Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 950d1568eb203b1f9e09ecfa7a0ba575ee2f0172 / . / src / common / wpa_common.c
blob: 24a61e4801f9ab76f744c73ead48783b8ba4c3db [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * WPA/RSN - Shared functions for supplicant and authenticator
3 * Copyright (c) 2002-2008, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "crypto/md5.h"
19#include "crypto/sha1.h"
20#include "crypto/sha256.h"
21#include "crypto/aes_wrap.h"
22#include "crypto/crypto.h"
23#include "ieee802_11_defs.h"
24#include "defs.h"
25#include "wpa_common.h"
26
27
28/**
29 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
30 * @key: EAPOL-Key Key Confirmation Key (KCK)
31 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
32 * @buf: Pointer to the beginning of the EAPOL header (version field)
33 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
34 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
35 * Returns: 0 on success, -1 on failure
36 *
37 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
38 * to be cleared (all zeroes) when calling this function.
39 *
40 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
41 * description of the Key MIC calculation. It includes packet data from the
42 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
43 * happened during final editing of the standard and the correct behavior is
44 * defined in the last draft (IEEE 802.11i/D10).
45 */
46int wpa_eapol_key_mic(const u8 *key, int ver, const u8 *buf, size_t len,
47 u8 *mic)
48{
49 u8 hash[SHA1_MAC_LEN];
50
51 switch (ver) {
52 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
53 return hmac_md5(key, 16, buf, len, mic);
54 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
55 if (hmac_sha1(key, 16, buf, len, hash))
56 return -1;
57 os_memcpy(mic, hash, MD5_MAC_LEN);
58 break;
59#if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
60 case WPA_KEY_INFO_TYPE_AES_128_CMAC:
61 return omac1_aes_128(key, buf, len, mic);
62#endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
63 default:
64 return -1;
65 }
66
67 return 0;
68}
69
70
71/**
72 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
73 * @pmk: Pairwise master key
74 * @pmk_len: Length of PMK
75 * @label: Label to use in derivation
76 * @addr1: AA or SA
77 * @addr2: SA or AA
78 * @nonce1: ANonce or SNonce
79 * @nonce2: SNonce or ANonce
80 * @ptk: Buffer for pairwise transient key
81 * @ptk_len: Length of PTK
82 * @use_sha256: Whether to use SHA256-based KDF
83 *
84 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
85 * PTK = PRF-X(PMK, "Pairwise key expansion",
86 * Min(AA, SA) || Max(AA, SA) ||
87 * Min(ANonce, SNonce) || Max(ANonce, SNonce))
88 *
89 * STK = PRF-X(SMK, "Peer key expansion",
90 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) ||
91 * Min(INonce, PNonce) || Max(INonce, PNonce))
92 */
93void wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
94 const u8 *addr1, const u8 *addr2,
95 const u8 *nonce1, const u8 *nonce2,
96 u8 *ptk, size_t ptk_len, int use_sha256)
97{
98 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN];
99
100 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
101 os_memcpy(data, addr1, ETH_ALEN);
102 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
103 } else {
104 os_memcpy(data, addr2, ETH_ALEN);
105 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
106 }
107
108 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
109 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
110 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
111 WPA_NONCE_LEN);
112 } else {
113 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
114 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
115 WPA_NONCE_LEN);
116 }
117
118#ifdef CONFIG_IEEE80211W
119 if (use_sha256)
120 sha256_prf(pmk, pmk_len, label, data, sizeof(data),
121 ptk, ptk_len);
122 else
123#endif /* CONFIG_IEEE80211W */
124 sha1_prf(pmk, pmk_len, label, data, sizeof(data), ptk,
125 ptk_len);
126
127 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
128 MAC2STR(addr1), MAC2STR(addr2));
129 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
130 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
131 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
132 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", ptk, ptk_len);
133}
134
135
136#ifdef CONFIG_IEEE80211R
137int wpa_ft_mic(const u8 *kck, const u8 *sta_addr, const u8 *ap_addr,
138 u8 transaction_seqnum, const u8 *mdie, size_t mdie_len,
139 const u8 *ftie, size_t ftie_len,
140 const u8 *rsnie, size_t rsnie_len,
141 const u8 *ric, size_t ric_len, u8 *mic)
142{
143 u8 *buf, *pos;
144 size_t buf_len;
145
146 buf_len = 2 * ETH_ALEN + 1 + mdie_len + ftie_len + rsnie_len + ric_len;
147 buf = os_malloc(buf_len);
148 if (buf == NULL)
149 return -1;
150
151 pos = buf;
152 os_memcpy(pos, sta_addr, ETH_ALEN);
153 pos += ETH_ALEN;
154 os_memcpy(pos, ap_addr, ETH_ALEN);
155 pos += ETH_ALEN;
156 *pos++ = transaction_seqnum;
157 if (rsnie) {
158 os_memcpy(pos, rsnie, rsnie_len);
159 pos += rsnie_len;
160 }
161 if (mdie) {
162 os_memcpy(pos, mdie, mdie_len);
163 pos += mdie_len;
164 }
165 if (ftie) {
166 struct rsn_ftie *_ftie;
167 os_memcpy(pos, ftie, ftie_len);
168 if (ftie_len < 2 + sizeof(*_ftie)) {
169 os_free(buf);
170 return -1;
171 }
172 _ftie = (struct rsn_ftie *) (pos + 2);
173 os_memset(_ftie->mic, 0, sizeof(_ftie->mic));
174 pos += ftie_len;
175 }
176 if (ric) {
177 os_memcpy(pos, ric, ric_len);
178 pos += ric_len;
179 }
180
181 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", buf, pos - buf);
182 if (omac1_aes_128(kck, buf, pos - buf, mic)) {
183 os_free(buf);
184 return -1;
185 }
186
187 os_free(buf);
188
189 return 0;
190}
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]191
192
193static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
194 struct wpa_ft_ies *parse)
195{
196 const u8 *end, *pos;
197
198 parse->ftie = ie;
199 parse->ftie_len = ie_len;
200
201 pos = ie + sizeof(struct rsn_ftie);
202 end = ie + ie_len;
203
204 while (pos + 2 <= end && pos + 2 + pos[1] <= end) {
205 switch (pos[0]) {
206 case FTIE_SUBELEM_R1KH_ID:
207 if (pos[1] != FT_R1KH_ID_LEN) {
208 wpa_printf(MSG_DEBUG, "FT: Invalid R1KH-ID "
209 "length in FTIE: %d", pos[1]);
210 return -1;
211 }
212 parse->r1kh_id = pos + 2;
213 break;
214 case FTIE_SUBELEM_GTK:
215 parse->gtk = pos + 2;
216 parse->gtk_len = pos[1];
217 break;
218 case FTIE_SUBELEM_R0KH_ID:
219 if (pos[1] < 1 || pos[1] > FT_R0KH_ID_MAX_LEN) {
220 wpa_printf(MSG_DEBUG, "FT: Invalid R0KH-ID "
221 "length in FTIE: %d", pos[1]);
222 return -1;
223 }
224 parse->r0kh_id = pos + 2;
225 parse->r0kh_id_len = pos[1];
226 break;
227#ifdef CONFIG_IEEE80211W
228 case FTIE_SUBELEM_IGTK:
229 parse->igtk = pos + 2;
230 parse->igtk_len = pos[1];
231 break;
232#endif /* CONFIG_IEEE80211W */
233 }
234
235 pos += 2 + pos[1];
236 }
237
238 return 0;
239}
240
241
242int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
243 struct wpa_ft_ies *parse)
244{
245 const u8 *end, *pos;
246 struct wpa_ie_data data;
247 int ret;
248 const struct rsn_ftie *ftie;
249 int prot_ie_count = 0;
250
251 os_memset(parse, 0, sizeof(*parse));
252 if (ies == NULL)
253 return 0;
254
255 pos = ies;
256 end = ies + ies_len;
257 while (pos + 2 <= end && pos + 2 + pos[1] <= end) {
258 switch (pos[0]) {
259 case WLAN_EID_RSN:
260 parse->rsn = pos + 2;
261 parse->rsn_len = pos[1];
262 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
263 parse->rsn_len + 2,
264 &data);
265 if (ret < 0) {
266 wpa_printf(MSG_DEBUG, "FT: Failed to parse "
267 "RSN IE: %d", ret);
268 return -1;
269 }
270 if (data.num_pmkid == 1 && data.pmkid)
271 parse->rsn_pmkid = data.pmkid;
272 break;
273 case WLAN_EID_MOBILITY_DOMAIN:
274 parse->mdie = pos + 2;
275 parse->mdie_len = pos[1];
276 break;
277 case WLAN_EID_FAST_BSS_TRANSITION:
278 if (pos[1] < sizeof(*ftie))
279 return -1;
280 ftie = (const struct rsn_ftie *) (pos + 2);
281 prot_ie_count = ftie->mic_control[1];
282 if (wpa_ft_parse_ftie(pos + 2, pos[1], parse) < 0)
283 return -1;
284 break;
285 case WLAN_EID_TIMEOUT_INTERVAL:
286 parse->tie = pos + 2;
287 parse->tie_len = pos[1];
288 break;
289 case WLAN_EID_RIC_DATA:
290 if (parse->ric == NULL)
291 parse->ric = pos;
292 break;
293 }
294
295 pos += 2 + pos[1];
296 }
297
298 if (prot_ie_count == 0)
299 return 0; /* no MIC */
300
301 /*
302 * Check that the protected IE count matches with IEs included in the
303 * frame.
304 */
305 if (parse->rsn)
306 prot_ie_count--;
307 if (parse->mdie)
308 prot_ie_count--;
309 if (parse->ftie)
310 prot_ie_count--;
311 if (prot_ie_count < 0) {
312 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
313 "the protected IE count");
314 return -1;
315 }
316
317 if (prot_ie_count == 0 && parse->ric) {
318 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
319 "included in protected IE count");
320 return -1;
321 }
322
323 /* Determine the end of the RIC IE(s) */
324 pos = parse->ric;
325 while (pos && pos + 2 <= end && pos + 2 + pos[1] <= end &&
326 prot_ie_count) {
327 prot_ie_count--;
328 pos += 2 + pos[1];
329 }
330 parse->ric_len = pos - parse->ric;
331 if (prot_ie_count) {
332 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
333 "frame", (int) prot_ie_count);
334 return -1;
335 }
336
337 return 0;
338}
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]339#endif /* CONFIG_IEEE80211R */
340
341
342#ifndef CONFIG_NO_WPA2
343static int rsn_selector_to_bitfield(const u8 *s)
344{
345 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
346 return WPA_CIPHER_NONE;
347 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP40)
348 return WPA_CIPHER_WEP40;
349 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
350 return WPA_CIPHER_TKIP;
351 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
352 return WPA_CIPHER_CCMP;
353 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP104)
354 return WPA_CIPHER_WEP104;
355#ifdef CONFIG_IEEE80211W
356 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
357 return WPA_CIPHER_AES_128_CMAC;
358#endif /* CONFIG_IEEE80211W */
359 return 0;
360}
361
362
363static int rsn_key_mgmt_to_bitfield(const u8 *s)
364{
365 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
366 return WPA_KEY_MGMT_IEEE8021X;
367 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
368 return WPA_KEY_MGMT_PSK;
369#ifdef CONFIG_IEEE80211R
370 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
371 return WPA_KEY_MGMT_FT_IEEE8021X;
372 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
373 return WPA_KEY_MGMT_FT_PSK;
374#endif /* CONFIG_IEEE80211R */
375#ifdef CONFIG_IEEE80211W
376 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
377 return WPA_KEY_MGMT_IEEE8021X_SHA256;
378 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
379 return WPA_KEY_MGMT_PSK_SHA256;
380#endif /* CONFIG_IEEE80211W */
381 return 0;
382}
383#endif /* CONFIG_NO_WPA2 */
384
385
386/**
387 * wpa_parse_wpa_ie_rsn - Parse RSN IE
388 * @rsn_ie: Buffer containing RSN IE
389 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
390 * @data: Pointer to structure that will be filled in with parsed data
391 * Returns: 0 on success, <0 on failure
392 */
393int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
394 struct wpa_ie_data *data)
395{
396#ifndef CONFIG_NO_WPA2
397 const struct rsn_ie_hdr *hdr;
398 const u8 *pos;
399 int left;
400 int i, count;
401
402 os_memset(data, 0, sizeof(*data));
403 data->proto = WPA_PROTO_RSN;
404 data->pairwise_cipher = WPA_CIPHER_CCMP;
405 data->group_cipher = WPA_CIPHER_CCMP;
406 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
407 data->capabilities = 0;
408 data->pmkid = NULL;
409 data->num_pmkid = 0;
410#ifdef CONFIG_IEEE80211W
411 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
412#else /* CONFIG_IEEE80211W */
413 data->mgmt_group_cipher = 0;
414#endif /* CONFIG_IEEE80211W */
415
416 if (rsn_ie_len == 0) {
417 /* No RSN IE - fail silently */
418 return -1;
419 }
420
421 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
422 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
423 __func__, (unsigned long) rsn_ie_len);
424 return -1;
425 }
426
427 hdr = (const struct rsn_ie_hdr *) rsn_ie;
428
429 if (hdr->elem_id != WLAN_EID_RSN ||
430 hdr->len != rsn_ie_len - 2 ||
431 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
432 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
433 __func__);
434 return -2;
435 }
436
437 pos = (const u8 *) (hdr + 1);
438 left = rsn_ie_len - sizeof(*hdr);
439
440 if (left >= RSN_SELECTOR_LEN) {
441 data->group_cipher = rsn_selector_to_bitfield(pos);
442#ifdef CONFIG_IEEE80211W
443 if (data->group_cipher == WPA_CIPHER_AES_128_CMAC) {
444 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as group "
445 "cipher", __func__);
446 return -1;
447 }
448#endif /* CONFIG_IEEE80211W */
449 pos += RSN_SELECTOR_LEN;
450 left -= RSN_SELECTOR_LEN;
451 } else if (left > 0) {
452 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
453 __func__, left);
454 return -3;
455 }
456
457 if (left >= 2) {
458 data->pairwise_cipher = 0;
459 count = WPA_GET_LE16(pos);
460 pos += 2;
461 left -= 2;
462 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
463 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
464 "count %u left %u", __func__, count, left);
465 return -4;
466 }
467 for (i = 0; i < count; i++) {
468 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
469 pos += RSN_SELECTOR_LEN;
470 left -= RSN_SELECTOR_LEN;
471 }
472#ifdef CONFIG_IEEE80211W
473 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
474 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
475 "pairwise cipher", __func__);
476 return -1;
477 }
478#endif /* CONFIG_IEEE80211W */
479 } else if (left == 1) {
480 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
481 __func__);
482 return -5;
483 }
484
485 if (left >= 2) {
486 data->key_mgmt = 0;
487 count = WPA_GET_LE16(pos);
488 pos += 2;
489 left -= 2;
490 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
491 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
492 "count %u left %u", __func__, count, left);
493 return -6;
494 }
495 for (i = 0; i < count; i++) {
496 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
497 pos += RSN_SELECTOR_LEN;
498 left -= RSN_SELECTOR_LEN;
499 }
500 } else if (left == 1) {
501 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
502 __func__);
503 return -7;
504 }
505
506 if (left >= 2) {
507 data->capabilities = WPA_GET_LE16(pos);
508 pos += 2;
509 left -= 2;
510 }
511
512 if (left >= 2) {
513 data->num_pmkid = WPA_GET_LE16(pos);
514 pos += 2;
515 left -= 2;
516 if (left < (int) data->num_pmkid * PMKID_LEN) {
517 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
518 "(num_pmkid=%lu left=%d)",
519 __func__, (unsigned long) data->num_pmkid,
520 left);
521 data->num_pmkid = 0;
522 return -9;
523 } else {
524 data->pmkid = pos;
525 pos += data->num_pmkid * PMKID_LEN;
526 left -= data->num_pmkid * PMKID_LEN;
527 }
528 }
529
530#ifdef CONFIG_IEEE80211W
531 if (left >= 4) {
532 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
533 if (data->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC) {
534 wpa_printf(MSG_DEBUG, "%s: Unsupported management "
535 "group cipher 0x%x", __func__,
536 data->mgmt_group_cipher);
537 return -10;
538 }
539 pos += RSN_SELECTOR_LEN;
540 left -= RSN_SELECTOR_LEN;
541 }
542#endif /* CONFIG_IEEE80211W */
543
544 if (left > 0) {
545 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
546 __func__, left);
547 }
548
549 return 0;
550#else /* CONFIG_NO_WPA2 */
551 return -1;
552#endif /* CONFIG_NO_WPA2 */
553}
554
555
556static int wpa_selector_to_bitfield(const u8 *s)
557{
558 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
559 return WPA_CIPHER_NONE;
560 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP40)
561 return WPA_CIPHER_WEP40;
562 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
563 return WPA_CIPHER_TKIP;
564 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
565 return WPA_CIPHER_CCMP;
566 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_WEP104)
567 return WPA_CIPHER_WEP104;
568 return 0;
569}
570
571
572static int wpa_key_mgmt_to_bitfield(const u8 *s)
573{
574 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
575 return WPA_KEY_MGMT_IEEE8021X;
576 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
577 return WPA_KEY_MGMT_PSK;
578 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
579 return WPA_KEY_MGMT_WPA_NONE;
580 return 0;
581}
582
583
584int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
585 struct wpa_ie_data *data)
586{
587 const struct wpa_ie_hdr *hdr;
588 const u8 *pos;
589 int left;
590 int i, count;
591
592 os_memset(data, 0, sizeof(*data));
593 data->proto = WPA_PROTO_WPA;
594 data->pairwise_cipher = WPA_CIPHER_TKIP;
595 data->group_cipher = WPA_CIPHER_TKIP;
596 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
597 data->capabilities = 0;
598 data->pmkid = NULL;
599 data->num_pmkid = 0;
600 data->mgmt_group_cipher = 0;
601
602 if (wpa_ie_len == 0) {
603 /* No WPA IE - fail silently */
604 return -1;
605 }
606
607 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
608 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
609 __func__, (unsigned long) wpa_ie_len);
610 return -1;
611 }
612
613 hdr = (const struct wpa_ie_hdr *) wpa_ie;
614
615 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
616 hdr->len != wpa_ie_len - 2 ||
617 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
618 WPA_GET_LE16(hdr->version) != WPA_VERSION) {
619 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
620 __func__);
621 return -2;
622 }
623
624 pos = (const u8 *) (hdr + 1);
625 left = wpa_ie_len - sizeof(*hdr);
626
627 if (left >= WPA_SELECTOR_LEN) {
628 data->group_cipher = wpa_selector_to_bitfield(pos);
629 pos += WPA_SELECTOR_LEN;
630 left -= WPA_SELECTOR_LEN;
631 } else if (left > 0) {
632 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
633 __func__, left);
634 return -3;
635 }
636
637 if (left >= 2) {
638 data->pairwise_cipher = 0;
639 count = WPA_GET_LE16(pos);
640 pos += 2;
641 left -= 2;
642 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
643 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
644 "count %u left %u", __func__, count, left);
645 return -4;
646 }
647 for (i = 0; i < count; i++) {
648 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
649 pos += WPA_SELECTOR_LEN;
650 left -= WPA_SELECTOR_LEN;
651 }
652 } else if (left == 1) {
653 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
654 __func__);
655 return -5;
656 }
657
658 if (left >= 2) {
659 data->key_mgmt = 0;
660 count = WPA_GET_LE16(pos);
661 pos += 2;
662 left -= 2;
663 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
664 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
665 "count %u left %u", __func__, count, left);
666 return -6;
667 }
668 for (i = 0; i < count; i++) {
669 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
670 pos += WPA_SELECTOR_LEN;
671 left -= WPA_SELECTOR_LEN;
672 }
673 } else if (left == 1) {
674 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
675 __func__);
676 return -7;
677 }
678
679 if (left >= 2) {
680 data->capabilities = WPA_GET_LE16(pos);
681 pos += 2;
682 left -= 2;
683 }
684
685 if (left > 0) {
686 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
687 __func__, left);
688 }
689
690 return 0;
691}
692
693
694#ifdef CONFIG_IEEE80211R
695
696/**
697 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
698 *
699 * IEEE Std 802.11r-2008 - 8.5.1.5.3
700 */
701void wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
702 const u8 *ssid, size_t ssid_len,
703 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
704 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name)
705{
706 u8 buf[1 + WPA_MAX_SSID_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
707 FT_R0KH_ID_MAX_LEN + ETH_ALEN];
708 u8 *pos, r0_key_data[48], hash[32];
709 const u8 *addr[2];
710 size_t len[2];
711
712 /*
713 * R0-Key-Data = KDF-384(XXKey, "FT-R0",
714 * SSIDlength || SSID || MDID || R0KHlength ||
715 * R0KH-ID || S0KH-ID)
716 * XXKey is either the second 256 bits of MSK or PSK.
717 * PMK-R0 = L(R0-Key-Data, 0, 256)
718 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128)
719 */
720 if (ssid_len > WPA_MAX_SSID_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
721 return;
722 pos = buf;
723 *pos++ = ssid_len;
724 os_memcpy(pos, ssid, ssid_len);
725 pos += ssid_len;
726 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
727 pos += MOBILITY_DOMAIN_ID_LEN;
728 *pos++ = r0kh_id_len;
729 os_memcpy(pos, r0kh_id, r0kh_id_len);
730 pos += r0kh_id_len;
731 os_memcpy(pos, s0kh_id, ETH_ALEN);
732 pos += ETH_ALEN;
733
734 sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
735 r0_key_data, sizeof(r0_key_data));
736 os_memcpy(pmk_r0, r0_key_data, PMK_LEN);
737
738 /*
739 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt)
740 */
741 addr[0] = (const u8 *) "FT-R0N";
742 len[0] = 6;
743 addr[1] = r0_key_data + PMK_LEN;
744 len[1] = 16;
745
746 sha256_vector(2, addr, len, hash);
747 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
748}
749
750
751/**
752 * wpa_derive_pmk_r1_name - Derive PMKR1Name
753 *
754 * IEEE Std 802.11r-2008 - 8.5.1.5.4
755 */
756void wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
757 const u8 *s1kh_id, u8 *pmk_r1_name)
758{
759 u8 hash[32];
760 const u8 *addr[4];
761 size_t len[4];
762
763 /*
764 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name ||
765 * R1KH-ID || S1KH-ID))
766 */
767 addr[0] = (const u8 *) "FT-R1N";
768 len[0] = 6;
769 addr[1] = pmk_r0_name;
770 len[1] = WPA_PMK_NAME_LEN;
771 addr[2] = r1kh_id;
772 len[2] = FT_R1KH_ID_LEN;
773 addr[3] = s1kh_id;
774 len[3] = ETH_ALEN;
775
776 sha256_vector(4, addr, len, hash);
777 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
778}
779
780
781/**
782 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
783 *
784 * IEEE Std 802.11r-2008 - 8.5.1.5.4
785 */
786void wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name,
787 const u8 *r1kh_id, const u8 *s1kh_id,
788 u8 *pmk_r1, u8 *pmk_r1_name)
789{
790 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
791 u8 *pos;
792
793 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
794 pos = buf;
795 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
796 pos += FT_R1KH_ID_LEN;
797 os_memcpy(pos, s1kh_id, ETH_ALEN);
798 pos += ETH_ALEN;
799
800 sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf, pmk_r1, PMK_LEN);
801
802 wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, pmk_r1_name);
803}
804
805
806/**
807 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
808 *
809 * IEEE Std 802.11r-2008 - 8.5.1.5.5
810 */
811void wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce,
812 const u8 *sta_addr, const u8 *bssid,
813 const u8 *pmk_r1_name,
814 u8 *ptk, size_t ptk_len, u8 *ptk_name)
815{
816 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
817 u8 *pos, hash[32];
818 const u8 *addr[6];
819 size_t len[6];
820
821 /*
822 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
823 * BSSID || STA-ADDR)
824 */
825 pos = buf;
826 os_memcpy(pos, snonce, WPA_NONCE_LEN);
827 pos += WPA_NONCE_LEN;
828 os_memcpy(pos, anonce, WPA_NONCE_LEN);
829 pos += WPA_NONCE_LEN;
830 os_memcpy(pos, bssid, ETH_ALEN);
831 pos += ETH_ALEN;
832 os_memcpy(pos, sta_addr, ETH_ALEN);
833 pos += ETH_ALEN;
834
835 sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf, ptk, ptk_len);
836
837 /*
838 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
839 * ANonce || BSSID || STA-ADDR))
840 */
841 addr[0] = pmk_r1_name;
842 len[0] = WPA_PMK_NAME_LEN;
843 addr[1] = (const u8 *) "FT-PTKN";
844 len[1] = 7;
845 addr[2] = snonce;
846 len[2] = WPA_NONCE_LEN;
847 addr[3] = anonce;
848 len[3] = WPA_NONCE_LEN;
849 addr[4] = bssid;
850 len[4] = ETH_ALEN;
851 addr[5] = sta_addr;
852 len[5] = ETH_ALEN;
853
854 sha256_vector(6, addr, len, hash);
855 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
856}
857
858#endif /* CONFIG_IEEE80211R */
859
860
861/**
862 * rsn_pmkid - Calculate PMK identifier
863 * @pmk: Pairwise master key
864 * @pmk_len: Length of pmk in bytes
865 * @aa: Authenticator address
866 * @spa: Supplicant address
867 * @pmkid: Buffer for PMKID
868 * @use_sha256: Whether to use SHA256-based KDF
869 *
870 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
871 * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
872 */
873void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
874 u8 *pmkid, int use_sha256)
875{
876 char *title = "PMK Name";
877 const u8 *addr[3];
878 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
879 unsigned char hash[SHA256_MAC_LEN];
880
881 addr[0] = (u8 *) title;
882 addr[1] = aa;
883 addr[2] = spa;
884
885#ifdef CONFIG_IEEE80211W
886 if (use_sha256)
887 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
888 else
889#endif /* CONFIG_IEEE80211W */
890 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
891 os_memcpy(pmkid, hash, PMKID_LEN);
892}
893
894
895/**
896 * wpa_cipher_txt - Convert cipher suite to a text string
897 * @cipher: Cipher suite (WPA_CIPHER_* enum)
898 * Returns: Pointer to a text string of the cipher suite name
899 */
900const char * wpa_cipher_txt(int cipher)
901{
902 switch (cipher) {
903 case WPA_CIPHER_NONE:
904 return "NONE";
905 case WPA_CIPHER_WEP40:
906 return "WEP-40";
907 case WPA_CIPHER_WEP104:
908 return "WEP-104";
909 case WPA_CIPHER_TKIP:
910 return "TKIP";
911 case WPA_CIPHER_CCMP:
912 return "CCMP";
913 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
914 return "CCMP+TKIP";
915 default:
916 return "UNKNOWN";
917 }
918}
919
920
921/**
922 * wpa_key_mgmt_txt - Convert key management suite to a text string
923 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
924 * @proto: WPA/WPA2 version (WPA_PROTO_*)
925 * Returns: Pointer to a text string of the key management suite name
926 */
927const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
928{
929 switch (key_mgmt) {
930 case WPA_KEY_MGMT_IEEE8021X:
931 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
932 return "WPA2+WPA/IEEE 802.1X/EAP";
933 return proto == WPA_PROTO_RSN ?
934 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
935 case WPA_KEY_MGMT_PSK:
936 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
937 return "WPA2-PSK+WPA-PSK";
938 return proto == WPA_PROTO_RSN ?
939 "WPA2-PSK" : "WPA-PSK";
940 case WPA_KEY_MGMT_NONE:
941 return "NONE";
942 case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
943 return "IEEE 802.1X (no WPA)";
944#ifdef CONFIG_IEEE80211R
945 case WPA_KEY_MGMT_FT_IEEE8021X:
946 return "FT-EAP";
947 case WPA_KEY_MGMT_FT_PSK:
948 return "FT-PSK";
949#endif /* CONFIG_IEEE80211R */
950#ifdef CONFIG_IEEE80211W
951 case WPA_KEY_MGMT_IEEE8021X_SHA256:
952 return "WPA2-EAP-SHA256";
953 case WPA_KEY_MGMT_PSK_SHA256:
954 return "WPA2-PSK-SHA256";
955#endif /* CONFIG_IEEE80211W */
956 default:
957 return "UNKNOWN";
958 }
959}
960
961
962int wpa_compare_rsn_ie(int ft_initial_assoc,
963 const u8 *ie1, size_t ie1len,
964 const u8 *ie2, size_t ie2len)
965{
966 if (ie1 == NULL || ie2 == NULL)
967 return -1;
968
969 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
970 return 0; /* identical IEs */
971
972#ifdef CONFIG_IEEE80211R
973 if (ft_initial_assoc) {
974 struct wpa_ie_data ie1d, ie2d;
975 /*
976 * The PMKID-List in RSN IE is different between Beacon/Probe
977 * Response/(Re)Association Request frames and EAPOL-Key
978 * messages in FT initial mobility domain association. Allow
979 * for this, but verify that other parts of the RSN IEs are
980 * identical.
981 */
982 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
983 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
984 return -1;
985 if (ie1d.proto == ie2d.proto &&
986 ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
987 ie1d.group_cipher == ie2d.group_cipher &&
988 ie1d.key_mgmt == ie2d.key_mgmt &&
989 ie1d.capabilities == ie2d.capabilities &&
990 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
991 return 0;
992 }
993#endif /* CONFIG_IEEE80211R */
994
995 return -1;
996}
997
998
999#ifdef CONFIG_IEEE80211R
1000int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid)
1001{
1002 u8 *start, *end, *rpos, *rend;
1003 int added = 0;
1004
1005 start = ies;
1006 end = ies + ies_len;
1007
1008 while (start < end) {
1009 if (*start == WLAN_EID_RSN)
1010 break;
1011 start += 2 + start[1];
1012 }
1013 if (start >= end) {
1014 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in "
1015 "IEs data");
1016 return -1;
1017 }
1018 wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification",
1019 start, 2 + start[1]);
1020
1021 /* Find start of PMKID-Count */
1022 rpos = start + 2;
1023 rend = rpos + start[1];
1024
1025 /* Skip Version and Group Data Cipher Suite */
1026 rpos += 2 + 4;
1027 /* Skip Pairwise Cipher Suite Count and List */
1028 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1029 /* Skip AKM Suite Count and List */
1030 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1031
1032 if (rpos == rend) {
1033 /* Add RSN Capabilities */
1034 os_memmove(rpos + 2, rpos, end - rpos);
1035 *rpos++ = 0;
1036 *rpos++ = 0;
1037 } else {
1038 /* Skip RSN Capabilities */
1039 rpos += 2;
1040 if (rpos > rend) {
1041 wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in "
1042 "IEs data");
1043 return -1;
1044 }
1045 }
1046
1047 if (rpos == rend) {
1048 /* No PMKID-Count field included; add it */
1049 os_memmove(rpos + 2 + PMKID_LEN, rpos, end - rpos);
1050 WPA_PUT_LE16(rpos, 1);
1051 rpos += 2;
1052 os_memcpy(rpos, pmkid, PMKID_LEN);
1053 added += 2 + PMKID_LEN;
1054 start[1] += 2 + PMKID_LEN;
1055 } else {
1056 /* PMKID-Count was included; use it */
1057 if (WPA_GET_LE16(rpos) != 0) {
1058 wpa_printf(MSG_ERROR, "FT: Unexpected PMKID "
1059 "in RSN IE in EAPOL-Key data");
1060 return -1;
1061 }
1062 WPA_PUT_LE16(rpos, 1);
1063 rpos += 2;
1064 os_memmove(rpos + PMKID_LEN, rpos, end - rpos);
1065 os_memcpy(rpos, pmkid, PMKID_LEN);
1066 added += PMKID_LEN;
1067 start[1] += PMKID_LEN;
1068 }
1069
1070 wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification "
1071 "(PMKID inserted)", start, 2 + start[1]);
1072
1073 return added;
1074}
1075#endif /* CONFIG_IEEE80211R */