summaryrefslogtreecommitdiff
path: root/sys/net80211/ieee80211_crypto.c
AgeCommit message (Collapse)Author
2010-07-20Switch some obvious network stack MAC comparisons from bcmp() toMatthew Dempsky
timingsafe_bcmp(). ok deraadt@; committed over WPA.
2009-02-13Change ifconfig wpaakms default setting to `psk' instead of `psk,802.1x'.Damien Bergamini
Some supplicants will autoselect 802.1X without giving users the possibility to choose between PSK or 802.1X. Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined in Draft 802.11w) by default in the RSN IE of beacons and probe responses as it confuses some broken supplicants. This kind of sacrifies security for interoperability with shitty (but unfortunately widespread) clients that do not follow the 802.11 standard properly. This fixes associations from Intel PROSet on XP and also reportedly fixes some Mac OS clients. I will likely make `psk-sha256' configurable through ifconfig wpaakms after the 4.5 release.
2009-01-26Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:Damien Bergamini
- implement A-MPDU frames buffering and reordering - implement A-MSDU decapsulation - process/send ADDBA Request, ADDBA Response and DELBA action frames - process Block Ack Request control frames (including MTBAR) - implement PBAC support (Protected Block Ack) - add some incomplete HT Capabilities and HT Operation IEs parsing Add more Management Frame Protection bits based on 802.11w Draft 7.0: - implement SA Query procedure (both AP and STA) - cleanup BIP Fix some bugs: - fix check for WEP key length that otherwise caused a stack smash in ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc) - properly stop EAPOL timeout: fixes a panic that occured in HostAP mode when turning the interface down while a 4-way handshake is in progress (pointed out by Doughertys) Did some code cleanup too. The HT bits are currently not compiled in (IEEE80211_NO_HT is defined) because they won't be ready until after the next release and I didn't want to grow the kernel or to inadvertently introduce new bugs. They are here such that other people can look at the code. Notice that I had to add an extra parameter to ic_send_mgmt() for action frames, that is why there are small changes in drivers defining their own ic_send_mgmt() handler. Sorry for the not very incremental diff but this has been sitting in my tree for too long now.
2008-09-27Initial implementation of PMKSA caching and pre-authentication.Damien Bergamini
This will be required for future WPA-Enterprise support (802.1X). Add ieee80211_needs_auth() function (not implemented yet) to notify the userland 802.1X PACP machine when an 802.1X port becomes enabled (that is after successfull 802.11 Open System authentication). Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the PACP state machine can kick the 802.11 key state machine and install PMKs obtained from 802.1X (pre-)authentication. Enable SHA-256 based AKMPs by default while I'm here (TGw). This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC for data integrity, and AES Key Wrap for data protection of EAPOL-Key frames. An OpenBSD AP will always advertise this capability and an OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based ones if both are supported by an AP.
2008-08-27introduce new IEEE80211_STA_ONLY kernel option that can be set toDamien Bergamini
remove IBSS and HostAP support from net80211 and 802.11 drivers. it can be used to shrink RAMDISK kernels for instance (like what was done for wi(4)). it also has the benefit of highlighting what is specific to IBSS and HostAP modes in the code. the cost is that we now have two code paths to maintain.
2008-08-14ieee80211_derive_pmkid() is not used eitherDamien Bergamini
2008-08-14#ifdef notyet ieee80211_kdf() as it is not used yet (shrink kernel a bit)Damien Bergamini
2008-08-12add the code to encrypt/decrypt management frames, retrieve key idDamien Bergamini
from MMIE etc... this code can't be triggered as no drivers claim MFP capability yet.
2008-08-12missing SHA-256 bits.Damien Bergamini
2008-08-12new SHA-256 based AKMPs.Damien Bergamini
2008-08-12add support for EAPOL-Key v3 descriptors (similar to v2 except that theDamien Bergamini
MIC is computed using AES-128-CMAC instead of HMAC-SHA1). add a SHA-256 based key derivation function (not used yet).
2008-08-12the only integrity group cipher currently supported is AES-128-CMAC.Damien Bergamini
2008-08-12extend the ic_nw_keys[] array to 6 elements.Damien Bergamini
indices 0-3 will be used for group data keys while indices 4-5 will be used for integrity group keys. add a ic_rsngroupmgmtcipher field too.
2008-08-12get rid of the map_ptk()/map_gtk() functions, just inline themDamien Bergamini
which makes things easier to track.
2008-08-12simplify ieee80211_derive_ptk() prototype.Damien Bergamini
pass the AKMP so we can support other key derivation functions in the future.
2008-08-12use HMAC-MD5, HMAC-SHA1 and AES Key Wrap sys/crypto/Damien Bergamini
2008-07-21add ieee80211_priv.h file: contains definitions private to net80211.Damien Bergamini
this must not be included by drivers.
2008-06-16remove now useless casts since the rijndael_* protos have beenDamien Bergamini
constified.
2008-04-26move things from ieee80211_ifattach() to ieee80211_crypto_attach().Damien Bergamini
2008-04-21- do not process ethernet PAE frames if RSN is not enabledDamien Bergamini
- add a ieee80211_recv_action() function (will be used later) - some cleanup, remove unused prototypes, get rid of the IEEE80211_VERIFY_* macros
2008-04-18extend the if_ethersubr.c crc functions to support updating a runningDamien Miller
crc in addition to the existing "oneshot" mode and use them to replace ieee80211_crc_update() with the new ether_crc32_le_update(). Saves 1k kernel bss + some code. Mark the new ether_crc32_[lb]e_update functions as __pure for a ~25x speedup (on my i386 at least). feedback and ok damien@
2008-04-17call ieee80211_crc_init() only once, when the first 802.11 deviceDamien Bergamini
attaches instead of at every attach. discussed with deraadt@
2008-04-16Kernel implementation of the 4-way handshake and group-keyDamien Bergamini
handshake protocols (both supplicant and authenticator state machines) as defined in the IEEE 802.11i standard. Software implementation of the TKIP (Temporal Key Integrity Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols. This diff doesn't implement any of the 802.1X authentication protocols and thus only PSK authentication (using pre-shared keys) is currently supported. In concrete terms, this adds support for WPA-PSK and WPA2-PSK protocols, both in station and hostap modes. The following drivers are marked as WPA-capable and should work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4), rum(4), upgt(4), and zyd(4) The following options have been added to ifconfig(8): wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher wpa-psk(8) can be used to generate keys from passphrases. tested by many@ ok deraadt@
2007-09-11remove horrid casts now that SHA1Update() has been constified.Damien Bergamini
2007-08-29- use ieee80211_get_hdrlen() where appropriate.Damien Bergamini
- discard all EAPOL-Key frames with an unknown descriptor version. - when receiving message 3/4 of the 4-way handshake, do not install the PTK if the INSTALL bit is not set. this fixes 4-way handshake with APs using group keys only. - similarly, do not mark the 802.1X port as valid if the SECURE bit is not set (it will be marked as valid after group key handshake).
2007-08-23fix ieee80211_map_ptk() for TKIP.Damien Bergamini
2007-08-22add a ieee80211_get_txkey() function to determine the key to use forDamien Bergamini
transmitting a frame to a given node. change ieee80211_encrypt() so that it now takes the key as parameter. this change is required because drivers doing hardware crypto need to know what key is being used.
2007-08-22- add k_rxmic and k_txmic fields to struct ieee80211_key to store theDamien Bergamini
Tx/Rx MIC for TKIP. - add two functions to map a PTK and a GTK to an IEEE 802.11 key and use them in ieee80211_input.c instead of duplicating the same code. properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP. - add ic_psk to struct ieee80211com to store the pre-shared key. - fix setting of the SECURE bit in outgoing EAPOL-Key frames. - when receiving msg 2 of the 4-way handshake, deauthenticate the station if the RSN IE does not match that of the (Re)Association request. - before parsing an RSN or WPA IE, check that there's enough room for the version field (2 bytes) which is mandatory. - various tweaks while i'm here.
2007-08-03add a ni_eapol_desc field to struct ieee80211_node to know whetherDamien Bergamini
a station is using WPA1 or RSN descriptors. make sure that a station that advertises WPA1 capability in an IE uses the WPA1 EAPOL-Key descriptor type and not the RSN one. fix construction of EAPOL-Key frames for WPA1. i can now successfuly complete a 4-way and group-key handshake with both a WPA1 and a WPA2 access point. add some TKIP encapsulation code (no SW crypto yet). ok deraadt@
2007-08-01add generic ieee80211_encrypt() and ieee80211_decrypt() functions thatDamien Bergamini
can handle multiple ciphers (the key to use is determined automatically by these functions based on the frame's destination address). add ieee80211_ccmp_encrypt() and ieee80211_ccmp_decrypt(). those two functions only do encapsulation/decapsulation of CCMP frames for now (they don't do SW crypto). they will help to test things with drivers that can do HW crypto. add a ni_pairwise_key field to struct ieee80211_node to actually install the pairwise transient key. install the GTK in ic_nw_keys[].
2007-08-01group key handshake message 1 is very different between RSN and WPA1.Damien Bergamini
RSN uses a GTK KDE while WPA1 stores the GTK in the EAPOL-Key frame data field (encrypted) and uses some bits in the info field. split ieee80211_recv_group_msg1() in two separate functions.
2007-08-01all WPA implementations i have tested use EAPOL-Key frames version 1,Damien Bergamini
so use that too and remove a check in ieee80211_recv_eapol(). WPA1 stores the group key id into bits 4-5 of the EAPOL-Key frame info field and uses bit 6 to indicate if the key is Rx/Tx or Rx only. remove a check in ieee80211_eapol_key_decrypt() because WPA1 encrypts the payload of message 1 of the group-key handshake without setting the encrypted bit in the info field.
2007-08-01the EAPOL-Key MIC must be computed with the MIC bit set.Damien Bergamini
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic() quite a bit. set the EAPOL-Key body length before computing the MIC since the MIC is computed with the 802.1X header too. add a missing htons() while i'm here.
2007-07-28extend the ieee80211_key structure with a key identifier, a flags fieldDamien Bergamini
and a 64-bit receive sequence counter (for group keys). add a ieee80211_cipher_keylen() function to retrieve the key length in bytes used by a specific cipher. account for 802.1X header size when computing the Key MIC. some cleanup in comments and variable names while i'm here.
2007-07-24new function to check the MIC of a received EAPOL-Key frame.Damien Bergamini
2007-07-24use rc4_skip().Damien Bergamini
fix ieee80211_eapol_key_encrypt() so that we don't add more padding bytes than necessary in the case of AES Key Wrap encryption.
2007-07-24remove some unused key derivation functions.Damien Bergamini
we won't support PeerKey handshake in a first time.
2007-07-24remove arc4_ compatibility macros.Damien Bergamini
2007-07-24add functions to compute EAPOL-Key Key MIC fields and to encrypt/decryptDamien Bergamini
EAPOL-Key Data fields.
2007-07-24add ic_globalcnt to struct ieee80211com:Damien Bergamini
in an RSNA, each STA must maintain a 256-bit global key counter that must be initialized to a random value (see 8.5.7).
2007-07-18modify ieee80211_aes_key_wrap() to support in-place encryption.Damien Bergamini
explicitly use ovbcopy() even if our kernel memcpy() supports overlapping buffers.
2007-07-18add AES Key Wrap algorithm (see RFC 3394).Damien Bergamini
this will be used to encrypt/decrypt EAPOL-Key frames payload.
2007-07-18replace the ieee80211_wepkey structure with a more generic ieee80211_keyDamien Bergamini
one that can be used with other ciphers than WEP.
2007-07-14s/uint8_t/u_int8_t/ for consistency.Damien Bergamini
2007-07-14update QoS Tx/Rx sequence numbers for each TID.Damien Bergamini
add a parameter to ieee80211_decap() to handle different 802.11 header sizes. cleanup and clarify ieee80211_classify().
2007-07-05add myself to the copyright list.Damien Bergamini
2007-07-05add the pseudo-random function (PRF) and various key derivationDamien Bergamini
functions defined in 802.11i.
2007-06-16constifyDamien Bergamini
2007-06-16de-staticDamien Bergamini
ok jsg@
2007-06-06The license permits us to redistribute this code under the BSD or the GPLv2.Damien Bergamini
Choose the BSD license so that future enhancements will be BSD-only. ok jsg@ reyk@ deraadt@