mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-26 09:18:24 -05:00
5c6787a6ca
This extends the earlier PeerKey station side design to be used on the AP side as well by passing pointer and already validated length from the caller rather than parsing the length again from the frame buffer. This avoids false warnings from static analyzer (CID 62870, CID 62871, CID 62872). Signed-off-by: Jouni Malinen <j@w1.fi>
397 lines
10 KiB
C
397 lines
10 KiB
C
/*
|
|
* hostapd - PeerKey for Direct Link Setup (DLS)
|
|
* Copyright (c) 2006-2009, Jouni Malinen <j@w1.fi>
|
|
*
|
|
* This software may be distributed under the terms of the BSD license.
|
|
* See README for more details.
|
|
*/
|
|
|
|
#include "utils/includes.h"
|
|
|
|
#include "utils/common.h"
|
|
#include "utils/eloop.h"
|
|
#include "crypto/sha1.h"
|
|
#include "crypto/sha256.h"
|
|
#include "crypto/random.h"
|
|
#include "wpa_auth.h"
|
|
#include "wpa_auth_i.h"
|
|
#include "wpa_auth_ie.h"
|
|
|
|
#ifdef CONFIG_PEERKEY
|
|
|
|
static void wpa_stsl_step(void *eloop_ctx, void *timeout_ctx)
|
|
{
|
|
#if 0
|
|
struct wpa_authenticator *wpa_auth = eloop_ctx;
|
|
struct wpa_stsl_negotiation *neg = timeout_ctx;
|
|
#endif
|
|
|
|
/* TODO: ? */
|
|
}
|
|
|
|
|
|
struct wpa_stsl_search {
|
|
const u8 *addr;
|
|
struct wpa_state_machine *sm;
|
|
};
|
|
|
|
|
|
static int wpa_stsl_select_sta(struct wpa_state_machine *sm, void *ctx)
|
|
{
|
|
struct wpa_stsl_search *search = ctx;
|
|
if (os_memcmp(search->addr, sm->addr, ETH_ALEN) == 0) {
|
|
search->sm = sm;
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
static void wpa_smk_send_error(struct wpa_authenticator *wpa_auth,
|
|
struct wpa_state_machine *sm, const u8 *peer,
|
|
u16 mui, u16 error_type)
|
|
{
|
|
u8 kde[2 + RSN_SELECTOR_LEN + ETH_ALEN +
|
|
2 + RSN_SELECTOR_LEN + sizeof(struct rsn_error_kde)];
|
|
u8 *pos;
|
|
struct rsn_error_kde error;
|
|
|
|
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
|
|
"Sending SMK Error");
|
|
|
|
pos = kde;
|
|
|
|
if (peer) {
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN,
|
|
NULL, 0);
|
|
}
|
|
|
|
error.mui = host_to_be16(mui);
|
|
error.error_type = host_to_be16(error_type);
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_ERROR,
|
|
(u8 *) &error, sizeof(error), NULL, 0);
|
|
|
|
__wpa_send_eapol(wpa_auth, sm,
|
|
WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
|
|
WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_ERROR,
|
|
NULL, NULL, kde, pos - kde, 0, 0, 0);
|
|
}
|
|
|
|
|
|
void wpa_smk_m1(struct wpa_authenticator *wpa_auth,
|
|
struct wpa_state_machine *sm, struct wpa_eapol_key *key,
|
|
const u8 *key_data, size_t key_data_len)
|
|
{
|
|
struct wpa_eapol_ie_parse kde;
|
|
struct wpa_stsl_search search;
|
|
u8 *buf, *pos;
|
|
size_t buf_len;
|
|
|
|
if (wpa_parse_kde_ies(key_data, key_data_len, &kde) < 0) {
|
|
wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M1");
|
|
return;
|
|
}
|
|
|
|
if (kde.rsn_ie == NULL || kde.mac_addr == NULL ||
|
|
kde.mac_addr_len < ETH_ALEN) {
|
|
wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in "
|
|
"SMK M1");
|
|
return;
|
|
}
|
|
|
|
/* Initiator = sm->addr; Peer = kde.mac_addr */
|
|
|
|
search.addr = kde.mac_addr;
|
|
search.sm = NULL;
|
|
if (wpa_auth_for_each_sta(wpa_auth, wpa_stsl_select_sta, &search) ==
|
|
0 || search.sm == NULL) {
|
|
wpa_printf(MSG_DEBUG, "RSN: SMK handshake with " MACSTR
|
|
" aborted - STA not associated anymore",
|
|
MAC2STR(kde.mac_addr));
|
|
wpa_smk_send_error(wpa_auth, sm, kde.mac_addr, STK_MUI_SMK,
|
|
STK_ERR_STA_NR);
|
|
/* FIX: wpa_stsl_remove(wpa_auth, neg); */
|
|
return;
|
|
}
|
|
|
|
buf_len = kde.rsn_ie_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN;
|
|
buf = os_malloc(buf_len);
|
|
if (buf == NULL)
|
|
return;
|
|
/* Initiator RSN IE */
|
|
os_memcpy(buf, kde.rsn_ie, kde.rsn_ie_len);
|
|
pos = buf + kde.rsn_ie_len;
|
|
/* Initiator MAC Address */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->addr, ETH_ALEN,
|
|
NULL, 0);
|
|
|
|
/* SMK M2:
|
|
* EAPOL-Key(S=1, M=1, A=1, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
|
|
* MIC=MIC, DataKDs=(RSNIE_I, MAC_I KDE)
|
|
*/
|
|
|
|
wpa_auth_logger(wpa_auth, search.sm->addr, LOGGER_DEBUG,
|
|
"Sending SMK M2");
|
|
|
|
__wpa_send_eapol(wpa_auth, search.sm,
|
|
WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
|
|
WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE,
|
|
NULL, key->key_nonce, buf, pos - buf, 0, 0, 0);
|
|
|
|
os_free(buf);
|
|
}
|
|
|
|
|
|
static void wpa_send_smk_m4(struct wpa_authenticator *wpa_auth,
|
|
struct wpa_state_machine *sm,
|
|
struct wpa_eapol_key *key,
|
|
struct wpa_eapol_ie_parse *kde,
|
|
const u8 *smk)
|
|
{
|
|
u8 *buf, *pos;
|
|
size_t buf_len;
|
|
u32 lifetime;
|
|
|
|
/* SMK M4:
|
|
* EAPOL-Key(S=1, M=1, A=0, I=1, K=0, SM=1, KeyRSC=0, Nonce=PNonce,
|
|
* MIC=MIC, DataKDs=(MAC_I KDE, INonce KDE, SMK KDE,
|
|
* Lifetime KDE)
|
|
*/
|
|
|
|
buf_len = 2 + RSN_SELECTOR_LEN + ETH_ALEN +
|
|
2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN +
|
|
2 + RSN_SELECTOR_LEN + PMK_LEN + WPA_NONCE_LEN +
|
|
2 + RSN_SELECTOR_LEN + sizeof(lifetime);
|
|
pos = buf = os_malloc(buf_len);
|
|
if (buf == NULL)
|
|
return;
|
|
|
|
/* Initiator MAC Address */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, kde->mac_addr, ETH_ALEN,
|
|
NULL, 0);
|
|
|
|
/* Initiator Nonce */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_NONCE, kde->nonce, WPA_NONCE_LEN,
|
|
NULL, 0);
|
|
|
|
/* SMK with PNonce */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_SMK, smk, PMK_LEN,
|
|
key->key_nonce, WPA_NONCE_LEN);
|
|
|
|
/* Lifetime */
|
|
lifetime = htonl(43200); /* dot11RSNAConfigSMKLifetime */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
|
|
(u8 *) &lifetime, sizeof(lifetime), NULL, 0);
|
|
|
|
wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
|
|
"Sending SMK M4");
|
|
|
|
__wpa_send_eapol(wpa_auth, sm,
|
|
WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
|
|
WPA_KEY_INFO_INSTALL | WPA_KEY_INFO_SMK_MESSAGE,
|
|
NULL, key->key_nonce, buf, pos - buf, 0, 1, 0);
|
|
|
|
os_free(buf);
|
|
}
|
|
|
|
|
|
static void wpa_send_smk_m5(struct wpa_authenticator *wpa_auth,
|
|
struct wpa_state_machine *sm,
|
|
struct wpa_eapol_key *key,
|
|
struct wpa_eapol_ie_parse *kde,
|
|
const u8 *smk, const u8 *peer)
|
|
{
|
|
u8 *buf, *pos;
|
|
size_t buf_len;
|
|
u32 lifetime;
|
|
|
|
/* SMK M5:
|
|
* EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
|
|
* MIC=MIC, DataKDs=(RSNIE_P, MAC_P KDE, PNonce, SMK KDE,
|
|
* Lifetime KDE))
|
|
*/
|
|
|
|
buf_len = kde->rsn_ie_len +
|
|
2 + RSN_SELECTOR_LEN + ETH_ALEN +
|
|
2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN +
|
|
2 + RSN_SELECTOR_LEN + PMK_LEN + WPA_NONCE_LEN +
|
|
2 + RSN_SELECTOR_LEN + sizeof(lifetime);
|
|
pos = buf = os_malloc(buf_len);
|
|
if (buf == NULL)
|
|
return;
|
|
|
|
/* Peer RSN IE */
|
|
os_memcpy(pos, kde->rsn_ie, kde->rsn_ie_len);
|
|
pos += kde->rsn_ie_len;
|
|
|
|
/* Peer MAC Address */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN, NULL, 0);
|
|
|
|
/* PNonce */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_NONCE, key->key_nonce,
|
|
WPA_NONCE_LEN, NULL, 0);
|
|
|
|
/* SMK and INonce */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_SMK, smk, PMK_LEN,
|
|
kde->nonce, WPA_NONCE_LEN);
|
|
|
|
/* Lifetime */
|
|
lifetime = htonl(43200); /* dot11RSNAConfigSMKLifetime */
|
|
pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
|
|
(u8 *) &lifetime, sizeof(lifetime), NULL, 0);
|
|
|
|
wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
|
|
"Sending SMK M5");
|
|
|
|
__wpa_send_eapol(wpa_auth, sm,
|
|
WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
|
|
WPA_KEY_INFO_SMK_MESSAGE,
|
|
NULL, kde->nonce, buf, pos - buf, 0, 1, 0);
|
|
|
|
os_free(buf);
|
|
}
|
|
|
|
|
|
void wpa_smk_m3(struct wpa_authenticator *wpa_auth,
|
|
struct wpa_state_machine *sm, struct wpa_eapol_key *key,
|
|
const u8 *key_data, size_t key_data_len)
|
|
{
|
|
struct wpa_eapol_ie_parse kde;
|
|
struct wpa_stsl_search search;
|
|
u8 smk[32], buf[ETH_ALEN + 8 + 2 * WPA_NONCE_LEN], *pos;
|
|
|
|
if (wpa_parse_kde_ies(key_data, key_data_len, &kde) < 0) {
|
|
wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M3");
|
|
return;
|
|
}
|
|
|
|
if (kde.rsn_ie == NULL ||
|
|
kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
|
|
kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN) {
|
|
wpa_printf(MSG_INFO, "RSN: No RSN IE, MAC address KDE, or "
|
|
"Nonce KDE in SMK M3");
|
|
return;
|
|
}
|
|
|
|
/* Peer = sm->addr; Initiator = kde.mac_addr;
|
|
* Peer Nonce = key->key_nonce; Initiator Nonce = kde.nonce */
|
|
|
|
search.addr = kde.mac_addr;
|
|
search.sm = NULL;
|
|
if (wpa_auth_for_each_sta(wpa_auth, wpa_stsl_select_sta, &search) ==
|
|
0 || search.sm == NULL) {
|
|
wpa_printf(MSG_DEBUG, "RSN: SMK handshake with " MACSTR
|
|
" aborted - STA not associated anymore",
|
|
MAC2STR(kde.mac_addr));
|
|
wpa_smk_send_error(wpa_auth, sm, kde.mac_addr, STK_MUI_SMK,
|
|
STK_ERR_STA_NR);
|
|
/* FIX: wpa_stsl_remove(wpa_auth, neg); */
|
|
return;
|
|
}
|
|
|
|
if (random_get_bytes(smk, PMK_LEN)) {
|
|
wpa_printf(MSG_DEBUG, "RSN: Failed to generate SMK");
|
|
return;
|
|
}
|
|
|
|
/* SMK = PRF-256(Random number, "SMK Derivation",
|
|
* AA || Time || INonce || PNonce)
|
|
*/
|
|
os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
|
|
pos = buf + ETH_ALEN;
|
|
wpa_get_ntp_timestamp(pos);
|
|
pos += 8;
|
|
os_memcpy(pos, kde.nonce, WPA_NONCE_LEN);
|
|
pos += WPA_NONCE_LEN;
|
|
os_memcpy(pos, key->key_nonce, WPA_NONCE_LEN);
|
|
#ifdef CONFIG_IEEE80211W
|
|
sha256_prf(smk, PMK_LEN, "SMK Derivation", buf, sizeof(buf),
|
|
smk, PMK_LEN);
|
|
#else /* CONFIG_IEEE80211W */
|
|
sha1_prf(smk, PMK_LEN, "SMK Derivation", buf, sizeof(buf),
|
|
smk, PMK_LEN);
|
|
#endif /* CONFIG_IEEE80211W */
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", smk, PMK_LEN);
|
|
|
|
wpa_send_smk_m4(wpa_auth, sm, key, &kde, smk);
|
|
wpa_send_smk_m5(wpa_auth, search.sm, key, &kde, smk, sm->addr);
|
|
|
|
/* Authenticator does not need SMK anymore and it is required to forget
|
|
* it. */
|
|
os_memset(smk, 0, sizeof(*smk));
|
|
}
|
|
|
|
|
|
void wpa_smk_error(struct wpa_authenticator *wpa_auth,
|
|
struct wpa_state_machine *sm,
|
|
const u8 *key_data, size_t key_data_len)
|
|
{
|
|
struct wpa_eapol_ie_parse kde;
|
|
struct wpa_stsl_search search;
|
|
struct rsn_error_kde error;
|
|
u16 mui, error_type;
|
|
|
|
if (wpa_parse_kde_ies(key_data, key_data_len, &kde) < 0) {
|
|
wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error");
|
|
return;
|
|
}
|
|
|
|
if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
|
|
kde.error == NULL || kde.error_len < sizeof(error)) {
|
|
wpa_printf(MSG_INFO, "RSN: No MAC address or Error KDE in "
|
|
"SMK Error");
|
|
return;
|
|
}
|
|
|
|
search.addr = kde.mac_addr;
|
|
search.sm = NULL;
|
|
if (wpa_auth_for_each_sta(wpa_auth, wpa_stsl_select_sta, &search) ==
|
|
0 || search.sm == NULL) {
|
|
wpa_printf(MSG_DEBUG, "RSN: Peer STA " MACSTR " not "
|
|
"associated for SMK Error message from " MACSTR,
|
|
MAC2STR(kde.mac_addr), MAC2STR(sm->addr));
|
|
return;
|
|
}
|
|
|
|
os_memcpy(&error, kde.error, sizeof(error));
|
|
mui = be_to_host16(error.mui);
|
|
error_type = be_to_host16(error.error_type);
|
|
wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
|
|
"STA reported SMK Error: Peer " MACSTR
|
|
" MUI %d Error Type %d",
|
|
MAC2STR(kde.mac_addr), mui, error_type);
|
|
|
|
wpa_smk_send_error(wpa_auth, search.sm, sm->addr, mui, error_type);
|
|
}
|
|
|
|
|
|
int wpa_stsl_remove(struct wpa_authenticator *wpa_auth,
|
|
struct wpa_stsl_negotiation *neg)
|
|
{
|
|
struct wpa_stsl_negotiation *pos, *prev;
|
|
|
|
if (wpa_auth == NULL)
|
|
return -1;
|
|
pos = wpa_auth->stsl_negotiations;
|
|
prev = NULL;
|
|
while (pos) {
|
|
if (pos == neg) {
|
|
if (prev)
|
|
prev->next = pos->next;
|
|
else
|
|
wpa_auth->stsl_negotiations = pos->next;
|
|
|
|
eloop_cancel_timeout(wpa_stsl_step, wpa_auth, pos);
|
|
os_free(pos);
|
|
return 0;
|
|
}
|
|
prev = pos;
|
|
pos = pos->next;
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
#endif /* CONFIG_PEERKEY */
|