3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-22 21:22:37 +01:00
iwd/src/handshake.c
2020-04-02 00:41:02 -05:00

923 lines
22 KiB
C

/*
*
* Wireless daemon for Linux
*
* Copyright (C) 2013-2019 Intel Corporation. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <arpa/inet.h>
#include <linux/filter.h>
#include <ell/ell.h>
#include "src/missing.h"
#include "src/crypto.h"
#include "src/ie.h"
#include "src/util.h"
#include "src/handshake.h"
static bool handshake_get_nonce(uint8_t nonce[])
{
return l_getrandom(nonce, 32);
}
static handshake_get_nonce_func_t get_nonce = handshake_get_nonce;
static handshake_install_tk_func_t install_tk = NULL;
static handshake_install_gtk_func_t install_gtk = NULL;
static handshake_install_igtk_func_t install_igtk = NULL;
void __handshake_set_get_nonce_func(handshake_get_nonce_func_t func)
{
get_nonce = func;
}
void __handshake_set_install_tk_func(handshake_install_tk_func_t func)
{
install_tk = func;
}
void __handshake_set_install_gtk_func(handshake_install_gtk_func_t func)
{
install_gtk = func;
}
void __handshake_set_install_igtk_func(handshake_install_igtk_func_t func)
{
install_igtk = func;
}
void handshake_state_free(struct handshake_state *s)
{
__typeof__(s->free) destroy = s->free;
l_free(s->authenticator_ie);
l_free(s->supplicant_ie);
l_free(s->mde);
l_free(s->fte);
if (s->passphrase) {
explicit_bzero(s->passphrase, strlen(s->passphrase));
l_free(s->passphrase);
}
explicit_bzero(s, sizeof(*s));
if (destroy)
destroy(s);
}
void handshake_state_set_supplicant_address(struct handshake_state *s,
const uint8_t *spa)
{
memcpy(s->spa, spa, sizeof(s->spa));
}
void handshake_state_set_authenticator_address(struct handshake_state *s,
const uint8_t *aa)
{
memcpy(s->aa, aa, sizeof(s->aa));
}
void handshake_state_set_authenticator(struct handshake_state *s, bool auth)
{
s->authenticator = auth;
}
void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk,
size_t pmk_len)
{
memcpy(s->pmk, pmk, pmk_len);
s->pmk_len = pmk_len;
s->have_pmk = true;
}
void handshake_state_set_ptk(struct handshake_state *s, const uint8_t *ptk,
size_t ptk_len)
{
memcpy(s->ptk, ptk, ptk_len);
s->ptk_complete = true;
}
void handshake_state_set_8021x_config(struct handshake_state *s,
struct l_settings *settings)
{
s->settings_8021x = settings;
}
static bool handshake_state_setup_own_ciphers(struct handshake_state *s,
const struct ie_rsn_info *info)
{
if (__builtin_popcount(info->pairwise_ciphers) != 1)
return false;
if (__builtin_popcount(info->akm_suites) != 1)
return false;
s->akm_suite = info->akm_suites;
s->pairwise_cipher = info->pairwise_ciphers;
s->group_cipher = info->group_cipher;
s->group_management_cipher = info->group_management_cipher;
/*
* Don't set MFP for OSEN otherwise EAPoL will attempt to negotiate a
* iGTK which is not allowed for OSEN.
*/
if (!s->osen_ie)
s->mfp = info->mfpc;
return true;
}
bool handshake_state_set_authenticator_ie(struct handshake_state *s,
const uint8_t *ie)
{
struct ie_rsn_info info;
l_free(s->authenticator_ie);
s->authenticator_ie = l_memdup(ie, ie[1] + 2u);
s->wpa_ie = is_ie_wpa_ie(ie + 2, ie[1]);
s->osen_ie = is_ie_wfa_ie(ie + 2, ie[1], IE_WFA_OI_OSEN);
if (!s->authenticator)
return true;
if (s->wpa_ie) {
if (ie_parse_wpa_from_data(ie, ie[1] + 2, &info) < 0)
return false;
} else if (s->osen_ie) {
if (ie_parse_osen_from_data(ie, ie[1] + 2, &info) < 0)
return false;
} else {
if (ie_parse_rsne_from_data(ie, ie[1] + 2, &info) < 0)
return false;
}
return handshake_state_setup_own_ciphers(s, &info);
}
bool handshake_state_set_supplicant_ie(struct handshake_state *s,
const uint8_t *ie)
{
struct ie_rsn_info info;
l_free(s->supplicant_ie);
s->supplicant_ie = l_memdup(ie, ie[1] + 2u);
s->wpa_ie = is_ie_wpa_ie(ie + 2, ie[1]);
s->osen_ie = is_ie_wfa_ie(ie + 2, ie[1], IE_WFA_OI_OSEN);
if (s->authenticator)
return true;
if (s->wpa_ie) {
if (ie_parse_wpa_from_data(ie, ie[1] + 2, &info) < 0)
return false;
} else if (s->osen_ie) {
if (ie_parse_osen_from_data(ie, ie[1] + 2, &info) < 0)
return false;
} else {
if (ie_parse_rsne_from_data(ie, ie[1] + 2, &info) < 0)
return false;
}
return handshake_state_setup_own_ciphers(s, &info);
}
void handshake_state_set_ssid(struct handshake_state *s, const uint8_t *ssid,
size_t ssid_len)
{
memcpy(s->ssid, ssid, ssid_len);
s->ssid_len = ssid_len;
}
void handshake_state_set_mde(struct handshake_state *s, const uint8_t *mde)
{
if (s->mde)
l_free(s->mde);
s->mde = mde ? l_memdup(mde, mde[1] + 2) : NULL;
}
void handshake_state_set_fte(struct handshake_state *s, const uint8_t *fte)
{
if (s->fte)
l_free(s->fte);
s->fte = fte ? l_memdup(fte, fte[1] + 2) : NULL;
}
void handshake_state_set_kh_ids(struct handshake_state *s,
const uint8_t *r0khid, size_t r0khid_len,
const uint8_t *r1khid)
{
memcpy(s->r0khid, r0khid, r0khid_len);
s->r0khid_len = r0khid_len;
memcpy(s->r1khid, r1khid, 6);
}
void handshake_state_set_event_func(struct handshake_state *s,
handshake_event_func_t func,
void *user_data)
{
s->event_func = func;
s->user_data = user_data;
}
void handshake_state_set_passphrase(struct handshake_state *s,
const char *passphrase)
{
s->passphrase = l_strdup(passphrase);
}
void handshake_state_set_no_rekey(struct handshake_state *s, bool no_rekey)
{
s->no_rekey = no_rekey;
}
void handshake_state_set_fils_ft(struct handshake_state *s,
const uint8_t *fils_ft,
size_t fils_ft_len)
{
memcpy(s->fils_ft, fils_ft, fils_ft_len);
s->fils_ft_len = fils_ft_len;
}
/*
* Override the protocol version used for EAPoL packets. The selection is as
* follows:
* 0 -> Automatic, use same proto as the request for the response and
* 2004 when in authenticator mode
* 1 -> Chooses 2001 Protocol Version
* 2 -> Chooses 2004 Protocol Version
* 3 -> Chooses 2010 Protocol Version
*/
void handshake_state_set_protocol_version(struct handshake_state *s,
uint8_t proto_version)
{
s->proto_version = proto_version;
}
void handshake_state_new_snonce(struct handshake_state *s)
{
get_nonce(s->snonce);
s->have_snonce = true;
}
void handshake_state_new_anonce(struct handshake_state *s)
{
get_nonce(s->anonce);
s->have_anonce = true;
}
void handshake_state_set_anonce(struct handshake_state *s,
const uint8_t *anonce)
{
memcpy(s->anonce, anonce, 32);
}
/* A multi-purpose getter for key sizes */
static bool handshake_get_key_sizes(struct handshake_state *s, size_t *ptk_size,
size_t *kck_size, size_t *kek_size)
{
size_t kck;
size_t kek;
size_t tk;
enum crypto_cipher cipher =
ie_rsn_cipher_suite_to_cipher(s->pairwise_cipher);
tk = crypto_cipher_key_len(cipher);
/*
* IEEE 802.11-2016 Table 12-8: Integrity and key-wrap algorithms
*
* From the table, only 00-0F-AC:12 and 00-0F-AC:13 use longer KCK and
* KEK keys, which are 24 and 32 bytes respectively. The remainder use
* 16 and 16 respectively.
*/
switch (s->akm_suite) {
case IE_RSN_AKM_SUITE_8021X_SUITE_B_SHA256:
case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
kck = 24;
kek = 32;
break;
case IE_RSN_AKM_SUITE_OWE:
/*
* RFC 8110 Section 4.4 Table 2
*
* Luckily with OWE we can deduce the key lengths from the PMK
* size, since the PMK size maps to unique KCK/KEK lengths.
*/
switch (s->pmk_len) {
case 32:
/* SHA-256 used for PMK */
kck = 16;
kek = 16;
break;
case 48:
/* SHA-384 used for PMK */
kck = 24;
kek = 32;
break;
case 64:
/* SHA-512 used for PMK */
kck = 32;
kek = 32;
break;
default:
l_error("Invalid PMK length for OWE %zu\n", s->pmk_len);
return false;
}
break;
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
kck = 0;
kek = 32;
break;
case IE_RSN_AKM_SUITE_FILS_SHA384:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
kck = 0;
kek = 64;
break;
default:
kck = 16;
kek = 16;
break;
}
if (ptk_size) {
*ptk_size = kck + kek + tk;
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
*ptk_size += 32;
else if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
*ptk_size += 56;
}
if (kck_size)
*kck_size = kck;
if (kek_size)
*kek_size = kek;
return true;
}
bool handshake_state_derive_ptk(struct handshake_state *s)
{
size_t ptk_size;
enum l_checksum_type type;
if (!(s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)))
if (!s->have_snonce || !s->have_pmk)
return false;
if ((s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) &&
(!s->mde || !s->fte))
return false;
s->ptk_complete = false;
if (s->akm_suite & IE_RSN_AKM_SUITE_OWE) {
if (s->pmk_len == 32)
type = L_CHECKSUM_SHA256;
else if (s->pmk_len == 48)
type = L_CHECKSUM_SHA384;
else if (s->pmk_len == 64)
type = L_CHECKSUM_SHA512;
else
return false;
} else if (s->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA384 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
type = L_CHECKSUM_SHA384;
else if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
IE_RSN_AKM_SUITE_PSK_SHA256 |
IE_RSN_AKM_SUITE_SAE_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
IE_RSN_AKM_SUITE_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_OSEN))
type = L_CHECKSUM_SHA256;
else
type = L_CHECKSUM_SHA1;
ptk_size = handshake_state_get_ptk_size(s);
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
uint16_t mdid;
uint8_t ptk_name[16];
const uint8_t *xxkey = s->pmk;
size_t xxkey_len = 32;
bool sha384 = (s->akm_suite &
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384);
/*
* In a Fast Transition initial mobility domain association
* the PMK maps to the XXKey, except with EAP:
* 802.11-2016 12.7.1.7.3:
* "If the AKM negotiated is 00-0F-AC:3, then [...] XXKey
* shall be the second 256 bits of the MSK (which is
* derived from the IEEE 802.1X authentication), i.e.,
* XXKey = L(MSK, 256, 256)."
*/
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X)
xxkey = s->pmk + 32;
else if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
xxkey = s->fils_ft;
xxkey_len = s->fils_ft_len;
}
ie_parse_mobility_domain_from_data(s->mde, s->mde[1] + 2,
&mdid, NULL, NULL);
if (!crypto_derive_pmk_r0(xxkey, xxkey_len, s->ssid,
s->ssid_len, mdid,
s->r0khid, s->r0khid_len,
s->spa, sha384,
s->pmk_r0, s->pmk_r0_name))
return false;
if (!crypto_derive_pmk_r1(s->pmk_r0, s->r1khid, s->spa,
s->pmk_r0_name, sha384,
s->pmk_r1, s->pmk_r1_name))
return false;
if (!crypto_derive_ft_ptk(s->pmk_r1, s->pmk_r1_name, s->aa,
s->spa, s->snonce, s->anonce,
sha384, s->ptk, ptk_size,
ptk_name))
return false;
} else
if (!crypto_derive_pairwise_ptk(s->pmk, s->pmk_len, s->spa,
s->aa, s->anonce, s->snonce,
s->ptk, ptk_size, type))
return false;
return true;
}
size_t handshake_state_get_ptk_size(struct handshake_state *s)
{
size_t ptk_size;
if (!handshake_get_key_sizes(s, &ptk_size, NULL, NULL))
return 0;
return ptk_size;
}
const uint8_t *handshake_state_get_kck(struct handshake_state *s)
{
/*
* FILS itself does not derive a KCK, but FILS-FT derives additional
* key bytes at the end of the PTK, which contains a special KCK used
* for fast transition. Since the normal FILS protocol will never call
* this, we can assume that its only being called for FILS-FT and is
* requesting this special KCK.
*/
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
return s->ptk + 48;
else if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
return s->ptk + 80;
return s->ptk;
}
size_t handshake_state_get_kck_len(struct handshake_state *s)
{
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
return 24;
return 16;
}
size_t handshake_state_get_kek_len(struct handshake_state *s)
{
size_t kek_size;
if (!handshake_get_key_sizes(s, NULL, NULL, &kek_size))
return 0;
return kek_size;
}
const uint8_t *handshake_state_get_kek(struct handshake_state *s)
{
size_t kck_size;
if (!handshake_get_key_sizes(s, NULL, &kck_size, NULL))
return NULL;
return s->ptk + kck_size;
}
static const uint8_t *handshake_get_tk(struct handshake_state *s)
{
size_t kck_size, kek_size;
if (!handshake_get_key_sizes(s, NULL, &kck_size, &kek_size))
return NULL;
return s->ptk + kck_size + kek_size;
}
void handshake_state_install_ptk(struct handshake_state *s)
{
s->ptk_complete = true;
if (install_tk) {
uint32_t cipher = ie_rsn_cipher_suite_to_cipher(
s->pairwise_cipher);
handshake_event(s, HANDSHAKE_EVENT_SETTING_KEYS);
install_tk(s, handshake_get_tk(s), cipher);
}
}
void handshake_state_install_gtk(struct handshake_state *s,
uint16_t gtk_key_index,
const uint8_t *gtk, size_t gtk_len,
const uint8_t *rsc, uint8_t rsc_len)
{
if (install_gtk) {
uint32_t cipher =
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
install_gtk(s, gtk_key_index, gtk, gtk_len,
rsc, rsc_len, cipher);
}
}
void handshake_state_install_igtk(struct handshake_state *s,
uint16_t igtk_key_index,
const uint8_t *igtk, size_t igtk_len,
const uint8_t *ipn)
{
if (install_igtk) {
uint32_t cipher =
ie_rsn_cipher_suite_to_cipher(
s->group_management_cipher);
install_igtk(s, igtk_key_index, igtk, igtk_len,
ipn, 6, cipher);
}
}
void handshake_state_override_pairwise_cipher(struct handshake_state *s,
enum ie_rsn_cipher_suite pairwise)
{
s->pairwise_cipher = pairwise;
}
void handshake_state_set_pmkid(struct handshake_state *s, const uint8_t *pmkid)
{
memcpy(s->pmkid, pmkid, 16);
s->have_pmkid = true;
}
bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
{
bool use_sha256;
/* SAE exports pmkid */
if (s->have_pmkid) {
memcpy(out_pmkid, s->pmkid, 16);
return true;
}
if (!s->have_pmk)
return false;
/*
* Note 802.11 section 11.6.1.3:
* "When the PMKID is calculated for the PMKSA as part of RSN
* preauthentication, the AKM has not yet been negotiated. In this
* case, the HMAC-SHA1-128 based derivation is used for the PMKID
* calculation."
*/
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
IE_RSN_AKM_SUITE_PSK_SHA256))
use_sha256 = true;
else
use_sha256 = false;
return crypto_derive_pmkid(s->pmk, s->spa, s->aa, out_pmkid,
use_sha256);
}
void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key,
unsigned int key_index, const uint8_t *rsc)
{
enum crypto_cipher cipher =
ie_rsn_cipher_suite_to_cipher(s->group_cipher);
int key_len = crypto_cipher_key_len(cipher);
if (!key_len)
return;
memcpy(s->gtk, key, key_len);
s->gtk_index = key_index;
memcpy(s->gtk_rsc, rsc, 6);
}
/*
* This function performs a match of the RSN/WPA IE obtained from the scan
* results vs the RSN/WPA IE obtained as part of the 4-way handshake. If they
* don't match, the EAPoL packet must be silently discarded.
*/
bool handshake_util_ap_ie_matches(const uint8_t *msg_ie,
const uint8_t *scan_ie, bool is_wpa)
{
struct ie_rsn_info msg_info;
struct ie_rsn_info scan_info;
/*
* First check that the sizes match, if they do, run a bitwise
* comparison.
*/
if (msg_ie[1] == scan_ie[1] &&
!memcmp(msg_ie + 2, scan_ie + 2, msg_ie[1]))
return true;
/*
* Otherwise we have to parse the IEs and compare the individual
* fields
*/
if (!is_wpa) {
if (ie_parse_rsne_from_data(msg_ie, msg_ie[1] + 2,
&msg_info) < 0)
return false;
if (ie_parse_rsne_from_data(scan_ie, scan_ie[1] + 2,
&scan_info) < 0)
return false;
} else {
if (ie_parse_wpa_from_data(msg_ie, msg_ie[1] + 2,
&msg_info) < 0)
return false;
if (ie_parse_wpa_from_data(scan_ie, scan_ie[1] + 2,
&scan_info) < 0)
return false;
}
if (msg_info.group_cipher != scan_info.group_cipher)
return false;
if (msg_info.pairwise_ciphers != scan_info.pairwise_ciphers)
return false;
if (msg_info.akm_suites != scan_info.akm_suites)
return false;
if (msg_info.preauthentication != scan_info.preauthentication)
return false;
if (msg_info.no_pairwise != scan_info.no_pairwise)
return false;
if (msg_info.ptksa_replay_counter != scan_info.ptksa_replay_counter)
return false;
if (msg_info.gtksa_replay_counter != scan_info.gtksa_replay_counter)
return false;
if (msg_info.mfpr != scan_info.mfpr)
return false;
if (msg_info.mfpc != scan_info.mfpc)
return false;
if (msg_info.peerkey_enabled != scan_info.peerkey_enabled)
return false;
if (msg_info.spp_a_msdu_capable != scan_info.spp_a_msdu_capable)
return false;
if (msg_info.spp_a_msdu_required != scan_info.spp_a_msdu_required)
return false;
if (msg_info.pbac != scan_info.pbac)
return false;
if (msg_info.extended_key_id != scan_info.extended_key_id)
return false;
/* We don't check the PMKIDs since these might actually be different */
if (msg_info.group_management_cipher !=
scan_info.group_management_cipher)
return false;
return true;
}
static const uint8_t *find_kde(const uint8_t *data, size_t data_len,
size_t *out_len, enum handshake_kde selector)
{
struct ie_tlv_iter iter;
const uint8_t *result;
unsigned int len;
ie_tlv_iter_init(&iter, data, data_len);
while (ie_tlv_iter_next(&iter)) {
if (ie_tlv_iter_get_tag(&iter) != IE_TYPE_VENDOR_SPECIFIC)
continue;
len = ie_tlv_iter_get_length(&iter);
if (len < 4) /* Take care of padding */
return NULL;
/* Check OUI */
result = ie_tlv_iter_get_data(&iter);
if (l_get_be32(result) != selector)
continue;
if (out_len)
*out_len = len - 4;
return result + 4;
}
return NULL;
}
const uint8_t *handshake_util_find_gtk_kde(const uint8_t *data, size_t data_len,
size_t *out_gtk_len)
{
size_t gtk_len;
const uint8_t *gtk = find_kde(data, data_len, &gtk_len,
HANDSHAKE_KDE_GTK);
if (!gtk)
return NULL;
/*
* Account for KeyId, TX and Reserved octet
* See 802.11-2016, Figure 12-35
*/
if (gtk_len < CRYPTO_MIN_GTK_LEN + 2)
return NULL;
if (gtk_len > CRYPTO_MAX_GTK_LEN + 2)
return NULL;
if (out_gtk_len)
*out_gtk_len = gtk_len;
return gtk;
}
const uint8_t *handshake_util_find_igtk_kde(const uint8_t *data,
size_t data_len,
size_t *out_igtk_len)
{
size_t igtk_len;
const uint8_t *igtk = find_kde(data, data_len, &igtk_len,
HANDSHAKE_KDE_IGTK);
if (!igtk)
return NULL;
/*
* Account for KeyId and IPN
* See 802.11-2016, Figure 12-42
*/
if (igtk_len < CRYPTO_MIN_IGTK_LEN + 8)
return NULL;
if (igtk_len > CRYPTO_MAX_IGTK_LEN + 8)
return NULL;
if (out_igtk_len)
*out_igtk_len = igtk_len;
return igtk;
}
const uint8_t *handshake_util_find_pmkid_kde(const uint8_t *data,
size_t data_len)
{
const uint8_t *pmkid;
size_t pmkid_len;
pmkid = find_kde(data, data_len, &pmkid_len, HANDSHAKE_KDE_PMKID);
if (pmkid && pmkid_len != 16)
return NULL;
return pmkid;
}
/* Defined in 802.11-2016 12.7.2 j), Figure 12-34 */
void handshake_util_build_gtk_kde(enum crypto_cipher cipher, const uint8_t *key,
unsigned int key_index, uint8_t *to)
{
size_t key_len = crypto_cipher_key_len(cipher);
*to++ = IE_TYPE_VENDOR_SPECIFIC;
*to++ = 6 + key_len;
l_put_be32(HANDSHAKE_KDE_GTK, to);
to += 4;
*to++ = key_index;
*to++ = 0;
memcpy(to, key, key_len);
}
static const uint8_t *handshake_state_get_ft_fils_kek(struct handshake_state *s,
size_t *len)
{
if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256) {
if (len)
*len = 16;
return s->ptk + 64;
} else if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384) {
if (len)
*len = 32;
return s->ptk + 104;
}
return NULL;
}
/*
* Unwrap a GTK / IGTK included in an FTE following 802.11-2012, Section 12.8.5:
*
* "If a GTK or an IGTK are included, the Key field of the subelement shall be
* encrypted using KEK and the NIST AES key wrap algorithm. The Key field shall
* be padded before encrypting if the key length is less than 16 octets or if
* it is not a multiple of 8. The padding consists of appending a single octet
* 0xdd followed by zero or more 0x00 octets. When processing a received
* message, the receiver shall ignore this trailing padding. Addition of
* padding does not change the value of the Key Length field. Note that the
* length of the encrypted Key field can be determined from the length of the
* GTK or IGTK subelement.
*/
bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped,
size_t key_len, uint8_t *key_out)
{
const uint8_t *kek;
size_t kek_len = 16;
size_t padded_len = key_len < 16 ? 16 : align_len(key_len, 8);
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
kek = handshake_state_get_ft_fils_kek(s, &kek_len);
else
kek = handshake_state_get_kek(s);
if (!aes_unwrap(kek, kek_len, wrapped, padded_len + 8, key_out))
return false;
if (key_len < padded_len && key_out[key_len++] != 0xdd)
return false;
while (key_len < padded_len)
if (key_out[key_len++] != 0x00)
return false;
return true;
}