Kernel/iwd
3
0
Fork 0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-05 03:29:24 +01:00
Code Releases Activity
7c779956ac
iwd/src/handshake.c

707 lines
17 KiB
C
Raw Normal View History

Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
/*
*
* Wireless daemon for Linux
*
* Copyright (C) 2013-2014 Intel Corporation. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <arpa/inet.h>
#include <linux/filter.h>
#include <ell/ell.h>
#include "crypto.h"
#include "ie.h"
#include "util.h"
#include "handshake.h"
static bool handshake_get_nonce(uint8_t nonce[])
{
return l_getrandom(nonce, 32);
}
static handshake_get_nonce_func_t get_nonce = handshake_get_nonce;
static handshake_install_tk_func_t install_tk = NULL;
static handshake_install_gtk_func_t install_gtk = NULL;
static handshake_install_igtk_func_t install_igtk = NULL;
void __handshake_set_get_nonce_func(handshake_get_nonce_func_t func)
{
get_nonce = func;
}
void __handshake_set_install_tk_func(handshake_install_tk_func_t func)
{
install_tk = func;
}
void __handshake_set_install_gtk_func(handshake_install_gtk_func_t func)
{
install_gtk = func;
}
void __handshake_set_install_igtk_func(handshake_install_igtk_func_t func)
{
install_igtk = func;
}
void handshake_state_free(struct handshake_state *s)
{
handshake: Switch to superclass api
2018-06-22 02:32:55 +02:00
typeof(s->free) destroy = s->free;
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
l_free(s->authenticator_ie);
l_free(s->supplicant_ie);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
l_free(s->mde);
l_free(s->fte);
network: save passphrase in network SAE needs access to the raw passphrase, not the PSK which network saves. This changes saves the passphrase in network and handshake objects, as well as adds getters to both objects so SAE can retrieve the passphrase.
2018-08-07 23:29:06 +02:00
l_free(s->passphrase);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
handshake: Switch to superclass api
2018-06-22 02:32:55 +02:00
memset(s, 0, sizeof(*s));
if (destroy)
destroy(s);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
void handshake_state_set_supplicant_address(struct handshake_state *s,
const uint8_t *spa)
{
memcpy(s->spa, spa, sizeof(s->spa));
}
void handshake_state_set_authenticator_address(struct handshake_state *s,
const uint8_t *aa)
{
memcpy(s->aa, aa, sizeof(s->aa));
}
handshake: introduce authenticator bit Both SAE and adhoc can benefit from knowing whether the handshake state is an authenticator or a supplicant. It will allow both to easily obtain the remote address rather than sorting out if aa/spa match the devices own address.
2018-08-15 19:36:18 +02:00
void handshake_state_set_authenticator(struct handshake_state *s, bool auth)
{
s->authenticator = auth;
}
eapol: In FT-EAP use all 64 bytes of the MSK Until now we'd save the second 32 bytes of the MSK as the PMK and use that for the PMK-R0 as well as the PMKID calculation. The PMKID actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey input maps to the second 32 bytes. Add a pmk_len parameter to handshake_state_set_pmk to handle that. Update the eapol_eap_results_cb 802.11 quotes to the 2016 version.
2018-03-15 12:06:53 +01:00
void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk,
size_t pmk_len)
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
{
eapol: In FT-EAP use all 64 bytes of the MSK Until now we'd save the second 32 bytes of the MSK as the PMK and use that for the PMK-R0 as well as the PMKID calculation. The PMKID actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey input maps to the second 32 bytes. Add a pmk_len parameter to handshake_state_set_pmk to handle that. Update the eapol_eap_results_cb 802.11 quotes to the 2016 version.
2018-03-15 12:06:53 +01:00
memcpy(s->pmk, pmk, pmk_len);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
s->have_pmk = true;
}
void handshake_state_set_8021x_config(struct handshake_state *s,
struct l_settings *settings)
{
s->settings_8021x = settings;
}
handshake: Add getter for settings_8021x
2016-11-15 20:03:31 +01:00
struct l_settings *handshake_state_get_8021x_config(struct handshake_state *s)
{
return s->settings_8021x;
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
static bool handshake_state_setup_own_ciphers(struct handshake_state *s,
const struct ie_rsn_info *info)
{
if (__builtin_popcount(info->pairwise_ciphers) != 1)
return false;
if (__builtin_popcount(info->akm_suites) != 1)
return false;
s->akm_suite = info->akm_suites;
s->pairwise_cipher = info->pairwise_ciphers;
s->group_cipher = info->group_cipher;
s->group_management_cipher = info->group_management_cipher;
s->mfp = info->mfpc;
return true;
}
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
static bool handshake_state_set_authenticator_ie(struct handshake_state *s,
const uint8_t *ie, bool is_wpa)
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
{
struct ie_rsn_info info;
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
l_free(s->authenticator_ie);
s->authenticator_ie = l_memdup(ie, ie[1] + 2u);
s->wpa_ie = is_wpa;
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
if (!s->authenticator)
return true;
if (is_wpa) {
if (ie_parse_wpa_from_data(ie, ie[1] + 2, &info) < 0)
return false;
} else {
if (ie_parse_rsne_from_data(ie, ie[1] + 2, &info) < 0)
return false;
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
return handshake_state_setup_own_ciphers(s, &info);
}
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
static bool handshake_state_set_supplicant_ie(struct handshake_state *s,
const uint8_t *ie, bool is_wpa)
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
{
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
struct ie_rsn_info info;
l_free(s->supplicant_ie);
s->supplicant_ie = l_memdup(ie, ie[1] + 2u);
s->wpa_ie = is_wpa;
if (s->authenticator)
return true;
if (is_wpa) {
if (ie_parse_wpa_from_data(ie, ie[1] + 2, &info) < 0)
return false;
} else {
if (ie_parse_rsne_from_data(ie, ie[1] + 2, &info) < 0)
return false;
}
return handshake_state_setup_own_ciphers(s, &info);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
bool handshake_state_set_authenticator_rsn(struct handshake_state *s,
const uint8_t *rsn_ie)
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
{
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
return handshake_state_set_authenticator_ie(s, rsn_ie, false);
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
bool handshake_state_set_supplicant_rsn(struct handshake_state *s,
const uint8_t *rsn_ie)
{
return handshake_state_set_supplicant_ie(s, rsn_ie, false);
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
bool handshake_state_set_authenticator_wpa(struct handshake_state *s,
const uint8_t *wpa_ie)
{
return handshake_state_set_authenticator_ie(s, wpa_ie, true);
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
handshake: Rename own_ie/ap_ie and related setters To avoid confusion in case of an authenticator side handshake_state structure and eapol_sm structure, rename own_ie to supplicant_ie and ap_ie to authenticator_ie. Also rename handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call handshake_state_setup_own_ciphers. As a result handshake_state_set_authenticator, if needed, should be called before handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-25 03:54:24 +02:00
bool handshake_state_set_supplicant_wpa(struct handshake_state *s,
const uint8_t *wpa_ie)
{
return handshake_state_set_supplicant_ie(s, wpa_ie, true);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
void handshake_state_set_ssid(struct handshake_state *s, const uint8_t *ssid,
size_t ssid_len)
{
memcpy(s->ssid, ssid, ssid_len);
s->ssid_len = ssid_len;
}
void handshake_state_set_mde(struct handshake_state *s, const uint8_t *mde)
{
if (s->mde)
l_free(s->mde);
s->mde = mde ? l_memdup(mde, mde[1] + 2) : NULL;
}
void handshake_state_set_fte(struct handshake_state *s, const uint8_t *fte)
{
if (s->fte)
l_free(s->fte);
s->fte = fte ? l_memdup(fte, fte[1] + 2) : NULL;
}
void handshake_state_set_kh_ids(struct handshake_state *s,
const uint8_t *r0khid, size_t r0khid_len,
const uint8_t *r1khid)
{
memcpy(s->r0khid, r0khid, r0khid_len);
s->r0khid_len = r0khid_len;
memcpy(s->r1khid, r1khid, 6);
}
handshake: remove handshake related netdev events Handshake related netdev events were removed in favor of handshake events. Now events will be emitted on the handshake object related to the 4-way handshake and key settings. Events are: HANDSHAKE_EVENT_STARTED HANDSHAKE_EVENT_SETTING_KEYS HANDSHAKE_EVENT_COMPLETE HANDSHAKE_EVENT_FAILED Right now, since netdev only operates in station mode, nothing listens for COMPLETE/FAILED, as device/wsc gets notified by the connect_cb when the connection was successful. The COMPLETE/ FAILED were added in preperation for AP moving into eapol/netdev.
2018-06-22 20:13:27 +02:00
void handshake_state_set_event_func(struct handshake_state *s,
handshake_event_func_t func,
void *user_data)
{
s->event_func = func;
s->user_data = user_data;
}
network: save passphrase in network SAE needs access to the raw passphrase, not the PSK which network saves. This changes saves the passphrase in network and handshake objects, as well as adds getters to both objects so SAE can retrieve the passphrase.
2018-08-07 23:29:06 +02:00
void handshake_state_set_passphrase(struct handshake_state *s,
const char *passphrase)
{
s->passphrase = l_strdup(passphrase);
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
void handshake_state_new_snonce(struct handshake_state *s)
{
get_nonce(s->snonce);
s->have_snonce = true;
}
handshake: Add utility to generate a new anonce AP EAPoL state machine will need to generate the anonce, so as with snonce, an API was added to do that.
2018-06-20 20:05:16 +02:00
void handshake_state_new_anonce(struct handshake_state *s)
{
get_nonce(s->anonce);
s->have_anonce = true;
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
void handshake_state_set_anonce(struct handshake_state *s,
const uint8_t *anonce)
{
memcpy(s->anonce, anonce, 32);
}
bool handshake_state_derive_ptk(struct handshake_state *s)
{
struct crypto_ptk *ptk = (struct crypto_ptk *) s->ptk;
enum crypto_cipher cipher;
size_t ptk_size;
bool use_sha256;
if (!s->have_snonce || !s->have_pmk)
return false;
if ((s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) &&
(!s->mde || !s->fte))
return false;
s->ptk_complete = false;
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
IE_RSN_AKM_SUITE_PSK_SHA256 |
IE_RSN_AKM_SUITE_SAE_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256))
use_sha256 = true;
else
use_sha256 = false;
cipher = ie_rsn_cipher_suite_to_cipher(s->pairwise_cipher);
ptk_size = sizeof(struct crypto_ptk) + crypto_cipher_key_len(cipher);
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) {
uint16_t mdid;
uint8_t ptk_name[16];
eapol: In FT-EAP use all 64 bytes of the MSK Until now we'd save the second 32 bytes of the MSK as the PMK and use that for the PMK-R0 as well as the PMKID calculation. The PMKID actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey input maps to the second 32 bytes. Add a pmk_len parameter to handshake_state_set_pmk to handle that. Update the eapol_eap_results_cb 802.11 quotes to the 2016 version.
2018-03-15 12:06:53 +01:00
const uint8_t *xxkey = s->pmk;
/*
* In a Fast Transition initial mobility domain association
* the PMK maps to the XXKey, except with EAP:
* 802.11-2016 12.7.1.7.3:
* "If the AKM negotiated is 00-0F-AC:3, then [...] XXKey
* shall be the second 256 bits of the MSK (which is
* derived from the IEEE 802.1X authentication), i.e.,
* XXKey = L(MSK, 256, 256)."
*/
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X)
xxkey = s->pmk + 32;
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
ie_parse_mobility_domain_from_data(s->mde, s->mde[1] + 2,
&mdid, NULL, NULL);
eapol: In FT-EAP use all 64 bytes of the MSK Until now we'd save the second 32 bytes of the MSK as the PMK and use that for the PMK-R0 as well as the PMKID calculation. The PMKID actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey input maps to the second 32 bytes. Add a pmk_len parameter to handshake_state_set_pmk to handle that. Update the eapol_eap_results_cb 802.11 quotes to the 2016 version.
2018-03-15 12:06:53 +01:00
if (!crypto_derive_pmk_r0(xxkey, s->ssid, s->ssid_len, mdid,
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
s->r0khid, s->r0khid_len,
s->spa,
s->pmk_r0, s->pmk_r0_name))
return false;
if (!crypto_derive_pmk_r1(s->pmk_r0, s->r1khid, s->spa,
s->pmk_r0_name,
s->pmk_r1, s->pmk_r1_name))
return false;
if (!crypto_derive_ft_ptk(s->pmk_r1, s->pmk_r1_name, s->aa,
s->spa, s->snonce, s->anonce,
ptk, ptk_size, ptk_name))
return false;
} else
if (!crypto_derive_pairwise_ptk(s->pmk, s->spa, s->aa,
s->anonce, s->snonce,
ptk, ptk_size, use_sha256))
return false;
return true;
}
const struct crypto_ptk *handshake_state_get_ptk(struct handshake_state *s)
{
return (struct crypto_ptk *) s->ptk;
}
void handshake_state_install_ptk(struct handshake_state *s)
{
struct crypto_ptk *ptk = (struct crypto_ptk *) s->ptk;
s->ptk_complete = true;
if (install_tk) {
uint32_t cipher = ie_rsn_cipher_suite_to_cipher(
s->pairwise_cipher);
handshake: remove handshake related netdev events Handshake related netdev events were removed in favor of handshake events. Now events will be emitted on the handshake object related to the 4-way handshake and key settings. Events are: HANDSHAKE_EVENT_STARTED HANDSHAKE_EVENT_SETTING_KEYS HANDSHAKE_EVENT_COMPLETE HANDSHAKE_EVENT_FAILED Right now, since netdev only operates in station mode, nothing listens for COMPLETE/FAILED, as device/wsc gets notified by the connect_cb when the connection was successful. The COMPLETE/ FAILED were added in preperation for AP moving into eapol/netdev.
2018-06-22 20:13:27 +02:00
handshake_event(s, HANDSHAKE_EVENT_SETTING_KEYS, NULL);
handshake: Switch to superclass api
2018-06-22 02:32:55 +02:00
install_tk(s, ptk->tk, cipher);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
}
void handshake_state_install_gtk(struct handshake_state *s,
uint8_t gtk_key_index,
const uint8_t *gtk, size_t gtk_len,
const uint8_t *rsc, uint8_t rsc_len)
{
if (install_gtk) {
uint32_t cipher =
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
handshake: Switch to superclass api
2018-06-22 02:32:55 +02:00
install_gtk(s, gtk_key_index, gtk, gtk_len,
rsc, rsc_len, cipher);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
}
void handshake_state_install_igtk(struct handshake_state *s,
uint8_t igtk_key_index,
handshake: Split the install_igtk igtk parameter in 2 buffers Split the igtk parameter to handshake_state_install_igtk into one parameter for the actual IGTK buffer and one for the IPN buffer instead of requiring the caller to have them both in one continuous buffer. With FT protocol, one is received encrypted and the other in plain text.
2017-01-31 03:42:51 +01:00
const uint8_t *igtk, size_t igtk_len,
const uint8_t *ipn)
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
{
if (install_igtk) {
uint32_t cipher =
ie_rsn_cipher_suite_to_cipher(
s->group_management_cipher);
handshake: Switch to superclass api
2018-06-22 02:32:55 +02:00
install_igtk(s, igtk_key_index, igtk, igtk_len,
ipn, 6, cipher);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
}
void handshake_state_override_pairwise_cipher(struct handshake_state *s,
enum ie_rsn_cipher_suite pairwise)
{
s->pairwise_cipher = pairwise;
}
handshake: add setter for PMKID SAE generates the PMKID during the authentication process, rather than generating it on-the-fly using the PMK. For this reason SAE needs to be able to set the PMKID once its generated. A new flag was also added (has_pmkid) which signifies if the PMKID was set or if it should be generated.
2018-08-07 23:29:10 +02:00
void handshake_state_set_pmkid(struct handshake_state *s, const uint8_t *pmkid)
{
memcpy(s->pmkid, pmkid, 16);
s->have_pmkid = true;
}
handshake: Add handshake_state_get_pmkid Returns the PMKID for the current PMK (configured through handshake_state_set_pmk for PSK, created through EAP or from pre-authentication)
2017-04-15 13:58:45 +02:00
bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
{
bool use_sha256;
handshake: add setter for PMKID SAE generates the PMKID during the authentication process, rather than generating it on-the-fly using the PMK. For this reason SAE needs to be able to set the PMKID once its generated. A new flag was also added (has_pmkid) which signifies if the PMKID was set or if it should be generated.
2018-08-07 23:29:10 +02:00
/* SAE exports pmkid */
if (s->have_pmkid) {
memcpy(out_pmkid, s->pmkid, 16);
return true;
}
handshake: Add handshake_state_get_pmkid Returns the PMKID for the current PMK (configured through handshake_state_set_pmk for PSK, created through EAP or from pre-authentication)
2017-04-15 13:58:45 +02:00
if (!s->have_pmk)
return false;
/*
* Note 802.11 section 11.6.1.3:
* "When the PMKID is calculated for the PMKSA as part of RSN
* preauthentication, the AKM has not yet been negotiated. In this
* case, the HMAC-SHA1-128 based derivation is used for the PMKID
* calculation."
*/
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
IE_RSN_AKM_SUITE_PSK_SHA256))
use_sha256 = true;
else
use_sha256 = false;
return crypto_derive_pmkid(s->pmk, s->spa, s->aa, out_pmkid,
use_sha256);
}
handshake: Add GTK data to handshake_state Add places to store the GTK data, index and RSC in struct handshake_state and add a setter function for these fields. We may want to also convert install_gtk to use these fields similar to install_ptk.
2018-09-22 18:48:14 +02:00
void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key,
unsigned int key_index, const uint8_t *rsc)
{
enum crypto_cipher cipher =
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
int key_len = crypto_cipher_key_len(cipher);
if (!key_len)
return;
memcpy(s->gtk, key, key_len);
s->gtk_index = key_index;
memcpy(s->gtk_rsc, rsc, 6);
}
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
/*
* This function performs a match of the RSN/WPA IE obtained from the scan
* results vs the RSN/WPA IE obtained as part of the 4-way handshake. If they
* don't match, the EAPoL packet must be silently discarded.
*/
bool handshake_util_ap_ie_matches(const uint8_t *msg_ie,
const uint8_t *scan_ie, bool is_wpa)
{
struct ie_rsn_info msg_info;
struct ie_rsn_info scan_info;
/*
* First check that the sizes match, if they do, run a bitwise
* comparison.
*/
if (msg_ie[1] == scan_ie[1] &&
!memcmp(msg_ie + 2, scan_ie + 2, msg_ie[1]))
return true;
/*
* Otherwise we have to parse the IEs and compare the individual
* fields
*/
if (!is_wpa) {
if (ie_parse_rsne_from_data(msg_ie, msg_ie[1] + 2,
&msg_info) < 0)
return false;
if (ie_parse_rsne_from_data(scan_ie, scan_ie[1] + 2,
&scan_info) < 0)
return false;
} else {
if (ie_parse_wpa_from_data(msg_ie, msg_ie[1] + 2,
&msg_info) < 0)
return false;
if (ie_parse_wpa_from_data(scan_ie, scan_ie[1] + 2,
&scan_info) < 0)
return false;
}
if (msg_info.group_cipher != scan_info.group_cipher)
return false;
if (msg_info.pairwise_ciphers != scan_info.pairwise_ciphers)
return false;
if (msg_info.akm_suites != scan_info.akm_suites)
return false;
if (msg_info.preauthentication != scan_info.preauthentication)
return false;
if (msg_info.no_pairwise != scan_info.no_pairwise)
return false;
if (msg_info.ptksa_replay_counter != scan_info.ptksa_replay_counter)
return false;
if (msg_info.gtksa_replay_counter != scan_info.gtksa_replay_counter)
return false;
if (msg_info.mfpr != scan_info.mfpr)
return false;
if (msg_info.mfpc != scan_info.mfpc)
return false;
if (msg_info.peerkey_enabled != scan_info.peerkey_enabled)
return false;
if (msg_info.spp_a_msdu_capable != scan_info.spp_a_msdu_capable)
return false;
if (msg_info.spp_a_msdu_required != scan_info.spp_a_msdu_required)
return false;
if (msg_info.pbac != scan_info.pbac)
return false;
if (msg_info.extended_key_id != scan_info.extended_key_id)
return false;
/* We don't check the PMKIDs since these might actually be different */
if (msg_info.group_management_cipher !=
scan_info.group_management_cipher)
return false;
return true;
}
static const uint8_t *find_kde(const uint8_t *data, size_t data_len,
size_t *out_len, const unsigned char *oui)
{
struct ie_tlv_iter iter;
const uint8_t *result;
unsigned int len;
ie_tlv_iter_init(&iter, data, data_len);
while (ie_tlv_iter_next(&iter)) {
if (ie_tlv_iter_get_tag(&iter) != IE_TYPE_VENDOR_SPECIFIC)
continue;
len = ie_tlv_iter_get_length(&iter);
if (len < 4) /* Take care of padding */
return NULL;
/* Check OUI */
result = ie_tlv_iter_get_data(&iter);
if (memcmp(result, oui, 4))
continue;
if (out_len)
*out_len = len - 4;
return result + 4;
}
return NULL;
}
const uint8_t *handshake_util_find_gtk_kde(const uint8_t *data, size_t data_len,
size_t *out_gtk_len)
{
static const unsigned char gtk_oui[] = { 0x00, 0x0f, 0xac, 0x01 };
eapol: Tighten up GTK/IGTK KDE validation GTK KDE was being checked for being a minimum of 6 bytes. Not quite sure why since the minimum GTK key length is 16 bytes for CCMP. Similarly make sure that the maximum length is not more than 32, which is currently the largest key size (TKIP)
2017-10-19 21:40:15 +02:00
size_t gtk_len;
const uint8_t *gtk = find_kde(data, data_len, &gtk_len, gtk_oui);
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
eapol: Tighten up GTK/IGTK KDE validation GTK KDE was being checked for being a minimum of 6 bytes. Not quite sure why since the minimum GTK key length is 16 bytes for CCMP. Similarly make sure that the maximum length is not more than 32, which is currently the largest key size (TKIP)
2017-10-19 21:40:15 +02:00
if (!gtk)
return NULL;
/*
* Account for KeyId, TX and Reserved octet
* See 802.11-2016, Figure 12-35
*/
if (gtk_len < CRYPTO_MIN_GTK_LEN + 2)
return NULL;
if (gtk_len > CRYPTO_MAX_GTK_LEN + 2)
return NULL;
if (out_gtk_len)
*out_gtk_len = gtk_len;
return gtk;
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
const uint8_t *handshake_util_find_igtk_kde(const uint8_t *data,
size_t data_len,
size_t *out_igtk_len)
{
static const unsigned char igtk_oui[] = { 0x00, 0x0f, 0xac, 0x09 };
eapol: Tighten up GTK/IGTK KDE validation GTK KDE was being checked for being a minimum of 6 bytes. Not quite sure why since the minimum GTK key length is 16 bytes for CCMP. Similarly make sure that the maximum length is not more than 32, which is currently the largest key size (TKIP)
2017-10-19 21:40:15 +02:00
size_t igtk_len;
const uint8_t *igtk = find_kde(data, data_len, &igtk_len, igtk_oui);
if (!igtk)
return NULL;
/*
* Account for KeyId and IPN
* See 802.11-2016, Figure 12-42
*/
if (igtk_len < CRYPTO_MIN_IGTK_LEN + 8)
return NULL;
if (igtk_len > CRYPTO_MAX_IGTK_LEN + 8)
return NULL;
if (out_igtk_len)
*out_igtk_len = igtk_len;
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
eapol: Tighten up GTK/IGTK KDE validation GTK KDE was being checked for being a minimum of 6 bytes. Not quite sure why since the minimum GTK key length is 16 bytes for CCMP. Similarly make sure that the maximum length is not more than 32, which is currently the largest key size (TKIP)
2017-10-19 21:40:15 +02:00
return igtk;
Add handshake_state object struct handshake_state is an object that stores all the key data and other authentication state and does the low level operations on the keys. Together with the next patch this mostly just splits eapol.c into two layers so that the key operations can also be used in Fast Transitions which don't use eapol.
2016-11-02 23:46:18 +01:00
}
handshake: Add utility for decoding GTK & IGTK from FTE handshake_decode_fte_key unwraps and validates the padding in the FTE GTK and IGTK subelements.
2017-01-31 03:42:52 +01:00
handshake: Add handshake_util_find_pmkid_kde Add a function that finds the PMKID kde in an RSNE's Key Data field similar to handshake_util_find_gtk_kde.
2017-04-15 13:58:46 +02:00
const uint8_t *handshake_util_find_pmkid_kde(const uint8_t *data,
size_t data_len)
{
static const unsigned char pmkid_oui[] = { 0x00, 0x0f, 0xac, 0x04 };
const uint8_t *pmkid;
size_t pmkid_len;
pmkid = find_kde(data, data_len, &pmkid_len, pmkid_oui);
handshake: Fix valgrind warning ==27901== Conditional jump or move depends on uninitialised value(s) ==27901== at 0x41157A: handshake_util_find_pmkid_kde (handshake.c:537) ==27901== by 0x40E03A: eapol_handle_ptk_1_of_4 (eapol.c:852) ==27901== by 0x40F3CD: eapol_key_handle (eapol.c:1417) ==27901== by 0x40F955: eapol_rx_packet (eapol.c:1607) ==27901== by 0x410321: __eapol_rx_packet (eapol.c:1915)
2017-05-15 22:23:03 +02:00
if (pmkid && pmkid_len != 16)
handshake: Add handshake_util_find_pmkid_kde Add a function that finds the PMKID kde in an RSNE's Key Data field similar to handshake_util_find_gtk_kde.
2017-04-15 13:58:46 +02:00
return NULL;
return pmkid;
}
handshake: Add handshake_util_build_gtk_kde utility
2018-09-22 18:48:15 +02:00
/* Defined in 802.11-2016 12.7.2 j), Figure 12-34 */
void handshake_util_build_gtk_kde(enum crypto_cipher cipher, const uint8_t *key,
unsigned int key_index, uint8_t *to)
{
size_t key_len = crypto_cipher_key_len(cipher);
*to++ = IE_TYPE_VENDOR_SPECIFIC;
*to++ = 6 + key_len;
l_put_be32(HANDSHAKE_KDE_GTK, to);
to += 4;
*to++ = key_index;
*to++ = 0;
memcpy(to, key, key_len);
}
handshake: Quote relevant section from 802.11 To make reading the code easier
2017-01-31 19:03:51 +01:00
/*
* Unwrap a GTK / IGTK included in an FTE following 802.11-2012, Section 12.8.5:
*
* "If a GTK or an IGTK are included, the Key field of the subelement shall be
* encrypted using KEK and the NIST AES key wrap algorithm. The Key field shall
* be padded before encrypting if the key length is less than 16 octets or if
* it is not a multiple of 8. The padding consists of appending a single octet
* 0xdd followed by zero or more 0x00 octets. When processing a received
* message, the receiver shall ignore this trailing padding. Addition of
* padding does not change the value of the Key Length field. Note that the
* length of the encrypted Key field can be determined from the length of the
* GTK or IGTK subelement.
*/
handshake: Add utility for decoding GTK & IGTK from FTE handshake_decode_fte_key unwraps and validates the padding in the FTE GTK and IGTK subelements.
2017-01-31 03:42:52 +01:00
bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped,
size_t key_len, uint8_t *key_out)
{
const struct crypto_ptk *ptk = handshake_state_get_ptk(s);
handshake: Use align_len macro
2017-01-31 19:04:26 +01:00
size_t padded_len = key_len < 16 ? 16 : align_len(key_len, 8);
handshake: Add utility for decoding GTK & IGTK from FTE handshake_decode_fte_key unwraps and validates the padding in the FTE GTK and IGTK subelements.
2017-01-31 03:42:52 +01:00
if (!aes_unwrap(ptk->kek, wrapped, padded_len + 8, key_out))
return false;
if (key_len < padded_len && key_out[key_len++] != 0xdd)
return false;
while (key_len < padded_len)
if (key_out[key_len++] != 0x00)
return false;
return true;
}
handshake: remove handshake related netdev events Handshake related netdev events were removed in favor of handshake events. Now events will be emitted on the handshake object related to the 4-way handshake and key settings. Events are: HANDSHAKE_EVENT_STARTED HANDSHAKE_EVENT_SETTING_KEYS HANDSHAKE_EVENT_COMPLETE HANDSHAKE_EVENT_FAILED Right now, since netdev only operates in station mode, nothing listens for COMPLETE/FAILED, as device/wsc gets notified by the connect_cb when the connection was successful. The COMPLETE/ FAILED were added in preperation for AP moving into eapol/netdev.
2018-06-22 20:13:27 +02:00
void handshake_event(struct handshake_state *hs,
enum handshake_event event, void *event_data)
{
if (hs->event_func)
hs->event_func(hs, event, event_data, hs->user_data);
}
Copy Permalink