1 /* 2 * WPA/RSN - Shared functions for supplicant and authenticator 3 * Copyright (c) 2002-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/sha384.h" 16 #include "crypto/aes_wrap.h" 17 #include "crypto/crypto.h" 18 #include "ieee802_11_defs.h" 19 #include "defs.h" 20 #include "wpa_common.h" 21 22 23 static unsigned int wpa_kck_len(int akmp) 24 { 25 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 26 return 24; 27 return 16; 28 } 29 30 31 static unsigned int wpa_kek_len(int akmp) 32 { 33 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 34 return 32; 35 return 16; 36 } 37 38 39 unsigned int wpa_mic_len(int akmp) 40 { 41 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 42 return 24; 43 return 16; 44 } 45 46 47 /** 48 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC 49 * @key: EAPOL-Key Key Confirmation Key (KCK) 50 * @key_len: KCK length in octets 51 * @akmp: WPA_KEY_MGMT_* used in key derivation 52 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*) 53 * @buf: Pointer to the beginning of the EAPOL header (version field) 54 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame) 55 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written 56 * Returns: 0 on success, -1 on failure 57 * 58 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has 59 * to be cleared (all zeroes) when calling this function. 60 * 61 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the 62 * description of the Key MIC calculation. It includes packet data from the 63 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change 64 * happened during final editing of the standard and the correct behavior is 65 * defined in the last draft (IEEE 802.11i/D10). 66 */ 67 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, 68 const u8 *buf, size_t len, u8 *mic) 69 { 70 u8 hash[SHA384_MAC_LEN]; 71 72 switch (ver) { 73 #ifndef CONFIG_FIPS 74 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4: 75 return hmac_md5(key, key_len, buf, len, mic); 76 #endif /* CONFIG_FIPS */ 77 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES: 78 if (hmac_sha1(key, key_len, buf, len, hash)) 79 return -1; 80 os_memcpy(mic, hash, MD5_MAC_LEN); 81 break; 82 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W) 83 case WPA_KEY_INFO_TYPE_AES_128_CMAC: 84 return omac1_aes_128(key, buf, len, mic); 85 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */ 86 case WPA_KEY_INFO_TYPE_AKM_DEFINED: 87 switch (akmp) { 88 #ifdef CONFIG_HS20 89 case WPA_KEY_MGMT_OSEN: 90 return omac1_aes_128(key, buf, len, mic); 91 #endif /* CONFIG_HS20 */ 92 #ifdef CONFIG_SUITEB 93 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 94 if (hmac_sha256(key, key_len, buf, len, hash)) 95 return -1; 96 os_memcpy(mic, hash, MD5_MAC_LEN); 97 break; 98 #endif /* CONFIG_SUITEB */ 99 #ifdef CONFIG_SUITEB192 100 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 101 if (hmac_sha384(key, key_len, buf, len, hash)) 102 return -1; 103 os_memcpy(mic, hash, 24); 104 break; 105 #endif /* CONFIG_SUITEB192 */ 106 default: 107 return -1; 108 } 109 break; 110 default: 111 return -1; 112 } 113 114 return 0; 115 } 116 117 118 /** 119 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces 120 * @pmk: Pairwise master key 121 * @pmk_len: Length of PMK 122 * @label: Label to use in derivation 123 * @addr1: AA or SA 124 * @addr2: SA or AA 125 * @nonce1: ANonce or SNonce 126 * @nonce2: SNonce or ANonce 127 * @ptk: Buffer for pairwise transient key 128 * @akmp: Negotiated AKM 129 * @cipher: Negotiated pairwise cipher 130 * Returns: 0 on success, -1 on failure 131 * 132 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 133 * PTK = PRF-X(PMK, "Pairwise key expansion", 134 * Min(AA, SA) || Max(AA, SA) || 135 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 136 * 137 * STK = PRF-X(SMK, "Peer key expansion", 138 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) || 139 * Min(INonce, PNonce) || Max(INonce, PNonce)) 140 */ 141 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, 142 const u8 *addr1, const u8 *addr2, 143 const u8 *nonce1, const u8 *nonce2, 144 struct wpa_ptk *ptk, int akmp, int cipher) 145 { 146 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN]; 147 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 148 size_t ptk_len; 149 150 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) { 151 os_memcpy(data, addr1, ETH_ALEN); 152 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN); 153 } else { 154 os_memcpy(data, addr2, ETH_ALEN); 155 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN); 156 } 157 158 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) { 159 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN); 160 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2, 161 WPA_NONCE_LEN); 162 } else { 163 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN); 164 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1, 165 WPA_NONCE_LEN); 166 } 167 168 ptk->kck_len = wpa_kck_len(akmp); 169 ptk->kek_len = wpa_kek_len(akmp); 170 ptk->tk_len = wpa_cipher_key_len(cipher); 171 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 172 173 #ifdef CONFIG_IEEE80211W 174 if (wpa_key_mgmt_sha256(akmp)) 175 sha256_prf(pmk, pmk_len, label, data, sizeof(data), 176 tmp, ptk_len); 177 else 178 #endif /* CONFIG_IEEE80211W */ 179 sha1_prf(pmk, pmk_len, label, data, sizeof(data), tmp, ptk_len); 180 181 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR, 182 MAC2STR(addr1), MAC2STR(addr2)); 183 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN); 184 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN); 185 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len); 186 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len); 187 188 os_memcpy(ptk->kck, tmp, ptk->kck_len); 189 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len); 190 191 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 192 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 193 194 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 195 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len); 196 197 os_memset(tmp, 0, sizeof(tmp)); 198 return 0; 199 } 200 201 202 #ifdef CONFIG_IEEE80211R 203 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr, 204 const u8 *ap_addr, u8 transaction_seqnum, 205 const u8 *mdie, size_t mdie_len, 206 const u8 *ftie, size_t ftie_len, 207 const u8 *rsnie, size_t rsnie_len, 208 const u8 *ric, size_t ric_len, u8 *mic) 209 { 210 const u8 *addr[9]; 211 size_t len[9]; 212 size_t i, num_elem = 0; 213 u8 zero_mic[16]; 214 215 if (kck_len != 16) { 216 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u", 217 (unsigned int) kck_len); 218 return -1; 219 } 220 221 addr[num_elem] = sta_addr; 222 len[num_elem] = ETH_ALEN; 223 num_elem++; 224 225 addr[num_elem] = ap_addr; 226 len[num_elem] = ETH_ALEN; 227 num_elem++; 228 229 addr[num_elem] = &transaction_seqnum; 230 len[num_elem] = 1; 231 num_elem++; 232 233 if (rsnie) { 234 addr[num_elem] = rsnie; 235 len[num_elem] = rsnie_len; 236 num_elem++; 237 } 238 if (mdie) { 239 addr[num_elem] = mdie; 240 len[num_elem] = mdie_len; 241 num_elem++; 242 } 243 if (ftie) { 244 if (ftie_len < 2 + sizeof(struct rsn_ftie)) 245 return -1; 246 247 /* IE hdr and mic_control */ 248 addr[num_elem] = ftie; 249 len[num_elem] = 2 + 2; 250 num_elem++; 251 252 /* MIC field with all zeros */ 253 os_memset(zero_mic, 0, sizeof(zero_mic)); 254 addr[num_elem] = zero_mic; 255 len[num_elem] = sizeof(zero_mic); 256 num_elem++; 257 258 /* Rest of FTIE */ 259 addr[num_elem] = ftie + 2 + 2 + 16; 260 len[num_elem] = ftie_len - (2 + 2 + 16); 261 num_elem++; 262 } 263 if (ric) { 264 addr[num_elem] = ric; 265 len[num_elem] = ric_len; 266 num_elem++; 267 } 268 269 for (i = 0; i < num_elem; i++) 270 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]); 271 if (omac1_aes_128_vector(kck, num_elem, addr, len, mic)) 272 return -1; 273 274 return 0; 275 } 276 277 278 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len, 279 struct wpa_ft_ies *parse) 280 { 281 const u8 *end, *pos; 282 283 parse->ftie = ie; 284 parse->ftie_len = ie_len; 285 286 pos = ie + sizeof(struct rsn_ftie); 287 end = ie + ie_len; 288 289 while (pos + 2 <= end && pos + 2 + pos[1] <= end) { 290 switch (pos[0]) { 291 case FTIE_SUBELEM_R1KH_ID: 292 if (pos[1] != FT_R1KH_ID_LEN) { 293 wpa_printf(MSG_DEBUG, "FT: Invalid R1KH-ID " 294 "length in FTIE: %d", pos[1]); 295 return -1; 296 } 297 parse->r1kh_id = pos + 2; 298 break; 299 case FTIE_SUBELEM_GTK: 300 parse->gtk = pos + 2; 301 parse->gtk_len = pos[1]; 302 break; 303 case FTIE_SUBELEM_R0KH_ID: 304 if (pos[1] < 1 || pos[1] > FT_R0KH_ID_MAX_LEN) { 305 wpa_printf(MSG_DEBUG, "FT: Invalid R0KH-ID " 306 "length in FTIE: %d", pos[1]); 307 return -1; 308 } 309 parse->r0kh_id = pos + 2; 310 parse->r0kh_id_len = pos[1]; 311 break; 312 #ifdef CONFIG_IEEE80211W 313 case FTIE_SUBELEM_IGTK: 314 parse->igtk = pos + 2; 315 parse->igtk_len = pos[1]; 316 break; 317 #endif /* CONFIG_IEEE80211W */ 318 } 319 320 pos += 2 + pos[1]; 321 } 322 323 return 0; 324 } 325 326 327 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, 328 struct wpa_ft_ies *parse) 329 { 330 const u8 *end, *pos; 331 struct wpa_ie_data data; 332 int ret; 333 const struct rsn_ftie *ftie; 334 int prot_ie_count = 0; 335 336 os_memset(parse, 0, sizeof(*parse)); 337 if (ies == NULL) 338 return 0; 339 340 pos = ies; 341 end = ies + ies_len; 342 while (pos + 2 <= end && pos + 2 + pos[1] <= end) { 343 switch (pos[0]) { 344 case WLAN_EID_RSN: 345 parse->rsn = pos + 2; 346 parse->rsn_len = pos[1]; 347 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2, 348 parse->rsn_len + 2, 349 &data); 350 if (ret < 0) { 351 wpa_printf(MSG_DEBUG, "FT: Failed to parse " 352 "RSN IE: %d", ret); 353 return -1; 354 } 355 if (data.num_pmkid == 1 && data.pmkid) 356 parse->rsn_pmkid = data.pmkid; 357 break; 358 case WLAN_EID_MOBILITY_DOMAIN: 359 if (pos[1] < sizeof(struct rsn_mdie)) 360 return -1; 361 parse->mdie = pos + 2; 362 parse->mdie_len = pos[1]; 363 break; 364 case WLAN_EID_FAST_BSS_TRANSITION: 365 if (pos[1] < sizeof(*ftie)) 366 return -1; 367 ftie = (const struct rsn_ftie *) (pos + 2); 368 prot_ie_count = ftie->mic_control[1]; 369 if (wpa_ft_parse_ftie(pos + 2, pos[1], parse) < 0) 370 return -1; 371 break; 372 case WLAN_EID_TIMEOUT_INTERVAL: 373 if (pos[1] != 5) 374 break; 375 parse->tie = pos + 2; 376 parse->tie_len = pos[1]; 377 break; 378 case WLAN_EID_RIC_DATA: 379 if (parse->ric == NULL) 380 parse->ric = pos; 381 break; 382 } 383 384 pos += 2 + pos[1]; 385 } 386 387 if (prot_ie_count == 0) 388 return 0; /* no MIC */ 389 390 /* 391 * Check that the protected IE count matches with IEs included in the 392 * frame. 393 */ 394 if (parse->rsn) 395 prot_ie_count--; 396 if (parse->mdie) 397 prot_ie_count--; 398 if (parse->ftie) 399 prot_ie_count--; 400 if (prot_ie_count < 0) { 401 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in " 402 "the protected IE count"); 403 return -1; 404 } 405 406 if (prot_ie_count == 0 && parse->ric) { 407 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not " 408 "included in protected IE count"); 409 return -1; 410 } 411 412 /* Determine the end of the RIC IE(s) */ 413 pos = parse->ric; 414 while (pos && pos + 2 <= end && pos + 2 + pos[1] <= end && 415 prot_ie_count) { 416 prot_ie_count--; 417 pos += 2 + pos[1]; 418 } 419 parse->ric_len = pos - parse->ric; 420 if (prot_ie_count) { 421 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from " 422 "frame", (int) prot_ie_count); 423 return -1; 424 } 425 426 return 0; 427 } 428 #endif /* CONFIG_IEEE80211R */ 429 430 431 static int rsn_selector_to_bitfield(const u8 *s) 432 { 433 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE) 434 return WPA_CIPHER_NONE; 435 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP) 436 return WPA_CIPHER_TKIP; 437 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP) 438 return WPA_CIPHER_CCMP; 439 #ifdef CONFIG_IEEE80211W 440 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC) 441 return WPA_CIPHER_AES_128_CMAC; 442 #endif /* CONFIG_IEEE80211W */ 443 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP) 444 return WPA_CIPHER_GCMP; 445 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256) 446 return WPA_CIPHER_CCMP_256; 447 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256) 448 return WPA_CIPHER_GCMP_256; 449 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128) 450 return WPA_CIPHER_BIP_GMAC_128; 451 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256) 452 return WPA_CIPHER_BIP_GMAC_256; 453 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256) 454 return WPA_CIPHER_BIP_CMAC_256; 455 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED) 456 return WPA_CIPHER_GTK_NOT_USED; 457 return 0; 458 } 459 460 461 static int rsn_key_mgmt_to_bitfield(const u8 *s) 462 { 463 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X) 464 return WPA_KEY_MGMT_IEEE8021X; 465 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X) 466 return WPA_KEY_MGMT_PSK; 467 #ifdef CONFIG_IEEE80211R 468 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X) 469 return WPA_KEY_MGMT_FT_IEEE8021X; 470 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK) 471 return WPA_KEY_MGMT_FT_PSK; 472 #endif /* CONFIG_IEEE80211R */ 473 #ifdef CONFIG_IEEE80211W 474 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) 475 return WPA_KEY_MGMT_IEEE8021X_SHA256; 476 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) 477 return WPA_KEY_MGMT_PSK_SHA256; 478 #endif /* CONFIG_IEEE80211W */ 479 #ifdef CONFIG_SAE 480 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) 481 return WPA_KEY_MGMT_SAE; 482 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) 483 return WPA_KEY_MGMT_FT_SAE; 484 #endif /* CONFIG_SAE */ 485 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) 486 return WPA_KEY_MGMT_IEEE8021X_SUITE_B; 487 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192) 488 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; 489 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN) 490 return WPA_KEY_MGMT_OSEN; 491 return 0; 492 } 493 494 495 static int wpa_cipher_valid_group(int cipher) 496 { 497 return wpa_cipher_valid_pairwise(cipher) || 498 cipher == WPA_CIPHER_GTK_NOT_USED; 499 } 500 501 502 #ifdef CONFIG_IEEE80211W 503 int wpa_cipher_valid_mgmt_group(int cipher) 504 { 505 return cipher == WPA_CIPHER_AES_128_CMAC || 506 cipher == WPA_CIPHER_BIP_GMAC_128 || 507 cipher == WPA_CIPHER_BIP_GMAC_256 || 508 cipher == WPA_CIPHER_BIP_CMAC_256; 509 } 510 #endif /* CONFIG_IEEE80211W */ 511 512 513 /** 514 * wpa_parse_wpa_ie_rsn - Parse RSN IE 515 * @rsn_ie: Buffer containing RSN IE 516 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets) 517 * @data: Pointer to structure that will be filled in with parsed data 518 * Returns: 0 on success, <0 on failure 519 */ 520 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len, 521 struct wpa_ie_data *data) 522 { 523 const u8 *pos; 524 int left; 525 int i, count; 526 527 os_memset(data, 0, sizeof(*data)); 528 data->proto = WPA_PROTO_RSN; 529 data->pairwise_cipher = WPA_CIPHER_CCMP; 530 data->group_cipher = WPA_CIPHER_CCMP; 531 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 532 data->capabilities = 0; 533 data->pmkid = NULL; 534 data->num_pmkid = 0; 535 #ifdef CONFIG_IEEE80211W 536 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC; 537 #else /* CONFIG_IEEE80211W */ 538 data->mgmt_group_cipher = 0; 539 #endif /* CONFIG_IEEE80211W */ 540 541 if (rsn_ie_len == 0) { 542 /* No RSN IE - fail silently */ 543 return -1; 544 } 545 546 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) { 547 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 548 __func__, (unsigned long) rsn_ie_len); 549 return -1; 550 } 551 552 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 && 553 rsn_ie[1] == rsn_ie_len - 2 && 554 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) { 555 pos = rsn_ie + 6; 556 left = rsn_ie_len - 6; 557 558 data->proto = WPA_PROTO_OSEN; 559 } else { 560 const struct rsn_ie_hdr *hdr; 561 562 hdr = (const struct rsn_ie_hdr *) rsn_ie; 563 564 if (hdr->elem_id != WLAN_EID_RSN || 565 hdr->len != rsn_ie_len - 2 || 566 WPA_GET_LE16(hdr->version) != RSN_VERSION) { 567 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 568 __func__); 569 return -2; 570 } 571 572 pos = (const u8 *) (hdr + 1); 573 left = rsn_ie_len - sizeof(*hdr); 574 } 575 576 if (left >= RSN_SELECTOR_LEN) { 577 data->group_cipher = rsn_selector_to_bitfield(pos); 578 if (!wpa_cipher_valid_group(data->group_cipher)) { 579 wpa_printf(MSG_DEBUG, "%s: invalid group cipher 0x%x", 580 __func__, data->group_cipher); 581 return -1; 582 } 583 pos += RSN_SELECTOR_LEN; 584 left -= RSN_SELECTOR_LEN; 585 } else if (left > 0) { 586 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 587 __func__, left); 588 return -3; 589 } 590 591 if (left >= 2) { 592 data->pairwise_cipher = 0; 593 count = WPA_GET_LE16(pos); 594 pos += 2; 595 left -= 2; 596 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 597 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 598 "count %u left %u", __func__, count, left); 599 return -4; 600 } 601 for (i = 0; i < count; i++) { 602 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 603 pos += RSN_SELECTOR_LEN; 604 left -= RSN_SELECTOR_LEN; 605 } 606 #ifdef CONFIG_IEEE80211W 607 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) { 608 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as " 609 "pairwise cipher", __func__); 610 return -1; 611 } 612 #endif /* CONFIG_IEEE80211W */ 613 } else if (left == 1) { 614 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 615 __func__); 616 return -5; 617 } 618 619 if (left >= 2) { 620 data->key_mgmt = 0; 621 count = WPA_GET_LE16(pos); 622 pos += 2; 623 left -= 2; 624 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 625 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 626 "count %u left %u", __func__, count, left); 627 return -6; 628 } 629 for (i = 0; i < count; i++) { 630 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 631 pos += RSN_SELECTOR_LEN; 632 left -= RSN_SELECTOR_LEN; 633 } 634 } else if (left == 1) { 635 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 636 __func__); 637 return -7; 638 } 639 640 if (left >= 2) { 641 data->capabilities = WPA_GET_LE16(pos); 642 pos += 2; 643 left -= 2; 644 } 645 646 if (left >= 2) { 647 u16 num_pmkid = WPA_GET_LE16(pos); 648 pos += 2; 649 left -= 2; 650 if (num_pmkid > (unsigned int) left / PMKID_LEN) { 651 wpa_printf(MSG_DEBUG, "%s: PMKID underflow " 652 "(num_pmkid=%u left=%d)", 653 __func__, num_pmkid, left); 654 data->num_pmkid = 0; 655 return -9; 656 } else { 657 data->num_pmkid = num_pmkid; 658 data->pmkid = pos; 659 pos += data->num_pmkid * PMKID_LEN; 660 left -= data->num_pmkid * PMKID_LEN; 661 } 662 } 663 664 #ifdef CONFIG_IEEE80211W 665 if (left >= 4) { 666 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos); 667 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) { 668 wpa_printf(MSG_DEBUG, "%s: Unsupported management " 669 "group cipher 0x%x", __func__, 670 data->mgmt_group_cipher); 671 return -10; 672 } 673 pos += RSN_SELECTOR_LEN; 674 left -= RSN_SELECTOR_LEN; 675 } 676 #endif /* CONFIG_IEEE80211W */ 677 678 if (left > 0) { 679 wpa_hexdump(MSG_DEBUG, 680 "wpa_parse_wpa_ie_rsn: ignore trailing bytes", 681 pos, left); 682 } 683 684 return 0; 685 } 686 687 688 static int wpa_selector_to_bitfield(const u8 *s) 689 { 690 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE) 691 return WPA_CIPHER_NONE; 692 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP) 693 return WPA_CIPHER_TKIP; 694 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP) 695 return WPA_CIPHER_CCMP; 696 return 0; 697 } 698 699 700 static int wpa_key_mgmt_to_bitfield(const u8 *s) 701 { 702 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X) 703 return WPA_KEY_MGMT_IEEE8021X; 704 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X) 705 return WPA_KEY_MGMT_PSK; 706 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE) 707 return WPA_KEY_MGMT_WPA_NONE; 708 return 0; 709 } 710 711 712 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len, 713 struct wpa_ie_data *data) 714 { 715 const struct wpa_ie_hdr *hdr; 716 const u8 *pos; 717 int left; 718 int i, count; 719 720 os_memset(data, 0, sizeof(*data)); 721 data->proto = WPA_PROTO_WPA; 722 data->pairwise_cipher = WPA_CIPHER_TKIP; 723 data->group_cipher = WPA_CIPHER_TKIP; 724 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 725 data->capabilities = 0; 726 data->pmkid = NULL; 727 data->num_pmkid = 0; 728 data->mgmt_group_cipher = 0; 729 730 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) { 731 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 732 __func__, (unsigned long) wpa_ie_len); 733 return -1; 734 } 735 736 hdr = (const struct wpa_ie_hdr *) wpa_ie; 737 738 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC || 739 hdr->len != wpa_ie_len - 2 || 740 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE || 741 WPA_GET_LE16(hdr->version) != WPA_VERSION) { 742 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 743 __func__); 744 return -2; 745 } 746 747 pos = (const u8 *) (hdr + 1); 748 left = wpa_ie_len - sizeof(*hdr); 749 750 if (left >= WPA_SELECTOR_LEN) { 751 data->group_cipher = wpa_selector_to_bitfield(pos); 752 pos += WPA_SELECTOR_LEN; 753 left -= WPA_SELECTOR_LEN; 754 } else if (left > 0) { 755 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 756 __func__, left); 757 return -3; 758 } 759 760 if (left >= 2) { 761 data->pairwise_cipher = 0; 762 count = WPA_GET_LE16(pos); 763 pos += 2; 764 left -= 2; 765 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 766 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 767 "count %u left %u", __func__, count, left); 768 return -4; 769 } 770 for (i = 0; i < count; i++) { 771 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 772 pos += WPA_SELECTOR_LEN; 773 left -= WPA_SELECTOR_LEN; 774 } 775 } else if (left == 1) { 776 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 777 __func__); 778 return -5; 779 } 780 781 if (left >= 2) { 782 data->key_mgmt = 0; 783 count = WPA_GET_LE16(pos); 784 pos += 2; 785 left -= 2; 786 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 787 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 788 "count %u left %u", __func__, count, left); 789 return -6; 790 } 791 for (i = 0; i < count; i++) { 792 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 793 pos += WPA_SELECTOR_LEN; 794 left -= WPA_SELECTOR_LEN; 795 } 796 } else if (left == 1) { 797 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 798 __func__); 799 return -7; 800 } 801 802 if (left >= 2) { 803 data->capabilities = WPA_GET_LE16(pos); 804 pos += 2; 805 left -= 2; 806 } 807 808 if (left > 0) { 809 wpa_hexdump(MSG_DEBUG, 810 "wpa_parse_wpa_ie_wpa: ignore trailing bytes", 811 pos, left); 812 } 813 814 return 0; 815 } 816 817 818 #ifdef CONFIG_IEEE80211R 819 820 /** 821 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name 822 * 823 * IEEE Std 802.11r-2008 - 8.5.1.5.3 824 */ 825 void wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len, 826 const u8 *ssid, size_t ssid_len, 827 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len, 828 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name) 829 { 830 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 + 831 FT_R0KH_ID_MAX_LEN + ETH_ALEN]; 832 u8 *pos, r0_key_data[48], hash[32]; 833 const u8 *addr[2]; 834 size_t len[2]; 835 836 /* 837 * R0-Key-Data = KDF-384(XXKey, "FT-R0", 838 * SSIDlength || SSID || MDID || R0KHlength || 839 * R0KH-ID || S0KH-ID) 840 * XXKey is either the second 256 bits of MSK or PSK. 841 * PMK-R0 = L(R0-Key-Data, 0, 256) 842 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128) 843 */ 844 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN) 845 return; 846 pos = buf; 847 *pos++ = ssid_len; 848 os_memcpy(pos, ssid, ssid_len); 849 pos += ssid_len; 850 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN); 851 pos += MOBILITY_DOMAIN_ID_LEN; 852 *pos++ = r0kh_id_len; 853 os_memcpy(pos, r0kh_id, r0kh_id_len); 854 pos += r0kh_id_len; 855 os_memcpy(pos, s0kh_id, ETH_ALEN); 856 pos += ETH_ALEN; 857 858 sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 859 r0_key_data, sizeof(r0_key_data)); 860 os_memcpy(pmk_r0, r0_key_data, PMK_LEN); 861 862 /* 863 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt) 864 */ 865 addr[0] = (const u8 *) "FT-R0N"; 866 len[0] = 6; 867 addr[1] = r0_key_data + PMK_LEN; 868 len[1] = 16; 869 870 sha256_vector(2, addr, len, hash); 871 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN); 872 } 873 874 875 /** 876 * wpa_derive_pmk_r1_name - Derive PMKR1Name 877 * 878 * IEEE Std 802.11r-2008 - 8.5.1.5.4 879 */ 880 void wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id, 881 const u8 *s1kh_id, u8 *pmk_r1_name) 882 { 883 u8 hash[32]; 884 const u8 *addr[4]; 885 size_t len[4]; 886 887 /* 888 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name || 889 * R1KH-ID || S1KH-ID)) 890 */ 891 addr[0] = (const u8 *) "FT-R1N"; 892 len[0] = 6; 893 addr[1] = pmk_r0_name; 894 len[1] = WPA_PMK_NAME_LEN; 895 addr[2] = r1kh_id; 896 len[2] = FT_R1KH_ID_LEN; 897 addr[3] = s1kh_id; 898 len[3] = ETH_ALEN; 899 900 sha256_vector(4, addr, len, hash); 901 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN); 902 } 903 904 905 /** 906 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0 907 * 908 * IEEE Std 802.11r-2008 - 8.5.1.5.4 909 */ 910 void wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name, 911 const u8 *r1kh_id, const u8 *s1kh_id, 912 u8 *pmk_r1, u8 *pmk_r1_name) 913 { 914 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN]; 915 u8 *pos; 916 917 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */ 918 pos = buf; 919 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN); 920 pos += FT_R1KH_ID_LEN; 921 os_memcpy(pos, s1kh_id, ETH_ALEN); 922 pos += ETH_ALEN; 923 924 sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf, pmk_r1, PMK_LEN); 925 926 wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, pmk_r1_name); 927 } 928 929 930 /** 931 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1 932 * 933 * IEEE Std 802.11r-2008 - 8.5.1.5.5 934 */ 935 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce, 936 const u8 *sta_addr, const u8 *bssid, 937 const u8 *pmk_r1_name, 938 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher) 939 { 940 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN]; 941 u8 *pos, hash[32]; 942 const u8 *addr[6]; 943 size_t len[6]; 944 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 945 size_t ptk_len; 946 947 /* 948 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || 949 * BSSID || STA-ADDR) 950 */ 951 pos = buf; 952 os_memcpy(pos, snonce, WPA_NONCE_LEN); 953 pos += WPA_NONCE_LEN; 954 os_memcpy(pos, anonce, WPA_NONCE_LEN); 955 pos += WPA_NONCE_LEN; 956 os_memcpy(pos, bssid, ETH_ALEN); 957 pos += ETH_ALEN; 958 os_memcpy(pos, sta_addr, ETH_ALEN); 959 pos += ETH_ALEN; 960 961 ptk->kck_len = wpa_kck_len(akmp); 962 ptk->kek_len = wpa_kek_len(akmp); 963 ptk->tk_len = wpa_cipher_key_len(cipher); 964 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 965 966 sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf, tmp, ptk_len); 967 968 /* 969 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce || 970 * ANonce || BSSID || STA-ADDR)) 971 */ 972 addr[0] = pmk_r1_name; 973 len[0] = WPA_PMK_NAME_LEN; 974 addr[1] = (const u8 *) "FT-PTKN"; 975 len[1] = 7; 976 addr[2] = snonce; 977 len[2] = WPA_NONCE_LEN; 978 addr[3] = anonce; 979 len[3] = WPA_NONCE_LEN; 980 addr[4] = bssid; 981 len[4] = ETH_ALEN; 982 addr[5] = sta_addr; 983 len[5] = ETH_ALEN; 984 985 sha256_vector(6, addr, len, hash); 986 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN); 987 988 os_memcpy(ptk->kck, tmp, ptk->kck_len); 989 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 990 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 991 992 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len); 993 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len); 994 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len); 995 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN); 996 997 os_memset(tmp, 0, sizeof(tmp)); 998 999 return 0; 1000 } 1001 1002 #endif /* CONFIG_IEEE80211R */ 1003 1004 1005 /** 1006 * rsn_pmkid - Calculate PMK identifier 1007 * @pmk: Pairwise master key 1008 * @pmk_len: Length of pmk in bytes 1009 * @aa: Authenticator address 1010 * @spa: Supplicant address 1011 * @pmkid: Buffer for PMKID 1012 * @use_sha256: Whether to use SHA256-based KDF 1013 * 1014 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 1015 * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) 1016 */ 1017 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa, 1018 u8 *pmkid, int use_sha256) 1019 { 1020 char *title = "PMK Name"; 1021 const u8 *addr[3]; 1022 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1023 unsigned char hash[SHA256_MAC_LEN]; 1024 1025 addr[0] = (u8 *) title; 1026 addr[1] = aa; 1027 addr[2] = spa; 1028 1029 #ifdef CONFIG_IEEE80211W 1030 if (use_sha256) 1031 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash); 1032 else 1033 #endif /* CONFIG_IEEE80211W */ 1034 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash); 1035 os_memcpy(pmkid, hash, PMKID_LEN); 1036 } 1037 1038 1039 #ifdef CONFIG_SUITEB 1040 /** 1041 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM 1042 * @kck: Key confirmation key 1043 * @kck_len: Length of kck in bytes 1044 * @aa: Authenticator address 1045 * @spa: Supplicant address 1046 * @pmkid: Buffer for PMKID 1047 * Returns: 0 on success, -1 on failure 1048 * 1049 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1050 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA)) 1051 */ 1052 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa, 1053 const u8 *spa, u8 *pmkid) 1054 { 1055 char *title = "PMK Name"; 1056 const u8 *addr[3]; 1057 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1058 unsigned char hash[SHA256_MAC_LEN]; 1059 1060 addr[0] = (u8 *) title; 1061 addr[1] = aa; 1062 addr[2] = spa; 1063 1064 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0) 1065 return -1; 1066 os_memcpy(pmkid, hash, PMKID_LEN); 1067 return 0; 1068 } 1069 #endif /* CONFIG_SUITEB */ 1070 1071 1072 #ifdef CONFIG_SUITEB192 1073 /** 1074 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM 1075 * @kck: Key confirmation key 1076 * @kck_len: Length of kck in bytes 1077 * @aa: Authenticator address 1078 * @spa: Supplicant address 1079 * @pmkid: Buffer for PMKID 1080 * Returns: 0 on success, -1 on failure 1081 * 1082 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1083 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA)) 1084 */ 1085 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa, 1086 const u8 *spa, u8 *pmkid) 1087 { 1088 char *title = "PMK Name"; 1089 const u8 *addr[3]; 1090 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1091 unsigned char hash[SHA384_MAC_LEN]; 1092 1093 addr[0] = (u8 *) title; 1094 addr[1] = aa; 1095 addr[2] = spa; 1096 1097 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0) 1098 return -1; 1099 os_memcpy(pmkid, hash, PMKID_LEN); 1100 return 0; 1101 } 1102 #endif /* CONFIG_SUITEB192 */ 1103 1104 1105 /** 1106 * wpa_cipher_txt - Convert cipher suite to a text string 1107 * @cipher: Cipher suite (WPA_CIPHER_* enum) 1108 * Returns: Pointer to a text string of the cipher suite name 1109 */ 1110 const char * wpa_cipher_txt(int cipher) 1111 { 1112 switch (cipher) { 1113 case WPA_CIPHER_NONE: 1114 return "NONE"; 1115 case WPA_CIPHER_WEP40: 1116 return "WEP-40"; 1117 case WPA_CIPHER_WEP104: 1118 return "WEP-104"; 1119 case WPA_CIPHER_TKIP: 1120 return "TKIP"; 1121 case WPA_CIPHER_CCMP: 1122 return "CCMP"; 1123 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP: 1124 return "CCMP+TKIP"; 1125 case WPA_CIPHER_GCMP: 1126 return "GCMP"; 1127 case WPA_CIPHER_GCMP_256: 1128 return "GCMP-256"; 1129 case WPA_CIPHER_CCMP_256: 1130 return "CCMP-256"; 1131 case WPA_CIPHER_GTK_NOT_USED: 1132 return "GTK_NOT_USED"; 1133 default: 1134 return "UNKNOWN"; 1135 } 1136 } 1137 1138 1139 /** 1140 * wpa_key_mgmt_txt - Convert key management suite to a text string 1141 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum) 1142 * @proto: WPA/WPA2 version (WPA_PROTO_*) 1143 * Returns: Pointer to a text string of the key management suite name 1144 */ 1145 const char * wpa_key_mgmt_txt(int key_mgmt, int proto) 1146 { 1147 switch (key_mgmt) { 1148 case WPA_KEY_MGMT_IEEE8021X: 1149 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1150 return "WPA2+WPA/IEEE 802.1X/EAP"; 1151 return proto == WPA_PROTO_RSN ? 1152 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP"; 1153 case WPA_KEY_MGMT_PSK: 1154 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1155 return "WPA2-PSK+WPA-PSK"; 1156 return proto == WPA_PROTO_RSN ? 1157 "WPA2-PSK" : "WPA-PSK"; 1158 case WPA_KEY_MGMT_NONE: 1159 return "NONE"; 1160 case WPA_KEY_MGMT_IEEE8021X_NO_WPA: 1161 return "IEEE 802.1X (no WPA)"; 1162 #ifdef CONFIG_IEEE80211R 1163 case WPA_KEY_MGMT_FT_IEEE8021X: 1164 return "FT-EAP"; 1165 case WPA_KEY_MGMT_FT_PSK: 1166 return "FT-PSK"; 1167 #endif /* CONFIG_IEEE80211R */ 1168 #ifdef CONFIG_IEEE80211W 1169 case WPA_KEY_MGMT_IEEE8021X_SHA256: 1170 return "WPA2-EAP-SHA256"; 1171 case WPA_KEY_MGMT_PSK_SHA256: 1172 return "WPA2-PSK-SHA256"; 1173 #endif /* CONFIG_IEEE80211W */ 1174 case WPA_KEY_MGMT_WPS: 1175 return "WPS"; 1176 case WPA_KEY_MGMT_SAE: 1177 return "SAE"; 1178 case WPA_KEY_MGMT_FT_SAE: 1179 return "FT-SAE"; 1180 case WPA_KEY_MGMT_OSEN: 1181 return "OSEN"; 1182 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 1183 return "WPA2-EAP-SUITE-B"; 1184 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 1185 return "WPA2-EAP-SUITE-B-192"; 1186 default: 1187 return "UNKNOWN"; 1188 } 1189 } 1190 1191 1192 u32 wpa_akm_to_suite(int akm) 1193 { 1194 if (akm & WPA_KEY_MGMT_FT_IEEE8021X) 1195 return WLAN_AKM_SUITE_FT_8021X; 1196 if (akm & WPA_KEY_MGMT_FT_PSK) 1197 return WLAN_AKM_SUITE_FT_PSK; 1198 if (akm & WPA_KEY_MGMT_IEEE8021X) 1199 return WLAN_AKM_SUITE_8021X; 1200 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) 1201 return WLAN_AKM_SUITE_8021X_SHA256; 1202 if (akm & WPA_KEY_MGMT_IEEE8021X) 1203 return WLAN_AKM_SUITE_8021X; 1204 if (akm & WPA_KEY_MGMT_PSK_SHA256) 1205 return WLAN_AKM_SUITE_PSK_SHA256; 1206 if (akm & WPA_KEY_MGMT_PSK) 1207 return WLAN_AKM_SUITE_PSK; 1208 if (akm & WPA_KEY_MGMT_CCKM) 1209 return WLAN_AKM_SUITE_CCKM; 1210 if (akm & WPA_KEY_MGMT_OSEN) 1211 return WLAN_AKM_SUITE_OSEN; 1212 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B) 1213 return WLAN_AKM_SUITE_8021X_SUITE_B; 1214 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 1215 return WLAN_AKM_SUITE_8021X_SUITE_B_192; 1216 return 0; 1217 } 1218 1219 1220 int wpa_compare_rsn_ie(int ft_initial_assoc, 1221 const u8 *ie1, size_t ie1len, 1222 const u8 *ie2, size_t ie2len) 1223 { 1224 if (ie1 == NULL || ie2 == NULL) 1225 return -1; 1226 1227 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0) 1228 return 0; /* identical IEs */ 1229 1230 #ifdef CONFIG_IEEE80211R 1231 if (ft_initial_assoc) { 1232 struct wpa_ie_data ie1d, ie2d; 1233 /* 1234 * The PMKID-List in RSN IE is different between Beacon/Probe 1235 * Response/(Re)Association Request frames and EAPOL-Key 1236 * messages in FT initial mobility domain association. Allow 1237 * for this, but verify that other parts of the RSN IEs are 1238 * identical. 1239 */ 1240 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 || 1241 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0) 1242 return -1; 1243 if (ie1d.proto == ie2d.proto && 1244 ie1d.pairwise_cipher == ie2d.pairwise_cipher && 1245 ie1d.group_cipher == ie2d.group_cipher && 1246 ie1d.key_mgmt == ie2d.key_mgmt && 1247 ie1d.capabilities == ie2d.capabilities && 1248 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher) 1249 return 0; 1250 } 1251 #endif /* CONFIG_IEEE80211R */ 1252 1253 return -1; 1254 } 1255 1256 1257 #ifdef CONFIG_IEEE80211R 1258 int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid) 1259 { 1260 u8 *start, *end, *rpos, *rend; 1261 int added = 0; 1262 1263 start = ies; 1264 end = ies + ies_len; 1265 1266 while (start < end) { 1267 if (*start == WLAN_EID_RSN) 1268 break; 1269 start += 2 + start[1]; 1270 } 1271 if (start >= end) { 1272 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in " 1273 "IEs data"); 1274 return -1; 1275 } 1276 wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification", 1277 start, 2 + start[1]); 1278 1279 /* Find start of PMKID-Count */ 1280 rpos = start + 2; 1281 rend = rpos + start[1]; 1282 1283 /* Skip Version and Group Data Cipher Suite */ 1284 rpos += 2 + 4; 1285 /* Skip Pairwise Cipher Suite Count and List */ 1286 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1287 /* Skip AKM Suite Count and List */ 1288 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1289 1290 if (rpos == rend) { 1291 /* Add RSN Capabilities */ 1292 os_memmove(rpos + 2, rpos, end - rpos); 1293 *rpos++ = 0; 1294 *rpos++ = 0; 1295 } else { 1296 /* Skip RSN Capabilities */ 1297 rpos += 2; 1298 if (rpos > rend) { 1299 wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in " 1300 "IEs data"); 1301 return -1; 1302 } 1303 } 1304 1305 if (rpos == rend) { 1306 /* No PMKID-Count field included; add it */ 1307 os_memmove(rpos + 2 + PMKID_LEN, rpos, end - rpos); 1308 WPA_PUT_LE16(rpos, 1); 1309 rpos += 2; 1310 os_memcpy(rpos, pmkid, PMKID_LEN); 1311 added += 2 + PMKID_LEN; 1312 start[1] += 2 + PMKID_LEN; 1313 } else { 1314 /* PMKID-Count was included; use it */ 1315 if (WPA_GET_LE16(rpos) != 0) { 1316 wpa_printf(MSG_ERROR, "FT: Unexpected PMKID " 1317 "in RSN IE in EAPOL-Key data"); 1318 return -1; 1319 } 1320 WPA_PUT_LE16(rpos, 1); 1321 rpos += 2; 1322 os_memmove(rpos + PMKID_LEN, rpos, end - rpos); 1323 os_memcpy(rpos, pmkid, PMKID_LEN); 1324 added += PMKID_LEN; 1325 start[1] += PMKID_LEN; 1326 } 1327 1328 wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification " 1329 "(PMKID inserted)", start, 2 + start[1]); 1330 1331 return added; 1332 } 1333 #endif /* CONFIG_IEEE80211R */ 1334 1335 1336 int wpa_cipher_key_len(int cipher) 1337 { 1338 switch (cipher) { 1339 case WPA_CIPHER_CCMP_256: 1340 case WPA_CIPHER_GCMP_256: 1341 case WPA_CIPHER_BIP_GMAC_256: 1342 case WPA_CIPHER_BIP_CMAC_256: 1343 return 32; 1344 case WPA_CIPHER_CCMP: 1345 case WPA_CIPHER_GCMP: 1346 case WPA_CIPHER_AES_128_CMAC: 1347 case WPA_CIPHER_BIP_GMAC_128: 1348 return 16; 1349 case WPA_CIPHER_TKIP: 1350 return 32; 1351 } 1352 1353 return 0; 1354 } 1355 1356 1357 int wpa_cipher_rsc_len(int cipher) 1358 { 1359 switch (cipher) { 1360 case WPA_CIPHER_CCMP_256: 1361 case WPA_CIPHER_GCMP_256: 1362 case WPA_CIPHER_CCMP: 1363 case WPA_CIPHER_GCMP: 1364 case WPA_CIPHER_TKIP: 1365 return 6; 1366 } 1367 1368 return 0; 1369 } 1370 1371 1372 int wpa_cipher_to_alg(int cipher) 1373 { 1374 switch (cipher) { 1375 case WPA_CIPHER_CCMP_256: 1376 return WPA_ALG_CCMP_256; 1377 case WPA_CIPHER_GCMP_256: 1378 return WPA_ALG_GCMP_256; 1379 case WPA_CIPHER_CCMP: 1380 return WPA_ALG_CCMP; 1381 case WPA_CIPHER_GCMP: 1382 return WPA_ALG_GCMP; 1383 case WPA_CIPHER_TKIP: 1384 return WPA_ALG_TKIP; 1385 case WPA_CIPHER_AES_128_CMAC: 1386 return WPA_ALG_IGTK; 1387 case WPA_CIPHER_BIP_GMAC_128: 1388 return WPA_ALG_BIP_GMAC_128; 1389 case WPA_CIPHER_BIP_GMAC_256: 1390 return WPA_ALG_BIP_GMAC_256; 1391 case WPA_CIPHER_BIP_CMAC_256: 1392 return WPA_ALG_BIP_CMAC_256; 1393 } 1394 return WPA_ALG_NONE; 1395 } 1396 1397 1398 int wpa_cipher_valid_pairwise(int cipher) 1399 { 1400 return cipher == WPA_CIPHER_CCMP_256 || 1401 cipher == WPA_CIPHER_GCMP_256 || 1402 cipher == WPA_CIPHER_CCMP || 1403 cipher == WPA_CIPHER_GCMP || 1404 cipher == WPA_CIPHER_TKIP; 1405 } 1406 1407 1408 u32 wpa_cipher_to_suite(int proto, int cipher) 1409 { 1410 if (cipher & WPA_CIPHER_CCMP_256) 1411 return RSN_CIPHER_SUITE_CCMP_256; 1412 if (cipher & WPA_CIPHER_GCMP_256) 1413 return RSN_CIPHER_SUITE_GCMP_256; 1414 if (cipher & WPA_CIPHER_CCMP) 1415 return (proto == WPA_PROTO_RSN ? 1416 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP); 1417 if (cipher & WPA_CIPHER_GCMP) 1418 return RSN_CIPHER_SUITE_GCMP; 1419 if (cipher & WPA_CIPHER_TKIP) 1420 return (proto == WPA_PROTO_RSN ? 1421 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP); 1422 if (cipher & WPA_CIPHER_NONE) 1423 return (proto == WPA_PROTO_RSN ? 1424 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE); 1425 if (cipher & WPA_CIPHER_GTK_NOT_USED) 1426 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED; 1427 if (cipher & WPA_CIPHER_AES_128_CMAC) 1428 return RSN_CIPHER_SUITE_AES_128_CMAC; 1429 if (cipher & WPA_CIPHER_BIP_GMAC_128) 1430 return RSN_CIPHER_SUITE_BIP_GMAC_128; 1431 if (cipher & WPA_CIPHER_BIP_GMAC_256) 1432 return RSN_CIPHER_SUITE_BIP_GMAC_256; 1433 if (cipher & WPA_CIPHER_BIP_CMAC_256) 1434 return RSN_CIPHER_SUITE_BIP_CMAC_256; 1435 return 0; 1436 } 1437 1438 1439 int rsn_cipher_put_suites(u8 *start, int ciphers) 1440 { 1441 u8 *pos = start; 1442 1443 if (ciphers & WPA_CIPHER_CCMP_256) { 1444 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256); 1445 pos += RSN_SELECTOR_LEN; 1446 } 1447 if (ciphers & WPA_CIPHER_GCMP_256) { 1448 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256); 1449 pos += RSN_SELECTOR_LEN; 1450 } 1451 if (ciphers & WPA_CIPHER_CCMP) { 1452 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1453 pos += RSN_SELECTOR_LEN; 1454 } 1455 if (ciphers & WPA_CIPHER_GCMP) { 1456 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP); 1457 pos += RSN_SELECTOR_LEN; 1458 } 1459 if (ciphers & WPA_CIPHER_TKIP) { 1460 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 1461 pos += RSN_SELECTOR_LEN; 1462 } 1463 if (ciphers & WPA_CIPHER_NONE) { 1464 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE); 1465 pos += RSN_SELECTOR_LEN; 1466 } 1467 1468 return (pos - start) / RSN_SELECTOR_LEN; 1469 } 1470 1471 1472 int wpa_cipher_put_suites(u8 *start, int ciphers) 1473 { 1474 u8 *pos = start; 1475 1476 if (ciphers & WPA_CIPHER_CCMP) { 1477 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 1478 pos += WPA_SELECTOR_LEN; 1479 } 1480 if (ciphers & WPA_CIPHER_TKIP) { 1481 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 1482 pos += WPA_SELECTOR_LEN; 1483 } 1484 if (ciphers & WPA_CIPHER_NONE) { 1485 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE); 1486 pos += WPA_SELECTOR_LEN; 1487 } 1488 1489 return (pos - start) / RSN_SELECTOR_LEN; 1490 } 1491 1492 1493 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) 1494 { 1495 if (ciphers & WPA_CIPHER_CCMP_256) 1496 return WPA_CIPHER_CCMP_256; 1497 if (ciphers & WPA_CIPHER_GCMP_256) 1498 return WPA_CIPHER_GCMP_256; 1499 if (ciphers & WPA_CIPHER_CCMP) 1500 return WPA_CIPHER_CCMP; 1501 if (ciphers & WPA_CIPHER_GCMP) 1502 return WPA_CIPHER_GCMP; 1503 if (ciphers & WPA_CIPHER_TKIP) 1504 return WPA_CIPHER_TKIP; 1505 if (none_allowed && (ciphers & WPA_CIPHER_NONE)) 1506 return WPA_CIPHER_NONE; 1507 return -1; 1508 } 1509 1510 1511 int wpa_pick_group_cipher(int ciphers) 1512 { 1513 if (ciphers & WPA_CIPHER_CCMP_256) 1514 return WPA_CIPHER_CCMP_256; 1515 if (ciphers & WPA_CIPHER_GCMP_256) 1516 return WPA_CIPHER_GCMP_256; 1517 if (ciphers & WPA_CIPHER_CCMP) 1518 return WPA_CIPHER_CCMP; 1519 if (ciphers & WPA_CIPHER_GCMP) 1520 return WPA_CIPHER_GCMP; 1521 if (ciphers & WPA_CIPHER_GTK_NOT_USED) 1522 return WPA_CIPHER_GTK_NOT_USED; 1523 if (ciphers & WPA_CIPHER_TKIP) 1524 return WPA_CIPHER_TKIP; 1525 return -1; 1526 } 1527 1528 1529 int wpa_parse_cipher(const char *value) 1530 { 1531 int val = 0, last; 1532 char *start, *end, *buf; 1533 1534 buf = os_strdup(value); 1535 if (buf == NULL) 1536 return -1; 1537 start = buf; 1538 1539 while (*start != '\0') { 1540 while (*start == ' ' || *start == '\t') 1541 start++; 1542 if (*start == '\0') 1543 break; 1544 end = start; 1545 while (*end != ' ' && *end != '\t' && *end != '\0') 1546 end++; 1547 last = *end == '\0'; 1548 *end = '\0'; 1549 if (os_strcmp(start, "CCMP-256") == 0) 1550 val |= WPA_CIPHER_CCMP_256; 1551 else if (os_strcmp(start, "GCMP-256") == 0) 1552 val |= WPA_CIPHER_GCMP_256; 1553 else if (os_strcmp(start, "CCMP") == 0) 1554 val |= WPA_CIPHER_CCMP; 1555 else if (os_strcmp(start, "GCMP") == 0) 1556 val |= WPA_CIPHER_GCMP; 1557 else if (os_strcmp(start, "TKIP") == 0) 1558 val |= WPA_CIPHER_TKIP; 1559 else if (os_strcmp(start, "WEP104") == 0) 1560 val |= WPA_CIPHER_WEP104; 1561 else if (os_strcmp(start, "WEP40") == 0) 1562 val |= WPA_CIPHER_WEP40; 1563 else if (os_strcmp(start, "NONE") == 0) 1564 val |= WPA_CIPHER_NONE; 1565 else if (os_strcmp(start, "GTK_NOT_USED") == 0) 1566 val |= WPA_CIPHER_GTK_NOT_USED; 1567 else { 1568 os_free(buf); 1569 return -1; 1570 } 1571 1572 if (last) 1573 break; 1574 start = end + 1; 1575 } 1576 os_free(buf); 1577 1578 return val; 1579 } 1580 1581 1582 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim) 1583 { 1584 char *pos = start; 1585 int ret; 1586 1587 if (ciphers & WPA_CIPHER_CCMP_256) { 1588 ret = os_snprintf(pos, end - pos, "%sCCMP-256", 1589 pos == start ? "" : delim); 1590 if (os_snprintf_error(end - pos, ret)) 1591 return -1; 1592 pos += ret; 1593 } 1594 if (ciphers & WPA_CIPHER_GCMP_256) { 1595 ret = os_snprintf(pos, end - pos, "%sGCMP-256", 1596 pos == start ? "" : delim); 1597 if (os_snprintf_error(end - pos, ret)) 1598 return -1; 1599 pos += ret; 1600 } 1601 if (ciphers & WPA_CIPHER_CCMP) { 1602 ret = os_snprintf(pos, end - pos, "%sCCMP", 1603 pos == start ? "" : delim); 1604 if (os_snprintf_error(end - pos, ret)) 1605 return -1; 1606 pos += ret; 1607 } 1608 if (ciphers & WPA_CIPHER_GCMP) { 1609 ret = os_snprintf(pos, end - pos, "%sGCMP", 1610 pos == start ? "" : delim); 1611 if (os_snprintf_error(end - pos, ret)) 1612 return -1; 1613 pos += ret; 1614 } 1615 if (ciphers & WPA_CIPHER_TKIP) { 1616 ret = os_snprintf(pos, end - pos, "%sTKIP", 1617 pos == start ? "" : delim); 1618 if (os_snprintf_error(end - pos, ret)) 1619 return -1; 1620 pos += ret; 1621 } 1622 if (ciphers & WPA_CIPHER_NONE) { 1623 ret = os_snprintf(pos, end - pos, "%sNONE", 1624 pos == start ? "" : delim); 1625 if (os_snprintf_error(end - pos, ret)) 1626 return -1; 1627 pos += ret; 1628 } 1629 1630 return pos - start; 1631 } 1632 1633 1634 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise) 1635 { 1636 int pairwise = 0; 1637 1638 /* Select group cipher based on the enabled pairwise cipher suites */ 1639 if (wpa & 1) 1640 pairwise |= wpa_pairwise; 1641 if (wpa & 2) 1642 pairwise |= rsn_pairwise; 1643 1644 if (pairwise & WPA_CIPHER_TKIP) 1645 return WPA_CIPHER_TKIP; 1646 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP) 1647 return WPA_CIPHER_GCMP; 1648 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP | 1649 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256) 1650 return WPA_CIPHER_GCMP_256; 1651 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP | 1652 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256) 1653 return WPA_CIPHER_CCMP_256; 1654 return WPA_CIPHER_CCMP; 1655 } 1656