1 /* $OpenBSD: ieee80211_crypto.c,v 1.65 2014/12/23 03:24:08 tedu Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> 20 #include <sys/systm.h> 21 #include <sys/mbuf.h> 22 #include <sys/malloc.h> 23 #include <sys/kernel.h> 24 #include <sys/socket.h> 25 #include <sys/sockio.h> 26 #include <sys/endian.h> 27 #include <sys/errno.h> 28 #include <sys/sysctl.h> 29 30 #include <net/if.h> 31 #include <net/if_dl.h> 32 #include <net/if_media.h> 33 #include <net/if_arp.h> 34 35 #include <netinet/in.h> 36 #include <netinet/if_ether.h> 37 38 #include <net80211/ieee80211_var.h> 39 #include <net80211/ieee80211_priv.h> 40 41 #include <crypto/arc4.h> 42 #include <crypto/md5.h> 43 #include <crypto/sha1.h> 44 #include <crypto/sha2.h> 45 #include <crypto/hmac.h> 46 #include <crypto/rijndael.h> 47 #include <crypto/cmac.h> 48 #include <crypto/key_wrap.h> 49 50 void ieee80211_prf(const u_int8_t *, size_t, const u_int8_t *, size_t, 51 const u_int8_t *, size_t, u_int8_t *, size_t); 52 void ieee80211_kdf(const u_int8_t *, size_t, const u_int8_t *, size_t, 53 const u_int8_t *, size_t, u_int8_t *, size_t); 54 void ieee80211_derive_pmkid(enum ieee80211_akm, const u_int8_t *, 55 const u_int8_t *, const u_int8_t *, u_int8_t *); 56 57 void 58 ieee80211_crypto_attach(struct ifnet *ifp) 59 { 60 struct ieee80211com *ic = (void *)ifp; 61 62 TAILQ_INIT(&ic->ic_pmksa); 63 if (ic->ic_caps & IEEE80211_C_RSN) { 64 ic->ic_rsnprotos = IEEE80211_PROTO_WPA | IEEE80211_PROTO_RSN; 65 ic->ic_rsnakms = IEEE80211_AKM_PSK; 66 ic->ic_rsnciphers = IEEE80211_CIPHER_TKIP | 67 IEEE80211_CIPHER_CCMP; 68 ic->ic_rsngroupcipher = IEEE80211_CIPHER_TKIP; 69 ic->ic_rsngroupmgmtcipher = IEEE80211_CIPHER_BIP; 70 } 71 ic->ic_set_key = ieee80211_set_key; 72 ic->ic_delete_key = ieee80211_delete_key; 73 } 74 75 void 76 ieee80211_crypto_detach(struct ifnet *ifp) 77 { 78 struct ieee80211com *ic = (void *)ifp; 79 struct ieee80211_pmk *pmk; 80 int i; 81 82 /* purge the PMKSA cache */ 83 while ((pmk = TAILQ_FIRST(&ic->ic_pmksa)) != NULL) { 84 TAILQ_REMOVE(&ic->ic_pmksa, pmk, pmk_next); 85 explicit_bzero(pmk, sizeof(*pmk)); 86 free(pmk, M_DEVBUF, 0); 87 } 88 89 /* clear all group keys from memory */ 90 for (i = 0; i < IEEE80211_GROUP_NKID; i++) { 91 struct ieee80211_key *k = &ic->ic_nw_keys[i]; 92 if (k->k_cipher != IEEE80211_CIPHER_NONE) 93 (*ic->ic_delete_key)(ic, NULL, k); 94 explicit_bzero(k, sizeof(*k)); 95 } 96 97 /* clear pre-shared key from memory */ 98 explicit_bzero(ic->ic_psk, IEEE80211_PMK_LEN); 99 } 100 101 /* 102 * Return the length in bytes of a cipher suite key (see Table 60). 103 */ 104 int 105 ieee80211_cipher_keylen(enum ieee80211_cipher cipher) 106 { 107 switch (cipher) { 108 case IEEE80211_CIPHER_WEP40: 109 return 5; 110 case IEEE80211_CIPHER_TKIP: 111 return 32; 112 case IEEE80211_CIPHER_CCMP: 113 return 16; 114 case IEEE80211_CIPHER_WEP104: 115 return 13; 116 case IEEE80211_CIPHER_BIP: 117 return 16; 118 default: /* unknown cipher */ 119 return 0; 120 } 121 } 122 123 int 124 ieee80211_set_key(struct ieee80211com *ic, struct ieee80211_node *ni, 125 struct ieee80211_key *k) 126 { 127 int error; 128 129 switch (k->k_cipher) { 130 case IEEE80211_CIPHER_WEP40: 131 case IEEE80211_CIPHER_WEP104: 132 error = ieee80211_wep_set_key(ic, k); 133 break; 134 case IEEE80211_CIPHER_TKIP: 135 error = ieee80211_tkip_set_key(ic, k); 136 break; 137 case IEEE80211_CIPHER_CCMP: 138 error = ieee80211_ccmp_set_key(ic, k); 139 break; 140 case IEEE80211_CIPHER_BIP: 141 error = ieee80211_bip_set_key(ic, k); 142 break; 143 default: 144 /* should not get there */ 145 error = EINVAL; 146 } 147 return error; 148 } 149 150 void 151 ieee80211_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni, 152 struct ieee80211_key *k) 153 { 154 switch (k->k_cipher) { 155 case IEEE80211_CIPHER_WEP40: 156 case IEEE80211_CIPHER_WEP104: 157 ieee80211_wep_delete_key(ic, k); 158 break; 159 case IEEE80211_CIPHER_TKIP: 160 ieee80211_tkip_delete_key(ic, k); 161 break; 162 case IEEE80211_CIPHER_CCMP: 163 ieee80211_ccmp_delete_key(ic, k); 164 break; 165 case IEEE80211_CIPHER_BIP: 166 ieee80211_bip_delete_key(ic, k); 167 break; 168 default: 169 /* should not get there */ 170 break; 171 } 172 explicit_bzero(k, sizeof(*k)); 173 } 174 175 struct ieee80211_key * 176 ieee80211_get_txkey(struct ieee80211com *ic, const struct ieee80211_frame *wh, 177 struct ieee80211_node *ni) 178 { 179 int kid; 180 181 if ((ic->ic_flags & IEEE80211_F_RSNON) && 182 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 183 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) 184 return &ni->ni_pairwise_key; 185 186 if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 187 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 188 IEEE80211_FC0_TYPE_MGT) 189 kid = ic->ic_def_txkey; 190 else 191 kid = ic->ic_igtk_kid; 192 return &ic->ic_nw_keys[kid]; 193 } 194 195 struct mbuf * 196 ieee80211_encrypt(struct ieee80211com *ic, struct mbuf *m0, 197 struct ieee80211_key *k) 198 { 199 switch (k->k_cipher) { 200 case IEEE80211_CIPHER_WEP40: 201 case IEEE80211_CIPHER_WEP104: 202 m0 = ieee80211_wep_encrypt(ic, m0, k); 203 break; 204 case IEEE80211_CIPHER_TKIP: 205 m0 = ieee80211_tkip_encrypt(ic, m0, k); 206 break; 207 case IEEE80211_CIPHER_CCMP: 208 m0 = ieee80211_ccmp_encrypt(ic, m0, k); 209 break; 210 case IEEE80211_CIPHER_BIP: 211 m0 = ieee80211_bip_encap(ic, m0, k); 212 break; 213 default: 214 /* should not get there */ 215 m_freem(m0); 216 m0 = NULL; 217 } 218 return m0; 219 } 220 221 struct mbuf * 222 ieee80211_decrypt(struct ieee80211com *ic, struct mbuf *m0, 223 struct ieee80211_node *ni) 224 { 225 struct ieee80211_frame *wh; 226 struct ieee80211_key *k; 227 u_int8_t *ivp, *mmie; 228 u_int16_t kid; 229 int hdrlen; 230 231 /* find key for decryption */ 232 wh = mtod(m0, struct ieee80211_frame *); 233 if ((ic->ic_flags & IEEE80211_F_RSNON) && 234 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 235 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 236 k = &ni->ni_pairwise_key; 237 238 } else if (!IEEE80211_IS_MULTICAST(wh->i_addr1) || 239 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) != 240 IEEE80211_FC0_TYPE_MGT) { 241 /* retrieve group data key id from IV field */ 242 hdrlen = ieee80211_get_hdrlen(wh); 243 /* check that IV field is present */ 244 if (m0->m_len < hdrlen + 4) { 245 m_freem(m0); 246 return NULL; 247 } 248 ivp = (u_int8_t *)wh + hdrlen; 249 kid = ivp[3] >> 6; 250 k = &ic->ic_nw_keys[kid]; 251 } else { 252 /* retrieve integrity group key id from MMIE */ 253 if (m0->m_len < sizeof(*wh) + IEEE80211_MMIE_LEN) { 254 m_freem(m0); 255 return NULL; 256 } 257 /* it is assumed management frames are contiguous */ 258 mmie = (u_int8_t *)wh + m0->m_len - IEEE80211_MMIE_LEN; 259 /* check that MMIE is valid */ 260 if (mmie[0] != IEEE80211_ELEMID_MMIE || mmie[1] != 16) { 261 m_freem(m0); 262 return NULL; 263 } 264 kid = LE_READ_2(&mmie[2]); 265 if (kid != 4 && kid != 5) { 266 m_freem(m0); 267 return NULL; 268 } 269 k = &ic->ic_nw_keys[kid]; 270 } 271 switch (k->k_cipher) { 272 case IEEE80211_CIPHER_WEP40: 273 case IEEE80211_CIPHER_WEP104: 274 m0 = ieee80211_wep_decrypt(ic, m0, k); 275 break; 276 case IEEE80211_CIPHER_TKIP: 277 m0 = ieee80211_tkip_decrypt(ic, m0, k); 278 break; 279 case IEEE80211_CIPHER_CCMP: 280 m0 = ieee80211_ccmp_decrypt(ic, m0, k); 281 break; 282 case IEEE80211_CIPHER_BIP: 283 m0 = ieee80211_bip_decap(ic, m0, k); 284 break; 285 default: 286 /* key not defined */ 287 m_freem(m0); 288 m0 = NULL; 289 } 290 return m0; 291 } 292 293 /* 294 * SHA1-based Pseudo-Random Function (see 8.5.1.1). 295 */ 296 void 297 ieee80211_prf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 298 size_t label_len, const u_int8_t *context, size_t context_len, 299 u_int8_t *output, size_t len) 300 { 301 HMAC_SHA1_CTX ctx; 302 u_int8_t digest[SHA1_DIGEST_LENGTH]; 303 u_int8_t count; 304 305 for (count = 0; len != 0; count++) { 306 HMAC_SHA1_Init(&ctx, key, key_len); 307 HMAC_SHA1_Update(&ctx, label, label_len); 308 HMAC_SHA1_Update(&ctx, context, context_len); 309 HMAC_SHA1_Update(&ctx, &count, 1); 310 if (len < SHA1_DIGEST_LENGTH) { 311 HMAC_SHA1_Final(digest, &ctx); 312 /* truncate HMAC-SHA1 to len bytes */ 313 memcpy(output, digest, len); 314 break; 315 } 316 HMAC_SHA1_Final(output, &ctx); 317 output += SHA1_DIGEST_LENGTH; 318 len -= SHA1_DIGEST_LENGTH; 319 } 320 } 321 322 /* 323 * SHA256-based Key Derivation Function (see 8.5.1.5.2). 324 */ 325 void 326 ieee80211_kdf(const u_int8_t *key, size_t key_len, const u_int8_t *label, 327 size_t label_len, const u_int8_t *context, size_t context_len, 328 u_int8_t *output, size_t len) 329 { 330 HMAC_SHA256_CTX ctx; 331 u_int8_t digest[SHA256_DIGEST_LENGTH]; 332 u_int16_t i, iter, length; 333 334 length = htole16(len * NBBY); 335 for (i = 1; len != 0; i++) { 336 HMAC_SHA256_Init(&ctx, key, key_len); 337 iter = htole16(i); 338 HMAC_SHA256_Update(&ctx, (u_int8_t *)&iter, sizeof iter); 339 HMAC_SHA256_Update(&ctx, label, label_len); 340 HMAC_SHA256_Update(&ctx, context, context_len); 341 HMAC_SHA256_Update(&ctx, (u_int8_t *)&length, sizeof length); 342 if (len < SHA256_DIGEST_LENGTH) { 343 HMAC_SHA256_Final(digest, &ctx); 344 /* truncate HMAC-SHA-256 to len bytes */ 345 memcpy(output, digest, len); 346 break; 347 } 348 HMAC_SHA256_Final(output, &ctx); 349 output += SHA256_DIGEST_LENGTH; 350 len -= SHA256_DIGEST_LENGTH; 351 } 352 } 353 354 /* 355 * Derive Pairwise Transient Key (PTK) (see 8.5.1.2). 356 */ 357 void 358 ieee80211_derive_ptk(enum ieee80211_akm akm, const u_int8_t *pmk, 359 const u_int8_t *aa, const u_int8_t *spa, const u_int8_t *anonce, 360 const u_int8_t *snonce, struct ieee80211_ptk *ptk) 361 { 362 void (*kdf)(const u_int8_t *, size_t, const u_int8_t *, size_t, 363 const u_int8_t *, size_t, u_int8_t *, size_t); 364 u_int8_t buf[2 * IEEE80211_ADDR_LEN + 2 * EAPOL_KEY_NONCE_LEN]; 365 int ret; 366 367 /* Min(AA,SPA) || Max(AA,SPA) */ 368 ret = memcmp(aa, spa, IEEE80211_ADDR_LEN) < 0; 369 memcpy(&buf[ 0], ret ? aa : spa, IEEE80211_ADDR_LEN); 370 memcpy(&buf[ 6], ret ? spa : aa, IEEE80211_ADDR_LEN); 371 372 /* Min(ANonce,SNonce) || Max(ANonce,SNonce) */ 373 ret = memcmp(anonce, snonce, EAPOL_KEY_NONCE_LEN) < 0; 374 memcpy(&buf[12], ret ? anonce : snonce, EAPOL_KEY_NONCE_LEN); 375 memcpy(&buf[44], ret ? snonce : anonce, EAPOL_KEY_NONCE_LEN); 376 377 kdf = ieee80211_is_sha256_akm(akm) ? ieee80211_kdf : ieee80211_prf; 378 (*kdf)(pmk, IEEE80211_PMK_LEN, "Pairwise key expansion", 23, 379 buf, sizeof buf, (u_int8_t *)ptk, sizeof(*ptk)); 380 } 381 382 static void 383 ieee80211_pmkid_sha1(const u_int8_t *pmk, const u_int8_t *aa, 384 const u_int8_t *spa, u_int8_t *pmkid) 385 { 386 HMAC_SHA1_CTX ctx; 387 u_int8_t digest[SHA1_DIGEST_LENGTH]; 388 389 HMAC_SHA1_Init(&ctx, pmk, IEEE80211_PMK_LEN); 390 HMAC_SHA1_Update(&ctx, "PMK Name", 8); 391 HMAC_SHA1_Update(&ctx, aa, IEEE80211_ADDR_LEN); 392 HMAC_SHA1_Update(&ctx, spa, IEEE80211_ADDR_LEN); 393 HMAC_SHA1_Final(digest, &ctx); 394 /* use the first 128 bits of HMAC-SHA1 */ 395 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 396 } 397 398 static void 399 ieee80211_pmkid_sha256(const u_int8_t *pmk, const u_int8_t *aa, 400 const u_int8_t *spa, u_int8_t *pmkid) 401 { 402 HMAC_SHA256_CTX ctx; 403 u_int8_t digest[SHA256_DIGEST_LENGTH]; 404 405 HMAC_SHA256_Init(&ctx, pmk, IEEE80211_PMK_LEN); 406 HMAC_SHA256_Update(&ctx, "PMK Name", 8); 407 HMAC_SHA256_Update(&ctx, aa, IEEE80211_ADDR_LEN); 408 HMAC_SHA256_Update(&ctx, spa, IEEE80211_ADDR_LEN); 409 HMAC_SHA256_Final(digest, &ctx); 410 /* use the first 128 bits of HMAC-SHA-256 */ 411 memcpy(pmkid, digest, IEEE80211_PMKID_LEN); 412 } 413 414 /* 415 * Derive Pairwise Master Key Identifier (PMKID) (see 8.5.1.2). 416 */ 417 void 418 ieee80211_derive_pmkid(enum ieee80211_akm akm, const u_int8_t *pmk, 419 const u_int8_t *aa, const u_int8_t *spa, u_int8_t *pmkid) 420 { 421 if (ieee80211_is_sha256_akm(akm)) 422 ieee80211_pmkid_sha256(pmk, aa, spa, pmkid); 423 else 424 ieee80211_pmkid_sha1(pmk, aa, spa, pmkid); 425 } 426 427 typedef union _ANY_CTX { 428 HMAC_MD5_CTX md5; 429 HMAC_SHA1_CTX sha1; 430 AES_CMAC_CTX cmac; 431 } ANY_CTX; 432 433 /* 434 * Compute the Key MIC field of an EAPOL-Key frame using the specified Key 435 * Confirmation Key (KCK). The hash function can be HMAC-MD5, HMAC-SHA1 436 * or AES-128-CMAC depending on the EAPOL-Key Key Descriptor Version. 437 */ 438 void 439 ieee80211_eapol_key_mic(struct ieee80211_eapol_key *key, const u_int8_t *kck) 440 { 441 u_int8_t digest[SHA1_DIGEST_LENGTH]; 442 ANY_CTX ctx; /* XXX off stack? */ 443 u_int len; 444 445 len = BE_READ_2(key->len) + 4; 446 447 switch (BE_READ_2(key->info) & EAPOL_KEY_VERSION_MASK) { 448 case EAPOL_KEY_DESC_V1: 449 HMAC_MD5_Init(&ctx.md5, kck, 16); 450 HMAC_MD5_Update(&ctx.md5, (u_int8_t *)key, len); 451 HMAC_MD5_Final(key->mic, &ctx.md5); 452 break; 453 case EAPOL_KEY_DESC_V2: 454 HMAC_SHA1_Init(&ctx.sha1, kck, 16); 455 HMAC_SHA1_Update(&ctx.sha1, (u_int8_t *)key, len); 456 HMAC_SHA1_Final(digest, &ctx.sha1); 457 /* truncate HMAC-SHA1 to its 128 MSBs */ 458 memcpy(key->mic, digest, EAPOL_KEY_MIC_LEN); 459 break; 460 case EAPOL_KEY_DESC_V3: 461 AES_CMAC_Init(&ctx.cmac); 462 AES_CMAC_SetKey(&ctx.cmac, kck); 463 AES_CMAC_Update(&ctx.cmac, (u_int8_t *)key, len); 464 AES_CMAC_Final(key->mic, &ctx.cmac); 465 break; 466 } 467 } 468 469 /* 470 * Check the MIC of a received EAPOL-Key frame using the specified Key 471 * Confirmation Key (KCK). 472 */ 473 int 474 ieee80211_eapol_key_check_mic(struct ieee80211_eapol_key *key, 475 const u_int8_t *kck) 476 { 477 u_int8_t mic[EAPOL_KEY_MIC_LEN]; 478 479 memcpy(mic, key->mic, EAPOL_KEY_MIC_LEN); 480 memset(key->mic, 0, EAPOL_KEY_MIC_LEN); 481 ieee80211_eapol_key_mic(key, kck); 482 483 return timingsafe_bcmp(key->mic, mic, EAPOL_KEY_MIC_LEN) != 0; 484 } 485 486 #ifndef IEEE80211_STA_ONLY 487 /* 488 * Encrypt the Key Data field of an EAPOL-Key frame using the specified Key 489 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 490 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 491 */ 492 void 493 ieee80211_eapol_key_encrypt(struct ieee80211com *ic, 494 struct ieee80211_eapol_key *key, const u_int8_t *kek) 495 { 496 union { 497 struct rc4_ctx rc4; 498 aes_key_wrap_ctx aes; 499 } ctx; /* XXX off stack? */ 500 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 501 u_int16_t len, info; 502 u_int8_t *data; 503 int n; 504 505 len = BE_READ_2(key->paylen); 506 info = BE_READ_2(key->info); 507 data = (u_int8_t *)(key + 1); 508 509 switch (info & EAPOL_KEY_VERSION_MASK) { 510 case EAPOL_KEY_DESC_V1: 511 /* set IV to the lower 16 octets of our global key counter */ 512 memcpy(key->iv, ic->ic_globalcnt + 16, 16); 513 /* increment our global key counter (256-bit, big-endian) */ 514 for (n = 31; n >= 0 && ++ic->ic_globalcnt[n] == 0; n--); 515 516 /* concatenate the EAPOL-Key IV field and the KEK */ 517 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 518 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 519 520 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 521 /* discard the first 256 octets of the ARC4 key stream */ 522 rc4_skip(&ctx.rc4, RC4STATE); 523 rc4_crypt(&ctx.rc4, data, data, len); 524 break; 525 case EAPOL_KEY_DESC_V2: 526 case EAPOL_KEY_DESC_V3: 527 if (len < 16 || (len & 7) != 0) { 528 /* insert padding */ 529 n = (len < 16) ? 16 - len : 8 - (len & 7); 530 data[len++] = IEEE80211_ELEMID_VENDOR; 531 memset(&data[len], 0, n - 1); 532 len += n - 1; 533 } 534 aes_key_wrap_set_key_wrap_only(&ctx.aes, kek, 16); 535 aes_key_wrap(&ctx.aes, data, len / 8, data); 536 len += 8; /* AES Key Wrap adds 8 bytes */ 537 /* update key data length */ 538 BE_WRITE_2(key->paylen, len); 539 /* update packet body length */ 540 BE_WRITE_2(key->len, sizeof(*key) + len - 4); 541 break; 542 } 543 } 544 #endif /* IEEE80211_STA_ONLY */ 545 546 /* 547 * Decrypt the Key Data field of an EAPOL-Key frame using the specified Key 548 * Encryption Key (KEK). The encryption algorithm can be either ARC4 or 549 * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version. 550 */ 551 int 552 ieee80211_eapol_key_decrypt(struct ieee80211_eapol_key *key, 553 const u_int8_t *kek) 554 { 555 union { 556 struct rc4_ctx rc4; 557 aes_key_wrap_ctx aes; 558 } ctx; /* XXX off stack? */ 559 u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16]; 560 u_int16_t len, info; 561 u_int8_t *data; 562 563 len = BE_READ_2(key->paylen); 564 info = BE_READ_2(key->info); 565 data = (u_int8_t *)(key + 1); 566 567 switch (info & EAPOL_KEY_VERSION_MASK) { 568 case EAPOL_KEY_DESC_V1: 569 /* concatenate the EAPOL-Key IV field and the KEK */ 570 memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN); 571 memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16); 572 573 rc4_keysetup(&ctx.rc4, keybuf, sizeof keybuf); 574 /* discard the first 256 octets of the ARC4 key stream */ 575 rc4_skip(&ctx.rc4, RC4STATE); 576 rc4_crypt(&ctx.rc4, data, data, len); 577 return 0; 578 case EAPOL_KEY_DESC_V2: 579 case EAPOL_KEY_DESC_V3: 580 /* Key Data Length must be a multiple of 8 */ 581 if (len < 16 + 8 || (len & 7) != 0) 582 return 1; 583 len -= 8; /* AES Key Wrap adds 8 bytes */ 584 aes_key_wrap_set_key(&ctx.aes, kek, 16); 585 return aes_key_unwrap(&ctx.aes, data, data, len / 8); 586 } 587 588 return 1; /* unknown Key Descriptor Version */ 589 } 590 591 /* 592 * Add a PMK entry to the PMKSA cache. 593 */ 594 struct ieee80211_pmk * 595 ieee80211_pmksa_add(struct ieee80211com *ic, enum ieee80211_akm akm, 596 const u_int8_t *macaddr, const u_int8_t *key, u_int32_t lifetime) 597 { 598 struct ieee80211_pmk *pmk; 599 600 /* check if an entry already exists for this (STA,AKMP) */ 601 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 602 if (pmk->pmk_akm == akm && 603 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, macaddr)) 604 break; 605 } 606 if (pmk == NULL) { 607 /* allocate a new PMKSA entry */ 608 if ((pmk = malloc(sizeof(*pmk), M_DEVBUF, M_NOWAIT)) == NULL) 609 return NULL; 610 pmk->pmk_akm = akm; 611 IEEE80211_ADDR_COPY(pmk->pmk_macaddr, macaddr); 612 TAILQ_INSERT_TAIL(&ic->ic_pmksa, pmk, pmk_next); 613 } 614 memcpy(pmk->pmk_key, key, IEEE80211_PMK_LEN); 615 pmk->pmk_lifetime = lifetime; /* XXX not used yet */ 616 #ifndef IEEE80211_STA_ONLY 617 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 618 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 619 ic->ic_myaddr, macaddr, pmk->pmk_pmkid); 620 } else 621 #endif 622 { 623 ieee80211_derive_pmkid(pmk->pmk_akm, pmk->pmk_key, 624 macaddr, ic->ic_myaddr, pmk->pmk_pmkid); 625 } 626 return pmk; 627 } 628 629 /* 630 * Check if we have a cached PMK entry for the specified node and PMKID. 631 */ 632 struct ieee80211_pmk * 633 ieee80211_pmksa_find(struct ieee80211com *ic, struct ieee80211_node *ni, 634 const u_int8_t *pmkid) 635 { 636 struct ieee80211_pmk *pmk; 637 638 TAILQ_FOREACH(pmk, &ic->ic_pmksa, pmk_next) { 639 if (pmk->pmk_akm == ni->ni_rsnakms && 640 IEEE80211_ADDR_EQ(pmk->pmk_macaddr, ni->ni_macaddr) && 641 (pmkid == NULL || 642 memcmp(pmk->pmk_pmkid, pmkid, IEEE80211_PMKID_LEN) == 0)) 643 break; 644 } 645 return pmk; 646 } 647