search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / dist / wpa / src / common / wpa_common.c
bloba63622b942f5e4d1e96b5e0ec7f14ee4ff416388
1 /*
2 * WPA/RSN - Shared functions for supplicant and authenticator
3 * Copyright (c) 2002-2008, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "md5.h"
19 #include "sha1.h"
20 #include "sha256.h"
21 #include "aes_wrap.h"
22 #include "crypto.h"
23 #include "ieee802_11_defs.h"
24 #include "defs.h"
25 #include "wpa_common.h"
26
27
28 /**
29 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
30 * @key: EAPOL-Key Key Confirmation Key (KCK)
31 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
32 * @buf: Pointer to the beginning of the EAPOL header (version field)
33 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
34 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
35 * Returns: 0 on success, -1 on failure
36 *
37 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
38 * to be cleared (all zeroes) when calling this function.
39 *
40 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
41 * description of the Key MIC calculation. It includes packet data from the
42 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
43 * happened during final editing of the standard and the correct behavior is
44 * defined in the last draft (IEEE 802.11i/D10).
45 */
46 int wpa_eapol_key_mic(const u8 *key, int ver, const u8 *buf, size_t len,
47 u8 *mic)
48 {
49 u8 hash[SHA1_MAC_LEN];
50
51 switch (ver) {
52 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
53 hmac_md5(key, 16, buf, len, mic);
54 break;
55 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
56 hmac_sha1(key, 16, buf, len, hash);
57 os_memcpy(mic, hash, MD5_MAC_LEN);
58 break;
59 #ifdef CONFIG_IEEE80211R
60 case WPA_KEY_INFO_TYPE_AES_128_CMAC:
61 return omac1_aes_128(key, buf, len, mic);
62 #endif /* CONFIG_IEEE80211R */
63 default:
64 return -1;
65 }
66
67 return 0;
68 }
69
70
71 /**
72 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
73 * @pmk: Pairwise master key
74 * @pmk_len: Length of PMK
75 * @label: Label to use in derivation
76 * @addr1: AA or SA
77 * @addr2: SA or AA
78 * @nonce1: ANonce or SNonce
79 * @nonce2: SNonce or ANonce
80 * @ptk: Buffer for pairwise transient key
81 * @ptk_len: Length of PTK
82 *
83 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
84 * PTK = PRF-X(PMK, "Pairwise key expansion",
85 * Min(AA, SA) || Max(AA, SA) ||
86 * Min(ANonce, SNonce) || Max(ANonce, SNonce))
87 *
88 * STK = PRF-X(SMK, "Peer key expansion",
89 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) ||
90 * Min(INonce, PNonce) || Max(INonce, PNonce))
91 */
92 void wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
93 const u8 *addr1, const u8 *addr2,
94 const u8 *nonce1, const u8 *nonce2,
95 u8 *ptk, size_t ptk_len)
96 {
97 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN];
98
99 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
100 os_memcpy(data, addr1, ETH_ALEN);
101 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
102 } else {
103 os_memcpy(data, addr2, ETH_ALEN);
104 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
105 }
106
107 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
108 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
109 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
110 WPA_NONCE_LEN);
111 } else {
112 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
113 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
114 WPA_NONCE_LEN);
115 }
116
117 sha1_prf(pmk, pmk_len, label, data, sizeof(data), ptk, ptk_len);
118
119 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
120 MAC2STR(addr1), MAC2STR(addr2));
121 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
122 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", ptk, ptk_len);
123 }
124
125
126 #ifdef CONFIG_IEEE80211R
127 int wpa_ft_mic(const u8 *kck, const u8 *sta_addr, const u8 *ap_addr,
128 u8 transaction_seqnum, const u8 *mdie, size_t mdie_len,
129 const u8 *ftie, size_t ftie_len,
130 const u8 *rsnie, size_t rsnie_len,
131 const u8 *ric, size_t ric_len, u8 *mic)
132 {
133 u8 *buf, *pos;
134 size_t buf_len;
135
136 buf_len = 2 * ETH_ALEN + 1 + mdie_len + ftie_len + rsnie_len + ric_len;
137 buf = os_malloc(buf_len);
138 if (buf == NULL)
139 return -1;
140
141 pos = buf;
142 os_memcpy(pos, sta_addr, ETH_ALEN);
143 pos += ETH_ALEN;
144 os_memcpy(pos, ap_addr, ETH_ALEN);
145 pos += ETH_ALEN;
146 *pos++ = transaction_seqnum;
147 if (rsnie) {
148 os_memcpy(pos, rsnie, rsnie_len);
149 pos += rsnie_len;
150 }
151 if (mdie) {
152 os_memcpy(pos, mdie, mdie_len);
153 pos += mdie_len;
154 }
155 if (ftie) {
156 struct rsn_ftie *_ftie;
157 os_memcpy(pos, ftie, ftie_len);
158 if (ftie_len < 2 + sizeof(*_ftie)) {
159 os_free(buf);
160 return -1;
161 }
162 _ftie = (struct rsn_ftie *) (pos + 2);
163 os_memset(_ftie->mic, 0, sizeof(_ftie->mic));
164 pos += ftie_len;
165 }
166 if (ric) {
167 os_memcpy(pos, ric, ric_len);
168 pos += ric_len;
169 }
170
171 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", buf, pos - buf);
172 if (omac1_aes_128(kck, buf, pos - buf, mic)) {
173 os_free(buf);
174 return -1;
175 }
176
177 os_free(buf);
178
179 return 0;
180 }
181 #endif /* CONFIG_IEEE80211R */
182
183
184 #ifndef CONFIG_NO_WPA2
185 static int rsn_selector_to_bitfield(const u8 *s)
186 {
187 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
188 return WPA_CIPHER_NONE;
189 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP40)
190 return WPA_CIPHER_WEP40;
191 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
192 return WPA_CIPHER_TKIP;
193 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
194 return WPA_CIPHER_CCMP;
195 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_WEP104)
196 return WPA_CIPHER_WEP104;
197 #ifdef CONFIG_IEEE80211W
198 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
199 return WPA_CIPHER_AES_128_CMAC;
200 #endif /* CONFIG_IEEE80211W */
201 return 0;
202 }
203
204
205 static int rsn_key_mgmt_to_bitfield(const u8 *s)
206 {
207 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
208 return WPA_KEY_MGMT_IEEE8021X;
209 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
210 return WPA_KEY_MGMT_PSK;
211 #ifdef CONFIG_IEEE80211R
212 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
213 return WPA_KEY_MGMT_FT_IEEE8021X;
214 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
215 return WPA_KEY_MGMT_FT_PSK;
216 #endif /* CONFIG_IEEE80211R */
217 return 0;
218 }
219 #endif /* CONFIG_NO_WPA2 */
220
221
222 /**
223 * wpa_parse_wpa_ie_rsn - Parse RSN IE
224 * @rsn_ie: Buffer containing RSN IE
225 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
226 * @data: Pointer to structure that will be filled in with parsed data
227 * Returns: 0 on success, <0 on failure
228 */
229 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
230 struct wpa_ie_data *data)
231 {
232 #ifndef CONFIG_NO_WPA2
233 const struct rsn_ie_hdr *hdr;
234 const u8 *pos;
235 int left;
236 int i, count;
237
238 os_memset(data, 0, sizeof(*data));
239 data->proto = WPA_PROTO_RSN;
240 data->pairwise_cipher = WPA_CIPHER_CCMP;
241 data->group_cipher = WPA_CIPHER_CCMP;
242 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
243 data->capabilities = 0;
244 data->pmkid = NULL;
245 data->num_pmkid = 0;
246 #ifdef CONFIG_IEEE80211W
247 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
248 #else /* CONFIG_IEEE80211W */
249 data->mgmt_group_cipher = 0;
250 #endif /* CONFIG_IEEE80211W */
251
252 if (rsn_ie_len == 0) {
253 /* No RSN IE - fail silently */
254 return -1;
255 }
256
257 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
258 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
259 __func__, (unsigned long) rsn_ie_len);
260 return -1;
261 }
262
263 hdr = (const struct rsn_ie_hdr *) rsn_ie;
264
265 if (hdr->elem_id != WLAN_EID_RSN ||
266 hdr->len != rsn_ie_len - 2 ||
267 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
268 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
269 __func__);
270 return -2;
271 }
272
273 pos = (const u8 *) (hdr + 1);
274 left = rsn_ie_len - sizeof(*hdr);
275
276 if (left >= RSN_SELECTOR_LEN) {
277 data->group_cipher = rsn_selector_to_bitfield(pos);
278 #ifdef CONFIG_IEEE80211W
279 if (data->group_cipher == WPA_CIPHER_AES_128_CMAC) {
280 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as group "
281 "cipher", __func__);
282 return -1;
283 }
284 #endif /* CONFIG_IEEE80211W */
285 pos += RSN_SELECTOR_LEN;
286 left -= RSN_SELECTOR_LEN;
287 } else if (left > 0) {
288 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
289 __func__, left);
290 return -3;
291 }
292
293 if (left >= 2) {
294 data->pairwise_cipher = 0;
295 count = WPA_GET_LE16(pos);
296 pos += 2;
297 left -= 2;
298 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
299 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
300 "count %u left %u", __func__, count, left);
301 return -4;
302 }
303 for (i = 0; i < count; i++) {
304 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
305 pos += RSN_SELECTOR_LEN;
306 left -= RSN_SELECTOR_LEN;
307 }
308 #ifdef CONFIG_IEEE80211W
309 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
310 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
311 "pairwise cipher", __func__);
312 return -1;
313 }
314 #endif /* CONFIG_IEEE80211W */
315 } else if (left == 1) {
316 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
317 __func__);
318 return -5;
319 }
320
321 if (left >= 2) {
322 data->key_mgmt = 0;
323 count = WPA_GET_LE16(pos);
324 pos += 2;
325 left -= 2;
326 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
327 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
328 "count %u left %u", __func__, count, left);
329 return -6;
330 }
331 for (i = 0; i < count; i++) {
332 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
333 pos += RSN_SELECTOR_LEN;
334 left -= RSN_SELECTOR_LEN;
335 }
336 } else if (left == 1) {
337 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
338 __func__);
339 return -7;
340 }
341
342 if (left >= 2) {
343 data->capabilities = WPA_GET_LE16(pos);
344 pos += 2;
345 left -= 2;
346 }
347
348 if (left >= 2) {
349 data->num_pmkid = WPA_GET_LE16(pos);
350 pos += 2;
351 left -= 2;
352 if (left < (int) data->num_pmkid * PMKID_LEN) {
353 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
354 "(num_pmkid=%lu left=%d)",
355 __func__, (unsigned long) data->num_pmkid,
356 left);
357 data->num_pmkid = 0;
358 return -9;
359 } else {
360 data->pmkid = pos;
361 pos += data->num_pmkid * PMKID_LEN;
362 left -= data->num_pmkid * PMKID_LEN;
363 }
364 }
365
366 #ifdef CONFIG_IEEE80211W
367 if (left >= 4) {
368 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
369 if (data->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC) {
370 wpa_printf(MSG_DEBUG, "%s: Unsupported management "
371 "group cipher 0x%x", __func__,
372 data->mgmt_group_cipher);
373 return -10;
374 }
375 pos += RSN_SELECTOR_LEN;
376 left -= RSN_SELECTOR_LEN;
377 }
378 #endif /* CONFIG_IEEE80211W */
379
380 if (left > 0) {
381 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
382 __func__, left);
383 }
384
385 return 0;
386 #else /* CONFIG_NO_WPA2 */
387 return -1;
388 #endif /* CONFIG_NO_WPA2 */
389 }
390
391
392 #ifdef CONFIG_IEEE80211R
393
394 /**
395 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
396 *
397 * IEEE 802.11r/D9.0 - 8.5.1.5.3
398 */
399 void wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
400 const u8 *ssid, size_t ssid_len,
401 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
402 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name)
403 {
404 u8 buf[1 + WPA_MAX_SSID_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
405 FT_R0KH_ID_MAX_LEN + ETH_ALEN];
406 u8 *pos, r0_key_data[48], hash[32];
407 const u8 *addr[2];
408 size_t len[2];
409
410 /*
411 * R0-Key-Data = KDF-384(XXKey, "FT-R0",
412 * SSIDlength || SSID || MDID || R0KHlength ||
413 * R0KH-ID || S0KH-ID)
414 * XXKey is either the second 256 bits of MSK or PSK.
415 * PMK-R0 = L(R0-Key-Data, 0, 256)
416 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128)
417 */
418 if (ssid_len > WPA_MAX_SSID_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
419 return;
420 pos = buf;
421 *pos++ = ssid_len;
422 os_memcpy(pos, ssid, ssid_len);
423 pos += ssid_len;
424 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
425 pos += MOBILITY_DOMAIN_ID_LEN;
426 *pos++ = r0kh_id_len;
427 os_memcpy(pos, r0kh_id, r0kh_id_len);
428 pos += r0kh_id_len;
429 os_memcpy(pos, s0kh_id, ETH_ALEN);
430 pos += ETH_ALEN;
431
432 sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
433 r0_key_data, sizeof(r0_key_data));
434 os_memcpy(pmk_r0, r0_key_data, PMK_LEN);
435
436 /*
437 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt)
438 */
439 addr[0] = (const u8 *) "FT-R0N";
440 len[0] = 6;
441 addr[1] = r0_key_data + PMK_LEN;
442 len[1] = 16;
443
444 sha256_vector(2, addr, len, hash);
445 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
446 }
447
448
449 /**
450 * wpa_derive_pmk_r1_name - Derive PMKR1Name
451 *
452 * IEEE 802.11r/D9.0 - 8.5.1.5.4
453 */
454 void wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
455 const u8 *s1kh_id, u8 *pmk_r1_name)
456 {
457 u8 hash[32];
458 const u8 *addr[4];
459 size_t len[4];
460
461 /*
462 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name ||
463 * R1KH-ID || S1KH-ID))
464 */
465 addr[0] = (const u8 *) "FT-R1N";
466 len[0] = 6;
467 addr[1] = pmk_r0_name;
468 len[1] = WPA_PMK_NAME_LEN;
469 addr[2] = r1kh_id;
470 len[2] = FT_R1KH_ID_LEN;
471 addr[3] = s1kh_id;
472 len[3] = ETH_ALEN;
473
474 sha256_vector(4, addr, len, hash);
475 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
476 }
477
478
479 /**
480 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
481 *
482 * IEEE 802.11r/D9.0 - 8.5.1.5.4
483 */
484 void wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name,
485 const u8 *r1kh_id, const u8 *s1kh_id,
486 u8 *pmk_r1, u8 *pmk_r1_name)
487 {
488 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
489 u8 *pos;
490
491 /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
492 pos = buf;
493 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
494 pos += FT_R1KH_ID_LEN;
495 os_memcpy(pos, s1kh_id, ETH_ALEN);
496 pos += ETH_ALEN;
497
498 sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf, pmk_r1, PMK_LEN);
499
500 wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, pmk_r1_name);
501 }
502
503
504 /**
505 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
506 *
507 * IEEE 802.11r/D9.0 - 8.5.1.5.5
508 */
509 void wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce,
510 const u8 *sta_addr, const u8 *bssid,
511 const u8 *pmk_r1_name,
512 u8 *ptk, size_t ptk_len, u8 *ptk_name)
513 {
514 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
515 u8 *pos, hash[32];
516 const u8 *addr[6];
517 size_t len[6];
518
519 /*
520 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
521 * BSSID || STA-ADDR)
522 */
523 pos = buf;
524 os_memcpy(pos, snonce, WPA_NONCE_LEN);
525 pos += WPA_NONCE_LEN;
526 os_memcpy(pos, anonce, WPA_NONCE_LEN);
527 pos += WPA_NONCE_LEN;
528 os_memcpy(pos, bssid, ETH_ALEN);
529 pos += ETH_ALEN;
530 os_memcpy(pos, sta_addr, ETH_ALEN);
531 pos += ETH_ALEN;
532
533 sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf, ptk, ptk_len);
534
535 /*
536 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
537 * ANonce || BSSID || STA-ADDR))
538 */
539 addr[0] = pmk_r1_name;
540 len[0] = WPA_PMK_NAME_LEN;
541 addr[1] = (const u8 *) "FT-PTKN";
542 len[1] = 7;
543 addr[2] = snonce;
544 len[2] = WPA_NONCE_LEN;
545 addr[3] = anonce;
546 len[3] = WPA_NONCE_LEN;
547 addr[4] = bssid;
548 len[4] = ETH_ALEN;
549 addr[5] = sta_addr;
550 len[5] = ETH_ALEN;
551
552 sha256_vector(6, addr, len, hash);
553 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
554 }
555
556 #endif /* CONFIG_IEEE80211R */
NetBSD on the FriendlyARM MINI2440