29 Keydescrlen = 1+2+2+8+32+16+8+8+16+2,
32 typedef struct Keydescr Keydescr;
48 typedef struct Cipher Cipher;
55 typedef struct Eapconn Eapconn;
56 typedef struct TLStunn TLStunn;
69 void (*write)(Eapconn*, uchar *data, int datalen);
83 Cipher tkip = { "tkip", 32 };
84 Cipher ccmp = { "ccmp", 16 };
105 uchar rsntkipoui[4] = {0x00, 0x0F, 0xAC, 0x02};
106 uchar rsnccmpoui[4] = {0x00, 0x0F, 0xAC, 0x04};
107 uchar rsnapskoui[4] = {0x00, 0x0F, 0xAC, 0x02};
108 uchar rsnawpaoui[4] = {0x00, 0x0F, 0xAC, 0x01};
113 0x01, 0x00, /* version 1 */
114 0x00, 0x0F, 0xAC, 0x04, /* group cipher suite CCMP */
115 0x01, 0x00, /* pairwise cipher suite count 1 */
116 0x00, 0x0F, 0xAC, 0x04, /* pairwise cipher suite CCMP */
117 0x01, 0x00, /* authentication suite count 1 */
118 0x00, 0x0F, 0xAC, 0x02, /* authentication suite PSK */
119 0x00, 0x00, /* capabilities */
122 uchar wpa1oui[4] = {0x00, 0x50, 0xF2, 0x01};
123 uchar wpatkipoui[4] = {0x00, 0x50, 0xF2, 0x02};
124 uchar wpaapskoui[4] = {0x00, 0x50, 0xF2, 0x02};
125 uchar wpaawpaoui[4] = {0x00, 0x50, 0xF2, 0x01};
128 0xdd, /* vendor specific */
130 0x00, 0x50, 0xf2, 0x01, /* WPAIE type 1 */
131 0x01, 0x00, /* version 1 */
132 0x00, 0x50, 0xf2, 0x02, /* group cipher suite TKIP */
133 0x01, 0x00, /* pairwise cipher suite count 1 */
134 0x00, 0x50, 0xf2, 0x02, /* pairwise cipher suite TKIP */
135 0x01, 0x00, /* authentication suite count 1 */
136 0x00, 0x50, 0xf2, 0x02, /* authentication suite PSK */
144 if((v = mallocz(len, 1)) == nil)
145 sysfatal("malloc: %r");
150 hextob(char *s, char **sp, uchar *b, int n)
155 for(r = 0; r < n && *s; s++){
157 if(*s >= '0' && *s <= '9')
159 else if(*s >= 'a' && *s <= 'f')
161 else if(*s >= 'A' && *s <= 'F')
173 getifstats(char *key, char *val, int nval)
175 char buf[8*1024], *f[2], *p, *e;
178 snprint(buf, sizeof(buf), "%s/ifstats", devdir);
179 if((fd = open(buf, OREAD)) < 0)
181 n = readn(fd, buf, sizeof(buf)-1);
186 for(p = buf; (e = strchr(p, '\n')) != nil; p = e){
188 if(gettokens(p, f, 2, "\t\r\n ") != 2)
190 if(strcmp(f[0], key) != 0)
192 strncpy(val, f[1], nval);
202 return getifstats("essid:", essid, sizeof(essid));
206 getbssid(uchar mac[Eaddrlen])
210 if(getifstats("bssid:", buf, sizeof(buf)) != nil)
211 return parseether(mac, buf);
220 if(getifstats("status:", status, sizeof(status)) == nil)
222 if(strcmp(status, "connecting") == 0)
224 if(strcmp(status, "unauthenticated") == 0)
227 fprint(2, "status: %s\n", status);
232 buildrsne(uchar rsne[258])
240 if(getifstats("brsne:", buf, sizeof(buf)) == nil)
241 return 0; /* not an error, might be old kernel */
243 brsnelen = hextob(buf, nil, brsne, sizeof(brsne));
245 trunc: sysfatal("invalid or truncated RSNE; brsne: %s", buf);
257 *w++ = 0; /* length */
258 } else if(p[0] == 0xDD){
260 if((e - p) < 4 || memcmp(p, wpa1oui, 4) != 0){
261 sysfatal("unrecognized WPAIE type; brsne: %s", buf);
267 *w++ = 0; /* length */
269 memmove(w, wpa1oui, 4);
273 sysfatal("unrecognized RSNE type; brsne: %s", buf);
280 *w++ = *p++; /* version */
284 if(memcmp(p, rsnccmpoui, 4) == 0)
286 else if(memcmp(p, rsntkipoui, 4) == 0)
289 sysfatal("unrecognized RSN group cipher; brsne: %s", buf);
293 if(memcmp(p, wpatkipoui, 4) != 0){
294 sysfatal("unrecognized WPA group cipher; brsne: %s", buf);
300 memmove(w, p, 4); /* group cipher */
307 *w++ = 0x01; /* # of peer ciphers */
320 if(rsne[0] == 0x30 && memcmp(p, rsnccmpoui, 4) == 0 && peercipher == &tkip)
324 if(peercipher == &ccmp)
325 memmove(w, rsnccmpoui, 4);
326 else if(rsne[0] == 0x30)
327 memmove(w, rsntkipoui, 4);
329 memmove(w, wpatkipoui, 4);
335 *w++ = 0x01; /* # of auth suites */
348 /* look for PSK oui */
349 if(memcmp(p, rsnapskoui, 4) == 0)
351 /* look for WPA oui */
352 if(memcmp(p, rsnawpaoui, 4) == 0){
357 /* look for PSK oui */
358 if(memcmp(p, wpaapskoui, 4) == 0)
360 /* look for WPA oui */
361 if(memcmp(p, wpaawpaoui, 4) == 0){
369 sysfatal("auth suite is not PSK or WPA; brsne: %s", buf);
382 rsne[1] = (w - rsne) - 2;
387 factotumattr(char *attr, char *fmt, ...)
396 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
398 if((rpc = auth_allocrpc(afd)) == nil){
403 vsnprint(buf, sizeof(buf), fmt, list);
406 if(auth_rpc(rpc, "start", buf, strlen(buf)) == 0){
407 if((a = auth_attr(rpc)) != nil){
408 if((val = _strfindattr(a, attr)) != nil)
420 freeup(UserPasswd *up)
422 memset(up->user, 0, strlen(up->user));
423 memset(up->passwd, 0, strlen(up->passwd));
430 static char *identity;
435 if(getessid() == nil)
437 if((s = factotumattr("user", "proto=pass service=wpa essid=%q", essid)) != nil)
439 if((s = factotumattr("user", "proto=mschapv2 role=client service=wpa essid=%q", essid)) != nil)
446 } else if(identity == nil)
447 identity = strdup("anonymous");
449 fprint(2, "identity: %s\n", identity);
454 factotumctl(char *fmt, ...)
461 if((fd = open("/mnt/factotum/ctl", OWRITE)) >= 0){
463 s = vsmprint(fmt, list);
477 setpmk(uchar pmk[PMKlen])
479 if(getessid() == nil)
481 return factotumctl("key proto=wpapsk role=client essid=%q !password=%.*H\n", essid, PMKlen, pmk);
485 getptk(AuthGetkey *getkey,
486 uchar smac[Eaddrlen], uchar amac[Eaddrlen],
487 uchar snonce[Noncelen], uchar anonce[Noncelen],
490 uchar buf[2*Eaddrlen + 2*Noncelen], *p;
498 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
500 if((rpc = auth_allocrpc(afd)) == nil)
502 if((s = getessid()) == nil)
504 if((s = smprint("proto=wpapsk role=client essid=%q", s)) == nil)
506 if((ret = auth_rpc(rpc, "start", s, strlen(s))) != ARok)
509 memmove(p, smac, Eaddrlen); p += Eaddrlen;
510 memmove(p, amac, Eaddrlen); p += Eaddrlen;
511 memmove(p, snonce, Noncelen); p += Noncelen;
512 memmove(p, anonce, Noncelen); p += Noncelen;
513 if((ret = auth_rpc(rpc, "write", buf, p - buf)) != ARok)
515 if((ret = auth_rpc(rpc, "read", nil, 0)) != ARok)
517 if(rpc->narg != PTKlen){
521 memmove(ptk, rpc->arg, PTKlen);
533 if(afd >= 0) close(afd);
534 if(rpc != nil) auth_freerpc(rpc);
539 dumpkeydescr(Keydescr *kd)
556 f = kd->flags[0]<<8 | kd->flags[1];
557 fprint(2, "type=%.*H vers=%d flags=%.*H ( ",
558 sizeof(kd->type), kd->type, kd->flags[1] & 7,
559 sizeof(kd->flags), kd->flags);
560 for(i=0; i<nelem(flags); i++)
561 if(flags[i].flag & f)
562 fprint(2, "%s ", flags[i].name);
563 fprint(2, ") len=%.*H\nrepc=%.*H nonce=%.*H\neapoliv=%.*H rsc=%.*H id=%.*H mic=%.*H\n",
564 sizeof(kd->keylen), kd->keylen,
565 sizeof(kd->repc), kd->repc,
566 sizeof(kd->nonce), kd->nonce,
567 sizeof(kd->eapoliv), kd->eapoliv,
568 sizeof(kd->rsc), kd->rsc,
569 sizeof(kd->id), kd->id,
570 sizeof(kd->mic), kd->mic);
571 i = kd->datalen[0]<<8 | kd->datalen[1];
572 fprint(2, "data[%.4x]=%.*H\n", i, i, kd->data);
576 rc4unwrap(uchar key[16], uchar iv[16], uchar *data, int len)
581 memmove(seed, iv, 16);
582 memmove(seed+16, key, 16);
583 setupRC4state(&rs, seed, sizeof(seed));
590 aesunwrap(uchar *key, int nkey, uchar *data, int len)
592 static uchar IV[8] = { 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, };
599 if(len < 16 || (len % 8) != 0)
603 setupAESstate(&s, key, nkey, 0);
605 memmove(data, data+8, n*8);
607 for(R = data + (n - 1)*8; R >= data; t--, R -= 8){
613 aes_decrypt(s.dkey, s.rounds, B, B);
617 if(tsmemcmp(B, IV, 8) != 0)
623 calcmic(Keydescr *kd, uchar *msg, int msglen)
627 vers = kd->flags[1] & 7;
628 memset(kd->mic, 0, MIClen);
630 uchar digest[MD5dlen];
632 hmac_md5(msg, msglen, ptk, 16, digest, nil);
633 memmove(kd->mic, digest, MIClen);
637 uchar digest[SHA1dlen];
639 hmac_sha1(msg, msglen, ptk, 16, digest, nil);
640 memmove(kd->mic, digest, MIClen);
647 checkmic(Keydescr *kd, uchar *msg, int msglen)
651 memmove(tmp, kd->mic, MIClen);
652 if(calcmic(kd, msg, msglen) != 0)
654 return tsmemcmp(tmp, kd->mic, MIClen) != 0;
658 fdwrite(Eapconn *conn, uchar *data, int len)
660 if(write(conn->fd, data, len) != len)
661 sysfatal("write: %r");
665 etherwrite(Eapconn *conn, uchar *data, int len)
671 fprint(2, "\nreply(v%d,t%d) %E -> %E: ", conn->version, conn->type, conn->smac, conn->amac);
672 n = 2*Eaddrlen + 2 + len;
673 if(n < 60) n = 60; /* ETHERMINTU */
674 p = buf = emalloc(n);
675 /* ethernet header */
676 memmove(p, conn->amac, Eaddrlen); p += Eaddrlen;
677 memmove(p, conn->smac, Eaddrlen); p += Eaddrlen;
681 memmove(p, data, len);
682 fdwrite(conn, buf, n);
687 eapwrite(Eapconn *conn, uchar *data, int len)
691 p = buf = emalloc(len + 4);
693 *p++ = conn->version;
698 memmove(p, data, len); p += len;
699 etherwrite(conn, buf, p - buf);
704 replykey(Eapconn *conn, int flags, Keydescr *kd, uchar *data, int datalen)
706 uchar buf[4096], *p = buf;
709 *p++ = conn->version;
711 datalen += Keydescrlen;
714 datalen -= Keydescrlen;
716 memmove(p, kd, Keydescrlen);
718 kd->flags[0] = flags >> 8;
719 kd->flags[1] = flags;
720 kd->datalen[0] = datalen >> 8;
721 kd->datalen[1] = datalen;
724 memmove(p, data, datalen);
727 memset(kd->mic, 0, MIClen);
729 calcmic(kd, buf, p - buf);
730 etherwrite(conn, buf, p - buf);
736 eapresp(Eapconn *conn, int code, int id, uchar *data, int len)
741 p = buf = emalloc(len);
747 memmove(p, data, len-4);
748 (*conn->write)(conn, buf, len);
752 fprint(2, "eapresp(code=%d, id=%d, data=%.*H)\n", code, id, len-4, data);
756 tlsreader(TLStunn *tunn, Eapconn *conn)
772 if((p = realloc(rec, (w - rec) + Tlshdrsz)) == nil)
774 w = p + (w - rec), rec = p;
775 if(readn(fd, w, Tlshdrsz) != Tlshdrsz)
780 if((p = realloc(rec, (w - rec) + Tlshdrsz+n)) == nil)
782 w = p + (w - rec), rec = p;
783 if(readn(fd, w+Tlshdrsz, n) != n)
787 /* batch records that need to be send together */
789 /* Client Certificate */
790 if(w[0] == 22 && w[5] == 11)
792 /* Client Key Exchange */
793 if(w[0] == 22 && w[5] == 16)
795 /* Change Cipher Spec */
802 /* do not forward alert, close connection */
806 /* check if we'r still the tunnel for this connection */
807 if(conn->tunn != tunn)
810 /* flush records in encapsulation */
811 p = rec + TLStunnhdrsz;
818 *(--p) = 0x80; /* flags: Length included */
821 eapresp(conn, 2, tunn->id, p, w - p);
827 void ttlsclient(int);
828 void peapclient(int);
831 eapreset(Eapconn *conn)
839 fprint(2, "eapreset: kill client %d\n", tunn->clientpid);
841 postnote(PNPROC, tunn->clientpid, "kill");
845 tlswrap(int fd, char *label)
849 tls = emalloc(sizeof(TLSconn));
853 /* tls client computes the 1024 bit MSK for us */
854 tls->sessionType = "ttls";
855 tls->sessionConst = label;
856 tls->sessionKeylen = 128;
857 tls->sessionKey = emalloc(tls->sessionKeylen);
859 fd = tlsClient(fd, tls);
861 sysfatal("tlsClient: %r");
862 if(label != nil && tls->sessionKey != nil){
864 * PMK is derived from MSK by taking the first 256 bits.
865 * we store the PMK into factotum with setpmk() associated
866 * with the current essid.
868 if(setpmk(tls->sessionKey) < 0)
869 sysfatal("setpmk: %r");
871 /* destroy session key */
872 memset(tls->sessionKey, 0, tls->sessionKeylen);
874 free(tls->cert); /* TODO: check cert */
875 free(tls->sessionID);
876 free(tls->sessionKey);
882 eapreq(Eapconn *conn, int code, int id, uchar *data, int datalen)
889 fprint(2, "eapreq(code=%d, id=%d, data=%.*H)\n", code, id, datalen, data);
892 case 1: /* Request */
895 case 3: /* Success */
897 if(code == 4 || debug)
898 fprint(2, "%s: eap code %s\n", argv0, code == 3 ? "Success" : "NAK");
903 fprint(2, "unhandled: %.*H\n", datalen < 0 ? 0 : datalen, data);
911 case 1: /* Identity */
912 user = getidentity();
913 datalen = 1+strlen(user);
914 memmove(data+1, user, datalen-1);
915 eapresp(conn, 2, id, data, datalen);
918 fprint(2, "%s: eap error: %.*s\n", argv0, datalen-1, (char*)data+1);
920 case 33: /* EAP Extensions (AVP) */
922 fprint(2, "eap extension: %.*H\n", datalen, data);
923 eapresp(conn, 2, id, data, datalen);
925 case 26: /* MS-CHAP-V2 */
933 case 1: /* Challenge */
935 uchar cid, chal[16], resp[48];
940 len = data[2]<<8 | data[3];
941 if(data[4] != sizeof(chal))
943 if(len > datalen || (5 + data[4]) > len)
945 memmove(chal, data+5, sizeof(chal));
946 memset(user, 0, sizeof(user));
947 memset(resp, 0, sizeof(resp));
948 if(auth_respond(chal, sizeof(chal), user, sizeof(user), resp, sizeof(resp), nil,
949 "proto=mschapv2 role=client service=wpa essid=%q", essid) < 0){
950 fprint(2, "%s: eap mschapv2: auth_respond: %r\n", argv0);
953 len = 5 + sizeof(resp) + 1 + strlen(user);
954 data[0] = 2; /* OpCode - Response */
955 data[1] = cid; /* Identifier */
958 data[4] = sizeof(resp)+1; /* ValueSize */
959 memmove(data+5, resp, sizeof(resp));
960 data[5 + sizeof(resp)] = 0; /* flags */
961 strcpy((char*)&data[5 + sizeof(resp) + 1], user);
963 *(--data) = tp, len++;
964 eapresp(conn, 2, id, data, len);
969 case 3: /* Success */
970 case 4: /* Failure */
971 if(debug || data[0] == 4)
972 fprint(2, "%s: eap mschapv2 %s: %.*s\n", argv0,
973 data[0] == 3 ? "Success" : "Failure",
974 datalen < 4 ? 0 : datalen-4, (char*)data+4);
976 eapresp(conn, 2, id, data, 2);
981 case 21: /* EAP-TTLS */
988 if(*data & 0x20){ /* flags: start */
992 if(tunn->id == id && tunn->tp == tp)
993 break; /* is retransmit, ignore */
997 sysfatal("pipe: %r");
998 if((pid = fork()) == -1)
999 sysfatal("fork: %r");
1013 tunn = emalloc(sizeof(TLStunn));
1017 tunn->clientpid = pid;
1019 if((pid = rfork(RFPROC|RFMEM)) == -1)
1020 sysfatal("fork: %r");
1022 tunn->readerpid = getpid();
1023 tlsreader(tunn, conn);
1024 if(conn->tunn == tunn)
1034 if(id <= tunn->id || tunn->tp != tp)
1037 frag = *data & 0x40; /* flags: more fragments */
1038 if(*data & 0x80){ /* flags: length included */
1044 write(tunn->fd, data, datalen);
1045 if(frag || (tp == 25 && data[0] == 20)){ /* ack change cipher spec */
1049 eapresp(conn, 2, id, data, 2);
1057 avp(uchar *p, int n, int code, void *val, int len, int pad)
1059 pad = 8 + ((len + pad) & ~pad); /* header + data + data pad */
1060 assert(((pad + 3) & ~3) <= n);
1069 memmove(p+8, val, len);
1071 pad = (pad + 3) & ~3; /* packet padding */
1072 memset(p+len, 0, pad - len);
1091 fd = tlswrap(fd, "ttls keying material");
1092 if((up = auth_getuserpasswd(nil, "proto=pass service=wpa essid=%q", essid)) == nil)
1093 sysfatal("auth_getuserpasswd: %r");
1094 n = avp(buf, sizeof(buf), AvpUserName, up->user, strlen(up->user), 0);
1095 n += avp(buf+n, sizeof(buf)-n, AvpUserPass, up->passwd, strlen(up->passwd), 15);
1102 peapwrite(Eapconn *conn, uchar *data, int len)
1105 fdwrite(conn, data + 4, len - 4);
1111 static Eapconn conn;
1112 uchar buf[4096], *p;
1115 conn.fd = fd = tlswrap(fd, "client EAP encryption");
1116 while((n = read(fd, p = buf, sizeof(buf))) > 0){
1117 if(n > 4 && (p[2] << 8 | p[3]) == n && p[4] == 33){
1121 conn.write = fdwrite;
1125 conn.write = peapwrite;
1127 eapreq(&conn, code, id, p, n);
1134 fprint(2, "%s: [-dp12] [-s essid] dev\n", argv0);
1143 switch(rfork(RFNOTEG|RFREND|RFPROC|RFNOWAIT)){
1147 sysfatal("fork: %r");
1156 main(int argc, char *argv[])
1158 uchar mac[Eaddrlen], buf[4096], snonce[Noncelen], anonce[Noncelen];
1159 static uchar brsne[258];
1160 static Eapconn conn;
1163 int newptk; /* gate key reinstallation */
1168 fmtinstall('H', encodefmt);
1169 fmtinstall('E', eipfmt);
1184 strncpy(essid, EARGF(usage()), 32);
1188 rsnelen = sizeof(wpaie);
1190 groupcipher = &tkip;
1194 rsnelen = sizeof(rsnie);
1196 groupcipher = &ccmp;
1205 if(*argv != nil || dev == nil)
1208 if(myetheraddr(mac, dev) < 0)
1209 sysfatal("can't get mac address: %r");
1211 snprint(addr, sizeof(addr), "%s!0x888e", dev);
1212 if((fd = dial(addr, nil, devdir, &cfd)) < 0)
1213 sysfatal("dial: %r");
1216 if(fprint(cfd, "essid %q", essid) < 0)
1217 sysfatal("write essid: %r");
1221 sysfatal("no essid set");
1227 /* bss scan might not be complete yet, so check for 10 seconds. */
1228 for(try = 100; (forked || try >= 0) && !connected(); try--)
1232 if(rsnelen <= 0 || rsne == brsne){
1234 rsnelen = buildrsne(rsne);
1238 fprint(2, "rsne: %.*H\n", rsnelen, rsne);
1240 * we use write() instead of fprint so the message gets written
1241 * at once and not chunked up on fprint buffer.
1243 n = sprint((char*)buf, "auth %.*H", rsnelen, rsne);
1244 if(write(cfd, buf, n) != n)
1245 sysfatal("write auth: %r");
1247 authtype = AuthNone;
1251 conn.write = eapwrite;
1252 conn.type = 1; /* Start */
1254 memmove(conn.smac, mac, Eaddrlen);
1255 getbssid(conn.amac);
1262 print("no authentication required\n");
1265 /* dummy to for factotum keyprompt */
1266 genrandom(anonce, sizeof(anonce));
1267 genrandom(snonce, sizeof(snonce));
1268 getptk(auth_getkey, conn.smac, conn.amac, snonce, anonce, ptk);
1271 up = auth_getuserpasswd(auth_getkey, "proto=pass service=wpa essid=%q", essid);
1273 factotumctl("key proto=mschapv2 role=client service=wpa"
1274 " essid=%q user=%q !password=%q\n",
1275 essid, up->user, up->passwd);
1283 genrandom(ptk, sizeof(ptk));
1289 int proto, flags, vers, datalen;
1290 uvlong repc, rsc, tsc;
1293 if((n = read(fd, buf, sizeof(buf))) < 0)
1294 sysfatal("read: %r");
1298 fprint(2, "got deassociation\n");
1305 if(n < 2*Eaddrlen + 2)
1308 memmove(conn.smac, p, Eaddrlen); p += Eaddrlen;
1309 memmove(conn.amac, p, Eaddrlen); p += Eaddrlen;
1310 proto = p[0]<<8 | p[1]; p += 2;
1312 if(proto != 0x888e || memcmp(conn.smac, mac, Eaddrlen) != 0)
1320 conn.version = p[0];
1321 if(conn.version != 0x01 && conn.version != 0x02)
1331 fprint(2, "\nrecv(v%d,t%d) %E <- %E: ", conn.version, conn.type, conn.smac, conn.amac);
1333 if(authtype == AuthNone)
1336 if(conn.type == 0x00 && authtype == AuthWPA){
1344 if(n < 4 || p + n > e)
1347 eapreq(&conn, code, id, p, n);
1351 if(conn.type != 0x03)
1354 if(n < Keydescrlen){
1356 fprint(2, "bad kd size\n");
1363 if(kd->type[0] != 0xFE && kd->type[0] != 0x02)
1366 vers = kd->flags[1] & 7;
1367 flags = kd->flags[0]<<8 | kd->flags[1];
1368 datalen = kd->datalen[0]<<8 | kd->datalen[1];
1369 if(kd->data + datalen > e)
1372 if((flags & Fmic) == 0){
1373 if((flags & (Fptk|Fack)) != (Fptk|Fack))
1376 memmove(anonce, kd->nonce, sizeof(anonce));
1377 genrandom(snonce, sizeof(snonce));
1378 if(getptk(nil, conn.smac, conn.amac, snonce, anonce, ptk) != 0){
1380 fprint(2, "getptk: %r\n");
1383 /* allow installation of new keys */
1386 /* ack key exchange with mic */
1387 memset(kd->rsc, 0, sizeof(kd->rsc));
1388 memset(kd->eapoliv, 0, sizeof(kd->eapoliv));
1389 memmove(kd->nonce, snonce, sizeof(kd->nonce));
1390 replykey(&conn, (flags & ~(Fack|Fins)) | Fmic, kd, rsne, rsnelen);
1395 if(checkmic(kd, m, e - m) != 0){
1397 fprint(2, "bad mic\n");
1401 repc = (uvlong)kd->repc[7] |
1402 (uvlong)kd->repc[6]<<8 |
1403 (uvlong)kd->repc[5]<<16 |
1404 (uvlong)kd->repc[4]<<24 |
1405 (uvlong)kd->repc[3]<<32 |
1406 (uvlong)kd->repc[2]<<40 |
1407 (uvlong)kd->repc[1]<<48 |
1408 (uvlong)kd->repc[0]<<56;
1409 if(repc <= lastrepc){
1411 fprint(2, "bad repc: %llux <= %llux\n", repc, lastrepc);
1416 rsc = (uvlong)kd->rsc[0] |
1417 (uvlong)kd->rsc[1]<<8 |
1418 (uvlong)kd->rsc[2]<<16 |
1419 (uvlong)kd->rsc[3]<<24 |
1420 (uvlong)kd->rsc[4]<<32 |
1421 (uvlong)kd->rsc[5]<<40;
1423 if(datalen > 0 && (flags & Fenc) != 0){
1425 datalen = rc4unwrap(ptk+16, kd->eapoliv, kd->data, datalen);
1427 datalen = aesunwrap(ptk+16, 16, kd->data, datalen);
1430 fprint(2, "bad keywrap\n");
1434 fprint(2, "unwraped keydata[%.4x]=%.*H\n", datalen, datalen, kd->data);
1440 if(kd->type[0] != 0xFE || (flags & (Fptk|Fack)) == (Fptk|Fack)){
1445 for(; p+2 <= e; p = x){
1446 if((x = p+2+p[1]) > e)
1449 fprint(2, "ie=%.2x data[%.2x]=%.*H\n", p[0], p[1], p[1], p+2);
1450 if(p[0] == 0x30){ /* RSN */
1452 if(p[0] == 0xDD){ /* WPA */
1453 static uchar oui[] = { 0x00, 0x0f, 0xac, 0x01, };
1455 if(p+2+sizeof(oui) > x || memcmp(p+2, oui, sizeof(oui)) != 0)
1457 if((flags & Fenc) == 0)
1458 continue; /* ignore gorup key if unencrypted */
1459 gtklen = x - (p + 8);
1462 if(gtklen > sizeof(gtk))
1463 gtklen = sizeof(gtk);
1464 memmove(gtk, p + 8, gtklen);
1470 if((flags & (Fptk|Fack)) == (Fptk|Fack)){
1471 if(!newptk) /* a retransmit, already installed PTK */
1473 if(vers != 1) /* in WPA2, RSC is for group key only */
1479 /* install pairwise receive key (PTK) */
1480 if(fprint(cfd, "rxkey %E %s:%.*H@%llux", conn.amac,
1481 peercipher->name, peercipher->keylen, ptk+32, tsc) < 0)
1482 sysfatal("write rxkey: %r");
1484 memset(kd->rsc, 0, sizeof(kd->rsc));
1485 memset(kd->eapoliv, 0, sizeof(kd->eapoliv));
1486 memset(kd->nonce, 0, sizeof(kd->nonce));
1487 replykey(&conn, flags & ~(Fack|Fenc|Fins), kd, nil, 0);
1491 /* install pairwise transmit key (PTK) */
1492 if(fprint(cfd, "txkey %E %s:%.*H@%llux", conn.amac,
1493 peercipher->name, peercipher->keylen, ptk+32, tsc) < 0)
1494 sysfatal("write txkey: %r");
1495 newptk = 0; /* prevent PTK re-installation on (replayed) retransmits */
1497 if((flags & (Fptk|Fsec|Fack)) == (Fsec|Fack)){
1498 if(kd->type[0] == 0xFE){
1499 /* WPA always RC4 encrypts the GTK, even tho the flag isnt set */
1500 if((flags & Fenc) == 0)
1501 datalen = rc4unwrap(ptk+16, kd->eapoliv, kd->data, datalen);
1503 if(gtklen > sizeof(gtk))
1504 gtklen = sizeof(gtk);
1505 memmove(gtk, kd->data, gtklen);
1506 gtkkid = (flags >> 4) & 3;
1508 memset(kd->rsc, 0, sizeof(kd->rsc));
1509 memset(kd->eapoliv, 0, sizeof(kd->eapoliv));
1510 memset(kd->nonce, 0, sizeof(kd->nonce));
1511 replykey(&conn, flags & ~(Fenc|Fack), kd, nil, 0);
1514 /* install group key (GTK) */
1515 if(gtklen >= groupcipher->keylen && gtkkid != -1)
1516 if(fprint(cfd, "rxkey%d %E %s:%.*H@%llux",
1518 groupcipher->name, groupcipher->keylen, gtk, rsc) < 0)
1519 sysfatal("write rxkey%d: %r", gtkkid);