1 /* $OpenBSD: ieee80211_crypto.c,v 1.66 2015/11/24 13:45:06 mpi Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> 20 #include <sys/systm.h> 21 #include <sys/mbuf.h> 22 #include <sys/malloc.h> 23 #include <sys/kernel.h> 24 #include <sys/socket.h> 25 #include <sys/sockio.h> 26 #include <sys/endian.h> 27 #include <sys/errno.h> 28 #include <sys/sysctl.h> 29 30 #include <net/if.h> 31 #include <net/if_dl.h> 32 #include <net/if_media.h> 33 34 #include <netinet/in.h> 35 #include <netinet/if_ether.h> 36 37 #include <net80211/ieee80211_var.h> 38 #include <net80211/ieee80211_priv.h> 39 40 #include <crypto/arc4.h> 41 #include <crypto/md5.h> 42 #include <crypto/sha1.h> 43 #include <crypto/sha2.h> 44 #include <crypto/hmac.h> 45 #include <crypto/rijndael.h> 46 #include <crypto/cmac.h> 47 #include <crypto/key_wrap.h> 48 49 void ieee80211_prf(const u_int8_t *, size_t, const u_int8_t *, size_t, 50 const u_int8_t *, size_t, u_int8_t *, size_t); 51 void ieee80211_kdf(const u_int8_t *, size_t, const u_int8_t *, size_t, 52 const u_int8_t *, size_t, u_int8_t *, size_t); 53 void ieee80211_derive_pmkid(enum ieee80211_akm, const u_int8_t *, 54 const u_int8_t *, const u_int8_t *, u_int8_t *); 55 56 void 57 ieee80211_crypto_attach(struct ifnet *ifp) 58 { 59 struct ieee80211com *ic = (void *)ifp; 60 61 TAILQ_INIT(&ic->ic_pmksa); 62 if (ic->ic_caps & IEEE80211_C_RSN) { 63 ic->ic_rsnprotos = IEEE80211_PROTO_WPA | IEEE80211_PROTO_RSN; 64 ic->ic_rsnakms = IEEE80211_AKM_PSK; 65 ic->ic_rsnciphers = IEEE80211_CIPHER_TKIP | 66 IEEE80211_CIPHER_CCMP; 67 ic->ic_rsngroupcipher = IEEE80211_CIPHER_TKIP; 68 ic->ic_rsngroupmgmtcipher = IEEE80211_CIPHER_BIP; 69 } 70 ic->ic_set_key = ieee80211_set_key; 71 ic->ic_delete_key = ieee80211_delete_key; 72 } 73 74 void 75 ieee80211_crypto_detach(struct ifnet *ifp) 76 { 77 struct ieee80211com *ic = (void *)ifp; 78 struct ieee80211_pmk *pmk; 79 int i; 80 81 /* purge the PMKSA cache */ 82 while ((pmk = TAILQ_FIRST(&ic->ic_pmksa)) != NULL) { 83 TAILQ_REMOVE(&ic->ic_pmksa, pmk, pmk_next); 84 explicit_bzero(pmk, sizeof(*pmk)); 85 free(pmk, M_DEVBUF, 0); 86 } 87 88 /* clear all group keys from memory */ 89 for (i = 0; i < IEEE80211_GROUP_NKID; i++) { 90 struct ieee80211_key *k = &ic->ic_nw_keys[i]; 91 if (k->k_cipher != IEEE80211_CIPHER_NONE) 92 (*ic->ic_delete_key)(ic, NULL, k); 93 explicit_bzero(k, sizeof(*k)); 94 } 95 96 /* clear pre-shared key from memory */ 97 explicit_bzero(ic->ic_psk, IEEE80211_PMK_LEN); 98 } 99 100 /* 101 * Return the length in bytes of a cipher suite key (see Table 60). 102 */ 103 int 104 ieee80211_cipher_keylen(enum ieee80211_cipher cipher) 105 { 106 switch (cipher) { 107 case IEEE80211_CIPHER_WEP40: 108 return 5; 109 case IEEE80211_CIPHER_TKIP: 110 return 32; 111 case IEEE80211_CIPHER_CCMP: 112 return 16; 113 case IEEE80211_CIPHER_WEP104: 114 return 13; 115 case IEEE80211_CIPHER_BIP: 116 return 16; 117 default: /* unknown cipher */ 118 return 0; 119 } 120 } 121 122 int 123 ieee80211_set_key(struct ieee80211com *ic, struct ieee80211_node *ni, 124 struct ieee80211_key *k) 125 { 126 int error; 127 128 switch (k->k_cipher) { 129 case IEEE80211_CIPHER_WEP40: 130 case IEEE80211_CIPHER_WEP104: 131 error = ieee80211_wep_set_key(ic, k); 132 break; 133 case IEEE80211_CIPHER_TKIP: 134 error = ieee80211_tkip_set_key(ic, k); 135 break; 136 case IEEE80211_CIPHER_CCMP: 137 error = ieee80211_ccmp_set_key(ic, k); 138 break; 139 case IEEE80211_CIPHER_BIP: 140 error = ieee80211_bip_set_key(ic, k); 141 break; 142 default: 143 /* should not get there */ 144 error = EINVAL; 145 } 146 return error; 147 } 148 149 void 150 ieee80211_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni, 151 struct ieee80211_key *k) 152 { 153 switch (k->k_cipher) { 154 case IEEE80211_CIPHER_WEP40: 155 case IEEE80211_CIPHER_WEP104: 156 ieee80211_wep_delete_key(ic, k); 157 break; 158 case IEEE80211_CIPHER_TKIP: 159 ieee80211_tkip_delete_key(ic, k); 160 break; 161 case IEEE80211_CIPHER_CCMP: 162 ieee80211_ccmp_delete_key(ic, k); 163 break; 164 case IEEE80211_CIPHER_BIP: 165 ieee80211_bip_delete_key(ic, k); 166 break; 167 default: 168 /* should not get there */ 169 break; 170 } 171 explicit_bzero(k, sizeof(*k)); 172 } 173 174 struct ieee80211_key * 175 ieee80211_get_txkey(struct ieee80211com *ic, const struct ieee80211_frame *wh, 176 struct ieee80211_node *ni) 177 { 178 int kid; 179 180 if ((ic->ic_flags & IEEE80211_F_RSNON) && 181 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 182 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) 183 return &ni->ni_pairwise_key; 184 185 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 186 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 187 IEEE80211_FC0_TYPE_MGT) 188 kid = ic->ic_def_txkey; 189 else 190 kid = ic->ic_igtk_kid; 191 return &ic->ic_nw_keys[kid]; 192 } 193 194 struct mbuf * 195 ieee80211_encrypt(struct ieee80211com *ic, struct mbuf *m0, 196 struct ieee80211_key *k) 197 { 198 switch (k->k_cipher) { 199 case IEEE80211_CIPHER_WEP40: 200 case IEEE80211_CIPHER_WEP104: 201 m0 = ieee80211_wep_encrypt(ic, m0, k); 202 break; 203 case IEEE80211_CIPHER_TKIP: 204 m0 = ieee80211_tkip_encrypt(ic, m0, k); 205 break; 206 case IEEE80211_CIPHER_CCMP: 207 m0 = ieee80211_ccmp_encrypt(ic, m0, k); 208 break; 209 case IEEE80211_CIPHER_BIP: 210 m0 = ieee80211_bip_encap(ic, m0, k); 211 break; 212 default: 213 /* should not get there */ 214 m_freem(m0); 215 m0 = NULL; 216 } 217 return m0; 218 } 219 220 struct mbuf * 221 ieee80211_decrypt(struct ieee80211com *ic, struct mbuf *m0, 222 struct ieee80211_node *ni) 223 { 224 struct ieee80211_frame *wh; 225 struct ieee80211_key *k; 226 u_int8_t *ivp, *mmie; 227 u_int16_t kid; 228 int hdrlen; 229 230 /* find key for decryption */ 231 wh = mtod(m0, struct ieee80211_frame *); 232 if ((ic->ic_flags & IEEE80211_F_RSNON) && 233 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 234 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 235 k = &ni->ni_pairwise_key; 236 237 } else if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 238 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 239 IEEE80211_FC0_TYPE_MGT) { 240 /* retrieve group data key id from IV field */ 241 hdrlen = ieee80211_get_hdrlen(wh); 242 /* check that IV field is present */ 243 if (m0->m_len < hdrlen + 4) { 244 m_freem(m0); 245 return NULL; 246 } 247 ivp = (u_int8_t *)wh + hdrlen; 248 kid = ivp[3] >> 6; 249 k = &ic->ic_nw_keys[kid]; 250 } else { 251 /* retrieve integrity group key id from MMIE */ 252 if (m0->m_len < sizeof(*wh) + IEEE80211_MMIE_LEN) { 253 m_freem(m0); 254 return NULL; 255 } 256 /* it is assumed management frames are contiguous */ 257 mmie = (u_int8_t *)wh + m0->m_len - IEEE80211_MMIE_LEN; 258 /* check that MMIE is valid */ 259 if (mmie[0] != IEEE80211_ELEMID_MMIE || mmie[1] != 16) { 260 m_freem(m0); 261 return NULL; 262 } 263 kid = LE_READ_2(&mmie[2]); 264 if (kid != 4 && kid != 5) { 265 m_freem(m0); 266 return NULL; 267 } 268 k = &ic->ic_nw_keys[kid]; 269 } 270 switch (k->k_cipher) { 271 case IEEE80211_CIPHER_WEP40: 272 case IEEE80211_CIPHER_WEP104: 273 m0 = ieee80211_wep_decrypt(ic, m0, k); 274 break; 275 case IEEE80211_CIPHER_TKIP: 276 m0 = ieee80211_tkip_decrypt(ic, m0, k); 277 break; 278 case IEEE80211_CIPHER_CCMP: 279 m0 = ieee80211_ccmp_decrypt(ic, m0, k); 280 break; 281 case IEEE80211_CIPHER_BIP: 282 m0 = ieee80211_bip_decap(ic, m0, k); 283 break; 284 default: 285 /* key not defined */ 286 m_freem(m0); 287 m0 = NULL; 288 } 289 return m0; 290 } 291 292 /* 293 * SHA1-based Pseudo-Random Function (see 8.5.1.1). 294 */ 295 void 296 ieee80211_prf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 297 size_t label_len, const u_int8_t *context, size_t context_len, 298 u_int8_t *output, size_t len) 299 { 300 HMAC_SHA1_CTX ctx; 301 u_int8_t digest[SHA1_DIGEST_LENGTH]; 302 u_int8_t count; 303 304 for (count = 0; len != 0; count++) { 305 HMAC_SHA1_Init(&ctx, key, key_len); 306 HMAC_SHA1_Update(&ctx, label, label_len); 307 HMAC_SHA1_Update(&ctx, context, context_len); 308 HMAC_SHA1_Update(&ctx, &count, 1); 309 if (len < SHA1_DIGEST_LENGTH) { 310 HMAC_SHA1_Final(digest, &ctx); 311 /* truncate HMAC-SHA1 to len bytes */ 312 memcpy(output, digest, len); 313 break; 314 } 315 HMAC_SHA1_Final(output, &ctx); 316 output += SHA1_DIGEST_LENGTH; 317 len -= SHA1_DIGEST_LENGTH; 318 } 319 } 320 321 /* 322 * SHA256-based Key Derivation Function (see 8.5.1.5.2). 323 */ 324 void 325 ieee80211_kdf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 326 size_t label_len, const u_int8_t *context, size_t context_len, 327 u_int8_t *output, size_t len) 328 { 329 HMAC_SHA256_CTX ctx; 330 u_int8_t digest[SHA256_DIGEST_LENGTH]; 331 u_int16_t i, iter, length; 332 333 length = htole16(len * NBBY); 334 for (i = 1; len != 0; i++) { 335 HMAC_SHA256_Init(&ctx, key, key_len); 336 iter = htole16(i); 337 HMAC_SHA256_Update(&ctx, (u_int8_t *)&iter, sizeof iter); 338 HMAC_SHA256_Update(&ctx, label, label_len); 339 HMAC_SHA256_Update(&ctx, context, context_len); 340 HMAC_SHA256_Update(&ctx, (u_int8_t *)&length, sizeof length); 341 if (len < SHA256_DIGEST_LENGTH) { 342 HMAC_SHA256_Final(digest, &ctx); 343 /* truncate HMAC-SHA-256 to len bytes */ 344 memcpy(output, digest, len); 345 break; 346 } 347 HMAC_SHA256_Final(output, &ctx); 348 output += SHA256_DIGEST_LENGTH; 349 len -= SHA256_DIGEST_LENGTH; 350 } 351 } 352 353 /* 354 * Derive Pairwise Transient Key (PTK) (see 8.5.1.2). 355 */ 356 void 357 ieee80211_derive_ptk(enum ieee80211_akm akm, const u_int8_t *pmk, 358 const u_int8_t *aa, const u_int8_t *spa, const u_int8_t *anonce, 359 const u_int8_t *snonce, struct ieee80211_ptk *ptk) 360 { 361 void (*kdf)(const u_int8_t *, size_t, const u_int8_t *, size_t, 362 const u_int8_t *, size_t, u_int8_t *, size_t); 363 u_int8_t buf[2 * IEEE80211_ADDR_LEN + 2 * EAPOL_KEY_NONCE_LEN]; 364 int ret; 365 366 /* Min(AA,SPA) || Max(AA,SPA) */ 367 ret = memcmp(aa, spa, IEEE80211_ADDR_LEN) < 0; 368 memcpy(&buf[ 0], ret ? aa : spa, IEEE80211_ADDR_LEN); 369 memcpy(&buf[ 6], ret ? spa : aa, IEEE80211_ADDR_LEN); 370 371 /* Min(ANonce,SNonce) || Max(ANonce,SNonce) */ 372 ret = memcmp(anonce, snonce, EAPOL_KEY_NONCE_LEN) < 0; 373 memcpy(&buf[12], ret ? anonce : snonce, EAPOL_KEY_NONCE_LEN); 374 memcpy(&buf[44], ret ? snonce : anonce, EAPOL_KEY_NONCE_LEN); 375 376 kdf = ieee80211_is_sha256_akm(akm) ? ieee80211_kdf : ieee80211_prf; 377 (*kdf)(pmk, IEEE80211_PMK_LEN, "Pairwise key expansion", 23, 378 buf, sizeof buf, (u_int8_t *)ptk, sizeof(*ptk)); 379 } 380 381 static void 382 ieee80211_pmkid_sha1(const u_int8_t *pmk, const u_int8_t *aa, 383 const u_int8_t *spa, u_int8_t *pmkid) 384 { 385 HMAC_SHA1_CTX ctx; 386 u_int8_t digest[SHA1_DIGEST_LENGTH]; 387 388 HMAC_SHA1_Init(&ctx, pmk, IEEE80211_PMK_LEN); 389 HMAC_SHA1_Update(&ctx, "PMK Name", 8); 390 HMAC_SHA1_Update(&ctx, aa, IEEE80211_ADDR_LEN); 391 HMAC_SHA1_Update(&ctx, spa, IEEE80211_ADDR_LEN); 392 HMAC_SHA1_Final(digest, &ctx); 393 /* use the first 128 bits of HMAC-SHA1 */ 394 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 395 } 396 397 static void 398 ieee80211_pmkid_sha256(const u_int8_t *pmk, const u_int8_t *aa, 399 const u_int8_t *spa, u_int8_t *pmkid) 400 { 401 HMAC_SHA256_CTX ctx; 402 u_int8_t digest[SHA256_DIGEST_LENGTH]; 403 404 HMAC_SHA256_Init(&ctx, pmk, IEEE80211_PMK_LEN); 405 HMAC_SHA256_Update(&ctx, "PMK Name", 8); 406 HMAC_SHA256_Update(&ctx, aa, IEEE80211_ADDR_LEN); 407 HMAC_SHA256_Update(&ctx, spa, IEEE80211_ADDR_LEN); 408 HMAC_SHA256_Final(digest, &ctx); 409 /* use the first 128 bits of HMAC-SHA-256 */ 410 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 411 } 412 413 /* 414 * Derive Pairwise Master Key Identifier (PMKID) (see 8.5.1.2). 415 */ 416 void 417 ieee80211_derive_pmkid(enum ieee80211_akm akm, const u_int8_t *pmk, 418 const u_int8_t *aa, const u_int8_t *spa, u_int8_t *pmkid) 419 { 420 if (ieee80211_is_sha256_akm(akm)) 421 ieee80211_pmkid_sha256(pmk, aa, spa, pmkid); 422 else 423 ieee80211_pmkid_sha1(pmk, aa, spa, pmkid); 424 } 425 426 typedef union _ANY_CTX { 427 HMAC_MD5_CTX md5; 428 HMAC_SHA1_CTX sha1; 429 AES_CMAC_CTX cmac; 430 } ANY_CTX; 431 432 /* 433 * Compute the Key MIC field of an EAPOL-Key frame using the specified Key 434 * Confirmation Key (KCK). The hash function can be HMAC-MD5, HMAC-SHA1 435 * or AES-128-CMAC depending on the EAPOL-Key Key Descriptor Version. 436 */ 437 void 438 ieee80211_eapol_key_mic(struct ieee80211_eapol_key *key, const u_int8_t *kck) 439 { 440 u_int8_t digest[SHA1_DIGEST_LENGTH]; 441 ANY_CTX ctx; /* XXX off stack? */ 442 u_int len; 443 444 len = BE_READ_2(key->len) + 4; 445 446 switch (BE_READ_2(key->info) & EAPOL_KEY_VERSION_MASK) { 447 case EAPOL_KEY_DESC_V1: 448 HMAC_MD5_Init(&ctx.md5, kck, 16); 449 HMAC_MD5_Update(&ctx.md5, (u_int8_t *)key, len); 450 HMAC_MD5_Final(key->mic, &ctx.md5); 451 break; 452 case EAPOL_KEY_DESC_V2: 453 HMAC_SHA1_Init(&ctx.sha1, kck, 16); 454 HMAC_SHA1_Update(&ctx.sha1, (u_int8_t *)key, len); 455 HMAC_SHA1_Final(digest, &ctx.sha1); 456 /* truncate HMAC-SHA1 to its 128 MSBs */ 457 memcpy(key->mic, digest, EAPOL_KEY_MIC_LEN); 458 break; 459 case EAPOL_KEY_DESC_V3: 460 AES_CMAC_Init(&ctx.cmac); 461 AES_CMAC_SetKey(&ctx.cmac, kck); 462 AES_CMAC_Update(&ctx.cmac, (u_int8_t *)key, len); 463 AES_CMAC_Final(key->mic, &ctx.cmac); 464 break; 465 } 466 } 467 468 /* 469 * Check the MIC of a received EAPOL-Key frame using the specified Key 470 * Confirmation Key (KCK). 471 */ 472 int 473 ieee80211_eapol_key_check_mic(struct ieee80211_eapol_key *key, 474 const u_int8_t *kck) 475 { 476 u_int8_t mic[EAPOL_KEY_MIC_LEN]; 477 478 memcpy(mic, key->mic, EAPOL_KEY_MIC_LEN); 479 memset(key->mic, 0, EAPOL_KEY_MIC_LEN); 480 ieee80211_eapol_key_mic(key, kck); 481 482 return timingsafe_bcmp(key->mic, mic, EAPOL_KEY_MIC_LEN) != 0; 483 } 484 485 #ifndef IEEE80211_STA_ONLY 486 /* 487 * Encrypt the Key Data field of an EAPOL-Key frame using the specified Key 488 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 489 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 490 */ 491 void 492 ieee80211_eapol_key_encrypt(struct ieee80211com *ic, 493 struct ieee80211_eapol_key *key, const u_int8_t *kek) 494 { 495 union { 496 struct rc4_ctx rc4; 497 aes_key_wrap_ctx aes; 498 } ctx; /* XXX off stack? */ 499 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 500 u_int16_t len, info; 501 u_int8_t *data; 502 int n; 503 504 len = BE_READ_2(key->paylen); 505 info = BE_READ_2(key->info); 506 data = (u_int8_t *)(key + 1); 507 508 switch (info & EAPOL_KEY_VERSION_MASK) { 509 case EAPOL_KEY_DESC_V1: 510 /* set IV to the lower 16 octets of our global key counter */ 511 memcpy(key->iv, ic->ic_globalcnt + 16, 16); 512 /* increment our global key counter (256-bit, big-endian) */ 513 for (n = 31; n >= 0 && ++ic->ic_globalcnt[n] == 0; n--); 514 515 /* concatenate the EAPOL-Key IV field and the KEK */ 516 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 517 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 518 519 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 520 /* discard the first 256 octets of the ARC4 key stream */ 521 rc4_skip(&ctx.rc4, RC4STATE); 522 rc4_crypt(&ctx.rc4, data, data, len); 523 break; 524 case EAPOL_KEY_DESC_V2: 525 case EAPOL_KEY_DESC_V3: 526 if (len < 16 || (len & 7) != 0) { 527 /* insert padding */ 528 n = (len < 16) ? 16 - len : 8 - (len & 7); 529 data[len++] = IEEE80211_ELEMID_VENDOR; 530 memset(&data[len], 0, n - 1); 531 len += n - 1; 532 } 533 aes_key_wrap_set_key_wrap_only(&ctx.aes, kek, 16); 534 aes_key_wrap(&ctx.aes, data, len / 8, data); 535 len += 8; /* AES Key Wrap adds 8 bytes */ 536 /* update key data length */ 537 BE_WRITE_2(key->paylen, len); 538 /* update packet body length */ 539 BE_WRITE_2(key->len, sizeof(*key) + len - 4); 540 break; 541 } 542 } 543 #endif /* IEEE80211_STA_ONLY */ 544 545 /* 546 * Decrypt the Key Data field of an EAPOL-Key frame using the specified Key 547 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 548 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 549 */ 550 int 551 ieee80211_eapol_key_decrypt(struct ieee80211_eapol_key *key, 552 const u_int8_t *kek) 553 { 554 union { 555 struct rc4_ctx rc4; 556 aes_key_wrap_ctx aes; 557 } ctx; /* XXX off stack? */ 558 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 559 u_int16_t len, info; 560 u_int8_t *data; 561 562 len = BE_READ_2(key->paylen); 563 info = BE_READ_2(key->info); 564 data = (u_int8_t *)(key + 1); 565 566 switch (info & EAPOL_KEY_VERSION_MASK) { 567 case EAPOL_KEY_DESC_V1: 568 /* concatenate the EAPOL-Key IV field and the KEK */ 569 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 570 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 571 572 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 573 /* discard the first 256 octets of the ARC4 key stream */ 574 rc4_skip(&ctx.rc4, RC4STATE); 575 rc4_crypt(&ctx.rc4, data, data, len); 576 return 0; 577 case EAPOL_KEY_DESC_V2: 578 case EAPOL_KEY_DESC_V3: 579 /* Key Data Length must be a multiple of 8 */ 580 if (len < 16 + 8 || (len & 7) != 0) 581 return 1; 582 len -= 8; /* AES Key Wrap adds 8 bytes */ 583 aes_key_wrap_set_key(&ctx.aes, kek, 16); 584 return aes_key_unwrap(&ctx.aes, data, data, len / 8); 585 } 586 587 return 1; /* unknown Key Descriptor Version */ 588 } 589 590 /* 591 * Add a PMK entry to the PMKSA cache. 592 */ 593 struct ieee80211_pmk * 594 ieee80211_pmksa_add(struct ieee80211com *ic, enum ieee80211_akm akm, 595 const u_int8_t *macaddr, const u_int8_t *key, u_int32_t lifetime) 596 { 597 struct ieee80211_pmk *pmk; 598 599 /* check if an entry already exists for this (STA,AKMP) */ 600 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 601 if (pmk->pmk_akm == akm && 602 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, macaddr)) 603 break; 604 } 605 if (pmk == NULL) { 606 /* allocate a new PMKSA entry */ 607 if ((pmk = malloc(sizeof(*pmk), M_DEVBUF, M_NOWAIT)) == NULL) 608 return NULL; 609 pmk->pmk_akm = akm; 610 IEEE80211_ADDR_COPY(pmk->pmk_macaddr, macaddr); 611 TAILQ_INSERT_TAIL(&ic->ic_pmksa, pmk, pmk_next); 612 } 613 memcpy(pmk->pmk_key, key, IEEE80211_PMK_LEN); 614 pmk->pmk_lifetime = lifetime; /* XXX not used yet */ 615 #ifndef IEEE80211_STA_ONLY 616 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 617 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 618 ic->ic_myaddr, macaddr, pmk->pmk_pmkid); 619 } else 620 #endif 621 { 622 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 623 macaddr, ic->ic_myaddr, pmk->pmk_pmkid); 624 } 625 return pmk; 626 } 627 628 /* 629 * Check if we have a cached PMK entry for the specified node and PMKID. 630 */ 631 struct ieee80211_pmk * 632 ieee80211_pmksa_find(struct ieee80211com *ic, struct ieee80211_node *ni, 633 const u_int8_t *pmkid) 634 { 635 struct ieee80211_pmk *pmk; 636 637 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 638 if (pmk->pmk_akm == ni->ni_rsnakms && 639 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, ni->ni_macaddr) && 640 (pmkid == NULL || 641 memcmp(pmk->pmk_pmkid, pmkid, IEEE80211_PMKID_LEN) == 0)) 642 break; 643 } 644 return pmk; 645 } 646