/* * * Wireless daemon for Linux * * Copyright (C) 2019 Intel Corporation. All rights reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA * */ #ifdef HAVE_CONFIG_H #include #endif #include #include "src/ie.h" #include "src/fils.h" #include "src/handshake.h" #include "src/mpdu.h" #include "src/crypto.h" #include "src/util.h" #include "src/missing.h" #include "src/erp.h" #include "src/auth-proto.h" #define FILS_NONCE_LEN 16 #define FILS_SESSION_LEN 8 struct fils_sm { struct auth_proto ap; struct erp_state *erp; struct handshake_state *hs; void *user_data; fils_tx_authenticate_func_t auth; fils_tx_associate_func_t assoc; uint8_t nonce[FILS_NONCE_LEN]; uint8_t anonce[FILS_NONCE_LEN]; uint8_t session[FILS_SESSION_LEN]; uint8_t ick[48]; size_t ick_len; uint8_t kek_and_tk[64 + 16]; size_t kek_len; uint8_t pmk[48]; size_t pmk_len; uint8_t pmkid[16]; uint8_t fils_ft[48]; size_t fils_ft_len; }; static void fils_derive_pmkid(struct fils_sm *fils, const uint8_t *erp_data, size_t len) { struct l_checksum *sha; enum l_checksum_type type; if (fils->hs->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA256 | IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)) type = L_CHECKSUM_SHA256; else type = L_CHECKSUM_SHA384; sha = l_checksum_new(type); l_checksum_update(sha, erp_data, len); l_checksum_get_digest(sha, fils->pmkid, sizeof(fils->pmkid)); l_checksum_free(sha); } static void fils_erp_tx_func(const uint8_t *eap_data, size_t len, void *user_data) { struct fils_sm *fils = user_data; struct ie_tlv_builder builder; uint8_t data[256]; uint8_t *ptr = data; unsigned int tlv_len; struct ie_rsn_info rsn_info; uint8_t *rsne; l_getrandom(fils->nonce, 16); l_getrandom(fils->session, 8); fils_derive_pmkid(fils, eap_data, len); /* transaction */ l_put_le16(1, ptr); ptr += 2; /* status success */ l_put_le16(0, ptr); ptr += 2; ie_tlv_builder_init(&builder, ptr, sizeof(data) - 4); ie_parse_rsne_from_data(fils->hs->supplicant_ie, fils->hs->supplicant_ie[1] + 2, &rsn_info); rsne = alloca(256); ie_build_rsne(&rsn_info, rsne); ie_tlv_builder_next(&builder, IE_TYPE_RSN); ie_tlv_builder_set_data(&builder, rsne + 2, rsne[1]); ie_tlv_builder_next(&builder, IE_TYPE_FILS_NONCE); ie_tlv_builder_set_data(&builder, fils->nonce, sizeof(fils->nonce)); ie_tlv_builder_next(&builder, IE_TYPE_FILS_SESSION); ie_tlv_builder_set_data(&builder, fils->session, sizeof(fils->session)); ie_tlv_builder_next(&builder, IE_TYPE_FILS_WRAPPED_DATA); ie_tlv_builder_set_data(&builder, eap_data, len); if (fils->hs->mde) { ie_tlv_builder_next(&builder, IE_TYPE_MOBILITY_DOMAIN); ie_tlv_builder_set_data(&builder, fils->hs->mde + 2, fils->hs->mde[1]); } ie_tlv_builder_finalize(&builder, &tlv_len); fils->auth(data, ptr - data + tlv_len, fils->user_data); } static int fils_derive_key_data(struct fils_sm *fils) { const void *rmsk; size_t rmsk_len; struct ie_tlv_builder builder; uint8_t key[FILS_NONCE_LEN * 2]; uint8_t key_data[64 + 48 + 16 + 48]; /* largest ICK, KEK, TK, FILS-FT */ uint8_t key_auth[48]; uint8_t data[44]; uint8_t *ptr = data; size_t hash_len; struct iovec iov[4]; size_t iov_elems = 0; size_t fils_ft_len = 0; bool sha384; unsigned int ie_len; uint8_t *rsne = NULL; rmsk = erp_get_rmsk(fils->erp, &rmsk_len); if (fils->hs->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256) fils_ft_len = 32; else if (fils->hs->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384) fils_ft_len = 48; /* * IEEE 802.11ai - Section 12.12.2.5.3 */ if (fils->hs->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA256 | IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)) { sha384 = false; hash_len = 32; } else { sha384 = true; hash_len = 48; } fils->kek_len = handshake_state_get_kek_len(fils->hs); /* key is SNonce || ANonce */ memcpy(key, fils->nonce, sizeof(fils->nonce)); memcpy(key + FILS_NONCE_LEN, fils->anonce, sizeof(fils->anonce)); if (sha384) hmac_sha384(key, sizeof(key), rmsk, rmsk_len, fils->pmk, hash_len); else hmac_sha256(key, sizeof(key), rmsk, rmsk_len, fils->pmk, hash_len); fils->pmk_len = hash_len; /* * IEEE 802.11ai - 12.12.2.5.3 PTKSA key derivation with FILS * authentication * * FILS-Key-Data = PRF-X(PMK, “FILS PTK Derivation”, SPA || AA || * SNonce || ANonce) */ memcpy(ptr, fils->hs->spa, 6); ptr += 6; memcpy(ptr, fils->hs->aa, 6); ptr += 6; memcpy(ptr, fils->nonce, sizeof(fils->nonce)); ptr += sizeof(fils->nonce); memcpy(ptr, fils->anonce, sizeof(fils->anonce)); ptr += sizeof(fils->anonce); if (sha384) kdf_sha384(fils->pmk, hash_len, "FILS PTK Derivation", strlen("FILS PTK Derivation"), data, sizeof(data), key_data, hash_len + fils->kek_len + 16 + fils_ft_len); else kdf_sha256(fils->pmk, hash_len, "FILS PTK Derivation", strlen("FILS PTK Derivation"), data, sizeof(data), key_data, hash_len + fils->kek_len + 16 + fils_ft_len); ptr = data; /* * IEEE 802.11ai - 12.12.2.6.2 (Re)Association Request for FILS key * confirmation * * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID) */ memcpy(ptr, fils->nonce, sizeof(fils->nonce)); ptr += sizeof(fils->nonce); memcpy(ptr, fils->anonce, sizeof(fils->anonce)); ptr += sizeof(fils->anonce); memcpy(ptr, fils->hs->spa, 6); ptr += 6; memcpy(ptr, fils->hs->aa, 6); ptr += 6; memcpy(fils->ick, key_data, hash_len); fils->ick_len = hash_len; if (fils_ft_len) { memcpy(fils->fils_ft, key_data + hash_len + fils->kek_len + 16, fils_ft_len); fils->fils_ft_len = fils_ft_len; } handshake_state_set_fils_ft(fils->hs, fils->fils_ft, fils->fils_ft_len); if (sha384) hmac_sha384(fils->ick, hash_len, data, ptr - data, key_auth, hash_len); else hmac_sha256(fils->ick, hash_len, data, ptr - data, key_auth, hash_len); ie_tlv_builder_init(&builder, NULL, 0); ie_tlv_builder_next(&builder, IE_TYPE_FILS_KEY_CONFIRMATION); ie_tlv_builder_set_data(&builder, key_auth, hash_len); ie_tlv_builder_next(&builder, IE_TYPE_FILS_SESSION); ie_tlv_builder_set_data(&builder, fils->session, sizeof(fils->session)); iov[iov_elems].iov_base = ie_tlv_builder_finalize(&builder, &ie_len); iov[iov_elems].iov_len = ie_len; iov_elems++; iov[iov_elems].iov_base = fils->hs->supplicant_ie; iov[iov_elems].iov_len = fils->hs->supplicant_ie[1] + 2; iov_elems++; if (fils->hs->mde) { struct ie_rsn_info rsn_info; /* * IEEE 8021.11ai Section 13.2.4: * * If a key hierarchy already exists for this STA belonging to * the same mobility domain (i.e., having the same MDID), the * R0KH shall delete the existing PMK-R0 security association * and PMK-R1 security associations. * * All this means is we need to re-derive the new FT keys. This * will rederive the PTK too, but it will be overwritten with * the FILS PTK after associate */ handshake_state_derive_ptk(fils->hs); iov[iov_elems].iov_base = fils->hs->mde; iov[iov_elems].iov_len = fils->hs->mde[1] + 2; iov_elems++; if (ie_parse_rsne_from_data(fils->hs->supplicant_ie, fils->hs->supplicant_ie[1] + 2, &rsn_info) < 0) return -EBADMSG; rsn_info.num_pmkids = 1; rsn_info.pmkids = fils->hs->pmk_r1_name; rsne = alloca(256); ie_build_rsne(&rsn_info, rsne); iov[iov_elems].iov_base = rsne; iov[iov_elems].iov_len = rsne[1] + 2; iov_elems += 1; } memcpy(data, fils->nonce, sizeof(fils->nonce)); memcpy(data + sizeof(fils->nonce), fils->anonce, sizeof(fils->anonce)); memcpy(fils->kek_and_tk, key_data + hash_len, fils->kek_len + 16); fils->assoc(iov, iov_elems, fils->kek_and_tk, fils->kek_len, data, FILS_NONCE_LEN * 2, fils->user_data); return 0; } static bool fils_start(struct auth_proto *driver) { struct fils_sm *fils = l_container_of(driver, struct fils_sm, ap); return erp_start(fils->erp); } static void fils_free(struct auth_proto *driver) { struct fils_sm *fils = l_container_of(driver, struct fils_sm, ap); erp_free(fils->erp); explicit_bzero(fils->ick, sizeof(fils->ick)); explicit_bzero(fils->kek_and_tk, sizeof(fils->kek_and_tk)); explicit_bzero(fils->pmk, fils->pmk_len); explicit_bzero(fils->pmkid, sizeof(fils->pmkid)); l_free(fils); } static int fils_rx_authenticate(struct auth_proto *driver, const uint8_t *frame, size_t len) { struct fils_sm *fils = l_container_of(driver, struct fils_sm, ap); const struct mmpdu_header *hdr = mpdu_validate(frame, len); const struct mmpdu_authentication *auth; uint16_t alg; struct ie_tlv_iter iter; const uint8_t *anonce = NULL; const uint8_t *session = NULL; const uint8_t *wrapped = NULL; size_t wrapped_len = 0; const uint8_t *rsne = NULL; const uint8_t *mde = NULL; const uint8_t *fte = NULL; if (!hdr) { l_debug("Auth frame header did not validate"); return -EBADMSG; } auth = mmpdu_body(hdr); if (!auth) { l_debug("Auth frame body did not validate"); return -EBADMSG; } if (auth->status != 0) { l_debug("invalid status %u", auth->status); return L_LE16_TO_CPU(auth->status); } alg = L_LE16_TO_CPU(auth->algorithm); if (alg != MMPDU_AUTH_ALGO_FILS_SK && alg != MMPDU_AUTH_ALGO_FILS_SK_PFS) { l_debug("invalid auth algorithm %u", auth->algorithm); return MMPDU_STATUS_CODE_UNSUP_AUTH_ALG; } ie_tlv_iter_init(&iter, auth->ies, (const uint8_t *) hdr + len - auth->ies); while (ie_tlv_iter_next(&iter)) { switch (iter.tag) { case IE_TYPE_FILS_NONCE: if (iter.len != FILS_NONCE_LEN) goto invalid_ies; anonce = iter.data; break; case IE_TYPE_FILS_SESSION: if (iter.len != FILS_SESSION_LEN) goto invalid_ies; session = iter.data; break; case IE_TYPE_FILS_WRAPPED_DATA: wrapped = iter.data; wrapped_len = iter.len; break; case IE_TYPE_RSN: if (rsne) goto invalid_ies; rsne = ie_tlv_iter_get_data(&iter) - 2; break; case IE_TYPE_MOBILITY_DOMAIN: if (mde) goto invalid_ies; mde = ie_tlv_iter_get_data(&iter) - 2; break; case IE_TYPE_FAST_BSS_TRANSITION: if (fte) goto invalid_ies; fte = ie_tlv_iter_get_data(&iter) - 2; break; default: continue; } } if (!anonce || !session || !wrapped) { l_debug("Auth did not include required IEs"); goto invalid_ies; } if (mde) handshake_state_set_mde(fils->hs, mde); if (fte) { struct handshake_state *hs = fils->hs; uint32_t kck_len = handshake_state_get_kck_len(hs); struct ie_ft_info ft_info; if (ie_parse_fast_bss_transition_from_data(fte, fte[1] + 2, kck_len, &ft_info) < 0) goto invalid_ies; handshake_state_set_fte(fils->hs, fte); handshake_state_set_kh_ids(fils->hs, ft_info.r0khid, ft_info.r0khid_len, ft_info.r1khid); } memcpy(fils->anonce, anonce, FILS_NONCE_LEN); if (erp_rx_packet(fils->erp, wrapped, wrapped_len) < 0) goto invalid_ies; return fils_derive_key_data(fils); invalid_ies: return MMPDU_STATUS_CODE_INVALID_ELEMENT; } static int fils_rx_associate(struct auth_proto *driver, const uint8_t *frame, size_t len) { struct fils_sm *fils = l_container_of(driver, struct fils_sm, ap); const struct mmpdu_header *hdr = mpdu_validate(frame, len); const struct mmpdu_association_response *assoc; struct ie_tlv_iter iter; uint8_t key_rsc[8]; const uint8_t *gtk = NULL; size_t gtk_len; uint8_t gtk_key_index; const uint8_t *igtk = NULL; size_t igtk_len; uint8_t igtk_key_index; const uint8_t *ap_key_auth = NULL; uint8_t expected_key_auth[48]; bool sha384 = (fils->hs->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA384 | IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)); uint8_t data[44]; uint8_t *ptr = data; if (!hdr) { l_debug("Assoc frame header did not validate"); return -EBADMSG; } assoc = mmpdu_body(hdr); if (!assoc) { l_debug("Assoc frame body did not validate"); return -EBADMSG; } if (assoc->status_code != 0) return L_CPU_TO_LE16(assoc->status_code); ie_tlv_iter_init(&iter, assoc->ies, (const uint8_t *) hdr + len - assoc->ies); while (ie_tlv_iter_next(&iter)) { switch (iter.tag) { case IE_TYPE_KEY_DELIVERY: if (iter.len < 8) goto invalid_ies; memcpy(key_rsc, iter.data, 8); gtk = handshake_util_find_gtk_kde(iter.data + 8, iter.len - 8, >k_len); if (!gtk) goto invalid_ies; gtk_key_index = util_bit_field(gtk[0], 0, 2); gtk += 2; gtk_len -= 2; if (!fils->hs->mfp) break; igtk = handshake_util_find_igtk_kde(iter.data + 8, iter.len - 8, &igtk_len); if (!igtk) goto invalid_ies; igtk_key_index = l_get_le16(igtk); igtk += 2; igtk_len -= 2; break; case IE_TYPE_FILS_KEY_CONFIRMATION: if (sha384 && iter.len != 48) goto invalid_ies; if (!sha384 && iter.len != 32) goto invalid_ies; ap_key_auth = iter.data; break; } } if (!ap_key_auth) { l_debug("Associate did not include KeyAuth IE"); goto invalid_ies; } ptr = data; memcpy(ptr, fils->anonce, sizeof(fils->anonce)); ptr += sizeof(fils->anonce); memcpy(ptr, fils->nonce, sizeof(fils->nonce)); ptr += sizeof(fils->nonce); memcpy(ptr, fils->hs->aa, 6); ptr += 6; memcpy(ptr, fils->hs->spa, 6); ptr += 6; if (sha384) hmac_sha384(fils->ick, fils->ick_len, data, ptr - data, expected_key_auth, fils->ick_len); else hmac_sha256(fils->ick, fils->ick_len, data, ptr - data, expected_key_auth, fils->ick_len); if (memcmp(ap_key_auth, expected_key_auth, fils->ick_len)) { l_error("AP KeyAuth did not verify"); return -EBADMSG; } handshake_state_set_pmk(fils->hs, fils->pmk, fils->pmk_len); handshake_state_set_pmkid(fils->hs, fils->pmkid); if (gtk) handshake_state_install_gtk(fils->hs, gtk_key_index, gtk, gtk_len, key_rsc, 6); if (igtk) handshake_state_install_igtk(fils->hs, igtk_key_index, igtk + 6, igtk_len - 6, igtk); handshake_state_set_ptk(fils->hs, fils->kek_and_tk, fils->kek_len + 16); handshake_state_install_ptk(fils->hs); return 0; invalid_ies: return MMPDU_STATUS_CODE_INVALID_ELEMENT; } struct auth_proto *fils_sm_new(struct handshake_state *hs, fils_tx_authenticate_func_t auth, fils_tx_associate_func_t assoc, void *user_data) { struct fils_sm *fils; fils = l_new(struct fils_sm, 1); fils->auth = auth; fils->assoc = assoc; fils->user_data = user_data; fils->hs = hs; fils->ap.start = fils_start; fils->ap.free = fils_free; fils->ap.rx_authenticate = fils_rx_authenticate; fils->ap.rx_associate = fils_rx_associate; fils->erp = erp_new(hs->erp_cache, fils_erp_tx_func, fils); return &fils->ap; }