331
1332 #ifdef CONFIG_SUITEB
1333 /**
1334 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
1335 * @kck: Key confirmation key
1336 * @kck_len: Length of kck in bytes
1337 * @aa: Authenticator address
1338 * @spa: Supplicant address
1339 * @pmkid: Buffer for PMKID
1340 * Returns: 0 on success, -1 on failure
1341 *
1342 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1343 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
1344 */
rsn_pmkid_suite_b(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)1345 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
1346 const u8 *spa, u8 *pmkid)
1347 {
1348 char *title = "PMK Name";
1349 const u8 *addr[3];
1350 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1351 unsigned char hash[SHA256_MAC_LEN];
1352
1353 addr[0] = (u8 *) title;
1354 addr[1] = aa;
1355 addr[2] = spa;
1356
1357 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
1358 return -1;
1359 os_memcpy(pmkid, hash, PMKID_LEN);
1360 return 0;
1361 }
1362 #endif /* CONFIG_SUITEB */
1363
1364
1365 #ifdef CONFIG_SUITEB192
1366 /**
1367 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
1368 * @kck: Key confirmation key
1369 * @kck_len: Length of kck in bytes
1370 * @aa: Authenticator address
1371 * @spa: Supplicant address
1372 * @pmkid: Buffer for PMKID
1373 * Returns: 0 on success, -1 on failure
1374 *
1375 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1376 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
1377 */
rsn_pmkid_suite_b_192(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)1378 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
1379 const u8 *spa, u8 *pmkid)
1380 {
1381 char *title = "PMK Name";
1382 const u8 *addr[3];
1383 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1384 unsigned char hash[SHA384_MAC_LEN];
1385
1386 addr[0] = (u8 *) title;
1387 addr[1] = aa;
1388 addr[2] = spa;
1389
1390 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
1391 return -1;
1392 os_memcpy(pmkid, hash, PMKID_LEN);
1393 return 0;
1394 }
1395 #endif /* CONFIG_SUITEB192 */
1396
1397
1398 /**
1399 * wpa_cipher_txt - Convert cipher suite to a text string
1400 * @cipher: Cipher suite (WPA_CIPHER_* enum)
1401 * Returns: Pointer to a text string of the cipher suite name
1402 */
wpa_cipher_txt(int cipher)1403 const char * wpa_cipher_txt(int cipher)
1404 {
1405 switch (cipher) {
1406 case WPA_CIPHER_NONE:
1407 return "NONE";
1408 case WPA_CIPHER_WEP40:
1409 return "WEP-40";
1410 case WPA_CIPHER_WEP104:
1411 return "WEP-104";
1412 case WPA_CIPHER_TKIP:
1413 return "TKIP";
1414 case WPA_CIPHER_CCMP:
1415 return "CCMP";
1416 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
1417 return "CCMP+TKIP";
1418 case WPA_CIPHER_GCMP:
1419 return "GCMP";
1420 case WPA_CIPHER_GCMP_256:
1421 return "GCMP-256";
1422 case WPA_CIPHER_CCMP_256:
1423 return "CCMP-256";
1424 case WPA_CIPHER_GTK_NOT_USED:
1425 return "GTK_NOT_USED";
1426 default:
1427 return "UNKNOWN";
1428 }
1429 }
1430
1431
1432 /**
1433 * wpa_key_mgmt_txt - Convert key management suite to a text string
1434 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
1435 * @proto: WPA/WPA2 version (WPA_PROTO_*)
1436 * Returns: Pointer to a text string of the key management suite name
1437 */
wpa_key_mgmt_txt(int key_mgmt,int proto)1438 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
1439 {
1440 switch (key_mgmt) {
1441 case WPA_KEY_MGMT_IEEE8021X:
1442 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1443 return "WPA2+WPA/IEEE 802.1X/EAP";
1444 return proto == WPA_PROTO_RSN ?
1445 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
1446 case WPA_KEY_MGMT_PSK:
1447 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1448 return "WPA2-PSK+WPA-PSK";
1449 return proto == WPA_PROTO_RSN ?
1450 "WPA2-PSK" : "WPA-PSK";
1451 case WPA_KEY_MGMT_NONE:
1452 return "NONE";
1453 case WPA_KEY_MGMT_WPA_NONE:
1454 return "WPA-NONE";
1455 case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
1456 return "IEEE 802.1X (no WPA)";
1457 #ifdef CONFIG_IEEE80211R
1458 case WPA_KEY_MGMT_FT_IEEE8021X:
1459 return "FT-EAP";
1460 case WPA_KEY_MGMT_FT_PSK:
1461 return "FT-PSK";
1462 #endif /* CONFIG_IEEE80211R */
1463 #ifdef CONFIG_IEEE80211W
1464 case WPA_KEY_MGMT_IEEE8021X_SHA256:
1465 return "WPA2-EAP-SHA256";
1466 case WPA_KEY_MGMT_PSK_SHA256:
1467 return "WPA2-PSK-SHA256";
1468 #endif /* CONFIG_IEEE80211W */
1469 case WPA_KEY_MGMT_WPS:
1470 return "WPS";
1471 case WPA_KEY_MGMT_SAE:
1472 return "SAE";
1473 case WPA_KEY_MGMT_FT_SAE:
1474 return "FT-SAE";
1475 case WPA_KEY_MGMT_OSEN:
1476 return "OSEN";
1477 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
1478 return "WPA2-EAP-SUITE-B";
1479 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
1480 return "WPA2-EAP-SUITE-B-192";
1481 case WPA_KEY_MGMT_FILS_SHA256:
1482 return "FILS-SHA256";
1483 case WPA_KEY_MGMT_FILS_SHA384:
1484 return "FILS-SHA384";
1485 case WPA_KEY_MGMT_FT_FILS_SHA256:
1486 return "FT-FILS-SHA256";
1487 case WPA_KEY_MGMT_FT_FILS_SHA384:
1488 return "FT-FILS-SHA384";
1489 default:
1490 return "UNKNOWN";
1491 }
1492 }
1493
1494
wpa_akm_to_suite(int akm)1495 u32 wpa_akm_to_suite(int akm)
1496 {
1497 if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
1498 return RSN_AUTH_KEY_MGMT_FT_802_1X;
1499 if (akm & WPA_KEY_MGMT_FT_PSK)
1500 return RSN_AUTH_KEY_MGMT_FT_PSK;
1501 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
1502 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
1503 if (akm & WPA_KEY_MGMT_IEEE8021X)
1504 return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
1505 if (akm & WPA_KEY_MGMT_PSK_SHA256)
1506 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
1507 if (akm & WPA_KEY_MGMT_PSK)
1508 return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
1509 if (akm & WPA_KEY_MGMT_CCKM)
1510 return RSN_AUTH_KEY_MGMT_CCKM;
1511 if (akm & WPA_KEY_MGMT_OSEN)
1512 return RSN_AUTH_KEY_MGMT_OSEN;
1513 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
1514 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
1515 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
1516 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
1517 if (akm & WPA_KEY_MGMT_FILS_SHA256)
1518 return RSN_AUTH_KEY_MGMT_FILS_SHA256;
1519 if (akm & WPA_KEY_MGMT_FILS_SHA384)
1520 return RSN_AUTH_KEY_MGMT_FILS_SHA384;
1521 if (akm & WPA_KEY_MGMT_FT_FILS_SHA256)
1522 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
1523 if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
1524 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
1525 return 0;
1526 }
1527
1528
wpa_compare_rsn_ie(int ft_initial_assoc,const u8 * ie1,size_t ie1len,const u8 * ie2,size_t ie2len)1529 int wpa_compare_rsn_ie(int ft_initial_assoc,
1530 const u8 *ie1, size_t ie1len,
1531 const u8 *ie2, size_t ie2len)
1532 {
1533 if (ie1 == NULL || ie2 == NULL)
1534 return -1;
1535
1536 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
1537 return 0; /* identical IEs */
1538
1539 #ifdef CONFIG_IEEE80211R
1540 if (ft_initial_assoc) {
1541 struct wpa_ie_data ie1d, ie2d;
1542 /*
1543 * The PMKID-List in RSN IE is different between Beacon/Probe
1544 * Response/(Re)Association Request frames and EAPOL-Key
1545 * messages in FT initial mobility domain association. Allow
1546 * for this, but verify that other parts of the RSN IEs are
1547 * identical.
1548 */
1549 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
1550 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
1551 return -1;
1552 if (ie1d.proto == ie2d.proto &&
1553 ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
1554 ie1d.group_cipher == ie2d.group_cipher &&
1555 ie1d.key_mgmt == ie2d.key_mgmt &&
1556 ie1d.capabilities == ie2d.capabilities &&
1557 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
1558 return 0;
1559 }
1560 #endif /* CONFIG_IEEE80211R */
1561
1562 return -1;
1563 }
1564
1565
1566 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS)
wpa_insert_pmkid(u8 * ies,size_t * ies_len,const u8 * pmkid)1567 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
1568 {
1569 u8 *start, *end, *rpos, *rend;
1570 int added = 0;
1571
1572 start = ies;
1573 end = ies + *ies_len;
1574
1575 while (start < end) {
1576 if (*start == WLAN_EID_RSN)
1577 break;
1578 start += 2 + start[1];
1579 }
1580 if (start >= end) {
1581 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in "
1582 "IEs data");
1583 return -1;
1584 }
1585 wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification",
1586 start, 2 + start[1]);
1587
1588 /* Find start of PMKID-Count */
1589 rpos = start + 2;
1590 rend = rpos + start[1];
1591
1592 /* Skip Version and Group Data Cipher Suite */
1593 rpos += 2 + 4;
1594 /* Skip Pairwise Cipher Suite Count and List */
1595 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1596 /* Skip AKM Suite Count and List */
1597 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1598
1599 if (rpos == rend) {
1600 /* Add RSN Capabilities */
1601 os_memmove(rpos + 2, rpos, end - rpos);
1602 *rpos++ = 0;
1603 *rpos++ = 0;
1604 added += 2;
1605 start[1] += 2;
1606 rend = rpos;
1607 } else {
1608 /* Skip RSN Capabilities */
1609 rpos += 2;
1610 if (rpos > rend) {
1611 wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in "
1612 "IEs data");
1613 return -1;
1614 }
1615 }
1616
1617 if (rpos == rend) {
1618 /* No PMKID-Count field included; add it */
1619 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
1620 WPA_PUT_LE16(rpos, 1);
1621 rpos += 2;
1622 os_memcpy(rpos, pmkid, PMKID_LEN);
1623 added += 2 + PMKID_LEN;
1624 start[1] += 2 + PMKID_LEN;
1625 } else {
1626 u16 num_pmkid;
1627
1628 if (rend - rpos < 2)
1629 return -1;
1630 num_pmkid = WPA_GET_LE16(rpos);
1631 /* PMKID-Count was included; use it */
1632 if (num_pmkid != 0) {
1633 u8 *after;
1634
1635 if (num_pmkid * PMKID_LEN > rend - rpos - 2)
1636 return -1;
1637 /*
1638 * PMKID may have been included in RSN IE in
1639 * (Re)Association Request frame, so remove the old
1640 * PMKID(s) first before adding the new one.
1641 */
1642 wpa_printf(MSG_DEBUG,
1643 "FT: Remove %u old PMKID(s) from RSN IE",
1644 num_pmkid);
1645 after = rpos + 2 + num_pmkid * PMKID_LEN;
1646 os_memmove(rpos + 2, after, rend - after);
1647 start[1] -= num_pmkid * PMKID_LEN;
1648 added -= num_pmkid * PMKID_LEN;
1649 }
1650 WPA_PUT_LE16(rpos, 1);
1651 rpos += 2;
1652 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
1653 os_memcpy(rpos, pmkid, PMKID_LEN);
1654 added += PMKID_LEN;
1655 start[1] += PMKID_LEN;
1656 }
1657
1658 wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification "
1659 "(PMKID inserted)", start, 2 + start[1]);
1660
1661 *ies_len += added;
1662
1663 return 0;
1664 }
1665 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */
1666
1667
wpa_cipher_key_len(int cipher)1668 int wpa_cipher_key_len(int cipher)
1669 {
1670 switch (cipher) {
1671 case WPA_CIPHER_CCMP_256:
1672 case WPA_CIPHER_GCMP_256:
1673 case WPA_CIPHER_BIP_GMAC_256:
1674 case WPA_CIPHER_BIP_CMAC_256:
1675 return 32;
1676 case WPA_CIPHER_CCMP:
1677 case WPA_CIPHER_GCMP:
1678 case WPA_CIPHER_AES_128_CMAC:
1679 case WPA_CIPHER_BIP_GMAC_128:
1680 return 16;
1681 case WPA_CIPHER_TKIP:
1682 return 32;
1683 }
1684
1685 return 0;
1686 }
1687
1688
wpa_cipher_rsc_len(int cipher)1689 int wpa_cipher_rsc_len(int cipher)
1690 {
1691 switch (cipher) {
1692 case WPA_CIPHER_CCMP_256:
1693 case WPA_CIPHER_GCMP_256:
1694 case WPA_CIPHER_CCMP:
1695 case WPA_CIPHER_GCMP:
1696 case WPA_CIPHER_TKIP:
1697 return 6;
1698 }
1699
1700 return 0;
1701 }
1702
1703
wpa_cipher_to_alg(int cipher)1704 enum wpa_alg wpa_cipher_to_alg(int cipher)
1705 {
1706 switch (cipher) {
1707 case WPA_CIPHER_CCMP_256:
1708 return WPA_ALG_CCMP_256;
1709 case WPA_CIPHER_GCMP_256:
1710 return WPA_ALG_GCMP_256;
1711 case WPA_CIPHER_CCMP:
1712 return WPA_ALG_CCMP;
1713 case WPA_CIPHER_GCMP:
1714 return WPA_ALG_GCMP;
1715 case WPA_CIPHER_TKIP:
1716 return WPA_ALG_TKIP;
1717 case WPA_CIPHER_AES_128_CMAC:
1718 return WPA_ALG_IGTK;
1719 case WPA_CIPHER_BIP_GMAC_128:
1720 return WPA_ALG_BIP_GMAC_128;
1721 case WPA_CIPHER_BIP_GMAC_256:
1722 return WPA_ALG_BIP_GMAC_256;
1723 case WPA_CIPHER_BIP_CMAC_256:
1724 return WPA_ALG_BIP_CMAC_256;
1725 }
1726 return WPA_ALG_NONE;
1727 }
1728
1729
wpa_cipher_valid_pairwise(int cipher)1730 int wpa_cipher_valid_pairwise(int cipher)
1731 {
1732 return cipher == WPA_CIPHER_CCMP_256 ||
1733 cipher == WPA_CIPHER_GCMP_256 ||
1734 cipher == WPA_CIPHER_CCMP ||
1735 cipher == WPA_CIPHER_GCMP ||
1736 cipher == WPA_CIPHER_TKIP;
1737 }
1738
1739
wpa_cipher_to_suite(int proto,int cipher)1740 u32 wpa_cipher_to_suite(int proto, int cipher)
1741 {
1742 if (cipher & WPA_CIPHER_CCMP_256)
1743 return RSN_CIPHER_SUITE_CCMP_256;
1744 if (cipher & WPA_CIPHER_GCMP_256)
1745 return RSN_CIPHER_SUITE_GCMP_256;
1746 if (cipher & WPA_CIPHER_CCMP)
1747 return (proto == WPA_PROTO_RSN ?
1748 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
1749 if (cipher & WPA_CIPHER_GCMP)
1750 return RSN_CIPHER_SUITE_GCMP;
1751 if (cipher & WPA_CIPHER_TKIP)
1752 return (proto == WPA_PROTO_RSN ?
1753 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
1754 if (cipher & WPA_CIPHER_NONE)
1755 return (proto == WPA_PROTO_RSN ?
1756 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
1757 if (cipher & WPA_CIPHER_GTK_NOT_USED)
1758 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
1759 if (cipher & WPA_CIPHER_AES_128_CMAC)
1760 return RSN_CIPHER_SUITE_AES_128_CMAC;
1761 if (cipher & WPA_CIPHER_BIP_GMAC_128)
1762 return RSN_CIPHER_SUITE_BIP_GMAC_128;
1763 if (cipher & WPA_CIPHER_BIP_GMAC_256)
1764 return RSN_CIPHER_SUITE_BIP_GMAC_256;
1765 if (cipher & WPA_CIPHER_BIP_CMAC_256)
1766 return RSN_CIPHER_SUITE_BIP_CMAC_256;
1767 return 0;
1768 }
1769
1770
rsn_cipher_put_suites(u8 * start,int ciphers)1771 int rsn_cipher_put_suites(u8 *start, int ciphers)
1772 {
1773 u8 *pos = start;
1774
1775 if (ciphers & WPA_CIPHER_CCMP_256) {
1776 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
1777 pos += RSN_SELECTOR_LEN;
1778 }
1779 if (ciphers & WPA_CIPHER_GCMP_256) {
1780 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
1781 pos += RSN_SELECTOR_LEN;
1782 }
1783 if (ciphers & WPA_CIPHER_CCMP) {
1784 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1785 pos += RSN_SELECTOR_LEN;
1786 }
1787 if (ciphers & WPA_CIPHER_GCMP) {
1788 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
1789 pos += RSN_SELECTOR_LEN;
1790 }
1791 if (ciphers & WPA_CIPHER_TKIP) {
1792 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
1793 pos += RSN_SELECTOR_LEN;
1794 }
1795 if (ciphers & WPA_CIPHER_NONE) {
1796 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
1797 pos += RSN_SELECTOR_LEN;
1798 }
1799
1800 return (pos - start) / RSN_SELECTOR_LEN;
1801 }
1802
1803
wpa_cipher_put_suites(u8 * start,int ciphers)1804 int wpa_cipher_put_suites(u8 *start, int ciphers)
1805 {
1806 u8 *pos = start;
1807
1808 if (ciphers & WPA_CIPHER_CCMP) {
1809 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
1810 pos += WPA_SELECTOR_LEN;
1811 }
1812 if (ciphers & WPA_CIPHER_TKIP) {
1813 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
1814 pos += WPA_SELECTOR_LEN;
1815 }
1816 if (ciphers & WPA_CIPHER_NONE) {
1817 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
1818 pos += WPA_SELECTOR_LEN;
1819 }
1820
1821 return (pos - start) / RSN_SELECTOR_LEN;
1822 }
1823
1824
wpa_pick_pairwise_cipher(int ciphers,int none_allowed)1825 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
1826 {
1827 if (ciphers & WPA_CIPHER_CCMP_256)
1828 return WPA_CIPHER_CCMP_256;
1829 if (ciphers & WPA_CIPHER_GCMP_256)
1830 return WPA_CIPHER_GCMP_256;
1831 if (ciphers & WPA_CIPHER_CCMP)
1832 return WPA_CIPHER_CCMP;
1833 if (ciphers & WPA_CIPHER_GCMP)
1834 return WPA_CIPHER_GCMP;
1835 if (ciphers & WPA_CIPHER_TKIP)
1836 return WPA_CIPHER_TKIP;
1837 if (none_allowed && (ciphers & WPA_CIPHER_NONE))
1838 return WPA_CIPHER_NONE;
1839 return -1;
1840 }
1841
1842
wpa_pick_group_cipher(int ciphers)1843 int wpa_pick_group_cipher(int ciphers)
1844 {
1845 if (ciphers & WPA_CIPHER_CCMP_256)
1846 return WPA_CIPHER_CCMP_256;
1847 if (ciphers & WPA_CIPHER_GCMP_256)
1848 return WPA_CIPHER_GCMP_256;
1849 if (ciphers & WPA_CIPHER_CCMP)
1850 return WPA_CIPHER_CCMP;
1851 if (ciphers & WPA_CIPHER_GCMP)
1852 return WPA_CIPHER_GCMP;
1853 if (ciphers & WPA_CIPHER_GTK_NOT_USED)
1854 return WPA_CIPHER_GTK_NOT_USED;
1855 if (ciphers & WPA_CIPHER_TKIP)
1856 return WPA_CIPHER_TKIP;
1857 return -1;
1858 }
1859
1860
wpa_parse_cipher(const char * value)1861 int wpa_parse_cipher(const char *value)
1862 {
1863 int val = 0, last;
1864 char *start, *end, *buf;
1865
1866 buf = os_strdup(value);
1867 if (buf == NULL)
1868 return -1;
1869 start = buf;
1870
1871 while (*start != '\0') {
1872 while (*start == ' ' || *start == '\t')
1873 start++;
1874 if (*start == '\0')
1875 break;
1876 end = start;
1877 while (*end != ' ' && *end != '\t' && *end != '\0')
1878 end++;
1879 last = *end == '\0';
1880 *end = '\0';
1881 if (os_strcmp(start, "CCMP-256") == 0)
1882 val |= WPA_CIPHER_CCMP_256;
1883 else if (os_strcmp(start, "GCMP-256") == 0)
1884 val |= WPA_CIPHER_GCMP_256;
1885 else if (os_strcmp(start, "CCMP") == 0)
1886 val |= WPA_CIPHER_CCMP;
1887 else if (os_strcmp(start, "GCMP") == 0)
1888 val |= WPA_CIPHER_GCMP;
1889 else if (os_strcmp(start, "TKIP") == 0)
1890 val |= WPA_CIPHER_TKIP;
1891 else if (os_strcmp(start, "WEP104") == 0)
1892 val |= WPA_CIPHER_WEP104;
1893 else if (os_strcmp(start, "WEP40") == 0)
1894 val |= WPA_CIPHER_WEP40;
1895 else if (os_strcmp(start, "NONE") == 0)
1896 val |= WPA_CIPHER_NONE;
1897 else if (os_strcmp(start, "GTK_NOT_USED") == 0)
1898 val |= WPA_CIPHER_GTK_NOT_USED;
1899 else {
1900 os_free(buf);
1901 return -1;
1902 }
1903
1904 if (last)
1905 break;
1906 start = end + 1;
1907 }
1908 os_free(buf);
1909
1910 return val;
1911 }
1912
1913
wpa_write_ciphers(char * start,char * end,int ciphers,const char * delim)1914 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
1915 {
1916 char *pos = start;
1917 int ret;
1918
1919 if (ciphers & WPA_CIPHER_CCMP_256) {
1920 ret = os_snprintf(pos, end - pos, "%sCCMP-256",
1921 pos == start ? "" : delim);
1922 if (os_snprintf_error(end - pos, ret))
1923 return -1;
1924 pos += ret;
1925 }
1926 if (ciphers & WPA_CIPHER_GCMP_256) {
1927 ret = os_snprintf(pos, end - pos, "%sGCMP-256",
1928 pos == start ? "" : delim);
1929 if (os_snprintf_error(end - pos, ret))
1930 return -1;
1931 pos += ret;
1932 }
1933 if (ciphers & WPA_CIPHER_CCMP) {
1934 ret = os_snprintf(pos, end - pos, "%sCCMP",
1935 pos == start ? "" : delim);
1936 if (os_snprintf_error(end - pos, ret))
1937 return -1;
1938 pos += ret;
1939 }
1940 if (ciphers & WPA_CIPHER_GCMP) {
1941 ret = os_snprintf(pos, end - pos, "%sGCMP",
1942 pos == start ? "" : delim);
1943 if (os_snprintf_error(end - pos, ret))
1944 return -1;
1945 pos += ret;
1946 }
1947 if (ciphers & WPA_CIPHER_TKIP) {
1948 ret = os_snprintf(pos, end - pos, "%sTKIP",
1949 pos == start ? "" : delim);
1950 if (os_snprintf_error(end - pos, ret))
1951 return -1;
1952 pos += ret;
1953 }
1954 if (ciphers & WPA_CIPHER_NONE) {
1955 ret = os_snprintf(pos, end - pos, "%sNONE",
1956 pos == start ? "" : delim);
1957 if (os_snprintf_error(end - pos, ret))
1958 return -1;
1959 pos += ret;
1960 }
1961
1962 return pos - start;
1963 }
1964
1965
wpa_select_ap_group_cipher(int wpa,int wpa_pairwise,int rsn_pairwise)1966 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
1967 {
1968 int pairwise = 0;
1969
1970 /* Select group cipher based on the enabled pairwise cipher suites */
1971 if (wpa & 1)
1972 pairwise |= wpa_pairwise;
1973 if (wpa & 2)
1974 pairwise |= rsn_pairwise;
1975
1976 if (pairwise & WPA_CIPHER_TKIP)
1977 return WPA_CIPHER_TKIP;
1978 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
1979 return WPA_CIPHER_GCMP;
1980 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
1981 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
1982 return WPA_CIPHER_GCMP_256;
1983 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
1984 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
1985 return WPA_CIPHER_CCMP_256;
1986 return WPA_CIPHER_CCMP;
1987 }
1988
1989
1990 #ifdef CONFIG_FILS
fils_domain_name_hash(const char * domain,u8 * hash)1991 int fils_domain_name_hash(const char *domain, u8 *hash)
1992 {
1993 char buf[255], *wpos = buf;
1994 const char *pos = domain;
1995 size_t len;
1996 const u8 *addr[1];
1997 u8 mac[SHA256_MAC_LEN];
1998
1999 for (len = 0; len < sizeof(buf) && *pos; len++) {
2000 if (isalpha(*pos) && isupper(*pos))
2001 *wpos++ = tolower(*pos);
2002 else
2003 *wpos++ = *pos;
2004 pos++;
2005 }
2006
2007 addr[0] = (const u8 *) buf;
2008 if (sha256_vector(1, addr, &len, mac) < 0)
2009 return -1;
2010 os_memcpy(hash, mac, 2);
2011 return 0;
2012 }
2013 #endif /* CONFIG_FILS */
2014