wlan_rsn/key/exchange/
mod.rs

Help
1// Copyright 2018 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5pub mod handshake;
6
7use self::handshake::fourway::{self, Fourway};
8use self::handshake::group_key::{self, GroupKey};
9use crate::key::gtk::Gtk;
10use crate::key::igtk::Igtk;
11use crate::key::ptk::Ptk;
12use crate::rsna::{Dot11VerifiedKeyFrame, NegotiatedProtection, UpdateSink};
13use crate::Error;
14use zerocopy::SplitByteSlice;
15
16#[derive(Debug, Clone, PartialEq)]
17pub enum Key {
18    Pmk(Vec<u8>),
19    Ptk(Ptk),
20    Gtk(Gtk),
21    Igtk(Igtk),
22    MicRx(Vec<u8>),
23    MicTx(Vec<u8>),
24    Smk(Vec<u8>),
25    Stk(Vec<u8>),
26}
27
28impl Key {
29    pub fn name(&self) -> &'static str {
30        match self {
31            Key::Pmk(..) => "PMK",
32            Key::Ptk(..) => "PTK",
33            Key::Gtk(..) => "GTK",
34            Key::Igtk(..) => "IGTK",
35            Key::MicRx(..) => "MIC_RX",
36            Key::MicTx(..) => "MIC_TX",
37            Key::Smk(..) => "SMK",
38            Key::Stk(..) => "STK",
39        }
40    }
41}
42
43#[derive(Debug, PartialEq)]
44#[allow(clippy::large_enum_variant)]
45pub enum Method {
46    FourWayHandshake(Fourway),
47    GroupKeyHandshake(GroupKey),
48}
49
50impl Method {
51    #[allow(clippy::result_large_err, reason = "mass allow for https://fxbug.dev/381896734")]
52    pub fn on_eapol_key_frame<B: SplitByteSlice>(
53        &mut self,
54        update_sink: &mut UpdateSink,
55        frame: Dot11VerifiedKeyFrame<B>,
56    ) -> Result<(), Error> {
57        match self {
58            Method::FourWayHandshake(hs) => hs.on_eapol_key_frame(update_sink, frame),
59            Method::GroupKeyHandshake(hs) => hs.on_eapol_key_frame(update_sink, frame),
60        }
61    }
62
63    #[allow(clippy::result_large_err, reason = "mass allow for https://fxbug.dev/381896734")]
64    pub fn on_rsna_response_timeout(&self) -> Result<(), Error> {
65        match self {
66            Method::FourWayHandshake(hs) => hs.on_rsna_response_timeout(),
67            // Only 4-Way Handshake returns critical RSNA timeout errors.
68            _ => Ok(()),
69        }
70    }
71
72    pub fn destroy(self) -> Config {
73        match self {
74            Method::FourWayHandshake(hs) => hs.destroy(),
75            Method::GroupKeyHandshake(hs) => hs.destroy(),
76        }
77    }
78}
79
80#[derive(Clone, Debug, PartialEq)]
81pub enum Config {
82    FourWayHandshake(fourway::Config),
83    GroupKeyHandshake(group_key::Config),
84}
85
86#[allow(clippy::result_large_err, reason = "mass allow for https://fxbug.dev/381896734")]
87/// Computes and returns a serialized key frame's MIC.
88/// Fails if the AKM has no associated integrity algorithm or MIC size.
89pub fn compute_mic_from_buf(
90    kck: &[u8],
91    protection: &NegotiatedProtection,
92    frame: &[u8],
93) -> Result<Vec<u8>, Error> {
94    let integrity_alg = protection.integrity_algorithm()?;
95    let mic_len = protection.akm.mic_bytes().ok_or(Error::UnsupportedAkmSuite)? as usize;
96    let mut mic = integrity_alg.compute(kck, frame)?;
97    mic.truncate(mic_len);
98    Ok(mic)
99}
100
101#[allow(clippy::result_large_err, reason = "mass allow for https://fxbug.dev/381896734")]
102/// Computes and returns a key frame's MIC.
103/// Fails if the AKM has no associated integrity algorithm or MIC size, the given Key Frame's MIC
104/// has a different size than the MIC length derived from the AKM or the Key Frame doesn't have its
105/// MIC bit set.
106pub fn compute_mic<B: SplitByteSlice>(
107    kck: &[u8],
108    protection: &NegotiatedProtection,
109    frame: &eapol::KeyFrameRx<B>,
110) -> Result<Vec<u8>, Error> {
111    let integrity_alg = protection.integrity_algorithm()?;
112    let mic_len = protection.akm.mic_bytes().ok_or(Error::UnsupportedAkmSuite)? as usize;
113    if !frame.key_frame_fields.key_info().key_mic() {
114        return Err(Error::ComputingMicForUnprotectedFrame);
115    }
116    if frame.key_mic.len() != mic_len {
117        return Err(Error::MicSizesDiffer(frame.key_mic.len(), mic_len));
118    }
119
120    let buf = frame.to_bytes(true);
121    let mut mic = integrity_alg.compute(kck, &buf[..])?;
122    mic.truncate(mic_len);
123    Ok(mic)
124}
125
126#[cfg(test)]
127mod tests {
128    use super::*;
129    use crate::integrity::{self, Algorithm};
130    use crate::rsna::test_util;
131    use wlan_common::assert_variant;
132    use wlan_common::ie::rsn::akm::Akm;
133
134    fn fake_key_frame(mic_len: usize) -> eapol::KeyFrameTx {
135        let key_info = eapol::KeyInformation(0).with_key_mic(true);
136        eapol::KeyFrameTx::new(
137            eapol::ProtocolVersion::IEEE802DOT1X2010,
138            eapol::KeyFrameFields::new(
139                eapol::KeyDescriptor::IEEE802DOT11,
140                key_info,
141                16,
142                0,
143                [0u8; 32],
144                [0u8; 16],
145                0,
146            ),
147            vec![],
148            mic_len,
149        )
150    }
151
152    #[test]
153    fn compute_mic_unknown_akm() {
154        const KCK: [u8; 16] = [5; 16];
155        let frame = fake_key_frame(16)
156            .serialize()
157            .finalize_with_mic(&[0u8; 16][..])
158            .expect("failed to create fake key frame");
159        let mut protection = test_util::get_rsne_protection();
160        protection.akm = Akm::new_dot11(200);
161        let result = compute_mic(&KCK[..], &protection, &frame.keyframe());
162        assert_variant!(result, Err(Error::UnknownIntegrityAlgorithm));
163    }
164
165    #[test]
166    fn compute_mic_bit_not_set() {
167        const KCK: [u8; 16] = [5; 16];
168        let mut frame = fake_key_frame(16);
169        frame.key_frame_fields.set_key_info(eapol::KeyInformation(0));
170        let frame =
171            frame.serialize().finalize_without_mic().expect("failed to create fake key frame");
172        let result = compute_mic(&KCK[..], &test_util::get_rsne_protection(), &frame.keyframe());
173        assert_variant!(result, Err(Error::ComputingMicForUnprotectedFrame));
174    }
175
176    #[test]
177    fn compute_mic_different_mic_sizes() {
178        const KCK: [u8; 16] = [5; 16];
179        let frame = fake_key_frame(0)
180            .serialize()
181            .finalize_with_mic(&[][..])
182            .expect("failed to create fake key frame");
183        let result = compute_mic(&KCK[..], &test_util::get_rsne_protection(), &frame.keyframe());
184        assert_variant!(result, Err(Error::MicSizesDiffer(0, 16)));
185    }
186
187    #[test]
188    fn compute_mic_success() {
189        const KCK: [u8; 16] = [5; 16];
190        let frame = fake_key_frame(16)
191            .serialize()
192            .finalize_with_mic(&[0u8; 16][..])
193            .expect("failed to create fake key frame");
194        let mic = compute_mic(&KCK[..], &test_util::get_rsne_protection(), &frame.keyframe())
195            .expect("expected failure with unsupported AKM");
196        assert!(integrity::hmac_sha1::HmacSha1::new().verify(&KCK[..], &frame[..], &mic[..]));
197    }
198}
wlan_rsn/key/exchange/mod.rs

wlan_rsn/key/exchange/
mod.rs
