1 /*
2  * Copyright (c) 2017, 2019-2021 The Linux Foundation. All rights reserved.
3  * Copyright (c) 2021-2022 Qualcomm Innovation Center, Inc. All rights reserved.
4  *
5  * Permission to use, copy, modify, and/or distribute this software for
6  * any purpose with or without fee is hereby granted, provided that the
7  * above copyright notice and this permission notice appear in all
8  * copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
11  * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
12  * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
13  * AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
14  * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
15  * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
16  * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17  * PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include "wlan_crypto_global_def.h"
21 
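/*
 * Constants for FILS authentication, key derivation and IE parsing.
 * All lengths are in bytes. The listing's line-number residue has been
 * stripped so that the block is valid C again.
 */

/* Largest EAP TLV payload; equals the maximum of the one-byte
 * fils_eap_tlv.length field declared in this file.
 */
#define FILS_EAP_TLV_MAX_DATA_LEN 255
/* Authentication tag sizes: 16 and 32 bytes */
#define FILS_SHA256_128_AUTH_TAG 16
#define FILS_SHA256_256_AUTH_TAG 32

/* RFC 6696 */
#define RMSK_LABEL "Re-authentication Master Session Key@ietf.org"

/* 12.12.2.5.3 80211-ai draft */
#define PTK_KEY_LABEL "FILS PTK Derivation"
#define FT_PMK_R0_KEY_LABEL "FT-R0"
#define FT_PMK_R0_NAME_KEY_LABEL "FT-R0N"
#define FT_PMK_R1_NAME_KEY_LABEL "FT-R1N"

/*
 * Element counts and indices of the scatter lists named after PMK-R0 and
 * PMK-R1. The code that fills those lists is not part of this header.
 */
#define PMKR0_SCATTER_LIST_ELEM 2
#define PMKR1_SCATTER_LIST_ELEM 4

#define SCTR_LST_ELEM0 0
#define SCTR_LST_ELEM1 1
#define SCTR_LST_ELEM2 2
#define SCTR_LST_ELEM3 3

/*
 * Label length without the terminating NUL: 6 matches "FT-R0N" and
 * "FT-R1N" (the shorter "FT-R0" label is 5 characters).
 * NOTE(review): these are kept as literals; they must be updated by hand
 * if the label strings above ever change.
 */
#define SCTR_LST_R0_LABEL_LEN 6
#define SCTR_LST_R1_LABEL_LEN 6

/*
 * Capacities of the key and key-auth buffers in struct pe_fils_session.
 * Several are smaller than 255 while the matching length fields are
 * uint8_t, so a length must be checked against these limits before it is
 * used as a copy size.
 */
#define MAX_ICK_LEN 48
#define MAX_KEK_LEN 64
#define MAX_TK_LEN 32
#define MAX_KEY_AUTH_DATA_LEN 48
#define MAX_GTK_LEN 255
#define MAX_IGTK_LEN 255
#define SIR_FILS_SESSION_IE_LEN 11
/* Same value as KEY_RSC_LEN below */
#define FILS_KEY_RSC_LEN 8
/* 48 + 64 + 32 = 144 */
#define FILS_MAX_KEY_AUTH_LEN (MAX_ICK_LEN + MAX_KEK_LEN + MAX_TK_LEN)

#define IPN_LEN 6
/* Same value as SIR_FILS_SESSION_LENGTH below */
#define FILS_SESSION_LENGTH 8
#define FILS_MAX_KDE_LIST_LEN 255

/* 12.12.2.5.3 80211-ai draft */
#define FILS_SHA384_KEK_LEN 64
#define FILS_SHA256_KEK_LEN 32

/* 12.12.2.5.3 80211-ai draft */
#define FILS_SHA256_ICK_LEN 32
#define FILS_SHA384_ICK_LEN 48

/*
 * Temporal key lengths per cipher.
 * NOTE(review): AES-128-CMAC takes a 128-bit (16-byte) key, yet
 * TK_LEN_AES_128_CMAC is 32 - confirm the value is intentional.
 */
#define TK_LEN_TKIP 32
#define TK_LEN_CCMP 16
#define TK_LEN_AES_128_CMAC 32

#define FILS_SHA256_PMK_LEN 32
#define FILS_SHA384_PMK_LEN 48

#define FILS_FT_SHA256_LEN 32
#define FILS_FT_SHA384_LEN 48

#define FILS_FT_MAX_R0_KEY_DATA_LEN 64

/* 12.7.1.7.3 802.11ai */
#define FILS_SHA256_Q_LEN 32
#define FILS_SHA384_Q_LEN 48

/* 9.4.2.180 FILS Session element */
#define SIR_FILS_SESSION_LENGTH    8
#define SIR_FILS_SESSION_EXT_EID   4

/* 9.4.2.184 FILS HLP Container Element */
#define SIR_FILS_HLP_EXT_EID 5

/* 9.4.2.190 FILS Nonce element */
#define SIR_FILS_NONCE_LENGTH      16
#define SIR_FILS_NONCE_EXT_EID   13

/* 9.4.2.188 FILS Wrapped Data element */
#define SIR_FILS_WRAPPED_DATA_MAX_SIZE 255
#define SIR_FILS_WRAPPED_DATA_EXT_EID   8

/* RFC 6696 5.3.1: EAP-Initiate/Re-auth-Start Packet */
#define SIR_FILS_EAP_REAUTH_PACKET_TYPE 1
#define SIR_FILS_EAP_INIT_PACKET_TYPE 2

/* Equals FILS_SHA256_256_AUTH_TAG, the larger of the two tag sizes */
#define FILS_AUTH_TAG_MAX_LENGTH 32

#define SIR_FILS_OPTIONAL_DATA_LEN 3
/* RFC 6696 4.3: rIK derivation */
#define SIR_FILS_RIK_LABEL "Re-authentication Integrity Key@ietf.org"

/* RFC 6696 5.3.1: EAP-Initiate/Re-auth-Start Packet, TLV type codes */
#define SIR_FILS_EAP_TLV_KEYNAME_NAI 1
#define SIR_FILS_EAP_TLV_R_RK_LIFETIME 2
#define SIR_FILS_EAP_TLV_R_MSK_LIFETIME 3
#define SIR_FILS_EAP_TLV_DOMAIN_NAME 4
#define SIR_FILS_EAP_TLV_CRYPTO_LIST 5
#define SIR_FILS_EAP_TLV_AUTH_INDICATION 6

/*
 * KDE parsing: data type codes, field offsets and lengths.
 * NOTE(review): the offsets are only meaningful after the parser has
 * confirmed that the KDE is at least that long; that check is not
 * visible in this header.
 */
#define DATA_TYPE_GTK 1
#define DATA_TYPE_IGTK 9
#define KEY_RSC_LEN 8
#define KDE_IE_DATA_OFFSET 4
#define KDE_DATA_TYPE_OFFSET 3
#define GTK_OFFSET 2
#define IPN_OFFSET 2
#define IGTK_OFFSET 8

/*
 * Three-byte OUI 00-0F-AC. The literal contains an embedded NUL, so it
 * must be compared with memcmp() over KDE_OUI_TYPE_SIZE bytes, never
 * with string functions.
 */
#define KDE_OUI_TYPE   "\x00\x0F\xAC"
#define KDE_OUI_TYPE_SIZE  3

#define SINGLE_ELEMENT_HASH_CNT 1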
131 
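/*
 * struct eap_auth_reserved: this structure defines flags format in eap packets
 * as defined in RFC 6696 5.3.1
 * @flag_r: one-bit flag; presumably the 'R' flag of RFC 6696 5.3.1 - confirm
 * @flag_b: one-bit flag; presumably the 'B' flag of RFC 6696 5.3.1 - confirm
 * @flag_l: one-bit flag; presumably the 'L' flag of RFC 6696 5.3.1 - confirm
 * @reserved: remaining five bits of the octet
 *
 * NOTE(review): the order in which bit-fields are allocated inside a byte
 * is implementation-defined in C. If this struct is overlaid on the flags
 * octet of a received frame, the mapping of these members to wire bits
 * depends on the compiler and target ABI - confirm against the parser.
 */
struct eap_auth_reserved {
	uint8_t flag_r:1;
	uint8_t flag_b:1;
	uint8_t flag_l:1;
	uint8_t reserved:5;
};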
145 
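/*
 * struct fils_eap_tlv: this structure defines the eap header
 * for eap packet present in wrapped data element IE
 * @type: type of packet
 * @length: length of packet
 * @data: inline buffer holding the eap data (FILS_EAP_TLV_MAX_DATA_LEN bytes)
 *
 * @length is one byte, so its largest value (255) equals the capacity of
 * @data as defined in this file.
 * NOTE(review): @length still has to be checked against the number of
 * bytes actually left in the received element before @data is read; that
 * check is not visible in this header.
 */
struct fils_eap_tlv {
	uint8_t type;
	uint8_t length;
	uint8_t data[FILS_EAP_TLV_MAX_DATA_LEN];
};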
158 
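/* struct fils_auth_rsp_info: this structure saves the info from
 * fils auth response.
 * @keyname: pointer to keyname nai
 * @keylength: keyname nai length
 * @domain_name: pointer to domain name
 * @domain_len: domain length
 * @r_rk_lifetime: rRk lifetime
 * @r_msk_lifetime: RMSK lifetime
 * @sequence: sequence number to be validated
 * @fils_nonce: anonce (SIR_FILS_NONCE_LENGTH bytes)
 * @assoc_delay: time in ms, DUT needs to wait after association req
 *
 * NOTE(review): this header does not show who allocates or frees
 * @keyname and @domain_name, nor whether they point into the received
 * frame. Confirm that each pointer stays valid for as long as this
 * struct is used and that the paired length is kept in step with it.
 */
struct fils_auth_rsp_info {
	uint8_t *keyname;
	uint8_t keylength;
	uint8_t *domain_name;
	uint8_t domain_len;
	uint32_t r_rk_lifetime;
	uint32_t r_msk_lifetime;
	uint16_t sequence;
	uint8_t fils_nonce[SIR_FILS_NONCE_LENGTH];
	uint8_t assoc_delay;
};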
182 
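/*
 * Field sizes, in bytes, of the FT IE and its GTK/IGTK subelements as
 * stored in struct mac_ft_ie, struct mac_ft_gtk_ie and
 * struct mac_ft_igtk_ie.
 */
#define FT_R0KH_ID_MAX_LEN 48
#define FT_R1KH_ID_LEN     6
#define FT_NONCE_LEN       32

/* MIC Length Specified in Table 12-8- 802.11-2016 Spec */
#define FT_MIC_LEN         16
#define FT_GTK_RSC_LEN     8
#define FT_GTK_KEY_LEN     32
#define FT_IGTK_KEY_ID_LEN 2
#define FT_IGTK_IPN_LEN    6
#define FT_IGTK_KEY_LEN    24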
194 
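/**
 * struct mac_ft_gtk_ie - structure to parse the gtk ie
 * @present: flag to indicate ie is present
 * @key_id: Key-Id
 * @reserved: reserved bits
 * @key_len: gtk key length
 * @rsc: denotes the last TSC or PN sent using the GTK
 * @num_key: number of keys
 * @key: actual keys
 *
 * @key_len is a uint8_t and can therefore hold values up to 255, while
 * @key has room for FT_GTK_KEY_LEN (32) bytes.
 * NOTE(review): the parser must reject or clamp a @key_len larger than
 * FT_GTK_KEY_LEN before copying into @key; that check is not visible in
 * this header.
 */
struct mac_ft_gtk_ie {
	uint8_t present;
	uint16_t key_id:2;
	uint16_t reserved:14;
	uint8_t key_len;
	uint8_t rsc[FT_GTK_RSC_LEN];
	uint8_t num_key;
	uint8_t key[FT_GTK_KEY_LEN];
};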
214 
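/**
 * struct mac_ft_igtk_ie - structure to parse the igtk ie
 * @present: IE present or not present
 * @key_id: 2Byte Key-ID
 * @ipn: corresponds to the last packet number used by broadcaster/multicaster
 * @key_len: IGTK key length
 * @key: IGTK Key
 *
 * @key_len is a uint8_t and can therefore hold values up to 255, while
 * @key has room for FT_IGTK_KEY_LEN (24) bytes.
 * NOTE(review): the parser must reject or clamp a @key_len larger than
 * FT_IGTK_KEY_LEN before copying into @key; that check is not visible in
 * this header.
 */
struct mac_ft_igtk_ie {
	uint8_t present;
	uint8_t key_id[FT_IGTK_KEY_ID_LEN];
	uint8_t ipn[FT_IGTK_IPN_LEN];
	uint8_t key_len;
	uint8_t key[FT_IGTK_KEY_LEN];
};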
230 
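/**
 * struct mac_ft_ie - structure to parse the FT ie from auth frame
 * @present: true if IE is present in Auth Frame
 * @element_count: number of elements
 * @mic: MIC. Will be zero in auth frame sent from AP. (Refer 13.2.4 802.11ai)
 * @anonce: Authenticator NONCE. Will be zero in auth frame sent from AP.
 * @snonce: Supplicant NONCE. Will be zero in auth frame
 * @r1kh_id: R1KH ID. Length of R1KH ID is fixed(6 bytes).
 * @r0kh_id_len: Length of R0KH ID
 * @r0kh_id: R0KH id
 * @gtk_ie: GTK subelement in FTIE
 * @igtk_ie: IGTK subelement in FTIE
 *
 * @r0kh_id_len is a uint8_t and can therefore hold values up to 255,
 * while @r0kh_id has room for FT_R0KH_ID_MAX_LEN (48) bytes.
 * NOTE(review): the parser must bound @r0kh_id_len by FT_R0KH_ID_MAX_LEN
 * before copying the R0KH ID out of the frame; that check is not visible
 * in this header.
 */
struct mac_ft_ie {
	bool present;
	uint8_t element_count;
	uint8_t mic[FT_MIC_LEN];
	uint8_t anonce[FT_NONCE_LEN];
	uint8_t snonce[FT_NONCE_LEN];
	uint8_t r1kh_id[FT_R1KH_ID_LEN];
	uint8_t r0kh_id_len;
	uint8_t r0kh_id[FT_R0KH_ID_MAX_LEN];
	struct mac_ft_gtk_ie gtk_ie;
	struct mac_ft_igtk_ie igtk_ie;
};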
256 
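/* Buffer capacities, in bytes, used by struct pe_fils_session */
#define FILS_PMK_LEN 48
#define FILS_PMK_NAME_LEN 16
#define FILS_FT_MAX_LEN 48
#define FILS_FT_PMK_R0_SALT_LEN 16
/*
 * Sum of the ICK, KEK, TK and FILS-FT maxima. With the values defined
 * earlier in this file this is 48 + 64 + 32 + 48 = 192.
 */
#define FILS_MAX_KEY_DATA_LEN \
	(MAX_ICK_LEN + MAX_KEK_LEN + MAX_TK_LEN + FILS_FT_MAX_LEN)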
263 
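/*
 * struct pe_fils_session: fils session info used in PE session
 * @is_fils_connection: whether connection is fils or not
 * @keyname_nai_data: keyname nai data
 * @keyname_nai_length: keyname nai length
 * @akm: akm type will be used
 * @auth: authentication type
 * @cipher: cipher type
 * @fils_erp_reauth_pkt: pointer to fils reauth packet data
 * @fils_erp_reauth_pkt_len: reauth packet length
 * @fils_rrk: pointer to fils rRk
 * @fils_rrk_len: fils rRk length
 * @fils_rik: pointer to fils rIk
 * @fils_rik_len: fils rIk length
 * @sequence_number: sequence number needs to be used in eap packet
 * @fils_session: fils session IE element
 * @fils_nonce: fils snonce
 * @rsn_ie: rsn ie used in auth request
 * @rsn_ie_len: rsn ie length
 * @group_mgmt_cipher_present: Check if group management cipher suite
 * is present in the FILS RSN IE
 * @ft_ie: structure to store the parsed FTIE from auth response frame
 * @pmkr0: PMKR0
 * @pmkr0_len: length of PMKR0 key
 * @pmkr0_name: PMK_R0 name derived
 * @pmkr1_name: PMKR1 Name derived
 * @fils_eap_finish_pkt: pointer to eap finish packet
 * @fils_eap_finish_pkt_len: eap finish packet length
 * @fils_rmsk: rmsk data pointer
 * @fils_rmsk_len: rmsk data length
 * @fils_pmk: pointer to pmk data
 * @fils_pmk_len: pmk length
 * @fils_pmkid: pmkid derived (inline buffer of PMKID_LEN bytes)
 * @auth_info: data obtained from auth response
 * @ick: ick (inline buffer of MAX_ICK_LEN bytes)
 * @ick_len: ick length
 * @kek: kek (inline buffer of MAX_KEK_LEN bytes)
 * @kek_len: kek length
 * @tk: tk (inline buffer of MAX_TK_LEN bytes)
 * @tk_len: tk length
 * @fils_ft: xx_key data
 * @fils_ft_len: xx_key length
 * @key_auth: data needs to be sent in assoc req, will be validated by AP
 * @key_auth_len: key auth data length
 * @ap_key_auth_data: data needs to be validated in assoc rsp
 * @ap_key_auth_len:  ap key data length
 * @gtk_len: gtk key length
 * @gtk: gtk data (inline buffer of MAX_GTK_LEN bytes)
 * @rsc: rsc value
 * @igtk_len: igtk length
 * @igtk: igtk data (inline buffer of MAX_IGTK_LEN bytes)
 * @ipn: ipn data (inline buffer of IPN_LEN bytes)
 * @dst_mac: HLP destination mac address
 * @src_mac: HLP source mac address
 * @hlp_data_len: HLP data length
 * @hlp_data: pointer to HLP data
 *
 * Review notes:
 * - The uint8_t length members can hold values up to 255, but the inline
 *   buffers they describe are smaller in several cases (@pmkr0 48,
 *   @ick 48, @kek 64, @tk 32, @fils_ft 48, @key_auth and
 *   @ap_key_auth_data 48). Any writer must bound the length by the
 *   matching *_LEN constant before copying; those checks are not visible
 *   in this header.
 * - NOTE(review): @rsn_ie holds WLAN_MAX_IE_LEN + 2 bytes while
 *   @rsn_ie_len is a uint8_t. WLAN_MAX_IE_LEN is defined outside this
 *   file; confirm that every length the buffer can hold is representable
 *   in @rsn_ie_len.
 * - NOTE(review): length members for pointer-held data use different
 *   widths (@fils_rrk_len is uint8_t, @fils_rik_len is uint32_t,
 *   @fils_erp_reauth_pkt_len is uint32_t, @fils_eap_finish_pkt_len is
 *   uint8_t). Confirm that no assignment silently truncates.
 * - NOTE(review): @rsc is a single byte, whereas KEY_RSC_LEN and
 *   FILS_KEY_RSC_LEN in this file are 8. Confirm what is stored here.
 * - This struct carries key material both inline (@pmkr0, @ick, @kek,
 *   @tk, @gtk, @igtk, @fils_ft) and behind pointers (@fils_rrk,
 *   @fils_rik, @fils_rmsk, @fils_pmk). NOTE(review): the teardown code is
 *   not visible here; confirm these are cleared before the memory is
 *   released or reused.
 */
struct pe_fils_session {
	bool is_fils_connection;
	uint8_t *keyname_nai_data;
	uint8_t keyname_nai_length;
	uint8_t akm;
	uint8_t auth;
	uint8_t cipher;
	uint8_t *fils_erp_reauth_pkt;
	uint32_t fils_erp_reauth_pkt_len;
	uint8_t *fils_rrk;
	uint8_t fils_rrk_len;
	uint8_t *fils_rik;
	uint32_t fils_rik_len;
	uint16_t sequence_number;
	uint8_t fils_session[SIR_FILS_SESSION_LENGTH];
	uint8_t fils_nonce[SIR_FILS_NONCE_LENGTH];
	uint8_t rsn_ie[WLAN_MAX_IE_LEN + 2];
	uint8_t rsn_ie_len;
	bool group_mgmt_cipher_present;
	struct mac_ft_ie ft_ie;
	uint8_t pmkr0[FILS_PMK_LEN];
	uint8_t pmkr0_len;
	uint8_t pmkr0_name[FILS_PMK_NAME_LEN];
	uint8_t pmkr1_name[FILS_PMK_NAME_LEN];
	uint8_t *fils_eap_finish_pkt;
	uint8_t fils_eap_finish_pkt_len;
	uint8_t *fils_rmsk;
	uint8_t fils_rmsk_len;
	uint8_t *fils_pmk;
	uint8_t fils_pmk_len;
	uint8_t fils_pmkid[PMKID_LEN];
	struct fils_auth_rsp_info auth_info;
	uint8_t ick[MAX_ICK_LEN];
	uint8_t ick_len;
	uint8_t kek[MAX_KEK_LEN];
	uint8_t kek_len;
	uint8_t tk[MAX_TK_LEN];
	uint8_t tk_len;
	uint8_t fils_ft[FILS_FT_MAX_LEN];
	uint8_t fils_ft_len;
	uint8_t key_auth[MAX_KEY_AUTH_DATA_LEN];
	uint8_t key_auth_len;
	uint8_t ap_key_auth_data[MAX_KEY_AUTH_DATA_LEN];
	uint8_t ap_key_auth_len;
	uint8_t gtk_len;
	uint8_t gtk[MAX_GTK_LEN];
	uint8_t rsc;
	uint8_t igtk_len;
	uint8_t igtk[MAX_IGTK_LEN];
	uint8_t ipn[IPN_LEN];
	struct qdf_mac_addr dst_mac;
	struct qdf_mac_addr src_mac;
	uint16_t hlp_data_len;
	uint8_t *hlp_data;
};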
376