2016-11-02 23:46:18 +01:00
|
|
|
/*
|
|
|
|
*
|
|
|
|
* Wireless daemon for Linux
|
|
|
|
*
|
2019-10-25 00:43:08 +02:00
|
|
|
* Copyright (C) 2013-2019 Intel Corporation. All rights reserved.
|
2016-11-02 23:46:18 +01:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include <config.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <linux/if.h>
|
|
|
|
#include <linux/if_packet.h>
|
|
|
|
#include <linux/if_ether.h>
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
#include <linux/filter.h>
|
2018-10-26 21:27:01 +02:00
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
#include <ell/ell.h>
|
|
|
|
|
2019-04-03 18:34:22 +02:00
|
|
|
#include "src/missing.h"
|
2018-10-26 21:27:01 +02:00
|
|
|
#include "src/crypto.h"
|
|
|
|
#include "src/ie.h"
|
|
|
|
#include "src/util.h"
|
|
|
|
#include "src/handshake.h"
|
2021-08-03 23:40:44 +02:00
|
|
|
#include "src/erp.h"
|
2021-09-20 21:29:05 +02:00
|
|
|
#include "src/band.h"
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2022-01-11 17:51:11 +01:00
|
|
|
static inline unsigned int n_ecc_groups(void)
|
2021-07-08 21:10:15 +02:00
|
|
|
{
|
|
|
|
const unsigned int *groups = l_ecc_supported_ike_groups();
|
|
|
|
unsigned int j = 0;
|
|
|
|
|
|
|
|
while (groups[j])
|
|
|
|
j += 1;
|
|
|
|
|
|
|
|
return j;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int ecc_group_index(unsigned int group)
|
|
|
|
{
|
|
|
|
const unsigned int *groups = l_ecc_supported_ike_groups();
|
|
|
|
int j;
|
|
|
|
|
|
|
|
for (j = 0; groups[j]; j++)
|
|
|
|
if (groups[j] == group)
|
|
|
|
return j;
|
|
|
|
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
static bool handshake_get_nonce(uint8_t nonce[])
|
|
|
|
{
|
|
|
|
return l_getrandom(nonce, 32);
|
|
|
|
}
|
|
|
|
|
|
|
|
static handshake_get_nonce_func_t get_nonce = handshake_get_nonce;
|
|
|
|
static handshake_install_tk_func_t install_tk = NULL;
|
|
|
|
static handshake_install_gtk_func_t install_gtk = NULL;
|
|
|
|
static handshake_install_igtk_func_t install_igtk = NULL;
|
2021-10-07 22:49:47 +02:00
|
|
|
static handshake_install_ext_tk_func_t install_ext_tk = NULL;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
|
|
|
void __handshake_set_get_nonce_func(handshake_get_nonce_func_t func)
|
|
|
|
{
|
|
|
|
get_nonce = func;
|
|
|
|
}
|
|
|
|
|
|
|
|
void __handshake_set_install_tk_func(handshake_install_tk_func_t func)
|
|
|
|
{
|
|
|
|
install_tk = func;
|
|
|
|
}
|
|
|
|
|
|
|
|
void __handshake_set_install_gtk_func(handshake_install_gtk_func_t func)
|
|
|
|
{
|
|
|
|
install_gtk = func;
|
|
|
|
}
|
|
|
|
|
|
|
|
void __handshake_set_install_igtk_func(handshake_install_igtk_func_t func)
|
|
|
|
{
|
|
|
|
install_igtk = func;
|
|
|
|
}
|
|
|
|
|
2021-10-07 22:49:47 +02:00
|
|
|
void __handshake_set_install_ext_tk_func(handshake_install_ext_tk_func_t func)
|
|
|
|
{
|
|
|
|
install_ext_tk = func;
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
void handshake_state_free(struct handshake_state *s)
|
|
|
|
{
|
2023-11-30 04:29:38 +01:00
|
|
|
__typeof__(s->free) destroy;
|
|
|
|
|
|
|
|
if (!s)
|
|
|
|
return;
|
|
|
|
|
|
|
|
destroy = s->free;
|
2018-06-22 02:32:55 +02:00
|
|
|
|
2022-01-21 11:24:38 +01:00
|
|
|
if (s->in_event) {
|
|
|
|
s->in_event = false;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2018-08-25 03:54:24 +02:00
|
|
|
l_free(s->authenticator_ie);
|
|
|
|
l_free(s->supplicant_ie);
|
2021-07-08 22:36:25 +02:00
|
|
|
l_free(s->authenticator_rsnxe);
|
|
|
|
l_free(s->supplicant_rsnxe);
|
2016-11-02 23:46:18 +01:00
|
|
|
l_free(s->mde);
|
|
|
|
l_free(s->fte);
|
2023-12-06 21:17:53 +01:00
|
|
|
l_free(s->authenticator_fte);
|
|
|
|
l_free(s->supplicant_fte);
|
2021-08-27 05:02:05 +02:00
|
|
|
l_free(s->fils_ip_req_ie);
|
|
|
|
l_free(s->fils_ip_resp_ie);
|
2021-12-23 04:32:18 +01:00
|
|
|
l_free(s->vendor_ies);
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2021-08-03 23:40:44 +02:00
|
|
|
if (s->erp_cache)
|
|
|
|
erp_cache_put(s->erp_cache);
|
|
|
|
|
2021-09-20 21:29:05 +02:00
|
|
|
l_free(s->chandef);
|
|
|
|
|
2019-03-19 01:25:28 +01:00
|
|
|
if (s->passphrase) {
|
|
|
|
explicit_bzero(s->passphrase, strlen(s->passphrase));
|
|
|
|
l_free(s->passphrase);
|
|
|
|
}
|
|
|
|
|
2023-12-05 16:46:40 +01:00
|
|
|
if (s->password_identifier) {
|
|
|
|
explicit_bzero(s->password_identifier,
|
|
|
|
strlen(s->password_identifier));
|
|
|
|
l_free(s->password_identifier);
|
|
|
|
}
|
|
|
|
|
2021-07-08 21:10:15 +02:00
|
|
|
if (s->ecc_sae_pts) {
|
|
|
|
unsigned int i;
|
|
|
|
|
|
|
|
for (i = 0; i < n_ecc_groups(); i++)
|
|
|
|
l_ecc_point_free(s->ecc_sae_pts[i]);
|
|
|
|
|
|
|
|
l_free(s->ecc_sae_pts);
|
|
|
|
}
|
|
|
|
|
2019-03-19 01:25:28 +01:00
|
|
|
explicit_bzero(s, sizeof(*s));
|
2018-06-22 02:32:55 +02:00
|
|
|
|
|
|
|
if (destroy)
|
|
|
|
destroy(s);
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_supplicant_address(struct handshake_state *s,
|
|
|
|
const uint8_t *spa)
|
|
|
|
{
|
|
|
|
memcpy(s->spa, spa, sizeof(s->spa));
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_authenticator_address(struct handshake_state *s,
|
|
|
|
const uint8_t *aa)
|
|
|
|
{
|
|
|
|
memcpy(s->aa, aa, sizeof(s->aa));
|
|
|
|
}
|
|
|
|
|
2018-08-15 19:36:18 +02:00
|
|
|
void handshake_state_set_authenticator(struct handshake_state *s, bool auth)
|
|
|
|
{
|
|
|
|
s->authenticator = auth;
|
|
|
|
}
|
|
|
|
|
2018-03-15 12:06:53 +01:00
|
|
|
void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk,
|
|
|
|
size_t pmk_len)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
2018-03-15 12:06:53 +01:00
|
|
|
memcpy(s->pmk, pmk, pmk_len);
|
2019-01-14 21:54:17 +01:00
|
|
|
s->pmk_len = pmk_len;
|
2016-11-02 23:46:18 +01:00
|
|
|
s->have_pmk = true;
|
|
|
|
}
|
|
|
|
|
2019-04-18 01:46:17 +02:00
|
|
|
void handshake_state_set_ptk(struct handshake_state *s, const uint8_t *ptk,
|
|
|
|
size_t ptk_len)
|
|
|
|
{
|
|
|
|
memcpy(s->ptk, ptk, ptk_len);
|
|
|
|
s->ptk_complete = true;
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
void handshake_state_set_8021x_config(struct handshake_state *s,
|
|
|
|
struct l_settings *settings)
|
|
|
|
{
|
|
|
|
s->settings_8021x = settings;
|
|
|
|
}
|
|
|
|
|
2019-06-07 21:17:00 +02:00
|
|
|
bool handshake_state_set_authenticator_ie(struct handshake_state *s,
|
|
|
|
const uint8_t *ie)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
|
|
|
struct ie_rsn_info info;
|
|
|
|
|
2021-09-20 21:59:23 +02:00
|
|
|
if (!ie_parse_rsne_from_data(ie, ie[1] + 2, &info))
|
|
|
|
goto valid_ie;
|
|
|
|
|
|
|
|
if (!ie_parse_wpa_from_data(ie, ie[1] + 2, &info))
|
|
|
|
goto valid_ie;
|
|
|
|
|
|
|
|
if (ie_parse_osen_from_data(ie, ie[1] + 2, &info) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
valid_ie:
|
2018-08-25 03:54:24 +02:00
|
|
|
l_free(s->authenticator_ie);
|
|
|
|
s->authenticator_ie = l_memdup(ie, ie[1] + 2u);
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2021-09-20 21:29:05 +02:00
|
|
|
s->authenticator_ocvc = info.ocvc;
|
|
|
|
|
2021-09-20 21:59:23 +02:00
|
|
|
return true;
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
2019-06-07 21:17:00 +02:00
|
|
|
bool handshake_state_set_supplicant_ie(struct handshake_state *s,
|
|
|
|
const uint8_t *ie)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
2018-08-25 03:54:24 +02:00
|
|
|
struct ie_rsn_info info;
|
2021-09-20 21:59:23 +02:00
|
|
|
bool wpa_ie = false;
|
|
|
|
bool osen_ie = false;
|
2018-08-25 03:54:24 +02:00
|
|
|
|
2021-09-20 21:59:23 +02:00
|
|
|
if (!ie_parse_rsne_from_data(ie, ie[1] + 2, &info))
|
|
|
|
goto valid_ie;
|
|
|
|
|
|
|
|
if (!ie_parse_wpa_from_data(ie, ie[1] + 2, &info)) {
|
|
|
|
wpa_ie = true;
|
|
|
|
goto valid_ie;
|
2018-08-25 03:54:24 +02:00
|
|
|
}
|
|
|
|
|
2021-09-20 21:59:23 +02:00
|
|
|
if (ie_parse_osen_from_data(ie, ie[1] + 2, &info) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
osen_ie = true;
|
|
|
|
|
|
|
|
valid_ie:
|
2021-02-01 14:40:42 +01:00
|
|
|
if (__builtin_popcount(info.pairwise_ciphers) != 1)
|
|
|
|
return false;
|
|
|
|
|
2021-09-20 21:59:23 +02:00
|
|
|
if (__builtin_popcount(info.akm_suites) != 1)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
l_free(s->supplicant_ie);
|
|
|
|
s->supplicant_ie = l_memdup(ie, ie[1] + 2u);
|
|
|
|
|
|
|
|
s->osen_ie = osen_ie;
|
|
|
|
s->wpa_ie = wpa_ie;
|
|
|
|
|
2021-02-01 14:40:42 +01:00
|
|
|
s->pairwise_cipher = info.pairwise_ciphers;
|
2021-09-20 21:59:23 +02:00
|
|
|
s->group_cipher = info.group_cipher;
|
|
|
|
s->group_management_cipher = info.group_management_cipher;
|
|
|
|
s->akm_suite = info.akm_suites;
|
2021-09-20 21:29:05 +02:00
|
|
|
s->supplicant_ocvc = info.ocvc;
|
2021-10-07 22:49:46 +02:00
|
|
|
s->ext_key_id_capable = info.extended_key_id;
|
2021-02-01 14:40:42 +01:00
|
|
|
|
2021-09-20 21:59:23 +02:00
|
|
|
/*
|
|
|
|
* Don't set MFP for OSEN otherwise EAPoL will attempt to negotiate a
|
|
|
|
* iGTK which is not allowed for OSEN.
|
|
|
|
*/
|
|
|
|
if (!s->osen_ie)
|
|
|
|
s->mfp = info.mfpc;
|
2021-02-01 14:40:42 +01:00
|
|
|
|
2021-09-20 21:59:23 +02:00
|
|
|
return true;
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
2021-07-14 16:37:05 +02:00
|
|
|
static void replace_ie(uint8_t **old, const uint8_t *new)
|
|
|
|
{
|
|
|
|
if (*old == NULL) {
|
|
|
|
*old = new ? l_memdup(new, new[1] + 2) : NULL;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!new) {
|
|
|
|
l_free(*old);
|
|
|
|
*old = NULL;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((*old)[1] == new[1] && !memcmp(*old, new, new[1] + 2))
|
|
|
|
return;
|
|
|
|
|
|
|
|
l_free(*old);
|
|
|
|
*old = l_memdup(new, new[1] + 2);
|
|
|
|
}
|
|
|
|
|
2021-07-08 22:36:25 +02:00
|
|
|
void handshake_state_set_authenticator_rsnxe(struct handshake_state *s,
|
|
|
|
const uint8_t *ie)
|
|
|
|
{
|
|
|
|
l_free(s->authenticator_rsnxe);
|
|
|
|
s->authenticator_rsnxe = ie ? l_memdup(ie, ie[1] + 2) : NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_supplicant_rsnxe(struct handshake_state *s,
|
|
|
|
const uint8_t *ie)
|
|
|
|
{
|
|
|
|
replace_ie(&s->supplicant_rsnxe, ie);
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
void handshake_state_set_ssid(struct handshake_state *s, const uint8_t *ssid,
|
|
|
|
size_t ssid_len)
|
|
|
|
{
|
|
|
|
memcpy(s->ssid, ssid, ssid_len);
|
|
|
|
s->ssid_len = ssid_len;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_mde(struct handshake_state *s, const uint8_t *mde)
|
|
|
|
{
|
2021-07-14 16:37:05 +02:00
|
|
|
replace_ie(&s->mde, mde);
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_fte(struct handshake_state *s, const uint8_t *fte)
|
|
|
|
{
|
2021-07-14 16:37:05 +02:00
|
|
|
replace_ie(&s->fte, fte);
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
2023-12-06 21:17:53 +01:00
|
|
|
void handshake_state_set_authenticator_fte(struct handshake_state *s,
|
|
|
|
const uint8_t *fte)
|
|
|
|
{
|
|
|
|
replace_ie(&s->authenticator_fte, fte);
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_supplicant_fte(struct handshake_state *s,
|
|
|
|
const uint8_t *fte)
|
|
|
|
{
|
|
|
|
replace_ie(&s->supplicant_fte, fte);
|
|
|
|
}
|
|
|
|
|
2021-08-04 18:08:09 +02:00
|
|
|
void handshake_state_set_vendor_ies(struct handshake_state *s,
|
|
|
|
const struct iovec *iov,
|
|
|
|
size_t n_iovs)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
l_free(s->vendor_ies);
|
|
|
|
s->vendor_ies = NULL;
|
|
|
|
|
|
|
|
if (n_iovs == 0) {
|
|
|
|
s->vendor_ies_len = 0;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0, len = 0; i < n_iovs; i++)
|
|
|
|
len += iov[i].iov_len;
|
|
|
|
|
|
|
|
s->vendor_ies_len = len;
|
|
|
|
s->vendor_ies = l_malloc(len);
|
|
|
|
|
|
|
|
for (i = 0, len = 0; i < n_iovs; i++) {
|
|
|
|
memcpy(s->vendor_ies + len, iov[i].iov_base, iov[i].iov_len);
|
|
|
|
len += iov[i].iov_len;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
void handshake_state_set_kh_ids(struct handshake_state *s,
|
|
|
|
const uint8_t *r0khid, size_t r0khid_len,
|
|
|
|
const uint8_t *r1khid)
|
|
|
|
{
|
|
|
|
memcpy(s->r0khid, r0khid, r0khid_len);
|
|
|
|
s->r0khid_len = r0khid_len;
|
|
|
|
|
|
|
|
memcpy(s->r1khid, r1khid, 6);
|
|
|
|
}
|
|
|
|
|
2018-06-22 20:13:27 +02:00
|
|
|
void handshake_state_set_event_func(struct handshake_state *s,
|
|
|
|
handshake_event_func_t func,
|
|
|
|
void *user_data)
|
|
|
|
{
|
|
|
|
s->event_func = func;
|
|
|
|
s->user_data = user_data;
|
|
|
|
}
|
|
|
|
|
2018-08-07 23:29:06 +02:00
|
|
|
void handshake_state_set_passphrase(struct handshake_state *s,
|
|
|
|
const char *passphrase)
|
|
|
|
{
|
|
|
|
s->passphrase = l_strdup(passphrase);
|
|
|
|
}
|
|
|
|
|
2023-12-05 16:46:40 +01:00
|
|
|
void handshake_state_set_password_identifier(struct handshake_state *s,
|
|
|
|
const char *id)
|
|
|
|
{
|
|
|
|
s->password_identifier = l_strdup(id);
|
|
|
|
}
|
|
|
|
|
2019-01-25 20:23:09 +01:00
|
|
|
void handshake_state_set_no_rekey(struct handshake_state *s, bool no_rekey)
|
|
|
|
{
|
|
|
|
s->no_rekey = no_rekey;
|
|
|
|
}
|
|
|
|
|
2019-05-10 22:19:26 +02:00
|
|
|
void handshake_state_set_fils_ft(struct handshake_state *s,
|
|
|
|
const uint8_t *fils_ft,
|
|
|
|
size_t fils_ft_len)
|
|
|
|
{
|
|
|
|
memcpy(s->fils_ft, fils_ft, fils_ft_len);
|
|
|
|
s->fils_ft_len = fils_ft_len;
|
|
|
|
}
|
|
|
|
|
2019-07-16 04:45:12 +02:00
|
|
|
/*
|
|
|
|
* Override the protocol version used for EAPoL packets. The selection is as
|
|
|
|
* follows:
|
|
|
|
* 0 -> Automatic, use same proto as the request for the response and
|
|
|
|
* 2004 when in authenticator mode
|
|
|
|
* 1 -> Chooses 2001 Protocol Version
|
|
|
|
* 2 -> Chooses 2004 Protocol Version
|
|
|
|
* 3 -> Chooses 2010 Protocol Version
|
|
|
|
*/
|
|
|
|
void handshake_state_set_protocol_version(struct handshake_state *s,
|
|
|
|
uint8_t proto_version)
|
|
|
|
{
|
|
|
|
s->proto_version = proto_version;
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
void handshake_state_new_snonce(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
get_nonce(s->snonce);
|
|
|
|
|
|
|
|
s->have_snonce = true;
|
|
|
|
}
|
|
|
|
|
2018-06-20 20:05:16 +02:00
|
|
|
void handshake_state_new_anonce(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
get_nonce(s->anonce);
|
|
|
|
|
|
|
|
s->have_anonce = true;
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
void handshake_state_set_anonce(struct handshake_state *s,
|
|
|
|
const uint8_t *anonce)
|
|
|
|
{
|
|
|
|
memcpy(s->anonce, anonce, 32);
|
|
|
|
}
|
|
|
|
|
2019-01-17 21:25:30 +01:00
|
|
|
/* A multi-purpose getter for key sizes */
|
|
|
|
static bool handshake_get_key_sizes(struct handshake_state *s, size_t *ptk_size,
|
|
|
|
size_t *kck_size, size_t *kek_size)
|
|
|
|
{
|
|
|
|
size_t kck;
|
|
|
|
size_t kek;
|
|
|
|
size_t tk;
|
|
|
|
enum crypto_cipher cipher =
|
|
|
|
ie_rsn_cipher_suite_to_cipher(s->pairwise_cipher);
|
|
|
|
|
|
|
|
tk = crypto_cipher_key_len(cipher);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* IEEE 802.11-2016 Table 12-8: Integrity and key-wrap algorithms
|
|
|
|
*
|
|
|
|
* From the table, only 00-0F-AC:12 and 00-0F-AC:13 use longer KCK and
|
|
|
|
* KEK keys, which are 24 and 32 bytes respectively. The remainder use
|
|
|
|
* 16 and 16 respectively.
|
|
|
|
*/
|
|
|
|
switch (s->akm_suite) {
|
|
|
|
case IE_RSN_AKM_SUITE_8021X_SUITE_B_SHA256:
|
|
|
|
case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
|
|
|
|
kck = 24;
|
|
|
|
kek = 32;
|
2019-01-17 21:25:35 +01:00
|
|
|
break;
|
|
|
|
case IE_RSN_AKM_SUITE_OWE:
|
|
|
|
/*
|
|
|
|
* RFC 8110 Section 4.4 Table 2
|
|
|
|
*
|
|
|
|
* Luckily with OWE we can deduce the key lengths from the PMK
|
|
|
|
* size, since the PMK size maps to unique KCK/KEK lengths.
|
|
|
|
*/
|
|
|
|
switch (s->pmk_len) {
|
|
|
|
case 32:
|
|
|
|
/* SHA-256 used for PMK */
|
|
|
|
kck = 16;
|
|
|
|
kek = 16;
|
|
|
|
break;
|
|
|
|
case 48:
|
|
|
|
/* SHA-384 used for PMK */
|
|
|
|
kck = 24;
|
|
|
|
kek = 32;
|
|
|
|
break;
|
|
|
|
case 64:
|
|
|
|
/* SHA-512 used for PMK */
|
|
|
|
kck = 32;
|
|
|
|
kek = 32;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
l_error("Invalid PMK length for OWE %zu\n", s->pmk_len);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2019-04-05 00:29:38 +02:00
|
|
|
break;
|
|
|
|
case IE_RSN_AKM_SUITE_FILS_SHA256:
|
|
|
|
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
|
|
|
|
kck = 0;
|
|
|
|
kek = 32;
|
|
|
|
break;
|
|
|
|
case IE_RSN_AKM_SUITE_FILS_SHA384:
|
|
|
|
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
|
|
|
|
kck = 0;
|
|
|
|
kek = 64;
|
2019-01-17 21:25:30 +01:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
kck = 16;
|
|
|
|
kek = 16;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2019-05-10 22:19:29 +02:00
|
|
|
if (ptk_size) {
|
2019-01-17 21:25:30 +01:00
|
|
|
*ptk_size = kck + kek + tk;
|
2019-05-10 22:19:29 +02:00
|
|
|
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
|
|
|
|
*ptk_size += 32;
|
|
|
|
else if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
|
|
|
|
*ptk_size += 56;
|
|
|
|
}
|
2019-01-17 21:25:30 +01:00
|
|
|
|
|
|
|
if (kck_size)
|
|
|
|
*kck_size = kck;
|
|
|
|
|
|
|
|
if (kek_size)
|
|
|
|
*kek_size = kek;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
bool handshake_state_derive_ptk(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
size_t ptk_size;
|
2019-04-25 21:52:48 +02:00
|
|
|
enum l_checksum_type type;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2019-05-10 22:19:30 +02:00
|
|
|
if (!(s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)))
|
|
|
|
if (!s->have_snonce || !s->have_pmk)
|
|
|
|
return false;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
|
|
|
if ((s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
|
|
|
|
IE_RSN_AKM_SUITE_FT_USING_PSK |
|
2019-05-10 22:19:30 +02:00
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) &&
|
2016-11-02 23:46:18 +01:00
|
|
|
(!s->mde || !s->fte))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
s->ptk_complete = false;
|
|
|
|
|
2020-03-24 20:07:57 +01:00
|
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_OWE) {
|
|
|
|
if (s->pmk_len == 32)
|
|
|
|
type = L_CHECKSUM_SHA256;
|
|
|
|
else if (s->pmk_len == 48)
|
|
|
|
type = L_CHECKSUM_SHA384;
|
|
|
|
else if (s->pmk_len == 64)
|
|
|
|
type = L_CHECKSUM_SHA512;
|
|
|
|
else
|
|
|
|
return false;
|
|
|
|
} else if (s->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA384 |
|
2019-05-10 22:19:30 +02:00
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
|
2019-04-25 21:52:49 +02:00
|
|
|
type = L_CHECKSUM_SHA384;
|
|
|
|
else if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
|
2016-11-02 23:46:18 +01:00
|
|
|
IE_RSN_AKM_SUITE_PSK_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_SAE_SHA256 |
|
2018-11-16 23:22:53 +01:00
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
|
2019-05-10 22:19:30 +02:00
|
|
|
IE_RSN_AKM_SUITE_FILS_SHA256 |
|
2019-06-07 22:58:46 +02:00
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_OSEN))
|
2019-04-25 21:52:48 +02:00
|
|
|
type = L_CHECKSUM_SHA256;
|
2016-11-02 23:46:18 +01:00
|
|
|
else
|
2019-04-25 21:52:48 +02:00
|
|
|
type = L_CHECKSUM_SHA1;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2019-01-17 21:25:30 +01:00
|
|
|
ptk_size = handshake_state_get_ptk_size(s);
|
2016-11-02 23:46:18 +01:00
|
|
|
|
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
|
|
|
|
IE_RSN_AKM_SUITE_FT_USING_PSK |
|
2019-05-10 22:19:30 +02:00
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
|
2016-11-02 23:46:18 +01:00
|
|
|
uint16_t mdid;
|
|
|
|
uint8_t ptk_name[16];
|
2018-03-15 12:06:53 +01:00
|
|
|
const uint8_t *xxkey = s->pmk;
|
2019-05-10 22:19:30 +02:00
|
|
|
size_t xxkey_len = 32;
|
|
|
|
bool sha384 = (s->akm_suite &
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384);
|
2018-03-15 12:06:53 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* In a Fast Transition initial mobility domain association
|
|
|
|
* the PMK maps to the XXKey, except with EAP:
|
|
|
|
* 802.11-2016 12.7.1.7.3:
|
|
|
|
* "If the AKM negotiated is 00-0F-AC:3, then [...] XXKey
|
|
|
|
* shall be the second 256 bits of the MSK (which is
|
|
|
|
* derived from the IEEE 802.1X authentication), i.e.,
|
|
|
|
* XXKey = L(MSK, 256, 256)."
|
|
|
|
*/
|
|
|
|
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X)
|
|
|
|
xxkey = s->pmk + 32;
|
2019-05-10 22:19:30 +02:00
|
|
|
else if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
|
|
|
|
xxkey = s->fils_ft;
|
|
|
|
xxkey_len = s->fils_ft_len;
|
|
|
|
}
|
2016-11-02 23:46:18 +01:00
|
|
|
|
|
|
|
ie_parse_mobility_domain_from_data(s->mde, s->mde[1] + 2,
|
|
|
|
&mdid, NULL, NULL);
|
|
|
|
|
2019-05-10 22:19:30 +02:00
|
|
|
if (!crypto_derive_pmk_r0(xxkey, xxkey_len, s->ssid,
|
|
|
|
s->ssid_len, mdid,
|
2016-11-02 23:46:18 +01:00
|
|
|
s->r0khid, s->r0khid_len,
|
2019-05-10 22:19:30 +02:00
|
|
|
s->spa, sha384,
|
2016-11-02 23:46:18 +01:00
|
|
|
s->pmk_r0, s->pmk_r0_name))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!crypto_derive_pmk_r1(s->pmk_r0, s->r1khid, s->spa,
|
2019-05-10 22:19:30 +02:00
|
|
|
s->pmk_r0_name, sha384,
|
2016-11-02 23:46:18 +01:00
|
|
|
s->pmk_r1, s->pmk_r1_name))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!crypto_derive_ft_ptk(s->pmk_r1, s->pmk_r1_name, s->aa,
|
|
|
|
s->spa, s->snonce, s->anonce,
|
2019-05-10 22:19:30 +02:00
|
|
|
sha384, s->ptk, ptk_size,
|
2019-05-10 22:19:28 +02:00
|
|
|
ptk_name))
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
} else
|
2019-01-17 21:25:31 +01:00
|
|
|
if (!crypto_derive_pairwise_ptk(s->pmk, s->pmk_len, s->spa,
|
2019-01-17 21:25:30 +01:00
|
|
|
s->aa, s->anonce, s->snonce,
|
2019-04-25 21:52:48 +02:00
|
|
|
s->ptk, ptk_size, type))
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-01-17 21:25:30 +01:00
|
|
|
size_t handshake_state_get_ptk_size(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
size_t ptk_size;
|
|
|
|
|
|
|
|
if (!handshake_get_key_sizes(s, &ptk_size, NULL, NULL))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
return ptk_size;
|
|
|
|
}
|
|
|
|
|
|
|
|
const uint8_t *handshake_state_get_kck(struct handshake_state *s)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
2019-05-10 22:19:29 +02:00
|
|
|
/*
|
|
|
|
* FILS itself does not derive a KCK, but FILS-FT derives additional
|
|
|
|
* key bytes at the end of the PTK, which contains a special KCK used
|
|
|
|
* for fast transition. Since the normal FILS protocol will never call
|
|
|
|
* this, we can assume that its only being called for FILS-FT and is
|
|
|
|
* requesting this special KCK.
|
|
|
|
*/
|
|
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
|
|
|
|
return s->ptk + 48;
|
|
|
|
else if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
|
|
|
|
return s->ptk + 80;
|
|
|
|
|
2019-01-17 21:25:30 +01:00
|
|
|
return s->ptk;
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
2019-05-10 22:19:29 +02:00
|
|
|
size_t handshake_state_get_kck_len(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
|
|
|
|
return 24;
|
|
|
|
|
|
|
|
return 16;
|
|
|
|
}
|
|
|
|
|
2019-04-18 02:02:06 +02:00
|
|
|
size_t handshake_state_get_kek_len(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
size_t kek_size;
|
|
|
|
|
|
|
|
if (!handshake_get_key_sizes(s, NULL, NULL, &kek_size))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
return kek_size;
|
|
|
|
}
|
|
|
|
|
2019-01-17 21:25:30 +01:00
|
|
|
const uint8_t *handshake_state_get_kek(struct handshake_state *s)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
2019-01-17 21:25:30 +01:00
|
|
|
size_t kck_size;
|
|
|
|
|
|
|
|
if (!handshake_get_key_sizes(s, NULL, &kck_size, NULL))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return s->ptk + kck_size;
|
|
|
|
}
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2019-01-17 21:25:30 +01:00
|
|
|
static const uint8_t *handshake_get_tk(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
size_t kck_size, kek_size;
|
|
|
|
|
|
|
|
if (!handshake_get_key_sizes(s, NULL, &kck_size, &kek_size))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return s->ptk + kck_size + kek_size;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_install_ptk(struct handshake_state *s)
|
|
|
|
{
|
2016-11-02 23:46:18 +01:00
|
|
|
s->ptk_complete = true;
|
|
|
|
|
|
|
|
if (install_tk) {
|
|
|
|
uint32_t cipher = ie_rsn_cipher_suite_to_cipher(
|
|
|
|
s->pairwise_cipher);
|
|
|
|
|
2019-10-28 15:04:57 +01:00
|
|
|
handshake_event(s, HANDSHAKE_EVENT_SETTING_KEYS);
|
2018-06-22 20:13:27 +02:00
|
|
|
|
2021-10-08 20:07:22 +02:00
|
|
|
install_tk(s, s->active_tk_index, handshake_get_tk(s), cipher);
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-10-07 22:49:47 +02:00
|
|
|
void handshake_state_install_ext_ptk(struct handshake_state *s,
|
|
|
|
uint8_t key_idx,
|
|
|
|
struct eapol_frame *ek, uint16_t proto,
|
|
|
|
bool noencrypt)
|
|
|
|
{
|
|
|
|
s->ptk_complete = true;
|
|
|
|
|
|
|
|
if (install_ext_tk) {
|
|
|
|
uint32_t cipher =
|
|
|
|
ie_rsn_cipher_suite_to_cipher(s->pairwise_cipher);
|
|
|
|
|
|
|
|
install_ext_tk(s, key_idx, handshake_get_tk(s), cipher, ek,
|
|
|
|
proto, noencrypt);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
void handshake_state_install_gtk(struct handshake_state *s,
|
2020-04-02 07:41:02 +02:00
|
|
|
uint16_t gtk_key_index,
|
2016-11-02 23:46:18 +01:00
|
|
|
const uint8_t *gtk, size_t gtk_len,
|
|
|
|
const uint8_t *rsc, uint8_t rsc_len)
|
|
|
|
{
|
|
|
|
if (install_gtk) {
|
|
|
|
uint32_t cipher =
|
|
|
|
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
|
|
|
|
|
2018-06-22 02:32:55 +02:00
|
|
|
install_gtk(s, gtk_key_index, gtk, gtk_len,
|
|
|
|
rsc, rsc_len, cipher);
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_install_igtk(struct handshake_state *s,
|
2020-04-02 07:41:02 +02:00
|
|
|
uint16_t igtk_key_index,
|
2017-01-31 03:42:51 +01:00
|
|
|
const uint8_t *igtk, size_t igtk_len,
|
|
|
|
const uint8_t *ipn)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
|
|
|
if (install_igtk) {
|
|
|
|
uint32_t cipher =
|
|
|
|
ie_rsn_cipher_suite_to_cipher(
|
|
|
|
s->group_management_cipher);
|
|
|
|
|
2018-06-22 02:32:55 +02:00
|
|
|
install_igtk(s, igtk_key_index, igtk, igtk_len,
|
|
|
|
ipn, 6, cipher);
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_override_pairwise_cipher(struct handshake_state *s,
|
|
|
|
enum ie_rsn_cipher_suite pairwise)
|
|
|
|
{
|
|
|
|
s->pairwise_cipher = pairwise;
|
|
|
|
}
|
|
|
|
|
2018-08-07 23:29:10 +02:00
|
|
|
void handshake_state_set_pmkid(struct handshake_state *s, const uint8_t *pmkid)
|
|
|
|
{
|
|
|
|
memcpy(s->pmkid, pmkid, 16);
|
|
|
|
s->have_pmkid = true;
|
|
|
|
}
|
|
|
|
|
2023-06-20 19:25:32 +02:00
|
|
|
bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid,
|
|
|
|
enum l_checksum_type sha)
|
2017-04-15 13:58:45 +02:00
|
|
|
{
|
2018-08-07 23:29:10 +02:00
|
|
|
/* SAE exports pmkid */
|
|
|
|
if (s->have_pmkid) {
|
|
|
|
memcpy(out_pmkid, s->pmkid, 16);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-04-15 13:58:45 +02:00
|
|
|
if (!s->have_pmk)
|
|
|
|
return false;
|
|
|
|
|
2023-06-20 19:25:32 +02:00
|
|
|
return crypto_derive_pmkid(s->pmk, 32, s->spa, s->aa, out_pmkid,
|
|
|
|
sha);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool handshake_state_pmkid_matches(struct handshake_state *s,
|
|
|
|
const uint8_t *check)
|
|
|
|
{
|
|
|
|
uint8_t own_pmkid[16];
|
|
|
|
enum l_checksum_type sha;
|
2017-04-15 13:58:45 +02:00
|
|
|
|
2023-06-20 19:25:33 +02:00
|
|
|
/*
|
|
|
|
* 802.11-2020 Table 9-151 defines the hashing algorithm to use
|
|
|
|
* for various AKM's. Note some AKMs are omitted here because they
|
|
|
|
* export the PMKID individually (SAE/FILS/FT-PSK)
|
|
|
|
*
|
|
|
|
* SHA1:
|
|
|
|
* 00-0F-AC:1 (8021X)
|
|
|
|
* 00-0F-AC:2 (PSK)
|
|
|
|
*
|
|
|
|
* SHA256:
|
|
|
|
* 00-0F-AC:3 (FT-8021X)
|
|
|
|
* 00-0F-AC:5 (8021X-SHA256)
|
|
|
|
* 00-0F-AC:6 (PSK-SHA256)
|
|
|
|
*
|
|
|
|
* SHA384:
|
|
|
|
* 00-0F-AC:13 (FT-8021X-SHA384)
|
|
|
|
*/
|
2017-04-15 13:58:45 +02:00
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
|
2023-06-20 19:25:33 +02:00
|
|
|
IE_RSN_AKM_SUITE_PSK_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_8021X))
|
2023-06-20 19:25:31 +02:00
|
|
|
sha = L_CHECKSUM_SHA256;
|
2017-04-15 13:58:45 +02:00
|
|
|
else
|
2023-06-20 19:25:31 +02:00
|
|
|
sha = L_CHECKSUM_SHA1;
|
2017-04-15 13:58:45 +02:00
|
|
|
|
2023-06-20 19:25:32 +02:00
|
|
|
if (!handshake_state_get_pmkid(s, own_pmkid, sha))
|
|
|
|
return false;
|
|
|
|
|
2023-06-20 19:25:33 +02:00
|
|
|
if (l_secure_memcmp(own_pmkid, check, 16)) {
|
|
|
|
if (s->akm_suite != IE_RSN_AKM_SUITE_FT_OVER_8021X)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
l_debug("PMKID did not match, trying SHA1 derivation");
|
|
|
|
|
|
|
|
if (!handshake_state_get_pmkid(s, own_pmkid, L_CHECKSUM_SHA1))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return l_secure_memcmp(own_pmkid, check, 16) == 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
2017-04-15 13:58:45 +02:00
|
|
|
}
|
|
|
|
|
2018-09-22 18:48:14 +02:00
|
|
|
void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key,
|
|
|
|
unsigned int key_index, const uint8_t *rsc)
|
|
|
|
{
|
|
|
|
enum crypto_cipher cipher =
|
|
|
|
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
|
|
|
|
int key_len = crypto_cipher_key_len(cipher);
|
|
|
|
|
|
|
|
if (!key_len)
|
|
|
|
return;
|
|
|
|
|
|
|
|
memcpy(s->gtk, key, key_len);
|
|
|
|
s->gtk_index = key_index;
|
|
|
|
memcpy(s->gtk_rsc, rsc, 6);
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
/*
|
|
|
|
* This function performs a match of the RSN/WPA IE obtained from the scan
|
|
|
|
* results vs the RSN/WPA IE obtained as part of the 4-way handshake. If they
|
|
|
|
* don't match, the EAPoL packet must be silently discarded.
|
|
|
|
*/
|
2021-09-17 16:09:43 +02:00
|
|
|
bool handshake_util_ap_ie_matches(const struct ie_rsn_info *msg_info,
|
2016-11-02 23:46:18 +01:00
|
|
|
const uint8_t *scan_ie, bool is_wpa)
|
|
|
|
{
|
|
|
|
struct ie_rsn_info scan_info;
|
2021-09-17 16:09:43 +02:00
|
|
|
int r;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (!is_wpa)
|
|
|
|
r = ie_parse_rsne_from_data(scan_ie,
|
|
|
|
scan_ie[1] + 2, &scan_info);
|
|
|
|
else
|
|
|
|
r = ie_parse_wpa_from_data(scan_ie, scan_ie[1] + 2, &scan_info);
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (r < 0)
|
|
|
|
return false;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->group_cipher != scan_info.group_cipher)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->pairwise_ciphers != scan_info.pairwise_ciphers)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->akm_suites != scan_info.akm_suites)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->preauthentication != scan_info.preauthentication)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->no_pairwise != scan_info.no_pairwise)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->ptksa_replay_counter != scan_info.ptksa_replay_counter)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->gtksa_replay_counter != scan_info.gtksa_replay_counter)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->mfpr != scan_info.mfpr)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->mfpc != scan_info.mfpc)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->peerkey_enabled != scan_info.peerkey_enabled)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->spp_a_msdu_capable != scan_info.spp_a_msdu_capable)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->spp_a_msdu_required != scan_info.spp_a_msdu_required)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->pbac != scan_info.pbac)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->extended_key_id != scan_info.extended_key_id)
|
2016-11-02 23:46:18 +01:00
|
|
|
return false;
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->ocvc != scan_info.ocvc)
|
2021-09-17 15:22:40 +02:00
|
|
|
return false;
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
/* We don't check the PMKIDs since these might actually be different */
|
|
|
|
|
2021-09-17 16:09:43 +02:00
|
|
|
if (msg_info->group_management_cipher !=
|
2016-11-02 23:46:18 +01:00
|
|
|
scan_info.group_management_cipher)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2021-07-15 23:01:30 +02:00
|
|
|
const uint8_t *handshake_util_find_kde(enum handshake_kde selector,
|
|
|
|
const uint8_t *data, size_t data_len,
|
|
|
|
size_t *out_kde_len)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
|
|
|
struct ie_tlv_iter iter;
|
|
|
|
const uint8_t *result;
|
|
|
|
unsigned int len;
|
|
|
|
|
|
|
|
ie_tlv_iter_init(&iter, data, data_len);
|
|
|
|
|
|
|
|
while (ie_tlv_iter_next(&iter)) {
|
|
|
|
if (ie_tlv_iter_get_tag(&iter) != IE_TYPE_VENDOR_SPECIFIC)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
len = ie_tlv_iter_get_length(&iter);
|
|
|
|
if (len < 4) /* Take care of padding */
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/* Check OUI */
|
|
|
|
result = ie_tlv_iter_get_data(&iter);
|
2018-09-22 18:48:16 +02:00
|
|
|
if (l_get_be32(result) != selector)
|
2016-11-02 23:46:18 +01:00
|
|
|
continue;
|
|
|
|
|
2021-07-15 23:01:30 +02:00
|
|
|
if (out_kde_len)
|
|
|
|
*out_kde_len = len - 4;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
|
|
|
return result + 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
const uint8_t *handshake_util_find_gtk_kde(const uint8_t *data, size_t data_len,
|
|
|
|
size_t *out_gtk_len)
|
|
|
|
{
|
2017-10-19 21:40:15 +02:00
|
|
|
size_t gtk_len;
|
2021-07-15 23:01:30 +02:00
|
|
|
const uint8_t *gtk = handshake_util_find_kde(HANDSHAKE_KDE_GTK,
|
|
|
|
data, data_len, >k_len);
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2017-10-19 21:40:15 +02:00
|
|
|
if (!gtk)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Account for KeyId, TX and Reserved octet
|
|
|
|
* See 802.11-2016, Figure 12-35
|
|
|
|
*/
|
|
|
|
if (gtk_len < CRYPTO_MIN_GTK_LEN + 2)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (gtk_len > CRYPTO_MAX_GTK_LEN + 2)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (out_gtk_len)
|
|
|
|
*out_gtk_len = gtk_len;
|
|
|
|
|
|
|
|
return gtk;
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
const uint8_t *handshake_util_find_igtk_kde(const uint8_t *data,
|
|
|
|
size_t data_len,
|
|
|
|
size_t *out_igtk_len)
|
|
|
|
{
|
2017-10-19 21:40:15 +02:00
|
|
|
size_t igtk_len;
|
2021-07-15 23:01:30 +02:00
|
|
|
const uint8_t *igtk = handshake_util_find_kde(HANDSHAKE_KDE_IGTK,
|
|
|
|
data, data_len, &igtk_len);
|
2017-10-19 21:40:15 +02:00
|
|
|
|
|
|
|
if (!igtk)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Account for KeyId and IPN
|
|
|
|
* See 802.11-2016, Figure 12-42
|
|
|
|
*/
|
|
|
|
if (igtk_len < CRYPTO_MIN_IGTK_LEN + 8)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (igtk_len > CRYPTO_MAX_IGTK_LEN + 8)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (out_igtk_len)
|
|
|
|
*out_igtk_len = igtk_len;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2017-10-19 21:40:15 +02:00
|
|
|
return igtk;
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
2017-01-31 03:42:52 +01:00
|
|
|
|
2017-04-15 13:58:46 +02:00
|
|
|
const uint8_t *handshake_util_find_pmkid_kde(const uint8_t *data,
|
|
|
|
size_t data_len)
|
|
|
|
{
|
|
|
|
const uint8_t *pmkid;
|
|
|
|
size_t pmkid_len;
|
|
|
|
|
2021-07-15 23:01:30 +02:00
|
|
|
pmkid = handshake_util_find_kde(HANDSHAKE_KDE_PMKID, data, data_len,
|
|
|
|
&pmkid_len);
|
2017-04-15 13:58:46 +02:00
|
|
|
|
2017-05-15 22:23:03 +02:00
|
|
|
if (pmkid && pmkid_len != 16)
|
2017-04-15 13:58:46 +02:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return pmkid;
|
|
|
|
}
|
|
|
|
|
2018-09-22 18:48:15 +02:00
|
|
|
/* Defined in 802.11-2016 12.7.2 j), Figure 12-34 */
|
|
|
|
void handshake_util_build_gtk_kde(enum crypto_cipher cipher, const uint8_t *key,
|
|
|
|
unsigned int key_index, uint8_t *to)
|
|
|
|
{
|
|
|
|
size_t key_len = crypto_cipher_key_len(cipher);
|
|
|
|
|
|
|
|
*to++ = IE_TYPE_VENDOR_SPECIFIC;
|
|
|
|
*to++ = 6 + key_len;
|
|
|
|
l_put_be32(HANDSHAKE_KDE_GTK, to);
|
|
|
|
to += 4;
|
|
|
|
*to++ = key_index;
|
|
|
|
*to++ = 0;
|
|
|
|
memcpy(to, key, key_len);
|
|
|
|
}
|
|
|
|
|
2019-05-10 22:19:30 +02:00
|
|
|
static const uint8_t *handshake_state_get_ft_fils_kek(struct handshake_state *s,
|
|
|
|
size_t *len)
|
|
|
|
{
|
|
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256) {
|
|
|
|
if (len)
|
|
|
|
*len = 16;
|
|
|
|
|
|
|
|
return s->ptk + 64;
|
|
|
|
} else if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384) {
|
|
|
|
if (len)
|
|
|
|
*len = 32;
|
|
|
|
|
|
|
|
return s->ptk + 104;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2017-01-31 19:03:51 +01:00
|
|
|
/*
|
|
|
|
* Unwrap a GTK / IGTK included in an FTE following 802.11-2012, Section 12.8.5:
|
|
|
|
*
|
|
|
|
* "If a GTK or an IGTK are included, the Key field of the subelement shall be
|
|
|
|
* encrypted using KEK and the NIST AES key wrap algorithm. The Key field shall
|
|
|
|
* be padded before encrypting if the key length is less than 16 octets or if
|
|
|
|
* it is not a multiple of 8. The padding consists of appending a single octet
|
|
|
|
* 0xdd followed by zero or more 0x00 octets. When processing a received
|
|
|
|
* message, the receiver shall ignore this trailing padding. Addition of
|
|
|
|
* padding does not change the value of the Key Length field. Note that the
|
|
|
|
* length of the encrypted Key field can be determined from the length of the
|
|
|
|
* GTK or IGTK subelement.
|
|
|
|
*/
|
2017-01-31 03:42:52 +01:00
|
|
|
bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped,
|
|
|
|
size_t key_len, uint8_t *key_out)
|
|
|
|
{
|
2019-05-10 22:19:30 +02:00
|
|
|
const uint8_t *kek;
|
2023-04-11 00:01:32 +02:00
|
|
|
size_t kek_len = handshake_state_get_kek_len(s);
|
2017-01-31 19:04:26 +01:00
|
|
|
size_t padded_len = key_len < 16 ? 16 : align_len(key_len, 8);
|
2017-01-31 03:42:52 +01:00
|
|
|
|
2019-05-10 22:19:30 +02:00
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
|
|
|
|
kek = handshake_state_get_ft_fils_kek(s, &kek_len);
|
|
|
|
else
|
|
|
|
kek = handshake_state_get_kek(s);
|
|
|
|
|
|
|
|
if (!aes_unwrap(kek, kek_len, wrapped, padded_len + 8, key_out))
|
2017-01-31 03:42:52 +01:00
|
|
|
return false;
|
|
|
|
|
|
|
|
if (key_len < padded_len && key_out[key_len++] != 0xdd)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
while (key_len < padded_len)
|
|
|
|
if (key_out[key_len++] != 0x00)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
2021-07-08 21:10:15 +02:00
|
|
|
|
|
|
|
/* Add SAE-PT for ECC groups. The group is carried by the point itself */
|
|
|
|
bool handshake_state_add_ecc_sae_pt(struct handshake_state *s,
|
|
|
|
const struct l_ecc_point *pt)
|
|
|
|
{
|
|
|
|
const struct l_ecc_curve *curve;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (!pt)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
curve = l_ecc_point_get_curve(pt);
|
|
|
|
|
|
|
|
if (!s->ecc_sae_pts)
|
|
|
|
s->ecc_sae_pts = l_new(struct l_ecc_point *, n_ecc_groups());
|
|
|
|
|
|
|
|
if ((i = ecc_group_index(l_ecc_curve_get_ike_group(curve))) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (s->ecc_sae_pts[i])
|
|
|
|
return false;
|
|
|
|
|
|
|
|
s->ecc_sae_pts[i] = l_ecc_point_clone(pt);
|
|
|
|
return true;
|
|
|
|
}
|
2021-09-20 21:29:05 +02:00
|
|
|
|
|
|
|
void handshake_state_set_chandef(struct handshake_state *s,
|
|
|
|
struct band_chandef *chandef)
|
|
|
|
{
|
2021-09-24 00:57:28 +02:00
|
|
|
if (s->chandef)
|
|
|
|
l_free(s->chandef);
|
|
|
|
|
2021-09-20 21:29:05 +02:00
|
|
|
s->chandef = chandef;
|
|
|
|
}
|
|
|
|
|
|
|
|
int handshake_state_verify_oci(struct handshake_state *s, const uint8_t *oci,
|
|
|
|
size_t oci_len)
|
|
|
|
{
|
|
|
|
int r = -ENOENT;
|
|
|
|
bool ocvc;
|
|
|
|
|
|
|
|
l_debug("oci_len: %zu", oci ? oci_len : 0);
|
|
|
|
|
|
|
|
if (!oci)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
r = -EBADMSG;
|
|
|
|
if (oci_len != 3)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
l_debug("operating_class: %hu", oci[0]);
|
|
|
|
l_debug("primary_channel_number: %hu", oci[1]);
|
|
|
|
l_debug("frequency segment 1 channel number: %hu", oci[2]);
|
|
|
|
|
|
|
|
r = -EINVAL;
|
|
|
|
|
|
|
|
if (!s->chandef) {
|
|
|
|
l_debug("Own chandef unavailable");
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
|
|
|
r = oci_verify(oci, s->chandef);
|
|
|
|
if (r < 0)
|
|
|
|
l_debug("OCI verification failed: %s", strerror(-r));
|
|
|
|
|
|
|
|
done:
|
|
|
|
if (!r)
|
|
|
|
return r;
|
|
|
|
|
|
|
|
/* Only enforce validation if we're configured to do so */
|
|
|
|
ocvc = s->authenticator ? s->authenticator_ocvc : s->supplicant_ocvc;
|
|
|
|
if (!ocvc)
|
|
|
|
r = 0;
|
|
|
|
|
|
|
|
return r;
|
|
|
|
}
|