src/rsn_supp/wpa_ie.c

   1 /*
   2  * wpa_supplicant - WPA/RSN IE and KDE processing
   3  * Copyright (c) 2003-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "wpa.h"
  19 #include "pmksa_cache.h"
  20 #include "common/ieee802_11_defs.h"
  21 #include "wpa_i.h"
  22 #include "wpa_ie.h"
  23
  24
  25 /**
  26  * wpa_parse_wpa_ie - Parse WPA/RSN IE
  27  * @wpa_ie: Pointer to WPA or RSN IE
  28  * @wpa_ie_len: Length of the WPA/RSN IE
  29  * @data: Pointer to data area for parsing results
  30  * Returns: 0 on success, -1 on failure
  31  *
  32  * Parse the contents of WPA or RSN IE and write the parsed data into data.
  33  */
  34 int wpa_parse_wpa_ie(const u8 *wpa_ie, size_t wpa_ie_len,
  35                      struct wpa_ie_data *data)
  36 {
  37         if (wpa_ie_len >= 1 && wpa_ie[0] == WLAN_EID_RSN)
  38                 return wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, data);
  39         else
  40                 return wpa_parse_wpa_ie_wpa(wpa_ie, wpa_ie_len, data);
  41 }
  42
  43
  44 static int wpa_gen_wpa_ie_wpa(u8 *wpa_ie, size_t wpa_ie_len,
  45                               int pairwise_cipher, int group_cipher,
  46                               int key_mgmt)
  47 {
  48         u8 *pos;
  49         struct wpa_ie_hdr *hdr;
  50
  51         if (wpa_ie_len < sizeof(*hdr) + WPA_SELECTOR_LEN +
  52             2 + WPA_SELECTOR_LEN + 2 + WPA_SELECTOR_LEN)
  53                 return -1;
  54
  55         hdr = (struct wpa_ie_hdr *) wpa_ie;
  56         hdr->elem_id = WLAN_EID_VENDOR_SPECIFIC;
  57         RSN_SELECTOR_PUT(hdr->oui, WPA_OUI_TYPE);
  58         WPA_PUT_LE16(hdr->version, WPA_VERSION);
  59         pos = (u8 *) (hdr + 1);
  60
  61         if (group_cipher == WPA_CIPHER_CCMP) {
  62                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
  63         } else if (group_cipher == WPA_CIPHER_TKIP) {
  64                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
  65         } else if (group_cipher == WPA_CIPHER_WEP104) {
  66                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_WEP104);
  67         } else if (group_cipher == WPA_CIPHER_WEP40) {
  68                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_WEP40);
  69         } else {
  70                 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
  71                            group_cipher);
  72                 return -1;
  73         }
  74         pos += WPA_SELECTOR_LEN;
  75
  76         *pos++ = 1;
  77         *pos++ = 0;
  78         if (pairwise_cipher == WPA_CIPHER_CCMP) {
  79                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
  80         } else if (pairwise_cipher == WPA_CIPHER_TKIP) {
  81                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
  82         } else if (pairwise_cipher == WPA_CIPHER_NONE) {
  83                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
  84         } else {
  85                 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
  86                            pairwise_cipher);
  87                 return -1;
  88         }
  89         pos += WPA_SELECTOR_LEN;
  90
  91         *pos++ = 1;
  92         *pos++ = 0;
  93         if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
  94                 RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
  95         } else if (key_mgmt == WPA_KEY_MGMT_PSK) {
  96                 RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
  97         } else if (key_mgmt == WPA_KEY_MGMT_WPA_NONE) {
  98                 RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_NONE);
  99         } else {
 100                 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
 101                            key_mgmt);
 102                 return -1;
 103         }
 104         pos += WPA_SELECTOR_LEN;
 105
 106         /* WPA Capabilities; use defaults, so no need to include it */
 107
 108         hdr->len = (pos - wpa_ie) - 2;
 109
 110         WPA_ASSERT((size_t) (pos - wpa_ie) <= wpa_ie_len);
 111
 112         return pos - wpa_ie;
 113 }
 114
 115
 116 static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
 117                               int pairwise_cipher, int group_cipher,
 118                               int key_mgmt, int mgmt_group_cipher,
 119                               struct wpa_sm *sm)
 120 {
 121 #ifndef CONFIG_NO_WPA2
 122         u8 *pos;
 123         struct rsn_ie_hdr *hdr;
 124         u16 capab;
 125
 126         if (rsn_ie_len < sizeof(*hdr) + RSN_SELECTOR_LEN +
 127             2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN + 2 +
 128             (sm->cur_pmksa ? 2 + PMKID_LEN : 0)) {
 129                 wpa_printf(MSG_DEBUG, "RSN: Too short IE buffer (%lu bytes)",
 130                            (unsigned long) rsn_ie_len);
 131                 return -1;
 132         }
 133
 134         hdr = (struct rsn_ie_hdr *) rsn_ie;
 135         hdr->elem_id = WLAN_EID_RSN;
 136         WPA_PUT_LE16(hdr->version, RSN_VERSION);
 137         pos = (u8 *) (hdr + 1);
 138
 139         if (group_cipher == WPA_CIPHER_CCMP) {
 140                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
 141         } else if (group_cipher == WPA_CIPHER_TKIP) {
 142                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
 143         } else if (group_cipher == WPA_CIPHER_WEP104) {
 144                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_WEP104);
 145         } else if (group_cipher == WPA_CIPHER_WEP40) {
 146                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_WEP40);
 147         } else {
 148                 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
 149                            group_cipher);
 150                 return -1;
 151         }
 152         pos += RSN_SELECTOR_LEN;
 153
 154         *pos++ = 1;
 155         *pos++ = 0;
 156         if (pairwise_cipher == WPA_CIPHER_CCMP) {
 157                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
 158         } else if (pairwise_cipher == WPA_CIPHER_TKIP) {
 159                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
 160         } else if (pairwise_cipher == WPA_CIPHER_NONE) {
 161                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
 162         } else {
 163                 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
 164                            pairwise_cipher);
 165                 return -1;
 166         }
 167         pos += RSN_SELECTOR_LEN;
 168
 169         *pos++ = 1;
 170         *pos++ = 0;
 171         if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
 172                 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X);
 173         } else if (key_mgmt == WPA_KEY_MGMT_PSK) {
 174                 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X);
 175 #ifdef CONFIG_IEEE80211R
 176         } else if (key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
 177                 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
 178         } else if (key_mgmt == WPA_KEY_MGMT_FT_PSK) {
 179                 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
 180 #endif /* CONFIG_IEEE80211R */
 181 #ifdef CONFIG_IEEE80211W
 182         } else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SHA256) {
 183                 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256);
 184         } else if (key_mgmt == WPA_KEY_MGMT_PSK_SHA256) {
 185                 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_SHA256);
 186 #endif /* CONFIG_IEEE80211W */
 187         } else {
 188                 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
 189                            key_mgmt);
 190                 return -1;
 191         }
 192         pos += RSN_SELECTOR_LEN;
 193
 194         /* RSN Capabilities */
 195         capab = 0;
 196 #ifdef CONFIG_IEEE80211W
 197         if (sm->mfp)
 198                 capab |= WPA_CAPABILITY_MFPC;
 199         if (sm->mfp == 2)
 200                 capab |= WPA_CAPABILITY_MFPR;
 201 #endif /* CONFIG_IEEE80211W */
 202         WPA_PUT_LE16(pos, capab);
 203         pos += 2;
 204
 205         if (sm->cur_pmksa) {
 206                 /* PMKID Count (2 octets, little endian) */
 207                 *pos++ = 1;
 208                 *pos++ = 0;
 209                 /* PMKID */
 210                 os_memcpy(pos, sm->cur_pmksa->pmkid, PMKID_LEN);
 211                 pos += PMKID_LEN;
 212         }
 213
 214 #ifdef CONFIG_IEEE80211W
 215         if (mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
 216                 if (!sm->cur_pmksa) {
 217                         /* PMKID Count */
 218                         WPA_PUT_LE16(pos, 0);
 219                         pos += 2;
 220                 }
 221
 222                 /* Management Group Cipher Suite */
 223                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
 224                 pos += RSN_SELECTOR_LEN;
 225         }
 226 #endif /* CONFIG_IEEE80211W */
 227
 228         hdr->len = (pos - rsn_ie) - 2;
 229
 230         WPA_ASSERT((size_t) (pos - rsn_ie) <= rsn_ie_len);
 231
 232         return pos - rsn_ie;
 233 #else /* CONFIG_NO_WPA2 */
 234         return -1;
 235 #endif /* CONFIG_NO_WPA2 */
 236 }
 237
 238
 239 /**
 240  * wpa_gen_wpa_ie - Generate WPA/RSN IE based on current security policy
 241  * @sm: Pointer to WPA state machine data from wpa_sm_init()
 242  * @wpa_ie: Pointer to memory area for the generated WPA/RSN IE
 243  * @wpa_ie_len: Maximum length of the generated WPA/RSN IE
 244  * Returns: Length of the generated WPA/RSN IE or -1 on failure
 245  */
 246 int wpa_gen_wpa_ie(struct wpa_sm *sm, u8 *wpa_ie, size_t wpa_ie_len)
 247 {
 248         if (sm->proto == WPA_PROTO_RSN)
 249                 return wpa_gen_wpa_ie_rsn(wpa_ie, wpa_ie_len,
 250                                           sm->pairwise_cipher,
 251                                           sm->group_cipher,
 252                                           sm->key_mgmt, sm->mgmt_group_cipher,
 253                                           sm);
 254         else
 255                 return wpa_gen_wpa_ie_wpa(wpa_ie, wpa_ie_len,
 256                                           sm->pairwise_cipher,
 257                                           sm->group_cipher,
 258                                           sm->key_mgmt);
 259 }
 260
 261
 262 /**
 263  * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
 264  * @pos: Pointer to the IE header
 265  * @end: Pointer to the end of the Key Data buffer
 266  * @ie: Pointer to parsed IE data
 267  * Returns: 0 on success, 1 if end mark is found, -1 on failure
 268  */
 269 static int wpa_parse_generic(const u8 *pos, const u8 *end,
 270                              struct wpa_eapol_ie_parse *ie)
 271 {
 272         if (pos[1] == 0)
 273                 return 1;
 274
 275         if (pos[1] >= 6 &&
 276             RSN_SELECTOR_GET(pos + 2) == WPA_OUI_TYPE &&
 277             pos[2 + WPA_SELECTOR_LEN] == 1 &&
 278             pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
 279                 ie->wpa_ie = pos;
 280                 ie->wpa_ie_len = pos[1] + 2;
 281                 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE in EAPOL-Key",
 282                             ie->wpa_ie, ie->wpa_ie_len);
 283                 return 0;
 284         }
 285
 286         if (pos + 1 + RSN_SELECTOR_LEN < end &&
 287             pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
 288             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
 289                 ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
 290                 wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key",
 291                             pos, pos[1] + 2);
 292                 return 0;
 293         }
 294
 295         if (pos[1] > RSN_SELECTOR_LEN + 2 &&
 296             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) {
 297                 ie->gtk = pos + 2 + RSN_SELECTOR_LEN;
 298                 ie->gtk_len = pos[1] - RSN_SELECTOR_LEN;
 299                 wpa_hexdump_key(MSG_DEBUG, "WPA: GTK in EAPOL-Key",
 300                                 pos, pos[1] + 2);
 301                 return 0;
 302         }
 303
 304         if (pos[1] > RSN_SELECTOR_LEN + 2 &&
 305             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_MAC_ADDR) {
 306                 ie->mac_addr = pos + 2 + RSN_SELECTOR_LEN;
 307                 ie->mac_addr_len = pos[1] - RSN_SELECTOR_LEN;
 308                 wpa_hexdump(MSG_DEBUG, "WPA: MAC Address in EAPOL-Key",
 309                             pos, pos[1] + 2);
 310                 return 0;
 311         }
 312
 313 #ifdef CONFIG_PEERKEY
 314         if (pos[1] > RSN_SELECTOR_LEN + 2 &&
 315             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_SMK) {
 316                 ie->smk = pos + 2 + RSN_SELECTOR_LEN;
 317                 ie->smk_len = pos[1] - RSN_SELECTOR_LEN;
 318                 wpa_hexdump_key(MSG_DEBUG, "WPA: SMK in EAPOL-Key",
 319                                 pos, pos[1] + 2);
 320                 return 0;
 321         }
 322
 323         if (pos[1] > RSN_SELECTOR_LEN + 2 &&
 324             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_NONCE) {
 325                 ie->nonce = pos + 2 + RSN_SELECTOR_LEN;
 326                 ie->nonce_len = pos[1] - RSN_SELECTOR_LEN;
 327                 wpa_hexdump(MSG_DEBUG, "WPA: Nonce in EAPOL-Key",
 328                             pos, pos[1] + 2);
 329                 return 0;
 330         }
 331
 332         if (pos[1] > RSN_SELECTOR_LEN + 2 &&
 333             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_LIFETIME) {
 334                 ie->lifetime = pos + 2 + RSN_SELECTOR_LEN;
 335                 ie->lifetime_len = pos[1] - RSN_SELECTOR_LEN;
 336                 wpa_hexdump(MSG_DEBUG, "WPA: Lifetime in EAPOL-Key",
 337                             pos, pos[1] + 2);
 338                 return 0;
 339         }
 340
 341         if (pos[1] > RSN_SELECTOR_LEN + 2 &&
 342             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_ERROR) {
 343                 ie->error = pos + 2 + RSN_SELECTOR_LEN;
 344                 ie->error_len = pos[1] - RSN_SELECTOR_LEN;
 345                 wpa_hexdump(MSG_DEBUG, "WPA: Error in EAPOL-Key",
 346                             pos, pos[1] + 2);
 347                 return 0;
 348         }
 349 #endif /* CONFIG_PEERKEY */
 350
 351 #ifdef CONFIG_IEEE80211W
 352         if (pos[1] > RSN_SELECTOR_LEN + 2 &&
 353             RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_IGTK) {
 354                 ie->igtk = pos + 2 + RSN_SELECTOR_LEN;
 355                 ie->igtk_len = pos[1] - RSN_SELECTOR_LEN;
 356                 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK in EAPOL-Key",
 357                                 pos, pos[1] + 2);
 358                 return 0;
 359         }
 360 #endif /* CONFIG_IEEE80211W */
 361
 362         return 0;
 363 }
 364
 365
 366 /**
 367  * wpa_supplicant_parse_ies - Parse EAPOL-Key Key Data IEs
 368  * @buf: Pointer to the Key Data buffer
 369  * @len: Key Data Length
 370  * @ie: Pointer to parsed IE data
 371  * Returns: 0 on success, -1 on failure
 372  */
 373 int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
 374                              struct wpa_eapol_ie_parse *ie)
 375 {
 376         const u8 *pos, *end;
 377         int ret = 0;
 378
 379         os_memset(ie, 0, sizeof(*ie));
 380         for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) {
 381                 if (pos[0] == 0xdd &&
 382                     ((pos == buf + len - 1) || pos[1] == 0)) {
 383                         /* Ignore padding */
 384                         break;
 385                 }
 386                 if (pos + 2 + pos[1] > end) {
 387                         wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data "
 388                                    "underflow (ie=%d len=%d pos=%d)",
 389                                    pos[0], pos[1], (int) (pos - buf));
 390                         wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data",
 391                                         buf, len);
 392                         ret = -1;
 393                         break;
 394                 }
 395                 if (*pos == WLAN_EID_RSN) {
 396                         ie->rsn_ie = pos;
 397                         ie->rsn_ie_len = pos[1] + 2;
 398                         wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
 399                                     ie->rsn_ie, ie->rsn_ie_len);
 400                 } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
 401                         ie->mdie = pos;
 402                         ie->mdie_len = pos[1] + 2;
 403                         wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
 404                                     ie->mdie, ie->mdie_len);
 405                 } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
 406                         ie->ftie = pos;
 407                         ie->ftie_len = pos[1] + 2;
 408                         wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
 409                                     ie->ftie, ie->ftie_len);
 410                 } else if (*pos == WLAN_EID_TIMEOUT_INTERVAL && pos[1] >= 5) {
 411                         if (pos[2] == WLAN_TIMEOUT_REASSOC_DEADLINE) {
 412                                 ie->reassoc_deadline = pos;
 413                                 wpa_hexdump(MSG_DEBUG, "WPA: Reassoc Deadline "
 414                                             "in EAPOL-Key",
 415                                             ie->reassoc_deadline, pos[1] + 2);
 416                         } else if (pos[2] == WLAN_TIMEOUT_KEY_LIFETIME) {
 417                                 ie->key_lifetime = pos;
 418                                 wpa_hexdump(MSG_DEBUG, "WPA: KeyLifetime "
 419                                             "in EAPOL-Key",
 420                                             ie->key_lifetime, pos[1] + 2);
 421                         } else {
 422                                 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized "
 423                                             "EAPOL-Key Key Data IE",
 424                                             pos, 2 + pos[1]);
 425                         }
 426                 } else if (*pos == WLAN_EID_LINK_ID) {
 427                         ie->lnkid = pos;
 428                         ie->lnkid_len = pos[1] + 2;
 429                 } else if (*pos == WLAN_EID_EXT_CAPAB) {
 430                         ie->ext_capab = pos;
 431                         ie->ext_capab_len = pos[1] + 2;
 432                 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
 433                         ret = wpa_parse_generic(pos, end, ie);
 434                         if (ret < 0)
 435                                 break;
 436                         if (ret > 0) {
 437                                 ret = 0;
 438                                 break;
 439                         }
 440                 } else {
 441                         wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized EAPOL-Key "
 442                                     "Key Data IE", pos, 2 + pos[1]);
 443                 }
 444         }
 445
 446         return ret;
 447 }