wpa_auth.c revision 391c59f0632df8db1c325da1d31d479b2eedce45
1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/aes_wrap.h" 16#include "crypto/crypto.h" 17#include "crypto/sha1.h" 18#include "crypto/sha256.h" 19#include "crypto/random.h" 20#include "eapol_auth/eapol_auth_sm.h" 21#include "ap_config.h" 22#include "ieee802_11.h" 23#include "wpa_auth.h" 24#include "pmksa_cache_auth.h" 25#include "wpa_auth_i.h" 26#include "wpa_auth_ie.h" 27 28#define STATE_MACHINE_DATA struct wpa_state_machine 29#define STATE_MACHINE_DEBUG_PREFIX "WPA" 30#define STATE_MACHINE_ADDR sm->addr 31 32 33static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 34static int wpa_sm_step(struct wpa_state_machine *sm); 35static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len); 36static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 37static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 38 struct wpa_group *group); 39static void wpa_request_new_ptk(struct wpa_state_machine *sm); 40static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 41 struct wpa_group *group); 42static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 45static const u32 dot11RSNAConfigGroupUpdateCount = 4; 46static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 47static const u32 eapol_key_timeout_first = 100; /* ms */ 48static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 49static const u32 eapol_key_timeout_first_group = 500; /* ms */ 50 51/* TODO: make these configurable */ 52static const int dot11RSNAConfigPMKLifetime = 43200; 53static const int dot11RSNAConfigPMKReauthThreshold = 70; 54static const int dot11RSNAConfigSATimeout = 60; 55 56 57static inline int wpa_auth_mic_failure_report( 58 struct wpa_authenticator *wpa_auth, const u8 *addr) 59{ 60 if (wpa_auth->cb.mic_failure_report) 61 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 62 return 0; 63} 64 65 66static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 67 const u8 *addr, wpa_eapol_variable var, 68 int value) 69{ 70 if (wpa_auth->cb.set_eapol) 71 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 72} 73 74 75static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 76 const u8 *addr, wpa_eapol_variable var) 77{ 78 if (wpa_auth->cb.get_eapol == NULL) 79 return -1; 80 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 81} 82 83 84static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 85 const u8 *addr, 86 const u8 *p2p_dev_addr, 87 const u8 *prev_psk) 88{ 89 if (wpa_auth->cb.get_psk == NULL) 90 return NULL; 91 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr, 92 prev_psk); 93} 94 95 96static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 97 const u8 *addr, u8 *msk, size_t *len) 98{ 99 if (wpa_auth->cb.get_msk == NULL) 100 return -1; 101 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 102} 103 104 105static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 106 int vlan_id, 107 enum wpa_alg alg, const u8 *addr, int idx, 108 u8 *key, size_t key_len) 109{ 110 if (wpa_auth->cb.set_key == NULL) 111 return -1; 112 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 113 key, key_len); 114} 115 116 117static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 118 const u8 *addr, int idx, u8 *seq) 119{ 120 if (wpa_auth->cb.get_seqnum == NULL) 121 return -1; 122 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 123} 124 125 126static inline int 127wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 128 const u8 *data, size_t data_len, int encrypt) 129{ 130 if (wpa_auth->cb.send_eapol == NULL) 131 return -1; 132 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 133 encrypt); 134} 135 136 137int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 138 int (*cb)(struct wpa_state_machine *sm, void *ctx), 139 void *cb_ctx) 140{ 141 if (wpa_auth->cb.for_each_sta == NULL) 142 return 0; 143 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 144} 145 146 147int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 148 int (*cb)(struct wpa_authenticator *a, void *ctx), 149 void *cb_ctx) 150{ 151 if (wpa_auth->cb.for_each_auth == NULL) 152 return 0; 153 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 154} 155 156 157void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 158 logger_level level, const char *txt) 159{ 160 if (wpa_auth->cb.logger == NULL) 161 return; 162 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 163} 164 165 166void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 167 logger_level level, const char *fmt, ...) 168{ 169 char *format; 170 int maxlen; 171 va_list ap; 172 173 if (wpa_auth->cb.logger == NULL) 174 return; 175 176 maxlen = os_strlen(fmt) + 100; 177 format = os_malloc(maxlen); 178 if (!format) 179 return; 180 181 va_start(ap, fmt); 182 vsnprintf(format, maxlen, fmt, ap); 183 va_end(ap); 184 185 wpa_auth_logger(wpa_auth, addr, level, format); 186 187 os_free(format); 188} 189 190 191static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 192 const u8 *addr) 193{ 194 if (wpa_auth->cb.disconnect == NULL) 195 return; 196 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 197 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 198 WLAN_REASON_PREV_AUTH_NOT_VALID); 199} 200 201 202static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 203{ 204 int ret = 0; 205#ifdef CONFIG_IEEE80211R 206 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 207 ret = 1; 208#endif /* CONFIG_IEEE80211R */ 209#ifdef CONFIG_IEEE80211W 210 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 211 ret = 1; 212#endif /* CONFIG_IEEE80211W */ 213 return ret; 214} 215 216 217static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 218{ 219 struct wpa_authenticator *wpa_auth = eloop_ctx; 220 221 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 222 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 223 "initialization."); 224 } else { 225 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 226 wpa_hexdump_key(MSG_DEBUG, "GMK", 227 wpa_auth->group->GMK, WPA_GMK_LEN); 228 } 229 230 if (wpa_auth->conf.wpa_gmk_rekey) { 231 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 232 wpa_rekey_gmk, wpa_auth, NULL); 233 } 234} 235 236 237static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 238{ 239 struct wpa_authenticator *wpa_auth = eloop_ctx; 240 struct wpa_group *group; 241 242 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 243 for (group = wpa_auth->group; group; group = group->next) { 244 group->GTKReKey = TRUE; 245 do { 246 group->changed = FALSE; 247 wpa_group_sm_step(wpa_auth, group); 248 } while (group->changed); 249 } 250 251 if (wpa_auth->conf.wpa_group_rekey) { 252 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 253 0, wpa_rekey_gtk, wpa_auth, NULL); 254 } 255} 256 257 258static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 259{ 260 struct wpa_authenticator *wpa_auth = eloop_ctx; 261 struct wpa_state_machine *sm = timeout_ctx; 262 263 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 264 wpa_request_new_ptk(sm); 265 wpa_sm_step(sm); 266} 267 268 269static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 270{ 271 if (sm->pmksa == ctx) 272 sm->pmksa = NULL; 273 return 0; 274} 275 276 277static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 278 void *ctx) 279{ 280 struct wpa_authenticator *wpa_auth = ctx; 281 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 282} 283 284 285static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 286 struct wpa_group *group) 287{ 288 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 289 u8 rkey[32]; 290 unsigned long ptr; 291 292 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 293 return -1; 294 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 295 296 /* 297 * Counter = PRF-256(Random number, "Init Counter", 298 * Local MAC Address || Time) 299 */ 300 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 301 wpa_get_ntp_timestamp(buf + ETH_ALEN); 302 ptr = (unsigned long) group; 303 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 304 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 305 return -1; 306 307 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 308 group->Counter, WPA_NONCE_LEN) < 0) 309 return -1; 310 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 311 group->Counter, WPA_NONCE_LEN); 312 313 return 0; 314} 315 316 317static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 318 int vlan_id, int delay_init) 319{ 320 struct wpa_group *group; 321 322 group = os_zalloc(sizeof(struct wpa_group)); 323 if (group == NULL) 324 return NULL; 325 326 group->GTKAuthenticator = TRUE; 327 group->vlan_id = vlan_id; 328 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 329 330 if (random_pool_ready() != 1) { 331 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 332 "for secure operations - update keys later when " 333 "the first station connects"); 334 } 335 336 /* 337 * Set initial GMK/Counter value here. The actual values that will be 338 * used in negotiations will be set once the first station tries to 339 * connect. This allows more time for collecting additional randomness 340 * on embedded devices. 341 */ 342 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 343 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 344 "initialization."); 345 os_free(group); 346 return NULL; 347 } 348 349 group->GInit = TRUE; 350 if (delay_init) { 351 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 352 "until Beacon frames have been configured"); 353 /* Initialization is completed in wpa_init_keys(). */ 354 } else { 355 wpa_group_sm_step(wpa_auth, group); 356 group->GInit = FALSE; 357 wpa_group_sm_step(wpa_auth, group); 358 } 359 360 return group; 361} 362 363 364/** 365 * wpa_init - Initialize WPA authenticator 366 * @addr: Authenticator address 367 * @conf: Configuration for WPA authenticator 368 * @cb: Callback functions for WPA authenticator 369 * Returns: Pointer to WPA authenticator data or %NULL on failure 370 */ 371struct wpa_authenticator * wpa_init(const u8 *addr, 372 struct wpa_auth_config *conf, 373 struct wpa_auth_callbacks *cb) 374{ 375 struct wpa_authenticator *wpa_auth; 376 377 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 378 if (wpa_auth == NULL) 379 return NULL; 380 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 381 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 382 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 383 384 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 385 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 386 os_free(wpa_auth); 387 return NULL; 388 } 389 390 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 391 if (wpa_auth->group == NULL) { 392 os_free(wpa_auth->wpa_ie); 393 os_free(wpa_auth); 394 return NULL; 395 } 396 397 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 398 wpa_auth); 399 if (wpa_auth->pmksa == NULL) { 400 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 401 os_free(wpa_auth->wpa_ie); 402 os_free(wpa_auth); 403 return NULL; 404 } 405 406#ifdef CONFIG_IEEE80211R 407 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 408 if (wpa_auth->ft_pmk_cache == NULL) { 409 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 410 os_free(wpa_auth->wpa_ie); 411 pmksa_cache_auth_deinit(wpa_auth->pmksa); 412 os_free(wpa_auth); 413 return NULL; 414 } 415#endif /* CONFIG_IEEE80211R */ 416 417 if (wpa_auth->conf.wpa_gmk_rekey) { 418 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 419 wpa_rekey_gmk, wpa_auth, NULL); 420 } 421 422 if (wpa_auth->conf.wpa_group_rekey) { 423 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 424 wpa_rekey_gtk, wpa_auth, NULL); 425 } 426 427 return wpa_auth; 428} 429 430 431int wpa_init_keys(struct wpa_authenticator *wpa_auth) 432{ 433 struct wpa_group *group = wpa_auth->group; 434 435 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 436 "keys"); 437 wpa_group_sm_step(wpa_auth, group); 438 group->GInit = FALSE; 439 wpa_group_sm_step(wpa_auth, group); 440 return 0; 441} 442 443 444/** 445 * wpa_deinit - Deinitialize WPA authenticator 446 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 447 */ 448void wpa_deinit(struct wpa_authenticator *wpa_auth) 449{ 450 struct wpa_group *group, *prev; 451 452 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 453 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 454 455#ifdef CONFIG_PEERKEY 456 while (wpa_auth->stsl_negotiations) 457 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 458#endif /* CONFIG_PEERKEY */ 459 460 pmksa_cache_auth_deinit(wpa_auth->pmksa); 461 462#ifdef CONFIG_IEEE80211R 463 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 464 wpa_auth->ft_pmk_cache = NULL; 465#endif /* CONFIG_IEEE80211R */ 466 467 os_free(wpa_auth->wpa_ie); 468 469 group = wpa_auth->group; 470 while (group) { 471 prev = group; 472 group = group->next; 473 os_free(prev); 474 } 475 476 os_free(wpa_auth); 477} 478 479 480/** 481 * wpa_reconfig - Update WPA authenticator configuration 482 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 483 * @conf: Configuration for WPA authenticator 484 */ 485int wpa_reconfig(struct wpa_authenticator *wpa_auth, 486 struct wpa_auth_config *conf) 487{ 488 struct wpa_group *group; 489 if (wpa_auth == NULL) 490 return 0; 491 492 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 493 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 494 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 495 return -1; 496 } 497 498 /* 499 * Reinitialize GTK to make sure it is suitable for the new 500 * configuration. 501 */ 502 group = wpa_auth->group; 503 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 504 group->GInit = TRUE; 505 wpa_group_sm_step(wpa_auth, group); 506 group->GInit = FALSE; 507 wpa_group_sm_step(wpa_auth, group); 508 509 return 0; 510} 511 512 513struct wpa_state_machine * 514wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 515 const u8 *p2p_dev_addr) 516{ 517 struct wpa_state_machine *sm; 518 519 sm = os_zalloc(sizeof(struct wpa_state_machine)); 520 if (sm == NULL) 521 return NULL; 522 os_memcpy(sm->addr, addr, ETH_ALEN); 523 if (p2p_dev_addr) 524 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 525 526 sm->wpa_auth = wpa_auth; 527 sm->group = wpa_auth->group; 528 529 return sm; 530} 531 532 533int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 534 struct wpa_state_machine *sm) 535{ 536 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 537 return -1; 538 539#ifdef CONFIG_IEEE80211R 540 if (sm->ft_completed) { 541 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 542 "FT authentication already completed - do not " 543 "start 4-way handshake"); 544 return 0; 545 } 546#endif /* CONFIG_IEEE80211R */ 547 548 if (sm->started) { 549 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 550 sm->ReAuthenticationRequest = TRUE; 551 return wpa_sm_step(sm); 552 } 553 554 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 555 "start authentication"); 556 sm->started = 1; 557 558 sm->Init = TRUE; 559 if (wpa_sm_step(sm) == 1) 560 return 1; /* should not really happen */ 561 sm->Init = FALSE; 562 sm->AuthenticationRequest = TRUE; 563 return wpa_sm_step(sm); 564} 565 566 567void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 568{ 569 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 570 * reassociates back to the same AP while the previous entry for the 571 * STA has not yet been removed. */ 572 if (sm == NULL) 573 return; 574 575 sm->wpa_key_mgmt = 0; 576} 577 578 579static void wpa_free_sta_sm(struct wpa_state_machine *sm) 580{ 581 if (sm->GUpdateStationKeys) { 582 sm->group->GKeyDoneStations--; 583 sm->GUpdateStationKeys = FALSE; 584 } 585#ifdef CONFIG_IEEE80211R 586 os_free(sm->assoc_resp_ftie); 587#endif /* CONFIG_IEEE80211R */ 588 os_free(sm->last_rx_eapol_key); 589 os_free(sm->wpa_ie); 590 os_free(sm); 591} 592 593 594void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 595{ 596 if (sm == NULL) 597 return; 598 599 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 600 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 601 "strict rekeying - force GTK rekey since STA " 602 "is leaving"); 603 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 604 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 605 NULL); 606 } 607 608 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 609 sm->pending_1_of_4_timeout = 0; 610 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 611 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 612 if (sm->in_step_loop) { 613 /* Must not free state machine while wpa_sm_step() is running. 614 * Freeing will be completed in the end of wpa_sm_step(). */ 615 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 616 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 617 sm->pending_deinit = 1; 618 } else 619 wpa_free_sta_sm(sm); 620} 621 622 623static void wpa_request_new_ptk(struct wpa_state_machine *sm) 624{ 625 if (sm == NULL) 626 return; 627 628 sm->PTKRequest = TRUE; 629 sm->PTK_valid = 0; 630} 631 632 633static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 634 const u8 *replay_counter) 635{ 636 int i; 637 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 638 if (!ctr[i].valid) 639 break; 640 if (os_memcmp(replay_counter, ctr[i].counter, 641 WPA_REPLAY_COUNTER_LEN) == 0) 642 return 1; 643 } 644 return 0; 645} 646 647 648static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 649 const u8 *replay_counter) 650{ 651 int i; 652 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 653 if (ctr[i].valid && 654 (replay_counter == NULL || 655 os_memcmp(replay_counter, ctr[i].counter, 656 WPA_REPLAY_COUNTER_LEN) == 0)) 657 ctr[i].valid = FALSE; 658 } 659} 660 661 662#ifdef CONFIG_IEEE80211R 663static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 664 struct wpa_state_machine *sm, 665 struct wpa_eapol_ie_parse *kde) 666{ 667 struct wpa_ie_data ie; 668 struct rsn_mdie *mdie; 669 670 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 671 ie.num_pmkid != 1 || ie.pmkid == NULL) { 672 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 673 "FT 4-way handshake message 2/4"); 674 return -1; 675 } 676 677 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 678 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 679 sm->sup_pmk_r1_name, PMKID_LEN); 680 681 if (!kde->mdie || !kde->ftie) { 682 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 683 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 684 return -1; 685 } 686 687 mdie = (struct rsn_mdie *) (kde->mdie + 2); 688 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 689 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 690 MOBILITY_DOMAIN_ID_LEN) != 0) { 691 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 692 return -1; 693 } 694 695 if (sm->assoc_resp_ftie && 696 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 697 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 698 2 + sm->assoc_resp_ftie[1]) != 0)) { 699 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 700 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 701 kde->ftie, kde->ftie_len); 702 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 703 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 704 return -1; 705 } 706 707 return 0; 708} 709#endif /* CONFIG_IEEE80211R */ 710 711 712static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 713 struct wpa_state_machine *sm, int group) 714{ 715 /* Supplicant reported a Michael MIC error */ 716 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 717 "received EAPOL-Key Error Request " 718 "(STA detected Michael MIC failure (group=%d))", 719 group); 720 721 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 722 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 723 "ignore Michael MIC failure report since " 724 "group cipher is not TKIP"); 725 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 726 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 727 "ignore Michael MIC failure report since " 728 "pairwise cipher is not TKIP"); 729 } else { 730 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 731 return 1; /* STA entry was removed */ 732 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 733 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 734 } 735 736 /* 737 * Error report is not a request for a new key handshake, but since 738 * Authenticator may do it, let's change the keys now anyway. 739 */ 740 wpa_request_new_ptk(sm); 741 return 0; 742} 743 744 745void wpa_receive(struct wpa_authenticator *wpa_auth, 746 struct wpa_state_machine *sm, 747 u8 *data, size_t data_len) 748{ 749 struct ieee802_1x_hdr *hdr; 750 struct wpa_eapol_key *key; 751 u16 key_info, key_data_length; 752 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 753 SMK_M1, SMK_M3, SMK_ERROR } msg; 754 char *msgtxt; 755 struct wpa_eapol_ie_parse kde; 756 int ft; 757 const u8 *eapol_key_ie; 758 size_t eapol_key_ie_len; 759 760 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 761 return; 762 763 if (data_len < sizeof(*hdr) + sizeof(*key)) 764 return; 765 766 hdr = (struct ieee802_1x_hdr *) data; 767 key = (struct wpa_eapol_key *) (hdr + 1); 768 key_info = WPA_GET_BE16(key->key_info); 769 key_data_length = WPA_GET_BE16(key->key_data_length); 770 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 771 " key_info=0x%x type=%u key_data_length=%u", 772 MAC2STR(sm->addr), key_info, key->type, key_data_length); 773 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 774 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 775 "key_data overflow (%d > %lu)", 776 key_data_length, 777 (unsigned long) (data_len - sizeof(*hdr) - 778 sizeof(*key))); 779 return; 780 } 781 782 if (sm->wpa == WPA_VERSION_WPA2) { 783 if (key->type == EAPOL_KEY_TYPE_WPA) { 784 /* 785 * Some deployed station implementations seem to send 786 * msg 4/4 with incorrect type value in WPA2 mode. 787 */ 788 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 789 "with unexpected WPA type in RSN mode"); 790 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 791 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 792 "unexpected type %d in RSN mode", 793 key->type); 794 return; 795 } 796 } else { 797 if (key->type != EAPOL_KEY_TYPE_WPA) { 798 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 799 "unexpected type %d in WPA mode", 800 key->type); 801 return; 802 } 803 } 804 805 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 806 WPA_NONCE_LEN); 807 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 808 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 809 810 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 811 * are set */ 812 813 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 814 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 815 if (key_info & WPA_KEY_INFO_ERROR) { 816 msg = SMK_ERROR; 817 msgtxt = "SMK Error"; 818 } else { 819 msg = SMK_M1; 820 msgtxt = "SMK M1"; 821 } 822 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 823 msg = SMK_M3; 824 msgtxt = "SMK M3"; 825 } else if (key_info & WPA_KEY_INFO_REQUEST) { 826 msg = REQUEST; 827 msgtxt = "Request"; 828 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 829 msg = GROUP_2; 830 msgtxt = "2/2 Group"; 831 } else if (key_data_length == 0) { 832 msg = PAIRWISE_4; 833 msgtxt = "4/4 Pairwise"; 834 } else { 835 msg = PAIRWISE_2; 836 msgtxt = "2/4 Pairwise"; 837 } 838 839 /* TODO: key_info type validation for PeerKey */ 840 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 841 msg == GROUP_2) { 842 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 843 if (sm->pairwise == WPA_CIPHER_CCMP || 844 sm->pairwise == WPA_CIPHER_GCMP) { 845 if (wpa_use_aes_cmac(sm) && 846 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 847 wpa_auth_logger(wpa_auth, sm->addr, 848 LOGGER_WARNING, 849 "advertised support for " 850 "AES-128-CMAC, but did not " 851 "use it"); 852 return; 853 } 854 855 if (!wpa_use_aes_cmac(sm) && 856 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 857 wpa_auth_logger(wpa_auth, sm->addr, 858 LOGGER_WARNING, 859 "did not use HMAC-SHA1-AES " 860 "with CCMP/GCMP"); 861 return; 862 } 863 } 864 } 865 866 if (key_info & WPA_KEY_INFO_REQUEST) { 867 if (sm->req_replay_counter_used && 868 os_memcmp(key->replay_counter, sm->req_replay_counter, 869 WPA_REPLAY_COUNTER_LEN) <= 0) { 870 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 871 "received EAPOL-Key request with " 872 "replayed counter"); 873 return; 874 } 875 } 876 877 if (!(key_info & WPA_KEY_INFO_REQUEST) && 878 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 879 int i; 880 881 if (msg == PAIRWISE_2 && 882 wpa_replay_counter_valid(sm->prev_key_replay, 883 key->replay_counter) && 884 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 885 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 886 { 887 /* 888 * Some supplicant implementations (e.g., Windows XP 889 * WZC) update SNonce for each EAPOL-Key 2/4. This 890 * breaks the workaround on accepting any of the 891 * pending requests, so allow the SNonce to be updated 892 * even if we have already sent out EAPOL-Key 3/4. 893 */ 894 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 895 "Process SNonce update from STA " 896 "based on retransmitted EAPOL-Key " 897 "1/4"); 898 sm->update_snonce = 1; 899 wpa_replay_counter_mark_invalid(sm->prev_key_replay, 900 key->replay_counter); 901 goto continue_processing; 902 } 903 904 if (msg == PAIRWISE_2 && 905 wpa_replay_counter_valid(sm->prev_key_replay, 906 key->replay_counter) && 907 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 908 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 909 "ignore retransmitted EAPOL-Key %s - " 910 "SNonce did not change", msgtxt); 911 } else { 912 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 913 "received EAPOL-Key %s with " 914 "unexpected replay counter", msgtxt); 915 } 916 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 917 if (!sm->key_replay[i].valid) 918 break; 919 wpa_hexdump(MSG_DEBUG, "pending replay counter", 920 sm->key_replay[i].counter, 921 WPA_REPLAY_COUNTER_LEN); 922 } 923 wpa_hexdump(MSG_DEBUG, "received replay counter", 924 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 925 return; 926 } 927 928continue_processing: 929 switch (msg) { 930 case PAIRWISE_2: 931 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 932 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 933 (!sm->update_snonce || 934 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 935 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 936 "received EAPOL-Key msg 2/4 in " 937 "invalid state (%d) - dropped", 938 sm->wpa_ptk_state); 939 return; 940 } 941 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 942 if (sm->group->reject_4way_hs_for_entropy) { 943 /* 944 * The system did not have enough entropy to generate 945 * strong random numbers. Reject the first 4-way 946 * handshake(s) and collect some entropy based on the 947 * information from it. Once enough entropy is 948 * available, the next atempt will trigger GMK/Key 949 * Counter update and the station will be allowed to 950 * continue. 951 */ 952 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 953 "collect more entropy for random number " 954 "generation"); 955 random_mark_pool_ready(); 956 wpa_sta_disconnect(wpa_auth, sm->addr); 957 return; 958 } 959 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 960 &kde) < 0) { 961 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 962 "received EAPOL-Key msg 2/4 with " 963 "invalid Key Data contents"); 964 return; 965 } 966 if (kde.rsn_ie) { 967 eapol_key_ie = kde.rsn_ie; 968 eapol_key_ie_len = kde.rsn_ie_len; 969 } else { 970 eapol_key_ie = kde.wpa_ie; 971 eapol_key_ie_len = kde.wpa_ie_len; 972 } 973 ft = sm->wpa == WPA_VERSION_WPA2 && 974 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 975 if (sm->wpa_ie == NULL || 976 wpa_compare_rsn_ie(ft, 977 sm->wpa_ie, sm->wpa_ie_len, 978 eapol_key_ie, eapol_key_ie_len)) { 979 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 980 "WPA IE from (Re)AssocReq did not " 981 "match with msg 2/4"); 982 if (sm->wpa_ie) { 983 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 984 sm->wpa_ie, sm->wpa_ie_len); 985 } 986 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 987 eapol_key_ie, eapol_key_ie_len); 988 /* MLME-DEAUTHENTICATE.request */ 989 wpa_sta_disconnect(wpa_auth, sm->addr); 990 return; 991 } 992#ifdef CONFIG_IEEE80211R 993 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 994 wpa_sta_disconnect(wpa_auth, sm->addr); 995 return; 996 } 997#endif /* CONFIG_IEEE80211R */ 998 break; 999 case PAIRWISE_4: 1000 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1001 !sm->PTK_valid) { 1002 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1003 "received EAPOL-Key msg 4/4 in " 1004 "invalid state (%d) - dropped", 1005 sm->wpa_ptk_state); 1006 return; 1007 } 1008 break; 1009 case GROUP_2: 1010 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1011 || !sm->PTK_valid) { 1012 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1013 "received EAPOL-Key msg 2/2 in " 1014 "invalid state (%d) - dropped", 1015 sm->wpa_ptk_group_state); 1016 return; 1017 } 1018 break; 1019#ifdef CONFIG_PEERKEY 1020 case SMK_M1: 1021 case SMK_M3: 1022 case SMK_ERROR: 1023 if (!wpa_auth->conf.peerkey) { 1024 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1025 "PeerKey use disabled - ignoring message"); 1026 return; 1027 } 1028 if (!sm->PTK_valid) { 1029 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1030 "received EAPOL-Key msg SMK in " 1031 "invalid state - dropped"); 1032 return; 1033 } 1034 break; 1035#else /* CONFIG_PEERKEY */ 1036 case SMK_M1: 1037 case SMK_M3: 1038 case SMK_ERROR: 1039 return; /* STSL disabled - ignore SMK messages */ 1040#endif /* CONFIG_PEERKEY */ 1041 case REQUEST: 1042 break; 1043 } 1044 1045 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1046 "received EAPOL-Key frame (%s)", msgtxt); 1047 1048 if (key_info & WPA_KEY_INFO_ACK) { 1049 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1050 "received invalid EAPOL-Key: Key Ack set"); 1051 return; 1052 } 1053 1054 if (!(key_info & WPA_KEY_INFO_MIC)) { 1055 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1056 "received invalid EAPOL-Key: Key MIC not set"); 1057 return; 1058 } 1059 1060 sm->MICVerified = FALSE; 1061 if (sm->PTK_valid && !sm->update_snonce) { 1062 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) { 1063 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1064 "received EAPOL-Key with invalid MIC"); 1065 return; 1066 } 1067 sm->MICVerified = TRUE; 1068 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1069 sm->pending_1_of_4_timeout = 0; 1070 } 1071 1072 if (key_info & WPA_KEY_INFO_REQUEST) { 1073 if (sm->MICVerified) { 1074 sm->req_replay_counter_used = 1; 1075 os_memcpy(sm->req_replay_counter, key->replay_counter, 1076 WPA_REPLAY_COUNTER_LEN); 1077 } else { 1078 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1079 "received EAPOL-Key request with " 1080 "invalid MIC"); 1081 return; 1082 } 1083 1084 /* 1085 * TODO: should decrypt key data field if encryption was used; 1086 * even though MAC address KDE is not normally encrypted, 1087 * supplicant is allowed to encrypt it. 1088 */ 1089 if (msg == SMK_ERROR) { 1090#ifdef CONFIG_PEERKEY 1091 wpa_smk_error(wpa_auth, sm, key); 1092#endif /* CONFIG_PEERKEY */ 1093 return; 1094 } else if (key_info & WPA_KEY_INFO_ERROR) { 1095 if (wpa_receive_error_report( 1096 wpa_auth, sm, 1097 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1098 return; /* STA entry was removed */ 1099 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1100 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1101 "received EAPOL-Key Request for new " 1102 "4-Way Handshake"); 1103 wpa_request_new_ptk(sm); 1104#ifdef CONFIG_PEERKEY 1105 } else if (msg == SMK_M1) { 1106 wpa_smk_m1(wpa_auth, sm, key); 1107#endif /* CONFIG_PEERKEY */ 1108 } else if (key_data_length > 0 && 1109 wpa_parse_kde_ies((const u8 *) (key + 1), 1110 key_data_length, &kde) == 0 && 1111 kde.mac_addr) { 1112 } else { 1113 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1114 "received EAPOL-Key Request for GTK " 1115 "rekeying"); 1116 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1117 wpa_rekey_gtk(wpa_auth, NULL); 1118 } 1119 } else { 1120 /* Do not allow the same key replay counter to be reused. */ 1121 wpa_replay_counter_mark_invalid(sm->key_replay, 1122 key->replay_counter); 1123 1124 if (msg == PAIRWISE_2) { 1125 /* 1126 * Maintain a copy of the pending EAPOL-Key frames in 1127 * case the EAPOL-Key frame was retransmitted. This is 1128 * needed to allow EAPOL-Key msg 2/4 reply to another 1129 * pending msg 1/4 to update the SNonce to work around 1130 * unexpected supplicant behavior. 1131 */ 1132 os_memcpy(sm->prev_key_replay, sm->key_replay, 1133 sizeof(sm->key_replay)); 1134 } else { 1135 os_memset(sm->prev_key_replay, 0, 1136 sizeof(sm->prev_key_replay)); 1137 } 1138 1139 /* 1140 * Make sure old valid counters are not accepted anymore and 1141 * do not get copied again. 1142 */ 1143 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1144 } 1145 1146#ifdef CONFIG_PEERKEY 1147 if (msg == SMK_M3) { 1148 wpa_smk_m3(wpa_auth, sm, key); 1149 return; 1150 } 1151#endif /* CONFIG_PEERKEY */ 1152 1153 os_free(sm->last_rx_eapol_key); 1154 sm->last_rx_eapol_key = os_malloc(data_len); 1155 if (sm->last_rx_eapol_key == NULL) 1156 return; 1157 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1158 sm->last_rx_eapol_key_len = data_len; 1159 1160 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1161 sm->EAPOLKeyReceived = TRUE; 1162 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1163 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1164 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1165 wpa_sm_step(sm); 1166} 1167 1168 1169static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1170 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1171{ 1172 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1173 u8 *pos; 1174 int ret = 0; 1175 1176 /* GTK = PRF-X(GMK, "Group key expansion", 1177 * AA || GNonce || Time || random data) 1178 * The example described in the IEEE 802.11 standard uses only AA and 1179 * GNonce as inputs here. Add some more entropy since this derivation 1180 * is done only at the Authenticator and as such, does not need to be 1181 * exactly same. 1182 */ 1183 os_memcpy(data, addr, ETH_ALEN); 1184 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1185 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1186 wpa_get_ntp_timestamp(pos); 1187 pos += 8; 1188 if (random_get_bytes(pos, 16) < 0) 1189 ret = -1; 1190 1191#ifdef CONFIG_IEEE80211W 1192 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1193#else /* CONFIG_IEEE80211W */ 1194 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1195 < 0) 1196 ret = -1; 1197#endif /* CONFIG_IEEE80211W */ 1198 1199 return ret; 1200} 1201 1202 1203static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1204{ 1205 struct wpa_authenticator *wpa_auth = eloop_ctx; 1206 struct wpa_state_machine *sm = timeout_ctx; 1207 1208 sm->pending_1_of_4_timeout = 0; 1209 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1210 sm->TimeoutEvt = TRUE; 1211 wpa_sm_step(sm); 1212} 1213 1214 1215void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1216 struct wpa_state_machine *sm, int key_info, 1217 const u8 *key_rsc, const u8 *nonce, 1218 const u8 *kde, size_t kde_len, 1219 int keyidx, int encr, int force_version) 1220{ 1221 struct ieee802_1x_hdr *hdr; 1222 struct wpa_eapol_key *key; 1223 size_t len; 1224 int alg; 1225 int key_data_len, pad_len = 0; 1226 u8 *buf, *pos; 1227 int version, pairwise; 1228 int i; 1229 1230 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1231 1232 if (force_version) 1233 version = force_version; 1234 else if (wpa_use_aes_cmac(sm)) 1235 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1236 else if (sm->pairwise != WPA_CIPHER_TKIP) 1237 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1238 else 1239 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1240 1241 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1242 1243 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1244 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1245 "encr=%d)", 1246 version, 1247 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1248 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1249 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1250 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1251 pairwise, (unsigned long) kde_len, keyidx, encr); 1252 1253 key_data_len = kde_len; 1254 1255 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1256 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1257 pad_len = key_data_len % 8; 1258 if (pad_len) 1259 pad_len = 8 - pad_len; 1260 key_data_len += pad_len + 8; 1261 } 1262 1263 len += key_data_len; 1264 1265 hdr = os_zalloc(len); 1266 if (hdr == NULL) 1267 return; 1268 hdr->version = wpa_auth->conf.eapol_version; 1269 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1270 hdr->length = host_to_be16(len - sizeof(*hdr)); 1271 key = (struct wpa_eapol_key *) (hdr + 1); 1272 1273 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1274 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1275 key_info |= version; 1276 if (encr && sm->wpa == WPA_VERSION_WPA2) 1277 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1278 if (sm->wpa != WPA_VERSION_WPA2) 1279 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1280 WPA_PUT_BE16(key->key_info, key_info); 1281 1282 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1283 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1284 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1285 WPA_PUT_BE16(key->key_length, 0); 1286 1287 /* FIX: STSL: what to use as key_replay_counter? */ 1288 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1289 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1290 os_memcpy(sm->key_replay[i].counter, 1291 sm->key_replay[i - 1].counter, 1292 WPA_REPLAY_COUNTER_LEN); 1293 } 1294 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1295 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1296 WPA_REPLAY_COUNTER_LEN); 1297 sm->key_replay[0].valid = TRUE; 1298 1299 if (nonce) 1300 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1301 1302 if (key_rsc) 1303 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1304 1305 if (kde && !encr) { 1306 os_memcpy(key + 1, kde, kde_len); 1307 WPA_PUT_BE16(key->key_data_length, kde_len); 1308 } else if (encr && kde) { 1309 buf = os_zalloc(key_data_len); 1310 if (buf == NULL) { 1311 os_free(hdr); 1312 return; 1313 } 1314 pos = buf; 1315 os_memcpy(pos, kde, kde_len); 1316 pos += kde_len; 1317 1318 if (pad_len) 1319 *pos++ = 0xdd; 1320 1321 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1322 buf, key_data_len); 1323 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1324 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1325 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, 1326 (u8 *) (key + 1))) { 1327 os_free(hdr); 1328 os_free(buf); 1329 return; 1330 } 1331 WPA_PUT_BE16(key->key_data_length, key_data_len); 1332 } else { 1333 u8 ek[32]; 1334 os_memcpy(key->key_iv, 1335 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1336 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1337 os_memcpy(ek, key->key_iv, 16); 1338 os_memcpy(ek + 16, sm->PTK.kek, 16); 1339 os_memcpy(key + 1, buf, key_data_len); 1340 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1341 WPA_PUT_BE16(key->key_data_length, key_data_len); 1342 } 1343 os_free(buf); 1344 } 1345 1346 if (key_info & WPA_KEY_INFO_MIC) { 1347 if (!sm->PTK_valid) { 1348 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1349 "PTK not valid when sending EAPOL-Key " 1350 "frame"); 1351 os_free(hdr); 1352 return; 1353 } 1354 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, 1355 key->key_mic); 1356#ifdef CONFIG_TESTING_OPTIONS 1357 if (!pairwise && 1358 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d && 1359 drand48() < 1360 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1361 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1362 "Corrupting group EAPOL-Key Key MIC"); 1363 key->key_mic[0]++; 1364 } 1365#endif /* CONFIG_TESTING_OPTIONS */ 1366 } 1367 1368 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1369 1); 1370 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1371 sm->pairwise_set); 1372 os_free(hdr); 1373} 1374 1375 1376static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1377 struct wpa_state_machine *sm, int key_info, 1378 const u8 *key_rsc, const u8 *nonce, 1379 const u8 *kde, size_t kde_len, 1380 int keyidx, int encr) 1381{ 1382 int timeout_ms; 1383 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1384 int ctr; 1385 1386 if (sm == NULL) 1387 return; 1388 1389 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1390 keyidx, encr, 0); 1391 1392 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1393 if (ctr == 1 && wpa_auth->conf.tx_status) 1394 timeout_ms = pairwise ? eapol_key_timeout_first : 1395 eapol_key_timeout_first_group; 1396 else 1397 timeout_ms = eapol_key_timeout_subseq; 1398 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1399 sm->pending_1_of_4_timeout = 1; 1400 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1401 "counter %d)", timeout_ms, ctr); 1402 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1403 wpa_send_eapol_timeout, wpa_auth, sm); 1404} 1405 1406 1407static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len) 1408{ 1409 struct ieee802_1x_hdr *hdr; 1410 struct wpa_eapol_key *key; 1411 u16 key_info; 1412 int ret = 0; 1413 u8 mic[16]; 1414 1415 if (data_len < sizeof(*hdr) + sizeof(*key)) 1416 return -1; 1417 1418 hdr = (struct ieee802_1x_hdr *) data; 1419 key = (struct wpa_eapol_key *) (hdr + 1); 1420 key_info = WPA_GET_BE16(key->key_info); 1421 os_memcpy(mic, key->key_mic, 16); 1422 os_memset(key->key_mic, 0, 16); 1423 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK, 1424 data, data_len, key->key_mic) || 1425 os_memcmp(mic, key->key_mic, 16) != 0) 1426 ret = -1; 1427 os_memcpy(key->key_mic, mic, 16); 1428 return ret; 1429} 1430 1431 1432void wpa_remove_ptk(struct wpa_state_machine *sm) 1433{ 1434 sm->PTK_valid = FALSE; 1435 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1436 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1437 sm->pairwise_set = FALSE; 1438 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1439} 1440 1441 1442int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1443{ 1444 int remove_ptk = 1; 1445 1446 if (sm == NULL) 1447 return -1; 1448 1449 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1450 "event %d notification", event); 1451 1452 switch (event) { 1453 case WPA_AUTH: 1454 case WPA_ASSOC: 1455 break; 1456 case WPA_DEAUTH: 1457 case WPA_DISASSOC: 1458 sm->DeauthenticationRequest = TRUE; 1459 break; 1460 case WPA_REAUTH: 1461 case WPA_REAUTH_EAPOL: 1462 if (!sm->started) { 1463 /* 1464 * When using WPS, we may end up here if the STA 1465 * manages to re-associate without the previous STA 1466 * entry getting removed. Consequently, we need to make 1467 * sure that the WPA state machines gets initialized 1468 * properly at this point. 1469 */ 1470 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1471 "started - initialize now"); 1472 sm->started = 1; 1473 sm->Init = TRUE; 1474 if (wpa_sm_step(sm) == 1) 1475 return 1; /* should not really happen */ 1476 sm->Init = FALSE; 1477 sm->AuthenticationRequest = TRUE; 1478 break; 1479 } 1480 if (sm->GUpdateStationKeys) { 1481 /* 1482 * Reauthentication cancels the pending group key 1483 * update for this STA. 1484 */ 1485 sm->group->GKeyDoneStations--; 1486 sm->GUpdateStationKeys = FALSE; 1487 sm->PtkGroupInit = TRUE; 1488 } 1489 sm->ReAuthenticationRequest = TRUE; 1490 break; 1491 case WPA_ASSOC_FT: 1492#ifdef CONFIG_IEEE80211R 1493 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1494 "after association"); 1495 wpa_ft_install_ptk(sm); 1496 1497 /* Using FT protocol, not WPA auth state machine */ 1498 sm->ft_completed = 1; 1499 return 0; 1500#else /* CONFIG_IEEE80211R */ 1501 break; 1502#endif /* CONFIG_IEEE80211R */ 1503 } 1504 1505#ifdef CONFIG_IEEE80211R 1506 sm->ft_completed = 0; 1507#endif /* CONFIG_IEEE80211R */ 1508 1509#ifdef CONFIG_IEEE80211W 1510 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1511 remove_ptk = 0; 1512#endif /* CONFIG_IEEE80211W */ 1513 1514 if (remove_ptk) { 1515 sm->PTK_valid = FALSE; 1516 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1517 1518 if (event != WPA_REAUTH_EAPOL) 1519 wpa_remove_ptk(sm); 1520 } 1521 1522 return wpa_sm_step(sm); 1523} 1524 1525 1526SM_STATE(WPA_PTK, INITIALIZE) 1527{ 1528 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1529 if (sm->Init) { 1530 /* Init flag is not cleared here, so avoid busy 1531 * loop by claiming nothing changed. */ 1532 sm->changed = FALSE; 1533 } 1534 1535 sm->keycount = 0; 1536 if (sm->GUpdateStationKeys) 1537 sm->group->GKeyDoneStations--; 1538 sm->GUpdateStationKeys = FALSE; 1539 if (sm->wpa == WPA_VERSION_WPA) 1540 sm->PInitAKeys = FALSE; 1541 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1542 * Local AA > Remote AA)) */) { 1543 sm->Pair = TRUE; 1544 } 1545 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1546 wpa_remove_ptk(sm); 1547 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1548 sm->TimeoutCtr = 0; 1549 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1550 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1551 WPA_EAPOL_authorized, 0); 1552 } 1553} 1554 1555 1556SM_STATE(WPA_PTK, DISCONNECT) 1557{ 1558 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1559 sm->Disconnect = FALSE; 1560 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1561} 1562 1563 1564SM_STATE(WPA_PTK, DISCONNECTED) 1565{ 1566 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1567 sm->DeauthenticationRequest = FALSE; 1568} 1569 1570 1571SM_STATE(WPA_PTK, AUTHENTICATION) 1572{ 1573 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1574 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1575 sm->PTK_valid = FALSE; 1576 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1577 1); 1578 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1579 sm->AuthenticationRequest = FALSE; 1580} 1581 1582 1583static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1584 struct wpa_group *group) 1585{ 1586 if (group->first_sta_seen) 1587 return; 1588 /* 1589 * System has run bit further than at the time hostapd was started 1590 * potentially very early during boot up. This provides better chances 1591 * of collecting more randomness on embedded systems. Re-initialize the 1592 * GMK and Counter here to improve their strength if there was not 1593 * enough entropy available immediately after system startup. 1594 */ 1595 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1596 "station"); 1597 if (random_pool_ready() != 1) { 1598 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1599 "to proceed - reject first 4-way handshake"); 1600 group->reject_4way_hs_for_entropy = TRUE; 1601 } else { 1602 group->first_sta_seen = TRUE; 1603 group->reject_4way_hs_for_entropy = FALSE; 1604 } 1605 1606 wpa_group_init_gmk_and_counter(wpa_auth, group); 1607 wpa_gtk_update(wpa_auth, group); 1608 wpa_group_config_group_keys(wpa_auth, group); 1609} 1610 1611 1612SM_STATE(WPA_PTK, AUTHENTICATION2) 1613{ 1614 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1615 1616 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1617 sm->ReAuthenticationRequest = FALSE; 1618 1619 /* 1620 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1621 * ambiguous. The Authenticator state machine uses a counter that is 1622 * incremented by one for each 4-way handshake. However, the security 1623 * analysis of 4-way handshake points out that unpredictable nonces 1624 * help in preventing precomputation attacks. Instead of the state 1625 * machine definition, use an unpredictable nonce value here to provide 1626 * stronger protection against potential precomputation attacks. 1627 */ 1628 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1629 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1630 "ANonce."); 1631 sm->Disconnect = TRUE; 1632 return; 1633 } 1634 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1635 WPA_NONCE_LEN); 1636 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1637 * logical place than INITIALIZE since AUTHENTICATION2 can be 1638 * re-entered on ReAuthenticationRequest without going through 1639 * INITIALIZE. */ 1640 sm->TimeoutCtr = 0; 1641} 1642 1643 1644SM_STATE(WPA_PTK, INITPMK) 1645{ 1646 u8 msk[2 * PMK_LEN]; 1647 size_t len = 2 * PMK_LEN; 1648 1649 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1650#ifdef CONFIG_IEEE80211R 1651 sm->xxkey_len = 0; 1652#endif /* CONFIG_IEEE80211R */ 1653 if (sm->pmksa) { 1654 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1655 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1656 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1657 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1658 "(len=%lu)", (unsigned long) len); 1659 os_memcpy(sm->PMK, msk, PMK_LEN); 1660#ifdef CONFIG_IEEE80211R 1661 if (len >= 2 * PMK_LEN) { 1662 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1663 sm->xxkey_len = PMK_LEN; 1664 } 1665#endif /* CONFIG_IEEE80211R */ 1666 } else { 1667 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1668 } 1669 1670 sm->req_replay_counter_used = 0; 1671 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1672 * will break reauthentication since EAPOL state machines may not be 1673 * get into AUTHENTICATING state that clears keyRun before WPA state 1674 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1675 * state and takes PMK from the previously used AAA Key. This will 1676 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1677 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1678 * be good workaround for this issue. */ 1679 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1680} 1681 1682 1683SM_STATE(WPA_PTK, INITPSK) 1684{ 1685 const u8 *psk; 1686 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1687 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1688 if (psk) { 1689 os_memcpy(sm->PMK, psk, PMK_LEN); 1690#ifdef CONFIG_IEEE80211R 1691 os_memcpy(sm->xxkey, psk, PMK_LEN); 1692 sm->xxkey_len = PMK_LEN; 1693#endif /* CONFIG_IEEE80211R */ 1694 } 1695 sm->req_replay_counter_used = 0; 1696} 1697 1698 1699SM_STATE(WPA_PTK, PTKSTART) 1700{ 1701 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1702 size_t pmkid_len = 0; 1703 1704 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1705 sm->PTKRequest = FALSE; 1706 sm->TimeoutEvt = FALSE; 1707 1708 sm->TimeoutCtr++; 1709 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1710 /* No point in sending the EAPOL-Key - we will disconnect 1711 * immediately following this. */ 1712 return; 1713 } 1714 1715 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1716 "sending 1/4 msg of 4-Way Handshake"); 1717 /* 1718 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1719 * one possible PSK for this STA. 1720 */ 1721 if (sm->wpa == WPA_VERSION_WPA2 && 1722 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) { 1723 pmkid = buf; 1724 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1725 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1726 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1727 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1728 if (sm->pmksa) 1729 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1730 sm->pmksa->pmkid, PMKID_LEN); 1731 else { 1732 /* 1733 * Calculate PMKID since no PMKSA cache entry was 1734 * available with pre-calculated PMKID. 1735 */ 1736 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1737 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1738 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1739 } 1740 } 1741 wpa_send_eapol(sm->wpa_auth, sm, 1742 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1743 sm->ANonce, pmkid, pmkid_len, 0, 0); 1744} 1745 1746 1747static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk, 1748 struct wpa_ptk *ptk) 1749{ 1750 size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64; 1751#ifdef CONFIG_IEEE80211R 1752 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1753 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1754#endif /* CONFIG_IEEE80211R */ 1755 1756 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1757 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce, 1758 (u8 *) ptk, ptk_len, 1759 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1760 1761 return 0; 1762} 1763 1764 1765SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1766{ 1767 struct wpa_ptk PTK; 1768 int ok = 0; 1769 const u8 *pmk = NULL; 1770 1771 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1772 sm->EAPOLKeyReceived = FALSE; 1773 sm->update_snonce = FALSE; 1774 1775 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1776 * WPA-PSK: iterate through possible PSKs and select the one matching 1777 * the packet */ 1778 for (;;) { 1779 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1780 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 1781 sm->p2p_dev_addr, pmk); 1782 if (pmk == NULL) 1783 break; 1784 } else 1785 pmk = sm->PMK; 1786 1787 wpa_derive_ptk(sm, pmk, &PTK); 1788 1789 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key, 1790 sm->last_rx_eapol_key_len) == 0) { 1791 ok = 1; 1792 break; 1793 } 1794 1795 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1796 break; 1797 } 1798 1799 if (!ok) { 1800 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1801 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1802 return; 1803 } 1804 1805#ifdef CONFIG_IEEE80211R 1806 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1807 /* 1808 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1809 * with the value we derived. 1810 */ 1811 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1812 WPA_PMK_NAME_LEN) != 0) { 1813 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1814 "PMKR1Name mismatch in FT 4-way " 1815 "handshake"); 1816 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1817 "Supplicant", 1818 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 1819 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1820 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1821 return; 1822 } 1823 } 1824#endif /* CONFIG_IEEE80211R */ 1825 1826 sm->pending_1_of_4_timeout = 0; 1827 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 1828 1829 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1830 /* PSK may have changed from the previous choice, so update 1831 * state machine data based on whatever PSK was selected here. 1832 */ 1833 os_memcpy(sm->PMK, pmk, PMK_LEN); 1834 } 1835 1836 sm->MICVerified = TRUE; 1837 1838 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 1839 sm->PTK_valid = TRUE; 1840} 1841 1842 1843SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 1844{ 1845 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 1846 sm->TimeoutCtr = 0; 1847} 1848 1849 1850#ifdef CONFIG_IEEE80211W 1851 1852static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1853{ 1854 if (sm->mgmt_frame_prot) { 1855 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde); 1856 } 1857 1858 return 0; 1859} 1860 1861 1862static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1863{ 1864 struct wpa_igtk_kde igtk; 1865 struct wpa_group *gsm = sm->group; 1866 1867 if (!sm->mgmt_frame_prot) 1868 return pos; 1869 1870 igtk.keyid[0] = gsm->GN_igtk; 1871 igtk.keyid[1] = 0; 1872 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 1873 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0) 1874 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 1875 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 1876 if (sm->wpa_auth->conf.disable_gtk) { 1877 /* 1878 * Provide unique random IGTK to each STA to prevent use of 1879 * IGTK in the BSS. 1880 */ 1881 if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0) 1882 return pos; 1883 } 1884 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 1885 (const u8 *) &igtk, sizeof(igtk), NULL, 0); 1886 1887 return pos; 1888} 1889 1890#else /* CONFIG_IEEE80211W */ 1891 1892static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1893{ 1894 return 0; 1895} 1896 1897 1898static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1899{ 1900 return pos; 1901} 1902 1903#endif /* CONFIG_IEEE80211W */ 1904 1905 1906SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 1907{ 1908 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 1909 size_t gtk_len, kde_len; 1910 struct wpa_group *gsm = sm->group; 1911 u8 *wpa_ie; 1912 int wpa_ie_len, secure, keyidx, encr = 0; 1913 1914 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 1915 sm->TimeoutEvt = FALSE; 1916 1917 sm->TimeoutCtr++; 1918 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1919 /* No point in sending the EAPOL-Key - we will disconnect 1920 * immediately following this. */ 1921 return; 1922 } 1923 1924 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 1925 GTK[GN], IGTK, [FTIE], [TIE * 2]) 1926 */ 1927 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 1928 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 1929 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 1930 wpa_ie = sm->wpa_auth->wpa_ie; 1931 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 1932 if (sm->wpa == WPA_VERSION_WPA && 1933 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 1934 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 1935 /* WPA-only STA, remove RSN IE */ 1936 wpa_ie = wpa_ie + wpa_ie[1] + 2; 1937 wpa_ie_len = wpa_ie[1] + 2; 1938 } 1939 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1940 "sending 3/4 msg of 4-Way Handshake"); 1941 if (sm->wpa == WPA_VERSION_WPA2) { 1942 /* WPA2 send GTK in the 4-way handshake */ 1943 secure = 1; 1944 gtk = gsm->GTK[gsm->GN - 1]; 1945 gtk_len = gsm->GTK_len; 1946 if (sm->wpa_auth->conf.disable_gtk) { 1947 /* 1948 * Provide unique random GTK to each STA to prevent use 1949 * of GTK in the BSS. 1950 */ 1951 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 1952 return; 1953 gtk = dummy_gtk; 1954 } 1955 keyidx = gsm->GN; 1956 _rsc = rsc; 1957 encr = 1; 1958 } else { 1959 /* WPA does not include GTK in msg 3/4 */ 1960 secure = 0; 1961 gtk = NULL; 1962 gtk_len = 0; 1963 keyidx = 0; 1964 _rsc = NULL; 1965 if (sm->rx_eapol_key_secure) { 1966 /* 1967 * It looks like Windows 7 supplicant tries to use 1968 * Secure bit in msg 2/4 after having reported Michael 1969 * MIC failure and it then rejects the 4-way handshake 1970 * if msg 3/4 does not set Secure bit. Work around this 1971 * by setting the Secure bit here even in the case of 1972 * WPA if the supplicant used it first. 1973 */ 1974 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1975 "STA used Secure bit in WPA msg 2/4 - " 1976 "set Secure for 3/4 as workaround"); 1977 secure = 1; 1978 } 1979 } 1980 1981 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 1982 if (gtk) 1983 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 1984#ifdef CONFIG_IEEE80211R 1985 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1986 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 1987 kde_len += 300; /* FTIE + 2 * TIE */ 1988 } 1989#endif /* CONFIG_IEEE80211R */ 1990 kde = os_malloc(kde_len); 1991 if (kde == NULL) 1992 return; 1993 1994 pos = kde; 1995 os_memcpy(pos, wpa_ie, wpa_ie_len); 1996 pos += wpa_ie_len; 1997#ifdef CONFIG_IEEE80211R 1998 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1999 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 2000 if (res < 0) { 2001 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2002 "PMKR1Name into RSN IE in EAPOL-Key data"); 2003 os_free(kde); 2004 return; 2005 } 2006 pos += res; 2007 } 2008#endif /* CONFIG_IEEE80211R */ 2009 if (gtk) { 2010 u8 hdr[2]; 2011 hdr[0] = keyidx & 0x03; 2012 hdr[1] = 0; 2013 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2014 gtk, gtk_len); 2015 } 2016 pos = ieee80211w_kde_add(sm, pos); 2017 2018#ifdef CONFIG_IEEE80211R 2019 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2020 int res; 2021 struct wpa_auth_config *conf; 2022 2023 conf = &sm->wpa_auth->conf; 2024 res = wpa_write_ftie(conf, conf->r0_key_holder, 2025 conf->r0_key_holder_len, 2026 NULL, NULL, pos, kde + kde_len - pos, 2027 NULL, 0); 2028 if (res < 0) { 2029 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2030 "into EAPOL-Key Key Data"); 2031 os_free(kde); 2032 return; 2033 } 2034 pos += res; 2035 2036 /* TIE[ReassociationDeadline] (TU) */ 2037 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2038 *pos++ = 5; 2039 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2040 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2041 pos += 4; 2042 2043 /* TIE[KeyLifetime] (seconds) */ 2044 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2045 *pos++ = 5; 2046 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2047 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2048 pos += 4; 2049 } 2050#endif /* CONFIG_IEEE80211R */ 2051 2052 wpa_send_eapol(sm->wpa_auth, sm, 2053 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2054 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2055 WPA_KEY_INFO_KEY_TYPE, 2056 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2057 os_free(kde); 2058} 2059 2060 2061SM_STATE(WPA_PTK, PTKINITDONE) 2062{ 2063 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2064 sm->EAPOLKeyReceived = FALSE; 2065 if (sm->Pair) { 2066 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2067 int klen = wpa_cipher_key_len(sm->pairwise); 2068 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2069 sm->PTK.tk1, klen)) { 2070 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2071 return; 2072 } 2073 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2074 sm->pairwise_set = TRUE; 2075 2076 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2077 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2078 eloop_register_timeout(sm->wpa_auth->conf. 2079 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2080 sm->wpa_auth, sm); 2081 } 2082 2083 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2084 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2085 WPA_EAPOL_authorized, 1); 2086 } 2087 } 2088 2089 if (0 /* IBSS == TRUE */) { 2090 sm->keycount++; 2091 if (sm->keycount == 2) { 2092 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2093 WPA_EAPOL_portValid, 1); 2094 } 2095 } else { 2096 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2097 1); 2098 } 2099 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2100 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2101 if (sm->wpa == WPA_VERSION_WPA) 2102 sm->PInitAKeys = TRUE; 2103 else 2104 sm->has_GTK = TRUE; 2105 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2106 "pairwise key handshake completed (%s)", 2107 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2108 2109#ifdef CONFIG_IEEE80211R 2110 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2111#endif /* CONFIG_IEEE80211R */ 2112} 2113 2114 2115SM_STEP(WPA_PTK) 2116{ 2117 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2118 2119 if (sm->Init) 2120 SM_ENTER(WPA_PTK, INITIALIZE); 2121 else if (sm->Disconnect 2122 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2123 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2124 "WPA_PTK: sm->Disconnect"); 2125 SM_ENTER(WPA_PTK, DISCONNECT); 2126 } 2127 else if (sm->DeauthenticationRequest) 2128 SM_ENTER(WPA_PTK, DISCONNECTED); 2129 else if (sm->AuthenticationRequest) 2130 SM_ENTER(WPA_PTK, AUTHENTICATION); 2131 else if (sm->ReAuthenticationRequest) 2132 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2133 else if (sm->PTKRequest) 2134 SM_ENTER(WPA_PTK, PTKSTART); 2135 else switch (sm->wpa_ptk_state) { 2136 case WPA_PTK_INITIALIZE: 2137 break; 2138 case WPA_PTK_DISCONNECT: 2139 SM_ENTER(WPA_PTK, DISCONNECTED); 2140 break; 2141 case WPA_PTK_DISCONNECTED: 2142 SM_ENTER(WPA_PTK, INITIALIZE); 2143 break; 2144 case WPA_PTK_AUTHENTICATION: 2145 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2146 break; 2147 case WPA_PTK_AUTHENTICATION2: 2148 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2149 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2150 WPA_EAPOL_keyRun) > 0) 2151 SM_ENTER(WPA_PTK, INITPMK); 2152 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2153 /* FIX: && 802.1X::keyRun */) 2154 SM_ENTER(WPA_PTK, INITPSK); 2155 break; 2156 case WPA_PTK_INITPMK: 2157 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2158 WPA_EAPOL_keyAvailable) > 0) 2159 SM_ENTER(WPA_PTK, PTKSTART); 2160 else { 2161 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2162 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2163 "INITPMK - keyAvailable = false"); 2164 SM_ENTER(WPA_PTK, DISCONNECT); 2165 } 2166 break; 2167 case WPA_PTK_INITPSK: 2168 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2169 NULL)) 2170 SM_ENTER(WPA_PTK, PTKSTART); 2171 else { 2172 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2173 "no PSK configured for the STA"); 2174 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2175 SM_ENTER(WPA_PTK, DISCONNECT); 2176 } 2177 break; 2178 case WPA_PTK_PTKSTART: 2179 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2180 sm->EAPOLKeyPairwise) 2181 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2182 else if (sm->TimeoutCtr > 2183 (int) dot11RSNAConfigPairwiseUpdateCount) { 2184 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2185 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2186 "PTKSTART: Retry limit %d reached", 2187 dot11RSNAConfigPairwiseUpdateCount); 2188 SM_ENTER(WPA_PTK, DISCONNECT); 2189 } else if (sm->TimeoutEvt) 2190 SM_ENTER(WPA_PTK, PTKSTART); 2191 break; 2192 case WPA_PTK_PTKCALCNEGOTIATING: 2193 if (sm->MICVerified) 2194 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2195 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2196 sm->EAPOLKeyPairwise) 2197 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2198 else if (sm->TimeoutEvt) 2199 SM_ENTER(WPA_PTK, PTKSTART); 2200 break; 2201 case WPA_PTK_PTKCALCNEGOTIATING2: 2202 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2203 break; 2204 case WPA_PTK_PTKINITNEGOTIATING: 2205 if (sm->update_snonce) 2206 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2207 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2208 sm->EAPOLKeyPairwise && sm->MICVerified) 2209 SM_ENTER(WPA_PTK, PTKINITDONE); 2210 else if (sm->TimeoutCtr > 2211 (int) dot11RSNAConfigPairwiseUpdateCount) { 2212 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2213 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2214 "PTKINITNEGOTIATING: Retry limit %d " 2215 "reached", 2216 dot11RSNAConfigPairwiseUpdateCount); 2217 SM_ENTER(WPA_PTK, DISCONNECT); 2218 } else if (sm->TimeoutEvt) 2219 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2220 break; 2221 case WPA_PTK_PTKINITDONE: 2222 break; 2223 } 2224} 2225 2226 2227SM_STATE(WPA_PTK_GROUP, IDLE) 2228{ 2229 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2230 if (sm->Init) { 2231 /* Init flag is not cleared here, so avoid busy 2232 * loop by claiming nothing changed. */ 2233 sm->changed = FALSE; 2234 } 2235 sm->GTimeoutCtr = 0; 2236} 2237 2238 2239SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2240{ 2241 u8 rsc[WPA_KEY_RSC_LEN]; 2242 struct wpa_group *gsm = sm->group; 2243 u8 *kde, *pos, hdr[2]; 2244 size_t kde_len; 2245 u8 *gtk, dummy_gtk[32]; 2246 2247 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2248 2249 sm->GTimeoutCtr++; 2250 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2251 /* No point in sending the EAPOL-Key - we will disconnect 2252 * immediately following this. */ 2253 return; 2254 } 2255 2256 if (sm->wpa == WPA_VERSION_WPA) 2257 sm->PInitAKeys = FALSE; 2258 sm->TimeoutEvt = FALSE; 2259 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2260 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2261 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2262 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2263 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2264 "sending 1/2 msg of Group Key Handshake"); 2265 2266 gtk = gsm->GTK[gsm->GN - 1]; 2267 if (sm->wpa_auth->conf.disable_gtk) { 2268 /* 2269 * Provide unique random GTK to each STA to prevent use 2270 * of GTK in the BSS. 2271 */ 2272 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2273 return; 2274 gtk = dummy_gtk; 2275 } 2276 if (sm->wpa == WPA_VERSION_WPA2) { 2277 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2278 ieee80211w_kde_len(sm); 2279 kde = os_malloc(kde_len); 2280 if (kde == NULL) 2281 return; 2282 2283 pos = kde; 2284 hdr[0] = gsm->GN & 0x03; 2285 hdr[1] = 0; 2286 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2287 gtk, gsm->GTK_len); 2288 pos = ieee80211w_kde_add(sm, pos); 2289 } else { 2290 kde = gtk; 2291 pos = kde + gsm->GTK_len; 2292 } 2293 2294 wpa_send_eapol(sm->wpa_auth, sm, 2295 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2296 WPA_KEY_INFO_ACK | 2297 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2298 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1); 2299 if (sm->wpa == WPA_VERSION_WPA2) 2300 os_free(kde); 2301} 2302 2303 2304SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2305{ 2306 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2307 sm->EAPOLKeyReceived = FALSE; 2308 if (sm->GUpdateStationKeys) 2309 sm->group->GKeyDoneStations--; 2310 sm->GUpdateStationKeys = FALSE; 2311 sm->GTimeoutCtr = 0; 2312 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2313 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2314 "group key handshake completed (%s)", 2315 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2316 sm->has_GTK = TRUE; 2317} 2318 2319 2320SM_STATE(WPA_PTK_GROUP, KEYERROR) 2321{ 2322 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2323 if (sm->GUpdateStationKeys) 2324 sm->group->GKeyDoneStations--; 2325 sm->GUpdateStationKeys = FALSE; 2326 sm->Disconnect = TRUE; 2327} 2328 2329 2330SM_STEP(WPA_PTK_GROUP) 2331{ 2332 if (sm->Init || sm->PtkGroupInit) { 2333 SM_ENTER(WPA_PTK_GROUP, IDLE); 2334 sm->PtkGroupInit = FALSE; 2335 } else switch (sm->wpa_ptk_group_state) { 2336 case WPA_PTK_GROUP_IDLE: 2337 if (sm->GUpdateStationKeys || 2338 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2339 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2340 break; 2341 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2342 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2343 !sm->EAPOLKeyPairwise && sm->MICVerified) 2344 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2345 else if (sm->GTimeoutCtr > 2346 (int) dot11RSNAConfigGroupUpdateCount) 2347 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2348 else if (sm->TimeoutEvt) 2349 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2350 break; 2351 case WPA_PTK_GROUP_KEYERROR: 2352 SM_ENTER(WPA_PTK_GROUP, IDLE); 2353 break; 2354 case WPA_PTK_GROUP_REKEYESTABLISHED: 2355 SM_ENTER(WPA_PTK_GROUP, IDLE); 2356 break; 2357 } 2358} 2359 2360 2361static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2362 struct wpa_group *group) 2363{ 2364 int ret = 0; 2365 2366 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2367 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2368 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2369 wpa_auth->addr, group->GNonce, 2370 group->GTK[group->GN - 1], group->GTK_len) < 0) 2371 ret = -1; 2372 wpa_hexdump_key(MSG_DEBUG, "GTK", 2373 group->GTK[group->GN - 1], group->GTK_len); 2374 2375#ifdef CONFIG_IEEE80211W 2376 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2377 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2378 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2379 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2380 wpa_auth->addr, group->GNonce, 2381 group->IGTK[group->GN_igtk - 4], 2382 WPA_IGTK_LEN) < 0) 2383 ret = -1; 2384 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2385 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN); 2386 } 2387#endif /* CONFIG_IEEE80211W */ 2388 2389 return ret; 2390} 2391 2392 2393static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2394 struct wpa_group *group) 2395{ 2396 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2397 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2398 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2399 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2400 2401 /* GTK[0..N] = 0 */ 2402 os_memset(group->GTK, 0, sizeof(group->GTK)); 2403 group->GN = 1; 2404 group->GM = 2; 2405#ifdef CONFIG_IEEE80211W 2406 group->GN_igtk = 4; 2407 group->GM_igtk = 5; 2408#endif /* CONFIG_IEEE80211W */ 2409 /* GTK[GN] = CalcGTK() */ 2410 wpa_gtk_update(wpa_auth, group); 2411} 2412 2413 2414static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2415{ 2416 if (ctx != NULL && ctx != sm->group) 2417 return 0; 2418 2419 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2420 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2421 "Not in PTKINITDONE; skip Group Key update"); 2422 sm->GUpdateStationKeys = FALSE; 2423 return 0; 2424 } 2425 if (sm->GUpdateStationKeys) { 2426 /* 2427 * This should not really happen, so add a debug log entry. 2428 * Since we clear the GKeyDoneStations before the loop, the 2429 * station needs to be counted here anyway. 2430 */ 2431 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2432 "GUpdateStationKeys was already set when " 2433 "marking station for GTK rekeying"); 2434 } 2435 2436 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2437 if (sm->is_wnmsleep) 2438 return 0; 2439 2440 sm->group->GKeyDoneStations++; 2441 sm->GUpdateStationKeys = TRUE; 2442 2443 wpa_sm_step(sm); 2444 return 0; 2445} 2446 2447 2448#ifdef CONFIG_WNM 2449/* update GTK when exiting WNM-Sleep Mode */ 2450void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2451{ 2452 if (sm->is_wnmsleep) 2453 return; 2454 2455 wpa_group_update_sta(sm, NULL); 2456} 2457 2458 2459void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2460{ 2461 sm->is_wnmsleep = !!flag; 2462} 2463 2464 2465int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2466{ 2467 struct wpa_group *gsm = sm->group; 2468 u8 *start = pos; 2469 2470 /* 2471 * GTK subelement: 2472 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2473 * Key[5..32] 2474 */ 2475 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2476 *pos++ = 11 + gsm->GTK_len; 2477 /* Key ID in B0-B1 of Key Info */ 2478 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2479 pos += 2; 2480 *pos++ = gsm->GTK_len; 2481 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2482 return 0; 2483 pos += 8; 2484 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2485 pos += gsm->GTK_len; 2486 2487 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2488 gsm->GN); 2489 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2490 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2491 2492 return pos - start; 2493} 2494 2495 2496#ifdef CONFIG_IEEE80211W 2497int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2498{ 2499 struct wpa_group *gsm = sm->group; 2500 u8 *start = pos; 2501 2502 /* 2503 * IGTK subelement: 2504 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2505 */ 2506 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2507 *pos++ = 2 + 6 + WPA_IGTK_LEN; 2508 WPA_PUT_LE16(pos, gsm->GN_igtk); 2509 pos += 2; 2510 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2511 return 0; 2512 pos += 6; 2513 2514 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2515 pos += WPA_IGTK_LEN; 2516 2517 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2518 gsm->GN_igtk); 2519 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2520 gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2521 2522 return pos - start; 2523} 2524#endif /* CONFIG_IEEE80211W */ 2525#endif /* CONFIG_WNM */ 2526 2527 2528static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2529 struct wpa_group *group) 2530{ 2531 int tmp; 2532 2533 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2534 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2535 group->changed = TRUE; 2536 group->wpa_group_state = WPA_GROUP_SETKEYS; 2537 group->GTKReKey = FALSE; 2538 tmp = group->GM; 2539 group->GM = group->GN; 2540 group->GN = tmp; 2541#ifdef CONFIG_IEEE80211W 2542 tmp = group->GM_igtk; 2543 group->GM_igtk = group->GN_igtk; 2544 group->GN_igtk = tmp; 2545#endif /* CONFIG_IEEE80211W */ 2546 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2547 * counting the STAs that are marked with GUpdateStationKeys instead of 2548 * including all STAs that could be in not-yet-completed state. */ 2549 wpa_gtk_update(wpa_auth, group); 2550 2551 if (group->GKeyDoneStations) { 2552 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2553 "GKeyDoneStations=%d when starting new GTK rekey", 2554 group->GKeyDoneStations); 2555 group->GKeyDoneStations = 0; 2556 } 2557 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2558 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2559 group->GKeyDoneStations); 2560} 2561 2562 2563static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2564 struct wpa_group *group) 2565{ 2566 int ret = 0; 2567 2568 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2569 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2570 broadcast_ether_addr, group->GN, 2571 group->GTK[group->GN - 1], group->GTK_len) < 0) 2572 ret = -1; 2573 2574#ifdef CONFIG_IEEE80211W 2575 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && 2576 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK, 2577 broadcast_ether_addr, group->GN_igtk, 2578 group->IGTK[group->GN_igtk - 4], 2579 WPA_IGTK_LEN) < 0) 2580 ret = -1; 2581#endif /* CONFIG_IEEE80211W */ 2582 2583 return ret; 2584} 2585 2586 2587static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2588 struct wpa_group *group) 2589{ 2590 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2591 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2592 group->changed = TRUE; 2593 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2594 2595 if (wpa_group_config_group_keys(wpa_auth, group) < 0) 2596 return -1; 2597 2598 return 0; 2599} 2600 2601 2602static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2603 struct wpa_group *group) 2604{ 2605 if (group->GInit) { 2606 wpa_group_gtk_init(wpa_auth, group); 2607 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2608 group->GTKAuthenticator) { 2609 wpa_group_setkeysdone(wpa_auth, group); 2610 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2611 group->GTKReKey) { 2612 wpa_group_setkeys(wpa_auth, group); 2613 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2614 if (group->GKeyDoneStations == 0) 2615 wpa_group_setkeysdone(wpa_auth, group); 2616 else if (group->GTKReKey) 2617 wpa_group_setkeys(wpa_auth, group); 2618 } 2619} 2620 2621 2622static int wpa_sm_step(struct wpa_state_machine *sm) 2623{ 2624 if (sm == NULL) 2625 return 0; 2626 2627 if (sm->in_step_loop) { 2628 /* This should not happen, but if it does, make sure we do not 2629 * end up freeing the state machine too early by exiting the 2630 * recursive call. */ 2631 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2632 return 0; 2633 } 2634 2635 sm->in_step_loop = 1; 2636 do { 2637 if (sm->pending_deinit) 2638 break; 2639 2640 sm->changed = FALSE; 2641 sm->wpa_auth->group->changed = FALSE; 2642 2643 SM_STEP_RUN(WPA_PTK); 2644 if (sm->pending_deinit) 2645 break; 2646 SM_STEP_RUN(WPA_PTK_GROUP); 2647 if (sm->pending_deinit) 2648 break; 2649 wpa_group_sm_step(sm->wpa_auth, sm->group); 2650 } while (sm->changed || sm->wpa_auth->group->changed); 2651 sm->in_step_loop = 0; 2652 2653 if (sm->pending_deinit) { 2654 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2655 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2656 wpa_free_sta_sm(sm); 2657 return 1; 2658 } 2659 return 0; 2660} 2661 2662 2663static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2664{ 2665 struct wpa_state_machine *sm = eloop_ctx; 2666 wpa_sm_step(sm); 2667} 2668 2669 2670void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2671{ 2672 if (sm == NULL) 2673 return; 2674 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2675} 2676 2677 2678void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2679{ 2680 int tmp, i; 2681 struct wpa_group *group; 2682 2683 if (wpa_auth == NULL) 2684 return; 2685 2686 group = wpa_auth->group; 2687 2688 for (i = 0; i < 2; i++) { 2689 tmp = group->GM; 2690 group->GM = group->GN; 2691 group->GN = tmp; 2692#ifdef CONFIG_IEEE80211W 2693 tmp = group->GM_igtk; 2694 group->GM_igtk = group->GN_igtk; 2695 group->GN_igtk = tmp; 2696#endif /* CONFIG_IEEE80211W */ 2697 wpa_gtk_update(wpa_auth, group); 2698 wpa_group_config_group_keys(wpa_auth, group); 2699 } 2700} 2701 2702 2703static const char * wpa_bool_txt(int bool) 2704{ 2705 return bool ? "TRUE" : "FALSE"; 2706} 2707 2708 2709#define RSN_SUITE "%02x-%02x-%02x-%d" 2710#define RSN_SUITE_ARG(s) \ 2711((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2712 2713int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2714{ 2715 int len = 0, ret; 2716 char pmkid_txt[PMKID_LEN * 2 + 1]; 2717#ifdef CONFIG_RSN_PREAUTH 2718 const int preauth = 1; 2719#else /* CONFIG_RSN_PREAUTH */ 2720 const int preauth = 0; 2721#endif /* CONFIG_RSN_PREAUTH */ 2722 2723 if (wpa_auth == NULL) 2724 return len; 2725 2726 ret = os_snprintf(buf + len, buflen - len, 2727 "dot11RSNAOptionImplemented=TRUE\n" 2728 "dot11RSNAPreauthenticationImplemented=%s\n" 2729 "dot11RSNAEnabled=%s\n" 2730 "dot11RSNAPreauthenticationEnabled=%s\n", 2731 wpa_bool_txt(preauth), 2732 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2733 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2734 if (ret < 0 || (size_t) ret >= buflen - len) 2735 return len; 2736 len += ret; 2737 2738 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2739 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2740 2741 ret = os_snprintf( 2742 buf + len, buflen - len, 2743 "dot11RSNAConfigVersion=%u\n" 2744 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2745 /* FIX: dot11RSNAConfigGroupCipher */ 2746 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2747 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2748 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2749 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2750 "dot11RSNAConfigGroupUpdateCount=%u\n" 2751 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2752 "dot11RSNAConfigGroupCipherSize=%u\n" 2753 "dot11RSNAConfigPMKLifetime=%u\n" 2754 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2755 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2756 "dot11RSNAConfigSATimeout=%u\n" 2757 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2758 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2759 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2760 "dot11RSNAPMKIDUsed=%s\n" 2761 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2762 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2763 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2764 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 2765 "dot11RSNA4WayHandshakeFailures=%u\n" 2766 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 2767 RSN_VERSION, 2768 !!wpa_auth->conf.wpa_strict_rekey, 2769 dot11RSNAConfigGroupUpdateCount, 2770 dot11RSNAConfigPairwiseUpdateCount, 2771 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 2772 dot11RSNAConfigPMKLifetime, 2773 dot11RSNAConfigPMKReauthThreshold, 2774 dot11RSNAConfigSATimeout, 2775 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 2776 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 2777 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 2778 pmkid_txt, 2779 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 2780 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 2781 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 2782 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 2783 wpa_auth->dot11RSNA4WayHandshakeFailures); 2784 if (ret < 0 || (size_t) ret >= buflen - len) 2785 return len; 2786 len += ret; 2787 2788 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 2789 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 2790 2791 /* Private MIB */ 2792 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 2793 wpa_auth->group->wpa_group_state); 2794 if (ret < 0 || (size_t) ret >= buflen - len) 2795 return len; 2796 len += ret; 2797 2798 return len; 2799} 2800 2801 2802int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 2803{ 2804 int len = 0, ret; 2805 u32 pairwise = 0; 2806 2807 if (sm == NULL) 2808 return 0; 2809 2810 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 2811 2812 /* dot11RSNAStatsEntry */ 2813 2814 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 2815 WPA_PROTO_RSN : WPA_PROTO_WPA, 2816 sm->pairwise); 2817 if (pairwise == 0) 2818 return 0; 2819 2820 ret = os_snprintf( 2821 buf + len, buflen - len, 2822 /* TODO: dot11RSNAStatsIndex */ 2823 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 2824 "dot11RSNAStatsVersion=1\n" 2825 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 2826 /* TODO: dot11RSNAStatsTKIPICVErrors */ 2827 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 2828 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 2829 /* TODO: dot11RSNAStatsCCMPReplays */ 2830 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 2831 /* TODO: dot11RSNAStatsTKIPReplays */, 2832 MAC2STR(sm->addr), 2833 RSN_SUITE_ARG(pairwise), 2834 sm->dot11RSNAStatsTKIPLocalMICFailures, 2835 sm->dot11RSNAStatsTKIPRemoteMICFailures); 2836 if (ret < 0 || (size_t) ret >= buflen - len) 2837 return len; 2838 len += ret; 2839 2840 /* Private MIB */ 2841 ret = os_snprintf(buf + len, buflen - len, 2842 "hostapdWPAPTKState=%d\n" 2843 "hostapdWPAPTKGroupState=%d\n", 2844 sm->wpa_ptk_state, 2845 sm->wpa_ptk_group_state); 2846 if (ret < 0 || (size_t) ret >= buflen - len) 2847 return len; 2848 len += ret; 2849 2850 return len; 2851} 2852 2853 2854void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 2855{ 2856 if (wpa_auth) 2857 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 2858} 2859 2860 2861int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 2862{ 2863 return sm && sm->pairwise_set; 2864} 2865 2866 2867int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 2868{ 2869 return sm->pairwise; 2870} 2871 2872 2873int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 2874{ 2875 if (sm == NULL) 2876 return -1; 2877 return sm->wpa_key_mgmt; 2878} 2879 2880 2881int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 2882{ 2883 if (sm == NULL) 2884 return 0; 2885 return sm->wpa; 2886} 2887 2888 2889int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 2890 struct rsn_pmksa_cache_entry *entry) 2891{ 2892 if (sm == NULL || sm->pmksa != entry) 2893 return -1; 2894 sm->pmksa = NULL; 2895 return 0; 2896} 2897 2898 2899struct rsn_pmksa_cache_entry * 2900wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 2901{ 2902 return sm ? sm->pmksa : NULL; 2903} 2904 2905 2906void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 2907{ 2908 if (sm) 2909 sm->dot11RSNAStatsTKIPLocalMICFailures++; 2910} 2911 2912 2913const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 2914{ 2915 if (wpa_auth == NULL) 2916 return NULL; 2917 *len = wpa_auth->wpa_ie_len; 2918 return wpa_auth->wpa_ie; 2919} 2920 2921 2922int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 2923 int session_timeout, struct eapol_state_machine *eapol) 2924{ 2925 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 2926 sm->wpa_auth->conf.disable_pmksa_caching) 2927 return -1; 2928 2929 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 2930 sm->wpa_auth->addr, sm->addr, session_timeout, 2931 eapol, sm->wpa_key_mgmt)) 2932 return 0; 2933 2934 return -1; 2935} 2936 2937 2938int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 2939 const u8 *pmk, size_t len, const u8 *sta_addr, 2940 int session_timeout, 2941 struct eapol_state_machine *eapol) 2942{ 2943 if (wpa_auth == NULL) 2944 return -1; 2945 2946 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr, 2947 sta_addr, session_timeout, eapol, 2948 WPA_KEY_MGMT_IEEE8021X)) 2949 return 0; 2950 2951 return -1; 2952} 2953 2954 2955void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 2956 const u8 *sta_addr) 2957{ 2958 struct rsn_pmksa_cache_entry *pmksa; 2959 2960 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 2961 return; 2962 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 2963 if (pmksa) { 2964 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 2965 MACSTR " based on request", MAC2STR(sta_addr)); 2966 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 2967 } 2968} 2969 2970 2971static struct wpa_group * 2972wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 2973{ 2974 struct wpa_group *group; 2975 2976 if (wpa_auth == NULL || wpa_auth->group == NULL) 2977 return NULL; 2978 2979 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 2980 vlan_id); 2981 group = wpa_group_init(wpa_auth, vlan_id, 0); 2982 if (group == NULL) 2983 return NULL; 2984 2985 group->next = wpa_auth->group->next; 2986 wpa_auth->group->next = group; 2987 2988 return group; 2989} 2990 2991 2992int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 2993{ 2994 struct wpa_group *group; 2995 2996 if (sm == NULL || sm->wpa_auth == NULL) 2997 return 0; 2998 2999 group = sm->wpa_auth->group; 3000 while (group) { 3001 if (group->vlan_id == vlan_id) 3002 break; 3003 group = group->next; 3004 } 3005 3006 if (group == NULL) { 3007 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3008 if (group == NULL) 3009 return -1; 3010 } 3011 3012 if (sm->group == group) 3013 return 0; 3014 3015 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3016 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3017 3018 sm->group = group; 3019 return 0; 3020} 3021 3022 3023void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3024 struct wpa_state_machine *sm, int ack) 3025{ 3026 if (wpa_auth == NULL || sm == NULL) 3027 return; 3028 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3029 " ack=%d", MAC2STR(sm->addr), ack); 3030 if (sm->pending_1_of_4_timeout && ack) { 3031 /* 3032 * Some deployed supplicant implementations update their SNonce 3033 * for each EAPOL-Key 2/4 message even within the same 4-way 3034 * handshake and then fail to use the first SNonce when 3035 * deriving the PTK. This results in unsuccessful 4-way 3036 * handshake whenever the relatively short initial timeout is 3037 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3038 * around this by increasing the timeout now that we know that 3039 * the station has received the frame. 3040 */ 3041 int timeout_ms = eapol_key_timeout_subseq; 3042 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3043 "timeout by %u ms because of acknowledged frame", 3044 timeout_ms); 3045 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3046 eloop_register_timeout(timeout_ms / 1000, 3047 (timeout_ms % 1000) * 1000, 3048 wpa_send_eapol_timeout, wpa_auth, sm); 3049 } 3050} 3051 3052 3053int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3054{ 3055 if (sm == NULL) 3056 return 0; 3057 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3058} 3059