2016-11-02 23:46:18 +01:00
|
|
|
/*
|
|
|
|
*
|
|
|
|
* Wireless daemon for Linux
|
|
|
|
*
|
|
|
|
* Copyright (C) 2013-2014 Intel Corporation. All rights reserved.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include <config.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <linux/if.h>
|
|
|
|
#include <linux/if_packet.h>
|
|
|
|
#include <linux/if_ether.h>
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
#include <linux/filter.h>
|
|
|
|
#include <ell/ell.h>
|
|
|
|
|
|
|
|
#include "crypto.h"
|
|
|
|
#include "ie.h"
|
|
|
|
#include "util.h"
|
|
|
|
#include "handshake.h"
|
|
|
|
|
|
|
|
static bool handshake_get_nonce(uint8_t nonce[])
|
|
|
|
{
|
|
|
|
return l_getrandom(nonce, 32);
|
|
|
|
}
|
|
|
|
|
|
|
|
static handshake_get_nonce_func_t get_nonce = handshake_get_nonce;
|
|
|
|
static handshake_install_tk_func_t install_tk = NULL;
|
|
|
|
static handshake_install_gtk_func_t install_gtk = NULL;
|
|
|
|
static handshake_install_igtk_func_t install_igtk = NULL;
|
|
|
|
|
|
|
|
void __handshake_set_get_nonce_func(handshake_get_nonce_func_t func)
|
|
|
|
{
|
|
|
|
get_nonce = func;
|
|
|
|
}
|
|
|
|
|
|
|
|
void __handshake_set_install_tk_func(handshake_install_tk_func_t func)
|
|
|
|
{
|
|
|
|
install_tk = func;
|
|
|
|
}
|
|
|
|
|
|
|
|
void __handshake_set_install_gtk_func(handshake_install_gtk_func_t func)
|
|
|
|
{
|
|
|
|
install_gtk = func;
|
|
|
|
}
|
|
|
|
|
|
|
|
void __handshake_set_install_igtk_func(handshake_install_igtk_func_t func)
|
|
|
|
{
|
|
|
|
install_igtk = func;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct handshake_state *handshake_state_new(uint32_t ifindex)
|
|
|
|
{
|
|
|
|
struct handshake_state *s;
|
|
|
|
|
|
|
|
s = l_new(struct handshake_state, 1);
|
|
|
|
|
|
|
|
s->ifindex = ifindex;
|
|
|
|
|
|
|
|
return s;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_free(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
l_free(s->ap_ie);
|
|
|
|
l_free(s->own_ie);
|
|
|
|
l_free(s->mde);
|
|
|
|
l_free(s->fte);
|
|
|
|
|
|
|
|
l_free(s);
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_supplicant_address(struct handshake_state *s,
|
|
|
|
const uint8_t *spa)
|
|
|
|
{
|
|
|
|
memcpy(s->spa, spa, sizeof(s->spa));
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_authenticator_address(struct handshake_state *s,
|
|
|
|
const uint8_t *aa)
|
|
|
|
{
|
|
|
|
memcpy(s->aa, aa, sizeof(s->aa));
|
|
|
|
}
|
|
|
|
|
2018-03-15 12:06:53 +01:00
|
|
|
void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk,
|
|
|
|
size_t pmk_len)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
2018-03-15 12:06:53 +01:00
|
|
|
memcpy(s->pmk, pmk, pmk_len);
|
2016-11-02 23:46:18 +01:00
|
|
|
s->have_pmk = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_8021x_config(struct handshake_state *s,
|
|
|
|
struct l_settings *settings)
|
|
|
|
{
|
|
|
|
s->settings_8021x = settings;
|
|
|
|
}
|
|
|
|
|
2016-11-15 20:03:31 +01:00
|
|
|
struct l_settings *handshake_state_get_8021x_config(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
return s->settings_8021x;
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
static void handshake_state_set_ap_ie(struct handshake_state *s,
|
|
|
|
const uint8_t *ie, bool is_wpa)
|
|
|
|
{
|
|
|
|
l_free(s->ap_ie);
|
|
|
|
s->ap_ie = l_memdup(ie, ie[1] + 2u);
|
|
|
|
s->wpa_ie = is_wpa;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void handshake_state_set_own_ie(struct handshake_state *s,
|
|
|
|
const uint8_t *ie, bool is_wpa)
|
|
|
|
{
|
|
|
|
l_free(s->own_ie);
|
|
|
|
s->own_ie = l_memdup(ie, ie[1] + 2u);
|
|
|
|
s->wpa_ie = is_wpa;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_ap_rsn(struct handshake_state *s,
|
|
|
|
const uint8_t *rsn_ie)
|
|
|
|
{
|
|
|
|
handshake_state_set_ap_ie(s, rsn_ie, false);
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool handshake_state_setup_own_ciphers(struct handshake_state *s,
|
|
|
|
const struct ie_rsn_info *info)
|
|
|
|
{
|
|
|
|
if (__builtin_popcount(info->pairwise_ciphers) != 1)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (__builtin_popcount(info->akm_suites) != 1)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
s->akm_suite = info->akm_suites;
|
|
|
|
s->pairwise_cipher = info->pairwise_ciphers;
|
|
|
|
s->group_cipher = info->group_cipher;
|
|
|
|
s->group_management_cipher = info->group_management_cipher;
|
|
|
|
s->mfp = info->mfpc;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool handshake_state_set_own_rsn(struct handshake_state *s,
|
|
|
|
const uint8_t *rsn_ie)
|
|
|
|
{
|
|
|
|
struct ie_rsn_info info;
|
|
|
|
|
|
|
|
handshake_state_set_own_ie(s, rsn_ie, false);
|
|
|
|
|
|
|
|
if (ie_parse_rsne_from_data(rsn_ie, rsn_ie[1] + 2, &info) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return handshake_state_setup_own_ciphers(s, &info);
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_ap_wpa(struct handshake_state *s,
|
|
|
|
const uint8_t *wpa_ie)
|
|
|
|
{
|
|
|
|
handshake_state_set_ap_ie(s, wpa_ie, true);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool handshake_state_set_own_wpa(struct handshake_state *s,
|
|
|
|
const uint8_t *wpa_ie)
|
|
|
|
{
|
|
|
|
struct ie_rsn_info info;
|
|
|
|
|
|
|
|
handshake_state_set_own_ie(s, wpa_ie, true);
|
|
|
|
|
|
|
|
if (ie_parse_wpa_from_data(wpa_ie, wpa_ie[1] + 2, &info) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return handshake_state_setup_own_ciphers(s, &info);
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_user_data(struct handshake_state *s, void *user_data)
|
|
|
|
{
|
|
|
|
s->user_data = user_data;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_ssid(struct handshake_state *s, const uint8_t *ssid,
|
|
|
|
size_t ssid_len)
|
|
|
|
{
|
|
|
|
memcpy(s->ssid, ssid, ssid_len);
|
|
|
|
s->ssid_len = ssid_len;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_mde(struct handshake_state *s, const uint8_t *mde)
|
|
|
|
{
|
|
|
|
if (s->mde)
|
|
|
|
l_free(s->mde);
|
|
|
|
|
|
|
|
s->mde = mde ? l_memdup(mde, mde[1] + 2) : NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_fte(struct handshake_state *s, const uint8_t *fte)
|
|
|
|
{
|
|
|
|
if (s->fte)
|
|
|
|
l_free(s->fte);
|
|
|
|
|
|
|
|
s->fte = fte ? l_memdup(fte, fte[1] + 2) : NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_kh_ids(struct handshake_state *s,
|
|
|
|
const uint8_t *r0khid, size_t r0khid_len,
|
|
|
|
const uint8_t *r1khid)
|
|
|
|
{
|
|
|
|
memcpy(s->r0khid, r0khid, r0khid_len);
|
|
|
|
s->r0khid_len = r0khid_len;
|
|
|
|
|
|
|
|
memcpy(s->r1khid, r1khid, 6);
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_new_snonce(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
get_nonce(s->snonce);
|
|
|
|
|
|
|
|
s->have_snonce = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_set_anonce(struct handshake_state *s,
|
|
|
|
const uint8_t *anonce)
|
|
|
|
{
|
|
|
|
memcpy(s->anonce, anonce, 32);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool handshake_state_derive_ptk(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
struct crypto_ptk *ptk = (struct crypto_ptk *) s->ptk;
|
|
|
|
enum crypto_cipher cipher;
|
|
|
|
size_t ptk_size;
|
|
|
|
bool use_sha256;
|
|
|
|
|
|
|
|
if (!s->have_snonce || !s->have_pmk)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if ((s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
|
|
|
|
IE_RSN_AKM_SUITE_FT_USING_PSK |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) &&
|
|
|
|
(!s->mde || !s->fte))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
s->ptk_complete = false;
|
|
|
|
|
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_PSK_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_SAE_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256))
|
|
|
|
use_sha256 = true;
|
|
|
|
else
|
|
|
|
use_sha256 = false;
|
|
|
|
|
|
|
|
cipher = ie_rsn_cipher_suite_to_cipher(s->pairwise_cipher);
|
|
|
|
|
|
|
|
ptk_size = sizeof(struct crypto_ptk) + crypto_cipher_key_len(cipher);
|
|
|
|
|
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
|
|
|
|
IE_RSN_AKM_SUITE_FT_USING_PSK |
|
|
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) {
|
|
|
|
uint16_t mdid;
|
|
|
|
uint8_t ptk_name[16];
|
2018-03-15 12:06:53 +01:00
|
|
|
const uint8_t *xxkey = s->pmk;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* In a Fast Transition initial mobility domain association
|
|
|
|
* the PMK maps to the XXKey, except with EAP:
|
|
|
|
* 802.11-2016 12.7.1.7.3:
|
|
|
|
* "If the AKM negotiated is 00-0F-AC:3, then [...] XXKey
|
|
|
|
* shall be the second 256 bits of the MSK (which is
|
|
|
|
* derived from the IEEE 802.1X authentication), i.e.,
|
|
|
|
* XXKey = L(MSK, 256, 256)."
|
|
|
|
*/
|
|
|
|
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X)
|
|
|
|
xxkey = s->pmk + 32;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
|
|
|
ie_parse_mobility_domain_from_data(s->mde, s->mde[1] + 2,
|
|
|
|
&mdid, NULL, NULL);
|
|
|
|
|
2018-03-15 12:06:53 +01:00
|
|
|
if (!crypto_derive_pmk_r0(xxkey, s->ssid, s->ssid_len, mdid,
|
2016-11-02 23:46:18 +01:00
|
|
|
s->r0khid, s->r0khid_len,
|
|
|
|
s->spa,
|
|
|
|
s->pmk_r0, s->pmk_r0_name))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!crypto_derive_pmk_r1(s->pmk_r0, s->r1khid, s->spa,
|
|
|
|
s->pmk_r0_name,
|
|
|
|
s->pmk_r1, s->pmk_r1_name))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!crypto_derive_ft_ptk(s->pmk_r1, s->pmk_r1_name, s->aa,
|
|
|
|
s->spa, s->snonce, s->anonce,
|
|
|
|
ptk, ptk_size, ptk_name))
|
|
|
|
return false;
|
|
|
|
} else
|
|
|
|
if (!crypto_derive_pairwise_ptk(s->pmk, s->spa, s->aa,
|
|
|
|
s->anonce, s->snonce,
|
|
|
|
ptk, ptk_size, use_sha256))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
const struct crypto_ptk *handshake_state_get_ptk(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
return (struct crypto_ptk *) s->ptk;
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_install_ptk(struct handshake_state *s)
|
|
|
|
{
|
|
|
|
struct crypto_ptk *ptk = (struct crypto_ptk *) s->ptk;
|
|
|
|
|
|
|
|
s->ptk_complete = true;
|
|
|
|
|
|
|
|
if (install_tk) {
|
|
|
|
uint32_t cipher = ie_rsn_cipher_suite_to_cipher(
|
|
|
|
s->pairwise_cipher);
|
|
|
|
|
|
|
|
install_tk(s->ifindex, s->aa, ptk->tk, cipher, s->user_data);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_install_gtk(struct handshake_state *s,
|
|
|
|
uint8_t gtk_key_index,
|
|
|
|
const uint8_t *gtk, size_t gtk_len,
|
|
|
|
const uint8_t *rsc, uint8_t rsc_len)
|
|
|
|
{
|
|
|
|
if (install_gtk) {
|
|
|
|
uint32_t cipher =
|
|
|
|
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
|
|
|
|
|
|
|
|
install_gtk(s->ifindex, gtk_key_index, gtk, gtk_len,
|
|
|
|
rsc, rsc_len, cipher, s->user_data);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_install_igtk(struct handshake_state *s,
|
|
|
|
uint8_t igtk_key_index,
|
2017-01-31 03:42:51 +01:00
|
|
|
const uint8_t *igtk, size_t igtk_len,
|
|
|
|
const uint8_t *ipn)
|
2016-11-02 23:46:18 +01:00
|
|
|
{
|
|
|
|
if (install_igtk) {
|
|
|
|
uint32_t cipher =
|
|
|
|
ie_rsn_cipher_suite_to_cipher(
|
|
|
|
s->group_management_cipher);
|
|
|
|
|
2017-01-31 03:42:51 +01:00
|
|
|
install_igtk(s->ifindex, igtk_key_index, igtk, igtk_len,
|
|
|
|
ipn, 6, cipher, s->user_data);
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void handshake_state_override_pairwise_cipher(struct handshake_state *s,
|
|
|
|
enum ie_rsn_cipher_suite pairwise)
|
|
|
|
{
|
|
|
|
s->pairwise_cipher = pairwise;
|
|
|
|
}
|
|
|
|
|
2017-04-15 13:58:45 +02:00
|
|
|
bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
|
|
|
|
{
|
|
|
|
bool use_sha256;
|
|
|
|
|
|
|
|
if (!s->have_pmk)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note 802.11 section 11.6.1.3:
|
|
|
|
* "When the PMKID is calculated for the PMKSA as part of RSN
|
|
|
|
* preauthentication, the AKM has not yet been negotiated. In this
|
|
|
|
* case, the HMAC-SHA1-128 based derivation is used for the PMKID
|
|
|
|
* calculation."
|
|
|
|
*/
|
|
|
|
|
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
|
|
|
|
IE_RSN_AKM_SUITE_PSK_SHA256))
|
|
|
|
use_sha256 = true;
|
|
|
|
else
|
|
|
|
use_sha256 = false;
|
|
|
|
|
|
|
|
return crypto_derive_pmkid(s->pmk, s->spa, s->aa, out_pmkid,
|
|
|
|
use_sha256);
|
|
|
|
}
|
|
|
|
|
2016-11-02 23:46:18 +01:00
|
|
|
/*
|
|
|
|
* This function performs a match of the RSN/WPA IE obtained from the scan
|
|
|
|
* results vs the RSN/WPA IE obtained as part of the 4-way handshake. If they
|
|
|
|
* don't match, the EAPoL packet must be silently discarded.
|
|
|
|
*/
|
|
|
|
bool handshake_util_ap_ie_matches(const uint8_t *msg_ie,
|
|
|
|
const uint8_t *scan_ie, bool is_wpa)
|
|
|
|
{
|
|
|
|
struct ie_rsn_info msg_info;
|
|
|
|
struct ie_rsn_info scan_info;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* First check that the sizes match, if they do, run a bitwise
|
|
|
|
* comparison.
|
|
|
|
*/
|
|
|
|
if (msg_ie[1] == scan_ie[1] &&
|
|
|
|
!memcmp(msg_ie + 2, scan_ie + 2, msg_ie[1]))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Otherwise we have to parse the IEs and compare the individual
|
|
|
|
* fields
|
|
|
|
*/
|
|
|
|
if (!is_wpa) {
|
|
|
|
if (ie_parse_rsne_from_data(msg_ie, msg_ie[1] + 2,
|
|
|
|
&msg_info) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (ie_parse_rsne_from_data(scan_ie, scan_ie[1] + 2,
|
|
|
|
&scan_info) < 0)
|
|
|
|
return false;
|
|
|
|
} else {
|
|
|
|
if (ie_parse_wpa_from_data(msg_ie, msg_ie[1] + 2,
|
|
|
|
&msg_info) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (ie_parse_wpa_from_data(scan_ie, scan_ie[1] + 2,
|
|
|
|
&scan_info) < 0)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (msg_info.group_cipher != scan_info.group_cipher)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.pairwise_ciphers != scan_info.pairwise_ciphers)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.akm_suites != scan_info.akm_suites)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.preauthentication != scan_info.preauthentication)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.no_pairwise != scan_info.no_pairwise)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.ptksa_replay_counter != scan_info.ptksa_replay_counter)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.gtksa_replay_counter != scan_info.gtksa_replay_counter)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.mfpr != scan_info.mfpr)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.mfpc != scan_info.mfpc)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.peerkey_enabled != scan_info.peerkey_enabled)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.spp_a_msdu_capable != scan_info.spp_a_msdu_capable)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.spp_a_msdu_required != scan_info.spp_a_msdu_required)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.pbac != scan_info.pbac)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (msg_info.extended_key_id != scan_info.extended_key_id)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* We don't check the PMKIDs since these might actually be different */
|
|
|
|
|
|
|
|
if (msg_info.group_management_cipher !=
|
|
|
|
scan_info.group_management_cipher)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const uint8_t *find_kde(const uint8_t *data, size_t data_len,
|
|
|
|
size_t *out_len, const unsigned char *oui)
|
|
|
|
{
|
|
|
|
struct ie_tlv_iter iter;
|
|
|
|
const uint8_t *result;
|
|
|
|
unsigned int len;
|
|
|
|
|
|
|
|
ie_tlv_iter_init(&iter, data, data_len);
|
|
|
|
|
|
|
|
while (ie_tlv_iter_next(&iter)) {
|
|
|
|
if (ie_tlv_iter_get_tag(&iter) != IE_TYPE_VENDOR_SPECIFIC)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
len = ie_tlv_iter_get_length(&iter);
|
|
|
|
if (len < 4) /* Take care of padding */
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/* Check OUI */
|
|
|
|
result = ie_tlv_iter_get_data(&iter);
|
|
|
|
if (memcmp(result, oui, 4))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (out_len)
|
|
|
|
*out_len = len - 4;
|
|
|
|
|
|
|
|
return result + 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
const uint8_t *handshake_util_find_gtk_kde(const uint8_t *data, size_t data_len,
|
|
|
|
size_t *out_gtk_len)
|
|
|
|
{
|
|
|
|
static const unsigned char gtk_oui[] = { 0x00, 0x0f, 0xac, 0x01 };
|
2017-10-19 21:40:15 +02:00
|
|
|
size_t gtk_len;
|
|
|
|
const uint8_t *gtk = find_kde(data, data_len, >k_len, gtk_oui);
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2017-10-19 21:40:15 +02:00
|
|
|
if (!gtk)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Account for KeyId, TX and Reserved octet
|
|
|
|
* See 802.11-2016, Figure 12-35
|
|
|
|
*/
|
|
|
|
if (gtk_len < CRYPTO_MIN_GTK_LEN + 2)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (gtk_len > CRYPTO_MAX_GTK_LEN + 2)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (out_gtk_len)
|
|
|
|
*out_gtk_len = gtk_len;
|
|
|
|
|
|
|
|
return gtk;
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
const uint8_t *handshake_util_find_igtk_kde(const uint8_t *data,
|
|
|
|
size_t data_len,
|
|
|
|
size_t *out_igtk_len)
|
|
|
|
{
|
|
|
|
static const unsigned char igtk_oui[] = { 0x00, 0x0f, 0xac, 0x09 };
|
2017-10-19 21:40:15 +02:00
|
|
|
size_t igtk_len;
|
|
|
|
const uint8_t *igtk = find_kde(data, data_len, &igtk_len, igtk_oui);
|
|
|
|
|
|
|
|
if (!igtk)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Account for KeyId and IPN
|
|
|
|
* See 802.11-2016, Figure 12-42
|
|
|
|
*/
|
|
|
|
if (igtk_len < CRYPTO_MIN_IGTK_LEN + 8)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (igtk_len > CRYPTO_MAX_IGTK_LEN + 8)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (out_igtk_len)
|
|
|
|
*out_igtk_len = igtk_len;
|
2016-11-02 23:46:18 +01:00
|
|
|
|
2017-10-19 21:40:15 +02:00
|
|
|
return igtk;
|
2016-11-02 23:46:18 +01:00
|
|
|
}
|
2017-01-31 03:42:52 +01:00
|
|
|
|
2017-04-15 13:58:46 +02:00
|
|
|
const uint8_t *handshake_util_find_pmkid_kde(const uint8_t *data,
|
|
|
|
size_t data_len)
|
|
|
|
{
|
|
|
|
static const unsigned char pmkid_oui[] = { 0x00, 0x0f, 0xac, 0x04 };
|
|
|
|
const uint8_t *pmkid;
|
|
|
|
size_t pmkid_len;
|
|
|
|
|
|
|
|
pmkid = find_kde(data, data_len, &pmkid_len, pmkid_oui);
|
|
|
|
|
2017-05-15 22:23:03 +02:00
|
|
|
if (pmkid && pmkid_len != 16)
|
2017-04-15 13:58:46 +02:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return pmkid;
|
|
|
|
}
|
|
|
|
|
2017-01-31 19:03:51 +01:00
|
|
|
/*
|
|
|
|
* Unwrap a GTK / IGTK included in an FTE following 802.11-2012, Section 12.8.5:
|
|
|
|
*
|
|
|
|
* "If a GTK or an IGTK are included, the Key field of the subelement shall be
|
|
|
|
* encrypted using KEK and the NIST AES key wrap algorithm. The Key field shall
|
|
|
|
* be padded before encrypting if the key length is less than 16 octets or if
|
|
|
|
* it is not a multiple of 8. The padding consists of appending a single octet
|
|
|
|
* 0xdd followed by zero or more 0x00 octets. When processing a received
|
|
|
|
* message, the receiver shall ignore this trailing padding. Addition of
|
|
|
|
* padding does not change the value of the Key Length field. Note that the
|
|
|
|
* length of the encrypted Key field can be determined from the length of the
|
|
|
|
* GTK or IGTK subelement.
|
|
|
|
*/
|
2017-01-31 03:42:52 +01:00
|
|
|
bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped,
|
|
|
|
size_t key_len, uint8_t *key_out)
|
|
|
|
{
|
|
|
|
const struct crypto_ptk *ptk = handshake_state_get_ptk(s);
|
2017-01-31 19:04:26 +01:00
|
|
|
size_t padded_len = key_len < 16 ? 16 : align_len(key_len, 8);
|
2017-01-31 03:42:52 +01:00
|
|
|
|
|
|
|
if (!aes_unwrap(ptk->kek, wrapped, padded_len + 8, key_out))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (key_len < padded_len && key_out[key_len++] != 0xdd)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
while (key_len < padded_len)
|
|
|
|
if (key_out[key_len++] != 0x00)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|