mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-10-06 11:28:38 +02:00
4d2176df29
Like in ap.c, allow the event callback to mark the handshake state as destroyed, without causing invalid accesses after the callback has returned. In this case the crash was because try_handshake_complete needed to access members of handshake_state after emitting the event, as well as access the netdev, which also has been destroyed: ==257707== Invalid read of size 8 ==257707== at 0x408C85: try_handshake_complete (netdev.c:1487) ==257707== by 0x408C85: try_handshake_complete (netdev.c:1480) (...) ==257707== Address 0x4e187e8 is 856 bytes inside a block of size 872 free'd ==257707== at 0x484621F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==257707== by 0x437887: ap_stop_handshake (ap.c:151) ==257707== by 0x439793: ap_del_station (ap.c:316) ==257707== by 0x43EA92: ap_station_disconnect (ap.c:3411) ==257707== by 0x43EA92: ap_station_disconnect (ap.c:3399) ==257707== by 0x454276: p2p_group_event (p2p.c:1006) ==257707== by 0x439147: ap_event (ap.c:281) ==257707== by 0x4393AB: ap_new_rsna (ap.c:390) ==257707== by 0x4393AB: ap_handshake_event (ap.c:1010) ==257707== by 0x408C7F: try_handshake_complete (netdev.c:1485) ==257707== by 0x408C7F: try_handshake_complete (netdev.c:1480) (...)
1104 lines
25 KiB
C
1104 lines
25 KiB
C
/*
|
|
*
|
|
* Wireless daemon for Linux
|
|
*
|
|
* Copyright (C) 2013-2019 Intel Corporation. All rights reserved.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include <config.h>
|
|
#endif
|
|
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <errno.h>
|
|
#include <sys/socket.h>
|
|
#include <linux/if.h>
|
|
#include <linux/if_packet.h>
|
|
#include <linux/if_ether.h>
|
|
#include <arpa/inet.h>
|
|
#include <linux/filter.h>
|
|
|
|
#include <ell/ell.h>
|
|
|
|
#include "src/missing.h"
|
|
#include "src/crypto.h"
|
|
#include "src/ie.h"
|
|
#include "src/util.h"
|
|
#include "src/handshake.h"
|
|
#include "src/erp.h"
|
|
#include "src/band.h"
|
|
|
|
static inline unsigned int n_ecc_groups(void)
|
|
{
|
|
const unsigned int *groups = l_ecc_supported_ike_groups();
|
|
unsigned int j = 0;
|
|
|
|
while (groups[j])
|
|
j += 1;
|
|
|
|
return j;
|
|
}
|
|
|
|
static inline int ecc_group_index(unsigned int group)
|
|
{
|
|
const unsigned int *groups = l_ecc_supported_ike_groups();
|
|
int j;
|
|
|
|
for (j = 0; groups[j]; j++)
|
|
if (groups[j] == group)
|
|
return j;
|
|
|
|
return -ENOENT;
|
|
}
|
|
|
|
static bool handshake_get_nonce(uint8_t nonce[])
|
|
{
|
|
return l_getrandom(nonce, 32);
|
|
}
|
|
|
|
static handshake_get_nonce_func_t get_nonce = handshake_get_nonce;
|
|
static handshake_install_tk_func_t install_tk = NULL;
|
|
static handshake_install_gtk_func_t install_gtk = NULL;
|
|
static handshake_install_igtk_func_t install_igtk = NULL;
|
|
static handshake_install_ext_tk_func_t install_ext_tk = NULL;
|
|
|
|
void __handshake_set_get_nonce_func(handshake_get_nonce_func_t func)
|
|
{
|
|
get_nonce = func;
|
|
}
|
|
|
|
void __handshake_set_install_tk_func(handshake_install_tk_func_t func)
|
|
{
|
|
install_tk = func;
|
|
}
|
|
|
|
void __handshake_set_install_gtk_func(handshake_install_gtk_func_t func)
|
|
{
|
|
install_gtk = func;
|
|
}
|
|
|
|
void __handshake_set_install_igtk_func(handshake_install_igtk_func_t func)
|
|
{
|
|
install_igtk = func;
|
|
}
|
|
|
|
void __handshake_set_install_ext_tk_func(handshake_install_ext_tk_func_t func)
|
|
{
|
|
install_ext_tk = func;
|
|
}
|
|
|
|
void handshake_state_free(struct handshake_state *s)
|
|
{
|
|
__typeof__(s->free) destroy = s->free;
|
|
|
|
if (s->in_event) {
|
|
s->in_event = false;
|
|
return;
|
|
}
|
|
|
|
l_free(s->authenticator_ie);
|
|
l_free(s->supplicant_ie);
|
|
l_free(s->authenticator_rsnxe);
|
|
l_free(s->supplicant_rsnxe);
|
|
l_free(s->mde);
|
|
l_free(s->fte);
|
|
l_free(s->fils_ip_req_ie);
|
|
l_free(s->fils_ip_resp_ie);
|
|
l_free(s->vendor_ies);
|
|
|
|
if (s->erp_cache)
|
|
erp_cache_put(s->erp_cache);
|
|
|
|
l_free(s->chandef);
|
|
|
|
if (s->passphrase) {
|
|
explicit_bzero(s->passphrase, strlen(s->passphrase));
|
|
l_free(s->passphrase);
|
|
}
|
|
|
|
if (s->ecc_sae_pts) {
|
|
unsigned int i;
|
|
|
|
for (i = 0; i < n_ecc_groups(); i++)
|
|
l_ecc_point_free(s->ecc_sae_pts[i]);
|
|
|
|
l_free(s->ecc_sae_pts);
|
|
}
|
|
|
|
explicit_bzero(s, sizeof(*s));
|
|
|
|
if (destroy)
|
|
destroy(s);
|
|
}
|
|
|
|
void handshake_state_set_supplicant_address(struct handshake_state *s,
|
|
const uint8_t *spa)
|
|
{
|
|
memcpy(s->spa, spa, sizeof(s->spa));
|
|
}
|
|
|
|
void handshake_state_set_authenticator_address(struct handshake_state *s,
|
|
const uint8_t *aa)
|
|
{
|
|
memcpy(s->aa, aa, sizeof(s->aa));
|
|
}
|
|
|
|
void handshake_state_set_authenticator(struct handshake_state *s, bool auth)
|
|
{
|
|
s->authenticator = auth;
|
|
}
|
|
|
|
void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk,
|
|
size_t pmk_len)
|
|
{
|
|
memcpy(s->pmk, pmk, pmk_len);
|
|
s->pmk_len = pmk_len;
|
|
s->have_pmk = true;
|
|
}
|
|
|
|
void handshake_state_set_ptk(struct handshake_state *s, const uint8_t *ptk,
|
|
size_t ptk_len)
|
|
{
|
|
memcpy(s->ptk, ptk, ptk_len);
|
|
s->ptk_complete = true;
|
|
}
|
|
|
|
void handshake_state_set_8021x_config(struct handshake_state *s,
|
|
struct l_settings *settings)
|
|
{
|
|
s->settings_8021x = settings;
|
|
}
|
|
|
|
bool handshake_state_set_authenticator_ie(struct handshake_state *s,
|
|
const uint8_t *ie)
|
|
{
|
|
struct ie_rsn_info info;
|
|
|
|
if (!ie_parse_rsne_from_data(ie, ie[1] + 2, &info))
|
|
goto valid_ie;
|
|
|
|
if (!ie_parse_wpa_from_data(ie, ie[1] + 2, &info))
|
|
goto valid_ie;
|
|
|
|
if (ie_parse_osen_from_data(ie, ie[1] + 2, &info) < 0)
|
|
return false;
|
|
|
|
valid_ie:
|
|
l_free(s->authenticator_ie);
|
|
s->authenticator_ie = l_memdup(ie, ie[1] + 2u);
|
|
|
|
s->authenticator_ocvc = info.ocvc;
|
|
|
|
return true;
|
|
}
|
|
|
|
bool handshake_state_set_supplicant_ie(struct handshake_state *s,
|
|
const uint8_t *ie)
|
|
{
|
|
struct ie_rsn_info info;
|
|
bool wpa_ie = false;
|
|
bool osen_ie = false;
|
|
|
|
if (!ie_parse_rsne_from_data(ie, ie[1] + 2, &info))
|
|
goto valid_ie;
|
|
|
|
if (!ie_parse_wpa_from_data(ie, ie[1] + 2, &info)) {
|
|
wpa_ie = true;
|
|
goto valid_ie;
|
|
}
|
|
|
|
if (ie_parse_osen_from_data(ie, ie[1] + 2, &info) < 0)
|
|
return false;
|
|
|
|
osen_ie = true;
|
|
|
|
valid_ie:
|
|
if (__builtin_popcount(info.pairwise_ciphers) != 1)
|
|
return false;
|
|
|
|
if (__builtin_popcount(info.akm_suites) != 1)
|
|
return false;
|
|
|
|
l_free(s->supplicant_ie);
|
|
s->supplicant_ie = l_memdup(ie, ie[1] + 2u);
|
|
|
|
s->osen_ie = osen_ie;
|
|
s->wpa_ie = wpa_ie;
|
|
|
|
s->pairwise_cipher = info.pairwise_ciphers;
|
|
s->group_cipher = info.group_cipher;
|
|
s->group_management_cipher = info.group_management_cipher;
|
|
s->akm_suite = info.akm_suites;
|
|
s->supplicant_ocvc = info.ocvc;
|
|
s->ext_key_id_capable = info.extended_key_id;
|
|
|
|
/*
|
|
* Don't set MFP for OSEN otherwise EAPoL will attempt to negotiate a
|
|
* iGTK which is not allowed for OSEN.
|
|
*/
|
|
if (!s->osen_ie)
|
|
s->mfp = info.mfpc;
|
|
|
|
return true;
|
|
}
|
|
|
|
static void replace_ie(uint8_t **old, const uint8_t *new)
|
|
{
|
|
if (*old == NULL) {
|
|
*old = new ? l_memdup(new, new[1] + 2) : NULL;
|
|
return;
|
|
}
|
|
|
|
if (!new) {
|
|
l_free(*old);
|
|
*old = NULL;
|
|
return;
|
|
}
|
|
|
|
if ((*old)[1] == new[1] && !memcmp(*old, new, new[1] + 2))
|
|
return;
|
|
|
|
l_free(*old);
|
|
*old = l_memdup(new, new[1] + 2);
|
|
}
|
|
|
|
void handshake_state_set_authenticator_rsnxe(struct handshake_state *s,
|
|
const uint8_t *ie)
|
|
{
|
|
l_free(s->authenticator_rsnxe);
|
|
s->authenticator_rsnxe = ie ? l_memdup(ie, ie[1] + 2) : NULL;
|
|
}
|
|
|
|
void handshake_state_set_supplicant_rsnxe(struct handshake_state *s,
|
|
const uint8_t *ie)
|
|
{
|
|
replace_ie(&s->supplicant_rsnxe, ie);
|
|
}
|
|
|
|
void handshake_state_set_ssid(struct handshake_state *s, const uint8_t *ssid,
|
|
size_t ssid_len)
|
|
{
|
|
memcpy(s->ssid, ssid, ssid_len);
|
|
s->ssid_len = ssid_len;
|
|
}
|
|
|
|
void handshake_state_set_mde(struct handshake_state *s, const uint8_t *mde)
|
|
{
|
|
replace_ie(&s->mde, mde);
|
|
}
|
|
|
|
void handshake_state_set_fte(struct handshake_state *s, const uint8_t *fte)
|
|
{
|
|
replace_ie(&s->fte, fte);
|
|
}
|
|
|
|
void handshake_state_set_vendor_ies(struct handshake_state *s,
|
|
const struct iovec *iov,
|
|
size_t n_iovs)
|
|
{
|
|
size_t i;
|
|
size_t len;
|
|
|
|
l_free(s->vendor_ies);
|
|
s->vendor_ies = NULL;
|
|
|
|
if (n_iovs == 0) {
|
|
s->vendor_ies_len = 0;
|
|
return;
|
|
}
|
|
|
|
for (i = 0, len = 0; i < n_iovs; i++)
|
|
len += iov[i].iov_len;
|
|
|
|
s->vendor_ies_len = len;
|
|
s->vendor_ies = l_malloc(len);
|
|
|
|
for (i = 0, len = 0; i < n_iovs; i++) {
|
|
memcpy(s->vendor_ies + len, iov[i].iov_base, iov[i].iov_len);
|
|
len += iov[i].iov_len;
|
|
}
|
|
}
|
|
|
|
void handshake_state_set_kh_ids(struct handshake_state *s,
|
|
const uint8_t *r0khid, size_t r0khid_len,
|
|
const uint8_t *r1khid)
|
|
{
|
|
memcpy(s->r0khid, r0khid, r0khid_len);
|
|
s->r0khid_len = r0khid_len;
|
|
|
|
memcpy(s->r1khid, r1khid, 6);
|
|
}
|
|
|
|
void handshake_state_set_event_func(struct handshake_state *s,
|
|
handshake_event_func_t func,
|
|
void *user_data)
|
|
{
|
|
s->event_func = func;
|
|
s->user_data = user_data;
|
|
}
|
|
|
|
void handshake_state_set_passphrase(struct handshake_state *s,
|
|
const char *passphrase)
|
|
{
|
|
s->passphrase = l_strdup(passphrase);
|
|
}
|
|
|
|
void handshake_state_set_no_rekey(struct handshake_state *s, bool no_rekey)
|
|
{
|
|
s->no_rekey = no_rekey;
|
|
}
|
|
|
|
void handshake_state_set_fils_ft(struct handshake_state *s,
|
|
const uint8_t *fils_ft,
|
|
size_t fils_ft_len)
|
|
{
|
|
memcpy(s->fils_ft, fils_ft, fils_ft_len);
|
|
s->fils_ft_len = fils_ft_len;
|
|
}
|
|
|
|
/*
|
|
* Override the protocol version used for EAPoL packets. The selection is as
|
|
* follows:
|
|
* 0 -> Automatic, use same proto as the request for the response and
|
|
* 2004 when in authenticator mode
|
|
* 1 -> Chooses 2001 Protocol Version
|
|
* 2 -> Chooses 2004 Protocol Version
|
|
* 3 -> Chooses 2010 Protocol Version
|
|
*/
|
|
void handshake_state_set_protocol_version(struct handshake_state *s,
|
|
uint8_t proto_version)
|
|
{
|
|
s->proto_version = proto_version;
|
|
}
|
|
|
|
void handshake_state_new_snonce(struct handshake_state *s)
|
|
{
|
|
get_nonce(s->snonce);
|
|
|
|
s->have_snonce = true;
|
|
}
|
|
|
|
void handshake_state_new_anonce(struct handshake_state *s)
|
|
{
|
|
get_nonce(s->anonce);
|
|
|
|
s->have_anonce = true;
|
|
}
|
|
|
|
void handshake_state_set_anonce(struct handshake_state *s,
|
|
const uint8_t *anonce)
|
|
{
|
|
memcpy(s->anonce, anonce, 32);
|
|
}
|
|
|
|
/* A multi-purpose getter for key sizes */
|
|
static bool handshake_get_key_sizes(struct handshake_state *s, size_t *ptk_size,
|
|
size_t *kck_size, size_t *kek_size)
|
|
{
|
|
size_t kck;
|
|
size_t kek;
|
|
size_t tk;
|
|
enum crypto_cipher cipher =
|
|
ie_rsn_cipher_suite_to_cipher(s->pairwise_cipher);
|
|
|
|
tk = crypto_cipher_key_len(cipher);
|
|
|
|
/*
|
|
* IEEE 802.11-2016 Table 12-8: Integrity and key-wrap algorithms
|
|
*
|
|
* From the table, only 00-0F-AC:12 and 00-0F-AC:13 use longer KCK and
|
|
* KEK keys, which are 24 and 32 bytes respectively. The remainder use
|
|
* 16 and 16 respectively.
|
|
*/
|
|
switch (s->akm_suite) {
|
|
case IE_RSN_AKM_SUITE_8021X_SUITE_B_SHA256:
|
|
case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
|
|
kck = 24;
|
|
kek = 32;
|
|
break;
|
|
case IE_RSN_AKM_SUITE_OWE:
|
|
/*
|
|
* RFC 8110 Section 4.4 Table 2
|
|
*
|
|
* Luckily with OWE we can deduce the key lengths from the PMK
|
|
* size, since the PMK size maps to unique KCK/KEK lengths.
|
|
*/
|
|
switch (s->pmk_len) {
|
|
case 32:
|
|
/* SHA-256 used for PMK */
|
|
kck = 16;
|
|
kek = 16;
|
|
break;
|
|
case 48:
|
|
/* SHA-384 used for PMK */
|
|
kck = 24;
|
|
kek = 32;
|
|
break;
|
|
case 64:
|
|
/* SHA-512 used for PMK */
|
|
kck = 32;
|
|
kek = 32;
|
|
break;
|
|
default:
|
|
l_error("Invalid PMK length for OWE %zu\n", s->pmk_len);
|
|
return false;
|
|
}
|
|
|
|
break;
|
|
case IE_RSN_AKM_SUITE_FILS_SHA256:
|
|
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
|
|
kck = 0;
|
|
kek = 32;
|
|
break;
|
|
case IE_RSN_AKM_SUITE_FILS_SHA384:
|
|
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
|
|
kck = 0;
|
|
kek = 64;
|
|
break;
|
|
default:
|
|
kck = 16;
|
|
kek = 16;
|
|
break;
|
|
}
|
|
|
|
if (ptk_size) {
|
|
*ptk_size = kck + kek + tk;
|
|
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
|
|
*ptk_size += 32;
|
|
else if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
|
|
*ptk_size += 56;
|
|
}
|
|
|
|
if (kck_size)
|
|
*kck_size = kck;
|
|
|
|
if (kek_size)
|
|
*kek_size = kek;
|
|
|
|
return true;
|
|
}
|
|
|
|
bool handshake_state_derive_ptk(struct handshake_state *s)
|
|
{
|
|
size_t ptk_size;
|
|
enum l_checksum_type type;
|
|
|
|
if (!(s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)))
|
|
if (!s->have_snonce || !s->have_pmk)
|
|
return false;
|
|
|
|
if ((s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
|
|
IE_RSN_AKM_SUITE_FT_USING_PSK |
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) &&
|
|
(!s->mde || !s->fte))
|
|
return false;
|
|
|
|
s->ptk_complete = false;
|
|
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_OWE) {
|
|
if (s->pmk_len == 32)
|
|
type = L_CHECKSUM_SHA256;
|
|
else if (s->pmk_len == 48)
|
|
type = L_CHECKSUM_SHA384;
|
|
else if (s->pmk_len == 64)
|
|
type = L_CHECKSUM_SHA512;
|
|
else
|
|
return false;
|
|
} else if (s->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA384 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
|
|
type = L_CHECKSUM_SHA384;
|
|
else if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
|
|
IE_RSN_AKM_SUITE_PSK_SHA256 |
|
|
IE_RSN_AKM_SUITE_SAE_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
|
|
IE_RSN_AKM_SUITE_FILS_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
IE_RSN_AKM_SUITE_OSEN))
|
|
type = L_CHECKSUM_SHA256;
|
|
else
|
|
type = L_CHECKSUM_SHA1;
|
|
|
|
ptk_size = handshake_state_get_ptk_size(s);
|
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
|
|
IE_RSN_AKM_SUITE_FT_USING_PSK |
|
|
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
|
|
uint16_t mdid;
|
|
uint8_t ptk_name[16];
|
|
const uint8_t *xxkey = s->pmk;
|
|
size_t xxkey_len = 32;
|
|
bool sha384 = (s->akm_suite &
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384);
|
|
|
|
/*
|
|
* In a Fast Transition initial mobility domain association
|
|
* the PMK maps to the XXKey, except with EAP:
|
|
* 802.11-2016 12.7.1.7.3:
|
|
* "If the AKM negotiated is 00-0F-AC:3, then [...] XXKey
|
|
* shall be the second 256 bits of the MSK (which is
|
|
* derived from the IEEE 802.1X authentication), i.e.,
|
|
* XXKey = L(MSK, 256, 256)."
|
|
*/
|
|
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X)
|
|
xxkey = s->pmk + 32;
|
|
else if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
|
|
xxkey = s->fils_ft;
|
|
xxkey_len = s->fils_ft_len;
|
|
}
|
|
|
|
ie_parse_mobility_domain_from_data(s->mde, s->mde[1] + 2,
|
|
&mdid, NULL, NULL);
|
|
|
|
if (!crypto_derive_pmk_r0(xxkey, xxkey_len, s->ssid,
|
|
s->ssid_len, mdid,
|
|
s->r0khid, s->r0khid_len,
|
|
s->spa, sha384,
|
|
s->pmk_r0, s->pmk_r0_name))
|
|
return false;
|
|
|
|
if (!crypto_derive_pmk_r1(s->pmk_r0, s->r1khid, s->spa,
|
|
s->pmk_r0_name, sha384,
|
|
s->pmk_r1, s->pmk_r1_name))
|
|
return false;
|
|
|
|
if (!crypto_derive_ft_ptk(s->pmk_r1, s->pmk_r1_name, s->aa,
|
|
s->spa, s->snonce, s->anonce,
|
|
sha384, s->ptk, ptk_size,
|
|
ptk_name))
|
|
return false;
|
|
} else
|
|
if (!crypto_derive_pairwise_ptk(s->pmk, s->pmk_len, s->spa,
|
|
s->aa, s->anonce, s->snonce,
|
|
s->ptk, ptk_size, type))
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
size_t handshake_state_get_ptk_size(struct handshake_state *s)
|
|
{
|
|
size_t ptk_size;
|
|
|
|
if (!handshake_get_key_sizes(s, &ptk_size, NULL, NULL))
|
|
return 0;
|
|
|
|
return ptk_size;
|
|
}
|
|
|
|
const uint8_t *handshake_state_get_kck(struct handshake_state *s)
|
|
{
|
|
/*
|
|
* FILS itself does not derive a KCK, but FILS-FT derives additional
|
|
* key bytes at the end of the PTK, which contains a special KCK used
|
|
* for fast transition. Since the normal FILS protocol will never call
|
|
* this, we can assume that its only being called for FILS-FT and is
|
|
* requesting this special KCK.
|
|
*/
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
|
|
return s->ptk + 48;
|
|
else if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
|
|
return s->ptk + 80;
|
|
|
|
return s->ptk;
|
|
}
|
|
|
|
size_t handshake_state_get_kck_len(struct handshake_state *s)
|
|
{
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
|
|
return 24;
|
|
|
|
return 16;
|
|
}
|
|
|
|
size_t handshake_state_get_kek_len(struct handshake_state *s)
|
|
{
|
|
size_t kek_size;
|
|
|
|
if (!handshake_get_key_sizes(s, NULL, NULL, &kek_size))
|
|
return 0;
|
|
|
|
return kek_size;
|
|
}
|
|
|
|
const uint8_t *handshake_state_get_kek(struct handshake_state *s)
|
|
{
|
|
size_t kck_size;
|
|
|
|
if (!handshake_get_key_sizes(s, NULL, &kck_size, NULL))
|
|
return NULL;
|
|
|
|
return s->ptk + kck_size;
|
|
}
|
|
|
|
static const uint8_t *handshake_get_tk(struct handshake_state *s)
|
|
{
|
|
size_t kck_size, kek_size;
|
|
|
|
if (!handshake_get_key_sizes(s, NULL, &kck_size, &kek_size))
|
|
return NULL;
|
|
|
|
return s->ptk + kck_size + kek_size;
|
|
}
|
|
|
|
void handshake_state_install_ptk(struct handshake_state *s)
|
|
{
|
|
s->ptk_complete = true;
|
|
|
|
if (install_tk) {
|
|
uint32_t cipher = ie_rsn_cipher_suite_to_cipher(
|
|
s->pairwise_cipher);
|
|
|
|
handshake_event(s, HANDSHAKE_EVENT_SETTING_KEYS);
|
|
|
|
install_tk(s, s->active_tk_index, handshake_get_tk(s), cipher);
|
|
}
|
|
}
|
|
|
|
void handshake_state_install_ext_ptk(struct handshake_state *s,
|
|
uint8_t key_idx,
|
|
struct eapol_frame *ek, uint16_t proto,
|
|
bool noencrypt)
|
|
{
|
|
s->ptk_complete = true;
|
|
|
|
if (install_ext_tk) {
|
|
uint32_t cipher =
|
|
ie_rsn_cipher_suite_to_cipher(s->pairwise_cipher);
|
|
|
|
install_ext_tk(s, key_idx, handshake_get_tk(s), cipher, ek,
|
|
proto, noencrypt);
|
|
}
|
|
}
|
|
|
|
|
|
void handshake_state_install_gtk(struct handshake_state *s,
|
|
uint16_t gtk_key_index,
|
|
const uint8_t *gtk, size_t gtk_len,
|
|
const uint8_t *rsc, uint8_t rsc_len)
|
|
{
|
|
if (install_gtk) {
|
|
uint32_t cipher =
|
|
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
|
|
|
|
install_gtk(s, gtk_key_index, gtk, gtk_len,
|
|
rsc, rsc_len, cipher);
|
|
}
|
|
}
|
|
|
|
void handshake_state_install_igtk(struct handshake_state *s,
|
|
uint16_t igtk_key_index,
|
|
const uint8_t *igtk, size_t igtk_len,
|
|
const uint8_t *ipn)
|
|
{
|
|
if (install_igtk) {
|
|
uint32_t cipher =
|
|
ie_rsn_cipher_suite_to_cipher(
|
|
s->group_management_cipher);
|
|
|
|
install_igtk(s, igtk_key_index, igtk, igtk_len,
|
|
ipn, 6, cipher);
|
|
}
|
|
}
|
|
|
|
void handshake_state_override_pairwise_cipher(struct handshake_state *s,
|
|
enum ie_rsn_cipher_suite pairwise)
|
|
{
|
|
s->pairwise_cipher = pairwise;
|
|
}
|
|
|
|
void handshake_state_set_pmkid(struct handshake_state *s, const uint8_t *pmkid)
|
|
{
|
|
memcpy(s->pmkid, pmkid, 16);
|
|
s->have_pmkid = true;
|
|
}
|
|
|
|
bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
|
|
{
|
|
bool use_sha256;
|
|
|
|
/* SAE exports pmkid */
|
|
if (s->have_pmkid) {
|
|
memcpy(out_pmkid, s->pmkid, 16);
|
|
return true;
|
|
}
|
|
|
|
if (!s->have_pmk)
|
|
return false;
|
|
|
|
/*
|
|
* Note 802.11 section 11.6.1.3:
|
|
* "When the PMKID is calculated for the PMKSA as part of RSN
|
|
* preauthentication, the AKM has not yet been negotiated. In this
|
|
* case, the HMAC-SHA1-128 based derivation is used for the PMKID
|
|
* calculation."
|
|
*/
|
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
|
|
IE_RSN_AKM_SUITE_PSK_SHA256))
|
|
use_sha256 = true;
|
|
else
|
|
use_sha256 = false;
|
|
|
|
return crypto_derive_pmkid(s->pmk, s->spa, s->aa, out_pmkid,
|
|
use_sha256);
|
|
}
|
|
|
|
void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key,
|
|
unsigned int key_index, const uint8_t *rsc)
|
|
{
|
|
enum crypto_cipher cipher =
|
|
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
|
|
int key_len = crypto_cipher_key_len(cipher);
|
|
|
|
if (!key_len)
|
|
return;
|
|
|
|
memcpy(s->gtk, key, key_len);
|
|
s->gtk_index = key_index;
|
|
memcpy(s->gtk_rsc, rsc, 6);
|
|
}
|
|
|
|
/*
|
|
* This function performs a match of the RSN/WPA IE obtained from the scan
|
|
* results vs the RSN/WPA IE obtained as part of the 4-way handshake. If they
|
|
* don't match, the EAPoL packet must be silently discarded.
|
|
*/
|
|
bool handshake_util_ap_ie_matches(const struct ie_rsn_info *msg_info,
|
|
const uint8_t *scan_ie, bool is_wpa)
|
|
{
|
|
struct ie_rsn_info scan_info;
|
|
int r;
|
|
|
|
if (!is_wpa)
|
|
r = ie_parse_rsne_from_data(scan_ie,
|
|
scan_ie[1] + 2, &scan_info);
|
|
else
|
|
r = ie_parse_wpa_from_data(scan_ie, scan_ie[1] + 2, &scan_info);
|
|
|
|
if (r < 0)
|
|
return false;
|
|
|
|
if (msg_info->group_cipher != scan_info.group_cipher)
|
|
return false;
|
|
|
|
if (msg_info->pairwise_ciphers != scan_info.pairwise_ciphers)
|
|
return false;
|
|
|
|
if (msg_info->akm_suites != scan_info.akm_suites)
|
|
return false;
|
|
|
|
if (msg_info->preauthentication != scan_info.preauthentication)
|
|
return false;
|
|
|
|
if (msg_info->no_pairwise != scan_info.no_pairwise)
|
|
return false;
|
|
|
|
if (msg_info->ptksa_replay_counter != scan_info.ptksa_replay_counter)
|
|
return false;
|
|
|
|
if (msg_info->gtksa_replay_counter != scan_info.gtksa_replay_counter)
|
|
return false;
|
|
|
|
if (msg_info->mfpr != scan_info.mfpr)
|
|
return false;
|
|
|
|
if (msg_info->mfpc != scan_info.mfpc)
|
|
return false;
|
|
|
|
if (msg_info->peerkey_enabled != scan_info.peerkey_enabled)
|
|
return false;
|
|
|
|
if (msg_info->spp_a_msdu_capable != scan_info.spp_a_msdu_capable)
|
|
return false;
|
|
|
|
if (msg_info->spp_a_msdu_required != scan_info.spp_a_msdu_required)
|
|
return false;
|
|
|
|
if (msg_info->pbac != scan_info.pbac)
|
|
return false;
|
|
|
|
if (msg_info->extended_key_id != scan_info.extended_key_id)
|
|
return false;
|
|
|
|
if (msg_info->ocvc != scan_info.ocvc)
|
|
return false;
|
|
|
|
/* We don't check the PMKIDs since these might actually be different */
|
|
|
|
if (msg_info->group_management_cipher !=
|
|
scan_info.group_management_cipher)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
const uint8_t *handshake_util_find_kde(enum handshake_kde selector,
|
|
const uint8_t *data, size_t data_len,
|
|
size_t *out_kde_len)
|
|
{
|
|
struct ie_tlv_iter iter;
|
|
const uint8_t *result;
|
|
unsigned int len;
|
|
|
|
ie_tlv_iter_init(&iter, data, data_len);
|
|
|
|
while (ie_tlv_iter_next(&iter)) {
|
|
if (ie_tlv_iter_get_tag(&iter) != IE_TYPE_VENDOR_SPECIFIC)
|
|
continue;
|
|
|
|
len = ie_tlv_iter_get_length(&iter);
|
|
if (len < 4) /* Take care of padding */
|
|
return NULL;
|
|
|
|
/* Check OUI */
|
|
result = ie_tlv_iter_get_data(&iter);
|
|
if (l_get_be32(result) != selector)
|
|
continue;
|
|
|
|
if (out_kde_len)
|
|
*out_kde_len = len - 4;
|
|
|
|
return result + 4;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
const uint8_t *handshake_util_find_gtk_kde(const uint8_t *data, size_t data_len,
|
|
size_t *out_gtk_len)
|
|
{
|
|
size_t gtk_len;
|
|
const uint8_t *gtk = handshake_util_find_kde(HANDSHAKE_KDE_GTK,
|
|
data, data_len, >k_len);
|
|
|
|
if (!gtk)
|
|
return NULL;
|
|
|
|
/*
|
|
* Account for KeyId, TX and Reserved octet
|
|
* See 802.11-2016, Figure 12-35
|
|
*/
|
|
if (gtk_len < CRYPTO_MIN_GTK_LEN + 2)
|
|
return NULL;
|
|
|
|
if (gtk_len > CRYPTO_MAX_GTK_LEN + 2)
|
|
return NULL;
|
|
|
|
if (out_gtk_len)
|
|
*out_gtk_len = gtk_len;
|
|
|
|
return gtk;
|
|
}
|
|
|
|
const uint8_t *handshake_util_find_igtk_kde(const uint8_t *data,
|
|
size_t data_len,
|
|
size_t *out_igtk_len)
|
|
{
|
|
size_t igtk_len;
|
|
const uint8_t *igtk = handshake_util_find_kde(HANDSHAKE_KDE_IGTK,
|
|
data, data_len, &igtk_len);
|
|
|
|
if (!igtk)
|
|
return NULL;
|
|
|
|
/*
|
|
* Account for KeyId and IPN
|
|
* See 802.11-2016, Figure 12-42
|
|
*/
|
|
if (igtk_len < CRYPTO_MIN_IGTK_LEN + 8)
|
|
return NULL;
|
|
|
|
if (igtk_len > CRYPTO_MAX_IGTK_LEN + 8)
|
|
return NULL;
|
|
|
|
if (out_igtk_len)
|
|
*out_igtk_len = igtk_len;
|
|
|
|
return igtk;
|
|
}
|
|
|
|
const uint8_t *handshake_util_find_pmkid_kde(const uint8_t *data,
|
|
size_t data_len)
|
|
{
|
|
const uint8_t *pmkid;
|
|
size_t pmkid_len;
|
|
|
|
pmkid = handshake_util_find_kde(HANDSHAKE_KDE_PMKID, data, data_len,
|
|
&pmkid_len);
|
|
|
|
if (pmkid && pmkid_len != 16)
|
|
return NULL;
|
|
|
|
return pmkid;
|
|
}
|
|
|
|
/* Defined in 802.11-2016 12.7.2 j), Figure 12-34 */
|
|
void handshake_util_build_gtk_kde(enum crypto_cipher cipher, const uint8_t *key,
|
|
unsigned int key_index, uint8_t *to)
|
|
{
|
|
size_t key_len = crypto_cipher_key_len(cipher);
|
|
|
|
*to++ = IE_TYPE_VENDOR_SPECIFIC;
|
|
*to++ = 6 + key_len;
|
|
l_put_be32(HANDSHAKE_KDE_GTK, to);
|
|
to += 4;
|
|
*to++ = key_index;
|
|
*to++ = 0;
|
|
memcpy(to, key, key_len);
|
|
}
|
|
|
|
static const uint8_t *handshake_state_get_ft_fils_kek(struct handshake_state *s,
|
|
size_t *len)
|
|
{
|
|
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256) {
|
|
if (len)
|
|
*len = 16;
|
|
|
|
return s->ptk + 64;
|
|
} else if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384) {
|
|
if (len)
|
|
*len = 32;
|
|
|
|
return s->ptk + 104;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Unwrap a GTK / IGTK included in an FTE following 802.11-2012, Section 12.8.5:
|
|
*
|
|
* "If a GTK or an IGTK are included, the Key field of the subelement shall be
|
|
* encrypted using KEK and the NIST AES key wrap algorithm. The Key field shall
|
|
* be padded before encrypting if the key length is less than 16 octets or if
|
|
* it is not a multiple of 8. The padding consists of appending a single octet
|
|
* 0xdd followed by zero or more 0x00 octets. When processing a received
|
|
* message, the receiver shall ignore this trailing padding. Addition of
|
|
* padding does not change the value of the Key Length field. Note that the
|
|
* length of the encrypted Key field can be determined from the length of the
|
|
* GTK or IGTK subelement.
|
|
*/
|
|
bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped,
|
|
size_t key_len, uint8_t *key_out)
|
|
{
|
|
const uint8_t *kek;
|
|
size_t kek_len = 16;
|
|
size_t padded_len = key_len < 16 ? 16 : align_len(key_len, 8);
|
|
|
|
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
|
|
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
|
|
kek = handshake_state_get_ft_fils_kek(s, &kek_len);
|
|
else
|
|
kek = handshake_state_get_kek(s);
|
|
|
|
if (!aes_unwrap(kek, kek_len, wrapped, padded_len + 8, key_out))
|
|
return false;
|
|
|
|
if (key_len < padded_len && key_out[key_len++] != 0xdd)
|
|
return false;
|
|
|
|
while (key_len < padded_len)
|
|
if (key_out[key_len++] != 0x00)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
/* Add SAE-PT for ECC groups. The group is carried by the point itself */
|
|
bool handshake_state_add_ecc_sae_pt(struct handshake_state *s,
|
|
const struct l_ecc_point *pt)
|
|
{
|
|
const struct l_ecc_curve *curve;
|
|
int i;
|
|
|
|
if (!pt)
|
|
return false;
|
|
|
|
curve = l_ecc_point_get_curve(pt);
|
|
|
|
if (!s->ecc_sae_pts)
|
|
s->ecc_sae_pts = l_new(struct l_ecc_point *, n_ecc_groups());
|
|
|
|
if ((i = ecc_group_index(l_ecc_curve_get_ike_group(curve))) < 0)
|
|
return false;
|
|
|
|
if (s->ecc_sae_pts[i])
|
|
return false;
|
|
|
|
s->ecc_sae_pts[i] = l_ecc_point_clone(pt);
|
|
return true;
|
|
}
|
|
|
|
void handshake_state_set_chandef(struct handshake_state *s,
|
|
struct band_chandef *chandef)
|
|
{
|
|
if (s->chandef)
|
|
l_free(s->chandef);
|
|
|
|
s->chandef = chandef;
|
|
}
|
|
|
|
int handshake_state_verify_oci(struct handshake_state *s, const uint8_t *oci,
|
|
size_t oci_len)
|
|
{
|
|
int r = -ENOENT;
|
|
bool ocvc;
|
|
|
|
l_debug("oci_len: %zu", oci ? oci_len : 0);
|
|
|
|
if (!oci)
|
|
goto done;
|
|
|
|
r = -EBADMSG;
|
|
if (oci_len != 3)
|
|
goto done;
|
|
|
|
l_debug("operating_class: %hu", oci[0]);
|
|
l_debug("primary_channel_number: %hu", oci[1]);
|
|
l_debug("frequency segment 1 channel number: %hu", oci[2]);
|
|
|
|
r = -EINVAL;
|
|
|
|
if (!s->chandef) {
|
|
l_debug("Own chandef unavailable");
|
|
goto done;
|
|
}
|
|
|
|
r = oci_verify(oci, s->chandef);
|
|
if (r < 0)
|
|
l_debug("OCI verification failed: %s", strerror(-r));
|
|
|
|
done:
|
|
if (!r)
|
|
return r;
|
|
|
|
/* Only enforce validation if we're configured to do so */
|
|
ocvc = s->authenticator ? s->authenticator_ocvc : s->supplicant_ocvc;
|
|
if (!ocvc)
|
|
r = 0;
|
|
|
|
return r;
|
|
}
|