1 /* $OpenBSD: ieee80211_crypto.c,v 1.56 2008/09/27 15:16:09 damien Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> 20 #include <sys/systm.h> 21 #include <sys/mbuf.h> 22 #include <sys/malloc.h> 23 #include <sys/kernel.h> 24 #include <sys/socket.h> 25 #include <sys/sockio.h> 26 #include <sys/endian.h> 27 #include <sys/errno.h> 28 #include <sys/proc.h> 29 #include <sys/sysctl.h> 30 31 #include <net/if.h> 32 #include <net/if_dl.h> 33 #include <net/if_media.h> 34 #include <net/if_arp.h> 35 #include <net/if_llc.h> 36 37 #ifdef INET 38 #include <netinet/in.h> 39 #include <netinet/if_ether.h> 40 #endif 41 42 #include <net80211/ieee80211_var.h> 43 #include <net80211/ieee80211_priv.h> 44 45 #include <dev/rndvar.h> 46 #include <crypto/arc4.h> 47 #include <crypto/md5.h> 48 #include <crypto/sha1.h> 49 #include <crypto/sha2.h> 50 #include <crypto/hmac.h> 51 #include <crypto/rijndael.h> 52 #include <crypto/cmac.h> 53 #include <crypto/key_wrap.h> 54 55 void ieee80211_prf(const u_int8_t *, size_t, const u_int8_t *, size_t, 56 const u_int8_t *, size_t, u_int8_t *, size_t); 57 void ieee80211_kdf(const u_int8_t *, size_t, const u_int8_t *, size_t, 58 const u_int8_t *, size_t, u_int8_t *, size_t); 59 void ieee80211_derive_pmkid(enum ieee80211_akm, const u_int8_t *, 60 const u_int8_t *, const u_int8_t *, u_int8_t *); 61 62 void 63 ieee80211_crypto_attach(struct ifnet *ifp) 64 { 65 struct ieee80211com *ic = (void *)ifp; 66 67 TAILQ_INIT(&ic->ic_pmksa); 68 if (ic->ic_caps & IEEE80211_C_RSN) { 69 ic->ic_rsnprotos = IEEE80211_PROTO_WPA | IEEE80211_PROTO_RSN; 70 ic->ic_rsnakms = IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK | 71 IEEE80211_AKM_8021X | IEEE80211_AKM_SHA256_8021X; 72 ic->ic_rsnciphers = IEEE80211_CIPHER_TKIP | 73 IEEE80211_CIPHER_CCMP; 74 ic->ic_rsngroupcipher = IEEE80211_CIPHER_TKIP; 75 ic->ic_rsngroupmgmtcipher = IEEE80211_CIPHER_AES128_CMAC; 76 } 77 ic->ic_set_key = ieee80211_set_key; 78 ic->ic_delete_key = ieee80211_delete_key; 79 } 80 81 void 82 ieee80211_crypto_detach(struct ifnet *ifp) 83 { 84 struct ieee80211com *ic = (void *)ifp; 85 struct ieee80211_pmk *pmk; 86 int i; 87 88 /* purge the PMKSA cache */ 89 while ((pmk = TAILQ_FIRST(&ic->ic_pmksa)) != NULL) { 90 TAILQ_REMOVE(&ic->ic_pmksa, pmk, pmk_next); 91 memset(pmk, 0, sizeof(*pmk)); 92 free(pmk, M_DEVBUF); 93 } 94 95 /* clear all group keys from memory */ 96 for (i = 0; i < IEEE80211_GROUP_NKID; i++) { 97 struct ieee80211_key *k = &ic->ic_nw_keys[i]; 98 if (k->k_cipher != IEEE80211_CIPHER_NONE) 99 (*ic->ic_delete_key)(ic, NULL, k); 100 memset(k, 0, sizeof(*k)); 101 } 102 103 /* clear pre-shared key from memory */ 104 memset(ic->ic_psk, 0, IEEE80211_PMK_LEN); 105 } 106 107 /* 108 * Return the length in bytes of a cipher suite key (see Table 60). 109 */ 110 int 111 ieee80211_cipher_keylen(enum ieee80211_cipher cipher) 112 { 113 switch (cipher) { 114 case IEEE80211_CIPHER_WEP40: 115 return 5; 116 case IEEE80211_CIPHER_TKIP: 117 return 32; 118 case IEEE80211_CIPHER_CCMP: 119 return 16; 120 case IEEE80211_CIPHER_WEP104: 121 return 13; 122 case IEEE80211_CIPHER_AES128_CMAC: 123 return 16; 124 default: /* unknown cipher */ 125 return 0; 126 } 127 } 128 129 int 130 ieee80211_set_key(struct ieee80211com *ic, struct ieee80211_node *ni, 131 struct ieee80211_key *k) 132 { 133 int error; 134 135 switch (k->k_cipher) { 136 case IEEE80211_CIPHER_WEP40: 137 case IEEE80211_CIPHER_WEP104: 138 error = ieee80211_wep_set_key(ic, k); 139 break; 140 case IEEE80211_CIPHER_TKIP: 141 error = ieee80211_tkip_set_key(ic, k); 142 break; 143 case IEEE80211_CIPHER_CCMP: 144 error = ieee80211_ccmp_set_key(ic, k); 145 break; 146 case IEEE80211_CIPHER_AES128_CMAC: 147 error = ieee80211_bip_set_key(ic, k); 148 break; 149 default: 150 /* should not get there */ 151 error = EINVAL; 152 } 153 return error; 154 } 155 156 void 157 ieee80211_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni, 158 struct ieee80211_key *k) 159 { 160 switch (k->k_cipher) { 161 case IEEE80211_CIPHER_WEP40: 162 case IEEE80211_CIPHER_WEP104: 163 ieee80211_wep_delete_key(ic, k); 164 break; 165 case IEEE80211_CIPHER_TKIP: 166 ieee80211_tkip_delete_key(ic, k); 167 break; 168 case IEEE80211_CIPHER_CCMP: 169 ieee80211_ccmp_delete_key(ic, k); 170 break; 171 case IEEE80211_CIPHER_AES128_CMAC: 172 ieee80211_bip_delete_key(ic, k); 173 break; 174 default: 175 /* should not get there */ 176 break; 177 } 178 memset(k, 0, sizeof(*k)); 179 } 180 181 struct ieee80211_key * 182 ieee80211_get_txkey(struct ieee80211com *ic, const struct ieee80211_frame *wh, 183 struct ieee80211_node *ni) 184 { 185 int kid; 186 187 if ((ic->ic_flags & IEEE80211_F_RSNON) && 188 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 189 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) 190 return &ni->ni_pairwise_key; 191 192 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 193 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 194 IEEE80211_FC0_TYPE_MGT) 195 kid = ic->ic_def_txkey; 196 else 197 kid = ic->ic_igtk_kid; 198 return &ic->ic_nw_keys[kid]; 199 } 200 201 struct mbuf * 202 ieee80211_encrypt(struct ieee80211com *ic, struct mbuf *m0, 203 struct ieee80211_key *k) 204 { 205 switch (k->k_cipher) { 206 case IEEE80211_CIPHER_WEP40: 207 case IEEE80211_CIPHER_WEP104: 208 m0 = ieee80211_wep_encrypt(ic, m0, k); 209 break; 210 case IEEE80211_CIPHER_TKIP: 211 m0 = ieee80211_tkip_encrypt(ic, m0, k); 212 break; 213 case IEEE80211_CIPHER_CCMP: 214 m0 = ieee80211_ccmp_encrypt(ic, m0, k); 215 break; 216 case IEEE80211_CIPHER_AES128_CMAC: 217 m0 = ieee80211_bip_encap(ic, m0, k); 218 break; 219 default: 220 /* should not get there */ 221 m_freem(m0); 222 m0 = NULL; 223 } 224 return m0; 225 } 226 227 struct mbuf * 228 ieee80211_decrypt(struct ieee80211com *ic, struct mbuf *m0, 229 struct ieee80211_node *ni) 230 { 231 struct ieee80211_frame *wh; 232 struct ieee80211_key *k; 233 u_int8_t *ivp, *mmie; 234 u_int16_t kid; 235 int hdrlen; 236 237 /* find key for decryption */ 238 wh = mtod(m0, struct ieee80211_frame *); 239 if ((ic->ic_flags & IEEE80211_F_RSNON) && 240 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 241 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 242 k = &ni->ni_pairwise_key; 243 244 } else if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 245 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 246 IEEE80211_FC0_TYPE_MGT) { 247 /* retrieve group data key id from IV field */ 248 hdrlen = ieee80211_get_hdrlen(wh); 249 /* check that IV field is present */ 250 if (m0->m_len < hdrlen + 4) { 251 m_freem(m0); 252 return NULL; 253 } 254 ivp = (u_int8_t *)wh + hdrlen; 255 kid = ivp[3] >> 6; 256 k = &ic->ic_nw_keys[kid]; 257 } else { 258 /* retrieve integrity group key id from MMIE */ 259 if (m0->m_len < sizeof(*wh) + IEEE80211_MMIE_LEN) { 260 m_freem(m0); 261 return NULL; 262 } 263 /* it is assumed management frames are contiguous */ 264 mmie = (u_int8_t *)wh + m0->m_len - IEEE80211_MMIE_LEN; 265 /* check that MMIE is valid */ 266 if (mmie[0] != IEEE80211_ELEMID_MMIE || mmie[1] != 16) { 267 m_freem(m0); 268 return NULL; 269 } 270 kid = LE_READ_2(&mmie[2]); 271 if (kid != 4 && kid != 5) { 272 m_freem(m0); 273 return NULL; 274 } 275 k = &ic->ic_nw_keys[kid]; 276 } 277 switch (k->k_cipher) { 278 case IEEE80211_CIPHER_WEP40: 279 case IEEE80211_CIPHER_WEP104: 280 m0 = ieee80211_wep_decrypt(ic, m0, k); 281 break; 282 case IEEE80211_CIPHER_TKIP: 283 m0 = ieee80211_tkip_decrypt(ic, m0, k); 284 break; 285 case IEEE80211_CIPHER_CCMP: 286 m0 = ieee80211_ccmp_decrypt(ic, m0, k); 287 break; 288 case IEEE80211_CIPHER_AES128_CMAC: 289 m0 = ieee80211_bip_decap(ic, m0, k); 290 break; 291 default: 292 /* key not defined */ 293 m_freem(m0); 294 m0 = NULL; 295 } 296 return m0; 297 } 298 299 /* 300 * SHA1-based Pseudo-Random Function (see 8.5.1.1). 301 */ 302 void 303 ieee80211_prf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 304 size_t label_len, const u_int8_t *context, size_t context_len, 305 u_int8_t *output, size_t len) 306 { 307 HMAC_SHA1_CTX ctx; 308 u_int8_t digest[SHA1_DIGEST_LENGTH]; 309 u_int8_t count; 310 311 for (count = 0; len != 0; count++) { 312 HMAC_SHA1_Init(&ctx, key, key_len); 313 HMAC_SHA1_Update(&ctx, label, label_len); 314 HMAC_SHA1_Update(&ctx, context, context_len); 315 HMAC_SHA1_Update(&ctx, &count, 1); 316 if (len < SHA1_DIGEST_LENGTH) { 317 HMAC_SHA1_Final(digest, &ctx); 318 /* truncate HMAC-SHA1 to len bytes */ 319 memcpy(output, digest, len); 320 break; 321 } 322 HMAC_SHA1_Final(output, &ctx); 323 output += SHA1_DIGEST_LENGTH; 324 len -= SHA1_DIGEST_LENGTH; 325 } 326 } 327 328 /* 329 * SHA256-based Key Derivation Function (see 8.5.1.5.2). 330 */ 331 void 332 ieee80211_kdf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 333 size_t label_len, const u_int8_t *context, size_t context_len, 334 u_int8_t *output, size_t len) 335 { 336 HMAC_SHA256_CTX ctx; 337 u_int8_t digest[SHA256_DIGEST_LENGTH]; 338 u_int16_t i, iter, length; 339 340 length = htole16(len * NBBY); 341 for (i = 1; len != 0; i++) { 342 HMAC_SHA256_Init(&ctx, key, key_len); 343 iter = htole16(i); 344 HMAC_SHA256_Update(&ctx, (u_int8_t *)&iter, sizeof iter); 345 HMAC_SHA256_Update(&ctx, label, label_len); 346 HMAC_SHA256_Update(&ctx, context, context_len); 347 HMAC_SHA256_Update(&ctx, (u_int8_t *)&length, sizeof length); 348 if (len < SHA256_DIGEST_LENGTH) { 349 HMAC_SHA256_Final(digest, &ctx); 350 /* truncate HMAC-SHA-256 to len bytes */ 351 memcpy(output, digest, len); 352 break; 353 } 354 HMAC_SHA256_Final(output, &ctx); 355 output += SHA256_DIGEST_LENGTH; 356 len -= SHA256_DIGEST_LENGTH; 357 } 358 } 359 360 /* 361 * Derive Pairwise Transient Key (PTK) (see 8.5.1.2). 362 */ 363 void 364 ieee80211_derive_ptk(enum ieee80211_akm akm, const u_int8_t *pmk, 365 const u_int8_t *aa, const u_int8_t *spa, const u_int8_t *anonce, 366 const u_int8_t *snonce, struct ieee80211_ptk *ptk) 367 { 368 void (*kdf)(const u_int8_t *, size_t, const u_int8_t *, size_t, 369 const u_int8_t *, size_t, u_int8_t *, size_t); 370 u_int8_t buf[2 * IEEE80211_ADDR_LEN + 2 * EAPOL_KEY_NONCE_LEN]; 371 int ret; 372 373 /* Min(AA,SPA) || Max(AA,SPA) */ 374 ret = memcmp(aa, spa, IEEE80211_ADDR_LEN) < 0; 375 memcpy(&buf[ 0], ret ? aa : spa, IEEE80211_ADDR_LEN); 376 memcpy(&buf[ 6], ret ? spa : aa, IEEE80211_ADDR_LEN); 377 378 /* Min(ANonce,SNonce) || Max(ANonce,SNonce) */ 379 ret = memcmp(anonce, snonce, EAPOL_KEY_NONCE_LEN) < 0; 380 memcpy(&buf[12], ret ? anonce : snonce, EAPOL_KEY_NONCE_LEN); 381 memcpy(&buf[44], ret ? snonce : anonce, EAPOL_KEY_NONCE_LEN); 382 383 kdf = ieee80211_is_sha256_akm(akm) ? ieee80211_kdf : ieee80211_prf; 384 (*kdf)(pmk, IEEE80211_PMK_LEN, "Pairwise key expansion", 23, 385 buf, sizeof buf, (u_int8_t *)ptk, sizeof(*ptk)); 386 } 387 388 static void 389 ieee80211_pmkid_sha1(const u_int8_t *pmk, const u_int8_t *aa, 390 const u_int8_t *spa, u_int8_t *pmkid) 391 { 392 HMAC_SHA1_CTX ctx; 393 u_int8_t digest[SHA1_DIGEST_LENGTH]; 394 395 HMAC_SHA1_Init(&ctx, pmk, IEEE80211_PMK_LEN); 396 HMAC_SHA1_Update(&ctx, "PMK Name", 8); 397 HMAC_SHA1_Update(&ctx, aa, IEEE80211_ADDR_LEN); 398 HMAC_SHA1_Update(&ctx, spa, IEEE80211_ADDR_LEN); 399 HMAC_SHA1_Final(digest, &ctx); 400 /* use the first 128 bits of HMAC-SHA1 */ 401 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 402 } 403 404 static void 405 ieee80211_pmkid_sha256(const u_int8_t *pmk, const u_int8_t *aa, 406 const u_int8_t *spa, u_int8_t *pmkid) 407 { 408 HMAC_SHA256_CTX ctx; 409 u_int8_t digest[SHA256_DIGEST_LENGTH]; 410 411 HMAC_SHA256_Init(&ctx, pmk, IEEE80211_PMK_LEN); 412 HMAC_SHA256_Update(&ctx, "PMK Name", 8); 413 HMAC_SHA256_Update(&ctx, aa, IEEE80211_ADDR_LEN); 414 HMAC_SHA256_Update(&ctx, spa, IEEE80211_ADDR_LEN); 415 HMAC_SHA256_Final(digest, &ctx); 416 /* use the first 128 bits of HMAC-SHA-256 */ 417 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 418 } 419 420 /* 421 * Derive Pairwise Master Key Identifier (PMKID) (see 8.5.1.2). 422 */ 423 void 424 ieee80211_derive_pmkid(enum ieee80211_akm akm, const u_int8_t *pmk, 425 const u_int8_t *aa, const u_int8_t *spa, u_int8_t *pmkid) 426 { 427 if (ieee80211_is_sha256_akm(akm)) 428 ieee80211_pmkid_sha256(pmk, aa, spa, pmkid); 429 else 430 ieee80211_pmkid_sha1(pmk, aa, spa, pmkid); 431 } 432 433 typedef union _ANY_CTX { 434 HMAC_MD5_CTX md5; 435 HMAC_SHA1_CTX sha1; 436 AES_CMAC_CTX cmac; 437 } ANY_CTX; 438 439 /* 440 * Compute the Key MIC field of an EAPOL-Key frame using the specified Key 441 * Confirmation Key (KCK). The hash function can be HMAC-MD5, HMAC-SHA1 442 * or AES-128-CMAC depending on the EAPOL-Key Key Descriptor Version. 443 */ 444 void 445 ieee80211_eapol_key_mic(struct ieee80211_eapol_key *key, const u_int8_t *kck) 446 { 447 u_int8_t digest[SHA1_DIGEST_LENGTH]; 448 ANY_CTX ctx; /* XXX off stack? */ 449 u_int len; 450 451 len = BE_READ_2(key->len) + 4; 452 453 switch (BE_READ_2(key->info) & EAPOL_KEY_VERSION_MASK) { 454 case EAPOL_KEY_DESC_V1: 455 HMAC_MD5_Init(&ctx.md5, kck, 16); 456 HMAC_MD5_Update(&ctx.md5, (u_int8_t *)key, len); 457 HMAC_MD5_Final(key->mic, &ctx.md5); 458 break; 459 case EAPOL_KEY_DESC_V2: 460 HMAC_SHA1_Init(&ctx.sha1, kck, 16); 461 HMAC_SHA1_Update(&ctx.sha1, (u_int8_t *)key, len); 462 HMAC_SHA1_Final(digest, &ctx.sha1); 463 /* truncate HMAC-SHA1 to its 128 MSBs */ 464 memcpy(key->mic, digest, EAPOL_KEY_MIC_LEN); 465 break; 466 case EAPOL_KEY_DESC_V3: 467 AES_CMAC_Init(&ctx.cmac); 468 AES_CMAC_SetKey(&ctx.cmac, kck); 469 AES_CMAC_Update(&ctx.cmac, (u_int8_t *)key, len); 470 AES_CMAC_Final(key->mic, &ctx.cmac); 471 break; 472 } 473 } 474 475 /* 476 * Check the MIC of a received EAPOL-Key frame using the specified Key 477 * Confirmation Key (KCK). 478 */ 479 int 480 ieee80211_eapol_key_check_mic(struct ieee80211_eapol_key *key, 481 const u_int8_t *kck) 482 { 483 u_int8_t mic[EAPOL_KEY_MIC_LEN]; 484 485 memcpy(mic, key->mic, EAPOL_KEY_MIC_LEN); 486 memset(key->mic, 0, EAPOL_KEY_MIC_LEN); 487 ieee80211_eapol_key_mic(key, kck); 488 489 return memcmp(key->mic, mic, EAPOL_KEY_MIC_LEN) != 0; 490 } 491 492 #ifndef IEEE80211_STA_ONLY 493 /* 494 * Encrypt the Key Data field of an EAPOL-Key frame using the specified Key 495 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 496 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 497 */ 498 void 499 ieee80211_eapol_key_encrypt(struct ieee80211com *ic, 500 struct ieee80211_eapol_key *key, const u_int8_t *kek) 501 { 502 union { 503 struct rc4_ctx rc4; 504 aes_key_wrap_ctx aes; 505 } ctx; /* XXX off stack? */ 506 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 507 u_int16_t len, info; 508 u_int8_t *data; 509 int n; 510 511 len = BE_READ_2(key->paylen); 512 info = BE_READ_2(key->info); 513 data = (u_int8_t *)(key + 1); 514 515 switch (info & EAPOL_KEY_VERSION_MASK) { 516 case EAPOL_KEY_DESC_V1: 517 /* set IV to the lower 16 octets of our global key counter */ 518 memcpy(key->iv, ic->ic_globalcnt + 16, 16); 519 /* increment our global key counter (256-bit, big-endian) */ 520 for (n = 31; n >= 0 && ++ic->ic_globalcnt[n] == 0; n--); 521 522 /* concatenate the EAPOL-Key IV field and the KEK */ 523 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 524 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 525 526 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 527 /* discard the first 256 octets of the ARC4 key stream */ 528 rc4_skip(&ctx.rc4, RC4STATE); 529 rc4_crypt(&ctx.rc4, data, data, len); 530 break; 531 case EAPOL_KEY_DESC_V2: 532 case EAPOL_KEY_DESC_V3: 533 if (len < 16 || (len & 7) != 0) { 534 /* insert padding */ 535 n = (len < 16) ? 16 - len : 8 - (len & 7); 536 data[len++] = IEEE80211_ELEMID_VENDOR; 537 memset(&data[len], 0, n - 1); 538 len += n - 1; 539 } 540 aes_key_wrap_set_key_wrap_only(&ctx.aes, kek, 16); 541 aes_key_wrap(&ctx.aes, data, len / 8, data); 542 len += 8; /* AES Key Wrap adds 8 bytes */ 543 /* update key data length */ 544 BE_WRITE_2(key->paylen, len); 545 /* update packet body length */ 546 BE_WRITE_2(key->len, sizeof(*key) + len - 4); 547 break; 548 } 549 } 550 #endif /* IEEE80211_STA_ONLY */ 551 552 /* 553 * Decrypt the Key Data field of an EAPOL-Key frame using the specified Key 554 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 555 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 556 */ 557 int 558 ieee80211_eapol_key_decrypt(struct ieee80211_eapol_key *key, 559 const u_int8_t *kek) 560 { 561 union { 562 struct rc4_ctx rc4; 563 aes_key_wrap_ctx aes; 564 } ctx; /* XXX off stack? */ 565 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 566 u_int16_t len, info; 567 u_int8_t *data; 568 569 len = BE_READ_2(key->paylen); 570 info = BE_READ_2(key->info); 571 data = (u_int8_t *)(key + 1); 572 573 switch (info & EAPOL_KEY_VERSION_MASK) { 574 case EAPOL_KEY_DESC_V1: 575 /* concatenate the EAPOL-Key IV field and the KEK */ 576 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 577 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 578 579 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 580 /* discard the first 256 octets of the ARC4 key stream */ 581 rc4_skip(&ctx.rc4, RC4STATE); 582 rc4_crypt(&ctx.rc4, data, data, len); 583 return 0; 584 case EAPOL_KEY_DESC_V2: 585 case EAPOL_KEY_DESC_V3: 586 /* Key Data Length must be a multiple of 8 */ 587 if (len < 16 + 8 || (len & 7) != 0) 588 return 1; 589 len -= 8; /* AES Key Wrap adds 8 bytes */ 590 aes_key_wrap_set_key(&ctx.aes, kek, 16); 591 return aes_key_unwrap(&ctx.aes, data, data, len / 8); 592 } 593 594 return 1; /* unknown Key Descriptor Version */ 595 } 596 597 /* 598 * Add a PMK entry to the PMKSA cache. 599 */ 600 struct ieee80211_pmk * 601 ieee80211_pmksa_add(struct ieee80211com *ic, enum ieee80211_akm akm, 602 const u_int8_t *macaddr, const u_int8_t *key, u_int32_t lifetime) 603 { 604 struct ieee80211_pmk *pmk; 605 606 /* check if an entry already exists for this (STA,AKMP) */ 607 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 608 if (pmk->pmk_akm == akm && 609 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, macaddr)) 610 break; 611 } 612 if (pmk == NULL) { 613 /* allocate a new PMKSA entry */ 614 if ((pmk = malloc(sizeof(*pmk), M_DEVBUF, M_NOWAIT)) == NULL) 615 return NULL; 616 pmk->pmk_akm = akm; 617 IEEE80211_ADDR_COPY(pmk->pmk_macaddr, macaddr); 618 TAILQ_INSERT_TAIL(&ic->ic_pmksa, pmk, pmk_next); 619 } 620 memcpy(pmk->pmk_key, key, IEEE80211_PMK_LEN); 621 pmk->pmk_lifetime = lifetime; /* XXX not used yet */ 622 #ifndef IEEE80211_STA_ONLY 623 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 624 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 625 ic->ic_myaddr, macaddr, pmk->pmk_pmkid); 626 } else 627 #endif 628 { 629 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 630 macaddr, ic->ic_myaddr, pmk->pmk_pmkid); 631 } 632 return pmk; 633 } 634 635 /* 636 * Check if we have a cached PMK entry for the specified node and PMKID. 637 */ 638 struct ieee80211_pmk * 639 ieee80211_pmksa_find(struct ieee80211com *ic, struct ieee80211_node *ni, 640 const u_int8_t *pmkid) 641 { 642 struct ieee80211_pmk *pmk; 643 644 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 645 if (pmk->pmk_akm == ni->ni_rsnakms && 646 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, ni->ni_macaddr) && 647 (pmkid == NULL || 648 memcmp(pmk->pmk_pmkid, pmkid, IEEE80211_PMKID_LEN) == 0)) 649 break; 650 } 651 return pmk; 652 } 653