1 /* 2 * WPA/RSN - Shared functions for supplicant and authenticator 3 * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/sha384.h" 16 #include "crypto/sha512.h" 17 #include "crypto/aes_wrap.h" 18 #include "crypto/crypto.h" 19 #include "ieee802_11_defs.h" 20 #include "ieee802_11_common.h" 21 #include "defs.h" 22 #include "wpa_common.h" 23 24 wpa_kck_len(int akmp,size_t pmk_len)25 static unsigned int wpa_kck_len(int akmp, size_t pmk_len) 26 { 27 switch (akmp) { 28 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 29 case WPA_KEY_MGMT_IEEE8021X_SHA384: 30 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 31 return 24; 32 case WPA_KEY_MGMT_FILS_SHA256: 33 case WPA_KEY_MGMT_FT_FILS_SHA256: 34 case WPA_KEY_MGMT_FILS_SHA384: 35 case WPA_KEY_MGMT_FT_FILS_SHA384: 36 return 0; 37 case WPA_KEY_MGMT_DPP: 38 return pmk_len / 2; 39 case WPA_KEY_MGMT_OWE: 40 return pmk_len / 2; 41 case WPA_KEY_MGMT_SAE_EXT_KEY: 42 case WPA_KEY_MGMT_FT_SAE_EXT_KEY: 43 return pmk_len / 2; 44 default: 45 return 16; 46 } 47 } 48 49 50 #ifdef CONFIG_IEEE80211R wpa_kck2_len(int akmp)51 static unsigned int wpa_kck2_len(int akmp) 52 { 53 switch (akmp) { 54 case WPA_KEY_MGMT_FT_FILS_SHA256: 55 return 16; 56 case WPA_KEY_MGMT_FT_FILS_SHA384: 57 return 24; 58 default: 59 return 0; 60 } 61 } 62 #endif /* CONFIG_IEEE80211R */ 63 64 wpa_kek_len(int akmp,size_t pmk_len)65 static unsigned int wpa_kek_len(int akmp, size_t pmk_len) 66 { 67 switch (akmp) { 68 case WPA_KEY_MGMT_FILS_SHA384: 69 case WPA_KEY_MGMT_FT_FILS_SHA384: 70 return 64; 71 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 72 case WPA_KEY_MGMT_FILS_SHA256: 73 case WPA_KEY_MGMT_FT_FILS_SHA256: 74 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 75 case WPA_KEY_MGMT_IEEE8021X_SHA384: 76 return 32; 77 case WPA_KEY_MGMT_DPP: 78 return pmk_len <= 32 ? 16 : 32; 79 case WPA_KEY_MGMT_OWE: 80 return pmk_len <= 32 ? 16 : 32; 81 case WPA_KEY_MGMT_SAE_EXT_KEY: 82 case WPA_KEY_MGMT_FT_SAE_EXT_KEY: 83 return pmk_len <= 32 ? 16 : 32; 84 default: 85 return 16; 86 } 87 } 88 89 90 #ifdef CONFIG_IEEE80211R wpa_kek2_len(int akmp)91 static unsigned int wpa_kek2_len(int akmp) 92 { 93 switch (akmp) { 94 case WPA_KEY_MGMT_FT_FILS_SHA256: 95 return 16; 96 case WPA_KEY_MGMT_FT_FILS_SHA384: 97 return 32; 98 default: 99 return 0; 100 } 101 } 102 #endif /* CONFIG_IEEE80211R */ 103 104 wpa_mic_len(int akmp,size_t pmk_len)105 unsigned int wpa_mic_len(int akmp, size_t pmk_len) 106 { 107 switch (akmp) { 108 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 109 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 110 case WPA_KEY_MGMT_IEEE8021X_SHA384: 111 return 24; 112 case WPA_KEY_MGMT_FILS_SHA256: 113 case WPA_KEY_MGMT_FILS_SHA384: 114 case WPA_KEY_MGMT_FT_FILS_SHA256: 115 case WPA_KEY_MGMT_FT_FILS_SHA384: 116 return 0; 117 case WPA_KEY_MGMT_DPP: 118 return pmk_len / 2; 119 case WPA_KEY_MGMT_OWE: 120 return pmk_len / 2; 121 case WPA_KEY_MGMT_SAE_EXT_KEY: 122 case WPA_KEY_MGMT_FT_SAE_EXT_KEY: 123 return pmk_len / 2; 124 default: 125 return 16; 126 } 127 } 128 129 130 /** 131 * wpa_use_akm_defined - Is AKM-defined Key Descriptor Version used 132 * @akmp: WPA_KEY_MGMT_* used in key derivation 133 * Returns: 1 if AKM-defined Key Descriptor Version is used; 0 otherwise 134 */ wpa_use_akm_defined(int akmp)135 int wpa_use_akm_defined(int akmp) 136 { 137 return akmp == WPA_KEY_MGMT_OWE || 138 akmp == WPA_KEY_MGMT_DPP || 139 akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 || 140 akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 || 141 wpa_key_mgmt_sae(akmp) || 142 wpa_key_mgmt_suite_b(akmp) || 143 wpa_key_mgmt_fils(akmp); 144 } 145 146 147 /** 148 * wpa_use_cmac - Is CMAC integrity algorithm used for EAPOL-Key MIC 149 * @akmp: WPA_KEY_MGMT_* used in key derivation 150 * Returns: 1 if CMAC is used; 0 otherwise 151 */ wpa_use_cmac(int akmp)152 int wpa_use_cmac(int akmp) 153 { 154 return akmp == WPA_KEY_MGMT_OWE || 155 akmp == WPA_KEY_MGMT_DPP || 156 wpa_key_mgmt_ft(akmp) || 157 wpa_key_mgmt_sha256(akmp) || 158 (wpa_key_mgmt_sae(akmp) && 159 !wpa_key_mgmt_sae_ext_key(akmp)) || 160 wpa_key_mgmt_suite_b(akmp); 161 } 162 163 164 /** 165 * wpa_use_aes_key_wrap - Is AES Keywrap algorithm used for EAPOL-Key Key Data 166 * @akmp: WPA_KEY_MGMT_* used in key derivation 167 * Returns: 1 if AES Keywrap is used; 0 otherwise 168 * 169 * Note: AKM 00-0F-AC:1 and 00-0F-AC:2 have special rules for selecting whether 170 * to use AES Keywrap based on the negotiated pairwise cipher. This function 171 * does not cover those special cases. 172 */ wpa_use_aes_key_wrap(int akmp)173 int wpa_use_aes_key_wrap(int akmp) 174 { 175 return akmp == WPA_KEY_MGMT_OWE || 176 akmp == WPA_KEY_MGMT_DPP || 177 akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 || 178 wpa_key_mgmt_ft(akmp) || 179 wpa_key_mgmt_sha256(akmp) || 180 wpa_key_mgmt_sae(akmp) || 181 wpa_key_mgmt_suite_b(akmp); 182 } 183 184 185 /** 186 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC 187 * @key: EAPOL-Key Key Confirmation Key (KCK) 188 * @key_len: KCK length in octets 189 * @akmp: WPA_KEY_MGMT_* used in key derivation 190 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*) 191 * @buf: Pointer to the beginning of the EAPOL header (version field) 192 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame) 193 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written 194 * Returns: 0 on success, -1 on failure 195 * 196 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has 197 * to be cleared (all zeroes) when calling this function. 198 * 199 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the 200 * description of the Key MIC calculation. It includes packet data from the 201 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change 202 * happened during final editing of the standard and the correct behavior is 203 * defined in the last draft (IEEE 802.11i/D10). 204 */ wpa_eapol_key_mic(const u8 * key,size_t key_len,int akmp,int ver,const u8 * buf,size_t len,u8 * mic)205 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, 206 const u8 *buf, size_t len, u8 *mic) 207 { 208 u8 hash[SHA512_MAC_LEN]; 209 210 if (key_len == 0) { 211 wpa_printf(MSG_DEBUG, 212 "WPA: KCK not set - cannot calculate MIC"); 213 return -1; 214 } 215 216 switch (ver) { 217 #ifndef CONFIG_FIPS 218 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4: 219 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-MD5"); 220 return hmac_md5(key, key_len, buf, len, mic); 221 #endif /* CONFIG_FIPS */ 222 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES: 223 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-SHA1"); 224 if (hmac_sha1(key, key_len, buf, len, hash)) 225 return -1; 226 os_memcpy(mic, hash, MD5_MAC_LEN); 227 break; 228 case WPA_KEY_INFO_TYPE_AES_128_CMAC: 229 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using AES-CMAC"); 230 return omac1_aes_128(key, buf, len, mic); 231 case WPA_KEY_INFO_TYPE_AKM_DEFINED: 232 switch (akmp) { 233 #ifdef CONFIG_SAE 234 case WPA_KEY_MGMT_SAE: 235 case WPA_KEY_MGMT_FT_SAE: 236 wpa_printf(MSG_DEBUG, 237 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)"); 238 return omac1_aes_128(key, buf, len, mic); 239 case WPA_KEY_MGMT_SAE_EXT_KEY: 240 case WPA_KEY_MGMT_FT_SAE_EXT_KEY: 241 wpa_printf(MSG_DEBUG, 242 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - SAE-EXT-KEY)", 243 (unsigned int) key_len * 8 * 2); 244 if (key_len == 128 / 8) { 245 if (hmac_sha256(key, key_len, buf, len, hash)) 246 return -1; 247 #ifdef CONFIG_SHA384 248 } else if (key_len == 192 / 8) { 249 if (hmac_sha384(key, key_len, buf, len, hash)) 250 return -1; 251 #endif /* CONFIG_SHA384 */ 252 #ifdef CONFIG_SHA512 253 } else if (key_len == 256 / 8) { 254 if (hmac_sha512(key, key_len, buf, len, hash)) 255 return -1; 256 #endif /* CONFIG_SHA512 */ 257 } else { 258 wpa_printf(MSG_INFO, 259 "SAE: Unsupported KCK length: %u", 260 (unsigned int) key_len); 261 return -1; 262 } 263 os_memcpy(mic, hash, key_len); 264 break; 265 #endif /* CONFIG_SAE */ 266 #ifdef CONFIG_SUITEB 267 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 268 wpa_printf(MSG_DEBUG, 269 "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - Suite B)"); 270 if (hmac_sha256(key, key_len, buf, len, hash)) 271 return -1; 272 os_memcpy(mic, hash, MD5_MAC_LEN); 273 break; 274 #endif /* CONFIG_SUITEB */ 275 #ifdef CONFIG_SUITEB192 276 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 277 wpa_printf(MSG_DEBUG, 278 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - Suite B 192-bit)"); 279 if (hmac_sha384(key, key_len, buf, len, hash)) 280 return -1; 281 os_memcpy(mic, hash, 24); 282 break; 283 #endif /* CONFIG_SUITEB192 */ 284 #ifdef CONFIG_OWE 285 case WPA_KEY_MGMT_OWE: 286 wpa_printf(MSG_DEBUG, 287 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - OWE)", 288 (unsigned int) key_len * 8 * 2); 289 if (key_len == 128 / 8) { 290 if (hmac_sha256(key, key_len, buf, len, hash)) 291 return -1; 292 } else if (key_len == 192 / 8) { 293 if (hmac_sha384(key, key_len, buf, len, hash)) 294 return -1; 295 } else if (key_len == 256 / 8) { 296 if (hmac_sha512(key, key_len, buf, len, hash)) 297 return -1; 298 } else { 299 wpa_printf(MSG_INFO, 300 "OWE: Unsupported KCK length: %u", 301 (unsigned int) key_len); 302 return -1; 303 } 304 os_memcpy(mic, hash, key_len); 305 break; 306 #endif /* CONFIG_OWE */ 307 #ifdef CONFIG_DPP 308 case WPA_KEY_MGMT_DPP: 309 wpa_printf(MSG_DEBUG, 310 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - DPP)", 311 (unsigned int) key_len * 8 * 2); 312 if (key_len == 128 / 8) { 313 if (hmac_sha256(key, key_len, buf, len, hash)) 314 return -1; 315 } else if (key_len == 192 / 8) { 316 if (hmac_sha384(key, key_len, buf, len, hash)) 317 return -1; 318 } else if (key_len == 256 / 8) { 319 if (hmac_sha512(key, key_len, buf, len, hash)) 320 return -1; 321 } else { 322 wpa_printf(MSG_INFO, 323 "DPP: Unsupported KCK length: %u", 324 (unsigned int) key_len); 325 return -1; 326 } 327 os_memcpy(mic, hash, key_len); 328 break; 329 #endif /* CONFIG_DPP */ 330 #ifdef CONFIG_SHA384 331 case WPA_KEY_MGMT_IEEE8021X_SHA384: 332 #ifdef CONFIG_IEEE80211R 333 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 334 #endif /* CONFIG_IEEE80211R */ 335 wpa_printf(MSG_DEBUG, 336 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - 802.1X SHA384)"); 337 if (hmac_sha384(key, key_len, buf, len, hash)) 338 return -1; 339 os_memcpy(mic, hash, 24); 340 break; 341 #endif /* CONFIG_SHA384 */ 342 default: 343 wpa_printf(MSG_DEBUG, 344 "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)", 345 akmp); 346 return -1; 347 } 348 break; 349 default: 350 wpa_printf(MSG_DEBUG, 351 "WPA: EAPOL-Key MIC algorithm not known (ver=%d)", 352 ver); 353 return -1; 354 } 355 356 return 0; 357 } 358 359 360 /** 361 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces 362 * @pmk: Pairwise master key 363 * @pmk_len: Length of PMK 364 * @label: Label to use in derivation 365 * @addr1: AA or SA 366 * @addr2: SA or AA 367 * @nonce1: ANonce or SNonce 368 * @nonce2: SNonce or ANonce 369 * @ptk: Buffer for pairwise transient key 370 * @akmp: Negotiated AKM 371 * @cipher: Negotiated pairwise cipher 372 * @kdk_len: The length in octets that should be derived for KDK 373 * Returns: 0 on success, -1 on failure 374 * 375 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 376 * PTK = PRF-X(PMK, "Pairwise key expansion", 377 * Min(AA, SA) || Max(AA, SA) || 378 * Min(ANonce, SNonce) || Max(ANonce, SNonce) 379 * [ || Z.x ]) 380 * 381 * The optional Z.x component is used only with DPP and that part is not defined 382 * in IEEE 802.11. 383 */ wpa_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const char * label,const u8 * addr1,const u8 * addr2,const u8 * nonce1,const u8 * nonce2,struct wpa_ptk * ptk,int akmp,int cipher,const u8 * z,size_t z_len,size_t kdk_len)384 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, 385 const u8 *addr1, const u8 *addr2, 386 const u8 *nonce1, const u8 *nonce2, 387 struct wpa_ptk *ptk, int akmp, int cipher, 388 const u8 *z, size_t z_len, size_t kdk_len) 389 { 390 #define MAX_Z_LEN 66 /* with NIST P-521 */ 391 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN + MAX_Z_LEN]; 392 size_t data_len = 2 * ETH_ALEN + 2 * WPA_NONCE_LEN; 393 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN + 394 WPA_KDK_MAX_LEN]; 395 size_t ptk_len; 396 #ifdef CONFIG_OWE 397 int owe_ptk_workaround = 0; 398 399 if (akmp == (WPA_KEY_MGMT_OWE | WPA_KEY_MGMT_PSK_SHA256)) { 400 owe_ptk_workaround = 1; 401 akmp = WPA_KEY_MGMT_OWE; 402 } 403 #endif /* CONFIG_OWE */ 404 405 if (pmk_len == 0) { 406 wpa_printf(MSG_ERROR, "WPA: No PMK set for PTK derivation"); 407 return -1; 408 } 409 410 if (z_len > MAX_Z_LEN) 411 return -1; 412 413 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) { 414 os_memcpy(data, addr1, ETH_ALEN); 415 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN); 416 } else { 417 os_memcpy(data, addr2, ETH_ALEN); 418 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN); 419 } 420 421 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) { 422 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN); 423 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2, 424 WPA_NONCE_LEN); 425 } else { 426 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN); 427 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1, 428 WPA_NONCE_LEN); 429 } 430 431 if (z && z_len) { 432 os_memcpy(data + 2 * ETH_ALEN + 2 * WPA_NONCE_LEN, z, z_len); 433 data_len += z_len; 434 } 435 436 if (kdk_len > WPA_KDK_MAX_LEN) { 437 wpa_printf(MSG_ERROR, 438 "WPA: KDK len=%zu exceeds max supported len", 439 kdk_len); 440 return -1; 441 } 442 443 ptk->kck_len = wpa_kck_len(akmp, pmk_len); 444 ptk->kek_len = wpa_kek_len(akmp, pmk_len); 445 ptk->tk_len = wpa_cipher_key_len(cipher); 446 ptk->kdk_len = kdk_len; 447 if (ptk->tk_len == 0) { 448 wpa_printf(MSG_ERROR, 449 "WPA: Unsupported cipher (0x%x) used in PTK derivation", 450 cipher); 451 return -1; 452 } 453 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + ptk->kdk_len; 454 455 if (wpa_key_mgmt_sha384(akmp)) { 456 #ifdef CONFIG_SHA384 457 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)"); 458 if (sha384_prf(pmk, pmk_len, label, data, data_len, 459 tmp, ptk_len) < 0) 460 return -1; 461 #else /* CONFIG_SHA384 */ 462 return -1; 463 #endif /* CONFIG_SHA384 */ 464 } else if (wpa_key_mgmt_sha256(akmp)) { 465 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); 466 if (sha256_prf(pmk, pmk_len, label, data, data_len, 467 tmp, ptk_len) < 0) 468 return -1; 469 #ifdef CONFIG_OWE 470 } else if (akmp == WPA_KEY_MGMT_OWE && (pmk_len == 32 || 471 owe_ptk_workaround)) { 472 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); 473 if (sha256_prf(pmk, pmk_len, label, data, data_len, 474 tmp, ptk_len) < 0) 475 return -1; 476 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 48) { 477 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)"); 478 if (sha384_prf(pmk, pmk_len, label, data, data_len, 479 tmp, ptk_len) < 0) 480 return -1; 481 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 64) { 482 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)"); 483 if (sha512_prf(pmk, pmk_len, label, data, data_len, 484 tmp, ptk_len) < 0) 485 return -1; 486 } else if (akmp == WPA_KEY_MGMT_OWE) { 487 wpa_printf(MSG_INFO, "OWE: Unknown PMK length %u", 488 (unsigned int) pmk_len); 489 return -1; 490 #endif /* CONFIG_OWE */ 491 #ifdef CONFIG_DPP 492 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 32) { 493 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); 494 if (sha256_prf(pmk, pmk_len, label, data, data_len, 495 tmp, ptk_len) < 0) 496 return -1; 497 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 48) { 498 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)"); 499 if (sha384_prf(pmk, pmk_len, label, data, data_len, 500 tmp, ptk_len) < 0) 501 return -1; 502 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 64) { 503 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)"); 504 if (sha512_prf(pmk, pmk_len, label, data, data_len, 505 tmp, ptk_len) < 0) 506 return -1; 507 } else if (akmp == WPA_KEY_MGMT_DPP) { 508 wpa_printf(MSG_INFO, "DPP: Unknown PMK length %u", 509 (unsigned int) pmk_len); 510 return -1; 511 #endif /* CONFIG_DPP */ 512 #ifdef CONFIG_SAE 513 } else if (wpa_key_mgmt_sae_ext_key(akmp)) { 514 if (pmk_len == 32) { 515 wpa_printf(MSG_DEBUG, 516 "SAE: PTK derivation using PRF(SHA256)"); 517 if (sha256_prf(pmk, pmk_len, label, data, data_len, 518 tmp, ptk_len) < 0) 519 return -1; 520 #ifdef CONFIG_SHA384 521 } else if (pmk_len == 48) { 522 wpa_printf(MSG_DEBUG, 523 "SAE: PTK derivation using PRF(SHA384)"); 524 if (sha384_prf(pmk, pmk_len, label, data, data_len, 525 tmp, ptk_len) < 0) 526 return -1; 527 #endif /* CONFIG_SHA384 */ 528 #ifdef CONFIG_SHA512 529 } else if (pmk_len == 64) { 530 wpa_printf(MSG_DEBUG, 531 "SAE: PTK derivation using PRF(SHA512)"); 532 if (sha512_prf(pmk, pmk_len, label, data, data_len, 533 tmp, ptk_len) < 0) 534 return -1; 535 #endif /* CONFIG_SHA512 */ 536 } else { 537 wpa_printf(MSG_INFO, "SAE: Unknown PMK length %u", 538 (unsigned int) pmk_len); 539 return -1; 540 } 541 #endif /* CONFIG_SAE */ 542 } else { 543 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA1)"); 544 if (sha1_prf(pmk, pmk_len, label, data, data_len, tmp, 545 ptk_len) < 0) 546 return -1; 547 } 548 549 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR, 550 MAC2STR(addr1), MAC2STR(addr2)); 551 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN); 552 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN); 553 if (z && z_len) 554 wpa_hexdump_key(MSG_DEBUG, "WPA: Z.x", z, z_len); 555 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len); 556 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len); 557 558 os_memcpy(ptk->kck, tmp, ptk->kck_len); 559 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len); 560 561 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 562 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 563 564 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 565 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len); 566 567 if (kdk_len) { 568 os_memcpy(ptk->kdk, tmp + ptk->kck_len + ptk->kek_len + 569 ptk->tk_len, ptk->kdk_len); 570 wpa_hexdump_key(MSG_DEBUG, "WPA: KDK", ptk->kdk, ptk->kdk_len); 571 } 572 573 ptk->kek2_len = 0; 574 ptk->kck2_len = 0; 575 576 ptk->ptk_len = ptk_len; 577 os_memset(tmp, 0, sizeof(tmp)); 578 os_memset(data, 0, data_len); 579 return 0; 580 } 581 582 #ifdef CONFIG_FILS 583 fils_rmsk_to_pmk(int akmp,const u8 * rmsk,size_t rmsk_len,const u8 * snonce,const u8 * anonce,const u8 * dh_ss,size_t dh_ss_len,u8 * pmk,size_t * pmk_len)584 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len, 585 const u8 *snonce, const u8 *anonce, const u8 *dh_ss, 586 size_t dh_ss_len, u8 *pmk, size_t *pmk_len) 587 { 588 u8 nonces[2 * FILS_NONCE_LEN]; 589 const u8 *addr[2]; 590 size_t len[2]; 591 size_t num_elem; 592 int res; 593 594 /* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */ 595 wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation"); 596 597 if (wpa_key_mgmt_sha384(akmp)) 598 *pmk_len = SHA384_MAC_LEN; 599 else if (wpa_key_mgmt_sha256(akmp)) 600 *pmk_len = SHA256_MAC_LEN; 601 else 602 return -1; 603 604 wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len); 605 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN); 606 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN); 607 wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len); 608 609 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 610 os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN); 611 addr[0] = rmsk; 612 len[0] = rmsk_len; 613 num_elem = 1; 614 if (dh_ss) { 615 addr[1] = dh_ss; 616 len[1] = dh_ss_len; 617 num_elem++; 618 } 619 if (wpa_key_mgmt_sha384(akmp)) 620 res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem, 621 addr, len, pmk); 622 else 623 res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem, 624 addr, len, pmk); 625 if (res == 0) 626 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len); 627 else 628 *pmk_len = 0; 629 return res; 630 } 631 632 fils_pmkid_erp(int akmp,const u8 * reauth,size_t reauth_len,u8 * pmkid)633 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len, 634 u8 *pmkid) 635 { 636 const u8 *addr[1]; 637 size_t len[1]; 638 u8 hash[SHA384_MAC_LEN]; 639 int res; 640 641 /* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */ 642 addr[0] = reauth; 643 len[0] = reauth_len; 644 if (wpa_key_mgmt_sha384(akmp)) 645 res = sha384_vector(1, addr, len, hash); 646 else if (wpa_key_mgmt_sha256(akmp)) 647 res = sha256_vector(1, addr, len, hash); 648 else 649 return -1; 650 if (res) 651 return res; 652 os_memcpy(pmkid, hash, PMKID_LEN); 653 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN); 654 return 0; 655 } 656 657 fils_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * aa,const u8 * snonce,const u8 * anonce,const u8 * dhss,size_t dhss_len,struct wpa_ptk * ptk,u8 * ick,size_t * ick_len,int akmp,int cipher,u8 * fils_ft,size_t * fils_ft_len,size_t kdk_len)658 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa, 659 const u8 *snonce, const u8 *anonce, const u8 *dhss, 660 size_t dhss_len, struct wpa_ptk *ptk, 661 u8 *ick, size_t *ick_len, int akmp, int cipher, 662 u8 *fils_ft, size_t *fils_ft_len, size_t kdk_len) 663 { 664 u8 *data, *pos; 665 size_t data_len; 666 u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN + 667 FILS_FT_MAX_LEN + WPA_KDK_MAX_LEN]; 668 size_t key_data_len; 669 const char *label = "FILS PTK Derivation"; 670 int ret = -1; 671 size_t offset; 672 673 /* 674 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation", 675 * SPA || AA || SNonce || ANonce [ || DHss ]) 676 * ICK = L(FILS-Key-Data, 0, ICK_bits) 677 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits) 678 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits) 679 * If doing FT initial mobility domain association: 680 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits, 681 * FILS-FT_bits) 682 * When a KDK is derived: 683 * KDK = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits + FILS-FT_bits, 684 * KDK_bits) 685 */ 686 data_len = 2 * ETH_ALEN + 2 * FILS_NONCE_LEN + dhss_len; 687 data = os_malloc(data_len); 688 if (!data) 689 goto err; 690 pos = data; 691 os_memcpy(pos, spa, ETH_ALEN); 692 pos += ETH_ALEN; 693 os_memcpy(pos, aa, ETH_ALEN); 694 pos += ETH_ALEN; 695 os_memcpy(pos, snonce, FILS_NONCE_LEN); 696 pos += FILS_NONCE_LEN; 697 os_memcpy(pos, anonce, FILS_NONCE_LEN); 698 pos += FILS_NONCE_LEN; 699 if (dhss) 700 os_memcpy(pos, dhss, dhss_len); 701 702 ptk->kck_len = 0; 703 ptk->kek_len = wpa_kek_len(akmp, pmk_len); 704 ptk->tk_len = wpa_cipher_key_len(cipher); 705 if (wpa_key_mgmt_sha384(akmp)) 706 *ick_len = 48; 707 else if (wpa_key_mgmt_sha256(akmp)) 708 *ick_len = 32; 709 else 710 goto err; 711 key_data_len = *ick_len + ptk->kek_len + ptk->tk_len; 712 713 if (kdk_len) { 714 if (kdk_len > WPA_KDK_MAX_LEN) { 715 wpa_printf(MSG_ERROR, "FILS: KDK len=%zu too big", 716 kdk_len); 717 goto err; 718 } 719 720 ptk->kdk_len = kdk_len; 721 key_data_len += kdk_len; 722 } else { 723 ptk->kdk_len = 0; 724 } 725 726 if (fils_ft && fils_ft_len) { 727 if (akmp == WPA_KEY_MGMT_FT_FILS_SHA256) { 728 *fils_ft_len = 32; 729 } else if (akmp == WPA_KEY_MGMT_FT_FILS_SHA384) { 730 *fils_ft_len = 48; 731 } else { 732 *fils_ft_len = 0; 733 fils_ft = NULL; 734 } 735 key_data_len += *fils_ft_len; 736 } 737 738 if (wpa_key_mgmt_sha384(akmp)) { 739 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA384)"); 740 if (sha384_prf(pmk, pmk_len, label, data, data_len, 741 tmp, key_data_len) < 0) 742 goto err; 743 } else { 744 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA256)"); 745 if (sha256_prf(pmk, pmk_len, label, data, data_len, 746 tmp, key_data_len) < 0) 747 goto err; 748 } 749 750 wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR 751 " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa)); 752 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN); 753 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN); 754 if (dhss) 755 wpa_hexdump_key(MSG_DEBUG, "FILS: DHss", dhss, dhss_len); 756 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len); 757 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len); 758 759 os_memcpy(ick, tmp, *ick_len); 760 offset = *ick_len; 761 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len); 762 763 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len); 764 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len); 765 offset += ptk->kek_len; 766 767 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len); 768 wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len); 769 offset += ptk->tk_len; 770 771 if (fils_ft && fils_ft_len) { 772 os_memcpy(fils_ft, tmp + offset, *fils_ft_len); 773 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-FT", 774 fils_ft, *fils_ft_len); 775 offset += *fils_ft_len; 776 } 777 778 if (ptk->kdk_len) { 779 os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len); 780 wpa_hexdump_key(MSG_DEBUG, "FILS: KDK", ptk->kdk, ptk->kdk_len); 781 } 782 783 ptk->kek2_len = 0; 784 ptk->kck2_len = 0; 785 786 os_memset(tmp, 0, sizeof(tmp)); 787 ret = 0; 788 err: 789 bin_clear_free(data, data_len); 790 return ret; 791 } 792 793 fils_key_auth_sk(const u8 * ick,size_t ick_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * g_sta,size_t g_sta_len,const u8 * g_ap,size_t g_ap_len,int akmp,u8 * key_auth_sta,u8 * key_auth_ap,size_t * key_auth_len)794 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce, 795 const u8 *anonce, const u8 *sta_addr, const u8 *bssid, 796 const u8 *g_sta, size_t g_sta_len, 797 const u8 *g_ap, size_t g_ap_len, 798 int akmp, u8 *key_auth_sta, u8 *key_auth_ap, 799 size_t *key_auth_len) 800 { 801 const u8 *addr[6]; 802 size_t len[6]; 803 size_t num_elem = 4; 804 int res; 805 806 wpa_printf(MSG_DEBUG, "FILS: Key-Auth derivation: STA-MAC=" MACSTR 807 " AP-BSSID=" MACSTR, MAC2STR(sta_addr), MAC2STR(bssid)); 808 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, ick_len); 809 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN); 810 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN); 811 wpa_hexdump(MSG_DEBUG, "FILS: gSTA", g_sta, g_sta_len); 812 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len); 813 814 /* 815 * For (Re)Association Request frame (STA->AP): 816 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID 817 * [ || gSTA || gAP ]) 818 */ 819 addr[0] = snonce; 820 len[0] = FILS_NONCE_LEN; 821 addr[1] = anonce; 822 len[1] = FILS_NONCE_LEN; 823 addr[2] = sta_addr; 824 len[2] = ETH_ALEN; 825 addr[3] = bssid; 826 len[3] = ETH_ALEN; 827 if (g_sta && g_sta_len && g_ap && g_ap_len) { 828 addr[4] = g_sta; 829 len[4] = g_sta_len; 830 addr[5] = g_ap; 831 len[5] = g_ap_len; 832 num_elem = 6; 833 } 834 835 if (wpa_key_mgmt_sha384(akmp)) { 836 *key_auth_len = 48; 837 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len, 838 key_auth_sta); 839 } else if (wpa_key_mgmt_sha256(akmp)) { 840 *key_auth_len = 32; 841 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len, 842 key_auth_sta); 843 } else { 844 return -1; 845 } 846 if (res < 0) 847 return res; 848 849 /* 850 * For (Re)Association Response frame (AP->STA): 851 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC 852 * [ || gAP || gSTA ]) 853 */ 854 addr[0] = anonce; 855 addr[1] = snonce; 856 addr[2] = bssid; 857 addr[3] = sta_addr; 858 if (g_sta && g_sta_len && g_ap && g_ap_len) { 859 addr[4] = g_ap; 860 len[4] = g_ap_len; 861 addr[5] = g_sta; 862 len[5] = g_sta_len; 863 } 864 865 if (wpa_key_mgmt_sha384(akmp)) 866 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len, 867 key_auth_ap); 868 else if (wpa_key_mgmt_sha256(akmp)) 869 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len, 870 key_auth_ap); 871 if (res < 0) 872 return res; 873 874 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)", 875 key_auth_sta, *key_auth_len); 876 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)", 877 key_auth_ap, *key_auth_len); 878 879 return 0; 880 } 881 882 #endif /* CONFIG_FILS */ 883 884 885 #ifdef CONFIG_IEEE80211R wpa_ft_mic(int key_mgmt,const u8 * kck,size_t kck_len,const u8 * sta_addr,const u8 * ap_addr,u8 transaction_seqnum,const u8 * mdie,size_t mdie_len,const u8 * ftie,size_t ftie_len,const u8 * rsnie,size_t rsnie_len,const u8 * ric,size_t ric_len,const u8 * rsnxe,size_t rsnxe_len,const struct wpabuf * extra,u8 * mic)886 int wpa_ft_mic(int key_mgmt, const u8 *kck, size_t kck_len, const u8 *sta_addr, 887 const u8 *ap_addr, u8 transaction_seqnum, 888 const u8 *mdie, size_t mdie_len, 889 const u8 *ftie, size_t ftie_len, 890 const u8 *rsnie, size_t rsnie_len, 891 const u8 *ric, size_t ric_len, 892 const u8 *rsnxe, size_t rsnxe_len, 893 const struct wpabuf *extra, 894 u8 *mic) 895 { 896 const u8 *addr[11]; 897 size_t len[11]; 898 size_t i, num_elem = 0; 899 u8 zero_mic[32]; 900 size_t mic_len, fte_fixed_len; 901 int res; 902 903 if (kck_len == 16) { 904 mic_len = 16; 905 #ifdef CONFIG_SHA384 906 } else if (kck_len == 24) { 907 mic_len = 24; 908 #endif /* CONFIG_SHA384 */ 909 #ifdef CONFIG_SHA512 910 } else if (kck_len == 32) { 911 mic_len = 32; 912 #endif /* CONFIG_SHA512 */ 913 } else { 914 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u", 915 (unsigned int) kck_len); 916 return -1; 917 } 918 919 fte_fixed_len = sizeof(struct rsn_ftie) - 16 + mic_len; 920 921 addr[num_elem] = sta_addr; 922 len[num_elem] = ETH_ALEN; 923 num_elem++; 924 925 addr[num_elem] = ap_addr; 926 len[num_elem] = ETH_ALEN; 927 num_elem++; 928 929 addr[num_elem] = &transaction_seqnum; 930 len[num_elem] = 1; 931 num_elem++; 932 933 if (rsnie) { 934 addr[num_elem] = rsnie; 935 len[num_elem] = rsnie_len; 936 num_elem++; 937 } 938 if (mdie) { 939 addr[num_elem] = mdie; 940 len[num_elem] = mdie_len; 941 num_elem++; 942 } 943 if (ftie) { 944 if (ftie_len < 2 + fte_fixed_len) 945 return -1; 946 947 /* IE hdr and mic_control */ 948 addr[num_elem] = ftie; 949 len[num_elem] = 2 + 2; 950 num_elem++; 951 952 /* MIC field with all zeros */ 953 os_memset(zero_mic, 0, mic_len); 954 addr[num_elem] = zero_mic; 955 len[num_elem] = mic_len; 956 num_elem++; 957 958 /* Rest of FTIE */ 959 addr[num_elem] = ftie + 2 + 2 + mic_len; 960 len[num_elem] = ftie_len - (2 + 2 + mic_len); 961 num_elem++; 962 } 963 if (ric) { 964 addr[num_elem] = ric; 965 len[num_elem] = ric_len; 966 num_elem++; 967 } 968 969 if (rsnxe) { 970 addr[num_elem] = rsnxe; 971 len[num_elem] = rsnxe_len; 972 num_elem++; 973 } 974 975 if (extra) { 976 addr[num_elem] = wpabuf_head(extra); 977 len[num_elem] = wpabuf_len(extra); 978 num_elem++; 979 } 980 981 for (i = 0; i < num_elem; i++) 982 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]); 983 res = -1; 984 #ifdef CONFIG_SHA512 985 if (kck_len == 32) { 986 u8 hash[SHA512_MAC_LEN]; 987 988 if (hmac_sha512_vector(kck, kck_len, num_elem, addr, len, hash)) 989 return -1; 990 os_memcpy(mic, hash, 32); 991 res = 0; 992 } 993 #endif /* CONFIG_SHA384 */ 994 #ifdef CONFIG_SHA384 995 if (kck_len == 24) { 996 u8 hash[SHA384_MAC_LEN]; 997 998 if (hmac_sha384_vector(kck, kck_len, num_elem, addr, len, hash)) 999 return -1; 1000 os_memcpy(mic, hash, 24); 1001 res = 0; 1002 } 1003 #endif /* CONFIG_SHA384 */ 1004 if (kck_len == 16 && key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) { 1005 u8 hash[SHA256_MAC_LEN]; 1006 1007 if (hmac_sha256_vector(kck, kck_len, num_elem, addr, len, hash)) 1008 return -1; 1009 os_memcpy(mic, hash, 16); 1010 res = 0; 1011 } 1012 if (kck_len == 16 && key_mgmt != WPA_KEY_MGMT_FT_SAE_EXT_KEY && 1013 omac1_aes_128_vector(kck, num_elem, addr, len, mic) == 0) 1014 res = 0; 1015 1016 return res; 1017 } 1018 1019 wpa_ft_parse_ftie(const u8 * ie,size_t ie_len,struct wpa_ft_ies * parse,const u8 * opt)1020 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len, 1021 struct wpa_ft_ies *parse, const u8 *opt) 1022 { 1023 const u8 *end, *pos; 1024 u8 link_id; 1025 1026 pos = opt; 1027 end = ie + ie_len; 1028 wpa_hexdump(MSG_DEBUG, "FT: Parse FTE subelements", pos, end - pos); 1029 1030 while (end - pos >= 2) { 1031 u8 id, len; 1032 1033 id = *pos++; 1034 len = *pos++; 1035 if (len > end - pos) { 1036 wpa_printf(MSG_DEBUG, "FT: Truncated subelement"); 1037 return -1; 1038 } 1039 1040 switch (id) { 1041 case FTIE_SUBELEM_R1KH_ID: 1042 if (len != FT_R1KH_ID_LEN) { 1043 wpa_printf(MSG_DEBUG, 1044 "FT: Invalid R1KH-ID length in FTIE: %d", 1045 len); 1046 return -1; 1047 } 1048 parse->r1kh_id = pos; 1049 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", 1050 parse->r1kh_id, FT_R1KH_ID_LEN); 1051 break; 1052 case FTIE_SUBELEM_GTK: 1053 wpa_printf(MSG_DEBUG, "FT: GTK"); 1054 parse->gtk = pos; 1055 parse->gtk_len = len; 1056 break; 1057 case FTIE_SUBELEM_R0KH_ID: 1058 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) { 1059 wpa_printf(MSG_DEBUG, 1060 "FT: Invalid R0KH-ID length in FTIE: %d", 1061 len); 1062 return -1; 1063 } 1064 parse->r0kh_id = pos; 1065 parse->r0kh_id_len = len; 1066 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID", 1067 parse->r0kh_id, parse->r0kh_id_len); 1068 break; 1069 case FTIE_SUBELEM_IGTK: 1070 wpa_printf(MSG_DEBUG, "FT: IGTK"); 1071 parse->igtk = pos; 1072 parse->igtk_len = len; 1073 break; 1074 #ifdef CONFIG_OCV 1075 case FTIE_SUBELEM_OCI: 1076 parse->oci = pos; 1077 parse->oci_len = len; 1078 wpa_hexdump(MSG_DEBUG, "FT: OCI", 1079 parse->oci, parse->oci_len); 1080 break; 1081 #endif /* CONFIG_OCV */ 1082 case FTIE_SUBELEM_BIGTK: 1083 wpa_printf(MSG_DEBUG, "FT: BIGTK"); 1084 parse->bigtk = pos; 1085 parse->bigtk_len = len; 1086 break; 1087 case FTIE_SUBELEM_MLO_GTK: 1088 if (len < 2 + 1 + 1 + 8) { 1089 wpa_printf(MSG_DEBUG, 1090 "FT: Too short MLO GTK in FTE"); 1091 return -1; 1092 } 1093 link_id = pos[2] & 0x0f; 1094 wpa_printf(MSG_DEBUG, "FT: MLO GTK (Link ID %u)", 1095 link_id); 1096 if (link_id >= MAX_NUM_MLD_LINKS) 1097 break; 1098 parse->valid_mlo_gtks |= BIT(link_id); 1099 parse->mlo_gtk[link_id] = pos; 1100 parse->mlo_gtk_len[link_id] = len; 1101 break; 1102 case FTIE_SUBELEM_MLO_IGTK: 1103 if (len < 2 + 6 + 1 + 1) { 1104 wpa_printf(MSG_DEBUG, 1105 "FT: Too short MLO IGTK in FTE"); 1106 return -1; 1107 } 1108 link_id = pos[2 + 6] & 0x0f; 1109 wpa_printf(MSG_DEBUG, "FT: MLO IGTK (Link ID %u)", 1110 link_id); 1111 if (link_id >= MAX_NUM_MLD_LINKS) 1112 break; 1113 parse->valid_mlo_igtks |= BIT(link_id); 1114 parse->mlo_igtk[link_id] = pos; 1115 parse->mlo_igtk_len[link_id] = len; 1116 break; 1117 case FTIE_SUBELEM_MLO_BIGTK: 1118 if (len < 2 + 6 + 1 + 1) { 1119 wpa_printf(MSG_DEBUG, 1120 "FT: Too short MLO BIGTK in FTE"); 1121 return -1; 1122 } 1123 link_id = pos[2 + 6] & 0x0f; 1124 wpa_printf(MSG_DEBUG, "FT: MLO BIGTK (Link ID %u)", 1125 link_id); 1126 if (link_id >= MAX_NUM_MLD_LINKS) 1127 break; 1128 parse->valid_mlo_bigtks |= BIT(link_id); 1129 parse->mlo_bigtk[link_id] = pos; 1130 parse->mlo_bigtk_len[link_id] = len; 1131 break; 1132 default: 1133 wpa_printf(MSG_DEBUG, "FT: Unknown subelem id %u", id); 1134 break; 1135 } 1136 1137 pos += len; 1138 } 1139 1140 return 0; 1141 } 1142 1143 wpa_ft_parse_fte(int key_mgmt,const u8 * ie,size_t len,struct wpa_ft_ies * parse)1144 static int wpa_ft_parse_fte(int key_mgmt, const u8 *ie, size_t len, 1145 struct wpa_ft_ies *parse) 1146 { 1147 size_t mic_len; 1148 u8 mic_len_info; 1149 const u8 *pos = ie; 1150 const u8 *end = pos + len; 1151 1152 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control", pos, 2); 1153 parse->fte_rsnxe_used = pos[0] & FTE_MIC_CTRL_RSNXE_USED; 1154 mic_len_info = (pos[0] & FTE_MIC_CTRL_MIC_LEN_MASK) >> 1155 FTE_MIC_CTRL_MIC_LEN_SHIFT; 1156 parse->fte_elem_count = pos[1]; 1157 pos += 2; 1158 1159 if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) { 1160 switch (mic_len_info) { 1161 case FTE_MIC_LEN_16: 1162 mic_len = 16; 1163 break; 1164 case FTE_MIC_LEN_24: 1165 mic_len = 24; 1166 break; 1167 case FTE_MIC_LEN_32: 1168 mic_len = 32; 1169 break; 1170 default: 1171 wpa_printf(MSG_DEBUG, 1172 "FT: Unknown MIC Length subfield value %u", 1173 mic_len_info); 1174 return -1; 1175 } 1176 } else { 1177 mic_len = wpa_key_mgmt_sha384(key_mgmt) ? 24 : 16; 1178 } 1179 if (mic_len > (size_t) (end - pos)) { 1180 wpa_printf(MSG_DEBUG, "FT: No room for %zu octet MIC in FTE", 1181 mic_len); 1182 return -1; 1183 } 1184 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC", pos, mic_len); 1185 parse->fte_mic = pos; 1186 parse->fte_mic_len = mic_len; 1187 pos += mic_len; 1188 1189 if (2 * WPA_NONCE_LEN > end - pos) 1190 return -1; 1191 parse->fte_anonce = pos; 1192 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce", 1193 parse->fte_anonce, WPA_NONCE_LEN); 1194 pos += WPA_NONCE_LEN; 1195 parse->fte_snonce = pos; 1196 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce", 1197 parse->fte_snonce, WPA_NONCE_LEN); 1198 pos += WPA_NONCE_LEN; 1199 1200 return wpa_ft_parse_ftie(ie, len, parse, pos); 1201 } 1202 1203 wpa_ft_parse_ies(const u8 * ies,size_t ies_len,struct wpa_ft_ies * parse,int key_mgmt,bool reassoc_resp)1204 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, struct wpa_ft_ies *parse, 1205 int key_mgmt, bool reassoc_resp) 1206 { 1207 const u8 *end, *pos; 1208 struct wpa_ie_data data; 1209 int ret; 1210 int prot_ie_count = 0; 1211 const u8 *fte = NULL; 1212 size_t fte_len = 0; 1213 bool is_fte = false; 1214 struct ieee802_11_elems elems; 1215 1216 os_memset(parse, 0, sizeof(*parse)); 1217 if (ies == NULL) 1218 return 0; 1219 1220 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == ParseFailed) { 1221 wpa_printf(MSG_DEBUG, "FT: Failed to parse elements"); 1222 goto fail; 1223 } 1224 1225 pos = ies; 1226 end = ies + ies_len; 1227 while (end - pos >= 2) { 1228 u8 id, len; 1229 1230 id = *pos++; 1231 len = *pos++; 1232 if (len > end - pos) 1233 break; 1234 1235 if (id != WLAN_EID_FAST_BSS_TRANSITION && 1236 id != WLAN_EID_FRAGMENT) 1237 is_fte = false; 1238 1239 switch (id) { 1240 case WLAN_EID_RSN: 1241 wpa_hexdump(MSG_DEBUG, "FT: RSNE", pos, len); 1242 parse->rsn = pos; 1243 parse->rsn_len = len; 1244 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2, 1245 parse->rsn_len + 2, 1246 &data); 1247 if (ret < 0) { 1248 wpa_printf(MSG_DEBUG, "FT: Failed to parse " 1249 "RSN IE: %d", ret); 1250 goto fail; 1251 } 1252 parse->rsn_capab = data.capabilities; 1253 if (data.num_pmkid == 1 && data.pmkid) 1254 parse->rsn_pmkid = data.pmkid; 1255 parse->key_mgmt = data.key_mgmt; 1256 parse->pairwise_cipher = data.pairwise_cipher; 1257 if (!key_mgmt) 1258 key_mgmt = parse->key_mgmt; 1259 break; 1260 case WLAN_EID_RSNX: 1261 wpa_hexdump(MSG_DEBUG, "FT: RSNXE", pos, len); 1262 if (len < 1) 1263 break; 1264 parse->rsnxe = pos; 1265 parse->rsnxe_len = len; 1266 break; 1267 case WLAN_EID_MOBILITY_DOMAIN: 1268 wpa_hexdump(MSG_DEBUG, "FT: MDE", pos, len); 1269 if (len < sizeof(struct rsn_mdie)) 1270 goto fail; 1271 parse->mdie = pos; 1272 parse->mdie_len = len; 1273 break; 1274 case WLAN_EID_FAST_BSS_TRANSITION: 1275 wpa_hexdump(MSG_DEBUG, "FT: FTE", pos, len); 1276 /* The first two octets (MIC Control field) is in the 1277 * same offset for all cases, but the second field (MIC) 1278 * has variable length with three different values. 1279 * In particular the FT-SAE-EXT-KEY is inconvinient to 1280 * parse, so try to handle this in pieces instead of 1281 * using the struct rsn_ftie* definitions. */ 1282 1283 if (len < 2) 1284 goto fail; 1285 prot_ie_count = pos[1]; /* Element Count field in 1286 * MIC Control */ 1287 is_fte = true; 1288 fte = pos; 1289 fte_len = len; 1290 break; 1291 case WLAN_EID_FRAGMENT: 1292 if (is_fte) { 1293 wpa_hexdump(MSG_DEBUG, "FT: FTE fragment", 1294 pos, len); 1295 fte_len += 2 + len; 1296 } 1297 break; 1298 case WLAN_EID_TIMEOUT_INTERVAL: 1299 wpa_hexdump(MSG_DEBUG, "FT: Timeout Interval", 1300 pos, len); 1301 if (len != 5) 1302 break; 1303 parse->tie = pos; 1304 parse->tie_len = len; 1305 break; 1306 case WLAN_EID_RIC_DATA: 1307 if (parse->ric == NULL) 1308 parse->ric = pos - 2; 1309 break; 1310 } 1311 1312 pos += len; 1313 } 1314 1315 if (fte) { 1316 int res; 1317 1318 if (fte_len < 255) { 1319 res = wpa_ft_parse_fte(key_mgmt, fte, fte_len, parse); 1320 } else { 1321 parse->fte_buf = ieee802_11_defrag(fte, fte_len, false); 1322 if (!parse->fte_buf) 1323 goto fail; 1324 res = wpa_ft_parse_fte(key_mgmt, 1325 wpabuf_head(parse->fte_buf), 1326 wpabuf_len(parse->fte_buf), 1327 parse); 1328 } 1329 if (res < 0) 1330 goto fail; 1331 1332 /* FTE might be fragmented. If it is, the separate Fragment 1333 * elements are included in MIC calculation as full elements. */ 1334 parse->ftie = fte; 1335 parse->ftie_len = fte_len; 1336 } 1337 1338 if (prot_ie_count == 0) 1339 return 0; /* no MIC */ 1340 1341 /* 1342 * Check that the protected IE count matches with IEs included in the 1343 * frame. 1344 */ 1345 if (reassoc_resp && elems.basic_mle) { 1346 unsigned int link_id; 1347 1348 /* TODO: This count should be done based on all _requested_, 1349 * not _accepted_ links. */ 1350 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) { 1351 if (parse->mlo_gtk[link_id]) { 1352 if (parse->rsn) 1353 prot_ie_count--; 1354 if (parse->rsnxe) 1355 prot_ie_count--; 1356 } 1357 } 1358 } else { 1359 if (parse->rsn) 1360 prot_ie_count--; 1361 if (parse->rsnxe) 1362 prot_ie_count--; 1363 } 1364 if (parse->mdie) 1365 prot_ie_count--; 1366 if (parse->ftie) 1367 prot_ie_count--; 1368 if (prot_ie_count < 0) { 1369 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in " 1370 "the protected IE count"); 1371 goto fail; 1372 } 1373 1374 if (prot_ie_count == 0 && parse->ric) { 1375 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not " 1376 "included in protected IE count"); 1377 goto fail; 1378 } 1379 1380 /* Determine the end of the RIC IE(s) */ 1381 if (parse->ric) { 1382 pos = parse->ric; 1383 while (end - pos >= 2 && 2 + pos[1] <= end - pos && 1384 prot_ie_count) { 1385 prot_ie_count--; 1386 pos += 2 + pos[1]; 1387 } 1388 parse->ric_len = pos - parse->ric; 1389 } 1390 if (prot_ie_count) { 1391 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from " 1392 "frame", (int) prot_ie_count); 1393 goto fail; 1394 } 1395 1396 return 0; 1397 1398 fail: 1399 wpa_ft_parse_ies_free(parse); 1400 return -1; 1401 } 1402 1403 wpa_ft_parse_ies_free(struct wpa_ft_ies * parse)1404 void wpa_ft_parse_ies_free(struct wpa_ft_ies *parse) 1405 { 1406 if (!parse) 1407 return; 1408 wpabuf_free(parse->fte_buf); 1409 parse->fte_buf = NULL; 1410 } 1411 1412 #endif /* CONFIG_IEEE80211R */ 1413 1414 1415 #ifdef CONFIG_PASN 1416 1417 /* 1418 * pasn_use_sha384 - Should SHA384 be used or SHA256 1419 * 1420 * @akmp: Authentication and key management protocol 1421 * @cipher: The cipher suite 1422 * 1423 * According to IEEE P802.11az/D2.7, 12.12.7, the hash algorithm to use is the 1424 * hash algorithm defined for the Base AKM (see Table 9-151 (AKM suite 1425 * selectors)). When there is no Base AKM, the hash algorithm is selected based 1426 * on the pairwise cipher suite provided in the RSNE by the AP in the second 1427 * PASN frame. SHA-256 is used as the hash algorithm, except for the ciphers 1428 * 00-0F-AC:9 and 00-0F-AC:10 for which SHA-384 is used. 1429 */ pasn_use_sha384(int akmp,int cipher)1430 bool pasn_use_sha384(int akmp, int cipher) 1431 { 1432 return (akmp == WPA_KEY_MGMT_PASN && (cipher == WPA_CIPHER_CCMP_256 || 1433 cipher == WPA_CIPHER_GCMP_256)) || 1434 wpa_key_mgmt_sha384(akmp); 1435 } 1436 1437 1438 /** 1439 * pasn_pmk_to_ptk - Calculate PASN PTK from PMK, addresses, etc. 1440 * @pmk: Pairwise master key 1441 * @pmk_len: Length of PMK 1442 * @spa: Suppplicant address 1443 * @bssid: AP BSSID 1444 * @dhss: Is the shared secret (DHss) derived from the PASN ephemeral key 1445 * exchange encoded as an octet string 1446 * @dhss_len: The length of dhss in octets 1447 * @ptk: Buffer for pairwise transient key 1448 * @akmp: Negotiated AKM 1449 * @cipher: Negotiated pairwise cipher 1450 * @kdk_len: the length in octets that should be derived for HTLK. Can be zero. 1451 * @kek_len: The length in octets that should be derived for KEK. Can be zero. 1452 * Returns: 0 on success, -1 on failure 1453 */ pasn_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * bssid,const u8 * dhss,size_t dhss_len,struct wpa_ptk * ptk,int akmp,int cipher,size_t kdk_len,size_t kek_len)1454 int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len, 1455 const u8 *spa, const u8 *bssid, 1456 const u8 *dhss, size_t dhss_len, 1457 struct wpa_ptk *ptk, int akmp, int cipher, 1458 size_t kdk_len, size_t kek_len) 1459 { 1460 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN + 1461 WPA_KDK_MAX_LEN]; 1462 const u8 *pos; 1463 u8 *data; 1464 size_t data_len, ptk_len; 1465 int ret = -1; 1466 const char *label = "PASN PTK Derivation"; 1467 1468 if (!pmk || !pmk_len) { 1469 wpa_printf(MSG_ERROR, "PASN: No PMK set for PTK derivation"); 1470 return -1; 1471 } 1472 1473 if (!dhss || !dhss_len) { 1474 wpa_printf(MSG_ERROR, "PASN: No DHss set for PTK derivation"); 1475 return -1; 1476 } 1477 1478 /* 1479 * PASN-PTK = KDF(PMK, “PASN PTK Derivation”, SPA || BSSID || DHss) 1480 * 1481 * KCK = L(PASN-PTK, 0, 256) 1482 * TK = L(PASN-PTK, 256, TK_bits) 1483 * KDK = L(PASN-PTK, 256 + TK_bits, kdk_len * 8) 1484 */ 1485 data_len = 2 * ETH_ALEN + dhss_len; 1486 data = os_zalloc(data_len); 1487 if (!data) 1488 return -1; 1489 1490 os_memcpy(data, spa, ETH_ALEN); 1491 os_memcpy(data + ETH_ALEN, bssid, ETH_ALEN); 1492 os_memcpy(data + 2 * ETH_ALEN, dhss, dhss_len); 1493 1494 ptk->kck_len = WPA_PASN_KCK_LEN; 1495 ptk->tk_len = wpa_cipher_key_len(cipher); 1496 ptk->kdk_len = kdk_len; 1497 ptk->kek_len = kek_len; 1498 ptk->kek2_len = 0; 1499 ptk->kck2_len = 0; 1500 1501 if (ptk->tk_len == 0) { 1502 wpa_printf(MSG_ERROR, 1503 "PASN: Unsupported cipher (0x%x) used in PTK derivation", 1504 cipher); 1505 goto err; 1506 } 1507 1508 ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len + ptk->kek_len; 1509 if (ptk_len > sizeof(tmp)) 1510 goto err; 1511 1512 if (pasn_use_sha384(akmp, cipher)) { 1513 wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA384"); 1514 1515 if (sha384_prf(pmk, pmk_len, label, data, data_len, tmp, 1516 ptk_len) < 0) 1517 goto err; 1518 } else { 1519 wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA256"); 1520 1521 if (sha256_prf(pmk, pmk_len, label, data, data_len, tmp, 1522 ptk_len) < 0) 1523 goto err; 1524 } 1525 1526 wpa_printf(MSG_DEBUG, 1527 "PASN: PTK derivation: SPA=" MACSTR " BSSID=" MACSTR, 1528 MAC2STR(spa), MAC2STR(bssid)); 1529 1530 wpa_hexdump_key(MSG_DEBUG, "PASN: DHss", dhss, dhss_len); 1531 wpa_hexdump_key(MSG_DEBUG, "PASN: PMK", pmk, pmk_len); 1532 wpa_hexdump_key(MSG_DEBUG, "PASN: PASN-PTK", tmp, ptk_len); 1533 1534 os_memcpy(ptk->kck, tmp, WPA_PASN_KCK_LEN); 1535 wpa_hexdump_key(MSG_DEBUG, "PASN: KCK:", ptk->kck, WPA_PASN_KCK_LEN); 1536 pos = &tmp[WPA_PASN_KCK_LEN]; 1537 1538 if (kek_len) { 1539 os_memcpy(ptk->kek, pos, kek_len); 1540 wpa_hexdump_key(MSG_DEBUG, "PASN: KEK:", 1541 ptk->kek, ptk->kek_len); 1542 pos += kek_len; 1543 } 1544 1545 os_memcpy(ptk->tk, pos, ptk->tk_len); 1546 wpa_hexdump_key(MSG_DEBUG, "PASN: TK:", ptk->tk, ptk->tk_len); 1547 pos += ptk->tk_len; 1548 1549 if (kdk_len) { 1550 os_memcpy(ptk->kdk, pos, ptk->kdk_len); 1551 wpa_hexdump_key(MSG_DEBUG, "PASN: KDK:", 1552 ptk->kdk, ptk->kdk_len); 1553 } 1554 1555 ptk->ptk_len = ptk_len; 1556 forced_memzero(tmp, sizeof(tmp)); 1557 ret = 0; 1558 err: 1559 bin_clear_free(data, data_len); 1560 return ret; 1561 } 1562 1563 1564 /* 1565 * pasn_mic_len - Returns the MIC length for PASN authentication 1566 */ pasn_mic_len(int akmp,int cipher)1567 u8 pasn_mic_len(int akmp, int cipher) 1568 { 1569 if (pasn_use_sha384(akmp, cipher)) 1570 return 24; 1571 1572 return 16; 1573 } 1574 1575 1576 /** 1577 * wpa_ltf_keyseed - Compute LTF keyseed from KDK 1578 * @ptk: Buffer that holds pairwise transient key 1579 * @akmp: Negotiated AKM 1580 * @cipher: Negotiated pairwise cipher 1581 * Returns: 0 on success, -1 on failure 1582 */ wpa_ltf_keyseed(struct wpa_ptk * ptk,int akmp,int cipher)1583 int wpa_ltf_keyseed(struct wpa_ptk *ptk, int akmp, int cipher) 1584 { 1585 u8 *buf; 1586 size_t buf_len; 1587 u8 hash[SHA384_MAC_LEN]; 1588 const u8 *kdk = ptk->kdk; 1589 size_t kdk_len = ptk->kdk_len; 1590 const char *label = "Secure LTF key seed"; 1591 1592 if (!kdk || !kdk_len) { 1593 wpa_printf(MSG_ERROR, "WPA: No KDK for LTF keyseed generation"); 1594 return -1; 1595 } 1596 1597 buf = (u8 *)label; 1598 buf_len = os_strlen(label); 1599 1600 if (pasn_use_sha384(akmp, cipher)) { 1601 wpa_printf(MSG_DEBUG, 1602 "WPA: Secure LTF keyseed using HMAC-SHA384"); 1603 1604 if (hmac_sha384(kdk, kdk_len, buf, buf_len, hash)) { 1605 wpa_printf(MSG_ERROR, 1606 "WPA: HMAC-SHA384 compute failed"); 1607 return -1; 1608 } 1609 os_memcpy(ptk->ltf_keyseed, hash, SHA384_MAC_LEN); 1610 ptk->ltf_keyseed_len = SHA384_MAC_LEN; 1611 wpa_hexdump_key(MSG_DEBUG, "WPA: Secure LTF keyseed: ", 1612 ptk->ltf_keyseed, ptk->ltf_keyseed_len); 1613 1614 } else { 1615 wpa_printf(MSG_DEBUG, "WPA: LTF keyseed using HMAC-SHA256"); 1616 1617 if (hmac_sha256(kdk, kdk_len, buf, buf_len, hash)) { 1618 wpa_printf(MSG_ERROR, 1619 "WPA: HMAC-SHA256 compute failed"); 1620 return -1; 1621 } 1622 os_memcpy(ptk->ltf_keyseed, hash, SHA256_MAC_LEN); 1623 ptk->ltf_keyseed_len = SHA256_MAC_LEN; 1624 wpa_hexdump_key(MSG_DEBUG, "WPA: Secure LTF keyseed: ", 1625 ptk->ltf_keyseed, ptk->ltf_keyseed_len); 1626 } 1627 1628 return 0; 1629 } 1630 1631 1632 /** 1633 * pasn_mic - Calculate PASN MIC 1634 * @kck: The key confirmation key for the PASN PTKSA 1635 * @akmp: Negotiated AKM 1636 * @cipher: Negotiated pairwise cipher 1637 * @addr1: For the 2nd PASN frame supplicant address; for the 3rd frame the 1638 * BSSID 1639 * @addr2: For the 2nd PASN frame the BSSID; for the 3rd frame the supplicant 1640 * address 1641 * @data: For calculating the MIC for the 2nd PASN frame, this should hold the 1642 * Beacon frame RSNE + RSNXE. For calculating the MIC for the 3rd PASN 1643 * frame, this should hold the hash of the body of the PASN 1st frame. 1644 * @data_len: The length of data 1645 * @frame: The body of the PASN frame including the MIC element with the octets 1646 * in the MIC field of the MIC element set to 0. 1647 * @frame_len: The length of frame 1648 * @mic: Buffer to hold the MIC on success. Should be big enough to handle the 1649 * maximal MIC length 1650 * Returns: 0 on success, -1 on failure 1651 */ pasn_mic(const u8 * kck,int akmp,int cipher,const u8 * addr1,const u8 * addr2,const u8 * data,size_t data_len,const u8 * frame,size_t frame_len,u8 * mic)1652 int pasn_mic(const u8 *kck, int akmp, int cipher, 1653 const u8 *addr1, const u8 *addr2, 1654 const u8 *data, size_t data_len, 1655 const u8 *frame, size_t frame_len, u8 *mic) 1656 { 1657 u8 *buf; 1658 u8 hash[SHA384_MAC_LEN]; 1659 size_t buf_len = 2 * ETH_ALEN + data_len + frame_len; 1660 int ret = -1; 1661 1662 if (!kck) { 1663 wpa_printf(MSG_ERROR, "PASN: No KCK for MIC calculation"); 1664 return -1; 1665 } 1666 1667 if (!data || !data_len) { 1668 wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation"); 1669 return -1; 1670 } 1671 1672 if (!frame || !frame_len) { 1673 wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation"); 1674 return -1; 1675 } 1676 1677 buf = os_zalloc(buf_len); 1678 if (!buf) 1679 return -1; 1680 1681 os_memcpy(buf, addr1, ETH_ALEN); 1682 os_memcpy(buf + ETH_ALEN, addr2, ETH_ALEN); 1683 1684 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: data", data, data_len); 1685 os_memcpy(buf + 2 * ETH_ALEN, data, data_len); 1686 1687 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: frame", frame, frame_len); 1688 os_memcpy(buf + 2 * ETH_ALEN + data_len, frame, frame_len); 1689 1690 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: KCK", kck, WPA_PASN_KCK_LEN); 1691 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: buf", buf, buf_len); 1692 1693 if (pasn_use_sha384(akmp, cipher)) { 1694 wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA384"); 1695 1696 if (hmac_sha384(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash)) 1697 goto err; 1698 1699 os_memcpy(mic, hash, 24); 1700 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 24); 1701 } else { 1702 wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA256"); 1703 1704 if (hmac_sha256(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash)) 1705 goto err; 1706 1707 os_memcpy(mic, hash, 16); 1708 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 16); 1709 } 1710 1711 ret = 0; 1712 err: 1713 bin_clear_free(buf, buf_len); 1714 return ret; 1715 } 1716 1717 1718 /** 1719 * pasn_auth_frame_hash - Computes a hash of an Authentication frame body 1720 * @akmp: Negotiated AKM 1721 * @cipher: Negotiated pairwise cipher 1722 * @data: Pointer to the Authentication frame body 1723 * @len: Length of the Authentication frame body 1724 * @hash: On return would hold the computed hash. Should be big enough to handle 1725 * SHA384. 1726 * Returns: 0 on success, -1 on failure 1727 */ pasn_auth_frame_hash(int akmp,int cipher,const u8 * data,size_t len,u8 * hash)1728 int pasn_auth_frame_hash(int akmp, int cipher, const u8 *data, size_t len, 1729 u8 *hash) 1730 { 1731 if (pasn_use_sha384(akmp, cipher)) { 1732 wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-384"); 1733 return sha384_vector(1, &data, &len, hash); 1734 } else { 1735 wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-256"); 1736 return sha256_vector(1, &data, &len, hash); 1737 } 1738 } 1739 1740 #endif /* CONFIG_PASN */ 1741 1742 rsn_selector_to_bitfield(const u8 * s)1743 static int rsn_selector_to_bitfield(const u8 *s) 1744 { 1745 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE) 1746 return WPA_CIPHER_NONE; 1747 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP) 1748 return WPA_CIPHER_TKIP; 1749 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP) 1750 return WPA_CIPHER_CCMP; 1751 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC) 1752 return WPA_CIPHER_AES_128_CMAC; 1753 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP) 1754 return WPA_CIPHER_GCMP; 1755 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256) 1756 return WPA_CIPHER_CCMP_256; 1757 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256) 1758 return WPA_CIPHER_GCMP_256; 1759 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128) 1760 return WPA_CIPHER_BIP_GMAC_128; 1761 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256) 1762 return WPA_CIPHER_BIP_GMAC_256; 1763 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256) 1764 return WPA_CIPHER_BIP_CMAC_256; 1765 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED) 1766 return WPA_CIPHER_GTK_NOT_USED; 1767 return 0; 1768 } 1769 1770 rsn_key_mgmt_to_bitfield(const u8 * s)1771 static int rsn_key_mgmt_to_bitfield(const u8 *s) 1772 { 1773 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X) 1774 return WPA_KEY_MGMT_IEEE8021X; 1775 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X) 1776 return WPA_KEY_MGMT_PSK; 1777 #ifdef CONFIG_IEEE80211R 1778 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X) 1779 return WPA_KEY_MGMT_FT_IEEE8021X; 1780 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK) 1781 return WPA_KEY_MGMT_FT_PSK; 1782 #ifdef CONFIG_SHA384 1783 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384) 1784 return WPA_KEY_MGMT_FT_IEEE8021X_SHA384; 1785 #endif /* CONFIG_SHA384 */ 1786 #endif /* CONFIG_IEEE80211R */ 1787 #ifdef CONFIG_SHA384 1788 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA384) 1789 return WPA_KEY_MGMT_IEEE8021X_SHA384; 1790 #endif /* CONFIG_SHA384 */ 1791 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) 1792 return WPA_KEY_MGMT_IEEE8021X_SHA256; 1793 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) 1794 return WPA_KEY_MGMT_PSK_SHA256; 1795 #ifdef CONFIG_SAE 1796 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) 1797 return WPA_KEY_MGMT_SAE; 1798 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE_EXT_KEY) 1799 return WPA_KEY_MGMT_SAE_EXT_KEY; 1800 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) 1801 return WPA_KEY_MGMT_FT_SAE; 1802 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY) 1803 return WPA_KEY_MGMT_FT_SAE_EXT_KEY; 1804 #endif /* CONFIG_SAE */ 1805 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) 1806 return WPA_KEY_MGMT_IEEE8021X_SUITE_B; 1807 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192) 1808 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; 1809 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256) 1810 return WPA_KEY_MGMT_FILS_SHA256; 1811 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384) 1812 return WPA_KEY_MGMT_FILS_SHA384; 1813 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256) 1814 return WPA_KEY_MGMT_FT_FILS_SHA256; 1815 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384) 1816 return WPA_KEY_MGMT_FT_FILS_SHA384; 1817 #ifdef CONFIG_OWE 1818 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE) 1819 return WPA_KEY_MGMT_OWE; 1820 #endif /* CONFIG_OWE */ 1821 #ifdef CONFIG_DPP 1822 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP) 1823 return WPA_KEY_MGMT_DPP; 1824 #endif /* CONFIG_DPP */ 1825 #ifdef CONFIG_PASN 1826 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PASN) 1827 return WPA_KEY_MGMT_PASN; 1828 #endif /* CONFIG_PASN */ 1829 return 0; 1830 } 1831 1832 wpa_cipher_valid_group(int cipher)1833 int wpa_cipher_valid_group(int cipher) 1834 { 1835 return wpa_cipher_valid_pairwise(cipher) || 1836 cipher == WPA_CIPHER_GTK_NOT_USED; 1837 } 1838 1839 wpa_cipher_valid_mgmt_group(int cipher)1840 int wpa_cipher_valid_mgmt_group(int cipher) 1841 { 1842 return cipher == WPA_CIPHER_GTK_NOT_USED || 1843 cipher == WPA_CIPHER_AES_128_CMAC || 1844 cipher == WPA_CIPHER_BIP_GMAC_128 || 1845 cipher == WPA_CIPHER_BIP_GMAC_256 || 1846 cipher == WPA_CIPHER_BIP_CMAC_256; 1847 } 1848 1849 1850 /** 1851 * wpa_parse_wpa_ie_rsn - Parse RSN IE 1852 * @rsn_ie: Buffer containing RSN IE 1853 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets) 1854 * @data: Pointer to structure that will be filled in with parsed data 1855 * Returns: 0 on success, <0 on failure 1856 */ wpa_parse_wpa_ie_rsn(const u8 * rsn_ie,size_t rsn_ie_len,struct wpa_ie_data * data)1857 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len, 1858 struct wpa_ie_data *data) 1859 { 1860 const u8 *pos; 1861 int left; 1862 int i, count; 1863 1864 os_memset(data, 0, sizeof(*data)); 1865 data->proto = WPA_PROTO_RSN; 1866 data->pairwise_cipher = WPA_CIPHER_CCMP; 1867 data->group_cipher = WPA_CIPHER_CCMP; 1868 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 1869 data->capabilities = 0; 1870 data->pmkid = NULL; 1871 data->num_pmkid = 0; 1872 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC; 1873 1874 if (rsn_ie_len == 0) { 1875 /* No RSN IE - fail silently */ 1876 return -1; 1877 } 1878 1879 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) { 1880 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 1881 __func__, (unsigned long) rsn_ie_len); 1882 return -1; 1883 } 1884 1885 if (rsn_ie_len >= 2 + 4 + 2 && rsn_ie[1] >= 4 + 2 && 1886 rsn_ie[1] == rsn_ie_len - 2 && 1887 (WPA_GET_BE32(&rsn_ie[2]) == RSNE_OVERRIDE_IE_VENDOR_TYPE || 1888 WPA_GET_BE32(&rsn_ie[2]) == 1889 RSNE_OVERRIDE_2_IE_VENDOR_TYPE) && 1890 WPA_GET_LE16(&rsn_ie[2 + 4]) == RSN_VERSION) { 1891 pos = rsn_ie + 2 + 4 + 2; 1892 left = rsn_ie_len - 2 - 4 - 2; 1893 } else { 1894 const struct rsn_ie_hdr *hdr; 1895 1896 hdr = (const struct rsn_ie_hdr *) rsn_ie; 1897 1898 if (hdr->elem_id != WLAN_EID_RSN || 1899 hdr->len != rsn_ie_len - 2 || 1900 WPA_GET_LE16(hdr->version) != RSN_VERSION) { 1901 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 1902 __func__); 1903 return -2; 1904 } 1905 1906 pos = (const u8 *) (hdr + 1); 1907 left = rsn_ie_len - sizeof(*hdr); 1908 } 1909 1910 if (left >= RSN_SELECTOR_LEN) { 1911 data->group_cipher = rsn_selector_to_bitfield(pos); 1912 data->has_group = 1; 1913 if (!wpa_cipher_valid_group(data->group_cipher)) { 1914 wpa_printf(MSG_DEBUG, 1915 "%s: invalid group cipher 0x%x (%08x)", 1916 __func__, data->group_cipher, 1917 WPA_GET_BE32(pos)); 1918 #ifdef CONFIG_NO_TKIP 1919 if (RSN_SELECTOR_GET(pos) == RSN_CIPHER_SUITE_TKIP) { 1920 wpa_printf(MSG_DEBUG, 1921 "%s: TKIP as group cipher not supported in CONFIG_NO_TKIP=y build", 1922 __func__); 1923 } 1924 #endif /* CONFIG_NO_TKIP */ 1925 return -1; 1926 } 1927 pos += RSN_SELECTOR_LEN; 1928 left -= RSN_SELECTOR_LEN; 1929 } else if (left > 0) { 1930 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 1931 __func__, left); 1932 return -3; 1933 } 1934 1935 if (left >= 2) { 1936 data->pairwise_cipher = 0; 1937 count = WPA_GET_LE16(pos); 1938 pos += 2; 1939 left -= 2; 1940 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 1941 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 1942 "count %u left %u", __func__, count, left); 1943 return -4; 1944 } 1945 if (count) 1946 data->has_pairwise = 1; 1947 for (i = 0; i < count; i++) { 1948 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 1949 pos += RSN_SELECTOR_LEN; 1950 left -= RSN_SELECTOR_LEN; 1951 } 1952 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) { 1953 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as " 1954 "pairwise cipher", __func__); 1955 return -1; 1956 } 1957 } else if (left == 1) { 1958 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 1959 __func__); 1960 return -5; 1961 } 1962 1963 if (left >= 2) { 1964 data->key_mgmt = 0; 1965 count = WPA_GET_LE16(pos); 1966 pos += 2; 1967 left -= 2; 1968 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 1969 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 1970 "count %u left %u", __func__, count, left); 1971 return -6; 1972 } 1973 for (i = 0; i < count; i++) { 1974 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 1975 pos += RSN_SELECTOR_LEN; 1976 left -= RSN_SELECTOR_LEN; 1977 } 1978 } else if (left == 1) { 1979 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 1980 __func__); 1981 return -7; 1982 } 1983 1984 if (left >= 2) { 1985 data->capabilities = WPA_GET_LE16(pos); 1986 pos += 2; 1987 left -= 2; 1988 } 1989 1990 if (left >= 2) { 1991 u16 num_pmkid = WPA_GET_LE16(pos); 1992 pos += 2; 1993 left -= 2; 1994 if (num_pmkid > (unsigned int) left / PMKID_LEN) { 1995 wpa_printf(MSG_DEBUG, "%s: PMKID underflow " 1996 "(num_pmkid=%u left=%d)", 1997 __func__, num_pmkid, left); 1998 data->num_pmkid = 0; 1999 return -9; 2000 } else { 2001 data->num_pmkid = num_pmkid; 2002 data->pmkid = pos; 2003 pos += data->num_pmkid * PMKID_LEN; 2004 left -= data->num_pmkid * PMKID_LEN; 2005 } 2006 } 2007 2008 if (left >= 4) { 2009 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos); 2010 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) { 2011 wpa_printf(MSG_DEBUG, 2012 "%s: Unsupported management group cipher 0x%x (%08x)", 2013 __func__, data->mgmt_group_cipher, 2014 WPA_GET_BE32(pos)); 2015 return -10; 2016 } 2017 pos += RSN_SELECTOR_LEN; 2018 left -= RSN_SELECTOR_LEN; 2019 } 2020 2021 if (left > 0) { 2022 wpa_hexdump(MSG_DEBUG, 2023 "wpa_parse_wpa_ie_rsn: ignore trailing bytes", 2024 pos, left); 2025 } 2026 2027 return 0; 2028 } 2029 2030 wpa_selector_to_bitfield(const u8 * s)2031 static int wpa_selector_to_bitfield(const u8 *s) 2032 { 2033 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE) 2034 return WPA_CIPHER_NONE; 2035 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP) 2036 return WPA_CIPHER_TKIP; 2037 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP) 2038 return WPA_CIPHER_CCMP; 2039 return 0; 2040 } 2041 2042 wpa_key_mgmt_to_bitfield(const u8 * s)2043 static int wpa_key_mgmt_to_bitfield(const u8 *s) 2044 { 2045 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X) 2046 return WPA_KEY_MGMT_IEEE8021X; 2047 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X) 2048 return WPA_KEY_MGMT_PSK; 2049 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE) 2050 return WPA_KEY_MGMT_WPA_NONE; 2051 return 0; 2052 } 2053 2054 wpa_parse_wpa_ie_wpa(const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ie_data * data)2055 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len, 2056 struct wpa_ie_data *data) 2057 { 2058 const struct wpa_ie_hdr *hdr; 2059 const u8 *pos; 2060 int left; 2061 int i, count; 2062 2063 os_memset(data, 0, sizeof(*data)); 2064 data->proto = WPA_PROTO_WPA; 2065 data->pairwise_cipher = WPA_CIPHER_TKIP; 2066 data->group_cipher = WPA_CIPHER_TKIP; 2067 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 2068 data->capabilities = 0; 2069 data->pmkid = NULL; 2070 data->num_pmkid = 0; 2071 data->mgmt_group_cipher = 0; 2072 2073 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) { 2074 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 2075 __func__, (unsigned long) wpa_ie_len); 2076 return -1; 2077 } 2078 2079 hdr = (const struct wpa_ie_hdr *) wpa_ie; 2080 2081 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC || 2082 hdr->len != wpa_ie_len - 2 || 2083 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE || 2084 WPA_GET_LE16(hdr->version) != WPA_VERSION) { 2085 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 2086 __func__); 2087 return -2; 2088 } 2089 2090 pos = (const u8 *) (hdr + 1); 2091 left = wpa_ie_len - sizeof(*hdr); 2092 2093 if (left >= WPA_SELECTOR_LEN) { 2094 data->group_cipher = wpa_selector_to_bitfield(pos); 2095 pos += WPA_SELECTOR_LEN; 2096 left -= WPA_SELECTOR_LEN; 2097 } else if (left > 0) { 2098 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 2099 __func__, left); 2100 return -3; 2101 } 2102 2103 if (left >= 2) { 2104 data->pairwise_cipher = 0; 2105 count = WPA_GET_LE16(pos); 2106 pos += 2; 2107 left -= 2; 2108 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 2109 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 2110 "count %u left %u", __func__, count, left); 2111 return -4; 2112 } 2113 for (i = 0; i < count; i++) { 2114 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 2115 pos += WPA_SELECTOR_LEN; 2116 left -= WPA_SELECTOR_LEN; 2117 } 2118 } else if (left == 1) { 2119 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 2120 __func__); 2121 return -5; 2122 } 2123 2124 if (left >= 2) { 2125 data->key_mgmt = 0; 2126 count = WPA_GET_LE16(pos); 2127 pos += 2; 2128 left -= 2; 2129 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 2130 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 2131 "count %u left %u", __func__, count, left); 2132 return -6; 2133 } 2134 for (i = 0; i < count; i++) { 2135 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 2136 pos += WPA_SELECTOR_LEN; 2137 left -= WPA_SELECTOR_LEN; 2138 } 2139 } else if (left == 1) { 2140 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 2141 __func__); 2142 return -7; 2143 } 2144 2145 if (left >= 2) { 2146 data->capabilities = WPA_GET_LE16(pos); 2147 pos += 2; 2148 left -= 2; 2149 } 2150 2151 if (left > 0) { 2152 wpa_hexdump(MSG_DEBUG, 2153 "wpa_parse_wpa_ie_wpa: ignore trailing bytes", 2154 pos, left); 2155 } 2156 2157 return 0; 2158 } 2159 2160 wpa_default_rsn_cipher(int freq)2161 int wpa_default_rsn_cipher(int freq) 2162 { 2163 if (freq > 56160) 2164 return WPA_CIPHER_GCMP; /* DMG */ 2165 2166 return WPA_CIPHER_CCMP; 2167 } 2168 2169 2170 #ifdef CONFIG_IEEE80211R 2171 2172 /** 2173 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name 2174 * 2175 * IEEE Std 802.11r-2008 - 8.5.1.5.3 2176 */ wpa_derive_pmk_r0(const u8 * xxkey,size_t xxkey_len,const u8 * ssid,size_t ssid_len,const u8 * mdid,const u8 * r0kh_id,size_t r0kh_id_len,const u8 * s0kh_id,u8 * pmk_r0,u8 * pmk_r0_name,int key_mgmt)2177 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len, 2178 const u8 *ssid, size_t ssid_len, 2179 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len, 2180 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name, 2181 int key_mgmt) 2182 { 2183 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 + 2184 FT_R0KH_ID_MAX_LEN + ETH_ALEN]; 2185 u8 *pos, r0_key_data[64 + 16], hash[64]; 2186 const u8 *addr[2]; 2187 size_t len[2]; 2188 size_t q, r0_key_data_len; 2189 int res; 2190 2191 if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY && 2192 (xxkey_len == SHA256_MAC_LEN || xxkey_len == SHA384_MAC_LEN || 2193 xxkey_len == SHA512_MAC_LEN)) 2194 q = xxkey_len; 2195 else if (wpa_key_mgmt_sha384(key_mgmt)) 2196 q = SHA384_MAC_LEN; 2197 else 2198 q = SHA256_MAC_LEN; 2199 r0_key_data_len = q + 16; 2200 2201 /* 2202 * R0-Key-Data = KDF-Hash-Length(XXKey, "FT-R0", 2203 * SSIDlength || SSID || MDID || R0KHlength || 2204 * R0KH-ID || S0KH-ID) 2205 * XXKey is either the second 256 bits of MSK or PSK; or the first 2206 * 384 bits of MSK for FT-EAP-SHA384; or PMK from SAE. 2207 * PMK-R0 = L(R0-Key-Data, 0, Q) 2208 * PMK-R0Name-Salt = L(R0-Key-Data, Q, 128) 2209 * Q = 384 for FT-EAP-SHA384; the length of the digest generated by H() 2210 * for FT-SAE-EXT-KEY; or otherwise, 256 2211 */ 2212 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN) 2213 return -1; 2214 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R0 using KDF-SHA%zu", q * 8); 2215 wpa_hexdump_key(MSG_DEBUG, "FT: XXKey", xxkey, xxkey_len); 2216 wpa_hexdump_ascii(MSG_DEBUG, "FT: SSID", ssid, ssid_len); 2217 wpa_hexdump(MSG_DEBUG, "FT: MDID", mdid, MOBILITY_DOMAIN_ID_LEN); 2218 wpa_hexdump_ascii(MSG_DEBUG, "FT: R0KH-ID", r0kh_id, r0kh_id_len); 2219 wpa_printf(MSG_DEBUG, "FT: S0KH-ID: " MACSTR, MAC2STR(s0kh_id)); 2220 pos = buf; 2221 *pos++ = ssid_len; 2222 os_memcpy(pos, ssid, ssid_len); 2223 pos += ssid_len; 2224 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN); 2225 pos += MOBILITY_DOMAIN_ID_LEN; 2226 *pos++ = r0kh_id_len; 2227 os_memcpy(pos, r0kh_id, r0kh_id_len); 2228 pos += r0kh_id_len; 2229 os_memcpy(pos, s0kh_id, ETH_ALEN); 2230 pos += ETH_ALEN; 2231 2232 res = -1; 2233 #ifdef CONFIG_SHA512 2234 if (q == SHA512_MAC_LEN) { 2235 if (xxkey_len != SHA512_MAC_LEN) { 2236 wpa_printf(MSG_ERROR, 2237 "FT: Unexpected XXKey length %d (expected %d)", 2238 (int) xxkey_len, SHA512_MAC_LEN); 2239 return -1; 2240 } 2241 res = sha512_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 2242 r0_key_data, r0_key_data_len); 2243 } 2244 #endif /* CONFIG_SHA512 */ 2245 #ifdef CONFIG_SHA384 2246 if (q == SHA384_MAC_LEN) { 2247 if (xxkey_len != SHA384_MAC_LEN) { 2248 wpa_printf(MSG_ERROR, 2249 "FT: Unexpected XXKey length %d (expected %d)", 2250 (int) xxkey_len, SHA384_MAC_LEN); 2251 return -1; 2252 } 2253 res = sha384_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 2254 r0_key_data, r0_key_data_len); 2255 } 2256 #endif /* CONFIG_SHA384 */ 2257 if (q == SHA256_MAC_LEN) { 2258 if (xxkey_len != PMK_LEN) { 2259 wpa_printf(MSG_ERROR, 2260 "FT: Unexpected XXKey length %d (expected %d)", 2261 (int) xxkey_len, PMK_LEN); 2262 return -1; 2263 } 2264 res = sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 2265 r0_key_data, r0_key_data_len); 2266 } 2267 if (res < 0) 2268 return res; 2269 os_memcpy(pmk_r0, r0_key_data, q); 2270 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, q); 2271 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0Name-Salt", &r0_key_data[q], 16); 2272 2273 /* 2274 * PMKR0Name = Truncate-128(Hash("FT-R0N" || PMK-R0Name-Salt) 2275 */ 2276 addr[0] = (const u8 *) "FT-R0N"; 2277 len[0] = 6; 2278 addr[1] = &r0_key_data[q]; 2279 len[1] = 16; 2280 2281 res = -1; 2282 #ifdef CONFIG_SHA512 2283 if (q == SHA512_MAC_LEN) 2284 res = sha512_vector(2, addr, len, hash); 2285 #endif /* CONFIG_SHA512 */ 2286 #ifdef CONFIG_SHA384 2287 if (q == SHA384_MAC_LEN) 2288 res = sha384_vector(2, addr, len, hash); 2289 #endif /* CONFIG_SHA384 */ 2290 if (q == SHA256_MAC_LEN) 2291 res = sha256_vector(2, addr, len, hash); 2292 if (res < 0) { 2293 wpa_printf(MSG_DEBUG, 2294 "FT: Failed to derive PMKR0Name (PMK-R0 len %zu)", 2295 q); 2296 return res; 2297 } 2298 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN); 2299 wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN); 2300 forced_memzero(r0_key_data, sizeof(r0_key_data)); 2301 return 0; 2302 } 2303 2304 2305 /** 2306 * wpa_derive_pmk_r1_name - Derive PMKR1Name 2307 * 2308 * IEEE Std 802.11r-2008 - 8.5.1.5.4 2309 */ wpa_derive_pmk_r1_name(const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1_name,size_t pmk_r1_len)2310 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id, 2311 const u8 *s1kh_id, u8 *pmk_r1_name, 2312 size_t pmk_r1_len) 2313 { 2314 u8 hash[64]; 2315 const u8 *addr[4]; 2316 size_t len[4]; 2317 int res; 2318 const char *title; 2319 2320 /* 2321 * PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name || 2322 * R1KH-ID || S1KH-ID)) 2323 */ 2324 addr[0] = (const u8 *) "FT-R1N"; 2325 len[0] = 6; 2326 addr[1] = pmk_r0_name; 2327 len[1] = WPA_PMK_NAME_LEN; 2328 addr[2] = r1kh_id; 2329 len[2] = FT_R1KH_ID_LEN; 2330 addr[3] = s1kh_id; 2331 len[3] = ETH_ALEN; 2332 2333 res = -1; 2334 #ifdef CONFIG_SHA512 2335 if (pmk_r1_len == SHA512_MAC_LEN) { 2336 title = "FT: PMKR1Name (using SHA512)"; 2337 res = sha512_vector(4, addr, len, hash); 2338 } 2339 #endif /* CONFIG_SHA512 */ 2340 #ifdef CONFIG_SHA384 2341 if (pmk_r1_len == SHA384_MAC_LEN) { 2342 title = "FT: PMKR1Name (using SHA384)"; 2343 res = sha384_vector(4, addr, len, hash); 2344 } 2345 #endif /* CONFIG_SHA384 */ 2346 if (pmk_r1_len == SHA256_MAC_LEN) { 2347 title = "FT: PMKR1Name (using SHA256)"; 2348 res = sha256_vector(4, addr, len, hash); 2349 } 2350 if (res < 0) { 2351 wpa_printf(MSG_DEBUG, 2352 "FT: Failed to derive PMKR1Name (PMK-R1 len %zu)", 2353 pmk_r1_len); 2354 return res; 2355 } 2356 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN); 2357 wpa_hexdump(MSG_DEBUG, title, pmk_r1_name, WPA_PMK_NAME_LEN); 2358 return 0; 2359 } 2360 2361 2362 /** 2363 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0 2364 * 2365 * IEEE Std 802.11r-2008 - 8.5.1.5.4 2366 */ wpa_derive_pmk_r1(const u8 * pmk_r0,size_t pmk_r0_len,const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1,u8 * pmk_r1_name)2367 int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len, 2368 const u8 *pmk_r0_name, 2369 const u8 *r1kh_id, const u8 *s1kh_id, 2370 u8 *pmk_r1, u8 *pmk_r1_name) 2371 { 2372 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN]; 2373 u8 *pos; 2374 int res; 2375 2376 /* PMK-R1 = KDF-Hash(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */ 2377 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R1 using KDF-SHA%zu", 2378 pmk_r0_len * 8); 2379 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, pmk_r0_len); 2380 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", r1kh_id, FT_R1KH_ID_LEN); 2381 wpa_printf(MSG_DEBUG, "FT: S1KH-ID: " MACSTR, MAC2STR(s1kh_id)); 2382 pos = buf; 2383 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN); 2384 pos += FT_R1KH_ID_LEN; 2385 os_memcpy(pos, s1kh_id, ETH_ALEN); 2386 pos += ETH_ALEN; 2387 2388 res = -1; 2389 #ifdef CONFIG_SHA512 2390 if (pmk_r0_len == SHA512_MAC_LEN) 2391 res = sha512_prf(pmk_r0, pmk_r0_len, "FT-R1", 2392 buf, pos - buf, pmk_r1, pmk_r0_len); 2393 #endif /* CONFIG_SHA512 */ 2394 #ifdef CONFIG_SHA384 2395 if (pmk_r0_len == SHA384_MAC_LEN) 2396 res = sha384_prf(pmk_r0, pmk_r0_len, "FT-R1", 2397 buf, pos - buf, pmk_r1, pmk_r0_len); 2398 #endif /* CONFIG_SHA384 */ 2399 if (pmk_r0_len == SHA256_MAC_LEN) 2400 res = sha256_prf(pmk_r0, pmk_r0_len, "FT-R1", 2401 buf, pos - buf, pmk_r1, pmk_r0_len); 2402 if (res < 0) { 2403 wpa_printf(MSG_ERROR, "FT: Failed to derive PMK-R1"); 2404 return res; 2405 } 2406 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len); 2407 2408 return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, 2409 pmk_r1_name, pmk_r0_len); 2410 } 2411 2412 2413 /** 2414 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1 2415 * 2416 * IEEE Std 802.11r-2008 - 8.5.1.5.5 2417 */ wpa_pmk_r1_to_ptk(const u8 * pmk_r1,size_t pmk_r1_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * pmk_r1_name,struct wpa_ptk * ptk,u8 * ptk_name,int akmp,int cipher,size_t kdk_len)2418 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len, 2419 const u8 *snonce, const u8 *anonce, 2420 const u8 *sta_addr, const u8 *bssid, 2421 const u8 *pmk_r1_name, 2422 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher, 2423 size_t kdk_len) 2424 { 2425 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN]; 2426 u8 *pos, hash[32]; 2427 const u8 *addr[6]; 2428 size_t len[6]; 2429 u8 tmp[2 * WPA_KCK_MAX_LEN + 2 * WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN + 2430 WPA_KDK_MAX_LEN]; 2431 size_t ptk_len, offset; 2432 size_t key_len; 2433 int res; 2434 2435 if (kdk_len > WPA_KDK_MAX_LEN) { 2436 wpa_printf(MSG_ERROR, 2437 "FT: KDK len=%zu exceeds max supported len", 2438 kdk_len); 2439 return -1; 2440 } 2441 2442 if (akmp == WPA_KEY_MGMT_FT_SAE_EXT_KEY && 2443 (pmk_r1_len == SHA256_MAC_LEN || pmk_r1_len == SHA384_MAC_LEN || 2444 pmk_r1_len == SHA512_MAC_LEN)) 2445 key_len = pmk_r1_len; 2446 else if (wpa_key_mgmt_sha384(akmp)) 2447 key_len = SHA384_MAC_LEN; 2448 else 2449 key_len = SHA256_MAC_LEN; 2450 2451 /* 2452 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || 2453 * BSSID || STA-ADDR) 2454 */ 2455 wpa_printf(MSG_DEBUG, "FT: Derive PTK using KDF-SHA%zu", key_len * 8); 2456 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r1_len); 2457 wpa_hexdump(MSG_DEBUG, "FT: SNonce", snonce, WPA_NONCE_LEN); 2458 wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN); 2459 wpa_printf(MSG_DEBUG, "FT: BSSID=" MACSTR " STA-ADDR=" MACSTR, 2460 MAC2STR(bssid), MAC2STR(sta_addr)); 2461 pos = buf; 2462 os_memcpy(pos, snonce, WPA_NONCE_LEN); 2463 pos += WPA_NONCE_LEN; 2464 os_memcpy(pos, anonce, WPA_NONCE_LEN); 2465 pos += WPA_NONCE_LEN; 2466 os_memcpy(pos, bssid, ETH_ALEN); 2467 pos += ETH_ALEN; 2468 os_memcpy(pos, sta_addr, ETH_ALEN); 2469 pos += ETH_ALEN; 2470 2471 ptk->kck_len = wpa_kck_len(akmp, key_len); 2472 ptk->kck2_len = wpa_kck2_len(akmp); 2473 ptk->kek_len = wpa_kek_len(akmp, key_len); 2474 ptk->kek2_len = wpa_kek2_len(akmp); 2475 ptk->tk_len = wpa_cipher_key_len(cipher); 2476 ptk->kdk_len = kdk_len; 2477 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + 2478 ptk->kck2_len + ptk->kek2_len + ptk->kdk_len; 2479 2480 res = -1; 2481 #ifdef CONFIG_SHA512 2482 if (key_len == SHA512_MAC_LEN) { 2483 if (pmk_r1_len != SHA512_MAC_LEN) { 2484 wpa_printf(MSG_ERROR, 2485 "FT: Unexpected PMK-R1 length %d (expected %d)", 2486 (int) pmk_r1_len, SHA512_MAC_LEN); 2487 return -1; 2488 } 2489 res = sha512_prf(pmk_r1, pmk_r1_len, "FT-PTK", 2490 buf, pos - buf, tmp, ptk_len); 2491 } 2492 #endif /* CONFIG_SHA512 */ 2493 #ifdef CONFIG_SHA384 2494 if (key_len == SHA384_MAC_LEN) { 2495 if (pmk_r1_len != SHA384_MAC_LEN) { 2496 wpa_printf(MSG_ERROR, 2497 "FT: Unexpected PMK-R1 length %d (expected %d)", 2498 (int) pmk_r1_len, SHA384_MAC_LEN); 2499 return -1; 2500 } 2501 res = sha384_prf(pmk_r1, pmk_r1_len, "FT-PTK", 2502 buf, pos - buf, tmp, ptk_len); 2503 } 2504 #endif /* CONFIG_SHA384 */ 2505 if (key_len == SHA256_MAC_LEN) { 2506 if (pmk_r1_len != PMK_LEN) { 2507 wpa_printf(MSG_ERROR, 2508 "FT: Unexpected PMK-R1 length %d (expected %d)", 2509 (int) pmk_r1_len, PMK_LEN); 2510 return -1; 2511 } 2512 res = sha256_prf(pmk_r1, pmk_r1_len, "FT-PTK", 2513 buf, pos - buf, tmp, ptk_len); 2514 } 2515 if (res < 0) 2516 return -1; 2517 wpa_hexdump_key(MSG_DEBUG, "FT: PTK", tmp, ptk_len); 2518 2519 /* 2520 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce || 2521 * ANonce || BSSID || STA-ADDR)) 2522 */ 2523 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN); 2524 addr[0] = pmk_r1_name; 2525 len[0] = WPA_PMK_NAME_LEN; 2526 addr[1] = (const u8 *) "FT-PTKN"; 2527 len[1] = 7; 2528 addr[2] = snonce; 2529 len[2] = WPA_NONCE_LEN; 2530 addr[3] = anonce; 2531 len[3] = WPA_NONCE_LEN; 2532 addr[4] = bssid; 2533 len[4] = ETH_ALEN; 2534 addr[5] = sta_addr; 2535 len[5] = ETH_ALEN; 2536 2537 if (sha256_vector(6, addr, len, hash) < 0) 2538 return -1; 2539 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN); 2540 2541 os_memcpy(ptk->kck, tmp, ptk->kck_len); 2542 offset = ptk->kck_len; 2543 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len); 2544 offset += ptk->kek_len; 2545 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len); 2546 offset += ptk->tk_len; 2547 os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len); 2548 offset += ptk->kck2_len; 2549 os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len); 2550 offset += ptk->kek2_len; 2551 os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len); 2552 2553 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len); 2554 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len); 2555 if (ptk->kck2_len) 2556 wpa_hexdump_key(MSG_DEBUG, "FT: KCK2", 2557 ptk->kck2, ptk->kck2_len); 2558 if (ptk->kek2_len) 2559 wpa_hexdump_key(MSG_DEBUG, "FT: KEK2", 2560 ptk->kek2, ptk->kek2_len); 2561 if (ptk->kdk_len) 2562 wpa_hexdump_key(MSG_DEBUG, "FT: KDK", ptk->kdk, ptk->kdk_len); 2563 2564 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len); 2565 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN); 2566 2567 forced_memzero(tmp, sizeof(tmp)); 2568 2569 return 0; 2570 } 2571 2572 #endif /* CONFIG_IEEE80211R */ 2573 2574 2575 /** 2576 * rsn_pmkid - Calculate PMK identifier 2577 * @pmk: Pairwise master key 2578 * @pmk_len: Length of pmk in bytes 2579 * @aa: Authenticator address 2580 * @spa: Supplicant address 2581 * @pmkid: Buffer for PMKID 2582 * @akmp: Negotiated key management protocol 2583 * 2584 * IEEE Std 802.11-2016 - 12.7.1.3 Pairwise key hierarchy 2585 * AKM: 00-0F-AC:3, 00-0F-AC:5, 00-0F-AC:6, 00-0F-AC:14, 00-0F-AC:16 2586 * PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA)) 2587 * AKM: 00-0F-AC:11 2588 * See rsn_pmkid_suite_b() 2589 * AKM: 00-0F-AC:12 2590 * See rsn_pmkid_suite_b_192() 2591 * AKM: 00-0F-AC:13, 00-0F-AC:15, 00-0F-AC:17 2592 * PMKID = Truncate-128(HMAC-SHA-384(PMK, "PMK Name" || AA || SPA)) 2593 * Otherwise: 2594 * PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA)) 2595 */ rsn_pmkid(const u8 * pmk,size_t pmk_len,const u8 * aa,const u8 * spa,u8 * pmkid,int akmp)2596 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa, 2597 u8 *pmkid, int akmp) 2598 { 2599 char *title = "PMK Name"; 2600 const u8 *addr[3]; 2601 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 2602 unsigned char hash[SHA384_MAC_LEN]; 2603 2604 addr[0] = (u8 *) title; 2605 addr[1] = aa; 2606 addr[2] = spa; 2607 2608 if (0) { 2609 #if defined(CONFIG_FILS) || defined(CONFIG_SHA384) 2610 } else if (wpa_key_mgmt_sha384(akmp)) { 2611 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-384"); 2612 hmac_sha384_vector(pmk, pmk_len, 3, addr, len, hash); 2613 #endif /* CONFIG_FILS || CONFIG_SHA384 */ 2614 } else if (wpa_key_mgmt_sha256(akmp)) { 2615 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-256"); 2616 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash); 2617 } else { 2618 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-1"); 2619 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash); 2620 } 2621 wpa_hexdump(MSG_DEBUG, "RSN: Derived PMKID", hash, PMKID_LEN); 2622 os_memcpy(pmkid, hash, PMKID_LEN); 2623 } 2624 2625 2626 #ifdef CONFIG_SUITEB 2627 /** 2628 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM 2629 * @kck: Key confirmation key 2630 * @kck_len: Length of kck in bytes 2631 * @aa: Authenticator address 2632 * @spa: Supplicant address 2633 * @pmkid: Buffer for PMKID 2634 * Returns: 0 on success, -1 on failure 2635 * 2636 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 2637 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA)) 2638 */ rsn_pmkid_suite_b(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)2639 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa, 2640 const u8 *spa, u8 *pmkid) 2641 { 2642 char *title = "PMK Name"; 2643 const u8 *addr[3]; 2644 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 2645 unsigned char hash[SHA256_MAC_LEN]; 2646 2647 addr[0] = (u8 *) title; 2648 addr[1] = aa; 2649 addr[2] = spa; 2650 2651 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0) 2652 return -1; 2653 os_memcpy(pmkid, hash, PMKID_LEN); 2654 return 0; 2655 } 2656 #endif /* CONFIG_SUITEB */ 2657 2658 2659 #ifdef CONFIG_SUITEB192 2660 /** 2661 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM 2662 * @kck: Key confirmation key 2663 * @kck_len: Length of kck in bytes 2664 * @aa: Authenticator address 2665 * @spa: Supplicant address 2666 * @pmkid: Buffer for PMKID 2667 * Returns: 0 on success, -1 on failure 2668 * 2669 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 2670 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA)) 2671 */ rsn_pmkid_suite_b_192(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)2672 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa, 2673 const u8 *spa, u8 *pmkid) 2674 { 2675 char *title = "PMK Name"; 2676 const u8 *addr[3]; 2677 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 2678 unsigned char hash[SHA384_MAC_LEN]; 2679 2680 addr[0] = (u8 *) title; 2681 addr[1] = aa; 2682 addr[2] = spa; 2683 2684 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0) 2685 return -1; 2686 os_memcpy(pmkid, hash, PMKID_LEN); 2687 return 0; 2688 } 2689 #endif /* CONFIG_SUITEB192 */ 2690 2691 2692 /** 2693 * wpa_cipher_txt - Convert cipher suite to a text string 2694 * @cipher: Cipher suite (WPA_CIPHER_* enum) 2695 * Returns: Pointer to a text string of the cipher suite name 2696 */ wpa_cipher_txt(int cipher)2697 const char * wpa_cipher_txt(int cipher) 2698 { 2699 switch (cipher) { 2700 case WPA_CIPHER_NONE: 2701 return "NONE"; 2702 #ifdef CONFIG_WEP 2703 case WPA_CIPHER_WEP40: 2704 return "WEP-40"; 2705 case WPA_CIPHER_WEP104: 2706 return "WEP-104"; 2707 #endif /* CONFIG_WEP */ 2708 case WPA_CIPHER_TKIP: 2709 return "TKIP"; 2710 case WPA_CIPHER_CCMP: 2711 return "CCMP"; 2712 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP: 2713 return "CCMP+TKIP"; 2714 case WPA_CIPHER_GCMP: 2715 return "GCMP"; 2716 case WPA_CIPHER_GCMP_256: 2717 return "GCMP-256"; 2718 case WPA_CIPHER_CCMP_256: 2719 return "CCMP-256"; 2720 case WPA_CIPHER_AES_128_CMAC: 2721 return "BIP"; 2722 case WPA_CIPHER_BIP_GMAC_128: 2723 return "BIP-GMAC-128"; 2724 case WPA_CIPHER_BIP_GMAC_256: 2725 return "BIP-GMAC-256"; 2726 case WPA_CIPHER_BIP_CMAC_256: 2727 return "BIP-CMAC-256"; 2728 case WPA_CIPHER_GTK_NOT_USED: 2729 return "GTK_NOT_USED"; 2730 default: 2731 return "UNKNOWN"; 2732 } 2733 } 2734 2735 2736 /** 2737 * wpa_key_mgmt_txt - Convert key management suite to a text string 2738 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum) 2739 * @proto: WPA/WPA2 version (WPA_PROTO_*) 2740 * Returns: Pointer to a text string of the key management suite name 2741 */ wpa_key_mgmt_txt(int key_mgmt,int proto)2742 const char * wpa_key_mgmt_txt(int key_mgmt, int proto) 2743 { 2744 switch (key_mgmt) { 2745 case WPA_KEY_MGMT_IEEE8021X: 2746 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 2747 return "WPA2+WPA/IEEE 802.1X/EAP"; 2748 return proto == WPA_PROTO_RSN ? 2749 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP"; 2750 case WPA_KEY_MGMT_PSK: 2751 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 2752 return "WPA2-PSK+WPA-PSK"; 2753 return proto == WPA_PROTO_RSN ? 2754 "WPA2-PSK" : "WPA-PSK"; 2755 case WPA_KEY_MGMT_NONE: 2756 return "NONE"; 2757 case WPA_KEY_MGMT_WPA_NONE: 2758 return "WPA-NONE"; 2759 case WPA_KEY_MGMT_IEEE8021X_NO_WPA: 2760 return "IEEE 802.1X (no WPA)"; 2761 #ifdef CONFIG_IEEE80211R 2762 case WPA_KEY_MGMT_FT_IEEE8021X: 2763 return "FT-EAP"; 2764 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 2765 return "FT-EAP-SHA384"; 2766 case WPA_KEY_MGMT_FT_PSK: 2767 return "FT-PSK"; 2768 #endif /* CONFIG_IEEE80211R */ 2769 case WPA_KEY_MGMT_IEEE8021X_SHA256: 2770 return "WPA2-EAP-SHA256"; 2771 case WPA_KEY_MGMT_PSK_SHA256: 2772 return "WPA2-PSK-SHA256"; 2773 case WPA_KEY_MGMT_WPS: 2774 return "WPS"; 2775 case WPA_KEY_MGMT_SAE: 2776 return "SAE"; 2777 case WPA_KEY_MGMT_SAE_EXT_KEY: 2778 return "SAE-EXT-KEY"; 2779 case WPA_KEY_MGMT_FT_SAE: 2780 return "FT-SAE"; 2781 case WPA_KEY_MGMT_FT_SAE_EXT_KEY: 2782 return "FT-SAE-EXT-KEY"; 2783 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 2784 return "WPA2-EAP-SUITE-B"; 2785 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 2786 return "WPA2-EAP-SUITE-B-192"; 2787 case WPA_KEY_MGMT_FILS_SHA256: 2788 return "FILS-SHA256"; 2789 case WPA_KEY_MGMT_FILS_SHA384: 2790 return "FILS-SHA384"; 2791 case WPA_KEY_MGMT_FT_FILS_SHA256: 2792 return "FT-FILS-SHA256"; 2793 case WPA_KEY_MGMT_FT_FILS_SHA384: 2794 return "FT-FILS-SHA384"; 2795 case WPA_KEY_MGMT_OWE: 2796 return "OWE"; 2797 case WPA_KEY_MGMT_DPP: 2798 return "DPP"; 2799 case WPA_KEY_MGMT_PASN: 2800 return "PASN"; 2801 case WPA_KEY_MGMT_IEEE8021X_SHA384: 2802 return "WPA2-EAP-SHA384"; 2803 default: 2804 return "UNKNOWN"; 2805 } 2806 } 2807 2808 wpa_akm_to_suite(int akm)2809 u32 wpa_akm_to_suite(int akm) 2810 { 2811 if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) 2812 return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384; 2813 if (akm & WPA_KEY_MGMT_FT_IEEE8021X) 2814 return RSN_AUTH_KEY_MGMT_FT_802_1X; 2815 if (akm & WPA_KEY_MGMT_FT_PSK) 2816 return RSN_AUTH_KEY_MGMT_FT_PSK; 2817 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA384) 2818 return RSN_AUTH_KEY_MGMT_802_1X_SHA384; 2819 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) 2820 return RSN_AUTH_KEY_MGMT_802_1X_SHA256; 2821 if (akm & WPA_KEY_MGMT_IEEE8021X) 2822 return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; 2823 if (akm & WPA_KEY_MGMT_PSK_SHA256) 2824 return RSN_AUTH_KEY_MGMT_PSK_SHA256; 2825 if (akm & WPA_KEY_MGMT_PSK) 2826 return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; 2827 if (akm & WPA_KEY_MGMT_CCKM) 2828 return RSN_AUTH_KEY_MGMT_CCKM; 2829 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B) 2830 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; 2831 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 2832 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; 2833 if (akm & WPA_KEY_MGMT_FILS_SHA256) 2834 return RSN_AUTH_KEY_MGMT_FILS_SHA256; 2835 if (akm & WPA_KEY_MGMT_FILS_SHA384) 2836 return RSN_AUTH_KEY_MGMT_FILS_SHA384; 2837 if (akm & WPA_KEY_MGMT_FT_FILS_SHA256) 2838 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256; 2839 if (akm & WPA_KEY_MGMT_FT_FILS_SHA384) 2840 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384; 2841 if (akm & WPA_KEY_MGMT_SAE) 2842 return RSN_AUTH_KEY_MGMT_SAE; 2843 if (akm & WPA_KEY_MGMT_SAE_EXT_KEY) 2844 return RSN_AUTH_KEY_MGMT_SAE_EXT_KEY; 2845 if (akm & WPA_KEY_MGMT_FT_SAE) 2846 return RSN_AUTH_KEY_MGMT_FT_SAE; 2847 if (akm & WPA_KEY_MGMT_FT_SAE_EXT_KEY) 2848 return RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY; 2849 if (akm & WPA_KEY_MGMT_OWE) 2850 return RSN_AUTH_KEY_MGMT_OWE; 2851 if (akm & WPA_KEY_MGMT_DPP) 2852 return RSN_AUTH_KEY_MGMT_DPP; 2853 return 0; 2854 } 2855 2856 wpa_compare_rsn_ie(int ft_initial_assoc,const u8 * ie1,size_t ie1len,const u8 * ie2,size_t ie2len)2857 int wpa_compare_rsn_ie(int ft_initial_assoc, 2858 const u8 *ie1, size_t ie1len, 2859 const u8 *ie2, size_t ie2len) 2860 { 2861 if (ie1 == NULL || ie2 == NULL) 2862 return -1; 2863 2864 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0) 2865 return 0; /* identical IEs */ 2866 2867 #ifdef CONFIG_IEEE80211R 2868 if (ft_initial_assoc) { 2869 struct wpa_ie_data ie1d, ie2d; 2870 /* 2871 * The PMKID-List in RSN IE is different between Beacon/Probe 2872 * Response/(Re)Association Request frames and EAPOL-Key 2873 * messages in FT initial mobility domain association. Allow 2874 * for this, but verify that other parts of the RSN IEs are 2875 * identical. 2876 */ 2877 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 || 2878 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0) 2879 return -1; 2880 if (ie1d.proto == ie2d.proto && 2881 ie1d.pairwise_cipher == ie2d.pairwise_cipher && 2882 ie1d.group_cipher == ie2d.group_cipher && 2883 ie1d.key_mgmt == ie2d.key_mgmt && 2884 ie1d.capabilities == ie2d.capabilities && 2885 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher) 2886 return 0; 2887 } 2888 #endif /* CONFIG_IEEE80211R */ 2889 2890 return -1; 2891 } 2892 2893 wpa_insert_pmkid(u8 * ies,size_t * ies_len,const u8 * pmkid,bool replace)2894 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid, bool replace) 2895 { 2896 u8 *start, *end, *rpos, *rend; 2897 int added = 0; 2898 2899 start = ies; 2900 end = ies + *ies_len; 2901 2902 while (start < end) { 2903 if (*start == WLAN_EID_RSN) 2904 break; 2905 start += 2 + start[1]; 2906 } 2907 if (start >= end) { 2908 wpa_printf(MSG_ERROR, "RSN: Could not find RSNE in IEs data"); 2909 return -1; 2910 } 2911 wpa_hexdump(MSG_DEBUG, "RSN: RSNE before modification", 2912 start, 2 + start[1]); 2913 2914 /* Find start of PMKID-Count */ 2915 rpos = start + 2; 2916 rend = rpos + start[1]; 2917 2918 /* Skip Version and Group Data Cipher Suite */ 2919 rpos += 2 + 4; 2920 /* Skip Pairwise Cipher Suite Count and List */ 2921 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 2922 /* Skip AKM Suite Count and List */ 2923 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 2924 2925 if (rpos == rend) { 2926 /* Add RSN Capabilities */ 2927 os_memmove(rpos + 2, rpos, end - rpos); 2928 *rpos++ = 0; 2929 *rpos++ = 0; 2930 added += 2; 2931 start[1] += 2; 2932 rend = rpos; 2933 } else { 2934 /* Skip RSN Capabilities */ 2935 rpos += 2; 2936 if (rpos > rend) { 2937 wpa_printf(MSG_ERROR, 2938 "RSN: Could not parse RSNE in IEs data"); 2939 return -1; 2940 } 2941 } 2942 2943 if (rpos == rend) { 2944 /* No PMKID-Count field included; add it */ 2945 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos); 2946 WPA_PUT_LE16(rpos, 1); 2947 rpos += 2; 2948 os_memcpy(rpos, pmkid, PMKID_LEN); 2949 added += 2 + PMKID_LEN; 2950 start[1] += 2 + PMKID_LEN; 2951 } else { 2952 u16 num_pmkid; 2953 2954 if (rend - rpos < 2) 2955 return -1; 2956 num_pmkid = WPA_GET_LE16(rpos); 2957 if (num_pmkid * PMKID_LEN > rend - rpos - 2) 2958 return -1; 2959 /* PMKID-Count was included; use it */ 2960 if (replace && num_pmkid != 0) { 2961 u8 *after; 2962 2963 /* 2964 * PMKID may have been included in RSN IE in 2965 * (Re)Association Request frame, so remove the old 2966 * PMKID(s) first before adding the new one. 2967 */ 2968 wpa_printf(MSG_DEBUG, 2969 "RSN: Remove %u old PMKID(s) from RSNE", 2970 num_pmkid); 2971 after = rpos + 2 + num_pmkid * PMKID_LEN; 2972 os_memmove(rpos + 2, after, end - after); 2973 start[1] -= num_pmkid * PMKID_LEN; 2974 added -= num_pmkid * PMKID_LEN; 2975 num_pmkid = 0; 2976 } 2977 WPA_PUT_LE16(rpos, num_pmkid + 1); 2978 rpos += 2; 2979 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos); 2980 os_memcpy(rpos, pmkid, PMKID_LEN); 2981 added += PMKID_LEN; 2982 start[1] += PMKID_LEN; 2983 } 2984 2985 wpa_hexdump(MSG_DEBUG, "RSN: RSNE after modification (PMKID inserted)", 2986 start, 2 + start[1]); 2987 2988 *ies_len += added; 2989 2990 return 0; 2991 } 2992 2993 wpa_cipher_key_len(int cipher)2994 int wpa_cipher_key_len(int cipher) 2995 { 2996 switch (cipher) { 2997 case WPA_CIPHER_CCMP_256: 2998 case WPA_CIPHER_GCMP_256: 2999 case WPA_CIPHER_BIP_GMAC_256: 3000 case WPA_CIPHER_BIP_CMAC_256: 3001 return 32; 3002 case WPA_CIPHER_CCMP: 3003 case WPA_CIPHER_GCMP: 3004 case WPA_CIPHER_AES_128_CMAC: 3005 case WPA_CIPHER_BIP_GMAC_128: 3006 return 16; 3007 case WPA_CIPHER_TKIP: 3008 return 32; 3009 default: 3010 return 0; 3011 } 3012 } 3013 3014 wpa_cipher_rsc_len(int cipher)3015 int wpa_cipher_rsc_len(int cipher) 3016 { 3017 switch (cipher) { 3018 case WPA_CIPHER_CCMP_256: 3019 case WPA_CIPHER_GCMP_256: 3020 case WPA_CIPHER_CCMP: 3021 case WPA_CIPHER_GCMP: 3022 case WPA_CIPHER_TKIP: 3023 return 6; 3024 default: 3025 return 0; 3026 } 3027 } 3028 3029 wpa_cipher_to_alg(int cipher)3030 enum wpa_alg wpa_cipher_to_alg(int cipher) 3031 { 3032 switch (cipher) { 3033 case WPA_CIPHER_CCMP_256: 3034 return WPA_ALG_CCMP_256; 3035 case WPA_CIPHER_GCMP_256: 3036 return WPA_ALG_GCMP_256; 3037 case WPA_CIPHER_CCMP: 3038 return WPA_ALG_CCMP; 3039 case WPA_CIPHER_GCMP: 3040 return WPA_ALG_GCMP; 3041 case WPA_CIPHER_TKIP: 3042 return WPA_ALG_TKIP; 3043 case WPA_CIPHER_AES_128_CMAC: 3044 return WPA_ALG_BIP_CMAC_128; 3045 case WPA_CIPHER_BIP_GMAC_128: 3046 return WPA_ALG_BIP_GMAC_128; 3047 case WPA_CIPHER_BIP_GMAC_256: 3048 return WPA_ALG_BIP_GMAC_256; 3049 case WPA_CIPHER_BIP_CMAC_256: 3050 return WPA_ALG_BIP_CMAC_256; 3051 default: 3052 return WPA_ALG_NONE; 3053 } 3054 } 3055 3056 wpa_cipher_valid_pairwise(int cipher)3057 int wpa_cipher_valid_pairwise(int cipher) 3058 { 3059 #ifdef CONFIG_NO_TKIP 3060 return cipher == WPA_CIPHER_CCMP_256 || 3061 cipher == WPA_CIPHER_GCMP_256 || 3062 cipher == WPA_CIPHER_CCMP || 3063 cipher == WPA_CIPHER_GCMP; 3064 #else /* CONFIG_NO_TKIP */ 3065 return cipher == WPA_CIPHER_CCMP_256 || 3066 cipher == WPA_CIPHER_GCMP_256 || 3067 cipher == WPA_CIPHER_CCMP || 3068 cipher == WPA_CIPHER_GCMP || 3069 cipher == WPA_CIPHER_TKIP; 3070 #endif /* CONFIG_NO_TKIP */ 3071 } 3072 3073 wpa_cipher_to_suite(int proto,int cipher)3074 u32 wpa_cipher_to_suite(int proto, int cipher) 3075 { 3076 if (cipher & WPA_CIPHER_CCMP_256) 3077 return RSN_CIPHER_SUITE_CCMP_256; 3078 if (cipher & WPA_CIPHER_GCMP_256) 3079 return RSN_CIPHER_SUITE_GCMP_256; 3080 if (cipher & WPA_CIPHER_CCMP) 3081 return (proto == WPA_PROTO_RSN ? 3082 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP); 3083 if (cipher & WPA_CIPHER_GCMP) 3084 return RSN_CIPHER_SUITE_GCMP; 3085 if (cipher & WPA_CIPHER_TKIP) 3086 return (proto == WPA_PROTO_RSN ? 3087 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP); 3088 if (cipher & WPA_CIPHER_NONE) 3089 return (proto == WPA_PROTO_RSN ? 3090 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE); 3091 if (cipher & WPA_CIPHER_GTK_NOT_USED) 3092 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED; 3093 if (cipher & WPA_CIPHER_AES_128_CMAC) 3094 return RSN_CIPHER_SUITE_AES_128_CMAC; 3095 if (cipher & WPA_CIPHER_BIP_GMAC_128) 3096 return RSN_CIPHER_SUITE_BIP_GMAC_128; 3097 if (cipher & WPA_CIPHER_BIP_GMAC_256) 3098 return RSN_CIPHER_SUITE_BIP_GMAC_256; 3099 if (cipher & WPA_CIPHER_BIP_CMAC_256) 3100 return RSN_CIPHER_SUITE_BIP_CMAC_256; 3101 return 0; 3102 } 3103 3104 rsn_cipher_put_suites(u8 * start,int ciphers)3105 int rsn_cipher_put_suites(u8 *start, int ciphers) 3106 { 3107 u8 *pos = start; 3108 3109 if (ciphers & WPA_CIPHER_CCMP_256) { 3110 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256); 3111 pos += RSN_SELECTOR_LEN; 3112 } 3113 if (ciphers & WPA_CIPHER_GCMP_256) { 3114 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256); 3115 pos += RSN_SELECTOR_LEN; 3116 } 3117 if (ciphers & WPA_CIPHER_CCMP) { 3118 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 3119 pos += RSN_SELECTOR_LEN; 3120 } 3121 if (ciphers & WPA_CIPHER_GCMP) { 3122 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP); 3123 pos += RSN_SELECTOR_LEN; 3124 } 3125 if (ciphers & WPA_CIPHER_TKIP) { 3126 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 3127 pos += RSN_SELECTOR_LEN; 3128 } 3129 if (ciphers & WPA_CIPHER_NONE) { 3130 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE); 3131 pos += RSN_SELECTOR_LEN; 3132 } 3133 3134 return (pos - start) / RSN_SELECTOR_LEN; 3135 } 3136 3137 wpa_cipher_put_suites(u8 * start,int ciphers)3138 int wpa_cipher_put_suites(u8 *start, int ciphers) 3139 { 3140 u8 *pos = start; 3141 3142 if (ciphers & WPA_CIPHER_CCMP) { 3143 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 3144 pos += WPA_SELECTOR_LEN; 3145 } 3146 if (ciphers & WPA_CIPHER_TKIP) { 3147 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 3148 pos += WPA_SELECTOR_LEN; 3149 } 3150 if (ciphers & WPA_CIPHER_NONE) { 3151 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE); 3152 pos += WPA_SELECTOR_LEN; 3153 } 3154 3155 return (pos - start) / RSN_SELECTOR_LEN; 3156 } 3157 3158 wpa_pick_pairwise_cipher(int ciphers,int none_allowed)3159 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) 3160 { 3161 if (ciphers & WPA_CIPHER_CCMP_256) 3162 return WPA_CIPHER_CCMP_256; 3163 if (ciphers & WPA_CIPHER_GCMP_256) 3164 return WPA_CIPHER_GCMP_256; 3165 if (ciphers & WPA_CIPHER_CCMP) 3166 return WPA_CIPHER_CCMP; 3167 if (ciphers & WPA_CIPHER_GCMP) 3168 return WPA_CIPHER_GCMP; 3169 if (ciphers & WPA_CIPHER_TKIP) 3170 return WPA_CIPHER_TKIP; 3171 if (none_allowed && (ciphers & WPA_CIPHER_NONE)) 3172 return WPA_CIPHER_NONE; 3173 return -1; 3174 } 3175 3176 wpa_pick_group_cipher(int ciphers)3177 int wpa_pick_group_cipher(int ciphers) 3178 { 3179 if (ciphers & WPA_CIPHER_CCMP_256) 3180 return WPA_CIPHER_CCMP_256; 3181 if (ciphers & WPA_CIPHER_GCMP_256) 3182 return WPA_CIPHER_GCMP_256; 3183 if (ciphers & WPA_CIPHER_CCMP) 3184 return WPA_CIPHER_CCMP; 3185 if (ciphers & WPA_CIPHER_GCMP) 3186 return WPA_CIPHER_GCMP; 3187 if (ciphers & WPA_CIPHER_GTK_NOT_USED) 3188 return WPA_CIPHER_GTK_NOT_USED; 3189 if (ciphers & WPA_CIPHER_TKIP) 3190 return WPA_CIPHER_TKIP; 3191 return -1; 3192 } 3193 3194 wpa_parse_cipher(const char * value)3195 int wpa_parse_cipher(const char *value) 3196 { 3197 int val = 0, last; 3198 char *start, *end, *buf; 3199 3200 buf = os_strdup(value); 3201 if (buf == NULL) 3202 return -1; 3203 start = buf; 3204 3205 while (*start != '\0') { 3206 while (*start == ' ' || *start == '\t') 3207 start++; 3208 if (*start == '\0') 3209 break; 3210 end = start; 3211 while (*end != ' ' && *end != '\t' && *end != '\0') 3212 end++; 3213 last = *end == '\0'; 3214 *end = '\0'; 3215 if (os_strcmp(start, "CCMP-256") == 0) 3216 val |= WPA_CIPHER_CCMP_256; 3217 else if (os_strcmp(start, "GCMP-256") == 0) 3218 val |= WPA_CIPHER_GCMP_256; 3219 else if (os_strcmp(start, "CCMP") == 0) 3220 val |= WPA_CIPHER_CCMP; 3221 else if (os_strcmp(start, "GCMP") == 0) 3222 val |= WPA_CIPHER_GCMP; 3223 #ifndef CONFIG_NO_TKIP 3224 else if (os_strcmp(start, "TKIP") == 0) 3225 val |= WPA_CIPHER_TKIP; 3226 #endif /* CONFIG_NO_TKIP */ 3227 #ifdef CONFIG_WEP 3228 else if (os_strcmp(start, "WEP104") == 0) 3229 val |= WPA_CIPHER_WEP104; 3230 else if (os_strcmp(start, "WEP40") == 0) 3231 val |= WPA_CIPHER_WEP40; 3232 #endif /* CONFIG_WEP */ 3233 else if (os_strcmp(start, "NONE") == 0) 3234 val |= WPA_CIPHER_NONE; 3235 else if (os_strcmp(start, "GTK_NOT_USED") == 0) 3236 val |= WPA_CIPHER_GTK_NOT_USED; 3237 else if (os_strcmp(start, "AES-128-CMAC") == 0) 3238 val |= WPA_CIPHER_AES_128_CMAC; 3239 else if (os_strcmp(start, "BIP-GMAC-128") == 0) 3240 val |= WPA_CIPHER_BIP_GMAC_128; 3241 else if (os_strcmp(start, "BIP-GMAC-256") == 0) 3242 val |= WPA_CIPHER_BIP_GMAC_256; 3243 else if (os_strcmp(start, "BIP-CMAC-256") == 0) 3244 val |= WPA_CIPHER_BIP_CMAC_256; 3245 else { 3246 os_free(buf); 3247 return -1; 3248 } 3249 3250 if (last) 3251 break; 3252 start = end + 1; 3253 } 3254 os_free(buf); 3255 3256 return val; 3257 } 3258 3259 wpa_write_ciphers(char * start,char * end,int ciphers,const char * delim)3260 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim) 3261 { 3262 char *pos = start; 3263 int ret; 3264 3265 if (ciphers & WPA_CIPHER_CCMP_256) { 3266 ret = os_snprintf(pos, end - pos, "%sCCMP-256", 3267 pos == start ? "" : delim); 3268 if (os_snprintf_error(end - pos, ret)) 3269 return -1; 3270 pos += ret; 3271 } 3272 if (ciphers & WPA_CIPHER_GCMP_256) { 3273 ret = os_snprintf(pos, end - pos, "%sGCMP-256", 3274 pos == start ? "" : delim); 3275 if (os_snprintf_error(end - pos, ret)) 3276 return -1; 3277 pos += ret; 3278 } 3279 if (ciphers & WPA_CIPHER_CCMP) { 3280 ret = os_snprintf(pos, end - pos, "%sCCMP", 3281 pos == start ? "" : delim); 3282 if (os_snprintf_error(end - pos, ret)) 3283 return -1; 3284 pos += ret; 3285 } 3286 if (ciphers & WPA_CIPHER_GCMP) { 3287 ret = os_snprintf(pos, end - pos, "%sGCMP", 3288 pos == start ? "" : delim); 3289 if (os_snprintf_error(end - pos, ret)) 3290 return -1; 3291 pos += ret; 3292 } 3293 if (ciphers & WPA_CIPHER_TKIP) { 3294 ret = os_snprintf(pos, end - pos, "%sTKIP", 3295 pos == start ? "" : delim); 3296 if (os_snprintf_error(end - pos, ret)) 3297 return -1; 3298 pos += ret; 3299 } 3300 if (ciphers & WPA_CIPHER_AES_128_CMAC) { 3301 ret = os_snprintf(pos, end - pos, "%sAES-128-CMAC", 3302 pos == start ? "" : delim); 3303 if (os_snprintf_error(end - pos, ret)) 3304 return -1; 3305 pos += ret; 3306 } 3307 if (ciphers & WPA_CIPHER_BIP_GMAC_128) { 3308 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-128", 3309 pos == start ? "" : delim); 3310 if (os_snprintf_error(end - pos, ret)) 3311 return -1; 3312 pos += ret; 3313 } 3314 if (ciphers & WPA_CIPHER_BIP_GMAC_256) { 3315 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-256", 3316 pos == start ? "" : delim); 3317 if (os_snprintf_error(end - pos, ret)) 3318 return -1; 3319 pos += ret; 3320 } 3321 if (ciphers & WPA_CIPHER_BIP_CMAC_256) { 3322 ret = os_snprintf(pos, end - pos, "%sBIP-CMAC-256", 3323 pos == start ? "" : delim); 3324 if (os_snprintf_error(end - pos, ret)) 3325 return -1; 3326 pos += ret; 3327 } 3328 if (ciphers & WPA_CIPHER_NONE) { 3329 ret = os_snprintf(pos, end - pos, "%sNONE", 3330 pos == start ? "" : delim); 3331 if (os_snprintf_error(end - pos, ret)) 3332 return -1; 3333 pos += ret; 3334 } 3335 3336 return pos - start; 3337 } 3338 3339 wpa_select_ap_group_cipher(int wpa,int wpa_pairwise,int rsn_pairwise)3340 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise) 3341 { 3342 int pairwise = 0; 3343 3344 /* Select group cipher based on the enabled pairwise cipher suites */ 3345 if (wpa & 1) 3346 pairwise |= wpa_pairwise; 3347 if (wpa & 2) 3348 pairwise |= rsn_pairwise; 3349 3350 if (pairwise & WPA_CIPHER_TKIP) 3351 return WPA_CIPHER_TKIP; 3352 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP) 3353 return WPA_CIPHER_GCMP; 3354 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP | 3355 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256) 3356 return WPA_CIPHER_GCMP_256; 3357 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP | 3358 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256) 3359 return WPA_CIPHER_CCMP_256; 3360 return WPA_CIPHER_CCMP; 3361 } 3362 3363 3364 #ifdef CONFIG_FILS fils_domain_name_hash(const char * domain,u8 * hash)3365 int fils_domain_name_hash(const char *domain, u8 *hash) 3366 { 3367 char buf[255], *wpos = buf; 3368 const char *pos = domain; 3369 size_t len; 3370 const u8 *addr[1]; 3371 u8 mac[SHA256_MAC_LEN]; 3372 3373 for (len = 0; len < sizeof(buf) && *pos; len++) { 3374 if (isalpha(*pos) && isupper(*pos)) 3375 *wpos++ = tolower(*pos); 3376 else 3377 *wpos++ = *pos; 3378 pos++; 3379 } 3380 3381 addr[0] = (const u8 *) buf; 3382 if (sha256_vector(1, addr, &len, mac) < 0) 3383 return -1; 3384 os_memcpy(hash, mac, 2); 3385 return 0; 3386 } 3387 #endif /* CONFIG_FILS */ 3388 3389 3390 /** 3391 * wpa_parse_vendor_specific - Parse Vendor Specific IEs 3392 * @pos: Pointer to the IE header 3393 * @end: Pointer to the end of the Key Data buffer 3394 * @ie: Pointer to parsed IE data 3395 */ wpa_parse_vendor_specific(const u8 * pos,const u8 * end,struct wpa_eapol_ie_parse * ie)3396 static void wpa_parse_vendor_specific(const u8 *pos, const u8 *end, 3397 struct wpa_eapol_ie_parse *ie) 3398 { 3399 unsigned int oui; 3400 3401 if (pos[1] < 4) { 3402 wpa_printf(MSG_MSGDUMP, 3403 "Too short vendor specific IE ignored (len=%u)", 3404 pos[1]); 3405 return; 3406 } 3407 3408 oui = WPA_GET_BE24(&pos[2]); 3409 if (oui == OUI_MICROSOFT && pos[5] == WMM_OUI_TYPE && pos[1] > 4) { 3410 if (pos[6] == WMM_OUI_SUBTYPE_INFORMATION_ELEMENT) { 3411 ie->wmm = &pos[2]; 3412 ie->wmm_len = pos[1]; 3413 wpa_hexdump(MSG_DEBUG, "WPA: WMM IE", 3414 ie->wmm, ie->wmm_len); 3415 } else if (pos[6] == WMM_OUI_SUBTYPE_PARAMETER_ELEMENT) { 3416 ie->wmm = &pos[2]; 3417 ie->wmm_len = pos[1]; 3418 wpa_hexdump(MSG_DEBUG, "WPA: WMM Parameter Element", 3419 ie->wmm, ie->wmm_len); 3420 } 3421 } 3422 } 3423 3424 3425 /** 3426 * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs 3427 * @pos: Pointer to the IE header 3428 * @ie: Pointer to parsed IE data 3429 * Returns: 0 on success, 1 if end mark is found, 2 if KDE is not recognized 3430 */ wpa_parse_generic(const u8 * pos,struct wpa_eapol_ie_parse * ie)3431 static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie) 3432 { 3433 u8 len = pos[1]; 3434 size_t dlen = 2 + len; 3435 u32 selector; 3436 const u8 *p; 3437 size_t left; 3438 u8 link_id; 3439 char title[100]; 3440 int ret; 3441 3442 if (len == 0) 3443 return 1; 3444 3445 if (len < RSN_SELECTOR_LEN) 3446 return 2; 3447 3448 p = pos + 2; 3449 selector = RSN_SELECTOR_GET(p); 3450 p += RSN_SELECTOR_LEN; 3451 left = len - RSN_SELECTOR_LEN; 3452 3453 if (left >= 2 && selector == WPA_OUI_TYPE && p[0] == 1 && p[1] == 0) { 3454 ie->wpa_ie = pos; 3455 ie->wpa_ie_len = dlen; 3456 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE in EAPOL-Key", 3457 ie->wpa_ie, ie->wpa_ie_len); 3458 return 0; 3459 } 3460 3461 if (left >= PMKID_LEN && selector == RSN_KEY_DATA_PMKID) { 3462 ie->pmkid = p; 3463 wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key", pos, dlen); 3464 return 0; 3465 } 3466 3467 if (left >= 2 && selector == RSN_KEY_DATA_KEYID) { 3468 ie->key_id = p; 3469 wpa_hexdump(MSG_DEBUG, "WPA: KeyID in EAPOL-Key", pos, dlen); 3470 return 0; 3471 } 3472 3473 if (left > 2 && selector == RSN_KEY_DATA_GROUPKEY) { 3474 ie->gtk = p; 3475 ie->gtk_len = left; 3476 wpa_hexdump_key(MSG_DEBUG, "WPA: GTK in EAPOL-Key", pos, dlen); 3477 return 0; 3478 } 3479 3480 if (left >= ETH_ALEN && selector == RSN_KEY_DATA_MAC_ADDR) { 3481 ie->mac_addr = p; 3482 wpa_printf(MSG_DEBUG, "WPA: MAC Address in EAPOL-Key: " MACSTR, 3483 MAC2STR(ie->mac_addr)); 3484 return 0; 3485 } 3486 3487 if (left > 2 && selector == RSN_KEY_DATA_IGTK) { 3488 ie->igtk = p; 3489 ie->igtk_len = left; 3490 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK in EAPOL-Key", 3491 pos, dlen); 3492 return 0; 3493 } 3494 3495 if (left > 2 && selector == RSN_KEY_DATA_BIGTK) { 3496 ie->bigtk = p; 3497 ie->bigtk_len = left; 3498 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK in EAPOL-Key", 3499 pos, dlen); 3500 return 0; 3501 } 3502 3503 if (left >= 1 && selector == WFA_KEY_DATA_IP_ADDR_REQ) { 3504 ie->ip_addr_req = p; 3505 wpa_hexdump(MSG_DEBUG, "WPA: IP Address Request in EAPOL-Key", 3506 ie->ip_addr_req, left); 3507 return 0; 3508 } 3509 3510 if (left >= 3 * 4 && selector == WFA_KEY_DATA_IP_ADDR_ALLOC) { 3511 ie->ip_addr_alloc = p; 3512 wpa_hexdump(MSG_DEBUG, 3513 "WPA: IP Address Allocation in EAPOL-Key", 3514 ie->ip_addr_alloc, left); 3515 return 0; 3516 } 3517 3518 if (left > 2 && selector == RSN_KEY_DATA_OCI) { 3519 ie->oci = p; 3520 ie->oci_len = left; 3521 wpa_hexdump(MSG_DEBUG, "WPA: OCI KDE in EAPOL-Key", 3522 pos, dlen); 3523 return 0; 3524 } 3525 3526 if (left >= 1 && selector == WFA_KEY_DATA_TRANSITION_DISABLE) { 3527 ie->transition_disable = p; 3528 ie->transition_disable_len = left; 3529 wpa_hexdump(MSG_DEBUG, 3530 "WPA: Transition Disable KDE in EAPOL-Key", 3531 pos, dlen); 3532 return 0; 3533 } 3534 3535 if (left >= 2 && selector == WFA_KEY_DATA_DPP) { 3536 ie->dpp_kde = p; 3537 ie->dpp_kde_len = left; 3538 wpa_hexdump(MSG_DEBUG, "WPA: DPP KDE in EAPOL-Key", pos, dlen); 3539 return 0; 3540 } 3541 3542 if (left >= RSN_MLO_GTK_KDE_PREFIX_LENGTH && 3543 selector == RSN_KEY_DATA_MLO_GTK) { 3544 link_id = (p[0] & RSN_MLO_GTK_KDE_PREFIX0_LINK_ID_MASK) >> 3545 RSN_MLO_GTK_KDE_PREFIX0_LINK_ID_SHIFT; 3546 if (link_id >= MAX_NUM_MLD_LINKS) 3547 return 2; 3548 3549 ie->valid_mlo_gtks |= BIT(link_id); 3550 ie->mlo_gtk[link_id] = p; 3551 ie->mlo_gtk_len[link_id] = left; 3552 ret = os_snprintf(title, sizeof(title), 3553 "RSN: Link ID %u - MLO GTK KDE in EAPOL-Key", 3554 link_id); 3555 if (!os_snprintf_error(sizeof(title), ret)) 3556 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen); 3557 return 0; 3558 } 3559 3560 if (left >= RSN_MLO_IGTK_KDE_PREFIX_LENGTH && 3561 selector == RSN_KEY_DATA_MLO_IGTK) { 3562 link_id = (p[8] & RSN_MLO_IGTK_KDE_PREFIX8_LINK_ID_MASK) >> 3563 RSN_MLO_IGTK_KDE_PREFIX8_LINK_ID_SHIFT; 3564 if (link_id >= MAX_NUM_MLD_LINKS) 3565 return 2; 3566 3567 ie->valid_mlo_igtks |= BIT(link_id); 3568 ie->mlo_igtk[link_id] = p; 3569 ie->mlo_igtk_len[link_id] = left; 3570 ret = os_snprintf(title, sizeof(title), 3571 "RSN: Link ID %u - MLO IGTK KDE in EAPOL-Key", 3572 link_id); 3573 if (!os_snprintf_error(sizeof(title), ret)) 3574 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen); 3575 return 0; 3576 } 3577 3578 if (left >= RSN_MLO_BIGTK_KDE_PREFIX_LENGTH && 3579 selector == RSN_KEY_DATA_MLO_BIGTK) { 3580 link_id = (p[8] & RSN_MLO_BIGTK_KDE_PREFIX8_LINK_ID_MASK) >> 3581 RSN_MLO_BIGTK_KDE_PREFIX8_LINK_ID_SHIFT; 3582 if (link_id >= MAX_NUM_MLD_LINKS) 3583 return 2; 3584 3585 ie->valid_mlo_bigtks |= BIT(link_id); 3586 ie->mlo_bigtk[link_id] = p; 3587 ie->mlo_bigtk_len[link_id] = left; 3588 ret = os_snprintf(title, sizeof(title), 3589 "RSN: Link ID %u - MLO BIGTK KDE in EAPOL-Key", 3590 link_id); 3591 if (!os_snprintf_error(sizeof(title), ret)) 3592 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen); 3593 return 0; 3594 } 3595 3596 if (left >= RSN_MLO_LINK_KDE_FIXED_LENGTH && 3597 selector == RSN_KEY_DATA_MLO_LINK) { 3598 link_id = (p[0] & RSN_MLO_LINK_KDE_LI_LINK_ID_MASK) >> 3599 RSN_MLO_LINK_KDE_LI_LINK_ID_SHIFT; 3600 if (link_id >= MAX_NUM_MLD_LINKS) 3601 return 2; 3602 3603 ie->valid_mlo_links |= BIT(link_id); 3604 ie->mlo_link[link_id] = p; 3605 ie->mlo_link_len[link_id] = left; 3606 ret = os_snprintf(title, sizeof(title), 3607 "RSN: Link ID %u - MLO Link KDE in EAPOL-Key", 3608 link_id); 3609 if (!os_snprintf_error(sizeof(title), ret)) 3610 wpa_hexdump(MSG_DEBUG, title, pos, dlen); 3611 return 0; 3612 } 3613 3614 if (left >= 1 && selector == WFA_KEY_DATA_RSN_OVERRIDE_LINK) { 3615 link_id = p[0]; 3616 if (link_id >= MAX_NUM_MLD_LINKS) 3617 return 2; 3618 3619 ie->rsn_override_link[link_id] = p; 3620 ie->rsn_override_link_len[link_id] = left; 3621 ret = os_snprintf(title, sizeof(title), 3622 "RSN: Link ID %u - RSN Override Link KDE in EAPOL-Key", 3623 link_id); 3624 if (!os_snprintf_error(sizeof(title), ret)) 3625 wpa_hexdump(MSG_DEBUG, title, pos, dlen); 3626 return 0; 3627 } 3628 3629 if (selector == RSNE_OVERRIDE_IE_VENDOR_TYPE) { 3630 ie->rsne_override = pos; 3631 ie->rsne_override_len = dlen; 3632 wpa_hexdump(MSG_DEBUG, 3633 "RSN: RSNE Override element in EAPOL-Key", 3634 ie->rsne_override, ie->rsne_override_len); 3635 return 0; 3636 } 3637 3638 if (selector == RSNE_OVERRIDE_2_IE_VENDOR_TYPE) { 3639 ie->rsne_override_2 = pos; 3640 ie->rsne_override_2_len = dlen; 3641 wpa_hexdump(MSG_DEBUG, 3642 "RSN: RSNE Override 2 element in EAPOL-Key", 3643 ie->rsne_override_2, ie->rsne_override_2_len); 3644 return 0; 3645 } 3646 3647 if (selector == RSNXE_OVERRIDE_IE_VENDOR_TYPE) { 3648 ie->rsnxe_override = pos; 3649 ie->rsnxe_override_len = dlen; 3650 wpa_hexdump(MSG_DEBUG, 3651 "RSN: RSNXE Override element in EAPOL-Key", 3652 ie->rsnxe_override, ie->rsnxe_override_len); 3653 return 0; 3654 } 3655 3656 if (selector == RSN_SELECTION_IE_VENDOR_TYPE) { 3657 ie->rsn_selection = p; 3658 ie->rsn_selection_len = left; 3659 wpa_hexdump(MSG_DEBUG, 3660 "RSN: RSN Selection element in EAPOL-Key", 3661 ie->rsn_selection, ie->rsn_selection_len); 3662 return 0; 3663 } 3664 3665 return 2; 3666 } 3667 3668 3669 /** 3670 * wpa_parse_kde_ies - Parse EAPOL-Key Key Data IEs 3671 * @buf: Pointer to the Key Data buffer 3672 * @len: Key Data Length 3673 * @ie: Pointer to parsed IE data 3674 * Returns: 0 on success, -1 on failure 3675 */ wpa_parse_kde_ies(const u8 * buf,size_t len,struct wpa_eapol_ie_parse * ie)3676 int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie) 3677 { 3678 const u8 *pos, *end; 3679 int ret = 0; 3680 size_t dlen = 0; 3681 3682 os_memset(ie, 0, sizeof(*ie)); 3683 for (pos = buf, end = pos + len; end - pos > 1; pos += dlen) { 3684 if (pos[0] == 0xdd && 3685 ((pos == buf + len - 1) || pos[1] == 0)) { 3686 /* Ignore padding */ 3687 break; 3688 } 3689 dlen = 2 + pos[1]; 3690 if ((int) dlen > end - pos) { 3691 wpa_printf(MSG_DEBUG, 3692 "WPA: EAPOL-Key Key Data underflow (ie=%d len=%d pos=%d)", 3693 pos[0], pos[1], (int) (pos - buf)); 3694 wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data", buf, len); 3695 ret = -1; 3696 break; 3697 } 3698 if (*pos == WLAN_EID_RSN) { 3699 ie->rsn_ie = pos; 3700 ie->rsn_ie_len = dlen; 3701 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key", 3702 ie->rsn_ie, ie->rsn_ie_len); 3703 } else if (*pos == WLAN_EID_RSNX) { 3704 ie->rsnxe = pos; 3705 ie->rsnxe_len = dlen; 3706 wpa_hexdump(MSG_DEBUG, "WPA: RSNXE in EAPOL-Key", 3707 ie->rsnxe, ie->rsnxe_len); 3708 } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) { 3709 ie->mdie = pos; 3710 ie->mdie_len = dlen; 3711 wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key", 3712 ie->mdie, ie->mdie_len); 3713 } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) { 3714 ie->ftie = pos; 3715 ie->ftie_len = dlen; 3716 wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key", 3717 ie->ftie, ie->ftie_len); 3718 } else if (*pos == WLAN_EID_TIMEOUT_INTERVAL && pos[1] >= 5) { 3719 if (pos[2] == WLAN_TIMEOUT_REASSOC_DEADLINE) { 3720 ie->reassoc_deadline = pos; 3721 wpa_hexdump(MSG_DEBUG, "WPA: Reassoc Deadline " 3722 "in EAPOL-Key", 3723 ie->reassoc_deadline, dlen); 3724 } else if (pos[2] == WLAN_TIMEOUT_KEY_LIFETIME) { 3725 ie->key_lifetime = pos; 3726 wpa_hexdump(MSG_DEBUG, "WPA: KeyLifetime " 3727 "in EAPOL-Key", 3728 ie->key_lifetime, dlen); 3729 } else { 3730 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized " 3731 "EAPOL-Key Key Data IE", 3732 pos, dlen); 3733 } 3734 } else if (*pos == WLAN_EID_LINK_ID) { 3735 if (pos[1] >= 18) { 3736 ie->lnkid = pos; 3737 ie->lnkid_len = dlen; 3738 } 3739 } else if (*pos == WLAN_EID_EXT_CAPAB) { 3740 ie->ext_capab = pos; 3741 ie->ext_capab_len = dlen; 3742 } else if (*pos == WLAN_EID_SUPP_RATES) { 3743 ie->supp_rates = pos; 3744 ie->supp_rates_len = dlen; 3745 } else if (*pos == WLAN_EID_EXT_SUPP_RATES) { 3746 ie->ext_supp_rates = pos; 3747 ie->ext_supp_rates_len = dlen; 3748 } else if (*pos == WLAN_EID_HT_CAP && 3749 pos[1] >= sizeof(struct ieee80211_ht_capabilities)) { 3750 ie->ht_capabilities = pos + 2; 3751 } else if (*pos == WLAN_EID_AID) { 3752 if (pos[1] >= 2) 3753 ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff; 3754 } else if (*pos == WLAN_EID_VHT_CAP && 3755 pos[1] >= sizeof(struct ieee80211_vht_capabilities)) 3756 { 3757 ie->vht_capabilities = pos + 2; 3758 } else if (*pos == WLAN_EID_EXTENSION && 3759 pos[1] >= 1 + IEEE80211_HE_CAPAB_MIN_LEN && 3760 pos[2] == WLAN_EID_EXT_HE_CAPABILITIES) { 3761 ie->he_capabilities = pos + 3; 3762 ie->he_capab_len = pos[1] - 1; 3763 } else if (*pos == WLAN_EID_EXTENSION && 3764 pos[1] >= 1 + 3765 sizeof(struct ieee80211_he_6ghz_band_cap) && 3766 pos[2] == WLAN_EID_EXT_HE_6GHZ_BAND_CAP) { 3767 ie->he_6ghz_capabilities = pos + 3; 3768 } else if (*pos == WLAN_EID_EXTENSION && 3769 pos[1] >= 1 + IEEE80211_EHT_CAPAB_MIN_LEN && 3770 pos[2] == WLAN_EID_EXT_EHT_CAPABILITIES) { 3771 ie->eht_capabilities = pos + 3; 3772 ie->eht_capab_len = pos[1] - 1; 3773 } else if (*pos == WLAN_EID_QOS && pos[1] >= 1) { 3774 ie->qosinfo = pos[2]; 3775 } else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) { 3776 ie->supp_channels = pos + 2; 3777 ie->supp_channels_len = pos[1]; 3778 } else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) { 3779 /* 3780 * The value of the Length field of the Supported 3781 * Operating Classes element is between 2 and 253. 3782 * Silently skip invalid elements to avoid interop 3783 * issues when trying to use the value. 3784 */ 3785 if (pos[1] >= 2 && pos[1] <= 253) { 3786 ie->supp_oper_classes = pos + 2; 3787 ie->supp_oper_classes_len = pos[1]; 3788 } 3789 } else if (*pos == WLAN_EID_SSID) { 3790 ie->ssid = pos + 2; 3791 ie->ssid_len = pos[1]; 3792 wpa_hexdump_ascii(MSG_DEBUG, "RSN: SSID in EAPOL-Key", 3793 ie->ssid, ie->ssid_len); 3794 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) { 3795 ret = wpa_parse_generic(pos, ie); 3796 if (ret == 1) { 3797 /* end mark found */ 3798 ret = 0; 3799 break; 3800 } 3801 3802 if (ret == 2) { 3803 /* not a known KDE */ 3804 wpa_parse_vendor_specific(pos, end, ie); 3805 } 3806 3807 ret = 0; 3808 } else { 3809 wpa_hexdump(MSG_DEBUG, 3810 "WPA: Unrecognized EAPOL-Key Key Data IE", 3811 pos, dlen); 3812 } 3813 } 3814 3815 return ret; 3816 } 3817 3818 3819 #ifdef CONFIG_PASN 3820 3821 /* 3822 * wpa_pasn_build_auth_header - Add the MAC header and initialize Authentication 3823 * frame for PASN 3824 * 3825 * @buf: Buffer in which the header will be added 3826 * @bssid: The BSSID of the AP 3827 * @src: Source address 3828 * @dst: Destination address 3829 * @trans_seq: Authentication transaction sequence number 3830 * @status: Authentication status 3831 */ wpa_pasn_build_auth_header(struct wpabuf * buf,const u8 * bssid,const u8 * src,const u8 * dst,u8 trans_seq,u16 status)3832 void wpa_pasn_build_auth_header(struct wpabuf *buf, const u8 *bssid, 3833 const u8 *src, const u8 *dst, 3834 u8 trans_seq, u16 status) 3835 { 3836 struct ieee80211_mgmt *auth; 3837 3838 wpa_printf(MSG_DEBUG, "PASN: Add authentication header. trans_seq=%u", 3839 trans_seq); 3840 3841 auth = wpabuf_put(buf, offsetof(struct ieee80211_mgmt, 3842 u.auth.variable)); 3843 3844 auth->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) | 3845 (WLAN_FC_STYPE_AUTH << 4)); 3846 3847 os_memcpy(auth->da, dst, ETH_ALEN); 3848 os_memcpy(auth->sa, src, ETH_ALEN); 3849 os_memcpy(auth->bssid, bssid, ETH_ALEN); 3850 auth->seq_ctrl = 0; 3851 3852 auth->u.auth.auth_alg = host_to_le16(WLAN_AUTH_PASN); 3853 auth->u.auth.auth_transaction = host_to_le16(trans_seq); 3854 auth->u.auth.status_code = host_to_le16(status); 3855 } 3856 3857 3858 /* 3859 * wpa_pasn_add_rsne - Add an RSNE for PASN authentication 3860 * @buf: Buffer in which the IE will be added 3861 * @pmkid: Optional PMKID. Can be NULL. 3862 * @akmp: Authentication and key management protocol 3863 * @cipher: The cipher suite 3864 */ wpa_pasn_add_rsne(struct wpabuf * buf,const u8 * pmkid,int akmp,int cipher)3865 int wpa_pasn_add_rsne(struct wpabuf *buf, const u8 *pmkid, int akmp, int cipher) 3866 { 3867 struct rsn_ie_hdr *hdr; 3868 u32 suite; 3869 u16 capab; 3870 u8 *pos; 3871 u8 rsne_len; 3872 3873 wpa_printf(MSG_DEBUG, "PASN: Add RSNE"); 3874 3875 rsne_len = sizeof(*hdr) + RSN_SELECTOR_LEN + 3876 2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN + 3877 2 + RSN_SELECTOR_LEN + 2 + (pmkid ? PMKID_LEN : 0); 3878 3879 if (wpabuf_tailroom(buf) < rsne_len) 3880 return -1; 3881 hdr = wpabuf_put(buf, rsne_len); 3882 hdr->elem_id = WLAN_EID_RSN; 3883 hdr->len = rsne_len - 2; 3884 WPA_PUT_LE16(hdr->version, RSN_VERSION); 3885 pos = (u8 *) (hdr + 1); 3886 3887 /* Group addressed data is not allowed */ 3888 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 3889 pos += RSN_SELECTOR_LEN; 3890 3891 /* Add the pairwise cipher */ 3892 WPA_PUT_LE16(pos, 1); 3893 pos += 2; 3894 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, cipher); 3895 RSN_SELECTOR_PUT(pos, suite); 3896 pos += RSN_SELECTOR_LEN; 3897 3898 /* Add the AKM suite */ 3899 WPA_PUT_LE16(pos, 1); 3900 pos += 2; 3901 3902 switch (akmp) { 3903 case WPA_KEY_MGMT_PASN: 3904 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PASN); 3905 break; 3906 #ifdef CONFIG_SAE 3907 case WPA_KEY_MGMT_SAE: 3908 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE); 3909 break; 3910 case WPA_KEY_MGMT_SAE_EXT_KEY: 3911 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY); 3912 break; 3913 #endif /* CONFIG_SAE */ 3914 #ifdef CONFIG_FILS 3915 case WPA_KEY_MGMT_FILS_SHA256: 3916 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA256); 3917 break; 3918 case WPA_KEY_MGMT_FILS_SHA384: 3919 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA384); 3920 break; 3921 #endif /* CONFIG_FILS */ 3922 #ifdef CONFIG_IEEE80211R 3923 case WPA_KEY_MGMT_FT_PSK: 3924 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK); 3925 break; 3926 case WPA_KEY_MGMT_FT_IEEE8021X: 3927 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X); 3928 break; 3929 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 3930 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384); 3931 break; 3932 #endif /* CONFIG_IEEE80211R */ 3933 default: 3934 wpa_printf(MSG_ERROR, "PASN: Invalid AKMP=0x%x", akmp); 3935 return -1; 3936 } 3937 pos += RSN_SELECTOR_LEN; 3938 3939 /* RSN Capabilities: PASN mandates both MFP capable and required */ 3940 capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR; 3941 WPA_PUT_LE16(pos, capab); 3942 pos += 2; 3943 3944 if (pmkid) { 3945 wpa_printf(MSG_DEBUG, "PASN: Adding PMKID"); 3946 3947 WPA_PUT_LE16(pos, 1); 3948 pos += 2; 3949 os_memcpy(pos, pmkid, PMKID_LEN); 3950 pos += PMKID_LEN; 3951 } else { 3952 WPA_PUT_LE16(pos, 0); 3953 pos += 2; 3954 } 3955 3956 /* Group addressed management is not allowed */ 3957 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED); 3958 3959 return 0; 3960 } 3961 3962 3963 /* 3964 * wpa_pasn_add_parameter_ie - Add PASN Parameters IE for PASN authentication 3965 * @buf: Buffer in which the IE will be added 3966 * @pasn_group: Finite Cyclic Group ID for PASN authentication 3967 * @wrapped_data_format: Format of the data in the Wrapped Data IE 3968 * @pubkey: A buffer holding the local public key. Can be NULL 3969 * @compressed: In case pubkey is included, indicates if the public key is 3970 * compressed (only x coordinate is included) or not (both x and y 3971 * coordinates are included) 3972 * @comeback: A buffer holding the comeback token. Can be NULL 3973 * @after: If comeback is set, defined the comeback time in seconds. -1 to not 3974 * include the Comeback After field (frames from non-AP STA). 3975 */ wpa_pasn_add_parameter_ie(struct wpabuf * buf,u16 pasn_group,u8 wrapped_data_format,const struct wpabuf * pubkey,bool compressed,const struct wpabuf * comeback,int after)3976 void wpa_pasn_add_parameter_ie(struct wpabuf *buf, u16 pasn_group, 3977 u8 wrapped_data_format, 3978 const struct wpabuf *pubkey, bool compressed, 3979 const struct wpabuf *comeback, int after) 3980 { 3981 struct pasn_parameter_ie *params; 3982 3983 wpa_printf(MSG_DEBUG, "PASN: Add PASN Parameters element"); 3984 3985 params = wpabuf_put(buf, sizeof(*params)); 3986 3987 params->id = WLAN_EID_EXTENSION; 3988 params->len = sizeof(*params) - 2; 3989 params->id_ext = WLAN_EID_EXT_PASN_PARAMS; 3990 params->control = 0; 3991 params->wrapped_data_format = wrapped_data_format; 3992 3993 if (comeback) { 3994 wpa_printf(MSG_DEBUG, "PASN: Adding comeback data"); 3995 3996 /* 3997 * 2 octets for the 'after' field + 1 octet for the length + 3998 * actual cookie data 3999 */ 4000 if (after >= 0) 4001 params->len += 2; 4002 params->len += 1 + wpabuf_len(comeback); 4003 params->control |= WPA_PASN_CTRL_COMEBACK_INFO_PRESENT; 4004 4005 if (after >= 0) 4006 wpabuf_put_le16(buf, after); 4007 wpabuf_put_u8(buf, wpabuf_len(comeback)); 4008 wpabuf_put_buf(buf, comeback); 4009 } 4010 4011 if (pubkey) { 4012 wpa_printf(MSG_DEBUG, 4013 "PASN: Adding public key and group ID %u", 4014 pasn_group); 4015 4016 /* 4017 * 2 octets for the finite cyclic group + 2 octets public key 4018 * length + 1 octet for the compressed/uncompressed indication + 4019 * the actual key. 4020 */ 4021 params->len += 2 + 1 + 1 + wpabuf_len(pubkey); 4022 params->control |= WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT; 4023 4024 wpabuf_put_le16(buf, pasn_group); 4025 4026 /* 4027 * The first octet indicates whether the public key is 4028 * compressed, as defined in RFC 5480 section 2.2. 4029 */ 4030 wpabuf_put_u8(buf, wpabuf_len(pubkey) + 1); 4031 wpabuf_put_u8(buf, compressed ? WPA_PASN_PUBKEY_COMPRESSED_0 : 4032 WPA_PASN_PUBKEY_UNCOMPRESSED); 4033 4034 wpabuf_put_buf(buf, pubkey); 4035 } 4036 } 4037 4038 /* 4039 * wpa_pasn_add_wrapped_data - Add a Wrapped Data IE to PASN Authentication 4040 * frame. If needed, the Wrapped Data IE would be fragmented. 4041 * 4042 * @buf: Buffer in which the IE will be added 4043 * @wrapped_data_buf: Buffer holding the wrapped data 4044 */ wpa_pasn_add_wrapped_data(struct wpabuf * buf,struct wpabuf * wrapped_data_buf)4045 int wpa_pasn_add_wrapped_data(struct wpabuf *buf, 4046 struct wpabuf *wrapped_data_buf) 4047 { 4048 const u8 *data; 4049 size_t data_len; 4050 u8 len; 4051 4052 if (!wrapped_data_buf) 4053 return 0; 4054 4055 wpa_printf(MSG_DEBUG, "PASN: Add wrapped data"); 4056 4057 data = wpabuf_head_u8(wrapped_data_buf); 4058 data_len = wpabuf_len(wrapped_data_buf); 4059 4060 /* nothing to add */ 4061 if (!data_len) 4062 return 0; 4063 4064 if (data_len <= 254) 4065 len = 1 + data_len; 4066 else 4067 len = 255; 4068 4069 if (wpabuf_tailroom(buf) < 3 + data_len) 4070 return -1; 4071 4072 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 4073 wpabuf_put_u8(buf, len); 4074 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA); 4075 wpabuf_put_data(buf, data, len - 1); 4076 4077 data += len - 1; 4078 data_len -= len - 1; 4079 4080 while (data_len) { 4081 if (wpabuf_tailroom(buf) < 1 + data_len) 4082 return -1; 4083 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT); 4084 len = data_len > 255 ? 255 : data_len; 4085 wpabuf_put_u8(buf, len); 4086 wpabuf_put_data(buf, data, len); 4087 data += len; 4088 data_len -= len; 4089 } 4090 4091 return 0; 4092 } 4093 4094 4095 /* 4096 * wpa_pasn_validate_rsne - Validate PSAN specific data of RSNE 4097 * @data: Parsed representation of an RSNE 4098 * Returns -1 for invalid data; otherwise 0 4099 */ wpa_pasn_validate_rsne(const struct wpa_ie_data * data)4100 int wpa_pasn_validate_rsne(const struct wpa_ie_data *data) 4101 { 4102 u16 capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR; 4103 4104 if (data->proto != WPA_PROTO_RSN) 4105 return -1; 4106 4107 if ((data->capabilities & capab) != capab) { 4108 wpa_printf(MSG_DEBUG, "PASN: Invalid RSNE capabilities"); 4109 return -1; 4110 } 4111 4112 if (!data->has_group || data->group_cipher != WPA_CIPHER_GTK_NOT_USED) { 4113 wpa_printf(MSG_DEBUG, "PASN: Invalid group data cipher"); 4114 return -1; 4115 } 4116 4117 if (!data->has_pairwise || !data->pairwise_cipher || 4118 (data->pairwise_cipher & (data->pairwise_cipher - 1))) { 4119 wpa_printf(MSG_DEBUG, "PASN: No valid pairwise suite"); 4120 return -1; 4121 } 4122 4123 switch (data->key_mgmt) { 4124 #ifdef CONFIG_SAE 4125 case WPA_KEY_MGMT_SAE: 4126 case WPA_KEY_MGMT_SAE_EXT_KEY: 4127 /* fall through */ 4128 #endif /* CONFIG_SAE */ 4129 #ifdef CONFIG_FILS 4130 case WPA_KEY_MGMT_FILS_SHA256: 4131 case WPA_KEY_MGMT_FILS_SHA384: 4132 /* fall through */ 4133 #endif /* CONFIG_FILS */ 4134 #ifdef CONFIG_IEEE80211R 4135 case WPA_KEY_MGMT_FT_PSK: 4136 case WPA_KEY_MGMT_FT_IEEE8021X: 4137 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 4138 /* fall through */ 4139 #endif /* CONFIG_IEEE80211R */ 4140 case WPA_KEY_MGMT_PASN: 4141 break; 4142 default: 4143 wpa_printf(MSG_ERROR, "PASN: invalid key_mgmt: 0x%0x", 4144 data->key_mgmt); 4145 return -1; 4146 } 4147 4148 if (data->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED) { 4149 wpa_printf(MSG_DEBUG, "PASN: Invalid group mgmt cipher"); 4150 return -1; 4151 } 4152 4153 if (data->num_pmkid > 1) { 4154 wpa_printf(MSG_DEBUG, "PASN: Invalid number of PMKIDs"); 4155 return -1; 4156 } 4157 4158 return 0; 4159 } 4160 4161 4162 /* 4163 * wpa_pasn_parse_parameter_ie - Validates PASN Parameters IE 4164 * @data: Pointer to the PASN Parameters IE (starting with the EID). 4165 * @len: Length of the data in the PASN Parameters IE 4166 * @from_ap: Whether this was received from an AP 4167 * @pasn_params: On successful return would hold the parsed PASN parameters. 4168 * Returns: -1 for invalid data; otherwise 0 4169 * 4170 * Note: On successful return, the pointers in &pasn_params point to the data in 4171 * the IE and are not locally allocated (so they should not be freed etc.). 4172 */ wpa_pasn_parse_parameter_ie(const u8 * data,u8 len,bool from_ap,struct wpa_pasn_params_data * pasn_params)4173 int wpa_pasn_parse_parameter_ie(const u8 *data, u8 len, bool from_ap, 4174 struct wpa_pasn_params_data *pasn_params) 4175 { 4176 struct pasn_parameter_ie *params = (struct pasn_parameter_ie *) data; 4177 const u8 *pos = (const u8 *) (params + 1); 4178 4179 if (!pasn_params) { 4180 wpa_printf(MSG_DEBUG, "PASN: Invalid params"); 4181 return -1; 4182 } 4183 4184 if (!params || ((size_t) (params->len + 2) < sizeof(*params)) || 4185 len < sizeof(*params) || params->len + 2 != len) { 4186 wpa_printf(MSG_DEBUG, 4187 "PASN: Invalid parameters IE. len=(%u, %u)", 4188 params ? params->len : 0, len); 4189 return -1; 4190 } 4191 4192 os_memset(pasn_params, 0, sizeof(*pasn_params)); 4193 4194 switch (params->wrapped_data_format) { 4195 case WPA_PASN_WRAPPED_DATA_NO: 4196 case WPA_PASN_WRAPPED_DATA_SAE: 4197 case WPA_PASN_WRAPPED_DATA_FILS_SK: 4198 case WPA_PASN_WRAPPED_DATA_FT: 4199 break; 4200 default: 4201 wpa_printf(MSG_DEBUG, "PASN: Invalid wrapped data format"); 4202 return -1; 4203 } 4204 4205 pasn_params->wrapped_data_format = params->wrapped_data_format; 4206 4207 len -= sizeof(*params); 4208 4209 if (params->control & WPA_PASN_CTRL_COMEBACK_INFO_PRESENT) { 4210 if (from_ap) { 4211 if (len < 2) { 4212 wpa_printf(MSG_DEBUG, 4213 "PASN: Invalid Parameters IE: Truncated Comeback After"); 4214 return -1; 4215 } 4216 pasn_params->after = WPA_GET_LE16(pos); 4217 pos += 2; 4218 len -= 2; 4219 } 4220 4221 if (len < 1 || len < 1 + *pos) { 4222 wpa_printf(MSG_DEBUG, 4223 "PASN: Invalid Parameters IE: comeback len"); 4224 return -1; 4225 } 4226 4227 pasn_params->comeback_len = *pos++; 4228 len--; 4229 pasn_params->comeback = pos; 4230 len -= pasn_params->comeback_len; 4231 pos += pasn_params->comeback_len; 4232 } 4233 4234 if (params->control & WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT) { 4235 if (len < 3 || len < 3 + pos[2]) { 4236 wpa_printf(MSG_DEBUG, 4237 "PASN: Invalid Parameters IE: group and key"); 4238 return -1; 4239 } 4240 4241 pasn_params->group = WPA_GET_LE16(pos); 4242 pos += 2; 4243 len -= 2; 4244 pasn_params->pubkey_len = *pos++; 4245 len--; 4246 pasn_params->pubkey = pos; 4247 len -= pasn_params->pubkey_len; 4248 pos += pasn_params->pubkey_len; 4249 } 4250 4251 if (len) { 4252 wpa_printf(MSG_DEBUG, 4253 "PASN: Invalid Parameters IE. Bytes left=%u", len); 4254 return -1; 4255 } 4256 4257 return 0; 4258 } 4259 4260 wpa_pasn_add_rsnxe(struct wpabuf * buf,u16 capab)4261 void wpa_pasn_add_rsnxe(struct wpabuf *buf, u16 capab) 4262 { 4263 size_t flen; 4264 4265 flen = (capab & 0xff00) ? 2 : 1; 4266 if (!capab) 4267 return; /* no supported extended RSN capabilities */ 4268 if (wpabuf_tailroom(buf) < 2 + flen) 4269 return; 4270 capab |= flen - 1; /* bit 0-3 = Field length (n - 1) */ 4271 4272 wpabuf_put_u8(buf, WLAN_EID_RSNX); 4273 wpabuf_put_u8(buf, flen); 4274 wpabuf_put_u8(buf, capab & 0x00ff); 4275 capab >>= 8; 4276 if (capab) 4277 wpabuf_put_u8(buf, capab); 4278 } 4279 4280 4281 /* 4282 * wpa_pasn_add_extra_ies - Add protocol specific IEs in Authentication 4283 * frame for PASN. 4284 * 4285 * @buf: Buffer in which the elements will be added 4286 * @extra_ies: Protocol specific elements to add 4287 * @len: Length of the elements 4288 * Returns: 0 on success, -1 on failure 4289 */ 4290 wpa_pasn_add_extra_ies(struct wpabuf * buf,const u8 * extra_ies,size_t len)4291 int wpa_pasn_add_extra_ies(struct wpabuf *buf, const u8 *extra_ies, size_t len) 4292 { 4293 if (!len || !extra_ies || !buf) 4294 return 0; 4295 4296 if (wpabuf_tailroom(buf) < sizeof(len)) 4297 return -1; 4298 4299 wpabuf_put_data(buf, extra_ies, len); 4300 return 0; 4301 } 4302 4303 #endif /* CONFIG_PASN */ 4304 4305 rsn_set_snonce_cookie(u8 * snonce)4306 void rsn_set_snonce_cookie(u8 *snonce) 4307 { 4308 u8 *pos; 4309 4310 pos = snonce + WPA_NONCE_LEN - 6; 4311 WPA_PUT_BE24(pos, OUI_WFA); 4312 pos += 3; 4313 WPA_PUT_BE24(pos, 0x000029); 4314 } 4315 4316 rsn_is_snonce_cookie(const u8 * snonce)4317 bool rsn_is_snonce_cookie(const u8 *snonce) 4318 { 4319 const u8 *pos; 4320 4321 pos = snonce + WPA_NONCE_LEN - 6; 4322 return WPA_GET_BE24(pos) == OUI_WFA && 4323 WPA_GET_BE24(pos + 3) == 0x000029; 4324 } 4325