src/wps/wps_common.c

   1 /*
   2  * Wi-Fi Protected Setup - common functionality
   3  * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "dh_groups.h"
  19 #include "sha256.h"
  20 #include "aes_wrap.h"
  21 #include "crypto.h"
  22 #include "wps_i.h"
  23 #include "wps_dev_attr.h"
  24
  25
  26 void wps_kdf(const u8 *key, const u8 *label_prefix, size_t label_prefix_len,
  27              const char *label, u8 *res, size_t res_len)
  28 {
  29         u8 i_buf[4], key_bits[4];
  30         const u8 *addr[4];
  31         size_t len[4];
  32         int i, iter;
  33         u8 hash[SHA256_MAC_LEN], *opos;
  34         size_t left;
  35
  36         WPA_PUT_BE32(key_bits, res_len * 8);
  37
  38         addr[0] = i_buf;
  39         len[0] = sizeof(i_buf);
  40         addr[1] = label_prefix;
  41         len[1] = label_prefix_len;
  42         addr[2] = (const u8 *) label;
  43         len[2] = os_strlen(label);
  44         addr[3] = key_bits;
  45         len[3] = sizeof(key_bits);
  46
  47         iter = (res_len + SHA256_MAC_LEN - 1) / SHA256_MAC_LEN;
  48         opos = res;
  49         left = res_len;
  50
  51         for (i = 1; i <= iter; i++) {
  52                 WPA_PUT_BE32(i_buf, i);
  53                 hmac_sha256_vector(key, SHA256_MAC_LEN, 4, addr, len, hash);
  54                 if (i < iter) {
  55                         os_memcpy(opos, hash, SHA256_MAC_LEN);
  56                         opos += SHA256_MAC_LEN;
  57                         left -= SHA256_MAC_LEN;
  58                 } else
  59                         os_memcpy(opos, hash, left);
  60         }
  61 }
  62
  63
  64 int wps_derive_keys(struct wps_data *wps)
  65 {
  66         struct wpabuf *pubkey, *dh_shared;
  67         u8 dhkey[SHA256_MAC_LEN], kdk[SHA256_MAC_LEN];
  68         const u8 *addr[3];
  69         size_t len[3];
  70         u8 keys[WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN + WPS_EMSK_LEN];
  71
  72         if (wps->dh_privkey == NULL) {
  73                 wpa_printf(MSG_DEBUG, "WPS: Own DH private key not available");
  74                 return -1;
  75         }
  76
  77         pubkey = wps->registrar ? wps->dh_pubkey_e : wps->dh_pubkey_r;
  78         if (pubkey == NULL) {
  79                 wpa_printf(MSG_DEBUG, "WPS: Peer DH public key not available");
  80                 return -1;
  81         }
  82
  83         dh_shared = dh_derive_shared(pubkey, wps->dh_privkey,
  84                                      dh_groups_get(WPS_DH_GROUP));
  85         if (dh_shared == NULL) {
  86                 wpa_printf(MSG_DEBUG, "WPS: Failed to derive DH shared key");
  87                 return -1;
  88         }
  89
  90         /* Own DH private key is not needed anymore */
  91         wpabuf_free(wps->dh_privkey);
  92         wps->dh_privkey = NULL;
  93
  94         wpa_hexdump_buf_key(MSG_DEBUG, "WPS: DH shared key", dh_shared);
  95
  96         /* DHKey = SHA-256(g^AB mod p) */
  97         addr[0] = wpabuf_head(dh_shared);
  98         len[0] = wpabuf_len(dh_shared);
  99         sha256_vector(1, addr, len, dhkey);
 100         wpa_hexdump_key(MSG_DEBUG, "WPS: DHKey", dhkey, sizeof(dhkey));
 101         wpabuf_free(dh_shared);
 102
 103         /* KDK = HMAC-SHA-256_DHKey(N1 || EnrolleeMAC || N2) */
 104         addr[0] = wps->nonce_e;
 105         len[0] = WPS_NONCE_LEN;
 106         addr[1] = wps->mac_addr_e;
 107         len[1] = ETH_ALEN;
 108         addr[2] = wps->nonce_r;
 109         len[2] = WPS_NONCE_LEN;
 110         hmac_sha256_vector(dhkey, sizeof(dhkey), 3, addr, len, kdk);
 111         wpa_hexdump_key(MSG_DEBUG, "WPS: KDK", kdk, sizeof(kdk));
 112
 113         wps_kdf(kdk, NULL, 0, "Wi-Fi Easy and Secure Key Derivation",
 114                 keys, sizeof(keys));
 115         os_memcpy(wps->authkey, keys, WPS_AUTHKEY_LEN);
 116         os_memcpy(wps->keywrapkey, keys + WPS_AUTHKEY_LEN, WPS_KEYWRAPKEY_LEN);
 117         os_memcpy(wps->emsk, keys + WPS_AUTHKEY_LEN + WPS_KEYWRAPKEY_LEN,
 118                   WPS_EMSK_LEN);
 119
 120         wpa_hexdump_key(MSG_DEBUG, "WPS: AuthKey",
 121                         wps->authkey, WPS_AUTHKEY_LEN);
 122         wpa_hexdump_key(MSG_DEBUG, "WPS: KeyWrapKey",
 123                         wps->keywrapkey, WPS_KEYWRAPKEY_LEN);
 124         wpa_hexdump_key(MSG_DEBUG, "WPS: EMSK", wps->emsk, WPS_EMSK_LEN);
 125
 126         return 0;
 127 }
 128
 129
 130 int wps_derive_mgmt_keys(struct wps_data *wps)
 131 {
 132         u8 nonces[2 * WPS_NONCE_LEN];
 133         u8 keys[WPS_MGMTAUTHKEY_LEN + WPS_MGMTENCKEY_LEN];
 134         u8 hash[SHA256_MAC_LEN];
 135         const u8 *addr[2];
 136         size_t len[2];
 137         const char *auth_label = "WFA-WLAN-Management-MgmtAuthKey";
 138         const char *enc_label = "WFA-WLAN-Management-MgmtEncKey";
 139
 140         /* MgmtAuthKey || MgmtEncKey =
 141          * kdf(EMSK, N1 || N2 || "WFA-WLAN-Management-Keys", 384) */
 142         os_memcpy(nonces, wps->nonce_e, WPS_NONCE_LEN);
 143         os_memcpy(nonces + WPS_NONCE_LEN, wps->nonce_r, WPS_NONCE_LEN);
 144         wps_kdf(wps->emsk, nonces, sizeof(nonces), "WFA-WLAN-Management-Keys",
 145                 keys, sizeof(keys));
 146         os_memcpy(wps->mgmt_auth_key, keys, WPS_MGMTAUTHKEY_LEN);
 147         os_memcpy(wps->mgmt_enc_key, keys + WPS_MGMTAUTHKEY_LEN,
 148                   WPS_MGMTENCKEY_LEN);
 149
 150         addr[0] = nonces;
 151         len[0] = sizeof(nonces);
 152
 153         /* MgmtEncKeyID = first 128 bits of
 154          * SHA-256(N1 || N2 || "WFA-WLAN-Management-MgmtAuthKey") */
 155         addr[1] = (const u8 *) auth_label;
 156         len[1] = os_strlen(auth_label);
 157         sha256_vector(2, addr, len, hash);
 158         os_memcpy(wps->mgmt_auth_key_id, hash, WPS_MGMT_KEY_ID_LEN);
 159
 160         /* MgmtEncKeyID = first 128 bits of
 161          * SHA-256(N1 || N2 || "WFA-WLAN-Management-MgmtEncKey") */
 162         addr[1] = (const u8 *) enc_label;
 163         len[1] = os_strlen(enc_label);
 164         sha256_vector(2, addr, len, hash);
 165         os_memcpy(wps->mgmt_enc_key_id, hash, WPS_MGMT_KEY_ID_LEN);
 166
 167         wpa_hexdump_key(MSG_DEBUG, "WPS: MgmtAuthKey",
 168                         wps->mgmt_auth_key, WPS_MGMTAUTHKEY_LEN);
 169         wpa_hexdump(MSG_DEBUG, "WPS: MgmtAuthKeyID",
 170                     wps->mgmt_auth_key_id, WPS_MGMT_KEY_ID_LEN);
 171         wpa_hexdump_key(MSG_DEBUG, "WPS: MgmtEncKey",
 172                         wps->mgmt_enc_key, WPS_MGMTENCKEY_LEN);
 173         wpa_hexdump(MSG_DEBUG, "WPS: MgmtEncKeyID",
 174                     wps->mgmt_enc_key_id, WPS_MGMT_KEY_ID_LEN);
 175
 176         return 0;
 177 }
 178
 179
 180 void wps_derive_psk(struct wps_data *wps, const u8 *dev_passwd,
 181                     size_t dev_passwd_len)
 182 {
 183         u8 hash[SHA256_MAC_LEN];
 184
 185         hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, dev_passwd,
 186                     (dev_passwd_len + 1) / 2, hash);
 187         os_memcpy(wps->psk1, hash, WPS_PSK_LEN);
 188         hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN,
 189                     dev_passwd + (dev_passwd_len + 1) / 2,
 190                     dev_passwd_len / 2, hash);
 191         os_memcpy(wps->psk2, hash, WPS_PSK_LEN);
 192
 193         wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Device Password",
 194                               dev_passwd, dev_passwd_len);
 195         wpa_hexdump_key(MSG_DEBUG, "WPS: PSK1", wps->psk1, WPS_PSK_LEN);
 196         wpa_hexdump_key(MSG_DEBUG, "WPS: PSK2", wps->psk2, WPS_PSK_LEN);
 197 }
 198
 199
 200 struct wpabuf * wps_decrypt_encr_settings(struct wps_data *wps, const u8 *encr,
 201                                           size_t encr_len)
 202 {
 203         struct wpabuf *decrypted;
 204         const size_t block_size = 16;
 205         size_t i;
 206         u8 pad;
 207         const u8 *pos;
 208
 209         /* AES-128-CBC */
 210         if (encr == NULL || encr_len < 2 * block_size || encr_len % block_size)
 211         {
 212                 wpa_printf(MSG_DEBUG, "WPS: No Encrypted Settings received");
 213                 return NULL;
 214         }
 215
 216         decrypted = wpabuf_alloc(encr_len - block_size);
 217         if (decrypted == NULL)
 218                 return NULL;
 219
 220         wpa_hexdump(MSG_MSGDUMP, "WPS: Encrypted Settings", encr, encr_len);
 221         wpabuf_put_data(decrypted, encr + block_size, encr_len - block_size);
 222         if (aes_128_cbc_decrypt(wps->keywrapkey, encr, wpabuf_mhead(decrypted),
 223                                 wpabuf_len(decrypted))) {
 224                 wpabuf_free(decrypted);
 225                 return NULL;
 226         }
 227
 228         wpa_hexdump_buf_key(MSG_MSGDUMP, "WPS: Decrypted Encrypted Settings",
 229                             decrypted);
 230
 231         pos = wpabuf_head_u8(decrypted) + wpabuf_len(decrypted) - 1;
 232         pad = *pos;
 233         if (pad > wpabuf_len(decrypted)) {
 234                 wpa_printf(MSG_DEBUG, "WPS: Invalid PKCS#5 v2.0 pad value");
 235                 wpabuf_free(decrypted);
 236                 return NULL;
 237         }
 238         for (i = 0; i < pad; i++) {
 239                 if (*pos-- != pad) {
 240                         wpa_printf(MSG_DEBUG, "WPS: Invalid PKCS#5 v2.0 pad "
 241                                    "string");
 242                         wpabuf_free(decrypted);
 243                         return NULL;
 244                 }
 245         }
 246         decrypted->used -= pad;
 247
 248         return decrypted;
 249 }
 250
 251
 252 /**
 253  * wps_pin_checksum - Compute PIN checksum
 254  * @pin: Seven digit PIN (i.e., eight digit PIN without the checksum digit)
 255  * Returns: Checksum digit
 256  */
 257 unsigned int wps_pin_checksum(unsigned int pin)
 258 {
 259         unsigned int accum = 0;
 260         while (pin) {
 261                 accum += 3 * (pin % 10);
 262                 pin /= 10;
 263                 accum += pin % 10;
 264                 pin /= 10;
 265         }
 266
 267         return (10 - accum % 10) % 10;
 268 }
 269
 270
 271 /**
 272  * wps_pin_valid - Check whether a PIN has a valid checksum
 273  * @pin: Eight digit PIN (i.e., including the checksum digit)
 274  * Returns: 1 if checksum digit is valid, or 0 if not
 275  */
 276 unsigned int wps_pin_valid(unsigned int pin)
 277 {
 278         return wps_pin_checksum(pin / 10) == (pin % 10);
 279 }
 280
 281
 282 /**
 283  * wps_generate_pin - Generate a random PIN
 284  * Returns: Eight digit PIN (i.e., including the checksum digit)
 285  */
 286 unsigned int wps_generate_pin(void)
 287 {
 288         unsigned int val;
 289
 290         /* Generate seven random digits for the PIN */
 291         if (os_get_random((unsigned char *) &val, sizeof(val)) < 0) {
 292                 struct os_time now;
 293                 os_get_time(&now);
 294                 val = os_random() ^ now.sec ^ now.usec;
 295         }
 296         val %= 10000000;
 297
 298         /* Append checksum digit */
 299         return val * 10 + wps_pin_checksum(val);
 300 }
 301
 302
 303 void wps_fail_event(struct wps_context *wps, enum wps_msg_type msg)
 304 {
 305         union wps_event_data data;
 306
 307         if (wps->event_cb == NULL)
 308                 return;
 309
 310         os_memset(&data, 0, sizeof(data));
 311         data.fail.msg = msg;
 312         wps->event_cb(wps->cb_ctx, WPS_EV_FAIL, &data);
 313 }