1 /* 2 * WPA/RSN - Shared functions for supplicant and authenticator 3 * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/sha384.h" 16 #include "crypto/aes_wrap.h" 17 #include "crypto/crypto.h" 18 #include "ieee802_11_defs.h" 19 #include "defs.h" 20 #include "wpa_common.h" 21 22 23 static unsigned int wpa_kck_len(int akmp) 24 { 25 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 26 return 24; 27 return 16; 28 } 29 30 31 static unsigned int wpa_kek_len(int akmp) 32 { 33 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 34 return 32; 35 return 16; 36 } 37 38 39 unsigned int wpa_mic_len(int akmp) 40 { 41 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 42 return 24; 43 return 16; 44 } 45 46 47 /** 48 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC 49 * @key: EAPOL-Key Key Confirmation Key (KCK) 50 * @key_len: KCK length in octets 51 * @akmp: WPA_KEY_MGMT_* used in key derivation 52 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*) 53 * @buf: Pointer to the beginning of the EAPOL header (version field) 54 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame) 55 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written 56 * Returns: 0 on success, -1 on failure 57 * 58 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has 59 * to be cleared (all zeroes) when calling this function. 60 * 61 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the 62 * description of the Key MIC calculation. It includes packet data from the 63 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change 64 * happened during final editing of the standard and the correct behavior is 65 * defined in the last draft (IEEE 802.11i/D10). 66 */ 67 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, 68 const u8 *buf, size_t len, u8 *mic) 69 { 70 u8 hash[SHA384_MAC_LEN]; 71 72 switch (ver) { 73 #ifndef CONFIG_FIPS 74 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4: 75 return hmac_md5(key, key_len, buf, len, mic); 76 #endif /* CONFIG_FIPS */ 77 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES: 78 if (hmac_sha1(key, key_len, buf, len, hash)) 79 return -1; 80 os_memcpy(mic, hash, MD5_MAC_LEN); 81 break; 82 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W) 83 case WPA_KEY_INFO_TYPE_AES_128_CMAC: 84 return omac1_aes_128(key, buf, len, mic); 85 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */ 86 case WPA_KEY_INFO_TYPE_AKM_DEFINED: 87 switch (akmp) { 88 #ifdef CONFIG_HS20 89 case WPA_KEY_MGMT_OSEN: 90 return omac1_aes_128(key, buf, len, mic); 91 #endif /* CONFIG_HS20 */ 92 #ifdef CONFIG_SUITEB 93 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 94 if (hmac_sha256(key, key_len, buf, len, hash)) 95 return -1; 96 os_memcpy(mic, hash, MD5_MAC_LEN); 97 break; 98 #endif /* CONFIG_SUITEB */ 99 #ifdef CONFIG_SUITEB192 100 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 101 if (hmac_sha384(key, key_len, buf, len, hash)) 102 return -1; 103 os_memcpy(mic, hash, 24); 104 break; 105 #endif /* CONFIG_SUITEB192 */ 106 default: 107 return -1; 108 } 109 break; 110 default: 111 return -1; 112 } 113 114 return 0; 115 } 116 117 118 /** 119 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces 120 * @pmk: Pairwise master key 121 * @pmk_len: Length of PMK 122 * @label: Label to use in derivation 123 * @addr1: AA or SA 124 * @addr2: SA or AA 125 * @nonce1: ANonce or SNonce 126 * @nonce2: SNonce or ANonce 127 * @ptk: Buffer for pairwise transient key 128 * @akmp: Negotiated AKM 129 * @cipher: Negotiated pairwise cipher 130 * Returns: 0 on success, -1 on failure 131 * 132 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 133 * PTK = PRF-X(PMK, "Pairwise key expansion", 134 * Min(AA, SA) || Max(AA, SA) || 135 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 136 * 137 * STK = PRF-X(SMK, "Peer key expansion", 138 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) || 139 * Min(INonce, PNonce) || Max(INonce, PNonce)) 140 */ 141 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, 142 const u8 *addr1, const u8 *addr2, 143 const u8 *nonce1, const u8 *nonce2, 144 struct wpa_ptk *ptk, int akmp, int cipher) 145 { 146 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN]; 147 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 148 size_t ptk_len; 149 150 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) { 151 os_memcpy(data, addr1, ETH_ALEN); 152 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN); 153 } else { 154 os_memcpy(data, addr2, ETH_ALEN); 155 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN); 156 } 157 158 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) { 159 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN); 160 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2, 161 WPA_NONCE_LEN); 162 } else { 163 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN); 164 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1, 165 WPA_NONCE_LEN); 166 } 167 168 ptk->kck_len = wpa_kck_len(akmp); 169 ptk->kek_len = wpa_kek_len(akmp); 170 ptk->tk_len = wpa_cipher_key_len(cipher); 171 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 172 173 #ifdef CONFIG_SUITEB192 174 if (wpa_key_mgmt_sha384(akmp)) 175 sha384_prf(pmk, pmk_len, label, data, sizeof(data), 176 tmp, ptk_len); 177 else 178 #endif /* CONFIG_SUITEB192 */ 179 #ifdef CONFIG_IEEE80211W 180 if (wpa_key_mgmt_sha256(akmp)) 181 sha256_prf(pmk, pmk_len, label, data, sizeof(data), 182 tmp, ptk_len); 183 else 184 #endif /* CONFIG_IEEE80211W */ 185 sha1_prf(pmk, pmk_len, label, data, sizeof(data), tmp, ptk_len); 186 187 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR, 188 MAC2STR(addr1), MAC2STR(addr2)); 189 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN); 190 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN); 191 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len); 192 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len); 193 194 os_memcpy(ptk->kck, tmp, ptk->kck_len); 195 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len); 196 197 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 198 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 199 200 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 201 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len); 202 203 os_memset(tmp, 0, sizeof(tmp)); 204 return 0; 205 } 206 207 208 #ifdef CONFIG_IEEE80211R 209 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr, 210 const u8 *ap_addr, u8 transaction_seqnum, 211 const u8 *mdie, size_t mdie_len, 212 const u8 *ftie, size_t ftie_len, 213 const u8 *rsnie, size_t rsnie_len, 214 const u8 *ric, size_t ric_len, u8 *mic) 215 { 216 const u8 *addr[9]; 217 size_t len[9]; 218 size_t i, num_elem = 0; 219 u8 zero_mic[16]; 220 221 if (kck_len != 16) { 222 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u", 223 (unsigned int) kck_len); 224 return -1; 225 } 226 227 addr[num_elem] = sta_addr; 228 len[num_elem] = ETH_ALEN; 229 num_elem++; 230 231 addr[num_elem] = ap_addr; 232 len[num_elem] = ETH_ALEN; 233 num_elem++; 234 235 addr[num_elem] = &transaction_seqnum; 236 len[num_elem] = 1; 237 num_elem++; 238 239 if (rsnie) { 240 addr[num_elem] = rsnie; 241 len[num_elem] = rsnie_len; 242 num_elem++; 243 } 244 if (mdie) { 245 addr[num_elem] = mdie; 246 len[num_elem] = mdie_len; 247 num_elem++; 248 } 249 if (ftie) { 250 if (ftie_len < 2 + sizeof(struct rsn_ftie)) 251 return -1; 252 253 /* IE hdr and mic_control */ 254 addr[num_elem] = ftie; 255 len[num_elem] = 2 + 2; 256 num_elem++; 257 258 /* MIC field with all zeros */ 259 os_memset(zero_mic, 0, sizeof(zero_mic)); 260 addr[num_elem] = zero_mic; 261 len[num_elem] = sizeof(zero_mic); 262 num_elem++; 263 264 /* Rest of FTIE */ 265 addr[num_elem] = ftie + 2 + 2 + 16; 266 len[num_elem] = ftie_len - (2 + 2 + 16); 267 num_elem++; 268 } 269 if (ric) { 270 addr[num_elem] = ric; 271 len[num_elem] = ric_len; 272 num_elem++; 273 } 274 275 for (i = 0; i < num_elem; i++) 276 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]); 277 if (omac1_aes_128_vector(kck, num_elem, addr, len, mic)) 278 return -1; 279 280 return 0; 281 } 282 283 284 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len, 285 struct wpa_ft_ies *parse) 286 { 287 const u8 *end, *pos; 288 289 parse->ftie = ie; 290 parse->ftie_len = ie_len; 291 292 pos = ie + sizeof(struct rsn_ftie); 293 end = ie + ie_len; 294 295 while (pos + 2 <= end && pos + 2 + pos[1] <= end) { 296 switch (pos[0]) { 297 case FTIE_SUBELEM_R1KH_ID: 298 if (pos[1] != FT_R1KH_ID_LEN) { 299 wpa_printf(MSG_DEBUG, "FT: Invalid R1KH-ID " 300 "length in FTIE: %d", pos[1]); 301 return -1; 302 } 303 parse->r1kh_id = pos + 2; 304 break; 305 case FTIE_SUBELEM_GTK: 306 parse->gtk = pos + 2; 307 parse->gtk_len = pos[1]; 308 break; 309 case FTIE_SUBELEM_R0KH_ID: 310 if (pos[1] < 1 || pos[1] > FT_R0KH_ID_MAX_LEN) { 311 wpa_printf(MSG_DEBUG, "FT: Invalid R0KH-ID " 312 "length in FTIE: %d", pos[1]); 313 return -1; 314 } 315 parse->r0kh_id = pos + 2; 316 parse->r0kh_id_len = pos[1]; 317 break; 318 #ifdef CONFIG_IEEE80211W 319 case FTIE_SUBELEM_IGTK: 320 parse->igtk = pos + 2; 321 parse->igtk_len = pos[1]; 322 break; 323 #endif /* CONFIG_IEEE80211W */ 324 } 325 326 pos += 2 + pos[1]; 327 } 328 329 return 0; 330 } 331 332 333 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, 334 struct wpa_ft_ies *parse) 335 { 336 const u8 *end, *pos; 337 struct wpa_ie_data data; 338 int ret; 339 const struct rsn_ftie *ftie; 340 int prot_ie_count = 0; 341 342 os_memset(parse, 0, sizeof(*parse)); 343 if (ies == NULL) 344 return 0; 345 346 pos = ies; 347 end = ies + ies_len; 348 while (pos + 2 <= end && pos + 2 + pos[1] <= end) { 349 switch (pos[0]) { 350 case WLAN_EID_RSN: 351 parse->rsn = pos + 2; 352 parse->rsn_len = pos[1]; 353 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2, 354 parse->rsn_len + 2, 355 &data); 356 if (ret < 0) { 357 wpa_printf(MSG_DEBUG, "FT: Failed to parse " 358 "RSN IE: %d", ret); 359 return -1; 360 } 361 if (data.num_pmkid == 1 && data.pmkid) 362 parse->rsn_pmkid = data.pmkid; 363 break; 364 case WLAN_EID_MOBILITY_DOMAIN: 365 if (pos[1] < sizeof(struct rsn_mdie)) 366 return -1; 367 parse->mdie = pos + 2; 368 parse->mdie_len = pos[1]; 369 break; 370 case WLAN_EID_FAST_BSS_TRANSITION: 371 if (pos[1] < sizeof(*ftie)) 372 return -1; 373 ftie = (const struct rsn_ftie *) (pos + 2); 374 prot_ie_count = ftie->mic_control[1]; 375 if (wpa_ft_parse_ftie(pos + 2, pos[1], parse) < 0) 376 return -1; 377 break; 378 case WLAN_EID_TIMEOUT_INTERVAL: 379 if (pos[1] != 5) 380 break; 381 parse->tie = pos + 2; 382 parse->tie_len = pos[1]; 383 break; 384 case WLAN_EID_RIC_DATA: 385 if (parse->ric == NULL) 386 parse->ric = pos; 387 break; 388 } 389 390 pos += 2 + pos[1]; 391 } 392 393 if (prot_ie_count == 0) 394 return 0; /* no MIC */ 395 396 /* 397 * Check that the protected IE count matches with IEs included in the 398 * frame. 399 */ 400 if (parse->rsn) 401 prot_ie_count--; 402 if (parse->mdie) 403 prot_ie_count--; 404 if (parse->ftie) 405 prot_ie_count--; 406 if (prot_ie_count < 0) { 407 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in " 408 "the protected IE count"); 409 return -1; 410 } 411 412 if (prot_ie_count == 0 && parse->ric) { 413 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not " 414 "included in protected IE count"); 415 return -1; 416 } 417 418 /* Determine the end of the RIC IE(s) */ 419 pos = parse->ric; 420 while (pos && pos + 2 <= end && pos + 2 + pos[1] <= end && 421 prot_ie_count) { 422 prot_ie_count--; 423 pos += 2 + pos[1]; 424 } 425 parse->ric_len = pos - parse->ric; 426 if (prot_ie_count) { 427 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from " 428 "frame", (int) prot_ie_count); 429 return -1; 430 } 431 432 return 0; 433 } 434 #endif /* CONFIG_IEEE80211R */ 435 436 437 static int rsn_selector_to_bitfield(const u8 *s) 438 { 439 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE) 440 return WPA_CIPHER_NONE; 441 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP) 442 return WPA_CIPHER_TKIP; 443 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP) 444 return WPA_CIPHER_CCMP; 445 #ifdef CONFIG_IEEE80211W 446 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC) 447 return WPA_CIPHER_AES_128_CMAC; 448 #endif /* CONFIG_IEEE80211W */ 449 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP) 450 return WPA_CIPHER_GCMP; 451 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256) 452 return WPA_CIPHER_CCMP_256; 453 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256) 454 return WPA_CIPHER_GCMP_256; 455 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128) 456 return WPA_CIPHER_BIP_GMAC_128; 457 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256) 458 return WPA_CIPHER_BIP_GMAC_256; 459 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256) 460 return WPA_CIPHER_BIP_CMAC_256; 461 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED) 462 return WPA_CIPHER_GTK_NOT_USED; 463 return 0; 464 } 465 466 467 static int rsn_key_mgmt_to_bitfield(const u8 *s) 468 { 469 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X) 470 return WPA_KEY_MGMT_IEEE8021X; 471 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X) 472 return WPA_KEY_MGMT_PSK; 473 #ifdef CONFIG_IEEE80211R 474 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X) 475 return WPA_KEY_MGMT_FT_IEEE8021X; 476 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK) 477 return WPA_KEY_MGMT_FT_PSK; 478 #endif /* CONFIG_IEEE80211R */ 479 #ifdef CONFIG_IEEE80211W 480 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) 481 return WPA_KEY_MGMT_IEEE8021X_SHA256; 482 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) 483 return WPA_KEY_MGMT_PSK_SHA256; 484 #endif /* CONFIG_IEEE80211W */ 485 #ifdef CONFIG_SAE 486 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) 487 return WPA_KEY_MGMT_SAE; 488 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) 489 return WPA_KEY_MGMT_FT_SAE; 490 #endif /* CONFIG_SAE */ 491 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) 492 return WPA_KEY_MGMT_IEEE8021X_SUITE_B; 493 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192) 494 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; 495 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN) 496 return WPA_KEY_MGMT_OSEN; 497 return 0; 498 } 499 500 501 int wpa_cipher_valid_group(int cipher) 502 { 503 return wpa_cipher_valid_pairwise(cipher) || 504 cipher == WPA_CIPHER_GTK_NOT_USED; 505 } 506 507 508 #ifdef CONFIG_IEEE80211W 509 int wpa_cipher_valid_mgmt_group(int cipher) 510 { 511 return cipher == WPA_CIPHER_AES_128_CMAC || 512 cipher == WPA_CIPHER_BIP_GMAC_128 || 513 cipher == WPA_CIPHER_BIP_GMAC_256 || 514 cipher == WPA_CIPHER_BIP_CMAC_256; 515 } 516 #endif /* CONFIG_IEEE80211W */ 517 518 519 /** 520 * wpa_parse_wpa_ie_rsn - Parse RSN IE 521 * @rsn_ie: Buffer containing RSN IE 522 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets) 523 * @data: Pointer to structure that will be filled in with parsed data 524 * Returns: 0 on success, <0 on failure 525 */ 526 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len, 527 struct wpa_ie_data *data) 528 { 529 const u8 *pos; 530 int left; 531 int i, count; 532 533 os_memset(data, 0, sizeof(*data)); 534 data->proto = WPA_PROTO_RSN; 535 data->pairwise_cipher = WPA_CIPHER_CCMP; 536 data->group_cipher = WPA_CIPHER_CCMP; 537 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 538 data->capabilities = 0; 539 data->pmkid = NULL; 540 data->num_pmkid = 0; 541 #ifdef CONFIG_IEEE80211W 542 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC; 543 #else /* CONFIG_IEEE80211W */ 544 data->mgmt_group_cipher = 0; 545 #endif /* CONFIG_IEEE80211W */ 546 547 if (rsn_ie_len == 0) { 548 /* No RSN IE - fail silently */ 549 return -1; 550 } 551 552 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) { 553 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 554 __func__, (unsigned long) rsn_ie_len); 555 return -1; 556 } 557 558 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 && 559 rsn_ie[1] == rsn_ie_len - 2 && 560 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) { 561 pos = rsn_ie + 6; 562 left = rsn_ie_len - 6; 563 564 data->proto = WPA_PROTO_OSEN; 565 } else { 566 const struct rsn_ie_hdr *hdr; 567 568 hdr = (const struct rsn_ie_hdr *) rsn_ie; 569 570 if (hdr->elem_id != WLAN_EID_RSN || 571 hdr->len != rsn_ie_len - 2 || 572 WPA_GET_LE16(hdr->version) != RSN_VERSION) { 573 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 574 __func__); 575 return -2; 576 } 577 578 pos = (const u8 *) (hdr + 1); 579 left = rsn_ie_len - sizeof(*hdr); 580 } 581 582 if (left >= RSN_SELECTOR_LEN) { 583 data->group_cipher = rsn_selector_to_bitfield(pos); 584 if (!wpa_cipher_valid_group(data->group_cipher)) { 585 wpa_printf(MSG_DEBUG, "%s: invalid group cipher 0x%x", 586 __func__, data->group_cipher); 587 return -1; 588 } 589 pos += RSN_SELECTOR_LEN; 590 left -= RSN_SELECTOR_LEN; 591 } else if (left > 0) { 592 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 593 __func__, left); 594 return -3; 595 } 596 597 if (left >= 2) { 598 data->pairwise_cipher = 0; 599 count = WPA_GET_LE16(pos); 600 pos += 2; 601 left -= 2; 602 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 603 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 604 "count %u left %u", __func__, count, left); 605 return -4; 606 } 607 for (i = 0; i < count; i++) { 608 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 609 pos += RSN_SELECTOR_LEN; 610 left -= RSN_SELECTOR_LEN; 611 } 612 #ifdef CONFIG_IEEE80211W 613 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) { 614 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as " 615 "pairwise cipher", __func__); 616 return -1; 617 } 618 #endif /* CONFIG_IEEE80211W */ 619 } else if (left == 1) { 620 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 621 __func__); 622 return -5; 623 } 624 625 if (left >= 2) { 626 data->key_mgmt = 0; 627 count = WPA_GET_LE16(pos); 628 pos += 2; 629 left -= 2; 630 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 631 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 632 "count %u left %u", __func__, count, left); 633 return -6; 634 } 635 for (i = 0; i < count; i++) { 636 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 637 pos += RSN_SELECTOR_LEN; 638 left -= RSN_SELECTOR_LEN; 639 } 640 } else if (left == 1) { 641 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 642 __func__); 643 return -7; 644 } 645 646 if (left >= 2) { 647 data->capabilities = WPA_GET_LE16(pos); 648 pos += 2; 649 left -= 2; 650 } 651 652 if (left >= 2) { 653 u16 num_pmkid = WPA_GET_LE16(pos); 654 pos += 2; 655 left -= 2; 656 if (num_pmkid > (unsigned int) left / PMKID_LEN) { 657 wpa_printf(MSG_DEBUG, "%s: PMKID underflow " 658 "(num_pmkid=%u left=%d)", 659 __func__, num_pmkid, left); 660 data->num_pmkid = 0; 661 return -9; 662 } else { 663 data->num_pmkid = num_pmkid; 664 data->pmkid = pos; 665 pos += data->num_pmkid * PMKID_LEN; 666 left -= data->num_pmkid * PMKID_LEN; 667 } 668 } 669 670 #ifdef CONFIG_IEEE80211W 671 if (left >= 4) { 672 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos); 673 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) { 674 wpa_printf(MSG_DEBUG, "%s: Unsupported management " 675 "group cipher 0x%x", __func__, 676 data->mgmt_group_cipher); 677 return -10; 678 } 679 pos += RSN_SELECTOR_LEN; 680 left -= RSN_SELECTOR_LEN; 681 } 682 #endif /* CONFIG_IEEE80211W */ 683 684 if (left > 0) { 685 wpa_hexdump(MSG_DEBUG, 686 "wpa_parse_wpa_ie_rsn: ignore trailing bytes", 687 pos, left); 688 } 689 690 return 0; 691 } 692 693 694 static int wpa_selector_to_bitfield(const u8 *s) 695 { 696 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE) 697 return WPA_CIPHER_NONE; 698 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP) 699 return WPA_CIPHER_TKIP; 700 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP) 701 return WPA_CIPHER_CCMP; 702 return 0; 703 } 704 705 706 static int wpa_key_mgmt_to_bitfield(const u8 *s) 707 { 708 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X) 709 return WPA_KEY_MGMT_IEEE8021X; 710 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X) 711 return WPA_KEY_MGMT_PSK; 712 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE) 713 return WPA_KEY_MGMT_WPA_NONE; 714 return 0; 715 } 716 717 718 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len, 719 struct wpa_ie_data *data) 720 { 721 const struct wpa_ie_hdr *hdr; 722 const u8 *pos; 723 int left; 724 int i, count; 725 726 os_memset(data, 0, sizeof(*data)); 727 data->proto = WPA_PROTO_WPA; 728 data->pairwise_cipher = WPA_CIPHER_TKIP; 729 data->group_cipher = WPA_CIPHER_TKIP; 730 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 731 data->capabilities = 0; 732 data->pmkid = NULL; 733 data->num_pmkid = 0; 734 data->mgmt_group_cipher = 0; 735 736 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) { 737 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 738 __func__, (unsigned long) wpa_ie_len); 739 return -1; 740 } 741 742 hdr = (const struct wpa_ie_hdr *) wpa_ie; 743 744 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC || 745 hdr->len != wpa_ie_len - 2 || 746 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE || 747 WPA_GET_LE16(hdr->version) != WPA_VERSION) { 748 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 749 __func__); 750 return -2; 751 } 752 753 pos = (const u8 *) (hdr + 1); 754 left = wpa_ie_len - sizeof(*hdr); 755 756 if (left >= WPA_SELECTOR_LEN) { 757 data->group_cipher = wpa_selector_to_bitfield(pos); 758 pos += WPA_SELECTOR_LEN; 759 left -= WPA_SELECTOR_LEN; 760 } else if (left > 0) { 761 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 762 __func__, left); 763 return -3; 764 } 765 766 if (left >= 2) { 767 data->pairwise_cipher = 0; 768 count = WPA_GET_LE16(pos); 769 pos += 2; 770 left -= 2; 771 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 772 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 773 "count %u left %u", __func__, count, left); 774 return -4; 775 } 776 for (i = 0; i < count; i++) { 777 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 778 pos += WPA_SELECTOR_LEN; 779 left -= WPA_SELECTOR_LEN; 780 } 781 } else if (left == 1) { 782 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 783 __func__); 784 return -5; 785 } 786 787 if (left >= 2) { 788 data->key_mgmt = 0; 789 count = WPA_GET_LE16(pos); 790 pos += 2; 791 left -= 2; 792 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 793 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 794 "count %u left %u", __func__, count, left); 795 return -6; 796 } 797 for (i = 0; i < count; i++) { 798 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 799 pos += WPA_SELECTOR_LEN; 800 left -= WPA_SELECTOR_LEN; 801 } 802 } else if (left == 1) { 803 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 804 __func__); 805 return -7; 806 } 807 808 if (left >= 2) { 809 data->capabilities = WPA_GET_LE16(pos); 810 pos += 2; 811 left -= 2; 812 } 813 814 if (left > 0) { 815 wpa_hexdump(MSG_DEBUG, 816 "wpa_parse_wpa_ie_wpa: ignore trailing bytes", 817 pos, left); 818 } 819 820 return 0; 821 } 822 823 824 #ifdef CONFIG_IEEE80211R 825 826 /** 827 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name 828 * 829 * IEEE Std 802.11r-2008 - 8.5.1.5.3 830 */ 831 void wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len, 832 const u8 *ssid, size_t ssid_len, 833 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len, 834 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name) 835 { 836 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 + 837 FT_R0KH_ID_MAX_LEN + ETH_ALEN]; 838 u8 *pos, r0_key_data[48], hash[32]; 839 const u8 *addr[2]; 840 size_t len[2]; 841 842 /* 843 * R0-Key-Data = KDF-384(XXKey, "FT-R0", 844 * SSIDlength || SSID || MDID || R0KHlength || 845 * R0KH-ID || S0KH-ID) 846 * XXKey is either the second 256 bits of MSK or PSK. 847 * PMK-R0 = L(R0-Key-Data, 0, 256) 848 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128) 849 */ 850 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN) 851 return; 852 pos = buf; 853 *pos++ = ssid_len; 854 os_memcpy(pos, ssid, ssid_len); 855 pos += ssid_len; 856 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN); 857 pos += MOBILITY_DOMAIN_ID_LEN; 858 *pos++ = r0kh_id_len; 859 os_memcpy(pos, r0kh_id, r0kh_id_len); 860 pos += r0kh_id_len; 861 os_memcpy(pos, s0kh_id, ETH_ALEN); 862 pos += ETH_ALEN; 863 864 sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 865 r0_key_data, sizeof(r0_key_data)); 866 os_memcpy(pmk_r0, r0_key_data, PMK_LEN); 867 868 /* 869 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt) 870 */ 871 addr[0] = (const u8 *) "FT-R0N"; 872 len[0] = 6; 873 addr[1] = r0_key_data + PMK_LEN; 874 len[1] = 16; 875 876 sha256_vector(2, addr, len, hash); 877 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN); 878 } 879 880 881 /** 882 * wpa_derive_pmk_r1_name - Derive PMKR1Name 883 * 884 * IEEE Std 802.11r-2008 - 8.5.1.5.4 885 */ 886 void wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id, 887 const u8 *s1kh_id, u8 *pmk_r1_name) 888 { 889 u8 hash[32]; 890 const u8 *addr[4]; 891 size_t len[4]; 892 893 /* 894 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name || 895 * R1KH-ID || S1KH-ID)) 896 */ 897 addr[0] = (const u8 *) "FT-R1N"; 898 len[0] = 6; 899 addr[1] = pmk_r0_name; 900 len[1] = WPA_PMK_NAME_LEN; 901 addr[2] = r1kh_id; 902 len[2] = FT_R1KH_ID_LEN; 903 addr[3] = s1kh_id; 904 len[3] = ETH_ALEN; 905 906 sha256_vector(4, addr, len, hash); 907 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN); 908 } 909 910 911 /** 912 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0 913 * 914 * IEEE Std 802.11r-2008 - 8.5.1.5.4 915 */ 916 void wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name, 917 const u8 *r1kh_id, const u8 *s1kh_id, 918 u8 *pmk_r1, u8 *pmk_r1_name) 919 { 920 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN]; 921 u8 *pos; 922 923 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */ 924 pos = buf; 925 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN); 926 pos += FT_R1KH_ID_LEN; 927 os_memcpy(pos, s1kh_id, ETH_ALEN); 928 pos += ETH_ALEN; 929 930 sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf, pmk_r1, PMK_LEN); 931 932 wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, pmk_r1_name); 933 } 934 935 936 /** 937 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1 938 * 939 * IEEE Std 802.11r-2008 - 8.5.1.5.5 940 */ 941 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce, 942 const u8 *sta_addr, const u8 *bssid, 943 const u8 *pmk_r1_name, 944 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher) 945 { 946 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN]; 947 u8 *pos, hash[32]; 948 const u8 *addr[6]; 949 size_t len[6]; 950 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 951 size_t ptk_len; 952 953 /* 954 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || 955 * BSSID || STA-ADDR) 956 */ 957 pos = buf; 958 os_memcpy(pos, snonce, WPA_NONCE_LEN); 959 pos += WPA_NONCE_LEN; 960 os_memcpy(pos, anonce, WPA_NONCE_LEN); 961 pos += WPA_NONCE_LEN; 962 os_memcpy(pos, bssid, ETH_ALEN); 963 pos += ETH_ALEN; 964 os_memcpy(pos, sta_addr, ETH_ALEN); 965 pos += ETH_ALEN; 966 967 ptk->kck_len = wpa_kck_len(akmp); 968 ptk->kek_len = wpa_kek_len(akmp); 969 ptk->tk_len = wpa_cipher_key_len(cipher); 970 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 971 972 sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf, tmp, ptk_len); 973 974 /* 975 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce || 976 * ANonce || BSSID || STA-ADDR)) 977 */ 978 addr[0] = pmk_r1_name; 979 len[0] = WPA_PMK_NAME_LEN; 980 addr[1] = (const u8 *) "FT-PTKN"; 981 len[1] = 7; 982 addr[2] = snonce; 983 len[2] = WPA_NONCE_LEN; 984 addr[3] = anonce; 985 len[3] = WPA_NONCE_LEN; 986 addr[4] = bssid; 987 len[4] = ETH_ALEN; 988 addr[5] = sta_addr; 989 len[5] = ETH_ALEN; 990 991 sha256_vector(6, addr, len, hash); 992 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN); 993 994 os_memcpy(ptk->kck, tmp, ptk->kck_len); 995 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 996 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 997 998 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len); 999 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len); 1000 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len); 1001 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN); 1002 1003 os_memset(tmp, 0, sizeof(tmp)); 1004 1005 return 0; 1006 } 1007 1008 #endif /* CONFIG_IEEE80211R */ 1009 1010 1011 /** 1012 * rsn_pmkid - Calculate PMK identifier 1013 * @pmk: Pairwise master key 1014 * @pmk_len: Length of pmk in bytes 1015 * @aa: Authenticator address 1016 * @spa: Supplicant address 1017 * @pmkid: Buffer for PMKID 1018 * @use_sha256: Whether to use SHA256-based KDF 1019 * 1020 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 1021 * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) 1022 */ 1023 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa, 1024 u8 *pmkid, int use_sha256) 1025 { 1026 char *title = "PMK Name"; 1027 const u8 *addr[3]; 1028 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1029 unsigned char hash[SHA256_MAC_LEN]; 1030 1031 addr[0] = (u8 *) title; 1032 addr[1] = aa; 1033 addr[2] = spa; 1034 1035 #ifdef CONFIG_IEEE80211W 1036 if (use_sha256) 1037 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash); 1038 else 1039 #endif /* CONFIG_IEEE80211W */ 1040 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash); 1041 os_memcpy(pmkid, hash, PMKID_LEN); 1042 } 1043 1044 1045 #ifdef CONFIG_SUITEB 1046 /** 1047 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM 1048 * @kck: Key confirmation key 1049 * @kck_len: Length of kck in bytes 1050 * @aa: Authenticator address 1051 * @spa: Supplicant address 1052 * @pmkid: Buffer for PMKID 1053 * Returns: 0 on success, -1 on failure 1054 * 1055 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1056 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA)) 1057 */ 1058 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa, 1059 const u8 *spa, u8 *pmkid) 1060 { 1061 char *title = "PMK Name"; 1062 const u8 *addr[3]; 1063 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1064 unsigned char hash[SHA256_MAC_LEN]; 1065 1066 addr[0] = (u8 *) title; 1067 addr[1] = aa; 1068 addr[2] = spa; 1069 1070 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0) 1071 return -1; 1072 os_memcpy(pmkid, hash, PMKID_LEN); 1073 return 0; 1074 } 1075 #endif /* CONFIG_SUITEB */ 1076 1077 1078 #ifdef CONFIG_SUITEB192 1079 /** 1080 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM 1081 * @kck: Key confirmation key 1082 * @kck_len: Length of kck in bytes 1083 * @aa: Authenticator address 1084 * @spa: Supplicant address 1085 * @pmkid: Buffer for PMKID 1086 * Returns: 0 on success, -1 on failure 1087 * 1088 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1089 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA)) 1090 */ 1091 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa, 1092 const u8 *spa, u8 *pmkid) 1093 { 1094 char *title = "PMK Name"; 1095 const u8 *addr[3]; 1096 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1097 unsigned char hash[SHA384_MAC_LEN]; 1098 1099 addr[0] = (u8 *) title; 1100 addr[1] = aa; 1101 addr[2] = spa; 1102 1103 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0) 1104 return -1; 1105 os_memcpy(pmkid, hash, PMKID_LEN); 1106 return 0; 1107 } 1108 #endif /* CONFIG_SUITEB192 */ 1109 1110 1111 /** 1112 * wpa_cipher_txt - Convert cipher suite to a text string 1113 * @cipher: Cipher suite (WPA_CIPHER_* enum) 1114 * Returns: Pointer to a text string of the cipher suite name 1115 */ 1116 const char * wpa_cipher_txt(int cipher) 1117 { 1118 switch (cipher) { 1119 case WPA_CIPHER_NONE: 1120 return "NONE"; 1121 case WPA_CIPHER_WEP40: 1122 return "WEP-40"; 1123 case WPA_CIPHER_WEP104: 1124 return "WEP-104"; 1125 case WPA_CIPHER_TKIP: 1126 return "TKIP"; 1127 case WPA_CIPHER_CCMP: 1128 return "CCMP"; 1129 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP: 1130 return "CCMP+TKIP"; 1131 case WPA_CIPHER_GCMP: 1132 return "GCMP"; 1133 case WPA_CIPHER_GCMP_256: 1134 return "GCMP-256"; 1135 case WPA_CIPHER_CCMP_256: 1136 return "CCMP-256"; 1137 case WPA_CIPHER_GTK_NOT_USED: 1138 return "GTK_NOT_USED"; 1139 default: 1140 return "UNKNOWN"; 1141 } 1142 } 1143 1144 1145 /** 1146 * wpa_key_mgmt_txt - Convert key management suite to a text string 1147 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum) 1148 * @proto: WPA/WPA2 version (WPA_PROTO_*) 1149 * Returns: Pointer to a text string of the key management suite name 1150 */ 1151 const char * wpa_key_mgmt_txt(int key_mgmt, int proto) 1152 { 1153 switch (key_mgmt) { 1154 case WPA_KEY_MGMT_IEEE8021X: 1155 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1156 return "WPA2+WPA/IEEE 802.1X/EAP"; 1157 return proto == WPA_PROTO_RSN ? 1158 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP"; 1159 case WPA_KEY_MGMT_PSK: 1160 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1161 return "WPA2-PSK+WPA-PSK"; 1162 return proto == WPA_PROTO_RSN ? 1163 "WPA2-PSK" : "WPA-PSK"; 1164 case WPA_KEY_MGMT_NONE: 1165 return "NONE"; 1166 case WPA_KEY_MGMT_IEEE8021X_NO_WPA: 1167 return "IEEE 802.1X (no WPA)"; 1168 #ifdef CONFIG_IEEE80211R 1169 case WPA_KEY_MGMT_FT_IEEE8021X: 1170 return "FT-EAP"; 1171 case WPA_KEY_MGMT_FT_PSK: 1172 return "FT-PSK"; 1173 #endif /* CONFIG_IEEE80211R */ 1174 #ifdef CONFIG_IEEE80211W 1175 case WPA_KEY_MGMT_IEEE8021X_SHA256: 1176 return "WPA2-EAP-SHA256"; 1177 case WPA_KEY_MGMT_PSK_SHA256: 1178 return "WPA2-PSK-SHA256"; 1179 #endif /* CONFIG_IEEE80211W */ 1180 case WPA_KEY_MGMT_WPS: 1181 return "WPS"; 1182 case WPA_KEY_MGMT_SAE: 1183 return "SAE"; 1184 case WPA_KEY_MGMT_FT_SAE: 1185 return "FT-SAE"; 1186 case WPA_KEY_MGMT_OSEN: 1187 return "OSEN"; 1188 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 1189 return "WPA2-EAP-SUITE-B"; 1190 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 1191 return "WPA2-EAP-SUITE-B-192"; 1192 default: 1193 return "UNKNOWN"; 1194 } 1195 } 1196 1197 1198 u32 wpa_akm_to_suite(int akm) 1199 { 1200 if (akm & WPA_KEY_MGMT_FT_IEEE8021X) 1201 return WLAN_AKM_SUITE_FT_8021X; 1202 if (akm & WPA_KEY_MGMT_FT_PSK) 1203 return WLAN_AKM_SUITE_FT_PSK; 1204 if (akm & WPA_KEY_MGMT_IEEE8021X) 1205 return WLAN_AKM_SUITE_8021X; 1206 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) 1207 return WLAN_AKM_SUITE_8021X_SHA256; 1208 if (akm & WPA_KEY_MGMT_IEEE8021X) 1209 return WLAN_AKM_SUITE_8021X; 1210 if (akm & WPA_KEY_MGMT_PSK_SHA256) 1211 return WLAN_AKM_SUITE_PSK_SHA256; 1212 if (akm & WPA_KEY_MGMT_PSK) 1213 return WLAN_AKM_SUITE_PSK; 1214 if (akm & WPA_KEY_MGMT_CCKM) 1215 return WLAN_AKM_SUITE_CCKM; 1216 if (akm & WPA_KEY_MGMT_OSEN) 1217 return WLAN_AKM_SUITE_OSEN; 1218 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B) 1219 return WLAN_AKM_SUITE_8021X_SUITE_B; 1220 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 1221 return WLAN_AKM_SUITE_8021X_SUITE_B_192; 1222 return 0; 1223 } 1224 1225 1226 int wpa_compare_rsn_ie(int ft_initial_assoc, 1227 const u8 *ie1, size_t ie1len, 1228 const u8 *ie2, size_t ie2len) 1229 { 1230 if (ie1 == NULL || ie2 == NULL) 1231 return -1; 1232 1233 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0) 1234 return 0; /* identical IEs */ 1235 1236 #ifdef CONFIG_IEEE80211R 1237 if (ft_initial_assoc) { 1238 struct wpa_ie_data ie1d, ie2d; 1239 /* 1240 * The PMKID-List in RSN IE is different between Beacon/Probe 1241 * Response/(Re)Association Request frames and EAPOL-Key 1242 * messages in FT initial mobility domain association. Allow 1243 * for this, but verify that other parts of the RSN IEs are 1244 * identical. 1245 */ 1246 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 || 1247 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0) 1248 return -1; 1249 if (ie1d.proto == ie2d.proto && 1250 ie1d.pairwise_cipher == ie2d.pairwise_cipher && 1251 ie1d.group_cipher == ie2d.group_cipher && 1252 ie1d.key_mgmt == ie2d.key_mgmt && 1253 ie1d.capabilities == ie2d.capabilities && 1254 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher) 1255 return 0; 1256 } 1257 #endif /* CONFIG_IEEE80211R */ 1258 1259 return -1; 1260 } 1261 1262 1263 #ifdef CONFIG_IEEE80211R 1264 int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid) 1265 { 1266 u8 *start, *end, *rpos, *rend; 1267 int added = 0; 1268 1269 start = ies; 1270 end = ies + ies_len; 1271 1272 while (start < end) { 1273 if (*start == WLAN_EID_RSN) 1274 break; 1275 start += 2 + start[1]; 1276 } 1277 if (start >= end) { 1278 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in " 1279 "IEs data"); 1280 return -1; 1281 } 1282 wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification", 1283 start, 2 + start[1]); 1284 1285 /* Find start of PMKID-Count */ 1286 rpos = start + 2; 1287 rend = rpos + start[1]; 1288 1289 /* Skip Version and Group Data Cipher Suite */ 1290 rpos += 2 + 4; 1291 /* Skip Pairwise Cipher Suite Count and List */ 1292 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1293 /* Skip AKM Suite Count and List */ 1294 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1295 1296 if (rpos == rend) { 1297 /* Add RSN Capabilities */ 1298 os_memmove(rpos + 2, rpos, end - rpos); 1299 *rpos++ = 0; 1300 *rpos++ = 0; 1301 added += 2; 1302 start[1] += 2; 1303 rend = rpos; 1304 } else { 1305 /* Skip RSN Capabilities */ 1306 rpos += 2; 1307 if (rpos > rend) { 1308 wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in " 1309 "IEs data"); 1310 return -1; 1311 } 1312 } 1313 1314 if (rpos == rend) { 1315 /* No PMKID-Count field included; add it */ 1316 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos); 1317 WPA_PUT_LE16(rpos, 1); 1318 rpos += 2; 1319 os_memcpy(rpos, pmkid, PMKID_LEN); 1320 added += 2 + PMKID_LEN; 1321 start[1] += 2 + PMKID_LEN; 1322 } else { 1323 /* PMKID-Count was included; use it */ 1324 if (WPA_GET_LE16(rpos) != 0) { 1325 wpa_printf(MSG_ERROR, "FT: Unexpected PMKID " 1326 "in RSN IE in EAPOL-Key data"); 1327 return -1; 1328 } 1329 WPA_PUT_LE16(rpos, 1); 1330 rpos += 2; 1331 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos); 1332 os_memcpy(rpos, pmkid, PMKID_LEN); 1333 added += PMKID_LEN; 1334 start[1] += PMKID_LEN; 1335 } 1336 1337 wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification " 1338 "(PMKID inserted)", start, 2 + start[1]); 1339 1340 return added; 1341 } 1342 #endif /* CONFIG_IEEE80211R */ 1343 1344 1345 int wpa_cipher_key_len(int cipher) 1346 { 1347 switch (cipher) { 1348 case WPA_CIPHER_CCMP_256: 1349 case WPA_CIPHER_GCMP_256: 1350 case WPA_CIPHER_BIP_GMAC_256: 1351 case WPA_CIPHER_BIP_CMAC_256: 1352 return 32; 1353 case WPA_CIPHER_CCMP: 1354 case WPA_CIPHER_GCMP: 1355 case WPA_CIPHER_AES_128_CMAC: 1356 case WPA_CIPHER_BIP_GMAC_128: 1357 return 16; 1358 case WPA_CIPHER_TKIP: 1359 return 32; 1360 } 1361 1362 return 0; 1363 } 1364 1365 1366 int wpa_cipher_rsc_len(int cipher) 1367 { 1368 switch (cipher) { 1369 case WPA_CIPHER_CCMP_256: 1370 case WPA_CIPHER_GCMP_256: 1371 case WPA_CIPHER_CCMP: 1372 case WPA_CIPHER_GCMP: 1373 case WPA_CIPHER_TKIP: 1374 return 6; 1375 } 1376 1377 return 0; 1378 } 1379 1380 1381 int wpa_cipher_to_alg(int cipher) 1382 { 1383 switch (cipher) { 1384 case WPA_CIPHER_CCMP_256: 1385 return WPA_ALG_CCMP_256; 1386 case WPA_CIPHER_GCMP_256: 1387 return WPA_ALG_GCMP_256; 1388 case WPA_CIPHER_CCMP: 1389 return WPA_ALG_CCMP; 1390 case WPA_CIPHER_GCMP: 1391 return WPA_ALG_GCMP; 1392 case WPA_CIPHER_TKIP: 1393 return WPA_ALG_TKIP; 1394 case WPA_CIPHER_AES_128_CMAC: 1395 return WPA_ALG_IGTK; 1396 case WPA_CIPHER_BIP_GMAC_128: 1397 return WPA_ALG_BIP_GMAC_128; 1398 case WPA_CIPHER_BIP_GMAC_256: 1399 return WPA_ALG_BIP_GMAC_256; 1400 case WPA_CIPHER_BIP_CMAC_256: 1401 return WPA_ALG_BIP_CMAC_256; 1402 } 1403 return WPA_ALG_NONE; 1404 } 1405 1406 1407 int wpa_cipher_valid_pairwise(int cipher) 1408 { 1409 return cipher == WPA_CIPHER_CCMP_256 || 1410 cipher == WPA_CIPHER_GCMP_256 || 1411 cipher == WPA_CIPHER_CCMP || 1412 cipher == WPA_CIPHER_GCMP || 1413 cipher == WPA_CIPHER_TKIP; 1414 } 1415 1416 1417 u32 wpa_cipher_to_suite(int proto, int cipher) 1418 { 1419 if (cipher & WPA_CIPHER_CCMP_256) 1420 return RSN_CIPHER_SUITE_CCMP_256; 1421 if (cipher & WPA_CIPHER_GCMP_256) 1422 return RSN_CIPHER_SUITE_GCMP_256; 1423 if (cipher & WPA_CIPHER_CCMP) 1424 return (proto == WPA_PROTO_RSN ? 1425 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP); 1426 if (cipher & WPA_CIPHER_GCMP) 1427 return RSN_CIPHER_SUITE_GCMP; 1428 if (cipher & WPA_CIPHER_TKIP) 1429 return (proto == WPA_PROTO_RSN ? 1430 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP); 1431 if (cipher & WPA_CIPHER_NONE) 1432 return (proto == WPA_PROTO_RSN ? 1433 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE); 1434 if (cipher & WPA_CIPHER_GTK_NOT_USED) 1435 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED; 1436 if (cipher & WPA_CIPHER_AES_128_CMAC) 1437 return RSN_CIPHER_SUITE_AES_128_CMAC; 1438 if (cipher & WPA_CIPHER_BIP_GMAC_128) 1439 return RSN_CIPHER_SUITE_BIP_GMAC_128; 1440 if (cipher & WPA_CIPHER_BIP_GMAC_256) 1441 return RSN_CIPHER_SUITE_BIP_GMAC_256; 1442 if (cipher & WPA_CIPHER_BIP_CMAC_256) 1443 return RSN_CIPHER_SUITE_BIP_CMAC_256; 1444 return 0; 1445 } 1446 1447 1448 int rsn_cipher_put_suites(u8 *start, int ciphers) 1449 { 1450 u8 *pos = start; 1451 1452 if (ciphers & WPA_CIPHER_CCMP_256) { 1453 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256); 1454 pos += RSN_SELECTOR_LEN; 1455 } 1456 if (ciphers & WPA_CIPHER_GCMP_256) { 1457 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256); 1458 pos += RSN_SELECTOR_LEN; 1459 } 1460 if (ciphers & WPA_CIPHER_CCMP) { 1461 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1462 pos += RSN_SELECTOR_LEN; 1463 } 1464 if (ciphers & WPA_CIPHER_GCMP) { 1465 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP); 1466 pos += RSN_SELECTOR_LEN; 1467 } 1468 if (ciphers & WPA_CIPHER_TKIP) { 1469 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 1470 pos += RSN_SELECTOR_LEN; 1471 } 1472 if (ciphers & WPA_CIPHER_NONE) { 1473 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE); 1474 pos += RSN_SELECTOR_LEN; 1475 } 1476 1477 return (pos - start) / RSN_SELECTOR_LEN; 1478 } 1479 1480 1481 int wpa_cipher_put_suites(u8 *start, int ciphers) 1482 { 1483 u8 *pos = start; 1484 1485 if (ciphers & WPA_CIPHER_CCMP) { 1486 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 1487 pos += WPA_SELECTOR_LEN; 1488 } 1489 if (ciphers & WPA_CIPHER_TKIP) { 1490 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 1491 pos += WPA_SELECTOR_LEN; 1492 } 1493 if (ciphers & WPA_CIPHER_NONE) { 1494 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE); 1495 pos += WPA_SELECTOR_LEN; 1496 } 1497 1498 return (pos - start) / RSN_SELECTOR_LEN; 1499 } 1500 1501 1502 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) 1503 { 1504 if (ciphers & WPA_CIPHER_CCMP_256) 1505 return WPA_CIPHER_CCMP_256; 1506 if (ciphers & WPA_CIPHER_GCMP_256) 1507 return WPA_CIPHER_GCMP_256; 1508 if (ciphers & WPA_CIPHER_CCMP) 1509 return WPA_CIPHER_CCMP; 1510 if (ciphers & WPA_CIPHER_GCMP) 1511 return WPA_CIPHER_GCMP; 1512 if (ciphers & WPA_CIPHER_TKIP) 1513 return WPA_CIPHER_TKIP; 1514 if (none_allowed && (ciphers & WPA_CIPHER_NONE)) 1515 return WPA_CIPHER_NONE; 1516 return -1; 1517 } 1518 1519 1520 int wpa_pick_group_cipher(int ciphers) 1521 { 1522 if (ciphers & WPA_CIPHER_CCMP_256) 1523 return WPA_CIPHER_CCMP_256; 1524 if (ciphers & WPA_CIPHER_GCMP_256) 1525 return WPA_CIPHER_GCMP_256; 1526 if (ciphers & WPA_CIPHER_CCMP) 1527 return WPA_CIPHER_CCMP; 1528 if (ciphers & WPA_CIPHER_GCMP) 1529 return WPA_CIPHER_GCMP; 1530 if (ciphers & WPA_CIPHER_GTK_NOT_USED) 1531 return WPA_CIPHER_GTK_NOT_USED; 1532 if (ciphers & WPA_CIPHER_TKIP) 1533 return WPA_CIPHER_TKIP; 1534 return -1; 1535 } 1536 1537 1538 int wpa_parse_cipher(const char *value) 1539 { 1540 int val = 0, last; 1541 char *start, *end, *buf; 1542 1543 buf = os_strdup(value); 1544 if (buf == NULL) 1545 return -1; 1546 start = buf; 1547 1548 while (*start != '\0') { 1549 while (*start == ' ' || *start == '\t') 1550 start++; 1551 if (*start == '\0') 1552 break; 1553 end = start; 1554 while (*end != ' ' && *end != '\t' && *end != '\0') 1555 end++; 1556 last = *end == '\0'; 1557 *end = '\0'; 1558 if (os_strcmp(start, "CCMP-256") == 0) 1559 val |= WPA_CIPHER_CCMP_256; 1560 else if (os_strcmp(start, "GCMP-256") == 0) 1561 val |= WPA_CIPHER_GCMP_256; 1562 else if (os_strcmp(start, "CCMP") == 0) 1563 val |= WPA_CIPHER_CCMP; 1564 else if (os_strcmp(start, "GCMP") == 0) 1565 val |= WPA_CIPHER_GCMP; 1566 else if (os_strcmp(start, "TKIP") == 0) 1567 val |= WPA_CIPHER_TKIP; 1568 else if (os_strcmp(start, "WEP104") == 0) 1569 val |= WPA_CIPHER_WEP104; 1570 else if (os_strcmp(start, "WEP40") == 0) 1571 val |= WPA_CIPHER_WEP40; 1572 else if (os_strcmp(start, "NONE") == 0) 1573 val |= WPA_CIPHER_NONE; 1574 else if (os_strcmp(start, "GTK_NOT_USED") == 0) 1575 val |= WPA_CIPHER_GTK_NOT_USED; 1576 else { 1577 os_free(buf); 1578 return -1; 1579 } 1580 1581 if (last) 1582 break; 1583 start = end + 1; 1584 } 1585 os_free(buf); 1586 1587 return val; 1588 } 1589 1590 1591 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim) 1592 { 1593 char *pos = start; 1594 int ret; 1595 1596 if (ciphers & WPA_CIPHER_CCMP_256) { 1597 ret = os_snprintf(pos, end - pos, "%sCCMP-256", 1598 pos == start ? "" : delim); 1599 if (os_snprintf_error(end - pos, ret)) 1600 return -1; 1601 pos += ret; 1602 } 1603 if (ciphers & WPA_CIPHER_GCMP_256) { 1604 ret = os_snprintf(pos, end - pos, "%sGCMP-256", 1605 pos == start ? "" : delim); 1606 if (os_snprintf_error(end - pos, ret)) 1607 return -1; 1608 pos += ret; 1609 } 1610 if (ciphers & WPA_CIPHER_CCMP) { 1611 ret = os_snprintf(pos, end - pos, "%sCCMP", 1612 pos == start ? "" : delim); 1613 if (os_snprintf_error(end - pos, ret)) 1614 return -1; 1615 pos += ret; 1616 } 1617 if (ciphers & WPA_CIPHER_GCMP) { 1618 ret = os_snprintf(pos, end - pos, "%sGCMP", 1619 pos == start ? "" : delim); 1620 if (os_snprintf_error(end - pos, ret)) 1621 return -1; 1622 pos += ret; 1623 } 1624 if (ciphers & WPA_CIPHER_TKIP) { 1625 ret = os_snprintf(pos, end - pos, "%sTKIP", 1626 pos == start ? "" : delim); 1627 if (os_snprintf_error(end - pos, ret)) 1628 return -1; 1629 pos += ret; 1630 } 1631 if (ciphers & WPA_CIPHER_NONE) { 1632 ret = os_snprintf(pos, end - pos, "%sNONE", 1633 pos == start ? "" : delim); 1634 if (os_snprintf_error(end - pos, ret)) 1635 return -1; 1636 pos += ret; 1637 } 1638 1639 return pos - start; 1640 } 1641 1642 1643 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise) 1644 { 1645 int pairwise = 0; 1646 1647 /* Select group cipher based on the enabled pairwise cipher suites */ 1648 if (wpa & 1) 1649 pairwise |= wpa_pairwise; 1650 if (wpa & 2) 1651 pairwise |= rsn_pairwise; 1652 1653 if (pairwise & WPA_CIPHER_TKIP) 1654 return WPA_CIPHER_TKIP; 1655 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP) 1656 return WPA_CIPHER_GCMP; 1657 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP | 1658 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256) 1659 return WPA_CIPHER_GCMP_256; 1660 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP | 1661 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256) 1662 return WPA_CIPHER_CCMP_256; 1663 return WPA_CIPHER_CCMP; 1664 } 1665