1 /* 2 * WPA/RSN - Shared functions for supplicant and authenticator 3 * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/sha384.h" 16 #include "crypto/aes_wrap.h" 17 #include "crypto/crypto.h" 18 #include "ieee802_11_defs.h" 19 #include "defs.h" 20 #include "wpa_common.h" 21 22 23 static unsigned int wpa_kck_len(int akmp) 24 { 25 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 26 return 24; 27 return 16; 28 } 29 30 31 static unsigned int wpa_kek_len(int akmp) 32 { 33 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 34 return 32; 35 return 16; 36 } 37 38 39 unsigned int wpa_mic_len(int akmp) 40 { 41 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 42 return 24; 43 return 16; 44 } 45 46 47 /** 48 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC 49 * @key: EAPOL-Key Key Confirmation Key (KCK) 50 * @key_len: KCK length in octets 51 * @akmp: WPA_KEY_MGMT_* used in key derivation 52 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*) 53 * @buf: Pointer to the beginning of the EAPOL header (version field) 54 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame) 55 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written 56 * Returns: 0 on success, -1 on failure 57 * 58 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has 59 * to be cleared (all zeroes) when calling this function. 60 * 61 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the 62 * description of the Key MIC calculation. It includes packet data from the 63 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change 64 * happened during final editing of the standard and the correct behavior is 65 * defined in the last draft (IEEE 802.11i/D10). 66 */ 67 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, 68 const u8 *buf, size_t len, u8 *mic) 69 { 70 u8 hash[SHA384_MAC_LEN]; 71 72 switch (ver) { 73 #ifndef CONFIG_FIPS 74 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4: 75 return hmac_md5(key, key_len, buf, len, mic); 76 #endif /* CONFIG_FIPS */ 77 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES: 78 if (hmac_sha1(key, key_len, buf, len, hash)) 79 return -1; 80 os_memcpy(mic, hash, MD5_MAC_LEN); 81 break; 82 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W) 83 case WPA_KEY_INFO_TYPE_AES_128_CMAC: 84 return omac1_aes_128(key, buf, len, mic); 85 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */ 86 case WPA_KEY_INFO_TYPE_AKM_DEFINED: 87 switch (akmp) { 88 #ifdef CONFIG_HS20 89 case WPA_KEY_MGMT_OSEN: 90 return omac1_aes_128(key, buf, len, mic); 91 #endif /* CONFIG_HS20 */ 92 #ifdef CONFIG_SUITEB 93 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 94 if (hmac_sha256(key, key_len, buf, len, hash)) 95 return -1; 96 os_memcpy(mic, hash, MD5_MAC_LEN); 97 break; 98 #endif /* CONFIG_SUITEB */ 99 #ifdef CONFIG_SUITEB192 100 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 101 if (hmac_sha384(key, key_len, buf, len, hash)) 102 return -1; 103 os_memcpy(mic, hash, 24); 104 break; 105 #endif /* CONFIG_SUITEB192 */ 106 default: 107 return -1; 108 } 109 break; 110 default: 111 return -1; 112 } 113 114 return 0; 115 } 116 117 118 /** 119 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces 120 * @pmk: Pairwise master key 121 * @pmk_len: Length of PMK 122 * @label: Label to use in derivation 123 * @addr1: AA or SA 124 * @addr2: SA or AA 125 * @nonce1: ANonce or SNonce 126 * @nonce2: SNonce or ANonce 127 * @ptk: Buffer for pairwise transient key 128 * @akmp: Negotiated AKM 129 * @cipher: Negotiated pairwise cipher 130 * Returns: 0 on success, -1 on failure 131 * 132 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 133 * PTK = PRF-X(PMK, "Pairwise key expansion", 134 * Min(AA, SA) || Max(AA, SA) || 135 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 136 * 137 * STK = PRF-X(SMK, "Peer key expansion", 138 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) || 139 * Min(INonce, PNonce) || Max(INonce, PNonce)) 140 */ 141 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, 142 const u8 *addr1, const u8 *addr2, 143 const u8 *nonce1, const u8 *nonce2, 144 struct wpa_ptk *ptk, int akmp, int cipher) 145 { 146 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN]; 147 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 148 size_t ptk_len; 149 150 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) { 151 os_memcpy(data, addr1, ETH_ALEN); 152 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN); 153 } else { 154 os_memcpy(data, addr2, ETH_ALEN); 155 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN); 156 } 157 158 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) { 159 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN); 160 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2, 161 WPA_NONCE_LEN); 162 } else { 163 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN); 164 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1, 165 WPA_NONCE_LEN); 166 } 167 168 ptk->kck_len = wpa_kck_len(akmp); 169 ptk->kek_len = wpa_kek_len(akmp); 170 ptk->tk_len = wpa_cipher_key_len(cipher); 171 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 172 173 #ifdef CONFIG_SUITEB192 174 if (wpa_key_mgmt_sha384(akmp)) 175 sha384_prf(pmk, pmk_len, label, data, sizeof(data), 176 tmp, ptk_len); 177 else 178 #endif /* CONFIG_SUITEB192 */ 179 #ifdef CONFIG_IEEE80211W 180 if (wpa_key_mgmt_sha256(akmp)) 181 sha256_prf(pmk, pmk_len, label, data, sizeof(data), 182 tmp, ptk_len); 183 else 184 #endif /* CONFIG_IEEE80211W */ 185 sha1_prf(pmk, pmk_len, label, data, sizeof(data), tmp, ptk_len); 186 187 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR, 188 MAC2STR(addr1), MAC2STR(addr2)); 189 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN); 190 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN); 191 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len); 192 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len); 193 194 os_memcpy(ptk->kck, tmp, ptk->kck_len); 195 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len); 196 197 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 198 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 199 200 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 201 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len); 202 203 os_memset(tmp, 0, sizeof(tmp)); 204 return 0; 205 } 206 207 208 #ifdef CONFIG_IEEE80211R 209 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr, 210 const u8 *ap_addr, u8 transaction_seqnum, 211 const u8 *mdie, size_t mdie_len, 212 const u8 *ftie, size_t ftie_len, 213 const u8 *rsnie, size_t rsnie_len, 214 const u8 *ric, size_t ric_len, u8 *mic) 215 { 216 const u8 *addr[9]; 217 size_t len[9]; 218 size_t i, num_elem = 0; 219 u8 zero_mic[16]; 220 221 if (kck_len != 16) { 222 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u", 223 (unsigned int) kck_len); 224 return -1; 225 } 226 227 addr[num_elem] = sta_addr; 228 len[num_elem] = ETH_ALEN; 229 num_elem++; 230 231 addr[num_elem] = ap_addr; 232 len[num_elem] = ETH_ALEN; 233 num_elem++; 234 235 addr[num_elem] = &transaction_seqnum; 236 len[num_elem] = 1; 237 num_elem++; 238 239 if (rsnie) { 240 addr[num_elem] = rsnie; 241 len[num_elem] = rsnie_len; 242 num_elem++; 243 } 244 if (mdie) { 245 addr[num_elem] = mdie; 246 len[num_elem] = mdie_len; 247 num_elem++; 248 } 249 if (ftie) { 250 if (ftie_len < 2 + sizeof(struct rsn_ftie)) 251 return -1; 252 253 /* IE hdr and mic_control */ 254 addr[num_elem] = ftie; 255 len[num_elem] = 2 + 2; 256 num_elem++; 257 258 /* MIC field with all zeros */ 259 os_memset(zero_mic, 0, sizeof(zero_mic)); 260 addr[num_elem] = zero_mic; 261 len[num_elem] = sizeof(zero_mic); 262 num_elem++; 263 264 /* Rest of FTIE */ 265 addr[num_elem] = ftie + 2 + 2 + 16; 266 len[num_elem] = ftie_len - (2 + 2 + 16); 267 num_elem++; 268 } 269 if (ric) { 270 addr[num_elem] = ric; 271 len[num_elem] = ric_len; 272 num_elem++; 273 } 274 275 for (i = 0; i < num_elem; i++) 276 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]); 277 if (omac1_aes_128_vector(kck, num_elem, addr, len, mic)) 278 return -1; 279 280 return 0; 281 } 282 283 284 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len, 285 struct wpa_ft_ies *parse) 286 { 287 const u8 *end, *pos; 288 289 parse->ftie = ie; 290 parse->ftie_len = ie_len; 291 292 pos = ie + sizeof(struct rsn_ftie); 293 end = ie + ie_len; 294 295 while (end - pos >= 2) { 296 u8 id, len; 297 298 id = *pos++; 299 len = *pos++; 300 if (len > end - pos) 301 break; 302 303 switch (id) { 304 case FTIE_SUBELEM_R1KH_ID: 305 if (len != FT_R1KH_ID_LEN) { 306 wpa_printf(MSG_DEBUG, 307 "FT: Invalid R1KH-ID length in FTIE: %d", 308 len); 309 return -1; 310 } 311 parse->r1kh_id = pos; 312 break; 313 case FTIE_SUBELEM_GTK: 314 parse->gtk = pos; 315 parse->gtk_len = len; 316 break; 317 case FTIE_SUBELEM_R0KH_ID: 318 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) { 319 wpa_printf(MSG_DEBUG, 320 "FT: Invalid R0KH-ID length in FTIE: %d", 321 len); 322 return -1; 323 } 324 parse->r0kh_id = pos; 325 parse->r0kh_id_len = len; 326 break; 327 #ifdef CONFIG_IEEE80211W 328 case FTIE_SUBELEM_IGTK: 329 parse->igtk = pos; 330 parse->igtk_len = len; 331 break; 332 #endif /* CONFIG_IEEE80211W */ 333 } 334 335 pos += len; 336 } 337 338 return 0; 339 } 340 341 342 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, 343 struct wpa_ft_ies *parse) 344 { 345 const u8 *end, *pos; 346 struct wpa_ie_data data; 347 int ret; 348 const struct rsn_ftie *ftie; 349 int prot_ie_count = 0; 350 351 os_memset(parse, 0, sizeof(*parse)); 352 if (ies == NULL) 353 return 0; 354 355 pos = ies; 356 end = ies + ies_len; 357 while (end - pos >= 2) { 358 u8 id, len; 359 360 id = *pos++; 361 len = *pos++; 362 if (len > end - pos) 363 break; 364 365 switch (id) { 366 case WLAN_EID_RSN: 367 parse->rsn = pos; 368 parse->rsn_len = len; 369 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2, 370 parse->rsn_len + 2, 371 &data); 372 if (ret < 0) { 373 wpa_printf(MSG_DEBUG, "FT: Failed to parse " 374 "RSN IE: %d", ret); 375 return -1; 376 } 377 if (data.num_pmkid == 1 && data.pmkid) 378 parse->rsn_pmkid = data.pmkid; 379 break; 380 case WLAN_EID_MOBILITY_DOMAIN: 381 if (len < sizeof(struct rsn_mdie)) 382 return -1; 383 parse->mdie = pos; 384 parse->mdie_len = len; 385 break; 386 case WLAN_EID_FAST_BSS_TRANSITION: 387 if (len < sizeof(*ftie)) 388 return -1; 389 ftie = (const struct rsn_ftie *) pos; 390 prot_ie_count = ftie->mic_control[1]; 391 if (wpa_ft_parse_ftie(pos, len, parse) < 0) 392 return -1; 393 break; 394 case WLAN_EID_TIMEOUT_INTERVAL: 395 if (len != 5) 396 break; 397 parse->tie = pos; 398 parse->tie_len = len; 399 break; 400 case WLAN_EID_RIC_DATA: 401 if (parse->ric == NULL) 402 parse->ric = pos - 2; 403 break; 404 } 405 406 pos += len; 407 } 408 409 if (prot_ie_count == 0) 410 return 0; /* no MIC */ 411 412 /* 413 * Check that the protected IE count matches with IEs included in the 414 * frame. 415 */ 416 if (parse->rsn) 417 prot_ie_count--; 418 if (parse->mdie) 419 prot_ie_count--; 420 if (parse->ftie) 421 prot_ie_count--; 422 if (prot_ie_count < 0) { 423 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in " 424 "the protected IE count"); 425 return -1; 426 } 427 428 if (prot_ie_count == 0 && parse->ric) { 429 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not " 430 "included in protected IE count"); 431 return -1; 432 } 433 434 /* Determine the end of the RIC IE(s) */ 435 if (parse->ric) { 436 pos = parse->ric; 437 while (end - pos >= 2 && 2 + pos[1] <= end - pos && 438 prot_ie_count) { 439 prot_ie_count--; 440 pos += 2 + pos[1]; 441 } 442 parse->ric_len = pos - parse->ric; 443 } 444 if (prot_ie_count) { 445 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from " 446 "frame", (int) prot_ie_count); 447 return -1; 448 } 449 450 return 0; 451 } 452 #endif /* CONFIG_IEEE80211R */ 453 454 455 static int rsn_selector_to_bitfield(const u8 *s) 456 { 457 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE) 458 return WPA_CIPHER_NONE; 459 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP) 460 return WPA_CIPHER_TKIP; 461 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP) 462 return WPA_CIPHER_CCMP; 463 #ifdef CONFIG_IEEE80211W 464 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC) 465 return WPA_CIPHER_AES_128_CMAC; 466 #endif /* CONFIG_IEEE80211W */ 467 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP) 468 return WPA_CIPHER_GCMP; 469 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256) 470 return WPA_CIPHER_CCMP_256; 471 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256) 472 return WPA_CIPHER_GCMP_256; 473 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128) 474 return WPA_CIPHER_BIP_GMAC_128; 475 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256) 476 return WPA_CIPHER_BIP_GMAC_256; 477 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256) 478 return WPA_CIPHER_BIP_CMAC_256; 479 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED) 480 return WPA_CIPHER_GTK_NOT_USED; 481 return 0; 482 } 483 484 485 static int rsn_key_mgmt_to_bitfield(const u8 *s) 486 { 487 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X) 488 return WPA_KEY_MGMT_IEEE8021X; 489 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X) 490 return WPA_KEY_MGMT_PSK; 491 #ifdef CONFIG_IEEE80211R 492 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X) 493 return WPA_KEY_MGMT_FT_IEEE8021X; 494 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK) 495 return WPA_KEY_MGMT_FT_PSK; 496 #endif /* CONFIG_IEEE80211R */ 497 #ifdef CONFIG_IEEE80211W 498 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) 499 return WPA_KEY_MGMT_IEEE8021X_SHA256; 500 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) 501 return WPA_KEY_MGMT_PSK_SHA256; 502 #endif /* CONFIG_IEEE80211W */ 503 #ifdef CONFIG_SAE 504 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) 505 return WPA_KEY_MGMT_SAE; 506 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) 507 return WPA_KEY_MGMT_FT_SAE; 508 #endif /* CONFIG_SAE */ 509 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) 510 return WPA_KEY_MGMT_IEEE8021X_SUITE_B; 511 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192) 512 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; 513 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN) 514 return WPA_KEY_MGMT_OSEN; 515 return 0; 516 } 517 518 519 int wpa_cipher_valid_group(int cipher) 520 { 521 return wpa_cipher_valid_pairwise(cipher) || 522 cipher == WPA_CIPHER_GTK_NOT_USED; 523 } 524 525 526 #ifdef CONFIG_IEEE80211W 527 int wpa_cipher_valid_mgmt_group(int cipher) 528 { 529 return cipher == WPA_CIPHER_AES_128_CMAC || 530 cipher == WPA_CIPHER_BIP_GMAC_128 || 531 cipher == WPA_CIPHER_BIP_GMAC_256 || 532 cipher == WPA_CIPHER_BIP_CMAC_256; 533 } 534 #endif /* CONFIG_IEEE80211W */ 535 536 537 /** 538 * wpa_parse_wpa_ie_rsn - Parse RSN IE 539 * @rsn_ie: Buffer containing RSN IE 540 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets) 541 * @data: Pointer to structure that will be filled in with parsed data 542 * Returns: 0 on success, <0 on failure 543 */ 544 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len, 545 struct wpa_ie_data *data) 546 { 547 const u8 *pos; 548 int left; 549 int i, count; 550 551 os_memset(data, 0, sizeof(*data)); 552 data->proto = WPA_PROTO_RSN; 553 data->pairwise_cipher = WPA_CIPHER_CCMP; 554 data->group_cipher = WPA_CIPHER_CCMP; 555 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 556 data->capabilities = 0; 557 data->pmkid = NULL; 558 data->num_pmkid = 0; 559 #ifdef CONFIG_IEEE80211W 560 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC; 561 #else /* CONFIG_IEEE80211W */ 562 data->mgmt_group_cipher = 0; 563 #endif /* CONFIG_IEEE80211W */ 564 565 if (rsn_ie_len == 0) { 566 /* No RSN IE - fail silently */ 567 return -1; 568 } 569 570 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) { 571 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 572 __func__, (unsigned long) rsn_ie_len); 573 return -1; 574 } 575 576 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 && 577 rsn_ie[1] == rsn_ie_len - 2 && 578 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) { 579 pos = rsn_ie + 6; 580 left = rsn_ie_len - 6; 581 582 data->proto = WPA_PROTO_OSEN; 583 } else { 584 const struct rsn_ie_hdr *hdr; 585 586 hdr = (const struct rsn_ie_hdr *) rsn_ie; 587 588 if (hdr->elem_id != WLAN_EID_RSN || 589 hdr->len != rsn_ie_len - 2 || 590 WPA_GET_LE16(hdr->version) != RSN_VERSION) { 591 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 592 __func__); 593 return -2; 594 } 595 596 pos = (const u8 *) (hdr + 1); 597 left = rsn_ie_len - sizeof(*hdr); 598 } 599 600 if (left >= RSN_SELECTOR_LEN) { 601 data->group_cipher = rsn_selector_to_bitfield(pos); 602 if (!wpa_cipher_valid_group(data->group_cipher)) { 603 wpa_printf(MSG_DEBUG, 604 "%s: invalid group cipher 0x%x (%08x)", 605 __func__, data->group_cipher, 606 WPA_GET_BE32(pos)); 607 return -1; 608 } 609 pos += RSN_SELECTOR_LEN; 610 left -= RSN_SELECTOR_LEN; 611 } else if (left > 0) { 612 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 613 __func__, left); 614 return -3; 615 } 616 617 if (left >= 2) { 618 data->pairwise_cipher = 0; 619 count = WPA_GET_LE16(pos); 620 pos += 2; 621 left -= 2; 622 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 623 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 624 "count %u left %u", __func__, count, left); 625 return -4; 626 } 627 for (i = 0; i < count; i++) { 628 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 629 pos += RSN_SELECTOR_LEN; 630 left -= RSN_SELECTOR_LEN; 631 } 632 #ifdef CONFIG_IEEE80211W 633 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) { 634 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as " 635 "pairwise cipher", __func__); 636 return -1; 637 } 638 #endif /* CONFIG_IEEE80211W */ 639 } else if (left == 1) { 640 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 641 __func__); 642 return -5; 643 } 644 645 if (left >= 2) { 646 data->key_mgmt = 0; 647 count = WPA_GET_LE16(pos); 648 pos += 2; 649 left -= 2; 650 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 651 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 652 "count %u left %u", __func__, count, left); 653 return -6; 654 } 655 for (i = 0; i < count; i++) { 656 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 657 pos += RSN_SELECTOR_LEN; 658 left -= RSN_SELECTOR_LEN; 659 } 660 } else if (left == 1) { 661 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 662 __func__); 663 return -7; 664 } 665 666 if (left >= 2) { 667 data->capabilities = WPA_GET_LE16(pos); 668 pos += 2; 669 left -= 2; 670 } 671 672 if (left >= 2) { 673 u16 num_pmkid = WPA_GET_LE16(pos); 674 pos += 2; 675 left -= 2; 676 if (num_pmkid > (unsigned int) left / PMKID_LEN) { 677 wpa_printf(MSG_DEBUG, "%s: PMKID underflow " 678 "(num_pmkid=%u left=%d)", 679 __func__, num_pmkid, left); 680 data->num_pmkid = 0; 681 return -9; 682 } else { 683 data->num_pmkid = num_pmkid; 684 data->pmkid = pos; 685 pos += data->num_pmkid * PMKID_LEN; 686 left -= data->num_pmkid * PMKID_LEN; 687 } 688 } 689 690 #ifdef CONFIG_IEEE80211W 691 if (left >= 4) { 692 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos); 693 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) { 694 wpa_printf(MSG_DEBUG, 695 "%s: Unsupported management group cipher 0x%x (%08x)", 696 __func__, data->mgmt_group_cipher, 697 WPA_GET_BE32(pos)); 698 return -10; 699 } 700 pos += RSN_SELECTOR_LEN; 701 left -= RSN_SELECTOR_LEN; 702 } 703 #endif /* CONFIG_IEEE80211W */ 704 705 if (left > 0) { 706 wpa_hexdump(MSG_DEBUG, 707 "wpa_parse_wpa_ie_rsn: ignore trailing bytes", 708 pos, left); 709 } 710 711 return 0; 712 } 713 714 715 static int wpa_selector_to_bitfield(const u8 *s) 716 { 717 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE) 718 return WPA_CIPHER_NONE; 719 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP) 720 return WPA_CIPHER_TKIP; 721 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP) 722 return WPA_CIPHER_CCMP; 723 return 0; 724 } 725 726 727 static int wpa_key_mgmt_to_bitfield(const u8 *s) 728 { 729 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X) 730 return WPA_KEY_MGMT_IEEE8021X; 731 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X) 732 return WPA_KEY_MGMT_PSK; 733 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE) 734 return WPA_KEY_MGMT_WPA_NONE; 735 return 0; 736 } 737 738 739 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len, 740 struct wpa_ie_data *data) 741 { 742 const struct wpa_ie_hdr *hdr; 743 const u8 *pos; 744 int left; 745 int i, count; 746 747 os_memset(data, 0, sizeof(*data)); 748 data->proto = WPA_PROTO_WPA; 749 data->pairwise_cipher = WPA_CIPHER_TKIP; 750 data->group_cipher = WPA_CIPHER_TKIP; 751 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 752 data->capabilities = 0; 753 data->pmkid = NULL; 754 data->num_pmkid = 0; 755 data->mgmt_group_cipher = 0; 756 757 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) { 758 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 759 __func__, (unsigned long) wpa_ie_len); 760 return -1; 761 } 762 763 hdr = (const struct wpa_ie_hdr *) wpa_ie; 764 765 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC || 766 hdr->len != wpa_ie_len - 2 || 767 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE || 768 WPA_GET_LE16(hdr->version) != WPA_VERSION) { 769 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 770 __func__); 771 return -2; 772 } 773 774 pos = (const u8 *) (hdr + 1); 775 left = wpa_ie_len - sizeof(*hdr); 776 777 if (left >= WPA_SELECTOR_LEN) { 778 data->group_cipher = wpa_selector_to_bitfield(pos); 779 pos += WPA_SELECTOR_LEN; 780 left -= WPA_SELECTOR_LEN; 781 } else if (left > 0) { 782 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 783 __func__, left); 784 return -3; 785 } 786 787 if (left >= 2) { 788 data->pairwise_cipher = 0; 789 count = WPA_GET_LE16(pos); 790 pos += 2; 791 left -= 2; 792 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 793 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 794 "count %u left %u", __func__, count, left); 795 return -4; 796 } 797 for (i = 0; i < count; i++) { 798 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 799 pos += WPA_SELECTOR_LEN; 800 left -= WPA_SELECTOR_LEN; 801 } 802 } else if (left == 1) { 803 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 804 __func__); 805 return -5; 806 } 807 808 if (left >= 2) { 809 data->key_mgmt = 0; 810 count = WPA_GET_LE16(pos); 811 pos += 2; 812 left -= 2; 813 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 814 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 815 "count %u left %u", __func__, count, left); 816 return -6; 817 } 818 for (i = 0; i < count; i++) { 819 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 820 pos += WPA_SELECTOR_LEN; 821 left -= WPA_SELECTOR_LEN; 822 } 823 } else if (left == 1) { 824 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 825 __func__); 826 return -7; 827 } 828 829 if (left >= 2) { 830 data->capabilities = WPA_GET_LE16(pos); 831 pos += 2; 832 left -= 2; 833 } 834 835 if (left > 0) { 836 wpa_hexdump(MSG_DEBUG, 837 "wpa_parse_wpa_ie_wpa: ignore trailing bytes", 838 pos, left); 839 } 840 841 return 0; 842 } 843 844 845 #ifdef CONFIG_IEEE80211R 846 847 /** 848 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name 849 * 850 * IEEE Std 802.11r-2008 - 8.5.1.5.3 851 */ 852 void wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len, 853 const u8 *ssid, size_t ssid_len, 854 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len, 855 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name) 856 { 857 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 + 858 FT_R0KH_ID_MAX_LEN + ETH_ALEN]; 859 u8 *pos, r0_key_data[48], hash[32]; 860 const u8 *addr[2]; 861 size_t len[2]; 862 863 /* 864 * R0-Key-Data = KDF-384(XXKey, "FT-R0", 865 * SSIDlength || SSID || MDID || R0KHlength || 866 * R0KH-ID || S0KH-ID) 867 * XXKey is either the second 256 bits of MSK or PSK. 868 * PMK-R0 = L(R0-Key-Data, 0, 256) 869 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128) 870 */ 871 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN) 872 return; 873 pos = buf; 874 *pos++ = ssid_len; 875 os_memcpy(pos, ssid, ssid_len); 876 pos += ssid_len; 877 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN); 878 pos += MOBILITY_DOMAIN_ID_LEN; 879 *pos++ = r0kh_id_len; 880 os_memcpy(pos, r0kh_id, r0kh_id_len); 881 pos += r0kh_id_len; 882 os_memcpy(pos, s0kh_id, ETH_ALEN); 883 pos += ETH_ALEN; 884 885 sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 886 r0_key_data, sizeof(r0_key_data)); 887 os_memcpy(pmk_r0, r0_key_data, PMK_LEN); 888 889 /* 890 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt) 891 */ 892 addr[0] = (const u8 *) "FT-R0N"; 893 len[0] = 6; 894 addr[1] = r0_key_data + PMK_LEN; 895 len[1] = 16; 896 897 sha256_vector(2, addr, len, hash); 898 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN); 899 } 900 901 902 /** 903 * wpa_derive_pmk_r1_name - Derive PMKR1Name 904 * 905 * IEEE Std 802.11r-2008 - 8.5.1.5.4 906 */ 907 void wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id, 908 const u8 *s1kh_id, u8 *pmk_r1_name) 909 { 910 u8 hash[32]; 911 const u8 *addr[4]; 912 size_t len[4]; 913 914 /* 915 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name || 916 * R1KH-ID || S1KH-ID)) 917 */ 918 addr[0] = (const u8 *) "FT-R1N"; 919 len[0] = 6; 920 addr[1] = pmk_r0_name; 921 len[1] = WPA_PMK_NAME_LEN; 922 addr[2] = r1kh_id; 923 len[2] = FT_R1KH_ID_LEN; 924 addr[3] = s1kh_id; 925 len[3] = ETH_ALEN; 926 927 sha256_vector(4, addr, len, hash); 928 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN); 929 } 930 931 932 /** 933 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0 934 * 935 * IEEE Std 802.11r-2008 - 8.5.1.5.4 936 */ 937 void wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name, 938 const u8 *r1kh_id, const u8 *s1kh_id, 939 u8 *pmk_r1, u8 *pmk_r1_name) 940 { 941 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN]; 942 u8 *pos; 943 944 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */ 945 pos = buf; 946 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN); 947 pos += FT_R1KH_ID_LEN; 948 os_memcpy(pos, s1kh_id, ETH_ALEN); 949 pos += ETH_ALEN; 950 951 sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf, pmk_r1, PMK_LEN); 952 953 wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, pmk_r1_name); 954 } 955 956 957 /** 958 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1 959 * 960 * IEEE Std 802.11r-2008 - 8.5.1.5.5 961 */ 962 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce, 963 const u8 *sta_addr, const u8 *bssid, 964 const u8 *pmk_r1_name, 965 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher) 966 { 967 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN]; 968 u8 *pos, hash[32]; 969 const u8 *addr[6]; 970 size_t len[6]; 971 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 972 size_t ptk_len; 973 974 /* 975 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || 976 * BSSID || STA-ADDR) 977 */ 978 pos = buf; 979 os_memcpy(pos, snonce, WPA_NONCE_LEN); 980 pos += WPA_NONCE_LEN; 981 os_memcpy(pos, anonce, WPA_NONCE_LEN); 982 pos += WPA_NONCE_LEN; 983 os_memcpy(pos, bssid, ETH_ALEN); 984 pos += ETH_ALEN; 985 os_memcpy(pos, sta_addr, ETH_ALEN); 986 pos += ETH_ALEN; 987 988 ptk->kck_len = wpa_kck_len(akmp); 989 ptk->kek_len = wpa_kek_len(akmp); 990 ptk->tk_len = wpa_cipher_key_len(cipher); 991 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 992 993 sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf, tmp, ptk_len); 994 995 /* 996 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce || 997 * ANonce || BSSID || STA-ADDR)) 998 */ 999 addr[0] = pmk_r1_name; 1000 len[0] = WPA_PMK_NAME_LEN; 1001 addr[1] = (const u8 *) "FT-PTKN"; 1002 len[1] = 7; 1003 addr[2] = snonce; 1004 len[2] = WPA_NONCE_LEN; 1005 addr[3] = anonce; 1006 len[3] = WPA_NONCE_LEN; 1007 addr[4] = bssid; 1008 len[4] = ETH_ALEN; 1009 addr[5] = sta_addr; 1010 len[5] = ETH_ALEN; 1011 1012 sha256_vector(6, addr, len, hash); 1013 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN); 1014 1015 os_memcpy(ptk->kck, tmp, ptk->kck_len); 1016 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 1017 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 1018 1019 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len); 1020 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len); 1021 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len); 1022 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN); 1023 1024 os_memset(tmp, 0, sizeof(tmp)); 1025 1026 return 0; 1027 } 1028 1029 #endif /* CONFIG_IEEE80211R */ 1030 1031 1032 /** 1033 * rsn_pmkid - Calculate PMK identifier 1034 * @pmk: Pairwise master key 1035 * @pmk_len: Length of pmk in bytes 1036 * @aa: Authenticator address 1037 * @spa: Supplicant address 1038 * @pmkid: Buffer for PMKID 1039 * @use_sha256: Whether to use SHA256-based KDF 1040 * 1041 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 1042 * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) 1043 */ 1044 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa, 1045 u8 *pmkid, int use_sha256) 1046 { 1047 char *title = "PMK Name"; 1048 const u8 *addr[3]; 1049 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1050 unsigned char hash[SHA256_MAC_LEN]; 1051 1052 addr[0] = (u8 *) title; 1053 addr[1] = aa; 1054 addr[2] = spa; 1055 1056 #ifdef CONFIG_IEEE80211W 1057 if (use_sha256) 1058 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash); 1059 else 1060 #endif /* CONFIG_IEEE80211W */ 1061 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash); 1062 os_memcpy(pmkid, hash, PMKID_LEN); 1063 } 1064 1065 1066 #ifdef CONFIG_SUITEB 1067 /** 1068 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM 1069 * @kck: Key confirmation key 1070 * @kck_len: Length of kck in bytes 1071 * @aa: Authenticator address 1072 * @spa: Supplicant address 1073 * @pmkid: Buffer for PMKID 1074 * Returns: 0 on success, -1 on failure 1075 * 1076 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1077 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA)) 1078 */ 1079 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa, 1080 const u8 *spa, u8 *pmkid) 1081 { 1082 char *title = "PMK Name"; 1083 const u8 *addr[3]; 1084 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1085 unsigned char hash[SHA256_MAC_LEN]; 1086 1087 addr[0] = (u8 *) title; 1088 addr[1] = aa; 1089 addr[2] = spa; 1090 1091 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0) 1092 return -1; 1093 os_memcpy(pmkid, hash, PMKID_LEN); 1094 return 0; 1095 } 1096 #endif /* CONFIG_SUITEB */ 1097 1098 1099 #ifdef CONFIG_SUITEB192 1100 /** 1101 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM 1102 * @kck: Key confirmation key 1103 * @kck_len: Length of kck in bytes 1104 * @aa: Authenticator address 1105 * @spa: Supplicant address 1106 * @pmkid: Buffer for PMKID 1107 * Returns: 0 on success, -1 on failure 1108 * 1109 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1110 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA)) 1111 */ 1112 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa, 1113 const u8 *spa, u8 *pmkid) 1114 { 1115 char *title = "PMK Name"; 1116 const u8 *addr[3]; 1117 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1118 unsigned char hash[SHA384_MAC_LEN]; 1119 1120 addr[0] = (u8 *) title; 1121 addr[1] = aa; 1122 addr[2] = spa; 1123 1124 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0) 1125 return -1; 1126 os_memcpy(pmkid, hash, PMKID_LEN); 1127 return 0; 1128 } 1129 #endif /* CONFIG_SUITEB192 */ 1130 1131 1132 /** 1133 * wpa_cipher_txt - Convert cipher suite to a text string 1134 * @cipher: Cipher suite (WPA_CIPHER_* enum) 1135 * Returns: Pointer to a text string of the cipher suite name 1136 */ 1137 const char * wpa_cipher_txt(int cipher) 1138 { 1139 switch (cipher) { 1140 case WPA_CIPHER_NONE: 1141 return "NONE"; 1142 case WPA_CIPHER_WEP40: 1143 return "WEP-40"; 1144 case WPA_CIPHER_WEP104: 1145 return "WEP-104"; 1146 case WPA_CIPHER_TKIP: 1147 return "TKIP"; 1148 case WPA_CIPHER_CCMP: 1149 return "CCMP"; 1150 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP: 1151 return "CCMP+TKIP"; 1152 case WPA_CIPHER_GCMP: 1153 return "GCMP"; 1154 case WPA_CIPHER_GCMP_256: 1155 return "GCMP-256"; 1156 case WPA_CIPHER_CCMP_256: 1157 return "CCMP-256"; 1158 case WPA_CIPHER_GTK_NOT_USED: 1159 return "GTK_NOT_USED"; 1160 default: 1161 return "UNKNOWN"; 1162 } 1163 } 1164 1165 1166 /** 1167 * wpa_key_mgmt_txt - Convert key management suite to a text string 1168 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum) 1169 * @proto: WPA/WPA2 version (WPA_PROTO_*) 1170 * Returns: Pointer to a text string of the key management suite name 1171 */ 1172 const char * wpa_key_mgmt_txt(int key_mgmt, int proto) 1173 { 1174 switch (key_mgmt) { 1175 case WPA_KEY_MGMT_IEEE8021X: 1176 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1177 return "WPA2+WPA/IEEE 802.1X/EAP"; 1178 return proto == WPA_PROTO_RSN ? 1179 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP"; 1180 case WPA_KEY_MGMT_PSK: 1181 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1182 return "WPA2-PSK+WPA-PSK"; 1183 return proto == WPA_PROTO_RSN ? 1184 "WPA2-PSK" : "WPA-PSK"; 1185 case WPA_KEY_MGMT_NONE: 1186 return "NONE"; 1187 case WPA_KEY_MGMT_WPA_NONE: 1188 return "WPA-NONE"; 1189 case WPA_KEY_MGMT_IEEE8021X_NO_WPA: 1190 return "IEEE 802.1X (no WPA)"; 1191 #ifdef CONFIG_IEEE80211R 1192 case WPA_KEY_MGMT_FT_IEEE8021X: 1193 return "FT-EAP"; 1194 case WPA_KEY_MGMT_FT_PSK: 1195 return "FT-PSK"; 1196 #endif /* CONFIG_IEEE80211R */ 1197 #ifdef CONFIG_IEEE80211W 1198 case WPA_KEY_MGMT_IEEE8021X_SHA256: 1199 return "WPA2-EAP-SHA256"; 1200 case WPA_KEY_MGMT_PSK_SHA256: 1201 return "WPA2-PSK-SHA256"; 1202 #endif /* CONFIG_IEEE80211W */ 1203 case WPA_KEY_MGMT_WPS: 1204 return "WPS"; 1205 case WPA_KEY_MGMT_SAE: 1206 return "SAE"; 1207 case WPA_KEY_MGMT_FT_SAE: 1208 return "FT-SAE"; 1209 case WPA_KEY_MGMT_OSEN: 1210 return "OSEN"; 1211 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 1212 return "WPA2-EAP-SUITE-B"; 1213 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 1214 return "WPA2-EAP-SUITE-B-192"; 1215 default: 1216 return "UNKNOWN"; 1217 } 1218 } 1219 1220 1221 u32 wpa_akm_to_suite(int akm) 1222 { 1223 if (akm & WPA_KEY_MGMT_FT_IEEE8021X) 1224 return WLAN_AKM_SUITE_FT_8021X; 1225 if (akm & WPA_KEY_MGMT_FT_PSK) 1226 return WLAN_AKM_SUITE_FT_PSK; 1227 if (akm & WPA_KEY_MGMT_IEEE8021X) 1228 return WLAN_AKM_SUITE_8021X; 1229 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) 1230 return WLAN_AKM_SUITE_8021X_SHA256; 1231 if (akm & WPA_KEY_MGMT_IEEE8021X) 1232 return WLAN_AKM_SUITE_8021X; 1233 if (akm & WPA_KEY_MGMT_PSK_SHA256) 1234 return WLAN_AKM_SUITE_PSK_SHA256; 1235 if (akm & WPA_KEY_MGMT_PSK) 1236 return WLAN_AKM_SUITE_PSK; 1237 if (akm & WPA_KEY_MGMT_CCKM) 1238 return WLAN_AKM_SUITE_CCKM; 1239 if (akm & WPA_KEY_MGMT_OSEN) 1240 return WLAN_AKM_SUITE_OSEN; 1241 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B) 1242 return WLAN_AKM_SUITE_8021X_SUITE_B; 1243 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 1244 return WLAN_AKM_SUITE_8021X_SUITE_B_192; 1245 return 0; 1246 } 1247 1248 1249 int wpa_compare_rsn_ie(int ft_initial_assoc, 1250 const u8 *ie1, size_t ie1len, 1251 const u8 *ie2, size_t ie2len) 1252 { 1253 if (ie1 == NULL || ie2 == NULL) 1254 return -1; 1255 1256 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0) 1257 return 0; /* identical IEs */ 1258 1259 #ifdef CONFIG_IEEE80211R 1260 if (ft_initial_assoc) { 1261 struct wpa_ie_data ie1d, ie2d; 1262 /* 1263 * The PMKID-List in RSN IE is different between Beacon/Probe 1264 * Response/(Re)Association Request frames and EAPOL-Key 1265 * messages in FT initial mobility domain association. Allow 1266 * for this, but verify that other parts of the RSN IEs are 1267 * identical. 1268 */ 1269 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 || 1270 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0) 1271 return -1; 1272 if (ie1d.proto == ie2d.proto && 1273 ie1d.pairwise_cipher == ie2d.pairwise_cipher && 1274 ie1d.group_cipher == ie2d.group_cipher && 1275 ie1d.key_mgmt == ie2d.key_mgmt && 1276 ie1d.capabilities == ie2d.capabilities && 1277 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher) 1278 return 0; 1279 } 1280 #endif /* CONFIG_IEEE80211R */ 1281 1282 return -1; 1283 } 1284 1285 1286 #ifdef CONFIG_IEEE80211R 1287 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid) 1288 { 1289 u8 *start, *end, *rpos, *rend; 1290 int added = 0; 1291 1292 start = ies; 1293 end = ies + *ies_len; 1294 1295 while (start < end) { 1296 if (*start == WLAN_EID_RSN) 1297 break; 1298 start += 2 + start[1]; 1299 } 1300 if (start >= end) { 1301 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in " 1302 "IEs data"); 1303 return -1; 1304 } 1305 wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification", 1306 start, 2 + start[1]); 1307 1308 /* Find start of PMKID-Count */ 1309 rpos = start + 2; 1310 rend = rpos + start[1]; 1311 1312 /* Skip Version and Group Data Cipher Suite */ 1313 rpos += 2 + 4; 1314 /* Skip Pairwise Cipher Suite Count and List */ 1315 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1316 /* Skip AKM Suite Count and List */ 1317 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1318 1319 if (rpos == rend) { 1320 /* Add RSN Capabilities */ 1321 os_memmove(rpos + 2, rpos, end - rpos); 1322 *rpos++ = 0; 1323 *rpos++ = 0; 1324 added += 2; 1325 start[1] += 2; 1326 rend = rpos; 1327 } else { 1328 /* Skip RSN Capabilities */ 1329 rpos += 2; 1330 if (rpos > rend) { 1331 wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in " 1332 "IEs data"); 1333 return -1; 1334 } 1335 } 1336 1337 if (rpos == rend) { 1338 /* No PMKID-Count field included; add it */ 1339 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos); 1340 WPA_PUT_LE16(rpos, 1); 1341 rpos += 2; 1342 os_memcpy(rpos, pmkid, PMKID_LEN); 1343 added += 2 + PMKID_LEN; 1344 start[1] += 2 + PMKID_LEN; 1345 } else { 1346 u16 num_pmkid; 1347 1348 if (rend - rpos < 2) 1349 return -1; 1350 num_pmkid = WPA_GET_LE16(rpos); 1351 /* PMKID-Count was included; use it */ 1352 if (num_pmkid != 0) { 1353 u8 *after; 1354 1355 if (num_pmkid * PMKID_LEN > rend - rpos - 2) 1356 return -1; 1357 /* 1358 * PMKID may have been included in RSN IE in 1359 * (Re)Association Request frame, so remove the old 1360 * PMKID(s) first before adding the new one. 1361 */ 1362 wpa_printf(MSG_DEBUG, 1363 "FT: Remove %u old PMKID(s) from RSN IE", 1364 num_pmkid); 1365 after = rpos + 2 + num_pmkid * PMKID_LEN; 1366 os_memmove(rpos + 2, after, rend - after); 1367 start[1] -= num_pmkid * PMKID_LEN; 1368 added -= num_pmkid * PMKID_LEN; 1369 } 1370 WPA_PUT_LE16(rpos, 1); 1371 rpos += 2; 1372 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos); 1373 os_memcpy(rpos, pmkid, PMKID_LEN); 1374 added += PMKID_LEN; 1375 start[1] += PMKID_LEN; 1376 } 1377 1378 wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification " 1379 "(PMKID inserted)", start, 2 + start[1]); 1380 1381 *ies_len += added; 1382 1383 return 0; 1384 } 1385 #endif /* CONFIG_IEEE80211R */ 1386 1387 1388 int wpa_cipher_key_len(int cipher) 1389 { 1390 switch (cipher) { 1391 case WPA_CIPHER_CCMP_256: 1392 case WPA_CIPHER_GCMP_256: 1393 case WPA_CIPHER_BIP_GMAC_256: 1394 case WPA_CIPHER_BIP_CMAC_256: 1395 return 32; 1396 case WPA_CIPHER_CCMP: 1397 case WPA_CIPHER_GCMP: 1398 case WPA_CIPHER_AES_128_CMAC: 1399 case WPA_CIPHER_BIP_GMAC_128: 1400 return 16; 1401 case WPA_CIPHER_TKIP: 1402 return 32; 1403 } 1404 1405 return 0; 1406 } 1407 1408 1409 int wpa_cipher_rsc_len(int cipher) 1410 { 1411 switch (cipher) { 1412 case WPA_CIPHER_CCMP_256: 1413 case WPA_CIPHER_GCMP_256: 1414 case WPA_CIPHER_CCMP: 1415 case WPA_CIPHER_GCMP: 1416 case WPA_CIPHER_TKIP: 1417 return 6; 1418 } 1419 1420 return 0; 1421 } 1422 1423 1424 int wpa_cipher_to_alg(int cipher) 1425 { 1426 switch (cipher) { 1427 case WPA_CIPHER_CCMP_256: 1428 return WPA_ALG_CCMP_256; 1429 case WPA_CIPHER_GCMP_256: 1430 return WPA_ALG_GCMP_256; 1431 case WPA_CIPHER_CCMP: 1432 return WPA_ALG_CCMP; 1433 case WPA_CIPHER_GCMP: 1434 return WPA_ALG_GCMP; 1435 case WPA_CIPHER_TKIP: 1436 return WPA_ALG_TKIP; 1437 case WPA_CIPHER_AES_128_CMAC: 1438 return WPA_ALG_IGTK; 1439 case WPA_CIPHER_BIP_GMAC_128: 1440 return WPA_ALG_BIP_GMAC_128; 1441 case WPA_CIPHER_BIP_GMAC_256: 1442 return WPA_ALG_BIP_GMAC_256; 1443 case WPA_CIPHER_BIP_CMAC_256: 1444 return WPA_ALG_BIP_CMAC_256; 1445 } 1446 return WPA_ALG_NONE; 1447 } 1448 1449 1450 int wpa_cipher_valid_pairwise(int cipher) 1451 { 1452 return cipher == WPA_CIPHER_CCMP_256 || 1453 cipher == WPA_CIPHER_GCMP_256 || 1454 cipher == WPA_CIPHER_CCMP || 1455 cipher == WPA_CIPHER_GCMP || 1456 cipher == WPA_CIPHER_TKIP; 1457 } 1458 1459 1460 u32 wpa_cipher_to_suite(int proto, int cipher) 1461 { 1462 if (cipher & WPA_CIPHER_CCMP_256) 1463 return RSN_CIPHER_SUITE_CCMP_256; 1464 if (cipher & WPA_CIPHER_GCMP_256) 1465 return RSN_CIPHER_SUITE_GCMP_256; 1466 if (cipher & WPA_CIPHER_CCMP) 1467 return (proto == WPA_PROTO_RSN ? 1468 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP); 1469 if (cipher & WPA_CIPHER_GCMP) 1470 return RSN_CIPHER_SUITE_GCMP; 1471 if (cipher & WPA_CIPHER_TKIP) 1472 return (proto == WPA_PROTO_RSN ? 1473 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP); 1474 if (cipher & WPA_CIPHER_NONE) 1475 return (proto == WPA_PROTO_RSN ? 1476 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE); 1477 if (cipher & WPA_CIPHER_GTK_NOT_USED) 1478 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED; 1479 if (cipher & WPA_CIPHER_AES_128_CMAC) 1480 return RSN_CIPHER_SUITE_AES_128_CMAC; 1481 if (cipher & WPA_CIPHER_BIP_GMAC_128) 1482 return RSN_CIPHER_SUITE_BIP_GMAC_128; 1483 if (cipher & WPA_CIPHER_BIP_GMAC_256) 1484 return RSN_CIPHER_SUITE_BIP_GMAC_256; 1485 if (cipher & WPA_CIPHER_BIP_CMAC_256) 1486 return RSN_CIPHER_SUITE_BIP_CMAC_256; 1487 return 0; 1488 } 1489 1490 1491 int rsn_cipher_put_suites(u8 *start, int ciphers) 1492 { 1493 u8 *pos = start; 1494 1495 if (ciphers & WPA_CIPHER_CCMP_256) { 1496 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256); 1497 pos += RSN_SELECTOR_LEN; 1498 } 1499 if (ciphers & WPA_CIPHER_GCMP_256) { 1500 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256); 1501 pos += RSN_SELECTOR_LEN; 1502 } 1503 if (ciphers & WPA_CIPHER_CCMP) { 1504 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1505 pos += RSN_SELECTOR_LEN; 1506 } 1507 if (ciphers & WPA_CIPHER_GCMP) { 1508 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP); 1509 pos += RSN_SELECTOR_LEN; 1510 } 1511 if (ciphers & WPA_CIPHER_TKIP) { 1512 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 1513 pos += RSN_SELECTOR_LEN; 1514 } 1515 if (ciphers & WPA_CIPHER_NONE) { 1516 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE); 1517 pos += RSN_SELECTOR_LEN; 1518 } 1519 1520 return (pos - start) / RSN_SELECTOR_LEN; 1521 } 1522 1523 1524 int wpa_cipher_put_suites(u8 *start, int ciphers) 1525 { 1526 u8 *pos = start; 1527 1528 if (ciphers & WPA_CIPHER_CCMP) { 1529 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 1530 pos += WPA_SELECTOR_LEN; 1531 } 1532 if (ciphers & WPA_CIPHER_TKIP) { 1533 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 1534 pos += WPA_SELECTOR_LEN; 1535 } 1536 if (ciphers & WPA_CIPHER_NONE) { 1537 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE); 1538 pos += WPA_SELECTOR_LEN; 1539 } 1540 1541 return (pos - start) / RSN_SELECTOR_LEN; 1542 } 1543 1544 1545 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) 1546 { 1547 if (ciphers & WPA_CIPHER_CCMP_256) 1548 return WPA_CIPHER_CCMP_256; 1549 if (ciphers & WPA_CIPHER_GCMP_256) 1550 return WPA_CIPHER_GCMP_256; 1551 if (ciphers & WPA_CIPHER_CCMP) 1552 return WPA_CIPHER_CCMP; 1553 if (ciphers & WPA_CIPHER_GCMP) 1554 return WPA_CIPHER_GCMP; 1555 if (ciphers & WPA_CIPHER_TKIP) 1556 return WPA_CIPHER_TKIP; 1557 if (none_allowed && (ciphers & WPA_CIPHER_NONE)) 1558 return WPA_CIPHER_NONE; 1559 return -1; 1560 } 1561 1562 1563 int wpa_pick_group_cipher(int ciphers) 1564 { 1565 if (ciphers & WPA_CIPHER_CCMP_256) 1566 return WPA_CIPHER_CCMP_256; 1567 if (ciphers & WPA_CIPHER_GCMP_256) 1568 return WPA_CIPHER_GCMP_256; 1569 if (ciphers & WPA_CIPHER_CCMP) 1570 return WPA_CIPHER_CCMP; 1571 if (ciphers & WPA_CIPHER_GCMP) 1572 return WPA_CIPHER_GCMP; 1573 if (ciphers & WPA_CIPHER_GTK_NOT_USED) 1574 return WPA_CIPHER_GTK_NOT_USED; 1575 if (ciphers & WPA_CIPHER_TKIP) 1576 return WPA_CIPHER_TKIP; 1577 return -1; 1578 } 1579 1580 1581 int wpa_parse_cipher(const char *value) 1582 { 1583 int val = 0, last; 1584 char *start, *end, *buf; 1585 1586 buf = os_strdup(value); 1587 if (buf == NULL) 1588 return -1; 1589 start = buf; 1590 1591 while (*start != '\0') { 1592 while (*start == ' ' || *start == '\t') 1593 start++; 1594 if (*start == '\0') 1595 break; 1596 end = start; 1597 while (*end != ' ' && *end != '\t' && *end != '\0') 1598 end++; 1599 last = *end == '\0'; 1600 *end = '\0'; 1601 if (os_strcmp(start, "CCMP-256") == 0) 1602 val |= WPA_CIPHER_CCMP_256; 1603 else if (os_strcmp(start, "GCMP-256") == 0) 1604 val |= WPA_CIPHER_GCMP_256; 1605 else if (os_strcmp(start, "CCMP") == 0) 1606 val |= WPA_CIPHER_CCMP; 1607 else if (os_strcmp(start, "GCMP") == 0) 1608 val |= WPA_CIPHER_GCMP; 1609 else if (os_strcmp(start, "TKIP") == 0) 1610 val |= WPA_CIPHER_TKIP; 1611 else if (os_strcmp(start, "WEP104") == 0) 1612 val |= WPA_CIPHER_WEP104; 1613 else if (os_strcmp(start, "WEP40") == 0) 1614 val |= WPA_CIPHER_WEP40; 1615 else if (os_strcmp(start, "NONE") == 0) 1616 val |= WPA_CIPHER_NONE; 1617 else if (os_strcmp(start, "GTK_NOT_USED") == 0) 1618 val |= WPA_CIPHER_GTK_NOT_USED; 1619 else { 1620 os_free(buf); 1621 return -1; 1622 } 1623 1624 if (last) 1625 break; 1626 start = end + 1; 1627 } 1628 os_free(buf); 1629 1630 return val; 1631 } 1632 1633 1634 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim) 1635 { 1636 char *pos = start; 1637 int ret; 1638 1639 if (ciphers & WPA_CIPHER_CCMP_256) { 1640 ret = os_snprintf(pos, end - pos, "%sCCMP-256", 1641 pos == start ? "" : delim); 1642 if (os_snprintf_error(end - pos, ret)) 1643 return -1; 1644 pos += ret; 1645 } 1646 if (ciphers & WPA_CIPHER_GCMP_256) { 1647 ret = os_snprintf(pos, end - pos, "%sGCMP-256", 1648 pos == start ? "" : delim); 1649 if (os_snprintf_error(end - pos, ret)) 1650 return -1; 1651 pos += ret; 1652 } 1653 if (ciphers & WPA_CIPHER_CCMP) { 1654 ret = os_snprintf(pos, end - pos, "%sCCMP", 1655 pos == start ? "" : delim); 1656 if (os_snprintf_error(end - pos, ret)) 1657 return -1; 1658 pos += ret; 1659 } 1660 if (ciphers & WPA_CIPHER_GCMP) { 1661 ret = os_snprintf(pos, end - pos, "%sGCMP", 1662 pos == start ? "" : delim); 1663 if (os_snprintf_error(end - pos, ret)) 1664 return -1; 1665 pos += ret; 1666 } 1667 if (ciphers & WPA_CIPHER_TKIP) { 1668 ret = os_snprintf(pos, end - pos, "%sTKIP", 1669 pos == start ? "" : delim); 1670 if (os_snprintf_error(end - pos, ret)) 1671 return -1; 1672 pos += ret; 1673 } 1674 if (ciphers & WPA_CIPHER_NONE) { 1675 ret = os_snprintf(pos, end - pos, "%sNONE", 1676 pos == start ? "" : delim); 1677 if (os_snprintf_error(end - pos, ret)) 1678 return -1; 1679 pos += ret; 1680 } 1681 1682 return pos - start; 1683 } 1684 1685 1686 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise) 1687 { 1688 int pairwise = 0; 1689 1690 /* Select group cipher based on the enabled pairwise cipher suites */ 1691 if (wpa & 1) 1692 pairwise |= wpa_pairwise; 1693 if (wpa & 2) 1694 pairwise |= rsn_pairwise; 1695 1696 if (pairwise & WPA_CIPHER_TKIP) 1697 return WPA_CIPHER_TKIP; 1698 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP) 1699 return WPA_CIPHER_GCMP; 1700 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP | 1701 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256) 1702 return WPA_CIPHER_GCMP_256; 1703 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP | 1704 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256) 1705 return WPA_CIPHER_CCMP_256; 1706 return WPA_CIPHER_CCMP; 1707 } 1708