1 /* $OpenBSD: ieee80211_crypto.c,v 1.62 2014/07/12 18:44:22 tedu Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> 20 #include <sys/systm.h> 21 #include <sys/mbuf.h> 22 #include <sys/malloc.h> 23 #include <sys/kernel.h> 24 #include <sys/socket.h> 25 #include <sys/sockio.h> 26 #include <sys/endian.h> 27 #include <sys/errno.h> 28 #include <sys/proc.h> 29 #include <sys/sysctl.h> 30 31 #include <net/if.h> 32 #include <net/if_dl.h> 33 #include <net/if_media.h> 34 #include <net/if_arp.h> 35 36 #ifdef INET 37 #include <netinet/in.h> 38 #include <netinet/if_ether.h> 39 #endif 40 41 #include <net80211/ieee80211_var.h> 42 #include <net80211/ieee80211_priv.h> 43 44 #include <dev/rndvar.h> 45 #include <crypto/arc4.h> 46 #include <crypto/md5.h> 47 #include <crypto/sha1.h> 48 #include <crypto/sha2.h> 49 #include <crypto/hmac.h> 50 #include <crypto/rijndael.h> 51 #include <crypto/cmac.h> 52 #include <crypto/key_wrap.h> 53 54 void ieee80211_prf(const u_int8_t *, size_t, const u_int8_t *, size_t, 55 const u_int8_t *, size_t, u_int8_t *, size_t); 56 void ieee80211_kdf(const u_int8_t *, size_t, const u_int8_t *, size_t, 57 const u_int8_t *, size_t, u_int8_t *, size_t); 58 void ieee80211_derive_pmkid(enum ieee80211_akm, const u_int8_t *, 59 const u_int8_t *, const u_int8_t *, u_int8_t *); 60 61 void 62 ieee80211_crypto_attach(struct ifnet *ifp) 63 { 64 struct ieee80211com *ic = (void *)ifp; 65 66 TAILQ_INIT(&ic->ic_pmksa); 67 if (ic->ic_caps & IEEE80211_C_RSN) { 68 ic->ic_rsnprotos = IEEE80211_PROTO_WPA | IEEE80211_PROTO_RSN; 69 ic->ic_rsnakms = IEEE80211_AKM_PSK; 70 ic->ic_rsnciphers = IEEE80211_CIPHER_TKIP | 71 IEEE80211_CIPHER_CCMP; 72 ic->ic_rsngroupcipher = IEEE80211_CIPHER_TKIP; 73 ic->ic_rsngroupmgmtcipher = IEEE80211_CIPHER_BIP; 74 } 75 ic->ic_set_key = ieee80211_set_key; 76 ic->ic_delete_key = ieee80211_delete_key; 77 } 78 79 void 80 ieee80211_crypto_detach(struct ifnet *ifp) 81 { 82 struct ieee80211com *ic = (void *)ifp; 83 struct ieee80211_pmk *pmk; 84 int i; 85 86 /* purge the PMKSA cache */ 87 while ((pmk = TAILQ_FIRST(&ic->ic_pmksa)) != NULL) { 88 TAILQ_REMOVE(&ic->ic_pmksa, pmk, pmk_next); 89 explicit_bzero(pmk, sizeof(*pmk)); 90 free(pmk, M_DEVBUF, 0); 91 } 92 93 /* clear all group keys from memory */ 94 for (i = 0; i < IEEE80211_GROUP_NKID; i++) { 95 struct ieee80211_key *k = &ic->ic_nw_keys[i]; 96 if (k->k_cipher != IEEE80211_CIPHER_NONE) 97 (*ic->ic_delete_key)(ic, NULL, k); 98 explicit_bzero(k, sizeof(*k)); 99 } 100 101 /* clear pre-shared key from memory */ 102 explicit_bzero(ic->ic_psk, IEEE80211_PMK_LEN); 103 } 104 105 /* 106 * Return the length in bytes of a cipher suite key (see Table 60). 107 */ 108 int 109 ieee80211_cipher_keylen(enum ieee80211_cipher cipher) 110 { 111 switch (cipher) { 112 case IEEE80211_CIPHER_WEP40: 113 return 5; 114 case IEEE80211_CIPHER_TKIP: 115 return 32; 116 case IEEE80211_CIPHER_CCMP: 117 return 16; 118 case IEEE80211_CIPHER_WEP104: 119 return 13; 120 case IEEE80211_CIPHER_BIP: 121 return 16; 122 default: /* unknown cipher */ 123 return 0; 124 } 125 } 126 127 int 128 ieee80211_set_key(struct ieee80211com *ic, struct ieee80211_node *ni, 129 struct ieee80211_key *k) 130 { 131 int error; 132 133 switch (k->k_cipher) { 134 case IEEE80211_CIPHER_WEP40: 135 case IEEE80211_CIPHER_WEP104: 136 error = ieee80211_wep_set_key(ic, k); 137 break; 138 case IEEE80211_CIPHER_TKIP: 139 error = ieee80211_tkip_set_key(ic, k); 140 break; 141 case IEEE80211_CIPHER_CCMP: 142 error = ieee80211_ccmp_set_key(ic, k); 143 break; 144 case IEEE80211_CIPHER_BIP: 145 error = ieee80211_bip_set_key(ic, k); 146 break; 147 default: 148 /* should not get there */ 149 error = EINVAL; 150 } 151 return error; 152 } 153 154 void 155 ieee80211_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni, 156 struct ieee80211_key *k) 157 { 158 switch (k->k_cipher) { 159 case IEEE80211_CIPHER_WEP40: 160 case IEEE80211_CIPHER_WEP104: 161 ieee80211_wep_delete_key(ic, k); 162 break; 163 case IEEE80211_CIPHER_TKIP: 164 ieee80211_tkip_delete_key(ic, k); 165 break; 166 case IEEE80211_CIPHER_CCMP: 167 ieee80211_ccmp_delete_key(ic, k); 168 break; 169 case IEEE80211_CIPHER_BIP: 170 ieee80211_bip_delete_key(ic, k); 171 break; 172 default: 173 /* should not get there */ 174 break; 175 } 176 explicit_bzero(k, sizeof(*k)); 177 } 178 179 struct ieee80211_key * 180 ieee80211_get_txkey(struct ieee80211com *ic, const struct ieee80211_frame *wh, 181 struct ieee80211_node *ni) 182 { 183 int kid; 184 185 if ((ic->ic_flags & IEEE80211_F_RSNON) && 186 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 187 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) 188 return &ni->ni_pairwise_key; 189 190 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 191 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 192 IEEE80211_FC0_TYPE_MGT) 193 kid = ic->ic_def_txkey; 194 else 195 kid = ic->ic_igtk_kid; 196 return &ic->ic_nw_keys[kid]; 197 } 198 199 struct mbuf * 200 ieee80211_encrypt(struct ieee80211com *ic, struct mbuf *m0, 201 struct ieee80211_key *k) 202 { 203 switch (k->k_cipher) { 204 case IEEE80211_CIPHER_WEP40: 205 case IEEE80211_CIPHER_WEP104: 206 m0 = ieee80211_wep_encrypt(ic, m0, k); 207 break; 208 case IEEE80211_CIPHER_TKIP: 209 m0 = ieee80211_tkip_encrypt(ic, m0, k); 210 break; 211 case IEEE80211_CIPHER_CCMP: 212 m0 = ieee80211_ccmp_encrypt(ic, m0, k); 213 break; 214 case IEEE80211_CIPHER_BIP: 215 m0 = ieee80211_bip_encap(ic, m0, k); 216 break; 217 default: 218 /* should not get there */ 219 m_freem(m0); 220 m0 = NULL; 221 } 222 return m0; 223 } 224 225 struct mbuf * 226 ieee80211_decrypt(struct ieee80211com *ic, struct mbuf *m0, 227 struct ieee80211_node *ni) 228 { 229 struct ieee80211_frame *wh; 230 struct ieee80211_key *k; 231 u_int8_t *ivp, *mmie; 232 u_int16_t kid; 233 int hdrlen; 234 235 /* find key for decryption */ 236 wh = mtod(m0, struct ieee80211_frame *); 237 if ((ic->ic_flags & IEEE80211_F_RSNON) && 238 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 239 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 240 k = &ni->ni_pairwise_key; 241 242 } else if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 243 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 244 IEEE80211_FC0_TYPE_MGT) { 245 /* retrieve group data key id from IV field */ 246 hdrlen = ieee80211_get_hdrlen(wh); 247 /* check that IV field is present */ 248 if (m0->m_len < hdrlen + 4) { 249 m_freem(m0); 250 return NULL; 251 } 252 ivp = (u_int8_t *)wh + hdrlen; 253 kid = ivp[3] >> 6; 254 k = &ic->ic_nw_keys[kid]; 255 } else { 256 /* retrieve integrity group key id from MMIE */ 257 if (m0->m_len < sizeof(*wh) + IEEE80211_MMIE_LEN) { 258 m_freem(m0); 259 return NULL; 260 } 261 /* it is assumed management frames are contiguous */ 262 mmie = (u_int8_t *)wh + m0->m_len - IEEE80211_MMIE_LEN; 263 /* check that MMIE is valid */ 264 if (mmie[0] != IEEE80211_ELEMID_MMIE || mmie[1] != 16) { 265 m_freem(m0); 266 return NULL; 267 } 268 kid = LE_READ_2(&mmie[2]); 269 if (kid != 4 && kid != 5) { 270 m_freem(m0); 271 return NULL; 272 } 273 k = &ic->ic_nw_keys[kid]; 274 } 275 switch (k->k_cipher) { 276 case IEEE80211_CIPHER_WEP40: 277 case IEEE80211_CIPHER_WEP104: 278 m0 = ieee80211_wep_decrypt(ic, m0, k); 279 break; 280 case IEEE80211_CIPHER_TKIP: 281 m0 = ieee80211_tkip_decrypt(ic, m0, k); 282 break; 283 case IEEE80211_CIPHER_CCMP: 284 m0 = ieee80211_ccmp_decrypt(ic, m0, k); 285 break; 286 case IEEE80211_CIPHER_BIP: 287 m0 = ieee80211_bip_decap(ic, m0, k); 288 break; 289 default: 290 /* key not defined */ 291 m_freem(m0); 292 m0 = NULL; 293 } 294 return m0; 295 } 296 297 /* 298 * SHA1-based Pseudo-Random Function (see 8.5.1.1). 299 */ 300 void 301 ieee80211_prf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 302 size_t label_len, const u_int8_t *context, size_t context_len, 303 u_int8_t *output, size_t len) 304 { 305 HMAC_SHA1_CTX ctx; 306 u_int8_t digest[SHA1_DIGEST_LENGTH]; 307 u_int8_t count; 308 309 for (count = 0; len != 0; count++) { 310 HMAC_SHA1_Init(&ctx, key, key_len); 311 HMAC_SHA1_Update(&ctx, label, label_len); 312 HMAC_SHA1_Update(&ctx, context, context_len); 313 HMAC_SHA1_Update(&ctx, &count, 1); 314 if (len < SHA1_DIGEST_LENGTH) { 315 HMAC_SHA1_Final(digest, &ctx); 316 /* truncate HMAC-SHA1 to len bytes */ 317 memcpy(output, digest, len); 318 break; 319 } 320 HMAC_SHA1_Final(output, &ctx); 321 output += SHA1_DIGEST_LENGTH; 322 len -= SHA1_DIGEST_LENGTH; 323 } 324 } 325 326 /* 327 * SHA256-based Key Derivation Function (see 8.5.1.5.2). 328 */ 329 void 330 ieee80211_kdf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 331 size_t label_len, const u_int8_t *context, size_t context_len, 332 u_int8_t *output, size_t len) 333 { 334 HMAC_SHA256_CTX ctx; 335 u_int8_t digest[SHA256_DIGEST_LENGTH]; 336 u_int16_t i, iter, length; 337 338 length = htole16(len * NBBY); 339 for (i = 1; len != 0; i++) { 340 HMAC_SHA256_Init(&ctx, key, key_len); 341 iter = htole16(i); 342 HMAC_SHA256_Update(&ctx, (u_int8_t *)&iter, sizeof iter); 343 HMAC_SHA256_Update(&ctx, label, label_len); 344 HMAC_SHA256_Update(&ctx, context, context_len); 345 HMAC_SHA256_Update(&ctx, (u_int8_t *)&length, sizeof length); 346 if (len < SHA256_DIGEST_LENGTH) { 347 HMAC_SHA256_Final(digest, &ctx); 348 /* truncate HMAC-SHA-256 to len bytes */ 349 memcpy(output, digest, len); 350 break; 351 } 352 HMAC_SHA256_Final(output, &ctx); 353 output += SHA256_DIGEST_LENGTH; 354 len -= SHA256_DIGEST_LENGTH; 355 } 356 } 357 358 /* 359 * Derive Pairwise Transient Key (PTK) (see 8.5.1.2). 360 */ 361 void 362 ieee80211_derive_ptk(enum ieee80211_akm akm, const u_int8_t *pmk, 363 const u_int8_t *aa, const u_int8_t *spa, const u_int8_t *anonce, 364 const u_int8_t *snonce, struct ieee80211_ptk *ptk) 365 { 366 void (*kdf)(const u_int8_t *, size_t, const u_int8_t *, size_t, 367 const u_int8_t *, size_t, u_int8_t *, size_t); 368 u_int8_t buf[2 * IEEE80211_ADDR_LEN + 2 * EAPOL_KEY_NONCE_LEN]; 369 int ret; 370 371 /* Min(AA,SPA) || Max(AA,SPA) */ 372 ret = memcmp(aa, spa, IEEE80211_ADDR_LEN) < 0; 373 memcpy(&buf[ 0], ret ? aa : spa, IEEE80211_ADDR_LEN); 374 memcpy(&buf[ 6], ret ? spa : aa, IEEE80211_ADDR_LEN); 375 376 /* Min(ANonce,SNonce) || Max(ANonce,SNonce) */ 377 ret = memcmp(anonce, snonce, EAPOL_KEY_NONCE_LEN) < 0; 378 memcpy(&buf[12], ret ? anonce : snonce, EAPOL_KEY_NONCE_LEN); 379 memcpy(&buf[44], ret ? snonce : anonce, EAPOL_KEY_NONCE_LEN); 380 381 kdf = ieee80211_is_sha256_akm(akm) ? ieee80211_kdf : ieee80211_prf; 382 (*kdf)(pmk, IEEE80211_PMK_LEN, "Pairwise key expansion", 23, 383 buf, sizeof buf, (u_int8_t *)ptk, sizeof(*ptk)); 384 } 385 386 static void 387 ieee80211_pmkid_sha1(const u_int8_t *pmk, const u_int8_t *aa, 388 const u_int8_t *spa, u_int8_t *pmkid) 389 { 390 HMAC_SHA1_CTX ctx; 391 u_int8_t digest[SHA1_DIGEST_LENGTH]; 392 393 HMAC_SHA1_Init(&ctx, pmk, IEEE80211_PMK_LEN); 394 HMAC_SHA1_Update(&ctx, "PMK Name", 8); 395 HMAC_SHA1_Update(&ctx, aa, IEEE80211_ADDR_LEN); 396 HMAC_SHA1_Update(&ctx, spa, IEEE80211_ADDR_LEN); 397 HMAC_SHA1_Final(digest, &ctx); 398 /* use the first 128 bits of HMAC-SHA1 */ 399 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 400 } 401 402 static void 403 ieee80211_pmkid_sha256(const u_int8_t *pmk, const u_int8_t *aa, 404 const u_int8_t *spa, u_int8_t *pmkid) 405 { 406 HMAC_SHA256_CTX ctx; 407 u_int8_t digest[SHA256_DIGEST_LENGTH]; 408 409 HMAC_SHA256_Init(&ctx, pmk, IEEE80211_PMK_LEN); 410 HMAC_SHA256_Update(&ctx, "PMK Name", 8); 411 HMAC_SHA256_Update(&ctx, aa, IEEE80211_ADDR_LEN); 412 HMAC_SHA256_Update(&ctx, spa, IEEE80211_ADDR_LEN); 413 HMAC_SHA256_Final(digest, &ctx); 414 /* use the first 128 bits of HMAC-SHA-256 */ 415 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 416 } 417 418 /* 419 * Derive Pairwise Master Key Identifier (PMKID) (see 8.5.1.2). 420 */ 421 void 422 ieee80211_derive_pmkid(enum ieee80211_akm akm, const u_int8_t *pmk, 423 const u_int8_t *aa, const u_int8_t *spa, u_int8_t *pmkid) 424 { 425 if (ieee80211_is_sha256_akm(akm)) 426 ieee80211_pmkid_sha256(pmk, aa, spa, pmkid); 427 else 428 ieee80211_pmkid_sha1(pmk, aa, spa, pmkid); 429 } 430 431 typedef union _ANY_CTX { 432 HMAC_MD5_CTX md5; 433 HMAC_SHA1_CTX sha1; 434 AES_CMAC_CTX cmac; 435 } ANY_CTX; 436 437 /* 438 * Compute the Key MIC field of an EAPOL-Key frame using the specified Key 439 * Confirmation Key (KCK). The hash function can be HMAC-MD5, HMAC-SHA1 440 * or AES-128-CMAC depending on the EAPOL-Key Key Descriptor Version. 441 */ 442 void 443 ieee80211_eapol_key_mic(struct ieee80211_eapol_key *key, const u_int8_t *kck) 444 { 445 u_int8_t digest[SHA1_DIGEST_LENGTH]; 446 ANY_CTX ctx; /* XXX off stack? */ 447 u_int len; 448 449 len = BE_READ_2(key->len) + 4; 450 451 switch (BE_READ_2(key->info) & EAPOL_KEY_VERSION_MASK) { 452 case EAPOL_KEY_DESC_V1: 453 HMAC_MD5_Init(&ctx.md5, kck, 16); 454 HMAC_MD5_Update(&ctx.md5, (u_int8_t *)key, len); 455 HMAC_MD5_Final(key->mic, &ctx.md5); 456 break; 457 case EAPOL_KEY_DESC_V2: 458 HMAC_SHA1_Init(&ctx.sha1, kck, 16); 459 HMAC_SHA1_Update(&ctx.sha1, (u_int8_t *)key, len); 460 HMAC_SHA1_Final(digest, &ctx.sha1); 461 /* truncate HMAC-SHA1 to its 128 MSBs */ 462 memcpy(key->mic, digest, EAPOL_KEY_MIC_LEN); 463 break; 464 case EAPOL_KEY_DESC_V3: 465 AES_CMAC_Init(&ctx.cmac); 466 AES_CMAC_SetKey(&ctx.cmac, kck); 467 AES_CMAC_Update(&ctx.cmac, (u_int8_t *)key, len); 468 AES_CMAC_Final(key->mic, &ctx.cmac); 469 break; 470 } 471 } 472 473 /* 474 * Check the MIC of a received EAPOL-Key frame using the specified Key 475 * Confirmation Key (KCK). 476 */ 477 int 478 ieee80211_eapol_key_check_mic(struct ieee80211_eapol_key *key, 479 const u_int8_t *kck) 480 { 481 u_int8_t mic[EAPOL_KEY_MIC_LEN]; 482 483 memcpy(mic, key->mic, EAPOL_KEY_MIC_LEN); 484 memset(key->mic, 0, EAPOL_KEY_MIC_LEN); 485 ieee80211_eapol_key_mic(key, kck); 486 487 return timingsafe_bcmp(key->mic, mic, EAPOL_KEY_MIC_LEN) != 0; 488 } 489 490 #ifndef IEEE80211_STA_ONLY 491 /* 492 * Encrypt the Key Data field of an EAPOL-Key frame using the specified Key 493 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 494 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 495 */ 496 void 497 ieee80211_eapol_key_encrypt(struct ieee80211com *ic, 498 struct ieee80211_eapol_key *key, const u_int8_t *kek) 499 { 500 union { 501 struct rc4_ctx rc4; 502 aes_key_wrap_ctx aes; 503 } ctx; /* XXX off stack? */ 504 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 505 u_int16_t len, info; 506 u_int8_t *data; 507 int n; 508 509 len = BE_READ_2(key->paylen); 510 info = BE_READ_2(key->info); 511 data = (u_int8_t *)(key + 1); 512 513 switch (info & EAPOL_KEY_VERSION_MASK) { 514 case EAPOL_KEY_DESC_V1: 515 /* set IV to the lower 16 octets of our global key counter */ 516 memcpy(key->iv, ic->ic_globalcnt + 16, 16); 517 /* increment our global key counter (256-bit, big-endian) */ 518 for (n = 31; n >= 0 && ++ic->ic_globalcnt[n] == 0; n--); 519 520 /* concatenate the EAPOL-Key IV field and the KEK */ 521 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 522 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 523 524 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 525 /* discard the first 256 octets of the ARC4 key stream */ 526 rc4_skip(&ctx.rc4, RC4STATE); 527 rc4_crypt(&ctx.rc4, data, data, len); 528 break; 529 case EAPOL_KEY_DESC_V2: 530 case EAPOL_KEY_DESC_V3: 531 if (len < 16 || (len & 7) != 0) { 532 /* insert padding */ 533 n = (len < 16) ? 16 - len : 8 - (len & 7); 534 data[len++] = IEEE80211_ELEMID_VENDOR; 535 memset(&data[len], 0, n - 1); 536 len += n - 1; 537 } 538 aes_key_wrap_set_key_wrap_only(&ctx.aes, kek, 16); 539 aes_key_wrap(&ctx.aes, data, len / 8, data); 540 len += 8; /* AES Key Wrap adds 8 bytes */ 541 /* update key data length */ 542 BE_WRITE_2(key->paylen, len); 543 /* update packet body length */ 544 BE_WRITE_2(key->len, sizeof(*key) + len - 4); 545 break; 546 } 547 } 548 #endif /* IEEE80211_STA_ONLY */ 549 550 /* 551 * Decrypt the Key Data field of an EAPOL-Key frame using the specified Key 552 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 553 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 554 */ 555 int 556 ieee80211_eapol_key_decrypt(struct ieee80211_eapol_key *key, 557 const u_int8_t *kek) 558 { 559 union { 560 struct rc4_ctx rc4; 561 aes_key_wrap_ctx aes; 562 } ctx; /* XXX off stack? */ 563 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 564 u_int16_t len, info; 565 u_int8_t *data; 566 567 len = BE_READ_2(key->paylen); 568 info = BE_READ_2(key->info); 569 data = (u_int8_t *)(key + 1); 570 571 switch (info & EAPOL_KEY_VERSION_MASK) { 572 case EAPOL_KEY_DESC_V1: 573 /* concatenate the EAPOL-Key IV field and the KEK */ 574 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 575 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 576 577 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 578 /* discard the first 256 octets of the ARC4 key stream */ 579 rc4_skip(&ctx.rc4, RC4STATE); 580 rc4_crypt(&ctx.rc4, data, data, len); 581 return 0; 582 case EAPOL_KEY_DESC_V2: 583 case EAPOL_KEY_DESC_V3: 584 /* Key Data Length must be a multiple of 8 */ 585 if (len < 16 + 8 || (len & 7) != 0) 586 return 1; 587 len -= 8; /* AES Key Wrap adds 8 bytes */ 588 aes_key_wrap_set_key(&ctx.aes, kek, 16); 589 return aes_key_unwrap(&ctx.aes, data, data, len / 8); 590 } 591 592 return 1; /* unknown Key Descriptor Version */ 593 } 594 595 /* 596 * Add a PMK entry to the PMKSA cache. 597 */ 598 struct ieee80211_pmk * 599 ieee80211_pmksa_add(struct ieee80211com *ic, enum ieee80211_akm akm, 600 const u_int8_t *macaddr, const u_int8_t *key, u_int32_t lifetime) 601 { 602 struct ieee80211_pmk *pmk; 603 604 /* check if an entry already exists for this (STA,AKMP) */ 605 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 606 if (pmk->pmk_akm == akm && 607 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, macaddr)) 608 break; 609 } 610 if (pmk == NULL) { 611 /* allocate a new PMKSA entry */ 612 if ((pmk = malloc(sizeof(*pmk), M_DEVBUF, M_NOWAIT)) == NULL) 613 return NULL; 614 pmk->pmk_akm = akm; 615 IEEE80211_ADDR_COPY(pmk->pmk_macaddr, macaddr); 616 TAILQ_INSERT_TAIL(&ic->ic_pmksa, pmk, pmk_next); 617 } 618 memcpy(pmk->pmk_key, key, IEEE80211_PMK_LEN); 619 pmk->pmk_lifetime = lifetime; /* XXX not used yet */ 620 #ifndef IEEE80211_STA_ONLY 621 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 622 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 623 ic->ic_myaddr, macaddr, pmk->pmk_pmkid); 624 } else 625 #endif 626 { 627 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 628 macaddr, ic->ic_myaddr, pmk->pmk_pmkid); 629 } 630 return pmk; 631 } 632 633 /* 634 * Check if we have a cached PMK entry for the specified node and PMKID. 635 */ 636 struct ieee80211_pmk * 637 ieee80211_pmksa_find(struct ieee80211com *ic, struct ieee80211_node *ni, 638 const u_int8_t *pmkid) 639 { 640 struct ieee80211_pmk *pmk; 641 642 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 643 if (pmk->pmk_akm == ni->ni_rsnakms && 644 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, ni->ni_macaddr) && 645 (pmkid == NULL || 646 memcmp(pmk->pmk_pmkid, pmkid, IEEE80211_PMKID_LEN) == 0)) 647 break; 648 } 649 return pmk; 650 } 651