1 /* 2 * WPA/RSN - Shared functions for supplicant and authenticator 3 * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/sha384.h" 16 #include "crypto/sha512.h" 17 #include "crypto/aes_wrap.h" 18 #include "crypto/crypto.h" 19 #include "ieee802_11_defs.h" 20 #include "defs.h" 21 #include "wpa_common.h" 22 23 24 static unsigned int wpa_kck_len(int akmp, size_t pmk_len) 25 { 26 switch (akmp) { 27 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 28 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 29 return 24; 30 case WPA_KEY_MGMT_FILS_SHA256: 31 case WPA_KEY_MGMT_FT_FILS_SHA256: 32 case WPA_KEY_MGMT_FILS_SHA384: 33 case WPA_KEY_MGMT_FT_FILS_SHA384: 34 return 0; 35 case WPA_KEY_MGMT_DPP: 36 return pmk_len / 2; 37 case WPA_KEY_MGMT_OWE: 38 return pmk_len / 2; 39 default: 40 return 16; 41 } 42 } 43 44 45 #ifdef CONFIG_IEEE80211R 46 static unsigned int wpa_kck2_len(int akmp) 47 { 48 switch (akmp) { 49 case WPA_KEY_MGMT_FT_FILS_SHA256: 50 return 16; 51 case WPA_KEY_MGMT_FT_FILS_SHA384: 52 return 24; 53 default: 54 return 0; 55 } 56 } 57 #endif /* CONFIG_IEEE80211R */ 58 59 60 static unsigned int wpa_kek_len(int akmp, size_t pmk_len) 61 { 62 switch (akmp) { 63 case WPA_KEY_MGMT_FILS_SHA384: 64 case WPA_KEY_MGMT_FT_FILS_SHA384: 65 return 64; 66 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 67 case WPA_KEY_MGMT_FILS_SHA256: 68 case WPA_KEY_MGMT_FT_FILS_SHA256: 69 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 70 return 32; 71 case WPA_KEY_MGMT_DPP: 72 return pmk_len <= 32 ? 16 : 32; 73 case WPA_KEY_MGMT_OWE: 74 return pmk_len <= 32 ? 16 : 32; 75 default: 76 return 16; 77 } 78 } 79 80 81 #ifdef CONFIG_IEEE80211R 82 static unsigned int wpa_kek2_len(int akmp) 83 { 84 switch (akmp) { 85 case WPA_KEY_MGMT_FT_FILS_SHA256: 86 return 16; 87 case WPA_KEY_MGMT_FT_FILS_SHA384: 88 return 32; 89 default: 90 return 0; 91 } 92 } 93 #endif /* CONFIG_IEEE80211R */ 94 95 96 unsigned int wpa_mic_len(int akmp, size_t pmk_len) 97 { 98 switch (akmp) { 99 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 100 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 101 return 24; 102 case WPA_KEY_MGMT_FILS_SHA256: 103 case WPA_KEY_MGMT_FILS_SHA384: 104 case WPA_KEY_MGMT_FT_FILS_SHA256: 105 case WPA_KEY_MGMT_FT_FILS_SHA384: 106 return 0; 107 case WPA_KEY_MGMT_DPP: 108 return pmk_len / 2; 109 case WPA_KEY_MGMT_OWE: 110 return pmk_len / 2; 111 default: 112 return 16; 113 } 114 } 115 116 117 /** 118 * wpa_use_akm_defined - Is AKM-defined Key Descriptor Version used 119 * @akmp: WPA_KEY_MGMT_* used in key derivation 120 * Returns: 1 if AKM-defined Key Descriptor Version is used; 0 otherwise 121 */ 122 int wpa_use_akm_defined(int akmp) 123 { 124 return akmp == WPA_KEY_MGMT_OSEN || 125 akmp == WPA_KEY_MGMT_OWE || 126 akmp == WPA_KEY_MGMT_DPP || 127 akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 || 128 wpa_key_mgmt_sae(akmp) || 129 wpa_key_mgmt_suite_b(akmp) || 130 wpa_key_mgmt_fils(akmp); 131 } 132 133 134 /** 135 * wpa_use_cmac - Is CMAC integrity algorithm used for EAPOL-Key MIC 136 * @akmp: WPA_KEY_MGMT_* used in key derivation 137 * Returns: 1 if CMAC is used; 0 otherwise 138 */ 139 int wpa_use_cmac(int akmp) 140 { 141 return akmp == WPA_KEY_MGMT_OSEN || 142 akmp == WPA_KEY_MGMT_OWE || 143 akmp == WPA_KEY_MGMT_DPP || 144 wpa_key_mgmt_ft(akmp) || 145 wpa_key_mgmt_sha256(akmp) || 146 wpa_key_mgmt_sae(akmp) || 147 wpa_key_mgmt_suite_b(akmp); 148 } 149 150 151 /** 152 * wpa_use_aes_key_wrap - Is AES Keywrap algorithm used for EAPOL-Key Key Data 153 * @akmp: WPA_KEY_MGMT_* used in key derivation 154 * Returns: 1 if AES Keywrap is used; 0 otherwise 155 * 156 * Note: AKM 00-0F-AC:1 and 00-0F-AC:2 have special rules for selecting whether 157 * to use AES Keywrap based on the negotiated pairwise cipher. This function 158 * does not cover those special cases. 159 */ 160 int wpa_use_aes_key_wrap(int akmp) 161 { 162 return akmp == WPA_KEY_MGMT_OSEN || 163 akmp == WPA_KEY_MGMT_OWE || 164 akmp == WPA_KEY_MGMT_DPP || 165 wpa_key_mgmt_ft(akmp) || 166 wpa_key_mgmt_sha256(akmp) || 167 wpa_key_mgmt_sae(akmp) || 168 wpa_key_mgmt_suite_b(akmp); 169 } 170 171 172 /** 173 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC 174 * @key: EAPOL-Key Key Confirmation Key (KCK) 175 * @key_len: KCK length in octets 176 * @akmp: WPA_KEY_MGMT_* used in key derivation 177 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*) 178 * @buf: Pointer to the beginning of the EAPOL header (version field) 179 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame) 180 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written 181 * Returns: 0 on success, -1 on failure 182 * 183 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has 184 * to be cleared (all zeroes) when calling this function. 185 * 186 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the 187 * description of the Key MIC calculation. It includes packet data from the 188 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change 189 * happened during final editing of the standard and the correct behavior is 190 * defined in the last draft (IEEE 802.11i/D10). 191 */ 192 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, 193 const u8 *buf, size_t len, u8 *mic) 194 { 195 u8 hash[SHA512_MAC_LEN]; 196 197 if (key_len == 0) { 198 wpa_printf(MSG_DEBUG, 199 "WPA: KCK not set - cannot calculate MIC"); 200 return -1; 201 } 202 203 switch (ver) { 204 #ifndef CONFIG_FIPS 205 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4: 206 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-MD5"); 207 return hmac_md5(key, key_len, buf, len, mic); 208 #endif /* CONFIG_FIPS */ 209 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES: 210 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-SHA1"); 211 if (hmac_sha1(key, key_len, buf, len, hash)) 212 return -1; 213 os_memcpy(mic, hash, MD5_MAC_LEN); 214 break; 215 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W) 216 case WPA_KEY_INFO_TYPE_AES_128_CMAC: 217 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using AES-CMAC"); 218 return omac1_aes_128(key, buf, len, mic); 219 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */ 220 case WPA_KEY_INFO_TYPE_AKM_DEFINED: 221 switch (akmp) { 222 #ifdef CONFIG_SAE 223 case WPA_KEY_MGMT_SAE: 224 case WPA_KEY_MGMT_FT_SAE: 225 wpa_printf(MSG_DEBUG, 226 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)"); 227 return omac1_aes_128(key, buf, len, mic); 228 #endif /* CONFIG_SAE */ 229 #ifdef CONFIG_HS20 230 case WPA_KEY_MGMT_OSEN: 231 wpa_printf(MSG_DEBUG, 232 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - OSEN)"); 233 return omac1_aes_128(key, buf, len, mic); 234 #endif /* CONFIG_HS20 */ 235 #ifdef CONFIG_SUITEB 236 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 237 wpa_printf(MSG_DEBUG, 238 "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - Suite B)"); 239 if (hmac_sha256(key, key_len, buf, len, hash)) 240 return -1; 241 os_memcpy(mic, hash, MD5_MAC_LEN); 242 break; 243 #endif /* CONFIG_SUITEB */ 244 #ifdef CONFIG_SUITEB192 245 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 246 wpa_printf(MSG_DEBUG, 247 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - Suite B 192-bit)"); 248 if (hmac_sha384(key, key_len, buf, len, hash)) 249 return -1; 250 os_memcpy(mic, hash, 24); 251 break; 252 #endif /* CONFIG_SUITEB192 */ 253 #ifdef CONFIG_OWE 254 case WPA_KEY_MGMT_OWE: 255 wpa_printf(MSG_DEBUG, 256 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - OWE)", 257 (unsigned int) key_len * 8 * 2); 258 if (key_len == 128 / 8) { 259 if (hmac_sha256(key, key_len, buf, len, hash)) 260 return -1; 261 } else if (key_len == 192 / 8) { 262 if (hmac_sha384(key, key_len, buf, len, hash)) 263 return -1; 264 } else if (key_len == 256 / 8) { 265 if (hmac_sha512(key, key_len, buf, len, hash)) 266 return -1; 267 } else { 268 wpa_printf(MSG_INFO, 269 "OWE: Unsupported KCK length: %u", 270 (unsigned int) key_len); 271 return -1; 272 } 273 os_memcpy(mic, hash, key_len); 274 break; 275 #endif /* CONFIG_OWE */ 276 #ifdef CONFIG_DPP 277 case WPA_KEY_MGMT_DPP: 278 wpa_printf(MSG_DEBUG, 279 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - DPP)", 280 (unsigned int) key_len * 8 * 2); 281 if (key_len == 128 / 8) { 282 if (hmac_sha256(key, key_len, buf, len, hash)) 283 return -1; 284 } else if (key_len == 192 / 8) { 285 if (hmac_sha384(key, key_len, buf, len, hash)) 286 return -1; 287 } else if (key_len == 256 / 8) { 288 if (hmac_sha512(key, key_len, buf, len, hash)) 289 return -1; 290 } else { 291 wpa_printf(MSG_INFO, 292 "DPP: Unsupported KCK length: %u", 293 (unsigned int) key_len); 294 return -1; 295 } 296 os_memcpy(mic, hash, key_len); 297 break; 298 #endif /* CONFIG_DPP */ 299 #if defined(CONFIG_IEEE80211R) && defined(CONFIG_SHA384) 300 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 301 wpa_printf(MSG_DEBUG, 302 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - FT 802.1X SHA384)"); 303 if (hmac_sha384(key, key_len, buf, len, hash)) 304 return -1; 305 os_memcpy(mic, hash, 24); 306 break; 307 #endif /* CONFIG_IEEE80211R && CONFIG_SHA384 */ 308 default: 309 wpa_printf(MSG_DEBUG, 310 "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)", 311 akmp); 312 return -1; 313 } 314 break; 315 default: 316 wpa_printf(MSG_DEBUG, 317 "WPA: EAPOL-Key MIC algorithm not known (ver=%d)", 318 ver); 319 return -1; 320 } 321 322 return 0; 323 } 324 325 326 /** 327 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces 328 * @pmk: Pairwise master key 329 * @pmk_len: Length of PMK 330 * @label: Label to use in derivation 331 * @addr1: AA or SA 332 * @addr2: SA or AA 333 * @nonce1: ANonce or SNonce 334 * @nonce2: SNonce or ANonce 335 * @ptk: Buffer for pairwise transient key 336 * @akmp: Negotiated AKM 337 * @cipher: Negotiated pairwise cipher 338 * Returns: 0 on success, -1 on failure 339 * 340 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 341 * PTK = PRF-X(PMK, "Pairwise key expansion", 342 * Min(AA, SA) || Max(AA, SA) || 343 * Min(ANonce, SNonce) || Max(ANonce, SNonce) 344 * [ || Z.x ]) 345 * 346 * The optional Z.x component is used only with DPP and that part is not defined 347 * in IEEE 802.11. 348 */ 349 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, 350 const u8 *addr1, const u8 *addr2, 351 const u8 *nonce1, const u8 *nonce2, 352 struct wpa_ptk *ptk, int akmp, int cipher, 353 const u8 *z, size_t z_len) 354 { 355 #define MAX_Z_LEN 66 /* with NIST P-521 */ 356 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN + MAX_Z_LEN]; 357 size_t data_len = 2 * ETH_ALEN + 2 * WPA_NONCE_LEN; 358 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 359 size_t ptk_len; 360 361 if (pmk_len == 0) { 362 wpa_printf(MSG_ERROR, "WPA: No PMK set for PTK derivation"); 363 return -1; 364 } 365 366 if (z_len > MAX_Z_LEN) 367 return -1; 368 369 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) { 370 os_memcpy(data, addr1, ETH_ALEN); 371 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN); 372 } else { 373 os_memcpy(data, addr2, ETH_ALEN); 374 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN); 375 } 376 377 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) { 378 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN); 379 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2, 380 WPA_NONCE_LEN); 381 } else { 382 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN); 383 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1, 384 WPA_NONCE_LEN); 385 } 386 387 if (z && z_len) { 388 os_memcpy(data + 2 * ETH_ALEN + 2 * WPA_NONCE_LEN, z, z_len); 389 data_len += z_len; 390 } 391 392 ptk->kck_len = wpa_kck_len(akmp, pmk_len); 393 ptk->kek_len = wpa_kek_len(akmp, pmk_len); 394 ptk->tk_len = wpa_cipher_key_len(cipher); 395 if (ptk->tk_len == 0) { 396 wpa_printf(MSG_ERROR, 397 "WPA: Unsupported cipher (0x%x) used in PTK derivation", 398 cipher); 399 return -1; 400 } 401 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 402 403 if (wpa_key_mgmt_sha384(akmp)) { 404 #if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS) 405 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)"); 406 if (sha384_prf(pmk, pmk_len, label, data, data_len, 407 tmp, ptk_len) < 0) 408 return -1; 409 #else /* CONFIG_SUITEB192 || CONFIG_FILS */ 410 return -1; 411 #endif /* CONFIG_SUITEB192 || CONFIG_FILS */ 412 } else if (wpa_key_mgmt_sha256(akmp) || akmp == WPA_KEY_MGMT_OWE) { 413 #if defined(CONFIG_IEEE80211W) || defined(CONFIG_SAE) || defined(CONFIG_FILS) 414 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); 415 if (sha256_prf(pmk, pmk_len, label, data, data_len, 416 tmp, ptk_len) < 0) 417 return -1; 418 #else /* CONFIG_IEEE80211W or CONFIG_SAE or CONFIG_FILS */ 419 return -1; 420 #endif /* CONFIG_IEEE80211W or CONFIG_SAE or CONFIG_FILS */ 421 #ifdef CONFIG_DPP 422 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 32) { 423 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); 424 if (sha256_prf(pmk, pmk_len, label, data, data_len, 425 tmp, ptk_len) < 0) 426 return -1; 427 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 48) { 428 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)"); 429 if (sha384_prf(pmk, pmk_len, label, data, data_len, 430 tmp, ptk_len) < 0) 431 return -1; 432 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 64) { 433 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)"); 434 if (sha512_prf(pmk, pmk_len, label, data, data_len, 435 tmp, ptk_len) < 0) 436 return -1; 437 } else if (akmp == WPA_KEY_MGMT_DPP) { 438 wpa_printf(MSG_INFO, "DPP: Unknown PMK length %u", 439 (unsigned int) pmk_len); 440 return -1; 441 #endif /* CONFIG_DPP */ 442 } else { 443 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA1)"); 444 if (sha1_prf(pmk, pmk_len, label, data, data_len, tmp, 445 ptk_len) < 0) 446 return -1; 447 } 448 449 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR, 450 MAC2STR(addr1), MAC2STR(addr2)); 451 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN); 452 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN); 453 if (z && z_len) 454 wpa_hexdump_key(MSG_DEBUG, "WPA: Z.x", z, z_len); 455 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len); 456 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len); 457 458 os_memcpy(ptk->kck, tmp, ptk->kck_len); 459 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len); 460 461 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 462 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 463 464 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 465 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len); 466 467 ptk->kek2_len = 0; 468 ptk->kck2_len = 0; 469 470 os_memset(tmp, 0, sizeof(tmp)); 471 os_memset(data, 0, data_len); 472 return 0; 473 } 474 475 #ifdef CONFIG_FILS 476 477 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len, 478 const u8 *snonce, const u8 *anonce, const u8 *dh_ss, 479 size_t dh_ss_len, u8 *pmk, size_t *pmk_len) 480 { 481 u8 nonces[2 * FILS_NONCE_LEN]; 482 const u8 *addr[2]; 483 size_t len[2]; 484 size_t num_elem; 485 int res; 486 487 /* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */ 488 wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation"); 489 490 if (wpa_key_mgmt_sha384(akmp)) 491 *pmk_len = SHA384_MAC_LEN; 492 else if (wpa_key_mgmt_sha256(akmp)) 493 *pmk_len = SHA256_MAC_LEN; 494 else 495 return -1; 496 497 wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len); 498 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN); 499 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN); 500 wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len); 501 502 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 503 os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN); 504 addr[0] = rmsk; 505 len[0] = rmsk_len; 506 num_elem = 1; 507 if (dh_ss) { 508 addr[1] = dh_ss; 509 len[1] = dh_ss_len; 510 num_elem++; 511 } 512 if (wpa_key_mgmt_sha384(akmp)) 513 res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem, 514 addr, len, pmk); 515 else 516 res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem, 517 addr, len, pmk); 518 if (res == 0) 519 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len); 520 else 521 *pmk_len = 0; 522 return res; 523 } 524 525 526 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len, 527 u8 *pmkid) 528 { 529 const u8 *addr[1]; 530 size_t len[1]; 531 u8 hash[SHA384_MAC_LEN]; 532 int res; 533 534 /* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */ 535 addr[0] = reauth; 536 len[0] = reauth_len; 537 if (wpa_key_mgmt_sha384(akmp)) 538 res = sha384_vector(1, addr, len, hash); 539 else if (wpa_key_mgmt_sha256(akmp)) 540 res = sha256_vector(1, addr, len, hash); 541 else 542 return -1; 543 if (res) 544 return res; 545 os_memcpy(pmkid, hash, PMKID_LEN); 546 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN); 547 return 0; 548 } 549 550 551 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa, 552 const u8 *snonce, const u8 *anonce, const u8 *dhss, 553 size_t dhss_len, struct wpa_ptk *ptk, 554 u8 *ick, size_t *ick_len, int akmp, int cipher, 555 u8 *fils_ft, size_t *fils_ft_len) 556 { 557 u8 *data, *pos; 558 size_t data_len; 559 u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN + 560 FILS_FT_MAX_LEN]; 561 size_t key_data_len; 562 const char *label = "FILS PTK Derivation"; 563 int ret = -1; 564 565 /* 566 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation", 567 * SPA || AA || SNonce || ANonce [ || DHss ]) 568 * ICK = L(FILS-Key-Data, 0, ICK_bits) 569 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits) 570 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits) 571 * If doing FT initial mobility domain association: 572 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits, 573 * FILS-FT_bits) 574 */ 575 data_len = 2 * ETH_ALEN + 2 * FILS_NONCE_LEN + dhss_len; 576 data = os_malloc(data_len); 577 if (!data) 578 goto err; 579 pos = data; 580 os_memcpy(pos, spa, ETH_ALEN); 581 pos += ETH_ALEN; 582 os_memcpy(pos, aa, ETH_ALEN); 583 pos += ETH_ALEN; 584 os_memcpy(pos, snonce, FILS_NONCE_LEN); 585 pos += FILS_NONCE_LEN; 586 os_memcpy(pos, anonce, FILS_NONCE_LEN); 587 pos += FILS_NONCE_LEN; 588 if (dhss) 589 os_memcpy(pos, dhss, dhss_len); 590 591 ptk->kck_len = 0; 592 ptk->kek_len = wpa_kek_len(akmp, pmk_len); 593 ptk->tk_len = wpa_cipher_key_len(cipher); 594 if (wpa_key_mgmt_sha384(akmp)) 595 *ick_len = 48; 596 else if (wpa_key_mgmt_sha256(akmp)) 597 *ick_len = 32; 598 else 599 goto err; 600 key_data_len = *ick_len + ptk->kek_len + ptk->tk_len; 601 602 if (fils_ft && fils_ft_len) { 603 if (akmp == WPA_KEY_MGMT_FT_FILS_SHA256) { 604 *fils_ft_len = 32; 605 } else if (akmp == WPA_KEY_MGMT_FT_FILS_SHA384) { 606 *fils_ft_len = 48; 607 } else { 608 *fils_ft_len = 0; 609 fils_ft = NULL; 610 } 611 key_data_len += *fils_ft_len; 612 } 613 614 if (wpa_key_mgmt_sha384(akmp)) { 615 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA384)"); 616 if (sha384_prf(pmk, pmk_len, label, data, data_len, 617 tmp, key_data_len) < 0) 618 goto err; 619 } else { 620 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA256)"); 621 if (sha256_prf(pmk, pmk_len, label, data, data_len, 622 tmp, key_data_len) < 0) 623 goto err; 624 } 625 626 wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR 627 " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa)); 628 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN); 629 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN); 630 if (dhss) 631 wpa_hexdump_key(MSG_DEBUG, "FILS: DHss", dhss, dhss_len); 632 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len); 633 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len); 634 635 os_memcpy(ick, tmp, *ick_len); 636 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len); 637 638 os_memcpy(ptk->kek, tmp + *ick_len, ptk->kek_len); 639 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len); 640 641 os_memcpy(ptk->tk, tmp + *ick_len + ptk->kek_len, ptk->tk_len); 642 wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len); 643 644 if (fils_ft && fils_ft_len) { 645 os_memcpy(fils_ft, tmp + *ick_len + ptk->kek_len + ptk->tk_len, 646 *fils_ft_len); 647 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-FT", 648 fils_ft, *fils_ft_len); 649 } 650 651 ptk->kek2_len = 0; 652 ptk->kck2_len = 0; 653 654 os_memset(tmp, 0, sizeof(tmp)); 655 ret = 0; 656 err: 657 bin_clear_free(data, data_len); 658 return ret; 659 } 660 661 662 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce, 663 const u8 *anonce, const u8 *sta_addr, const u8 *bssid, 664 const u8 *g_sta, size_t g_sta_len, 665 const u8 *g_ap, size_t g_ap_len, 666 int akmp, u8 *key_auth_sta, u8 *key_auth_ap, 667 size_t *key_auth_len) 668 { 669 const u8 *addr[6]; 670 size_t len[6]; 671 size_t num_elem = 4; 672 int res; 673 674 wpa_printf(MSG_DEBUG, "FILS: Key-Auth derivation: STA-MAC=" MACSTR 675 " AP-BSSID=" MACSTR, MAC2STR(sta_addr), MAC2STR(bssid)); 676 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, ick_len); 677 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN); 678 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN); 679 wpa_hexdump(MSG_DEBUG, "FILS: gSTA", g_sta, g_sta_len); 680 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len); 681 682 /* 683 * For (Re)Association Request frame (STA->AP): 684 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID 685 * [ || gSTA || gAP ]) 686 */ 687 addr[0] = snonce; 688 len[0] = FILS_NONCE_LEN; 689 addr[1] = anonce; 690 len[1] = FILS_NONCE_LEN; 691 addr[2] = sta_addr; 692 len[2] = ETH_ALEN; 693 addr[3] = bssid; 694 len[3] = ETH_ALEN; 695 if (g_sta && g_ap_len && g_ap && g_ap_len) { 696 addr[4] = g_sta; 697 len[4] = g_sta_len; 698 addr[5] = g_ap; 699 len[5] = g_ap_len; 700 num_elem = 6; 701 } 702 703 if (wpa_key_mgmt_sha384(akmp)) { 704 *key_auth_len = 48; 705 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len, 706 key_auth_sta); 707 } else if (wpa_key_mgmt_sha256(akmp)) { 708 *key_auth_len = 32; 709 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len, 710 key_auth_sta); 711 } else { 712 return -1; 713 } 714 if (res < 0) 715 return res; 716 717 /* 718 * For (Re)Association Response frame (AP->STA): 719 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC 720 * [ || gAP || gSTA ]) 721 */ 722 addr[0] = anonce; 723 addr[1] = snonce; 724 addr[2] = bssid; 725 addr[3] = sta_addr; 726 if (g_sta && g_ap_len && g_ap && g_ap_len) { 727 addr[4] = g_ap; 728 len[4] = g_ap_len; 729 addr[5] = g_sta; 730 len[5] = g_sta_len; 731 } 732 733 if (wpa_key_mgmt_sha384(akmp)) 734 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len, 735 key_auth_ap); 736 else if (wpa_key_mgmt_sha256(akmp)) 737 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len, 738 key_auth_ap); 739 if (res < 0) 740 return res; 741 742 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)", 743 key_auth_sta, *key_auth_len); 744 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)", 745 key_auth_ap, *key_auth_len); 746 747 return 0; 748 } 749 750 #endif /* CONFIG_FILS */ 751 752 753 #ifdef CONFIG_IEEE80211R 754 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr, 755 const u8 *ap_addr, u8 transaction_seqnum, 756 const u8 *mdie, size_t mdie_len, 757 const u8 *ftie, size_t ftie_len, 758 const u8 *rsnie, size_t rsnie_len, 759 const u8 *ric, size_t ric_len, u8 *mic) 760 { 761 const u8 *addr[9]; 762 size_t len[9]; 763 size_t i, num_elem = 0; 764 u8 zero_mic[24]; 765 size_t mic_len, fte_fixed_len; 766 767 if (kck_len == 16) { 768 mic_len = 16; 769 #ifdef CONFIG_SHA384 770 } else if (kck_len == 24) { 771 mic_len = 24; 772 #endif /* CONFIG_SHA384 */ 773 } else { 774 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u", 775 (unsigned int) kck_len); 776 return -1; 777 } 778 779 fte_fixed_len = sizeof(struct rsn_ftie) - 16 + mic_len; 780 781 addr[num_elem] = sta_addr; 782 len[num_elem] = ETH_ALEN; 783 num_elem++; 784 785 addr[num_elem] = ap_addr; 786 len[num_elem] = ETH_ALEN; 787 num_elem++; 788 789 addr[num_elem] = &transaction_seqnum; 790 len[num_elem] = 1; 791 num_elem++; 792 793 if (rsnie) { 794 addr[num_elem] = rsnie; 795 len[num_elem] = rsnie_len; 796 num_elem++; 797 } 798 if (mdie) { 799 addr[num_elem] = mdie; 800 len[num_elem] = mdie_len; 801 num_elem++; 802 } 803 if (ftie) { 804 if (ftie_len < 2 + fte_fixed_len) 805 return -1; 806 807 /* IE hdr and mic_control */ 808 addr[num_elem] = ftie; 809 len[num_elem] = 2 + 2; 810 num_elem++; 811 812 /* MIC field with all zeros */ 813 os_memset(zero_mic, 0, mic_len); 814 addr[num_elem] = zero_mic; 815 len[num_elem] = mic_len; 816 num_elem++; 817 818 /* Rest of FTIE */ 819 addr[num_elem] = ftie + 2 + 2 + mic_len; 820 len[num_elem] = ftie_len - (2 + 2 + mic_len); 821 num_elem++; 822 } 823 if (ric) { 824 addr[num_elem] = ric; 825 len[num_elem] = ric_len; 826 num_elem++; 827 } 828 829 for (i = 0; i < num_elem; i++) 830 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]); 831 #ifdef CONFIG_SHA384 832 if (kck_len == 24) { 833 u8 hash[SHA384_MAC_LEN]; 834 835 if (hmac_sha384_vector(kck, kck_len, num_elem, addr, len, hash)) 836 return -1; 837 os_memcpy(mic, hash, 24); 838 } 839 #endif /* CONFIG_SHA384 */ 840 if (kck_len == 16 && 841 omac1_aes_128_vector(kck, num_elem, addr, len, mic)) 842 return -1; 843 844 return 0; 845 } 846 847 848 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len, 849 struct wpa_ft_ies *parse, int use_sha384) 850 { 851 const u8 *end, *pos; 852 853 parse->ftie = ie; 854 parse->ftie_len = ie_len; 855 856 pos = ie + (use_sha384 ? sizeof(struct rsn_ftie_sha384) : 857 sizeof(struct rsn_ftie)); 858 end = ie + ie_len; 859 wpa_hexdump(MSG_DEBUG, "FT: Parse FTE subelements", pos, end - pos); 860 861 while (end - pos >= 2) { 862 u8 id, len; 863 864 id = *pos++; 865 len = *pos++; 866 if (len > end - pos) { 867 wpa_printf(MSG_DEBUG, "FT: Truncated subelement"); 868 break; 869 } 870 871 switch (id) { 872 case FTIE_SUBELEM_R1KH_ID: 873 if (len != FT_R1KH_ID_LEN) { 874 wpa_printf(MSG_DEBUG, 875 "FT: Invalid R1KH-ID length in FTIE: %d", 876 len); 877 return -1; 878 } 879 parse->r1kh_id = pos; 880 break; 881 case FTIE_SUBELEM_GTK: 882 parse->gtk = pos; 883 parse->gtk_len = len; 884 break; 885 case FTIE_SUBELEM_R0KH_ID: 886 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) { 887 wpa_printf(MSG_DEBUG, 888 "FT: Invalid R0KH-ID length in FTIE: %d", 889 len); 890 return -1; 891 } 892 parse->r0kh_id = pos; 893 parse->r0kh_id_len = len; 894 break; 895 #ifdef CONFIG_IEEE80211W 896 case FTIE_SUBELEM_IGTK: 897 parse->igtk = pos; 898 parse->igtk_len = len; 899 break; 900 #endif /* CONFIG_IEEE80211W */ 901 #ifdef CONFIG_OCV 902 case FTIE_SUBELEM_OCI: 903 parse->oci = pos; 904 parse->oci_len = len; 905 break; 906 #endif /* CONFIG_OCV */ 907 default: 908 wpa_printf(MSG_DEBUG, "FT: Unknown subelem id %u", id); 909 break; 910 } 911 912 pos += len; 913 } 914 915 return 0; 916 } 917 918 919 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, 920 struct wpa_ft_ies *parse, int use_sha384) 921 { 922 const u8 *end, *pos; 923 struct wpa_ie_data data; 924 int ret; 925 const struct rsn_ftie *ftie; 926 int prot_ie_count = 0; 927 int update_use_sha384 = 0; 928 929 if (use_sha384 < 0) { 930 use_sha384 = 0; 931 update_use_sha384 = 1; 932 } 933 934 os_memset(parse, 0, sizeof(*parse)); 935 if (ies == NULL) 936 return 0; 937 938 pos = ies; 939 end = ies + ies_len; 940 while (end - pos >= 2) { 941 u8 id, len; 942 943 id = *pos++; 944 len = *pos++; 945 if (len > end - pos) 946 break; 947 948 switch (id) { 949 case WLAN_EID_RSN: 950 wpa_hexdump(MSG_DEBUG, "FT: RSNE", pos, len); 951 parse->rsn = pos; 952 parse->rsn_len = len; 953 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2, 954 parse->rsn_len + 2, 955 &data); 956 if (ret < 0) { 957 wpa_printf(MSG_DEBUG, "FT: Failed to parse " 958 "RSN IE: %d", ret); 959 return -1; 960 } 961 if (data.num_pmkid == 1 && data.pmkid) 962 parse->rsn_pmkid = data.pmkid; 963 parse->key_mgmt = data.key_mgmt; 964 parse->pairwise_cipher = data.pairwise_cipher; 965 if (update_use_sha384) { 966 use_sha384 = 967 wpa_key_mgmt_sha384(parse->key_mgmt); 968 update_use_sha384 = 0; 969 } 970 break; 971 case WLAN_EID_MOBILITY_DOMAIN: 972 wpa_hexdump(MSG_DEBUG, "FT: MDE", pos, len); 973 if (len < sizeof(struct rsn_mdie)) 974 return -1; 975 parse->mdie = pos; 976 parse->mdie_len = len; 977 break; 978 case WLAN_EID_FAST_BSS_TRANSITION: 979 wpa_hexdump(MSG_DEBUG, "FT: FTE", pos, len); 980 if (use_sha384) { 981 const struct rsn_ftie_sha384 *ftie_sha384; 982 983 if (len < sizeof(*ftie_sha384)) 984 return -1; 985 ftie_sha384 = 986 (const struct rsn_ftie_sha384 *) pos; 987 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control", 988 ftie_sha384->mic_control, 2); 989 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC", 990 ftie_sha384->mic, 991 sizeof(ftie_sha384->mic)); 992 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce", 993 ftie_sha384->anonce, 994 WPA_NONCE_LEN); 995 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce", 996 ftie_sha384->snonce, 997 WPA_NONCE_LEN); 998 prot_ie_count = ftie_sha384->mic_control[1]; 999 if (wpa_ft_parse_ftie(pos, len, parse, 1) < 0) 1000 return -1; 1001 break; 1002 } 1003 1004 if (len < sizeof(*ftie)) 1005 return -1; 1006 ftie = (const struct rsn_ftie *) pos; 1007 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control", 1008 ftie->mic_control, 2); 1009 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC", 1010 ftie->mic, sizeof(ftie->mic)); 1011 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce", 1012 ftie->anonce, WPA_NONCE_LEN); 1013 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce", 1014 ftie->snonce, WPA_NONCE_LEN); 1015 prot_ie_count = ftie->mic_control[1]; 1016 if (wpa_ft_parse_ftie(pos, len, parse, 0) < 0) 1017 return -1; 1018 break; 1019 case WLAN_EID_TIMEOUT_INTERVAL: 1020 wpa_hexdump(MSG_DEBUG, "FT: Timeout Interval", 1021 pos, len); 1022 if (len != 5) 1023 break; 1024 parse->tie = pos; 1025 parse->tie_len = len; 1026 break; 1027 case WLAN_EID_RIC_DATA: 1028 if (parse->ric == NULL) 1029 parse->ric = pos - 2; 1030 break; 1031 } 1032 1033 pos += len; 1034 } 1035 1036 if (prot_ie_count == 0) 1037 return 0; /* no MIC */ 1038 1039 /* 1040 * Check that the protected IE count matches with IEs included in the 1041 * frame. 1042 */ 1043 if (parse->rsn) 1044 prot_ie_count--; 1045 if (parse->mdie) 1046 prot_ie_count--; 1047 if (parse->ftie) 1048 prot_ie_count--; 1049 if (prot_ie_count < 0) { 1050 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in " 1051 "the protected IE count"); 1052 return -1; 1053 } 1054 1055 if (prot_ie_count == 0 && parse->ric) { 1056 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not " 1057 "included in protected IE count"); 1058 return -1; 1059 } 1060 1061 /* Determine the end of the RIC IE(s) */ 1062 if (parse->ric) { 1063 pos = parse->ric; 1064 while (end - pos >= 2 && 2 + pos[1] <= end - pos && 1065 prot_ie_count) { 1066 prot_ie_count--; 1067 pos += 2 + pos[1]; 1068 } 1069 parse->ric_len = pos - parse->ric; 1070 } 1071 if (prot_ie_count) { 1072 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from " 1073 "frame", (int) prot_ie_count); 1074 return -1; 1075 } 1076 1077 return 0; 1078 } 1079 #endif /* CONFIG_IEEE80211R */ 1080 1081 1082 static int rsn_selector_to_bitfield(const u8 *s) 1083 { 1084 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE) 1085 return WPA_CIPHER_NONE; 1086 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP) 1087 return WPA_CIPHER_TKIP; 1088 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP) 1089 return WPA_CIPHER_CCMP; 1090 #ifdef CONFIG_IEEE80211W 1091 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC) 1092 return WPA_CIPHER_AES_128_CMAC; 1093 #endif /* CONFIG_IEEE80211W */ 1094 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP) 1095 return WPA_CIPHER_GCMP; 1096 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256) 1097 return WPA_CIPHER_CCMP_256; 1098 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256) 1099 return WPA_CIPHER_GCMP_256; 1100 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128) 1101 return WPA_CIPHER_BIP_GMAC_128; 1102 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256) 1103 return WPA_CIPHER_BIP_GMAC_256; 1104 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256) 1105 return WPA_CIPHER_BIP_CMAC_256; 1106 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED) 1107 return WPA_CIPHER_GTK_NOT_USED; 1108 return 0; 1109 } 1110 1111 1112 static int rsn_key_mgmt_to_bitfield(const u8 *s) 1113 { 1114 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X) 1115 return WPA_KEY_MGMT_IEEE8021X; 1116 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X) 1117 return WPA_KEY_MGMT_PSK; 1118 #ifdef CONFIG_IEEE80211R 1119 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X) 1120 return WPA_KEY_MGMT_FT_IEEE8021X; 1121 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK) 1122 return WPA_KEY_MGMT_FT_PSK; 1123 #ifdef CONFIG_SHA384 1124 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384) 1125 return WPA_KEY_MGMT_FT_IEEE8021X_SHA384; 1126 #endif /* CONFIG_SHA384 */ 1127 #endif /* CONFIG_IEEE80211R */ 1128 #ifdef CONFIG_IEEE80211W 1129 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) 1130 return WPA_KEY_MGMT_IEEE8021X_SHA256; 1131 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) 1132 return WPA_KEY_MGMT_PSK_SHA256; 1133 #endif /* CONFIG_IEEE80211W */ 1134 #ifdef CONFIG_SAE 1135 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) 1136 return WPA_KEY_MGMT_SAE; 1137 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) 1138 return WPA_KEY_MGMT_FT_SAE; 1139 #endif /* CONFIG_SAE */ 1140 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) 1141 return WPA_KEY_MGMT_IEEE8021X_SUITE_B; 1142 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192) 1143 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; 1144 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256) 1145 return WPA_KEY_MGMT_FILS_SHA256; 1146 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384) 1147 return WPA_KEY_MGMT_FILS_SHA384; 1148 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256) 1149 return WPA_KEY_MGMT_FT_FILS_SHA256; 1150 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384) 1151 return WPA_KEY_MGMT_FT_FILS_SHA384; 1152 #ifdef CONFIG_OWE 1153 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE) 1154 return WPA_KEY_MGMT_OWE; 1155 #endif /* CONFIG_OWE */ 1156 #ifdef CONFIG_DPP 1157 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP) 1158 return WPA_KEY_MGMT_DPP; 1159 #endif /* CONFIG_DPP */ 1160 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN) 1161 return WPA_KEY_MGMT_OSEN; 1162 return 0; 1163 } 1164 1165 1166 int wpa_cipher_valid_group(int cipher) 1167 { 1168 return wpa_cipher_valid_pairwise(cipher) || 1169 cipher == WPA_CIPHER_GTK_NOT_USED; 1170 } 1171 1172 1173 #ifdef CONFIG_IEEE80211W 1174 int wpa_cipher_valid_mgmt_group(int cipher) 1175 { 1176 return cipher == WPA_CIPHER_AES_128_CMAC || 1177 cipher == WPA_CIPHER_BIP_GMAC_128 || 1178 cipher == WPA_CIPHER_BIP_GMAC_256 || 1179 cipher == WPA_CIPHER_BIP_CMAC_256; 1180 } 1181 #endif /* CONFIG_IEEE80211W */ 1182 1183 1184 /** 1185 * wpa_parse_wpa_ie_rsn - Parse RSN IE 1186 * @rsn_ie: Buffer containing RSN IE 1187 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets) 1188 * @data: Pointer to structure that will be filled in with parsed data 1189 * Returns: 0 on success, <0 on failure 1190 */ 1191 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len, 1192 struct wpa_ie_data *data) 1193 { 1194 const u8 *pos; 1195 int left; 1196 int i, count; 1197 1198 os_memset(data, 0, sizeof(*data)); 1199 data->proto = WPA_PROTO_RSN; 1200 data->pairwise_cipher = WPA_CIPHER_CCMP; 1201 data->group_cipher = WPA_CIPHER_CCMP; 1202 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 1203 data->capabilities = 0; 1204 data->pmkid = NULL; 1205 data->num_pmkid = 0; 1206 #ifdef CONFIG_IEEE80211W 1207 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC; 1208 #else /* CONFIG_IEEE80211W */ 1209 data->mgmt_group_cipher = 0; 1210 #endif /* CONFIG_IEEE80211W */ 1211 1212 if (rsn_ie_len == 0) { 1213 /* No RSN IE - fail silently */ 1214 return -1; 1215 } 1216 1217 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) { 1218 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 1219 __func__, (unsigned long) rsn_ie_len); 1220 return -1; 1221 } 1222 1223 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 && 1224 rsn_ie[1] == rsn_ie_len - 2 && 1225 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) { 1226 pos = rsn_ie + 6; 1227 left = rsn_ie_len - 6; 1228 1229 data->group_cipher = WPA_CIPHER_GTK_NOT_USED; 1230 data->has_group = 1; 1231 data->key_mgmt = WPA_KEY_MGMT_OSEN; 1232 data->proto = WPA_PROTO_OSEN; 1233 } else { 1234 const struct rsn_ie_hdr *hdr; 1235 1236 hdr = (const struct rsn_ie_hdr *) rsn_ie; 1237 1238 if (hdr->elem_id != WLAN_EID_RSN || 1239 hdr->len != rsn_ie_len - 2 || 1240 WPA_GET_LE16(hdr->version) != RSN_VERSION) { 1241 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 1242 __func__); 1243 return -2; 1244 } 1245 1246 pos = (const u8 *) (hdr + 1); 1247 left = rsn_ie_len - sizeof(*hdr); 1248 } 1249 1250 if (left >= RSN_SELECTOR_LEN) { 1251 data->group_cipher = rsn_selector_to_bitfield(pos); 1252 data->has_group = 1; 1253 if (!wpa_cipher_valid_group(data->group_cipher)) { 1254 wpa_printf(MSG_DEBUG, 1255 "%s: invalid group cipher 0x%x (%08x)", 1256 __func__, data->group_cipher, 1257 WPA_GET_BE32(pos)); 1258 return -1; 1259 } 1260 pos += RSN_SELECTOR_LEN; 1261 left -= RSN_SELECTOR_LEN; 1262 } else if (left > 0) { 1263 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 1264 __func__, left); 1265 return -3; 1266 } 1267 1268 if (left >= 2) { 1269 data->pairwise_cipher = 0; 1270 count = WPA_GET_LE16(pos); 1271 pos += 2; 1272 left -= 2; 1273 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 1274 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 1275 "count %u left %u", __func__, count, left); 1276 return -4; 1277 } 1278 if (count) 1279 data->has_pairwise = 1; 1280 for (i = 0; i < count; i++) { 1281 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 1282 pos += RSN_SELECTOR_LEN; 1283 left -= RSN_SELECTOR_LEN; 1284 } 1285 #ifdef CONFIG_IEEE80211W 1286 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) { 1287 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as " 1288 "pairwise cipher", __func__); 1289 return -1; 1290 } 1291 #endif /* CONFIG_IEEE80211W */ 1292 } else if (left == 1) { 1293 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 1294 __func__); 1295 return -5; 1296 } 1297 1298 if (left >= 2) { 1299 data->key_mgmt = 0; 1300 count = WPA_GET_LE16(pos); 1301 pos += 2; 1302 left -= 2; 1303 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 1304 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 1305 "count %u left %u", __func__, count, left); 1306 return -6; 1307 } 1308 for (i = 0; i < count; i++) { 1309 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 1310 pos += RSN_SELECTOR_LEN; 1311 left -= RSN_SELECTOR_LEN; 1312 } 1313 } else if (left == 1) { 1314 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 1315 __func__); 1316 return -7; 1317 } 1318 1319 if (left >= 2) { 1320 data->capabilities = WPA_GET_LE16(pos); 1321 pos += 2; 1322 left -= 2; 1323 } 1324 1325 if (left >= 2) { 1326 u16 num_pmkid = WPA_GET_LE16(pos); 1327 pos += 2; 1328 left -= 2; 1329 if (num_pmkid > (unsigned int) left / PMKID_LEN) { 1330 wpa_printf(MSG_DEBUG, "%s: PMKID underflow " 1331 "(num_pmkid=%u left=%d)", 1332 __func__, num_pmkid, left); 1333 data->num_pmkid = 0; 1334 return -9; 1335 } else { 1336 data->num_pmkid = num_pmkid; 1337 data->pmkid = pos; 1338 pos += data->num_pmkid * PMKID_LEN; 1339 left -= data->num_pmkid * PMKID_LEN; 1340 } 1341 } 1342 1343 #ifdef CONFIG_IEEE80211W 1344 if (left >= 4) { 1345 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos); 1346 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) { 1347 wpa_printf(MSG_DEBUG, 1348 "%s: Unsupported management group cipher 0x%x (%08x)", 1349 __func__, data->mgmt_group_cipher, 1350 WPA_GET_BE32(pos)); 1351 return -10; 1352 } 1353 pos += RSN_SELECTOR_LEN; 1354 left -= RSN_SELECTOR_LEN; 1355 } 1356 #endif /* CONFIG_IEEE80211W */ 1357 1358 if (left > 0) { 1359 wpa_hexdump(MSG_DEBUG, 1360 "wpa_parse_wpa_ie_rsn: ignore trailing bytes", 1361 pos, left); 1362 } 1363 1364 return 0; 1365 } 1366 1367 1368 static int wpa_selector_to_bitfield(const u8 *s) 1369 { 1370 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE) 1371 return WPA_CIPHER_NONE; 1372 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP) 1373 return WPA_CIPHER_TKIP; 1374 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP) 1375 return WPA_CIPHER_CCMP; 1376 return 0; 1377 } 1378 1379 1380 static int wpa_key_mgmt_to_bitfield(const u8 *s) 1381 { 1382 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X) 1383 return WPA_KEY_MGMT_IEEE8021X; 1384 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X) 1385 return WPA_KEY_MGMT_PSK; 1386 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE) 1387 return WPA_KEY_MGMT_WPA_NONE; 1388 return 0; 1389 } 1390 1391 1392 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len, 1393 struct wpa_ie_data *data) 1394 { 1395 const struct wpa_ie_hdr *hdr; 1396 const u8 *pos; 1397 int left; 1398 int i, count; 1399 1400 os_memset(data, 0, sizeof(*data)); 1401 data->proto = WPA_PROTO_WPA; 1402 data->pairwise_cipher = WPA_CIPHER_TKIP; 1403 data->group_cipher = WPA_CIPHER_TKIP; 1404 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 1405 data->capabilities = 0; 1406 data->pmkid = NULL; 1407 data->num_pmkid = 0; 1408 data->mgmt_group_cipher = 0; 1409 1410 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) { 1411 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 1412 __func__, (unsigned long) wpa_ie_len); 1413 return -1; 1414 } 1415 1416 hdr = (const struct wpa_ie_hdr *) wpa_ie; 1417 1418 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC || 1419 hdr->len != wpa_ie_len - 2 || 1420 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE || 1421 WPA_GET_LE16(hdr->version) != WPA_VERSION) { 1422 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 1423 __func__); 1424 return -2; 1425 } 1426 1427 pos = (const u8 *) (hdr + 1); 1428 left = wpa_ie_len - sizeof(*hdr); 1429 1430 if (left >= WPA_SELECTOR_LEN) { 1431 data->group_cipher = wpa_selector_to_bitfield(pos); 1432 pos += WPA_SELECTOR_LEN; 1433 left -= WPA_SELECTOR_LEN; 1434 } else if (left > 0) { 1435 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 1436 __func__, left); 1437 return -3; 1438 } 1439 1440 if (left >= 2) { 1441 data->pairwise_cipher = 0; 1442 count = WPA_GET_LE16(pos); 1443 pos += 2; 1444 left -= 2; 1445 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 1446 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 1447 "count %u left %u", __func__, count, left); 1448 return -4; 1449 } 1450 for (i = 0; i < count; i++) { 1451 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 1452 pos += WPA_SELECTOR_LEN; 1453 left -= WPA_SELECTOR_LEN; 1454 } 1455 } else if (left == 1) { 1456 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 1457 __func__); 1458 return -5; 1459 } 1460 1461 if (left >= 2) { 1462 data->key_mgmt = 0; 1463 count = WPA_GET_LE16(pos); 1464 pos += 2; 1465 left -= 2; 1466 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 1467 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 1468 "count %u left %u", __func__, count, left); 1469 return -6; 1470 } 1471 for (i = 0; i < count; i++) { 1472 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 1473 pos += WPA_SELECTOR_LEN; 1474 left -= WPA_SELECTOR_LEN; 1475 } 1476 } else if (left == 1) { 1477 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 1478 __func__); 1479 return -7; 1480 } 1481 1482 if (left >= 2) { 1483 data->capabilities = WPA_GET_LE16(pos); 1484 pos += 2; 1485 left -= 2; 1486 } 1487 1488 if (left > 0) { 1489 wpa_hexdump(MSG_DEBUG, 1490 "wpa_parse_wpa_ie_wpa: ignore trailing bytes", 1491 pos, left); 1492 } 1493 1494 return 0; 1495 } 1496 1497 1498 int wpa_default_rsn_cipher(int freq) 1499 { 1500 if (freq > 56160) 1501 return WPA_CIPHER_GCMP; /* DMG */ 1502 1503 return WPA_CIPHER_CCMP; 1504 } 1505 1506 1507 #ifdef CONFIG_IEEE80211R 1508 1509 /** 1510 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name 1511 * 1512 * IEEE Std 802.11r-2008 - 8.5.1.5.3 1513 */ 1514 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len, 1515 const u8 *ssid, size_t ssid_len, 1516 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len, 1517 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name, 1518 int use_sha384) 1519 { 1520 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 + 1521 FT_R0KH_ID_MAX_LEN + ETH_ALEN]; 1522 u8 *pos, r0_key_data[64], hash[48]; 1523 const u8 *addr[2]; 1524 size_t len[2]; 1525 size_t q = use_sha384 ? 48 : 32; 1526 size_t r0_key_data_len = q + 16; 1527 1528 /* 1529 * R0-Key-Data = KDF-384(XXKey, "FT-R0", 1530 * SSIDlength || SSID || MDID || R0KHlength || 1531 * R0KH-ID || S0KH-ID) 1532 * XXKey is either the second 256 bits of MSK or PSK; or the first 1533 * 384 bits of MSK for FT-EAP-SHA384. 1534 * PMK-R0 = L(R0-Key-Data, 0, Q) 1535 * PMK-R0Name-Salt = L(R0-Key-Data, Q, 128) 1536 * Q = 384 for FT-EAP-SHA384; otherwise, 256 1537 */ 1538 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN) 1539 return -1; 1540 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R0 using KDF-%s", 1541 use_sha384 ? "SHA384" : "SHA256"); 1542 wpa_hexdump_key(MSG_DEBUG, "FT: XXKey", xxkey, xxkey_len); 1543 wpa_hexdump_ascii(MSG_DEBUG, "FT: SSID", ssid, ssid_len); 1544 wpa_hexdump(MSG_DEBUG, "FT: MDID", mdid, MOBILITY_DOMAIN_ID_LEN); 1545 wpa_hexdump_ascii(MSG_DEBUG, "FT: R0KH-ID", r0kh_id, r0kh_id_len); 1546 wpa_printf(MSG_DEBUG, "FT: S0KH-ID: " MACSTR, MAC2STR(s0kh_id)); 1547 pos = buf; 1548 *pos++ = ssid_len; 1549 os_memcpy(pos, ssid, ssid_len); 1550 pos += ssid_len; 1551 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN); 1552 pos += MOBILITY_DOMAIN_ID_LEN; 1553 *pos++ = r0kh_id_len; 1554 os_memcpy(pos, r0kh_id, r0kh_id_len); 1555 pos += r0kh_id_len; 1556 os_memcpy(pos, s0kh_id, ETH_ALEN); 1557 pos += ETH_ALEN; 1558 1559 #ifdef CONFIG_SHA384 1560 if (use_sha384) { 1561 if (xxkey_len != SHA384_MAC_LEN) { 1562 wpa_printf(MSG_ERROR, 1563 "FT: Unexpected XXKey length %d (expected %d)", 1564 (int) xxkey_len, SHA384_MAC_LEN); 1565 return -1; 1566 } 1567 if (sha384_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 1568 r0_key_data, r0_key_data_len) < 0) 1569 return -1; 1570 } 1571 #endif /* CONFIG_SHA384 */ 1572 if (!use_sha384) { 1573 if (xxkey_len != PMK_LEN) { 1574 wpa_printf(MSG_ERROR, 1575 "FT: Unexpected XXKey length %d (expected %d)", 1576 (int) xxkey_len, PMK_LEN); 1577 return -1; 1578 } 1579 if (sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 1580 r0_key_data, r0_key_data_len) < 0) 1581 return -1; 1582 } 1583 os_memcpy(pmk_r0, r0_key_data, q); 1584 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, q); 1585 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0Name-Salt", &r0_key_data[q], 16); 1586 1587 /* 1588 * PMKR0Name = Truncate-128(Hash("FT-R0N" || PMK-R0Name-Salt) 1589 */ 1590 addr[0] = (const u8 *) "FT-R0N"; 1591 len[0] = 6; 1592 addr[1] = &r0_key_data[q]; 1593 len[1] = 16; 1594 1595 #ifdef CONFIG_SHA384 1596 if (use_sha384 && sha384_vector(2, addr, len, hash) < 0) 1597 return -1; 1598 #endif /* CONFIG_SHA384 */ 1599 if (!use_sha384 && sha256_vector(2, addr, len, hash) < 0) 1600 return -1; 1601 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN); 1602 os_memset(r0_key_data, 0, sizeof(r0_key_data)); 1603 return 0; 1604 } 1605 1606 1607 /** 1608 * wpa_derive_pmk_r1_name - Derive PMKR1Name 1609 * 1610 * IEEE Std 802.11r-2008 - 8.5.1.5.4 1611 */ 1612 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id, 1613 const u8 *s1kh_id, u8 *pmk_r1_name, int use_sha384) 1614 { 1615 u8 hash[48]; 1616 const u8 *addr[4]; 1617 size_t len[4]; 1618 1619 /* 1620 * PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name || 1621 * R1KH-ID || S1KH-ID)) 1622 */ 1623 addr[0] = (const u8 *) "FT-R1N"; 1624 len[0] = 6; 1625 addr[1] = pmk_r0_name; 1626 len[1] = WPA_PMK_NAME_LEN; 1627 addr[2] = r1kh_id; 1628 len[2] = FT_R1KH_ID_LEN; 1629 addr[3] = s1kh_id; 1630 len[3] = ETH_ALEN; 1631 1632 #ifdef CONFIG_SHA384 1633 if (use_sha384 && sha384_vector(4, addr, len, hash) < 0) 1634 return -1; 1635 #endif /* CONFIG_SHA384 */ 1636 if (!use_sha384 && sha256_vector(4, addr, len, hash) < 0) 1637 return -1; 1638 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN); 1639 return 0; 1640 } 1641 1642 1643 /** 1644 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0 1645 * 1646 * IEEE Std 802.11r-2008 - 8.5.1.5.4 1647 */ 1648 int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len, 1649 const u8 *pmk_r0_name, 1650 const u8 *r1kh_id, const u8 *s1kh_id, 1651 u8 *pmk_r1, u8 *pmk_r1_name) 1652 { 1653 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN]; 1654 u8 *pos; 1655 1656 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */ 1657 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R1 using KDF-%s", 1658 pmk_r0_len == SHA384_MAC_LEN ? "SHA384" : "SHA256"); 1659 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, pmk_r0_len); 1660 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", r1kh_id, FT_R1KH_ID_LEN); 1661 wpa_printf(MSG_DEBUG, "FT: S1KH-ID: " MACSTR, MAC2STR(s1kh_id)); 1662 pos = buf; 1663 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN); 1664 pos += FT_R1KH_ID_LEN; 1665 os_memcpy(pos, s1kh_id, ETH_ALEN); 1666 pos += ETH_ALEN; 1667 1668 #ifdef CONFIG_SHA384 1669 if (pmk_r0_len == SHA384_MAC_LEN && 1670 sha384_prf(pmk_r0, pmk_r0_len, "FT-R1", 1671 buf, pos - buf, pmk_r1, pmk_r0_len) < 0) 1672 return -1; 1673 #endif /* CONFIG_SHA384 */ 1674 if (pmk_r0_len == PMK_LEN && 1675 sha256_prf(pmk_r0, pmk_r0_len, "FT-R1", 1676 buf, pos - buf, pmk_r1, pmk_r0_len) < 0) 1677 return -1; 1678 if (pmk_r0_len != SHA384_MAC_LEN && pmk_r0_len != PMK_LEN) { 1679 wpa_printf(MSG_ERROR, "FT: Unexpected PMK-R0 length %d", 1680 (int) pmk_r0_len); 1681 return -1; 1682 } 1683 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len); 1684 1685 return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, 1686 pmk_r1_name, 1687 pmk_r0_len == SHA384_MAC_LEN); 1688 } 1689 1690 1691 /** 1692 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1 1693 * 1694 * IEEE Std 802.11r-2008 - 8.5.1.5.5 1695 */ 1696 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len, 1697 const u8 *snonce, const u8 *anonce, 1698 const u8 *sta_addr, const u8 *bssid, 1699 const u8 *pmk_r1_name, 1700 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher) 1701 { 1702 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN]; 1703 u8 *pos, hash[32]; 1704 const u8 *addr[6]; 1705 size_t len[6]; 1706 u8 tmp[2 * WPA_KCK_MAX_LEN + 2 * WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 1707 size_t ptk_len, offset; 1708 int use_sha384 = wpa_key_mgmt_sha384(akmp); 1709 1710 /* 1711 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || 1712 * BSSID || STA-ADDR) 1713 */ 1714 wpa_printf(MSG_DEBUG, "FT: Derive PTK using KDF-%s", 1715 use_sha384 ? "SHA384" : "SHA256"); 1716 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r1_len); 1717 wpa_hexdump(MSG_DEBUG, "FT: SNonce", snonce, WPA_NONCE_LEN); 1718 wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN); 1719 wpa_printf(MSG_DEBUG, "FT: BSSID=" MACSTR " STA-ADDR=" MACSTR, 1720 MAC2STR(bssid), MAC2STR(sta_addr)); 1721 pos = buf; 1722 os_memcpy(pos, snonce, WPA_NONCE_LEN); 1723 pos += WPA_NONCE_LEN; 1724 os_memcpy(pos, anonce, WPA_NONCE_LEN); 1725 pos += WPA_NONCE_LEN; 1726 os_memcpy(pos, bssid, ETH_ALEN); 1727 pos += ETH_ALEN; 1728 os_memcpy(pos, sta_addr, ETH_ALEN); 1729 pos += ETH_ALEN; 1730 1731 ptk->kck_len = wpa_kck_len(akmp, PMK_LEN); 1732 ptk->kck2_len = wpa_kck2_len(akmp); 1733 ptk->kek_len = wpa_kek_len(akmp, PMK_LEN); 1734 ptk->kek2_len = wpa_kek2_len(akmp); 1735 ptk->tk_len = wpa_cipher_key_len(cipher); 1736 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + 1737 ptk->kck2_len + ptk->kek2_len; 1738 1739 #ifdef CONFIG_SHA384 1740 if (use_sha384) { 1741 if (pmk_r1_len != SHA384_MAC_LEN) { 1742 wpa_printf(MSG_ERROR, 1743 "FT: Unexpected PMK-R1 length %d (expected %d)", 1744 (int) pmk_r1_len, SHA384_MAC_LEN); 1745 return -1; 1746 } 1747 if (sha384_prf(pmk_r1, pmk_r1_len, "FT-PTK", 1748 buf, pos - buf, tmp, ptk_len) < 0) 1749 return -1; 1750 } 1751 #endif /* CONFIG_SHA384 */ 1752 if (!use_sha384) { 1753 if (pmk_r1_len != PMK_LEN) { 1754 wpa_printf(MSG_ERROR, 1755 "FT: Unexpected PMK-R1 length %d (expected %d)", 1756 (int) pmk_r1_len, PMK_LEN); 1757 return -1; 1758 } 1759 if (sha256_prf(pmk_r1, pmk_r1_len, "FT-PTK", 1760 buf, pos - buf, tmp, ptk_len) < 0) 1761 return -1; 1762 } 1763 wpa_hexdump_key(MSG_DEBUG, "FT: PTK", tmp, ptk_len); 1764 1765 /* 1766 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce || 1767 * ANonce || BSSID || STA-ADDR)) 1768 */ 1769 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN); 1770 addr[0] = pmk_r1_name; 1771 len[0] = WPA_PMK_NAME_LEN; 1772 addr[1] = (const u8 *) "FT-PTKN"; 1773 len[1] = 7; 1774 addr[2] = snonce; 1775 len[2] = WPA_NONCE_LEN; 1776 addr[3] = anonce; 1777 len[3] = WPA_NONCE_LEN; 1778 addr[4] = bssid; 1779 len[4] = ETH_ALEN; 1780 addr[5] = sta_addr; 1781 len[5] = ETH_ALEN; 1782 1783 if (sha256_vector(6, addr, len, hash) < 0) 1784 return -1; 1785 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN); 1786 1787 os_memcpy(ptk->kck, tmp, ptk->kck_len); 1788 offset = ptk->kck_len; 1789 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len); 1790 offset += ptk->kek_len; 1791 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len); 1792 offset += ptk->tk_len; 1793 os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len); 1794 offset += ptk->kck2_len; 1795 os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len); 1796 1797 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len); 1798 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len); 1799 if (ptk->kck2_len) 1800 wpa_hexdump_key(MSG_DEBUG, "FT: KCK2", 1801 ptk->kck2, ptk->kck2_len); 1802 if (ptk->kek2_len) 1803 wpa_hexdump_key(MSG_DEBUG, "FT: KEK2", 1804 ptk->kek2, ptk->kek2_len); 1805 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len); 1806 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN); 1807 1808 os_memset(tmp, 0, sizeof(tmp)); 1809 1810 return 0; 1811 } 1812 1813 #endif /* CONFIG_IEEE80211R */ 1814 1815 1816 /** 1817 * rsn_pmkid - Calculate PMK identifier 1818 * @pmk: Pairwise master key 1819 * @pmk_len: Length of pmk in bytes 1820 * @aa: Authenticator address 1821 * @spa: Supplicant address 1822 * @pmkid: Buffer for PMKID 1823 * @akmp: Negotiated key management protocol 1824 * 1825 * IEEE Std 802.11-2016 - 12.7.1.3 Pairwise key hierarchy 1826 * AKM: 00-0F-AC:5, 00-0F-AC:6, 00-0F-AC:14, 00-0F-AC:16 1827 * PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA)) 1828 * AKM: 00-0F-AC:11 1829 * See rsn_pmkid_suite_b() 1830 * AKM: 00-0F-AC:12 1831 * See rsn_pmkid_suite_b_192() 1832 * AKM: 00-0F-AC:13, 00-0F-AC:15, 00-0F-AC:17 1833 * PMKID = Truncate-128(HMAC-SHA-384(PMK, "PMK Name" || AA || SPA)) 1834 * Otherwise: 1835 * PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA)) 1836 */ 1837 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa, 1838 u8 *pmkid, int akmp) 1839 { 1840 char *title = "PMK Name"; 1841 const u8 *addr[3]; 1842 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1843 unsigned char hash[SHA384_MAC_LEN]; 1844 1845 addr[0] = (u8 *) title; 1846 addr[1] = aa; 1847 addr[2] = spa; 1848 1849 if (0) { 1850 #if defined(CONFIG_FILS) || defined(CONFIG_SHA384) 1851 } else if (wpa_key_mgmt_sha384(akmp)) { 1852 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-384"); 1853 hmac_sha384_vector(pmk, pmk_len, 3, addr, len, hash); 1854 #endif /* CONFIG_FILS || CONFIG_SHA384 */ 1855 #if defined(CONFIG_IEEE80211W) || defined(CONFIG_FILS) 1856 } else if (wpa_key_mgmt_sha256(akmp)) { 1857 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-256"); 1858 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash); 1859 #endif /* CONFIG_IEEE80211W || CONFIG_FILS */ 1860 } else { 1861 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-1"); 1862 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash); 1863 } 1864 wpa_hexdump(MSG_DEBUG, "RSN: Derived PMKID", hash, PMKID_LEN); 1865 os_memcpy(pmkid, hash, PMKID_LEN); 1866 } 1867 1868 1869 #ifdef CONFIG_SUITEB 1870 /** 1871 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM 1872 * @kck: Key confirmation key 1873 * @kck_len: Length of kck in bytes 1874 * @aa: Authenticator address 1875 * @spa: Supplicant address 1876 * @pmkid: Buffer for PMKID 1877 * Returns: 0 on success, -1 on failure 1878 * 1879 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1880 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA)) 1881 */ 1882 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa, 1883 const u8 *spa, u8 *pmkid) 1884 { 1885 char *title = "PMK Name"; 1886 const u8 *addr[3]; 1887 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1888 unsigned char hash[SHA256_MAC_LEN]; 1889 1890 addr[0] = (u8 *) title; 1891 addr[1] = aa; 1892 addr[2] = spa; 1893 1894 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0) 1895 return -1; 1896 os_memcpy(pmkid, hash, PMKID_LEN); 1897 return 0; 1898 } 1899 #endif /* CONFIG_SUITEB */ 1900 1901 1902 #ifdef CONFIG_SUITEB192 1903 /** 1904 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM 1905 * @kck: Key confirmation key 1906 * @kck_len: Length of kck in bytes 1907 * @aa: Authenticator address 1908 * @spa: Supplicant address 1909 * @pmkid: Buffer for PMKID 1910 * Returns: 0 on success, -1 on failure 1911 * 1912 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1913 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA)) 1914 */ 1915 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa, 1916 const u8 *spa, u8 *pmkid) 1917 { 1918 char *title = "PMK Name"; 1919 const u8 *addr[3]; 1920 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1921 unsigned char hash[SHA384_MAC_LEN]; 1922 1923 addr[0] = (u8 *) title; 1924 addr[1] = aa; 1925 addr[2] = spa; 1926 1927 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0) 1928 return -1; 1929 os_memcpy(pmkid, hash, PMKID_LEN); 1930 return 0; 1931 } 1932 #endif /* CONFIG_SUITEB192 */ 1933 1934 1935 /** 1936 * wpa_cipher_txt - Convert cipher suite to a text string 1937 * @cipher: Cipher suite (WPA_CIPHER_* enum) 1938 * Returns: Pointer to a text string of the cipher suite name 1939 */ 1940 const char * wpa_cipher_txt(int cipher) 1941 { 1942 switch (cipher) { 1943 case WPA_CIPHER_NONE: 1944 return "NONE"; 1945 case WPA_CIPHER_WEP40: 1946 return "WEP-40"; 1947 case WPA_CIPHER_WEP104: 1948 return "WEP-104"; 1949 case WPA_CIPHER_TKIP: 1950 return "TKIP"; 1951 case WPA_CIPHER_CCMP: 1952 return "CCMP"; 1953 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP: 1954 return "CCMP+TKIP"; 1955 case WPA_CIPHER_GCMP: 1956 return "GCMP"; 1957 case WPA_CIPHER_GCMP_256: 1958 return "GCMP-256"; 1959 case WPA_CIPHER_CCMP_256: 1960 return "CCMP-256"; 1961 case WPA_CIPHER_AES_128_CMAC: 1962 return "BIP"; 1963 case WPA_CIPHER_BIP_GMAC_128: 1964 return "BIP-GMAC-128"; 1965 case WPA_CIPHER_BIP_GMAC_256: 1966 return "BIP-GMAC-256"; 1967 case WPA_CIPHER_BIP_CMAC_256: 1968 return "BIP-CMAC-256"; 1969 case WPA_CIPHER_GTK_NOT_USED: 1970 return "GTK_NOT_USED"; 1971 default: 1972 return "UNKNOWN"; 1973 } 1974 } 1975 1976 1977 /** 1978 * wpa_key_mgmt_txt - Convert key management suite to a text string 1979 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum) 1980 * @proto: WPA/WPA2 version (WPA_PROTO_*) 1981 * Returns: Pointer to a text string of the key management suite name 1982 */ 1983 const char * wpa_key_mgmt_txt(int key_mgmt, int proto) 1984 { 1985 switch (key_mgmt) { 1986 case WPA_KEY_MGMT_IEEE8021X: 1987 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1988 return "WPA2+WPA/IEEE 802.1X/EAP"; 1989 return proto == WPA_PROTO_RSN ? 1990 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP"; 1991 case WPA_KEY_MGMT_PSK: 1992 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1993 return "WPA2-PSK+WPA-PSK"; 1994 return proto == WPA_PROTO_RSN ? 1995 "WPA2-PSK" : "WPA-PSK"; 1996 case WPA_KEY_MGMT_NONE: 1997 return "NONE"; 1998 case WPA_KEY_MGMT_WPA_NONE: 1999 return "WPA-NONE"; 2000 case WPA_KEY_MGMT_IEEE8021X_NO_WPA: 2001 return "IEEE 802.1X (no WPA)"; 2002 #ifdef CONFIG_IEEE80211R 2003 case WPA_KEY_MGMT_FT_IEEE8021X: 2004 return "FT-EAP"; 2005 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 2006 return "FT-EAP-SHA384"; 2007 case WPA_KEY_MGMT_FT_PSK: 2008 return "FT-PSK"; 2009 #endif /* CONFIG_IEEE80211R */ 2010 #ifdef CONFIG_IEEE80211W 2011 case WPA_KEY_MGMT_IEEE8021X_SHA256: 2012 return "WPA2-EAP-SHA256"; 2013 case WPA_KEY_MGMT_PSK_SHA256: 2014 return "WPA2-PSK-SHA256"; 2015 #endif /* CONFIG_IEEE80211W */ 2016 case WPA_KEY_MGMT_WPS: 2017 return "WPS"; 2018 case WPA_KEY_MGMT_SAE: 2019 return "SAE"; 2020 case WPA_KEY_MGMT_FT_SAE: 2021 return "FT-SAE"; 2022 case WPA_KEY_MGMT_OSEN: 2023 return "OSEN"; 2024 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 2025 return "WPA2-EAP-SUITE-B"; 2026 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 2027 return "WPA2-EAP-SUITE-B-192"; 2028 case WPA_KEY_MGMT_FILS_SHA256: 2029 return "FILS-SHA256"; 2030 case WPA_KEY_MGMT_FILS_SHA384: 2031 return "FILS-SHA384"; 2032 case WPA_KEY_MGMT_FT_FILS_SHA256: 2033 return "FT-FILS-SHA256"; 2034 case WPA_KEY_MGMT_FT_FILS_SHA384: 2035 return "FT-FILS-SHA384"; 2036 case WPA_KEY_MGMT_OWE: 2037 return "OWE"; 2038 case WPA_KEY_MGMT_DPP: 2039 return "DPP"; 2040 default: 2041 return "UNKNOWN"; 2042 } 2043 } 2044 2045 2046 u32 wpa_akm_to_suite(int akm) 2047 { 2048 if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) 2049 return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384; 2050 if (akm & WPA_KEY_MGMT_FT_IEEE8021X) 2051 return RSN_AUTH_KEY_MGMT_FT_802_1X; 2052 if (akm & WPA_KEY_MGMT_FT_PSK) 2053 return RSN_AUTH_KEY_MGMT_FT_PSK; 2054 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) 2055 return RSN_AUTH_KEY_MGMT_802_1X_SHA256; 2056 if (akm & WPA_KEY_MGMT_IEEE8021X) 2057 return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; 2058 if (akm & WPA_KEY_MGMT_PSK_SHA256) 2059 return RSN_AUTH_KEY_MGMT_PSK_SHA256; 2060 if (akm & WPA_KEY_MGMT_PSK) 2061 return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; 2062 if (akm & WPA_KEY_MGMT_CCKM) 2063 return RSN_AUTH_KEY_MGMT_CCKM; 2064 if (akm & WPA_KEY_MGMT_OSEN) 2065 return RSN_AUTH_KEY_MGMT_OSEN; 2066 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B) 2067 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; 2068 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 2069 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; 2070 if (akm & WPA_KEY_MGMT_FILS_SHA256) 2071 return RSN_AUTH_KEY_MGMT_FILS_SHA256; 2072 if (akm & WPA_KEY_MGMT_FILS_SHA384) 2073 return RSN_AUTH_KEY_MGMT_FILS_SHA384; 2074 if (akm & WPA_KEY_MGMT_FT_FILS_SHA256) 2075 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256; 2076 if (akm & WPA_KEY_MGMT_FT_FILS_SHA384) 2077 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384; 2078 return 0; 2079 } 2080 2081 2082 int wpa_compare_rsn_ie(int ft_initial_assoc, 2083 const u8 *ie1, size_t ie1len, 2084 const u8 *ie2, size_t ie2len) 2085 { 2086 if (ie1 == NULL || ie2 == NULL) 2087 return -1; 2088 2089 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0) 2090 return 0; /* identical IEs */ 2091 2092 #ifdef CONFIG_IEEE80211R 2093 if (ft_initial_assoc) { 2094 struct wpa_ie_data ie1d, ie2d; 2095 /* 2096 * The PMKID-List in RSN IE is different between Beacon/Probe 2097 * Response/(Re)Association Request frames and EAPOL-Key 2098 * messages in FT initial mobility domain association. Allow 2099 * for this, but verify that other parts of the RSN IEs are 2100 * identical. 2101 */ 2102 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 || 2103 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0) 2104 return -1; 2105 if (ie1d.proto == ie2d.proto && 2106 ie1d.pairwise_cipher == ie2d.pairwise_cipher && 2107 ie1d.group_cipher == ie2d.group_cipher && 2108 ie1d.key_mgmt == ie2d.key_mgmt && 2109 ie1d.capabilities == ie2d.capabilities && 2110 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher) 2111 return 0; 2112 } 2113 #endif /* CONFIG_IEEE80211R */ 2114 2115 return -1; 2116 } 2117 2118 2119 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) 2120 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid) 2121 { 2122 u8 *start, *end, *rpos, *rend; 2123 int added = 0; 2124 2125 start = ies; 2126 end = ies + *ies_len; 2127 2128 while (start < end) { 2129 if (*start == WLAN_EID_RSN) 2130 break; 2131 start += 2 + start[1]; 2132 } 2133 if (start >= end) { 2134 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in " 2135 "IEs data"); 2136 return -1; 2137 } 2138 wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification", 2139 start, 2 + start[1]); 2140 2141 /* Find start of PMKID-Count */ 2142 rpos = start + 2; 2143 rend = rpos + start[1]; 2144 2145 /* Skip Version and Group Data Cipher Suite */ 2146 rpos += 2 + 4; 2147 /* Skip Pairwise Cipher Suite Count and List */ 2148 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 2149 /* Skip AKM Suite Count and List */ 2150 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 2151 2152 if (rpos == rend) { 2153 /* Add RSN Capabilities */ 2154 os_memmove(rpos + 2, rpos, end - rpos); 2155 *rpos++ = 0; 2156 *rpos++ = 0; 2157 added += 2; 2158 start[1] += 2; 2159 rend = rpos; 2160 } else { 2161 /* Skip RSN Capabilities */ 2162 rpos += 2; 2163 if (rpos > rend) { 2164 wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in " 2165 "IEs data"); 2166 return -1; 2167 } 2168 } 2169 2170 if (rpos == rend) { 2171 /* No PMKID-Count field included; add it */ 2172 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos); 2173 WPA_PUT_LE16(rpos, 1); 2174 rpos += 2; 2175 os_memcpy(rpos, pmkid, PMKID_LEN); 2176 added += 2 + PMKID_LEN; 2177 start[1] += 2 + PMKID_LEN; 2178 } else { 2179 u16 num_pmkid; 2180 2181 if (rend - rpos < 2) 2182 return -1; 2183 num_pmkid = WPA_GET_LE16(rpos); 2184 /* PMKID-Count was included; use it */ 2185 if (num_pmkid != 0) { 2186 u8 *after; 2187 2188 if (num_pmkid * PMKID_LEN > rend - rpos - 2) 2189 return -1; 2190 /* 2191 * PMKID may have been included in RSN IE in 2192 * (Re)Association Request frame, so remove the old 2193 * PMKID(s) first before adding the new one. 2194 */ 2195 wpa_printf(MSG_DEBUG, 2196 "FT: Remove %u old PMKID(s) from RSN IE", 2197 num_pmkid); 2198 after = rpos + 2 + num_pmkid * PMKID_LEN; 2199 os_memmove(rpos + 2, after, rend - after); 2200 start[1] -= num_pmkid * PMKID_LEN; 2201 added -= num_pmkid * PMKID_LEN; 2202 } 2203 WPA_PUT_LE16(rpos, 1); 2204 rpos += 2; 2205 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos); 2206 os_memcpy(rpos, pmkid, PMKID_LEN); 2207 added += PMKID_LEN; 2208 start[1] += PMKID_LEN; 2209 } 2210 2211 wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification " 2212 "(PMKID inserted)", start, 2 + start[1]); 2213 2214 *ies_len += added; 2215 2216 return 0; 2217 } 2218 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ 2219 2220 2221 int wpa_cipher_key_len(int cipher) 2222 { 2223 switch (cipher) { 2224 case WPA_CIPHER_CCMP_256: 2225 case WPA_CIPHER_GCMP_256: 2226 case WPA_CIPHER_BIP_GMAC_256: 2227 case WPA_CIPHER_BIP_CMAC_256: 2228 return 32; 2229 case WPA_CIPHER_CCMP: 2230 case WPA_CIPHER_GCMP: 2231 case WPA_CIPHER_AES_128_CMAC: 2232 case WPA_CIPHER_BIP_GMAC_128: 2233 return 16; 2234 case WPA_CIPHER_TKIP: 2235 return 32; 2236 } 2237 2238 return 0; 2239 } 2240 2241 2242 int wpa_cipher_rsc_len(int cipher) 2243 { 2244 switch (cipher) { 2245 case WPA_CIPHER_CCMP_256: 2246 case WPA_CIPHER_GCMP_256: 2247 case WPA_CIPHER_CCMP: 2248 case WPA_CIPHER_GCMP: 2249 case WPA_CIPHER_TKIP: 2250 return 6; 2251 } 2252 2253 return 0; 2254 } 2255 2256 2257 enum wpa_alg wpa_cipher_to_alg(int cipher) 2258 { 2259 switch (cipher) { 2260 case WPA_CIPHER_CCMP_256: 2261 return WPA_ALG_CCMP_256; 2262 case WPA_CIPHER_GCMP_256: 2263 return WPA_ALG_GCMP_256; 2264 case WPA_CIPHER_CCMP: 2265 return WPA_ALG_CCMP; 2266 case WPA_CIPHER_GCMP: 2267 return WPA_ALG_GCMP; 2268 case WPA_CIPHER_TKIP: 2269 return WPA_ALG_TKIP; 2270 case WPA_CIPHER_AES_128_CMAC: 2271 return WPA_ALG_IGTK; 2272 case WPA_CIPHER_BIP_GMAC_128: 2273 return WPA_ALG_BIP_GMAC_128; 2274 case WPA_CIPHER_BIP_GMAC_256: 2275 return WPA_ALG_BIP_GMAC_256; 2276 case WPA_CIPHER_BIP_CMAC_256: 2277 return WPA_ALG_BIP_CMAC_256; 2278 } 2279 return WPA_ALG_NONE; 2280 } 2281 2282 2283 int wpa_cipher_valid_pairwise(int cipher) 2284 { 2285 return cipher == WPA_CIPHER_CCMP_256 || 2286 cipher == WPA_CIPHER_GCMP_256 || 2287 cipher == WPA_CIPHER_CCMP || 2288 cipher == WPA_CIPHER_GCMP || 2289 cipher == WPA_CIPHER_TKIP; 2290 } 2291 2292 2293 u32 wpa_cipher_to_suite(int proto, int cipher) 2294 { 2295 if (cipher & WPA_CIPHER_CCMP_256) 2296 return RSN_CIPHER_SUITE_CCMP_256; 2297 if (cipher & WPA_CIPHER_GCMP_256) 2298 return RSN_CIPHER_SUITE_GCMP_256; 2299 if (cipher & WPA_CIPHER_CCMP) 2300 return (proto == WPA_PROTO_RSN ? 2301 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP); 2302 if (cipher & WPA_CIPHER_GCMP) 2303 return RSN_CIPHER_SUITE_GCMP; 2304 if (cipher & WPA_CIPHER_TKIP) 2305 return (proto == WPA_PROTO_RSN ? 2306 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP); 2307 if (cipher & WPA_CIPHER_NONE) 2308 return (proto == WPA_PROTO_RSN ? 2309 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE); 2310 if (cipher & WPA_CIPHER_GTK_NOT_USED) 2311 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED; 2312 if (cipher & WPA_CIPHER_AES_128_CMAC) 2313 return RSN_CIPHER_SUITE_AES_128_CMAC; 2314 if (cipher & WPA_CIPHER_BIP_GMAC_128) 2315 return RSN_CIPHER_SUITE_BIP_GMAC_128; 2316 if (cipher & WPA_CIPHER_BIP_GMAC_256) 2317 return RSN_CIPHER_SUITE_BIP_GMAC_256; 2318 if (cipher & WPA_CIPHER_BIP_CMAC_256) 2319 return RSN_CIPHER_SUITE_BIP_CMAC_256; 2320 return 0; 2321 } 2322 2323 2324 int rsn_cipher_put_suites(u8 *start, int ciphers) 2325 { 2326 u8 *pos = start; 2327 2328 if (ciphers & WPA_CIPHER_CCMP_256) { 2329 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256); 2330 pos += RSN_SELECTOR_LEN; 2331 } 2332 if (ciphers & WPA_CIPHER_GCMP_256) { 2333 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256); 2334 pos += RSN_SELECTOR_LEN; 2335 } 2336 if (ciphers & WPA_CIPHER_CCMP) { 2337 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 2338 pos += RSN_SELECTOR_LEN; 2339 } 2340 if (ciphers & WPA_CIPHER_GCMP) { 2341 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP); 2342 pos += RSN_SELECTOR_LEN; 2343 } 2344 if (ciphers & WPA_CIPHER_TKIP) { 2345 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 2346 pos += RSN_SELECTOR_LEN; 2347 } 2348 if (ciphers & WPA_CIPHER_NONE) { 2349 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE); 2350 pos += RSN_SELECTOR_LEN; 2351 } 2352 2353 return (pos - start) / RSN_SELECTOR_LEN; 2354 } 2355 2356 2357 int wpa_cipher_put_suites(u8 *start, int ciphers) 2358 { 2359 u8 *pos = start; 2360 2361 if (ciphers & WPA_CIPHER_CCMP) { 2362 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 2363 pos += WPA_SELECTOR_LEN; 2364 } 2365 if (ciphers & WPA_CIPHER_TKIP) { 2366 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 2367 pos += WPA_SELECTOR_LEN; 2368 } 2369 if (ciphers & WPA_CIPHER_NONE) { 2370 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE); 2371 pos += WPA_SELECTOR_LEN; 2372 } 2373 2374 return (pos - start) / RSN_SELECTOR_LEN; 2375 } 2376 2377 2378 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) 2379 { 2380 if (ciphers & WPA_CIPHER_CCMP_256) 2381 return WPA_CIPHER_CCMP_256; 2382 if (ciphers & WPA_CIPHER_GCMP_256) 2383 return WPA_CIPHER_GCMP_256; 2384 if (ciphers & WPA_CIPHER_CCMP) 2385 return WPA_CIPHER_CCMP; 2386 if (ciphers & WPA_CIPHER_GCMP) 2387 return WPA_CIPHER_GCMP; 2388 if (ciphers & WPA_CIPHER_TKIP) 2389 return WPA_CIPHER_TKIP; 2390 if (none_allowed && (ciphers & WPA_CIPHER_NONE)) 2391 return WPA_CIPHER_NONE; 2392 return -1; 2393 } 2394 2395 2396 int wpa_pick_group_cipher(int ciphers) 2397 { 2398 if (ciphers & WPA_CIPHER_CCMP_256) 2399 return WPA_CIPHER_CCMP_256; 2400 if (ciphers & WPA_CIPHER_GCMP_256) 2401 return WPA_CIPHER_GCMP_256; 2402 if (ciphers & WPA_CIPHER_CCMP) 2403 return WPA_CIPHER_CCMP; 2404 if (ciphers & WPA_CIPHER_GCMP) 2405 return WPA_CIPHER_GCMP; 2406 if (ciphers & WPA_CIPHER_GTK_NOT_USED) 2407 return WPA_CIPHER_GTK_NOT_USED; 2408 if (ciphers & WPA_CIPHER_TKIP) 2409 return WPA_CIPHER_TKIP; 2410 return -1; 2411 } 2412 2413 2414 int wpa_parse_cipher(const char *value) 2415 { 2416 int val = 0, last; 2417 char *start, *end, *buf; 2418 2419 buf = os_strdup(value); 2420 if (buf == NULL) 2421 return -1; 2422 start = buf; 2423 2424 while (*start != '\0') { 2425 while (*start == ' ' || *start == '\t') 2426 start++; 2427 if (*start == '\0') 2428 break; 2429 end = start; 2430 while (*end != ' ' && *end != '\t' && *end != '\0') 2431 end++; 2432 last = *end == '\0'; 2433 *end = '\0'; 2434 if (os_strcmp(start, "CCMP-256") == 0) 2435 val |= WPA_CIPHER_CCMP_256; 2436 else if (os_strcmp(start, "GCMP-256") == 0) 2437 val |= WPA_CIPHER_GCMP_256; 2438 else if (os_strcmp(start, "CCMP") == 0) 2439 val |= WPA_CIPHER_CCMP; 2440 else if (os_strcmp(start, "GCMP") == 0) 2441 val |= WPA_CIPHER_GCMP; 2442 else if (os_strcmp(start, "TKIP") == 0) 2443 val |= WPA_CIPHER_TKIP; 2444 else if (os_strcmp(start, "WEP104") == 0) 2445 val |= WPA_CIPHER_WEP104; 2446 else if (os_strcmp(start, "WEP40") == 0) 2447 val |= WPA_CIPHER_WEP40; 2448 else if (os_strcmp(start, "NONE") == 0) 2449 val |= WPA_CIPHER_NONE; 2450 else if (os_strcmp(start, "GTK_NOT_USED") == 0) 2451 val |= WPA_CIPHER_GTK_NOT_USED; 2452 else if (os_strcmp(start, "AES-128-CMAC") == 0) 2453 val |= WPA_CIPHER_AES_128_CMAC; 2454 else if (os_strcmp(start, "BIP-GMAC-128") == 0) 2455 val |= WPA_CIPHER_BIP_GMAC_128; 2456 else if (os_strcmp(start, "BIP-GMAC-256") == 0) 2457 val |= WPA_CIPHER_BIP_GMAC_256; 2458 else if (os_strcmp(start, "BIP-CMAC-256") == 0) 2459 val |= WPA_CIPHER_BIP_CMAC_256; 2460 else { 2461 os_free(buf); 2462 return -1; 2463 } 2464 2465 if (last) 2466 break; 2467 start = end + 1; 2468 } 2469 os_free(buf); 2470 2471 return val; 2472 } 2473 2474 2475 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim) 2476 { 2477 char *pos = start; 2478 int ret; 2479 2480 if (ciphers & WPA_CIPHER_CCMP_256) { 2481 ret = os_snprintf(pos, end - pos, "%sCCMP-256", 2482 pos == start ? "" : delim); 2483 if (os_snprintf_error(end - pos, ret)) 2484 return -1; 2485 pos += ret; 2486 } 2487 if (ciphers & WPA_CIPHER_GCMP_256) { 2488 ret = os_snprintf(pos, end - pos, "%sGCMP-256", 2489 pos == start ? "" : delim); 2490 if (os_snprintf_error(end - pos, ret)) 2491 return -1; 2492 pos += ret; 2493 } 2494 if (ciphers & WPA_CIPHER_CCMP) { 2495 ret = os_snprintf(pos, end - pos, "%sCCMP", 2496 pos == start ? "" : delim); 2497 if (os_snprintf_error(end - pos, ret)) 2498 return -1; 2499 pos += ret; 2500 } 2501 if (ciphers & WPA_CIPHER_GCMP) { 2502 ret = os_snprintf(pos, end - pos, "%sGCMP", 2503 pos == start ? "" : delim); 2504 if (os_snprintf_error(end - pos, ret)) 2505 return -1; 2506 pos += ret; 2507 } 2508 if (ciphers & WPA_CIPHER_TKIP) { 2509 ret = os_snprintf(pos, end - pos, "%sTKIP", 2510 pos == start ? "" : delim); 2511 if (os_snprintf_error(end - pos, ret)) 2512 return -1; 2513 pos += ret; 2514 } 2515 if (ciphers & WPA_CIPHER_AES_128_CMAC) { 2516 ret = os_snprintf(pos, end - pos, "%sAES-128-CMAC", 2517 pos == start ? "" : delim); 2518 if (os_snprintf_error(end - pos, ret)) 2519 return -1; 2520 pos += ret; 2521 } 2522 if (ciphers & WPA_CIPHER_BIP_GMAC_128) { 2523 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-128", 2524 pos == start ? "" : delim); 2525 if (os_snprintf_error(end - pos, ret)) 2526 return -1; 2527 pos += ret; 2528 } 2529 if (ciphers & WPA_CIPHER_BIP_GMAC_256) { 2530 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-256", 2531 pos == start ? "" : delim); 2532 if (os_snprintf_error(end - pos, ret)) 2533 return -1; 2534 pos += ret; 2535 } 2536 if (ciphers & WPA_CIPHER_BIP_CMAC_256) { 2537 ret = os_snprintf(pos, end - pos, "%sBIP-CMAC-256", 2538 pos == start ? "" : delim); 2539 if (os_snprintf_error(end - pos, ret)) 2540 return -1; 2541 pos += ret; 2542 } 2543 if (ciphers & WPA_CIPHER_NONE) { 2544 ret = os_snprintf(pos, end - pos, "%sNONE", 2545 pos == start ? "" : delim); 2546 if (os_snprintf_error(end - pos, ret)) 2547 return -1; 2548 pos += ret; 2549 } 2550 2551 return pos - start; 2552 } 2553 2554 2555 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise) 2556 { 2557 int pairwise = 0; 2558 2559 /* Select group cipher based on the enabled pairwise cipher suites */ 2560 if (wpa & 1) 2561 pairwise |= wpa_pairwise; 2562 if (wpa & 2) 2563 pairwise |= rsn_pairwise; 2564 2565 if (pairwise & WPA_CIPHER_TKIP) 2566 return WPA_CIPHER_TKIP; 2567 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP) 2568 return WPA_CIPHER_GCMP; 2569 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP | 2570 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256) 2571 return WPA_CIPHER_GCMP_256; 2572 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP | 2573 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256) 2574 return WPA_CIPHER_CCMP_256; 2575 return WPA_CIPHER_CCMP; 2576 } 2577 2578 2579 #ifdef CONFIG_FILS 2580 int fils_domain_name_hash(const char *domain, u8 *hash) 2581 { 2582 char buf[255], *wpos = buf; 2583 const char *pos = domain; 2584 size_t len; 2585 const u8 *addr[1]; 2586 u8 mac[SHA256_MAC_LEN]; 2587 2588 for (len = 0; len < sizeof(buf) && *pos; len++) { 2589 if (isalpha(*pos) && isupper(*pos)) 2590 *wpos++ = tolower(*pos); 2591 else 2592 *wpos++ = *pos; 2593 pos++; 2594 } 2595 2596 addr[0] = (const u8 *) buf; 2597 if (sha256_vector(1, addr, &len, mac) < 0) 2598 return -1; 2599 os_memcpy(hash, mac, 2); 2600 return 0; 2601 } 2602 #endif /* CONFIG_FILS */ 2603