1/* 2 * WPA/RSN - Shared functions for supplicant and authenticator 3 * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/md5.h" 13#include "crypto/sha1.h" 14#include "crypto/sha256.h" 15#include "crypto/sha384.h" 16#include "crypto/aes_wrap.h" 17#include "crypto/crypto.h" 18#include "ieee802_11_defs.h" 19#include "defs.h" 20#include "wpa_common.h" 21 22 23static unsigned int wpa_kck_len(int akmp) 24{ 25 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 26 return 24; 27 return 16; 28} 29 30 31static unsigned int wpa_kek_len(int akmp) 32{ 33 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 34 return 32; 35 return 16; 36} 37 38 39unsigned int wpa_mic_len(int akmp) 40{ 41 if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 42 return 24; 43 return 16; 44} 45 46 47/** 48 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC 49 * @key: EAPOL-Key Key Confirmation Key (KCK) 50 * @key_len: KCK length in octets 51 * @akmp: WPA_KEY_MGMT_* used in key derivation 52 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*) 53 * @buf: Pointer to the beginning of the EAPOL header (version field) 54 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame) 55 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written 56 * Returns: 0 on success, -1 on failure 57 * 58 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has 59 * to be cleared (all zeroes) when calling this function. 60 * 61 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the 62 * description of the Key MIC calculation. It includes packet data from the 63 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change 64 * happened during final editing of the standard and the correct behavior is 65 * defined in the last draft (IEEE 802.11i/D10). 66 */ 67int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, 68 const u8 *buf, size_t len, u8 *mic) 69{ 70 u8 hash[SHA384_MAC_LEN]; 71 72 switch (ver) { 73#ifndef CONFIG_FIPS 74 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4: 75 return hmac_md5(key, key_len, buf, len, mic); 76#endif /* CONFIG_FIPS */ 77 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES: 78 if (hmac_sha1(key, key_len, buf, len, hash)) 79 return -1; 80 os_memcpy(mic, hash, MD5_MAC_LEN); 81 break; 82#if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W) 83 case WPA_KEY_INFO_TYPE_AES_128_CMAC: 84 return omac1_aes_128(key, buf, len, mic); 85#endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */ 86 case WPA_KEY_INFO_TYPE_AKM_DEFINED: 87 switch (akmp) { 88#ifdef CONFIG_HS20 89 case WPA_KEY_MGMT_OSEN: 90 return omac1_aes_128(key, buf, len, mic); 91#endif /* CONFIG_HS20 */ 92#ifdef CONFIG_SUITEB 93 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 94 if (hmac_sha256(key, key_len, buf, len, hash)) 95 return -1; 96 os_memcpy(mic, hash, MD5_MAC_LEN); 97 break; 98#endif /* CONFIG_SUITEB */ 99#ifdef CONFIG_SUITEB192 100 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 101 if (hmac_sha384(key, key_len, buf, len, hash)) 102 return -1; 103 os_memcpy(mic, hash, 24); 104 break; 105#endif /* CONFIG_SUITEB192 */ 106 default: 107 return -1; 108 } 109 break; 110 default: 111 return -1; 112 } 113 114 return 0; 115} 116 117 118/** 119 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces 120 * @pmk: Pairwise master key 121 * @pmk_len: Length of PMK 122 * @label: Label to use in derivation 123 * @addr1: AA or SA 124 * @addr2: SA or AA 125 * @nonce1: ANonce or SNonce 126 * @nonce2: SNonce or ANonce 127 * @ptk: Buffer for pairwise transient key 128 * @akmp: Negotiated AKM 129 * @cipher: Negotiated pairwise cipher 130 * Returns: 0 on success, -1 on failure 131 * 132 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 133 * PTK = PRF-X(PMK, "Pairwise key expansion", 134 * Min(AA, SA) || Max(AA, SA) || 135 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 136 * 137 * STK = PRF-X(SMK, "Peer key expansion", 138 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) || 139 * Min(INonce, PNonce) || Max(INonce, PNonce)) 140 */ 141int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, 142 const u8 *addr1, const u8 *addr2, 143 const u8 *nonce1, const u8 *nonce2, 144 struct wpa_ptk *ptk, int akmp, int cipher) 145{ 146 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN]; 147 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 148 size_t ptk_len; 149 150 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) { 151 os_memcpy(data, addr1, ETH_ALEN); 152 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN); 153 } else { 154 os_memcpy(data, addr2, ETH_ALEN); 155 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN); 156 } 157 158 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) { 159 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN); 160 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2, 161 WPA_NONCE_LEN); 162 } else { 163 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN); 164 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1, 165 WPA_NONCE_LEN); 166 } 167 168 ptk->kck_len = wpa_kck_len(akmp); 169 ptk->kek_len = wpa_kek_len(akmp); 170 ptk->tk_len = wpa_cipher_key_len(cipher); 171 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 172 173#ifdef CONFIG_SUITEB192 174 if (wpa_key_mgmt_sha384(akmp)) 175 sha384_prf(pmk, pmk_len, label, data, sizeof(data), 176 tmp, ptk_len); 177 else 178#endif /* CONFIG_SUITEB192 */ 179#ifdef CONFIG_IEEE80211W 180 if (wpa_key_mgmt_sha256(akmp)) 181 sha256_prf(pmk, pmk_len, label, data, sizeof(data), 182 tmp, ptk_len); 183 else 184#endif /* CONFIG_IEEE80211W */ 185 sha1_prf(pmk, pmk_len, label, data, sizeof(data), tmp, ptk_len); 186 187 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR, 188 MAC2STR(addr1), MAC2STR(addr2)); 189 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN); 190 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN); 191 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len); 192 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len); 193 194 os_memcpy(ptk->kck, tmp, ptk->kck_len); 195 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len); 196 197 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 198 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 199 200 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 201 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len); 202 203 os_memset(tmp, 0, sizeof(tmp)); 204 return 0; 205} 206 207 208#ifdef CONFIG_IEEE80211R 209int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr, 210 const u8 *ap_addr, u8 transaction_seqnum, 211 const u8 *mdie, size_t mdie_len, 212 const u8 *ftie, size_t ftie_len, 213 const u8 *rsnie, size_t rsnie_len, 214 const u8 *ric, size_t ric_len, u8 *mic) 215{ 216 const u8 *addr[9]; 217 size_t len[9]; 218 size_t i, num_elem = 0; 219 u8 zero_mic[16]; 220 221 if (kck_len != 16) { 222 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u", 223 (unsigned int) kck_len); 224 return -1; 225 } 226 227 addr[num_elem] = sta_addr; 228 len[num_elem] = ETH_ALEN; 229 num_elem++; 230 231 addr[num_elem] = ap_addr; 232 len[num_elem] = ETH_ALEN; 233 num_elem++; 234 235 addr[num_elem] = &transaction_seqnum; 236 len[num_elem] = 1; 237 num_elem++; 238 239 if (rsnie) { 240 addr[num_elem] = rsnie; 241 len[num_elem] = rsnie_len; 242 num_elem++; 243 } 244 if (mdie) { 245 addr[num_elem] = mdie; 246 len[num_elem] = mdie_len; 247 num_elem++; 248 } 249 if (ftie) { 250 if (ftie_len < 2 + sizeof(struct rsn_ftie)) 251 return -1; 252 253 /* IE hdr and mic_control */ 254 addr[num_elem] = ftie; 255 len[num_elem] = 2 + 2; 256 num_elem++; 257 258 /* MIC field with all zeros */ 259 os_memset(zero_mic, 0, sizeof(zero_mic)); 260 addr[num_elem] = zero_mic; 261 len[num_elem] = sizeof(zero_mic); 262 num_elem++; 263 264 /* Rest of FTIE */ 265 addr[num_elem] = ftie + 2 + 2 + 16; 266 len[num_elem] = ftie_len - (2 + 2 + 16); 267 num_elem++; 268 } 269 if (ric) { 270 addr[num_elem] = ric; 271 len[num_elem] = ric_len; 272 num_elem++; 273 } 274 275 for (i = 0; i < num_elem; i++) 276 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]); 277 if (omac1_aes_128_vector(kck, num_elem, addr, len, mic)) 278 return -1; 279 280 return 0; 281} 282 283 284static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len, 285 struct wpa_ft_ies *parse) 286{ 287 const u8 *end, *pos; 288 289 parse->ftie = ie; 290 parse->ftie_len = ie_len; 291 292 pos = ie + sizeof(struct rsn_ftie); 293 end = ie + ie_len; 294 295 while (end - pos >= 2) { 296 u8 id, len; 297 298 id = *pos++; 299 len = *pos++; 300 if (len > end - pos) 301 break; 302 303 switch (id) { 304 case FTIE_SUBELEM_R1KH_ID: 305 if (len != FT_R1KH_ID_LEN) { 306 wpa_printf(MSG_DEBUG, 307 "FT: Invalid R1KH-ID length in FTIE: %d", 308 len); 309 return -1; 310 } 311 parse->r1kh_id = pos; 312 break; 313 case FTIE_SUBELEM_GTK: 314 parse->gtk = pos; 315 parse->gtk_len = len; 316 break; 317 case FTIE_SUBELEM_R0KH_ID: 318 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) { 319 wpa_printf(MSG_DEBUG, 320 "FT: Invalid R0KH-ID length in FTIE: %d", 321 len); 322 return -1; 323 } 324 parse->r0kh_id = pos; 325 parse->r0kh_id_len = len; 326 break; 327#ifdef CONFIG_IEEE80211W 328 case FTIE_SUBELEM_IGTK: 329 parse->igtk = pos; 330 parse->igtk_len = len; 331 break; 332#endif /* CONFIG_IEEE80211W */ 333 } 334 335 pos += len; 336 } 337 338 return 0; 339} 340 341 342int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, 343 struct wpa_ft_ies *parse) 344{ 345 const u8 *end, *pos; 346 struct wpa_ie_data data; 347 int ret; 348 const struct rsn_ftie *ftie; 349 int prot_ie_count = 0; 350 351 os_memset(parse, 0, sizeof(*parse)); 352 if (ies == NULL) 353 return 0; 354 355 pos = ies; 356 end = ies + ies_len; 357 while (end - pos >= 2) { 358 u8 id, len; 359 360 id = *pos++; 361 len = *pos++; 362 if (len > end - pos) 363 break; 364 365 switch (id) { 366 case WLAN_EID_RSN: 367 parse->rsn = pos; 368 parse->rsn_len = len; 369 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2, 370 parse->rsn_len + 2, 371 &data); 372 if (ret < 0) { 373 wpa_printf(MSG_DEBUG, "FT: Failed to parse " 374 "RSN IE: %d", ret); 375 return -1; 376 } 377 if (data.num_pmkid == 1 && data.pmkid) 378 parse->rsn_pmkid = data.pmkid; 379 break; 380 case WLAN_EID_MOBILITY_DOMAIN: 381 if (len < sizeof(struct rsn_mdie)) 382 return -1; 383 parse->mdie = pos; 384 parse->mdie_len = len; 385 break; 386 case WLAN_EID_FAST_BSS_TRANSITION: 387 if (len < sizeof(*ftie)) 388 return -1; 389 ftie = (const struct rsn_ftie *) pos; 390 prot_ie_count = ftie->mic_control[1]; 391 if (wpa_ft_parse_ftie(pos, len, parse) < 0) 392 return -1; 393 break; 394 case WLAN_EID_TIMEOUT_INTERVAL: 395 if (len != 5) 396 break; 397 parse->tie = pos; 398 parse->tie_len = len; 399 break; 400 case WLAN_EID_RIC_DATA: 401 if (parse->ric == NULL) 402 parse->ric = pos - 2; 403 break; 404 } 405 406 pos += len; 407 } 408 409 if (prot_ie_count == 0) 410 return 0; /* no MIC */ 411 412 /* 413 * Check that the protected IE count matches with IEs included in the 414 * frame. 415 */ 416 if (parse->rsn) 417 prot_ie_count--; 418 if (parse->mdie) 419 prot_ie_count--; 420 if (parse->ftie) 421 prot_ie_count--; 422 if (prot_ie_count < 0) { 423 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in " 424 "the protected IE count"); 425 return -1; 426 } 427 428 if (prot_ie_count == 0 && parse->ric) { 429 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not " 430 "included in protected IE count"); 431 return -1; 432 } 433 434 /* Determine the end of the RIC IE(s) */ 435 if (parse->ric) { 436 pos = parse->ric; 437 while (end - pos >= 2 && 2 + pos[1] <= end - pos && 438 prot_ie_count) { 439 prot_ie_count--; 440 pos += 2 + pos[1]; 441 } 442 parse->ric_len = pos - parse->ric; 443 } 444 if (prot_ie_count) { 445 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from " 446 "frame", (int) prot_ie_count); 447 return -1; 448 } 449 450 return 0; 451} 452#endif /* CONFIG_IEEE80211R */ 453 454 455static int rsn_selector_to_bitfield(const u8 *s) 456{ 457 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE) 458 return WPA_CIPHER_NONE; 459 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP) 460 return WPA_CIPHER_TKIP; 461 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP) 462 return WPA_CIPHER_CCMP; 463#ifdef CONFIG_IEEE80211W 464 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC) 465 return WPA_CIPHER_AES_128_CMAC; 466#endif /* CONFIG_IEEE80211W */ 467 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP) 468 return WPA_CIPHER_GCMP; 469 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256) 470 return WPA_CIPHER_CCMP_256; 471 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256) 472 return WPA_CIPHER_GCMP_256; 473 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128) 474 return WPA_CIPHER_BIP_GMAC_128; 475 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256) 476 return WPA_CIPHER_BIP_GMAC_256; 477 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256) 478 return WPA_CIPHER_BIP_CMAC_256; 479 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED) 480 return WPA_CIPHER_GTK_NOT_USED; 481 return 0; 482} 483 484 485static int rsn_key_mgmt_to_bitfield(const u8 *s) 486{ 487 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X) 488 return WPA_KEY_MGMT_IEEE8021X; 489 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X) 490 return WPA_KEY_MGMT_PSK; 491#ifdef CONFIG_IEEE80211R 492 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X) 493 return WPA_KEY_MGMT_FT_IEEE8021X; 494 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK) 495 return WPA_KEY_MGMT_FT_PSK; 496#endif /* CONFIG_IEEE80211R */ 497#ifdef CONFIG_IEEE80211W 498 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) 499 return WPA_KEY_MGMT_IEEE8021X_SHA256; 500 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) 501 return WPA_KEY_MGMT_PSK_SHA256; 502#endif /* CONFIG_IEEE80211W */ 503#ifdef CONFIG_SAE 504 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) 505 return WPA_KEY_MGMT_SAE; 506 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) 507 return WPA_KEY_MGMT_FT_SAE; 508#endif /* CONFIG_SAE */ 509 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) 510 return WPA_KEY_MGMT_IEEE8021X_SUITE_B; 511 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192) 512 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; 513 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN) 514 return WPA_KEY_MGMT_OSEN; 515 return 0; 516} 517 518 519int wpa_cipher_valid_group(int cipher) 520{ 521 return wpa_cipher_valid_pairwise(cipher) || 522 cipher == WPA_CIPHER_GTK_NOT_USED; 523} 524 525 526#ifdef CONFIG_IEEE80211W 527int wpa_cipher_valid_mgmt_group(int cipher) 528{ 529 return cipher == WPA_CIPHER_AES_128_CMAC || 530 cipher == WPA_CIPHER_BIP_GMAC_128 || 531 cipher == WPA_CIPHER_BIP_GMAC_256 || 532 cipher == WPA_CIPHER_BIP_CMAC_256; 533} 534#endif /* CONFIG_IEEE80211W */ 535 536 537/** 538 * wpa_parse_wpa_ie_rsn - Parse RSN IE 539 * @rsn_ie: Buffer containing RSN IE 540 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets) 541 * @data: Pointer to structure that will be filled in with parsed data 542 * Returns: 0 on success, <0 on failure 543 */ 544int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len, 545 struct wpa_ie_data *data) 546{ 547 const u8 *pos; 548 int left; 549 int i, count; 550 551 os_memset(data, 0, sizeof(*data)); 552 data->proto = WPA_PROTO_RSN; 553 data->pairwise_cipher = WPA_CIPHER_CCMP; 554 data->group_cipher = WPA_CIPHER_CCMP; 555 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 556 data->capabilities = 0; 557 data->pmkid = NULL; 558 data->num_pmkid = 0; 559#ifdef CONFIG_IEEE80211W 560 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC; 561#else /* CONFIG_IEEE80211W */ 562 data->mgmt_group_cipher = 0; 563#endif /* CONFIG_IEEE80211W */ 564 565 if (rsn_ie_len == 0) { 566 /* No RSN IE - fail silently */ 567 return -1; 568 } 569 570 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) { 571 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 572 __func__, (unsigned long) rsn_ie_len); 573 return -1; 574 } 575 576 if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 && 577 rsn_ie[1] == rsn_ie_len - 2 && 578 WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) { 579 pos = rsn_ie + 6; 580 left = rsn_ie_len - 6; 581 582 data->proto = WPA_PROTO_OSEN; 583 } else { 584 const struct rsn_ie_hdr *hdr; 585 586 hdr = (const struct rsn_ie_hdr *) rsn_ie; 587 588 if (hdr->elem_id != WLAN_EID_RSN || 589 hdr->len != rsn_ie_len - 2 || 590 WPA_GET_LE16(hdr->version) != RSN_VERSION) { 591 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 592 __func__); 593 return -2; 594 } 595 596 pos = (const u8 *) (hdr + 1); 597 left = rsn_ie_len - sizeof(*hdr); 598 } 599 600 if (left >= RSN_SELECTOR_LEN) { 601 data->group_cipher = rsn_selector_to_bitfield(pos); 602 if (!wpa_cipher_valid_group(data->group_cipher)) { 603 wpa_printf(MSG_DEBUG, 604 "%s: invalid group cipher 0x%x (%08x)", 605 __func__, data->group_cipher, 606 WPA_GET_BE32(pos)); 607 return -1; 608 } 609 pos += RSN_SELECTOR_LEN; 610 left -= RSN_SELECTOR_LEN; 611 } else if (left > 0) { 612 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 613 __func__, left); 614 return -3; 615 } 616 617 if (left >= 2) { 618 data->pairwise_cipher = 0; 619 count = WPA_GET_LE16(pos); 620 pos += 2; 621 left -= 2; 622 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 623 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 624 "count %u left %u", __func__, count, left); 625 return -4; 626 } 627 for (i = 0; i < count; i++) { 628 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 629 pos += RSN_SELECTOR_LEN; 630 left -= RSN_SELECTOR_LEN; 631 } 632#ifdef CONFIG_IEEE80211W 633 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) { 634 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as " 635 "pairwise cipher", __func__); 636 return -1; 637 } 638#endif /* CONFIG_IEEE80211W */ 639 } else if (left == 1) { 640 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 641 __func__); 642 return -5; 643 } 644 645 if (left >= 2) { 646 data->key_mgmt = 0; 647 count = WPA_GET_LE16(pos); 648 pos += 2; 649 left -= 2; 650 if (count == 0 || count > left / RSN_SELECTOR_LEN) { 651 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 652 "count %u left %u", __func__, count, left); 653 return -6; 654 } 655 for (i = 0; i < count; i++) { 656 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 657 pos += RSN_SELECTOR_LEN; 658 left -= RSN_SELECTOR_LEN; 659 } 660 } else if (left == 1) { 661 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 662 __func__); 663 return -7; 664 } 665 666 if (left >= 2) { 667 data->capabilities = WPA_GET_LE16(pos); 668 pos += 2; 669 left -= 2; 670 } 671 672 if (left >= 2) { 673 u16 num_pmkid = WPA_GET_LE16(pos); 674 pos += 2; 675 left -= 2; 676 if (num_pmkid > (unsigned int) left / PMKID_LEN) { 677 wpa_printf(MSG_DEBUG, "%s: PMKID underflow " 678 "(num_pmkid=%u left=%d)", 679 __func__, num_pmkid, left); 680 data->num_pmkid = 0; 681 return -9; 682 } else { 683 data->num_pmkid = num_pmkid; 684 data->pmkid = pos; 685 pos += data->num_pmkid * PMKID_LEN; 686 left -= data->num_pmkid * PMKID_LEN; 687 } 688 } 689 690#ifdef CONFIG_IEEE80211W 691 if (left >= 4) { 692 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos); 693 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) { 694 wpa_printf(MSG_DEBUG, 695 "%s: Unsupported management group cipher 0x%x (%08x)", 696 __func__, data->mgmt_group_cipher, 697 WPA_GET_BE32(pos)); 698 return -10; 699 } 700 pos += RSN_SELECTOR_LEN; 701 left -= RSN_SELECTOR_LEN; 702 } 703#endif /* CONFIG_IEEE80211W */ 704 705 if (left > 0) { 706 wpa_hexdump(MSG_DEBUG, 707 "wpa_parse_wpa_ie_rsn: ignore trailing bytes", 708 pos, left); 709 } 710 711 return 0; 712} 713 714 715static int wpa_selector_to_bitfield(const u8 *s) 716{ 717 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE) 718 return WPA_CIPHER_NONE; 719 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP) 720 return WPA_CIPHER_TKIP; 721 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP) 722 return WPA_CIPHER_CCMP; 723 return 0; 724} 725 726 727static int wpa_key_mgmt_to_bitfield(const u8 *s) 728{ 729 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X) 730 return WPA_KEY_MGMT_IEEE8021X; 731 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X) 732 return WPA_KEY_MGMT_PSK; 733 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE) 734 return WPA_KEY_MGMT_WPA_NONE; 735 return 0; 736} 737 738 739int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len, 740 struct wpa_ie_data *data) 741{ 742 const struct wpa_ie_hdr *hdr; 743 const u8 *pos; 744 int left; 745 int i, count; 746 747 os_memset(data, 0, sizeof(*data)); 748 data->proto = WPA_PROTO_WPA; 749 data->pairwise_cipher = WPA_CIPHER_TKIP; 750 data->group_cipher = WPA_CIPHER_TKIP; 751 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 752 data->capabilities = 0; 753 data->pmkid = NULL; 754 data->num_pmkid = 0; 755 data->mgmt_group_cipher = 0; 756 757 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) { 758 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu", 759 __func__, (unsigned long) wpa_ie_len); 760 return -1; 761 } 762 763 hdr = (const struct wpa_ie_hdr *) wpa_ie; 764 765 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC || 766 hdr->len != wpa_ie_len - 2 || 767 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE || 768 WPA_GET_LE16(hdr->version) != WPA_VERSION) { 769 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 770 __func__); 771 return -2; 772 } 773 774 pos = (const u8 *) (hdr + 1); 775 left = wpa_ie_len - sizeof(*hdr); 776 777 if (left >= WPA_SELECTOR_LEN) { 778 data->group_cipher = wpa_selector_to_bitfield(pos); 779 pos += WPA_SELECTOR_LEN; 780 left -= WPA_SELECTOR_LEN; 781 } else if (left > 0) { 782 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 783 __func__, left); 784 return -3; 785 } 786 787 if (left >= 2) { 788 data->pairwise_cipher = 0; 789 count = WPA_GET_LE16(pos); 790 pos += 2; 791 left -= 2; 792 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 793 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 794 "count %u left %u", __func__, count, left); 795 return -4; 796 } 797 for (i = 0; i < count; i++) { 798 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 799 pos += WPA_SELECTOR_LEN; 800 left -= WPA_SELECTOR_LEN; 801 } 802 } else if (left == 1) { 803 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 804 __func__); 805 return -5; 806 } 807 808 if (left >= 2) { 809 data->key_mgmt = 0; 810 count = WPA_GET_LE16(pos); 811 pos += 2; 812 left -= 2; 813 if (count == 0 || count > left / WPA_SELECTOR_LEN) { 814 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 815 "count %u left %u", __func__, count, left); 816 return -6; 817 } 818 for (i = 0; i < count; i++) { 819 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 820 pos += WPA_SELECTOR_LEN; 821 left -= WPA_SELECTOR_LEN; 822 } 823 } else if (left == 1) { 824 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 825 __func__); 826 return -7; 827 } 828 829 if (left >= 2) { 830 data->capabilities = WPA_GET_LE16(pos); 831 pos += 2; 832 left -= 2; 833 } 834 835 if (left > 0) { 836 wpa_hexdump(MSG_DEBUG, 837 "wpa_parse_wpa_ie_wpa: ignore trailing bytes", 838 pos, left); 839 } 840 841 return 0; 842} 843 844 845#ifdef CONFIG_IEEE80211R 846 847/** 848 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name 849 * 850 * IEEE Std 802.11r-2008 - 8.5.1.5.3 851 */ 852void wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len, 853 const u8 *ssid, size_t ssid_len, 854 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len, 855 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name) 856{ 857 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 + 858 FT_R0KH_ID_MAX_LEN + ETH_ALEN]; 859 u8 *pos, r0_key_data[48], hash[32]; 860 const u8 *addr[2]; 861 size_t len[2]; 862 863 /* 864 * R0-Key-Data = KDF-384(XXKey, "FT-R0", 865 * SSIDlength || SSID || MDID || R0KHlength || 866 * R0KH-ID || S0KH-ID) 867 * XXKey is either the second 256 bits of MSK or PSK. 868 * PMK-R0 = L(R0-Key-Data, 0, 256) 869 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128) 870 */ 871 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN) 872 return; 873 pos = buf; 874 *pos++ = ssid_len; 875 os_memcpy(pos, ssid, ssid_len); 876 pos += ssid_len; 877 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN); 878 pos += MOBILITY_DOMAIN_ID_LEN; 879 *pos++ = r0kh_id_len; 880 os_memcpy(pos, r0kh_id, r0kh_id_len); 881 pos += r0kh_id_len; 882 os_memcpy(pos, s0kh_id, ETH_ALEN); 883 pos += ETH_ALEN; 884 885 sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf, 886 r0_key_data, sizeof(r0_key_data)); 887 os_memcpy(pmk_r0, r0_key_data, PMK_LEN); 888 889 /* 890 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt) 891 */ 892 addr[0] = (const u8 *) "FT-R0N"; 893 len[0] = 6; 894 addr[1] = r0_key_data + PMK_LEN; 895 len[1] = 16; 896 897 sha256_vector(2, addr, len, hash); 898 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN); 899} 900 901 902/** 903 * wpa_derive_pmk_r1_name - Derive PMKR1Name 904 * 905 * IEEE Std 802.11r-2008 - 8.5.1.5.4 906 */ 907void wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id, 908 const u8 *s1kh_id, u8 *pmk_r1_name) 909{ 910 u8 hash[32]; 911 const u8 *addr[4]; 912 size_t len[4]; 913 914 /* 915 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name || 916 * R1KH-ID || S1KH-ID)) 917 */ 918 addr[0] = (const u8 *) "FT-R1N"; 919 len[0] = 6; 920 addr[1] = pmk_r0_name; 921 len[1] = WPA_PMK_NAME_LEN; 922 addr[2] = r1kh_id; 923 len[2] = FT_R1KH_ID_LEN; 924 addr[3] = s1kh_id; 925 len[3] = ETH_ALEN; 926 927 sha256_vector(4, addr, len, hash); 928 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN); 929} 930 931 932/** 933 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0 934 * 935 * IEEE Std 802.11r-2008 - 8.5.1.5.4 936 */ 937void wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name, 938 const u8 *r1kh_id, const u8 *s1kh_id, 939 u8 *pmk_r1, u8 *pmk_r1_name) 940{ 941 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN]; 942 u8 *pos; 943 944 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */ 945 pos = buf; 946 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN); 947 pos += FT_R1KH_ID_LEN; 948 os_memcpy(pos, s1kh_id, ETH_ALEN); 949 pos += ETH_ALEN; 950 951 sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf, pmk_r1, PMK_LEN); 952 953 wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, pmk_r1_name); 954} 955 956 957/** 958 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1 959 * 960 * IEEE Std 802.11r-2008 - 8.5.1.5.5 961 */ 962int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce, 963 const u8 *sta_addr, const u8 *bssid, 964 const u8 *pmk_r1_name, 965 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher) 966{ 967 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN]; 968 u8 *pos, hash[32]; 969 const u8 *addr[6]; 970 size_t len[6]; 971 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN]; 972 size_t ptk_len; 973 974 /* 975 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || 976 * BSSID || STA-ADDR) 977 */ 978 pos = buf; 979 os_memcpy(pos, snonce, WPA_NONCE_LEN); 980 pos += WPA_NONCE_LEN; 981 os_memcpy(pos, anonce, WPA_NONCE_LEN); 982 pos += WPA_NONCE_LEN; 983 os_memcpy(pos, bssid, ETH_ALEN); 984 pos += ETH_ALEN; 985 os_memcpy(pos, sta_addr, ETH_ALEN); 986 pos += ETH_ALEN; 987 988 ptk->kck_len = wpa_kck_len(akmp); 989 ptk->kek_len = wpa_kek_len(akmp); 990 ptk->tk_len = wpa_cipher_key_len(cipher); 991 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; 992 993 sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf, tmp, ptk_len); 994 995 /* 996 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce || 997 * ANonce || BSSID || STA-ADDR)) 998 */ 999 addr[0] = pmk_r1_name; 1000 len[0] = WPA_PMK_NAME_LEN; 1001 addr[1] = (const u8 *) "FT-PTKN"; 1002 len[1] = 7; 1003 addr[2] = snonce; 1004 len[2] = WPA_NONCE_LEN; 1005 addr[3] = anonce; 1006 len[3] = WPA_NONCE_LEN; 1007 addr[4] = bssid; 1008 len[4] = ETH_ALEN; 1009 addr[5] = sta_addr; 1010 len[5] = ETH_ALEN; 1011 1012 sha256_vector(6, addr, len, hash); 1013 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN); 1014 1015 os_memcpy(ptk->kck, tmp, ptk->kck_len); 1016 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len); 1017 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len); 1018 1019 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len); 1020 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len); 1021 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len); 1022 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN); 1023 1024 os_memset(tmp, 0, sizeof(tmp)); 1025 1026 return 0; 1027} 1028 1029#endif /* CONFIG_IEEE80211R */ 1030 1031 1032/** 1033 * rsn_pmkid - Calculate PMK identifier 1034 * @pmk: Pairwise master key 1035 * @pmk_len: Length of pmk in bytes 1036 * @aa: Authenticator address 1037 * @spa: Supplicant address 1038 * @pmkid: Buffer for PMKID 1039 * @use_sha256: Whether to use SHA256-based KDF 1040 * 1041 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy 1042 * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) 1043 */ 1044void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa, 1045 u8 *pmkid, int use_sha256) 1046{ 1047 char *title = "PMK Name"; 1048 const u8 *addr[3]; 1049 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1050 unsigned char hash[SHA256_MAC_LEN]; 1051 1052 addr[0] = (u8 *) title; 1053 addr[1] = aa; 1054 addr[2] = spa; 1055 1056#ifdef CONFIG_IEEE80211W 1057 if (use_sha256) 1058 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash); 1059 else 1060#endif /* CONFIG_IEEE80211W */ 1061 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash); 1062 os_memcpy(pmkid, hash, PMKID_LEN); 1063} 1064 1065 1066#ifdef CONFIG_SUITEB 1067/** 1068 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM 1069 * @kck: Key confirmation key 1070 * @kck_len: Length of kck in bytes 1071 * @aa: Authenticator address 1072 * @spa: Supplicant address 1073 * @pmkid: Buffer for PMKID 1074 * Returns: 0 on success, -1 on failure 1075 * 1076 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1077 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA)) 1078 */ 1079int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa, 1080 const u8 *spa, u8 *pmkid) 1081{ 1082 char *title = "PMK Name"; 1083 const u8 *addr[3]; 1084 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1085 unsigned char hash[SHA256_MAC_LEN]; 1086 1087 addr[0] = (u8 *) title; 1088 addr[1] = aa; 1089 addr[2] = spa; 1090 1091 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0) 1092 return -1; 1093 os_memcpy(pmkid, hash, PMKID_LEN); 1094 return 0; 1095} 1096#endif /* CONFIG_SUITEB */ 1097 1098 1099#ifdef CONFIG_SUITEB192 1100/** 1101 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM 1102 * @kck: Key confirmation key 1103 * @kck_len: Length of kck in bytes 1104 * @aa: Authenticator address 1105 * @spa: Supplicant address 1106 * @pmkid: Buffer for PMKID 1107 * Returns: 0 on success, -1 on failure 1108 * 1109 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy 1110 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA)) 1111 */ 1112int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa, 1113 const u8 *spa, u8 *pmkid) 1114{ 1115 char *title = "PMK Name"; 1116 const u8 *addr[3]; 1117 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN }; 1118 unsigned char hash[SHA384_MAC_LEN]; 1119 1120 addr[0] = (u8 *) title; 1121 addr[1] = aa; 1122 addr[2] = spa; 1123 1124 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0) 1125 return -1; 1126 os_memcpy(pmkid, hash, PMKID_LEN); 1127 return 0; 1128} 1129#endif /* CONFIG_SUITEB192 */ 1130 1131 1132/** 1133 * wpa_cipher_txt - Convert cipher suite to a text string 1134 * @cipher: Cipher suite (WPA_CIPHER_* enum) 1135 * Returns: Pointer to a text string of the cipher suite name 1136 */ 1137const char * wpa_cipher_txt(int cipher) 1138{ 1139 switch (cipher) { 1140 case WPA_CIPHER_NONE: 1141 return "NONE"; 1142 case WPA_CIPHER_WEP40: 1143 return "WEP-40"; 1144 case WPA_CIPHER_WEP104: 1145 return "WEP-104"; 1146 case WPA_CIPHER_TKIP: 1147 return "TKIP"; 1148 case WPA_CIPHER_CCMP: 1149 return "CCMP"; 1150 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP: 1151 return "CCMP+TKIP"; 1152 case WPA_CIPHER_GCMP: 1153 return "GCMP"; 1154 case WPA_CIPHER_GCMP_256: 1155 return "GCMP-256"; 1156 case WPA_CIPHER_CCMP_256: 1157 return "CCMP-256"; 1158 case WPA_CIPHER_GTK_NOT_USED: 1159 return "GTK_NOT_USED"; 1160 default: 1161 return "UNKNOWN"; 1162 } 1163} 1164 1165 1166/** 1167 * wpa_key_mgmt_txt - Convert key management suite to a text string 1168 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum) 1169 * @proto: WPA/WPA2 version (WPA_PROTO_*) 1170 * Returns: Pointer to a text string of the key management suite name 1171 */ 1172const char * wpa_key_mgmt_txt(int key_mgmt, int proto) 1173{ 1174 switch (key_mgmt) { 1175 case WPA_KEY_MGMT_IEEE8021X: 1176 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1177 return "WPA2+WPA/IEEE 802.1X/EAP"; 1178 return proto == WPA_PROTO_RSN ? 1179 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP"; 1180 case WPA_KEY_MGMT_PSK: 1181 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA)) 1182 return "WPA2-PSK+WPA-PSK"; 1183 return proto == WPA_PROTO_RSN ? 1184 "WPA2-PSK" : "WPA-PSK"; 1185 case WPA_KEY_MGMT_NONE: 1186 return "NONE"; 1187 case WPA_KEY_MGMT_IEEE8021X_NO_WPA: 1188 return "IEEE 802.1X (no WPA)"; 1189#ifdef CONFIG_IEEE80211R 1190 case WPA_KEY_MGMT_FT_IEEE8021X: 1191 return "FT-EAP"; 1192 case WPA_KEY_MGMT_FT_PSK: 1193 return "FT-PSK"; 1194#endif /* CONFIG_IEEE80211R */ 1195#ifdef CONFIG_IEEE80211W 1196 case WPA_KEY_MGMT_IEEE8021X_SHA256: 1197 return "WPA2-EAP-SHA256"; 1198 case WPA_KEY_MGMT_PSK_SHA256: 1199 return "WPA2-PSK-SHA256"; 1200#endif /* CONFIG_IEEE80211W */ 1201 case WPA_KEY_MGMT_WPS: 1202 return "WPS"; 1203 case WPA_KEY_MGMT_SAE: 1204 return "SAE"; 1205 case WPA_KEY_MGMT_FT_SAE: 1206 return "FT-SAE"; 1207 case WPA_KEY_MGMT_OSEN: 1208 return "OSEN"; 1209 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 1210 return "WPA2-EAP-SUITE-B"; 1211 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 1212 return "WPA2-EAP-SUITE-B-192"; 1213 default: 1214 return "UNKNOWN"; 1215 } 1216} 1217 1218 1219u32 wpa_akm_to_suite(int akm) 1220{ 1221 if (akm & WPA_KEY_MGMT_FT_IEEE8021X) 1222 return WLAN_AKM_SUITE_FT_8021X; 1223 if (akm & WPA_KEY_MGMT_FT_PSK) 1224 return WLAN_AKM_SUITE_FT_PSK; 1225 if (akm & WPA_KEY_MGMT_IEEE8021X) 1226 return WLAN_AKM_SUITE_8021X; 1227 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) 1228 return WLAN_AKM_SUITE_8021X_SHA256; 1229 if (akm & WPA_KEY_MGMT_IEEE8021X) 1230 return WLAN_AKM_SUITE_8021X; 1231 if (akm & WPA_KEY_MGMT_PSK_SHA256) 1232 return WLAN_AKM_SUITE_PSK_SHA256; 1233 if (akm & WPA_KEY_MGMT_PSK) 1234 return WLAN_AKM_SUITE_PSK; 1235 if (akm & WPA_KEY_MGMT_CCKM) 1236 return WLAN_AKM_SUITE_CCKM; 1237 if (akm & WPA_KEY_MGMT_OSEN) 1238 return WLAN_AKM_SUITE_OSEN; 1239 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B) 1240 return WLAN_AKM_SUITE_8021X_SUITE_B; 1241 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 1242 return WLAN_AKM_SUITE_8021X_SUITE_B_192; 1243 return 0; 1244} 1245 1246 1247int wpa_compare_rsn_ie(int ft_initial_assoc, 1248 const u8 *ie1, size_t ie1len, 1249 const u8 *ie2, size_t ie2len) 1250{ 1251 if (ie1 == NULL || ie2 == NULL) 1252 return -1; 1253 1254 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0) 1255 return 0; /* identical IEs */ 1256 1257#ifdef CONFIG_IEEE80211R 1258 if (ft_initial_assoc) { 1259 struct wpa_ie_data ie1d, ie2d; 1260 /* 1261 * The PMKID-List in RSN IE is different between Beacon/Probe 1262 * Response/(Re)Association Request frames and EAPOL-Key 1263 * messages in FT initial mobility domain association. Allow 1264 * for this, but verify that other parts of the RSN IEs are 1265 * identical. 1266 */ 1267 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 || 1268 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0) 1269 return -1; 1270 if (ie1d.proto == ie2d.proto && 1271 ie1d.pairwise_cipher == ie2d.pairwise_cipher && 1272 ie1d.group_cipher == ie2d.group_cipher && 1273 ie1d.key_mgmt == ie2d.key_mgmt && 1274 ie1d.capabilities == ie2d.capabilities && 1275 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher) 1276 return 0; 1277 } 1278#endif /* CONFIG_IEEE80211R */ 1279 1280 return -1; 1281} 1282 1283 1284#ifdef CONFIG_IEEE80211R 1285int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid) 1286{ 1287 u8 *start, *end, *rpos, *rend; 1288 int added = 0; 1289 1290 start = ies; 1291 end = ies + *ies_len; 1292 1293 while (start < end) { 1294 if (*start == WLAN_EID_RSN) 1295 break; 1296 start += 2 + start[1]; 1297 } 1298 if (start >= end) { 1299 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in " 1300 "IEs data"); 1301 return -1; 1302 } 1303 wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification", 1304 start, 2 + start[1]); 1305 1306 /* Find start of PMKID-Count */ 1307 rpos = start + 2; 1308 rend = rpos + start[1]; 1309 1310 /* Skip Version and Group Data Cipher Suite */ 1311 rpos += 2 + 4; 1312 /* Skip Pairwise Cipher Suite Count and List */ 1313 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1314 /* Skip AKM Suite Count and List */ 1315 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN; 1316 1317 if (rpos == rend) { 1318 /* Add RSN Capabilities */ 1319 os_memmove(rpos + 2, rpos, end - rpos); 1320 *rpos++ = 0; 1321 *rpos++ = 0; 1322 added += 2; 1323 start[1] += 2; 1324 rend = rpos; 1325 } else { 1326 /* Skip RSN Capabilities */ 1327 rpos += 2; 1328 if (rpos > rend) { 1329 wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in " 1330 "IEs data"); 1331 return -1; 1332 } 1333 } 1334 1335 if (rpos == rend) { 1336 /* No PMKID-Count field included; add it */ 1337 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos); 1338 WPA_PUT_LE16(rpos, 1); 1339 rpos += 2; 1340 os_memcpy(rpos, pmkid, PMKID_LEN); 1341 added += 2 + PMKID_LEN; 1342 start[1] += 2 + PMKID_LEN; 1343 } else { 1344 u16 num_pmkid; 1345 1346 if (rend - rpos < 2) 1347 return -1; 1348 num_pmkid = WPA_GET_LE16(rpos); 1349 /* PMKID-Count was included; use it */ 1350 if (num_pmkid != 0) { 1351 u8 *after; 1352 1353 if (num_pmkid * PMKID_LEN > rend - rpos - 2) 1354 return -1; 1355 /* 1356 * PMKID may have been included in RSN IE in 1357 * (Re)Association Request frame, so remove the old 1358 * PMKID(s) first before adding the new one. 1359 */ 1360 wpa_printf(MSG_DEBUG, 1361 "FT: Remove %u old PMKID(s) from RSN IE", 1362 num_pmkid); 1363 after = rpos + 2 + num_pmkid * PMKID_LEN; 1364 os_memmove(rpos + 2, after, rend - after); 1365 start[1] -= num_pmkid * PMKID_LEN; 1366 added -= num_pmkid * PMKID_LEN; 1367 } 1368 WPA_PUT_LE16(rpos, 1); 1369 rpos += 2; 1370 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos); 1371 os_memcpy(rpos, pmkid, PMKID_LEN); 1372 added += PMKID_LEN; 1373 start[1] += PMKID_LEN; 1374 } 1375 1376 wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification " 1377 "(PMKID inserted)", start, 2 + start[1]); 1378 1379 *ies_len += added; 1380 1381 return 0; 1382} 1383#endif /* CONFIG_IEEE80211R */ 1384 1385 1386int wpa_cipher_key_len(int cipher) 1387{ 1388 switch (cipher) { 1389 case WPA_CIPHER_CCMP_256: 1390 case WPA_CIPHER_GCMP_256: 1391 case WPA_CIPHER_BIP_GMAC_256: 1392 case WPA_CIPHER_BIP_CMAC_256: 1393 return 32; 1394 case WPA_CIPHER_CCMP: 1395 case WPA_CIPHER_GCMP: 1396 case WPA_CIPHER_AES_128_CMAC: 1397 case WPA_CIPHER_BIP_GMAC_128: 1398 return 16; 1399 case WPA_CIPHER_TKIP: 1400 return 32; 1401 } 1402 1403 return 0; 1404} 1405 1406 1407int wpa_cipher_rsc_len(int cipher) 1408{ 1409 switch (cipher) { 1410 case WPA_CIPHER_CCMP_256: 1411 case WPA_CIPHER_GCMP_256: 1412 case WPA_CIPHER_CCMP: 1413 case WPA_CIPHER_GCMP: 1414 case WPA_CIPHER_TKIP: 1415 return 6; 1416 } 1417 1418 return 0; 1419} 1420 1421 1422int wpa_cipher_to_alg(int cipher) 1423{ 1424 switch (cipher) { 1425 case WPA_CIPHER_CCMP_256: 1426 return WPA_ALG_CCMP_256; 1427 case WPA_CIPHER_GCMP_256: 1428 return WPA_ALG_GCMP_256; 1429 case WPA_CIPHER_CCMP: 1430 return WPA_ALG_CCMP; 1431 case WPA_CIPHER_GCMP: 1432 return WPA_ALG_GCMP; 1433 case WPA_CIPHER_TKIP: 1434 return WPA_ALG_TKIP; 1435 case WPA_CIPHER_AES_128_CMAC: 1436 return WPA_ALG_IGTK; 1437 case WPA_CIPHER_BIP_GMAC_128: 1438 return WPA_ALG_BIP_GMAC_128; 1439 case WPA_CIPHER_BIP_GMAC_256: 1440 return WPA_ALG_BIP_GMAC_256; 1441 case WPA_CIPHER_BIP_CMAC_256: 1442 return WPA_ALG_BIP_CMAC_256; 1443 } 1444 return WPA_ALG_NONE; 1445} 1446 1447 1448int wpa_cipher_valid_pairwise(int cipher) 1449{ 1450 return cipher == WPA_CIPHER_CCMP_256 || 1451 cipher == WPA_CIPHER_GCMP_256 || 1452 cipher == WPA_CIPHER_CCMP || 1453 cipher == WPA_CIPHER_GCMP || 1454 cipher == WPA_CIPHER_TKIP; 1455} 1456 1457 1458u32 wpa_cipher_to_suite(int proto, int cipher) 1459{ 1460 if (cipher & WPA_CIPHER_CCMP_256) 1461 return RSN_CIPHER_SUITE_CCMP_256; 1462 if (cipher & WPA_CIPHER_GCMP_256) 1463 return RSN_CIPHER_SUITE_GCMP_256; 1464 if (cipher & WPA_CIPHER_CCMP) 1465 return (proto == WPA_PROTO_RSN ? 1466 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP); 1467 if (cipher & WPA_CIPHER_GCMP) 1468 return RSN_CIPHER_SUITE_GCMP; 1469 if (cipher & WPA_CIPHER_TKIP) 1470 return (proto == WPA_PROTO_RSN ? 1471 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP); 1472 if (cipher & WPA_CIPHER_NONE) 1473 return (proto == WPA_PROTO_RSN ? 1474 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE); 1475 if (cipher & WPA_CIPHER_GTK_NOT_USED) 1476 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED; 1477 if (cipher & WPA_CIPHER_AES_128_CMAC) 1478 return RSN_CIPHER_SUITE_AES_128_CMAC; 1479 if (cipher & WPA_CIPHER_BIP_GMAC_128) 1480 return RSN_CIPHER_SUITE_BIP_GMAC_128; 1481 if (cipher & WPA_CIPHER_BIP_GMAC_256) 1482 return RSN_CIPHER_SUITE_BIP_GMAC_256; 1483 if (cipher & WPA_CIPHER_BIP_CMAC_256) 1484 return RSN_CIPHER_SUITE_BIP_CMAC_256; 1485 return 0; 1486} 1487 1488 1489int rsn_cipher_put_suites(u8 *start, int ciphers) 1490{ 1491 u8 *pos = start; 1492 1493 if (ciphers & WPA_CIPHER_CCMP_256) { 1494 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256); 1495 pos += RSN_SELECTOR_LEN; 1496 } 1497 if (ciphers & WPA_CIPHER_GCMP_256) { 1498 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256); 1499 pos += RSN_SELECTOR_LEN; 1500 } 1501 if (ciphers & WPA_CIPHER_CCMP) { 1502 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1503 pos += RSN_SELECTOR_LEN; 1504 } 1505 if (ciphers & WPA_CIPHER_GCMP) { 1506 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP); 1507 pos += RSN_SELECTOR_LEN; 1508 } 1509 if (ciphers & WPA_CIPHER_TKIP) { 1510 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 1511 pos += RSN_SELECTOR_LEN; 1512 } 1513 if (ciphers & WPA_CIPHER_NONE) { 1514 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE); 1515 pos += RSN_SELECTOR_LEN; 1516 } 1517 1518 return (pos - start) / RSN_SELECTOR_LEN; 1519} 1520 1521 1522int wpa_cipher_put_suites(u8 *start, int ciphers) 1523{ 1524 u8 *pos = start; 1525 1526 if (ciphers & WPA_CIPHER_CCMP) { 1527 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 1528 pos += WPA_SELECTOR_LEN; 1529 } 1530 if (ciphers & WPA_CIPHER_TKIP) { 1531 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 1532 pos += WPA_SELECTOR_LEN; 1533 } 1534 if (ciphers & WPA_CIPHER_NONE) { 1535 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE); 1536 pos += WPA_SELECTOR_LEN; 1537 } 1538 1539 return (pos - start) / RSN_SELECTOR_LEN; 1540} 1541 1542 1543int wpa_pick_pairwise_cipher(int ciphers, int none_allowed) 1544{ 1545 if (ciphers & WPA_CIPHER_CCMP_256) 1546 return WPA_CIPHER_CCMP_256; 1547 if (ciphers & WPA_CIPHER_GCMP_256) 1548 return WPA_CIPHER_GCMP_256; 1549 if (ciphers & WPA_CIPHER_CCMP) 1550 return WPA_CIPHER_CCMP; 1551 if (ciphers & WPA_CIPHER_GCMP) 1552 return WPA_CIPHER_GCMP; 1553 if (ciphers & WPA_CIPHER_TKIP) 1554 return WPA_CIPHER_TKIP; 1555 if (none_allowed && (ciphers & WPA_CIPHER_NONE)) 1556 return WPA_CIPHER_NONE; 1557 return -1; 1558} 1559 1560 1561int wpa_pick_group_cipher(int ciphers) 1562{ 1563 if (ciphers & WPA_CIPHER_CCMP_256) 1564 return WPA_CIPHER_CCMP_256; 1565 if (ciphers & WPA_CIPHER_GCMP_256) 1566 return WPA_CIPHER_GCMP_256; 1567 if (ciphers & WPA_CIPHER_CCMP) 1568 return WPA_CIPHER_CCMP; 1569 if (ciphers & WPA_CIPHER_GCMP) 1570 return WPA_CIPHER_GCMP; 1571 if (ciphers & WPA_CIPHER_GTK_NOT_USED) 1572 return WPA_CIPHER_GTK_NOT_USED; 1573 if (ciphers & WPA_CIPHER_TKIP) 1574 return WPA_CIPHER_TKIP; 1575 return -1; 1576} 1577 1578 1579int wpa_parse_cipher(const char *value) 1580{ 1581 int val = 0, last; 1582 char *start, *end, *buf; 1583 1584 buf = os_strdup(value); 1585 if (buf == NULL) 1586 return -1; 1587 start = buf; 1588 1589 while (*start != '\0') { 1590 while (*start == ' ' || *start == '\t') 1591 start++; 1592 if (*start == '\0') 1593 break; 1594 end = start; 1595 while (*end != ' ' && *end != '\t' && *end != '\0') 1596 end++; 1597 last = *end == '\0'; 1598 *end = '\0'; 1599 if (os_strcmp(start, "CCMP-256") == 0) 1600 val |= WPA_CIPHER_CCMP_256; 1601 else if (os_strcmp(start, "GCMP-256") == 0) 1602 val |= WPA_CIPHER_GCMP_256; 1603 else if (os_strcmp(start, "CCMP") == 0) 1604 val |= WPA_CIPHER_CCMP; 1605 else if (os_strcmp(start, "GCMP") == 0) 1606 val |= WPA_CIPHER_GCMP; 1607 else if (os_strcmp(start, "TKIP") == 0) 1608 val |= WPA_CIPHER_TKIP; 1609 else if (os_strcmp(start, "WEP104") == 0) 1610 val |= WPA_CIPHER_WEP104; 1611 else if (os_strcmp(start, "WEP40") == 0) 1612 val |= WPA_CIPHER_WEP40; 1613 else if (os_strcmp(start, "NONE") == 0) 1614 val |= WPA_CIPHER_NONE; 1615 else if (os_strcmp(start, "GTK_NOT_USED") == 0) 1616 val |= WPA_CIPHER_GTK_NOT_USED; 1617 else { 1618 os_free(buf); 1619 return -1; 1620 } 1621 1622 if (last) 1623 break; 1624 start = end + 1; 1625 } 1626 os_free(buf); 1627 1628 return val; 1629} 1630 1631 1632int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim) 1633{ 1634 char *pos = start; 1635 int ret; 1636 1637 if (ciphers & WPA_CIPHER_CCMP_256) { 1638 ret = os_snprintf(pos, end - pos, "%sCCMP-256", 1639 pos == start ? "" : delim); 1640 if (os_snprintf_error(end - pos, ret)) 1641 return -1; 1642 pos += ret; 1643 } 1644 if (ciphers & WPA_CIPHER_GCMP_256) { 1645 ret = os_snprintf(pos, end - pos, "%sGCMP-256", 1646 pos == start ? "" : delim); 1647 if (os_snprintf_error(end - pos, ret)) 1648 return -1; 1649 pos += ret; 1650 } 1651 if (ciphers & WPA_CIPHER_CCMP) { 1652 ret = os_snprintf(pos, end - pos, "%sCCMP", 1653 pos == start ? "" : delim); 1654 if (os_snprintf_error(end - pos, ret)) 1655 return -1; 1656 pos += ret; 1657 } 1658 if (ciphers & WPA_CIPHER_GCMP) { 1659 ret = os_snprintf(pos, end - pos, "%sGCMP", 1660 pos == start ? "" : delim); 1661 if (os_snprintf_error(end - pos, ret)) 1662 return -1; 1663 pos += ret; 1664 } 1665 if (ciphers & WPA_CIPHER_TKIP) { 1666 ret = os_snprintf(pos, end - pos, "%sTKIP", 1667 pos == start ? "" : delim); 1668 if (os_snprintf_error(end - pos, ret)) 1669 return -1; 1670 pos += ret; 1671 } 1672 if (ciphers & WPA_CIPHER_NONE) { 1673 ret = os_snprintf(pos, end - pos, "%sNONE", 1674 pos == start ? "" : delim); 1675 if (os_snprintf_error(end - pos, ret)) 1676 return -1; 1677 pos += ret; 1678 } 1679 1680 return pos - start; 1681} 1682 1683 1684int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise) 1685{ 1686 int pairwise = 0; 1687 1688 /* Select group cipher based on the enabled pairwise cipher suites */ 1689 if (wpa & 1) 1690 pairwise |= wpa_pairwise; 1691 if (wpa & 2) 1692 pairwise |= rsn_pairwise; 1693 1694 if (pairwise & WPA_CIPHER_TKIP) 1695 return WPA_CIPHER_TKIP; 1696 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP) 1697 return WPA_CIPHER_GCMP; 1698 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP | 1699 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256) 1700 return WPA_CIPHER_GCMP_256; 1701 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP | 1702 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256) 1703 return WPA_CIPHER_CCMP_256; 1704 return WPA_CIPHER_CCMP; 1705} 1706