wpa_auth.c revision a54fa5fb807eaeff45464139b5a7759f060cec68
1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/aes_wrap.h" 16#include "crypto/crypto.h" 17#include "crypto/sha1.h" 18#include "crypto/sha256.h" 19#include "crypto/random.h" 20#include "eapol_auth/eapol_auth_sm.h" 21#include "ap_config.h" 22#include "ieee802_11.h" 23#include "wpa_auth.h" 24#include "pmksa_cache_auth.h" 25#include "wpa_auth_i.h" 26#include "wpa_auth_ie.h" 27 28#define STATE_MACHINE_DATA struct wpa_state_machine 29#define STATE_MACHINE_DEBUG_PREFIX "WPA" 30#define STATE_MACHINE_ADDR sm->addr 31 32 33static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 34static int wpa_sm_step(struct wpa_state_machine *sm); 35static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len); 36static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 37static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 38 struct wpa_group *group); 39static void wpa_request_new_ptk(struct wpa_state_machine *sm); 40static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 41 struct wpa_group *group); 42static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 45static const u32 dot11RSNAConfigGroupUpdateCount = 4; 46static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 47static const u32 eapol_key_timeout_first = 100; /* ms */ 48static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 49static const u32 eapol_key_timeout_first_group = 500; /* ms */ 50 51/* TODO: make these configurable */ 52static const int dot11RSNAConfigPMKLifetime = 43200; 53static const int dot11RSNAConfigPMKReauthThreshold = 70; 54static const int dot11RSNAConfigSATimeout = 60; 55 56 57static inline int wpa_auth_mic_failure_report( 58 struct wpa_authenticator *wpa_auth, const u8 *addr) 59{ 60 if (wpa_auth->cb.mic_failure_report) 61 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 62 return 0; 63} 64 65 66static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 67 const u8 *addr, wpa_eapol_variable var, 68 int value) 69{ 70 if (wpa_auth->cb.set_eapol) 71 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 72} 73 74 75static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 76 const u8 *addr, wpa_eapol_variable var) 77{ 78 if (wpa_auth->cb.get_eapol == NULL) 79 return -1; 80 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 81} 82 83 84static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 85 const u8 *addr, const u8 *prev_psk) 86{ 87 if (wpa_auth->cb.get_psk == NULL) 88 return NULL; 89 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk); 90} 91 92 93static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 94 const u8 *addr, u8 *msk, size_t *len) 95{ 96 if (wpa_auth->cb.get_msk == NULL) 97 return -1; 98 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 99} 100 101 102static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 103 int vlan_id, 104 enum wpa_alg alg, const u8 *addr, int idx, 105 u8 *key, size_t key_len) 106{ 107 if (wpa_auth->cb.set_key == NULL) 108 return -1; 109 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 110 key, key_len); 111} 112 113 114static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 115 const u8 *addr, int idx, u8 *seq) 116{ 117 if (wpa_auth->cb.get_seqnum == NULL) 118 return -1; 119 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 120} 121 122 123static inline int 124wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 125 const u8 *data, size_t data_len, int encrypt) 126{ 127 if (wpa_auth->cb.send_eapol == NULL) 128 return -1; 129 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 130 encrypt); 131} 132 133 134int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 135 int (*cb)(struct wpa_state_machine *sm, void *ctx), 136 void *cb_ctx) 137{ 138 if (wpa_auth->cb.for_each_sta == NULL) 139 return 0; 140 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 141} 142 143 144int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 145 int (*cb)(struct wpa_authenticator *a, void *ctx), 146 void *cb_ctx) 147{ 148 if (wpa_auth->cb.for_each_auth == NULL) 149 return 0; 150 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 151} 152 153 154void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 155 logger_level level, const char *txt) 156{ 157 if (wpa_auth->cb.logger == NULL) 158 return; 159 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 160} 161 162 163void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 164 logger_level level, const char *fmt, ...) 165{ 166 char *format; 167 int maxlen; 168 va_list ap; 169 170 if (wpa_auth->cb.logger == NULL) 171 return; 172 173 maxlen = os_strlen(fmt) + 100; 174 format = os_malloc(maxlen); 175 if (!format) 176 return; 177 178 va_start(ap, fmt); 179 vsnprintf(format, maxlen, fmt, ap); 180 va_end(ap); 181 182 wpa_auth_logger(wpa_auth, addr, level, format); 183 184 os_free(format); 185} 186 187 188static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 189 const u8 *addr) 190{ 191 if (wpa_auth->cb.disconnect == NULL) 192 return; 193 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 194 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 195 WLAN_REASON_PREV_AUTH_NOT_VALID); 196} 197 198 199static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 200{ 201 int ret = 0; 202#ifdef CONFIG_IEEE80211R 203 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 204 ret = 1; 205#endif /* CONFIG_IEEE80211R */ 206#ifdef CONFIG_IEEE80211W 207 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 208 ret = 1; 209#endif /* CONFIG_IEEE80211W */ 210 return ret; 211} 212 213 214static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 215{ 216 struct wpa_authenticator *wpa_auth = eloop_ctx; 217 218 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 219 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 220 "initialization."); 221 } else { 222 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 223 wpa_hexdump_key(MSG_DEBUG, "GMK", 224 wpa_auth->group->GMK, WPA_GMK_LEN); 225 } 226 227 if (wpa_auth->conf.wpa_gmk_rekey) { 228 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 229 wpa_rekey_gmk, wpa_auth, NULL); 230 } 231} 232 233 234static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 235{ 236 struct wpa_authenticator *wpa_auth = eloop_ctx; 237 struct wpa_group *group; 238 239 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 240 for (group = wpa_auth->group; group; group = group->next) { 241 group->GTKReKey = TRUE; 242 do { 243 group->changed = FALSE; 244 wpa_group_sm_step(wpa_auth, group); 245 } while (group->changed); 246 } 247 248 if (wpa_auth->conf.wpa_group_rekey) { 249 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 250 0, wpa_rekey_gtk, wpa_auth, NULL); 251 } 252} 253 254 255static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 256{ 257 struct wpa_authenticator *wpa_auth = eloop_ctx; 258 struct wpa_state_machine *sm = timeout_ctx; 259 260 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 261 wpa_request_new_ptk(sm); 262 wpa_sm_step(sm); 263} 264 265 266static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 267{ 268 if (sm->pmksa == ctx) 269 sm->pmksa = NULL; 270 return 0; 271} 272 273 274static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 275 void *ctx) 276{ 277 struct wpa_authenticator *wpa_auth = ctx; 278 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 279} 280 281 282static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 283 struct wpa_group *group) 284{ 285 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 286 u8 rkey[32]; 287 unsigned long ptr; 288 289 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 290 return -1; 291 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 292 293 /* 294 * Counter = PRF-256(Random number, "Init Counter", 295 * Local MAC Address || Time) 296 */ 297 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 298 wpa_get_ntp_timestamp(buf + ETH_ALEN); 299 ptr = (unsigned long) group; 300 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 301 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 302 return -1; 303 304 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 305 group->Counter, WPA_NONCE_LEN) < 0) 306 return -1; 307 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 308 group->Counter, WPA_NONCE_LEN); 309 310 return 0; 311} 312 313 314static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 315 int vlan_id, int delay_init) 316{ 317 struct wpa_group *group; 318 319 group = os_zalloc(sizeof(struct wpa_group)); 320 if (group == NULL) 321 return NULL; 322 323 group->GTKAuthenticator = TRUE; 324 group->vlan_id = vlan_id; 325 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 326 327 if (random_pool_ready() != 1) { 328 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 329 "for secure operations - update keys later when " 330 "the first station connects"); 331 } 332 333 /* 334 * Set initial GMK/Counter value here. The actual values that will be 335 * used in negotiations will be set once the first station tries to 336 * connect. This allows more time for collecting additional randomness 337 * on embedded devices. 338 */ 339 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 340 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 341 "initialization."); 342 os_free(group); 343 return NULL; 344 } 345 346 group->GInit = TRUE; 347 if (delay_init) { 348 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 349 "until Beacon frames have been configured"); 350 /* Initialization is completed in wpa_init_keys(). */ 351 } else { 352 wpa_group_sm_step(wpa_auth, group); 353 group->GInit = FALSE; 354 wpa_group_sm_step(wpa_auth, group); 355 } 356 357 return group; 358} 359 360 361/** 362 * wpa_init - Initialize WPA authenticator 363 * @addr: Authenticator address 364 * @conf: Configuration for WPA authenticator 365 * @cb: Callback functions for WPA authenticator 366 * Returns: Pointer to WPA authenticator data or %NULL on failure 367 */ 368struct wpa_authenticator * wpa_init(const u8 *addr, 369 struct wpa_auth_config *conf, 370 struct wpa_auth_callbacks *cb) 371{ 372 struct wpa_authenticator *wpa_auth; 373 374 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 375 if (wpa_auth == NULL) 376 return NULL; 377 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 378 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 379 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 380 381 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 382 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 383 os_free(wpa_auth); 384 return NULL; 385 } 386 387 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 388 if (wpa_auth->group == NULL) { 389 os_free(wpa_auth->wpa_ie); 390 os_free(wpa_auth); 391 return NULL; 392 } 393 394 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 395 wpa_auth); 396 if (wpa_auth->pmksa == NULL) { 397 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 398 os_free(wpa_auth->wpa_ie); 399 os_free(wpa_auth); 400 return NULL; 401 } 402 403#ifdef CONFIG_IEEE80211R 404 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 405 if (wpa_auth->ft_pmk_cache == NULL) { 406 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 407 os_free(wpa_auth->wpa_ie); 408 pmksa_cache_auth_deinit(wpa_auth->pmksa); 409 os_free(wpa_auth); 410 return NULL; 411 } 412#endif /* CONFIG_IEEE80211R */ 413 414 if (wpa_auth->conf.wpa_gmk_rekey) { 415 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 416 wpa_rekey_gmk, wpa_auth, NULL); 417 } 418 419 if (wpa_auth->conf.wpa_group_rekey) { 420 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 421 wpa_rekey_gtk, wpa_auth, NULL); 422 } 423 424 return wpa_auth; 425} 426 427 428int wpa_init_keys(struct wpa_authenticator *wpa_auth) 429{ 430 struct wpa_group *group = wpa_auth->group; 431 432 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 433 "keys"); 434 wpa_group_sm_step(wpa_auth, group); 435 group->GInit = FALSE; 436 wpa_group_sm_step(wpa_auth, group); 437 return 0; 438} 439 440 441/** 442 * wpa_deinit - Deinitialize WPA authenticator 443 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 444 */ 445void wpa_deinit(struct wpa_authenticator *wpa_auth) 446{ 447 struct wpa_group *group, *prev; 448 449 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 450 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 451 452#ifdef CONFIG_PEERKEY 453 while (wpa_auth->stsl_negotiations) 454 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 455#endif /* CONFIG_PEERKEY */ 456 457 pmksa_cache_auth_deinit(wpa_auth->pmksa); 458 459#ifdef CONFIG_IEEE80211R 460 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 461 wpa_auth->ft_pmk_cache = NULL; 462#endif /* CONFIG_IEEE80211R */ 463 464 os_free(wpa_auth->wpa_ie); 465 466 group = wpa_auth->group; 467 while (group) { 468 prev = group; 469 group = group->next; 470 os_free(prev); 471 } 472 473 os_free(wpa_auth); 474} 475 476 477/** 478 * wpa_reconfig - Update WPA authenticator configuration 479 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 480 * @conf: Configuration for WPA authenticator 481 */ 482int wpa_reconfig(struct wpa_authenticator *wpa_auth, 483 struct wpa_auth_config *conf) 484{ 485 struct wpa_group *group; 486 if (wpa_auth == NULL) 487 return 0; 488 489 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 490 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 491 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 492 return -1; 493 } 494 495 /* 496 * Reinitialize GTK to make sure it is suitable for the new 497 * configuration. 498 */ 499 group = wpa_auth->group; 500 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 501 group->GInit = TRUE; 502 wpa_group_sm_step(wpa_auth, group); 503 group->GInit = FALSE; 504 wpa_group_sm_step(wpa_auth, group); 505 506 return 0; 507} 508 509 510struct wpa_state_machine * 511wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr) 512{ 513 struct wpa_state_machine *sm; 514 515 sm = os_zalloc(sizeof(struct wpa_state_machine)); 516 if (sm == NULL) 517 return NULL; 518 os_memcpy(sm->addr, addr, ETH_ALEN); 519 520 sm->wpa_auth = wpa_auth; 521 sm->group = wpa_auth->group; 522 523 return sm; 524} 525 526 527int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 528 struct wpa_state_machine *sm) 529{ 530 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 531 return -1; 532 533#ifdef CONFIG_IEEE80211R 534 if (sm->ft_completed) { 535 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 536 "FT authentication already completed - do not " 537 "start 4-way handshake"); 538 return 0; 539 } 540#endif /* CONFIG_IEEE80211R */ 541 542 if (sm->started) { 543 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 544 sm->ReAuthenticationRequest = TRUE; 545 return wpa_sm_step(sm); 546 } 547 548 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 549 "start authentication"); 550 sm->started = 1; 551 552 sm->Init = TRUE; 553 if (wpa_sm_step(sm) == 1) 554 return 1; /* should not really happen */ 555 sm->Init = FALSE; 556 sm->AuthenticationRequest = TRUE; 557 return wpa_sm_step(sm); 558} 559 560 561void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 562{ 563 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 564 * reassociates back to the same AP while the previous entry for the 565 * STA has not yet been removed. */ 566 if (sm == NULL) 567 return; 568 569 sm->wpa_key_mgmt = 0; 570} 571 572 573static void wpa_free_sta_sm(struct wpa_state_machine *sm) 574{ 575 if (sm->GUpdateStationKeys) { 576 sm->group->GKeyDoneStations--; 577 sm->GUpdateStationKeys = FALSE; 578 } 579#ifdef CONFIG_IEEE80211R 580 os_free(sm->assoc_resp_ftie); 581#endif /* CONFIG_IEEE80211R */ 582 os_free(sm->last_rx_eapol_key); 583 os_free(sm->wpa_ie); 584 os_free(sm); 585} 586 587 588void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 589{ 590 if (sm == NULL) 591 return; 592 593 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 594 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 595 "strict rekeying - force GTK rekey since STA " 596 "is leaving"); 597 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 598 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 599 NULL); 600 } 601 602 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 603 sm->pending_1_of_4_timeout = 0; 604 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 605 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 606 if (sm->in_step_loop) { 607 /* Must not free state machine while wpa_sm_step() is running. 608 * Freeing will be completed in the end of wpa_sm_step(). */ 609 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 610 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 611 sm->pending_deinit = 1; 612 } else 613 wpa_free_sta_sm(sm); 614} 615 616 617static void wpa_request_new_ptk(struct wpa_state_machine *sm) 618{ 619 if (sm == NULL) 620 return; 621 622 sm->PTKRequest = TRUE; 623 sm->PTK_valid = 0; 624} 625 626 627static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 628 const u8 *replay_counter) 629{ 630 int i; 631 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 632 if (!ctr[i].valid) 633 break; 634 if (os_memcmp(replay_counter, ctr[i].counter, 635 WPA_REPLAY_COUNTER_LEN) == 0) 636 return 1; 637 } 638 return 0; 639} 640 641 642static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 643 const u8 *replay_counter) 644{ 645 int i; 646 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 647 if (ctr[i].valid && 648 (replay_counter == NULL || 649 os_memcmp(replay_counter, ctr[i].counter, 650 WPA_REPLAY_COUNTER_LEN) == 0)) 651 ctr[i].valid = FALSE; 652 } 653} 654 655 656#ifdef CONFIG_IEEE80211R 657static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 658 struct wpa_state_machine *sm, 659 struct wpa_eapol_ie_parse *kde) 660{ 661 struct wpa_ie_data ie; 662 struct rsn_mdie *mdie; 663 664 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 665 ie.num_pmkid != 1 || ie.pmkid == NULL) { 666 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 667 "FT 4-way handshake message 2/4"); 668 return -1; 669 } 670 671 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 672 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 673 sm->sup_pmk_r1_name, PMKID_LEN); 674 675 if (!kde->mdie || !kde->ftie) { 676 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 677 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 678 return -1; 679 } 680 681 mdie = (struct rsn_mdie *) (kde->mdie + 2); 682 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 683 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 684 MOBILITY_DOMAIN_ID_LEN) != 0) { 685 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 686 return -1; 687 } 688 689 if (sm->assoc_resp_ftie && 690 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 691 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 692 2 + sm->assoc_resp_ftie[1]) != 0)) { 693 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 694 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 695 kde->ftie, kde->ftie_len); 696 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 697 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 698 return -1; 699 } 700 701 return 0; 702} 703#endif /* CONFIG_IEEE80211R */ 704 705 706static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 707 struct wpa_state_machine *sm, int group) 708{ 709 /* Supplicant reported a Michael MIC error */ 710 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 711 "received EAPOL-Key Error Request " 712 "(STA detected Michael MIC failure (group=%d))", 713 group); 714 715 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 716 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 717 "ignore Michael MIC failure report since " 718 "group cipher is not TKIP"); 719 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 720 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 721 "ignore Michael MIC failure report since " 722 "pairwise cipher is not TKIP"); 723 } else { 724 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 725 return 1; /* STA entry was removed */ 726 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 727 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 728 } 729 730 /* 731 * Error report is not a request for a new key handshake, but since 732 * Authenticator may do it, let's change the keys now anyway. 733 */ 734 wpa_request_new_ptk(sm); 735 return 0; 736} 737 738 739void wpa_receive(struct wpa_authenticator *wpa_auth, 740 struct wpa_state_machine *sm, 741 u8 *data, size_t data_len) 742{ 743 struct ieee802_1x_hdr *hdr; 744 struct wpa_eapol_key *key; 745 u16 key_info, key_data_length; 746 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 747 SMK_M1, SMK_M3, SMK_ERROR } msg; 748 char *msgtxt; 749 struct wpa_eapol_ie_parse kde; 750 int ft; 751 const u8 *eapol_key_ie; 752 size_t eapol_key_ie_len; 753 754 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 755 return; 756 757 if (data_len < sizeof(*hdr) + sizeof(*key)) 758 return; 759 760 hdr = (struct ieee802_1x_hdr *) data; 761 key = (struct wpa_eapol_key *) (hdr + 1); 762 key_info = WPA_GET_BE16(key->key_info); 763 key_data_length = WPA_GET_BE16(key->key_data_length); 764 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 765 " key_info=0x%x type=%u key_data_length=%u", 766 MAC2STR(sm->addr), key_info, key->type, key_data_length); 767 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 768 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 769 "key_data overflow (%d > %lu)", 770 key_data_length, 771 (unsigned long) (data_len - sizeof(*hdr) - 772 sizeof(*key))); 773 return; 774 } 775 776 if (sm->wpa == WPA_VERSION_WPA2) { 777 if (key->type == EAPOL_KEY_TYPE_WPA) { 778 /* 779 * Some deployed station implementations seem to send 780 * msg 4/4 with incorrect type value in WPA2 mode. 781 */ 782 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 783 "with unexpected WPA type in RSN mode"); 784 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 785 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 786 "unexpected type %d in RSN mode", 787 key->type); 788 return; 789 } 790 } else { 791 if (key->type != EAPOL_KEY_TYPE_WPA) { 792 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 793 "unexpected type %d in WPA mode", 794 key->type); 795 return; 796 } 797 } 798 799 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 800 WPA_NONCE_LEN); 801 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 802 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 803 804 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 805 * are set */ 806 807 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 808 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 809 if (key_info & WPA_KEY_INFO_ERROR) { 810 msg = SMK_ERROR; 811 msgtxt = "SMK Error"; 812 } else { 813 msg = SMK_M1; 814 msgtxt = "SMK M1"; 815 } 816 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 817 msg = SMK_M3; 818 msgtxt = "SMK M3"; 819 } else if (key_info & WPA_KEY_INFO_REQUEST) { 820 msg = REQUEST; 821 msgtxt = "Request"; 822 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 823 msg = GROUP_2; 824 msgtxt = "2/2 Group"; 825 } else if (key_data_length == 0) { 826 msg = PAIRWISE_4; 827 msgtxt = "4/4 Pairwise"; 828 } else { 829 msg = PAIRWISE_2; 830 msgtxt = "2/4 Pairwise"; 831 } 832 833 /* TODO: key_info type validation for PeerKey */ 834 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 835 msg == GROUP_2) { 836 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 837 if (sm->pairwise == WPA_CIPHER_CCMP || 838 sm->pairwise == WPA_CIPHER_GCMP) { 839 if (wpa_use_aes_cmac(sm) && 840 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 841 wpa_auth_logger(wpa_auth, sm->addr, 842 LOGGER_WARNING, 843 "advertised support for " 844 "AES-128-CMAC, but did not " 845 "use it"); 846 return; 847 } 848 849 if (!wpa_use_aes_cmac(sm) && 850 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 851 wpa_auth_logger(wpa_auth, sm->addr, 852 LOGGER_WARNING, 853 "did not use HMAC-SHA1-AES " 854 "with CCMP/GCMP"); 855 return; 856 } 857 } 858 } 859 860 if (key_info & WPA_KEY_INFO_REQUEST) { 861 if (sm->req_replay_counter_used && 862 os_memcmp(key->replay_counter, sm->req_replay_counter, 863 WPA_REPLAY_COUNTER_LEN) <= 0) { 864 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 865 "received EAPOL-Key request with " 866 "replayed counter"); 867 return; 868 } 869 } 870 871 if (!(key_info & WPA_KEY_INFO_REQUEST) && 872 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 873 int i; 874 875 if (msg == PAIRWISE_2 && 876 wpa_replay_counter_valid(sm->prev_key_replay, 877 key->replay_counter) && 878 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 879 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 880 { 881 /* 882 * Some supplicant implementations (e.g., Windows XP 883 * WZC) update SNonce for each EAPOL-Key 2/4. This 884 * breaks the workaround on accepting any of the 885 * pending requests, so allow the SNonce to be updated 886 * even if we have already sent out EAPOL-Key 3/4. 887 */ 888 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 889 "Process SNonce update from STA " 890 "based on retransmitted EAPOL-Key " 891 "1/4"); 892 sm->update_snonce = 1; 893 wpa_replay_counter_mark_invalid(sm->prev_key_replay, 894 key->replay_counter); 895 goto continue_processing; 896 } 897 898 if (msg == PAIRWISE_2 && 899 wpa_replay_counter_valid(sm->prev_key_replay, 900 key->replay_counter) && 901 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 902 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 903 "ignore retransmitted EAPOL-Key %s - " 904 "SNonce did not change", msgtxt); 905 } else { 906 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 907 "received EAPOL-Key %s with " 908 "unexpected replay counter", msgtxt); 909 } 910 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 911 if (!sm->key_replay[i].valid) 912 break; 913 wpa_hexdump(MSG_DEBUG, "pending replay counter", 914 sm->key_replay[i].counter, 915 WPA_REPLAY_COUNTER_LEN); 916 } 917 wpa_hexdump(MSG_DEBUG, "received replay counter", 918 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 919 return; 920 } 921 922continue_processing: 923 switch (msg) { 924 case PAIRWISE_2: 925 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 926 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 927 (!sm->update_snonce || 928 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 929 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 930 "received EAPOL-Key msg 2/4 in " 931 "invalid state (%d) - dropped", 932 sm->wpa_ptk_state); 933 return; 934 } 935 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 936 if (sm->group->reject_4way_hs_for_entropy) { 937 /* 938 * The system did not have enough entropy to generate 939 * strong random numbers. Reject the first 4-way 940 * handshake(s) and collect some entropy based on the 941 * information from it. Once enough entropy is 942 * available, the next atempt will trigger GMK/Key 943 * Counter update and the station will be allowed to 944 * continue. 945 */ 946 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 947 "collect more entropy for random number " 948 "generation"); 949 random_mark_pool_ready(); 950 wpa_sta_disconnect(wpa_auth, sm->addr); 951 return; 952 } 953 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 954 &kde) < 0) { 955 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 956 "received EAPOL-Key msg 2/4 with " 957 "invalid Key Data contents"); 958 return; 959 } 960 if (kde.rsn_ie) { 961 eapol_key_ie = kde.rsn_ie; 962 eapol_key_ie_len = kde.rsn_ie_len; 963 } else { 964 eapol_key_ie = kde.wpa_ie; 965 eapol_key_ie_len = kde.wpa_ie_len; 966 } 967 ft = sm->wpa == WPA_VERSION_WPA2 && 968 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 969 if (sm->wpa_ie == NULL || 970 wpa_compare_rsn_ie(ft, 971 sm->wpa_ie, sm->wpa_ie_len, 972 eapol_key_ie, eapol_key_ie_len)) { 973 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 974 "WPA IE from (Re)AssocReq did not " 975 "match with msg 2/4"); 976 if (sm->wpa_ie) { 977 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 978 sm->wpa_ie, sm->wpa_ie_len); 979 } 980 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 981 eapol_key_ie, eapol_key_ie_len); 982 /* MLME-DEAUTHENTICATE.request */ 983 wpa_sta_disconnect(wpa_auth, sm->addr); 984 return; 985 } 986#ifdef CONFIG_IEEE80211R 987 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 988 wpa_sta_disconnect(wpa_auth, sm->addr); 989 return; 990 } 991#endif /* CONFIG_IEEE80211R */ 992 break; 993 case PAIRWISE_4: 994 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 995 !sm->PTK_valid) { 996 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 997 "received EAPOL-Key msg 4/4 in " 998 "invalid state (%d) - dropped", 999 sm->wpa_ptk_state); 1000 return; 1001 } 1002 break; 1003 case GROUP_2: 1004 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1005 || !sm->PTK_valid) { 1006 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1007 "received EAPOL-Key msg 2/2 in " 1008 "invalid state (%d) - dropped", 1009 sm->wpa_ptk_group_state); 1010 return; 1011 } 1012 break; 1013#ifdef CONFIG_PEERKEY 1014 case SMK_M1: 1015 case SMK_M3: 1016 case SMK_ERROR: 1017 if (!wpa_auth->conf.peerkey) { 1018 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1019 "PeerKey use disabled - ignoring message"); 1020 return; 1021 } 1022 if (!sm->PTK_valid) { 1023 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1024 "received EAPOL-Key msg SMK in " 1025 "invalid state - dropped"); 1026 return; 1027 } 1028 break; 1029#else /* CONFIG_PEERKEY */ 1030 case SMK_M1: 1031 case SMK_M3: 1032 case SMK_ERROR: 1033 return; /* STSL disabled - ignore SMK messages */ 1034#endif /* CONFIG_PEERKEY */ 1035 case REQUEST: 1036 break; 1037 } 1038 1039 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1040 "received EAPOL-Key frame (%s)", msgtxt); 1041 1042 if (key_info & WPA_KEY_INFO_ACK) { 1043 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1044 "received invalid EAPOL-Key: Key Ack set"); 1045 return; 1046 } 1047 1048 if (!(key_info & WPA_KEY_INFO_MIC)) { 1049 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1050 "received invalid EAPOL-Key: Key MIC not set"); 1051 return; 1052 } 1053 1054 sm->MICVerified = FALSE; 1055 if (sm->PTK_valid && !sm->update_snonce) { 1056 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) { 1057 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1058 "received EAPOL-Key with invalid MIC"); 1059 return; 1060 } 1061 sm->MICVerified = TRUE; 1062 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1063 sm->pending_1_of_4_timeout = 0; 1064 } 1065 1066 if (key_info & WPA_KEY_INFO_REQUEST) { 1067 if (sm->MICVerified) { 1068 sm->req_replay_counter_used = 1; 1069 os_memcpy(sm->req_replay_counter, key->replay_counter, 1070 WPA_REPLAY_COUNTER_LEN); 1071 } else { 1072 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1073 "received EAPOL-Key request with " 1074 "invalid MIC"); 1075 return; 1076 } 1077 1078 /* 1079 * TODO: should decrypt key data field if encryption was used; 1080 * even though MAC address KDE is not normally encrypted, 1081 * supplicant is allowed to encrypt it. 1082 */ 1083 if (msg == SMK_ERROR) { 1084#ifdef CONFIG_PEERKEY 1085 wpa_smk_error(wpa_auth, sm, key); 1086#endif /* CONFIG_PEERKEY */ 1087 return; 1088 } else if (key_info & WPA_KEY_INFO_ERROR) { 1089 if (wpa_receive_error_report( 1090 wpa_auth, sm, 1091 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1092 return; /* STA entry was removed */ 1093 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1094 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1095 "received EAPOL-Key Request for new " 1096 "4-Way Handshake"); 1097 wpa_request_new_ptk(sm); 1098#ifdef CONFIG_PEERKEY 1099 } else if (msg == SMK_M1) { 1100 wpa_smk_m1(wpa_auth, sm, key); 1101#endif /* CONFIG_PEERKEY */ 1102 } else if (key_data_length > 0 && 1103 wpa_parse_kde_ies((const u8 *) (key + 1), 1104 key_data_length, &kde) == 0 && 1105 kde.mac_addr) { 1106 } else { 1107 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1108 "received EAPOL-Key Request for GTK " 1109 "rekeying"); 1110 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1111 wpa_rekey_gtk(wpa_auth, NULL); 1112 } 1113 } else { 1114 /* Do not allow the same key replay counter to be reused. */ 1115 wpa_replay_counter_mark_invalid(sm->key_replay, 1116 key->replay_counter); 1117 1118 if (msg == PAIRWISE_2) { 1119 /* 1120 * Maintain a copy of the pending EAPOL-Key frames in 1121 * case the EAPOL-Key frame was retransmitted. This is 1122 * needed to allow EAPOL-Key msg 2/4 reply to another 1123 * pending msg 1/4 to update the SNonce to work around 1124 * unexpected supplicant behavior. 1125 */ 1126 os_memcpy(sm->prev_key_replay, sm->key_replay, 1127 sizeof(sm->key_replay)); 1128 } else { 1129 os_memset(sm->prev_key_replay, 0, 1130 sizeof(sm->prev_key_replay)); 1131 } 1132 1133 /* 1134 * Make sure old valid counters are not accepted anymore and 1135 * do not get copied again. 1136 */ 1137 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1138 } 1139 1140#ifdef CONFIG_PEERKEY 1141 if (msg == SMK_M3) { 1142 wpa_smk_m3(wpa_auth, sm, key); 1143 return; 1144 } 1145#endif /* CONFIG_PEERKEY */ 1146 1147 os_free(sm->last_rx_eapol_key); 1148 sm->last_rx_eapol_key = os_malloc(data_len); 1149 if (sm->last_rx_eapol_key == NULL) 1150 return; 1151 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1152 sm->last_rx_eapol_key_len = data_len; 1153 1154 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1155 sm->EAPOLKeyReceived = TRUE; 1156 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1157 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1158 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1159 wpa_sm_step(sm); 1160} 1161 1162 1163static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1164 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1165{ 1166 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1167 u8 *pos; 1168 int ret = 0; 1169 1170 /* GTK = PRF-X(GMK, "Group key expansion", 1171 * AA || GNonce || Time || random data) 1172 * The example described in the IEEE 802.11 standard uses only AA and 1173 * GNonce as inputs here. Add some more entropy since this derivation 1174 * is done only at the Authenticator and as such, does not need to be 1175 * exactly same. 1176 */ 1177 os_memcpy(data, addr, ETH_ALEN); 1178 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1179 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1180 wpa_get_ntp_timestamp(pos); 1181 pos += 8; 1182 if (random_get_bytes(pos, 16) < 0) 1183 ret = -1; 1184 1185#ifdef CONFIG_IEEE80211W 1186 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1187#else /* CONFIG_IEEE80211W */ 1188 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1189 < 0) 1190 ret = -1; 1191#endif /* CONFIG_IEEE80211W */ 1192 1193 return ret; 1194} 1195 1196 1197static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1198{ 1199 struct wpa_authenticator *wpa_auth = eloop_ctx; 1200 struct wpa_state_machine *sm = timeout_ctx; 1201 1202 sm->pending_1_of_4_timeout = 0; 1203 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1204 sm->TimeoutEvt = TRUE; 1205 wpa_sm_step(sm); 1206} 1207 1208 1209void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1210 struct wpa_state_machine *sm, int key_info, 1211 const u8 *key_rsc, const u8 *nonce, 1212 const u8 *kde, size_t kde_len, 1213 int keyidx, int encr, int force_version) 1214{ 1215 struct ieee802_1x_hdr *hdr; 1216 struct wpa_eapol_key *key; 1217 size_t len; 1218 int alg; 1219 int key_data_len, pad_len = 0; 1220 u8 *buf, *pos; 1221 int version, pairwise; 1222 int i; 1223 1224 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1225 1226 if (force_version) 1227 version = force_version; 1228 else if (wpa_use_aes_cmac(sm)) 1229 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1230 else if (sm->pairwise != WPA_CIPHER_TKIP) 1231 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1232 else 1233 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1234 1235 pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1236 1237 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1238 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1239 "encr=%d)", 1240 version, 1241 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1242 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1243 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1244 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1245 pairwise, (unsigned long) kde_len, keyidx, encr); 1246 1247 key_data_len = kde_len; 1248 1249 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1250 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1251 pad_len = key_data_len % 8; 1252 if (pad_len) 1253 pad_len = 8 - pad_len; 1254 key_data_len += pad_len + 8; 1255 } 1256 1257 len += key_data_len; 1258 1259 hdr = os_zalloc(len); 1260 if (hdr == NULL) 1261 return; 1262 hdr->version = wpa_auth->conf.eapol_version; 1263 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1264 hdr->length = host_to_be16(len - sizeof(*hdr)); 1265 key = (struct wpa_eapol_key *) (hdr + 1); 1266 1267 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1268 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1269 key_info |= version; 1270 if (encr && sm->wpa == WPA_VERSION_WPA2) 1271 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1272 if (sm->wpa != WPA_VERSION_WPA2) 1273 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1274 WPA_PUT_BE16(key->key_info, key_info); 1275 1276 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1277 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1278 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1279 WPA_PUT_BE16(key->key_length, 0); 1280 1281 /* FIX: STSL: what to use as key_replay_counter? */ 1282 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1283 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1284 os_memcpy(sm->key_replay[i].counter, 1285 sm->key_replay[i - 1].counter, 1286 WPA_REPLAY_COUNTER_LEN); 1287 } 1288 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1289 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1290 WPA_REPLAY_COUNTER_LEN); 1291 sm->key_replay[0].valid = TRUE; 1292 1293 if (nonce) 1294 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1295 1296 if (key_rsc) 1297 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1298 1299 if (kde && !encr) { 1300 os_memcpy(key + 1, kde, kde_len); 1301 WPA_PUT_BE16(key->key_data_length, kde_len); 1302 } else if (encr && kde) { 1303 buf = os_zalloc(key_data_len); 1304 if (buf == NULL) { 1305 os_free(hdr); 1306 return; 1307 } 1308 pos = buf; 1309 os_memcpy(pos, kde, kde_len); 1310 pos += kde_len; 1311 1312 if (pad_len) 1313 *pos++ = 0xdd; 1314 1315 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1316 buf, key_data_len); 1317 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1318 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1319 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, 1320 (u8 *) (key + 1))) { 1321 os_free(hdr); 1322 os_free(buf); 1323 return; 1324 } 1325 WPA_PUT_BE16(key->key_data_length, key_data_len); 1326 } else { 1327 u8 ek[32]; 1328 os_memcpy(key->key_iv, 1329 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1330 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1331 os_memcpy(ek, key->key_iv, 16); 1332 os_memcpy(ek + 16, sm->PTK.kek, 16); 1333 os_memcpy(key + 1, buf, key_data_len); 1334 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1335 WPA_PUT_BE16(key->key_data_length, key_data_len); 1336 } 1337 os_free(buf); 1338 } 1339 1340 if (key_info & WPA_KEY_INFO_MIC) { 1341 if (!sm->PTK_valid) { 1342 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1343 "PTK not valid when sending EAPOL-Key " 1344 "frame"); 1345 os_free(hdr); 1346 return; 1347 } 1348 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, 1349 key->key_mic); 1350 } 1351 1352 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1353 1); 1354 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1355 sm->pairwise_set); 1356 os_free(hdr); 1357} 1358 1359 1360static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1361 struct wpa_state_machine *sm, int key_info, 1362 const u8 *key_rsc, const u8 *nonce, 1363 const u8 *kde, size_t kde_len, 1364 int keyidx, int encr) 1365{ 1366 int timeout_ms; 1367 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1368 int ctr; 1369 1370 if (sm == NULL) 1371 return; 1372 1373 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1374 keyidx, encr, 0); 1375 1376 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1377 if (ctr == 1 && wpa_auth->conf.tx_status) 1378 timeout_ms = pairwise ? eapol_key_timeout_first : 1379 eapol_key_timeout_first_group; 1380 else 1381 timeout_ms = eapol_key_timeout_subseq; 1382 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1383 sm->pending_1_of_4_timeout = 1; 1384 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1385 "counter %d)", timeout_ms, ctr); 1386 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1387 wpa_send_eapol_timeout, wpa_auth, sm); 1388} 1389 1390 1391static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len) 1392{ 1393 struct ieee802_1x_hdr *hdr; 1394 struct wpa_eapol_key *key; 1395 u16 key_info; 1396 int ret = 0; 1397 u8 mic[16]; 1398 1399 if (data_len < sizeof(*hdr) + sizeof(*key)) 1400 return -1; 1401 1402 hdr = (struct ieee802_1x_hdr *) data; 1403 key = (struct wpa_eapol_key *) (hdr + 1); 1404 key_info = WPA_GET_BE16(key->key_info); 1405 os_memcpy(mic, key->key_mic, 16); 1406 os_memset(key->key_mic, 0, 16); 1407 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK, 1408 data, data_len, key->key_mic) || 1409 os_memcmp(mic, key->key_mic, 16) != 0) 1410 ret = -1; 1411 os_memcpy(key->key_mic, mic, 16); 1412 return ret; 1413} 1414 1415 1416void wpa_remove_ptk(struct wpa_state_machine *sm) 1417{ 1418 sm->PTK_valid = FALSE; 1419 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1420 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1421 sm->pairwise_set = FALSE; 1422 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1423} 1424 1425 1426int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1427{ 1428 int remove_ptk = 1; 1429 1430 if (sm == NULL) 1431 return -1; 1432 1433 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1434 "event %d notification", event); 1435 1436 switch (event) { 1437 case WPA_AUTH: 1438 case WPA_ASSOC: 1439 break; 1440 case WPA_DEAUTH: 1441 case WPA_DISASSOC: 1442 sm->DeauthenticationRequest = TRUE; 1443 break; 1444 case WPA_REAUTH: 1445 case WPA_REAUTH_EAPOL: 1446 if (!sm->started) { 1447 /* 1448 * When using WPS, we may end up here if the STA 1449 * manages to re-associate without the previous STA 1450 * entry getting removed. Consequently, we need to make 1451 * sure that the WPA state machines gets initialized 1452 * properly at this point. 1453 */ 1454 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1455 "started - initialize now"); 1456 sm->started = 1; 1457 sm->Init = TRUE; 1458 if (wpa_sm_step(sm) == 1) 1459 return 1; /* should not really happen */ 1460 sm->Init = FALSE; 1461 sm->AuthenticationRequest = TRUE; 1462 break; 1463 } 1464 if (sm->GUpdateStationKeys) { 1465 /* 1466 * Reauthentication cancels the pending group key 1467 * update for this STA. 1468 */ 1469 sm->group->GKeyDoneStations--; 1470 sm->GUpdateStationKeys = FALSE; 1471 sm->PtkGroupInit = TRUE; 1472 } 1473 sm->ReAuthenticationRequest = TRUE; 1474 break; 1475 case WPA_ASSOC_FT: 1476#ifdef CONFIG_IEEE80211R 1477 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1478 "after association"); 1479 wpa_ft_install_ptk(sm); 1480 1481 /* Using FT protocol, not WPA auth state machine */ 1482 sm->ft_completed = 1; 1483 return 0; 1484#else /* CONFIG_IEEE80211R */ 1485 break; 1486#endif /* CONFIG_IEEE80211R */ 1487 } 1488 1489#ifdef CONFIG_IEEE80211R 1490 sm->ft_completed = 0; 1491#endif /* CONFIG_IEEE80211R */ 1492 1493#ifdef CONFIG_IEEE80211W 1494 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1495 remove_ptk = 0; 1496#endif /* CONFIG_IEEE80211W */ 1497 1498 if (remove_ptk) { 1499 sm->PTK_valid = FALSE; 1500 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1501 1502 if (event != WPA_REAUTH_EAPOL) 1503 wpa_remove_ptk(sm); 1504 } 1505 1506 return wpa_sm_step(sm); 1507} 1508 1509 1510SM_STATE(WPA_PTK, INITIALIZE) 1511{ 1512 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1513 if (sm->Init) { 1514 /* Init flag is not cleared here, so avoid busy 1515 * loop by claiming nothing changed. */ 1516 sm->changed = FALSE; 1517 } 1518 1519 sm->keycount = 0; 1520 if (sm->GUpdateStationKeys) 1521 sm->group->GKeyDoneStations--; 1522 sm->GUpdateStationKeys = FALSE; 1523 if (sm->wpa == WPA_VERSION_WPA) 1524 sm->PInitAKeys = FALSE; 1525 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1526 * Local AA > Remote AA)) */) { 1527 sm->Pair = TRUE; 1528 } 1529 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1530 wpa_remove_ptk(sm); 1531 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1532 sm->TimeoutCtr = 0; 1533 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1534 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1535 WPA_EAPOL_authorized, 0); 1536 } 1537} 1538 1539 1540SM_STATE(WPA_PTK, DISCONNECT) 1541{ 1542 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1543 sm->Disconnect = FALSE; 1544 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1545} 1546 1547 1548SM_STATE(WPA_PTK, DISCONNECTED) 1549{ 1550 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1551 sm->DeauthenticationRequest = FALSE; 1552} 1553 1554 1555SM_STATE(WPA_PTK, AUTHENTICATION) 1556{ 1557 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1558 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1559 sm->PTK_valid = FALSE; 1560 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1561 1); 1562 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1563 sm->AuthenticationRequest = FALSE; 1564} 1565 1566 1567static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1568 struct wpa_group *group) 1569{ 1570 if (group->first_sta_seen) 1571 return; 1572 /* 1573 * System has run bit further than at the time hostapd was started 1574 * potentially very early during boot up. This provides better chances 1575 * of collecting more randomness on embedded systems. Re-initialize the 1576 * GMK and Counter here to improve their strength if there was not 1577 * enough entropy available immediately after system startup. 1578 */ 1579 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1580 "station"); 1581 if (random_pool_ready() != 1) { 1582 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1583 "to proceed - reject first 4-way handshake"); 1584 group->reject_4way_hs_for_entropy = TRUE; 1585 } else { 1586 group->first_sta_seen = TRUE; 1587 group->reject_4way_hs_for_entropy = FALSE; 1588 } 1589 1590 wpa_group_init_gmk_and_counter(wpa_auth, group); 1591 wpa_gtk_update(wpa_auth, group); 1592 wpa_group_config_group_keys(wpa_auth, group); 1593} 1594 1595 1596SM_STATE(WPA_PTK, AUTHENTICATION2) 1597{ 1598 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1599 1600 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1601 1602 /* 1603 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1604 * ambiguous. The Authenticator state machine uses a counter that is 1605 * incremented by one for each 4-way handshake. However, the security 1606 * analysis of 4-way handshake points out that unpredictable nonces 1607 * help in preventing precomputation attacks. Instead of the state 1608 * machine definition, use an unpredictable nonce value here to provide 1609 * stronger protection against potential precomputation attacks. 1610 */ 1611 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1612 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1613 "ANonce."); 1614 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1615 return; 1616 } 1617 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1618 WPA_NONCE_LEN); 1619 sm->ReAuthenticationRequest = FALSE; 1620 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1621 * logical place than INITIALIZE since AUTHENTICATION2 can be 1622 * re-entered on ReAuthenticationRequest without going through 1623 * INITIALIZE. */ 1624 sm->TimeoutCtr = 0; 1625} 1626 1627 1628SM_STATE(WPA_PTK, INITPMK) 1629{ 1630 u8 msk[2 * PMK_LEN]; 1631 size_t len = 2 * PMK_LEN; 1632 1633 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1634#ifdef CONFIG_IEEE80211R 1635 sm->xxkey_len = 0; 1636#endif /* CONFIG_IEEE80211R */ 1637 if (sm->pmksa) { 1638 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1639 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1640 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1641 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1642 "(len=%lu)", (unsigned long) len); 1643 os_memcpy(sm->PMK, msk, PMK_LEN); 1644#ifdef CONFIG_IEEE80211R 1645 if (len >= 2 * PMK_LEN) { 1646 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1647 sm->xxkey_len = PMK_LEN; 1648 } 1649#endif /* CONFIG_IEEE80211R */ 1650 } else { 1651 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1652 } 1653 1654 sm->req_replay_counter_used = 0; 1655 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1656 * will break reauthentication since EAPOL state machines may not be 1657 * get into AUTHENTICATING state that clears keyRun before WPA state 1658 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1659 * state and takes PMK from the previously used AAA Key. This will 1660 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1661 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1662 * be good workaround for this issue. */ 1663 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1664} 1665 1666 1667SM_STATE(WPA_PTK, INITPSK) 1668{ 1669 const u8 *psk; 1670 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1671 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL); 1672 if (psk) { 1673 os_memcpy(sm->PMK, psk, PMK_LEN); 1674#ifdef CONFIG_IEEE80211R 1675 os_memcpy(sm->xxkey, psk, PMK_LEN); 1676 sm->xxkey_len = PMK_LEN; 1677#endif /* CONFIG_IEEE80211R */ 1678 } 1679 sm->req_replay_counter_used = 0; 1680} 1681 1682 1683SM_STATE(WPA_PTK, PTKSTART) 1684{ 1685 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1686 size_t pmkid_len = 0; 1687 1688 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1689 sm->PTKRequest = FALSE; 1690 sm->TimeoutEvt = FALSE; 1691 1692 sm->TimeoutCtr++; 1693 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1694 /* No point in sending the EAPOL-Key - we will disconnect 1695 * immediately following this. */ 1696 return; 1697 } 1698 1699 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1700 "sending 1/4 msg of 4-Way Handshake"); 1701 /* 1702 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1703 * one possible PSK for this STA. 1704 */ 1705 if (sm->wpa == WPA_VERSION_WPA2 && 1706 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) { 1707 pmkid = buf; 1708 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1709 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1710 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1711 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1712 if (sm->pmksa) 1713 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1714 sm->pmksa->pmkid, PMKID_LEN); 1715 else { 1716 /* 1717 * Calculate PMKID since no PMKSA cache entry was 1718 * available with pre-calculated PMKID. 1719 */ 1720 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1721 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1722 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1723 } 1724 } 1725 wpa_send_eapol(sm->wpa_auth, sm, 1726 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1727 sm->ANonce, pmkid, pmkid_len, 0, 0); 1728} 1729 1730 1731static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk, 1732 struct wpa_ptk *ptk) 1733{ 1734 size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64; 1735#ifdef CONFIG_IEEE80211R 1736 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1737 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1738#endif /* CONFIG_IEEE80211R */ 1739 1740 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1741 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce, 1742 (u8 *) ptk, ptk_len, 1743 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1744 1745 return 0; 1746} 1747 1748 1749SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1750{ 1751 struct wpa_ptk PTK; 1752 int ok = 0; 1753 const u8 *pmk = NULL; 1754 1755 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1756 sm->EAPOLKeyReceived = FALSE; 1757 sm->update_snonce = FALSE; 1758 1759 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1760 * WPA-PSK: iterate through possible PSKs and select the one matching 1761 * the packet */ 1762 for (;;) { 1763 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1764 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk); 1765 if (pmk == NULL) 1766 break; 1767 } else 1768 pmk = sm->PMK; 1769 1770 wpa_derive_ptk(sm, pmk, &PTK); 1771 1772 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key, 1773 sm->last_rx_eapol_key_len) == 0) { 1774 ok = 1; 1775 break; 1776 } 1777 1778 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1779 break; 1780 } 1781 1782 if (!ok) { 1783 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1784 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1785 return; 1786 } 1787 1788#ifdef CONFIG_IEEE80211R 1789 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1790 /* 1791 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1792 * with the value we derived. 1793 */ 1794 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1795 WPA_PMK_NAME_LEN) != 0) { 1796 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1797 "PMKR1Name mismatch in FT 4-way " 1798 "handshake"); 1799 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1800 "Supplicant", 1801 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 1802 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1803 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1804 return; 1805 } 1806 } 1807#endif /* CONFIG_IEEE80211R */ 1808 1809 sm->pending_1_of_4_timeout = 0; 1810 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 1811 1812 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1813 /* PSK may have changed from the previous choice, so update 1814 * state machine data based on whatever PSK was selected here. 1815 */ 1816 os_memcpy(sm->PMK, pmk, PMK_LEN); 1817 } 1818 1819 sm->MICVerified = TRUE; 1820 1821 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 1822 sm->PTK_valid = TRUE; 1823} 1824 1825 1826SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 1827{ 1828 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 1829 sm->TimeoutCtr = 0; 1830} 1831 1832 1833#ifdef CONFIG_IEEE80211W 1834 1835static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1836{ 1837 if (sm->mgmt_frame_prot) { 1838 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde); 1839 } 1840 1841 return 0; 1842} 1843 1844 1845static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1846{ 1847 struct wpa_igtk_kde igtk; 1848 struct wpa_group *gsm = sm->group; 1849 1850 if (!sm->mgmt_frame_prot) 1851 return pos; 1852 1853 igtk.keyid[0] = gsm->GN_igtk; 1854 igtk.keyid[1] = 0; 1855 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 1856 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0) 1857 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 1858 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 1859 if (sm->wpa_auth->conf.disable_gtk) { 1860 /* 1861 * Provide unique random IGTK to each STA to prevent use of 1862 * IGTK in the BSS. 1863 */ 1864 if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0) 1865 return pos; 1866 } 1867 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 1868 (const u8 *) &igtk, sizeof(igtk), NULL, 0); 1869 1870 return pos; 1871} 1872 1873#else /* CONFIG_IEEE80211W */ 1874 1875static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1876{ 1877 return 0; 1878} 1879 1880 1881static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1882{ 1883 return pos; 1884} 1885 1886#endif /* CONFIG_IEEE80211W */ 1887 1888 1889SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 1890{ 1891 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 1892 size_t gtk_len, kde_len; 1893 struct wpa_group *gsm = sm->group; 1894 u8 *wpa_ie; 1895 int wpa_ie_len, secure, keyidx, encr = 0; 1896 1897 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 1898 sm->TimeoutEvt = FALSE; 1899 1900 sm->TimeoutCtr++; 1901 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1902 /* No point in sending the EAPOL-Key - we will disconnect 1903 * immediately following this. */ 1904 return; 1905 } 1906 1907 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 1908 GTK[GN], IGTK, [FTIE], [TIE * 2]) 1909 */ 1910 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 1911 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 1912 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 1913 wpa_ie = sm->wpa_auth->wpa_ie; 1914 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 1915 if (sm->wpa == WPA_VERSION_WPA && 1916 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 1917 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 1918 /* WPA-only STA, remove RSN IE */ 1919 wpa_ie = wpa_ie + wpa_ie[1] + 2; 1920 wpa_ie_len = wpa_ie[1] + 2; 1921 } 1922 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1923 "sending 3/4 msg of 4-Way Handshake"); 1924 if (sm->wpa == WPA_VERSION_WPA2) { 1925 /* WPA2 send GTK in the 4-way handshake */ 1926 secure = 1; 1927 gtk = gsm->GTK[gsm->GN - 1]; 1928 gtk_len = gsm->GTK_len; 1929 if (sm->wpa_auth->conf.disable_gtk) { 1930 /* 1931 * Provide unique random GTK to each STA to prevent use 1932 * of GTK in the BSS. 1933 */ 1934 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 1935 return; 1936 gtk = dummy_gtk; 1937 } 1938 keyidx = gsm->GN; 1939 _rsc = rsc; 1940 encr = 1; 1941 } else { 1942 /* WPA does not include GTK in msg 3/4 */ 1943 secure = 0; 1944 gtk = NULL; 1945 gtk_len = 0; 1946 keyidx = 0; 1947 _rsc = NULL; 1948 if (sm->rx_eapol_key_secure) { 1949 /* 1950 * It looks like Windows 7 supplicant tries to use 1951 * Secure bit in msg 2/4 after having reported Michael 1952 * MIC failure and it then rejects the 4-way handshake 1953 * if msg 3/4 does not set Secure bit. Work around this 1954 * by setting the Secure bit here even in the case of 1955 * WPA if the supplicant used it first. 1956 */ 1957 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1958 "STA used Secure bit in WPA msg 2/4 - " 1959 "set Secure for 3/4 as workaround"); 1960 secure = 1; 1961 } 1962 } 1963 1964 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 1965 if (gtk) 1966 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 1967#ifdef CONFIG_IEEE80211R 1968 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1969 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 1970 kde_len += 300; /* FTIE + 2 * TIE */ 1971 } 1972#endif /* CONFIG_IEEE80211R */ 1973 kde = os_malloc(kde_len); 1974 if (kde == NULL) 1975 return; 1976 1977 pos = kde; 1978 os_memcpy(pos, wpa_ie, wpa_ie_len); 1979 pos += wpa_ie_len; 1980#ifdef CONFIG_IEEE80211R 1981 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1982 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 1983 if (res < 0) { 1984 wpa_printf(MSG_ERROR, "FT: Failed to insert " 1985 "PMKR1Name into RSN IE in EAPOL-Key data"); 1986 os_free(kde); 1987 return; 1988 } 1989 pos += res; 1990 } 1991#endif /* CONFIG_IEEE80211R */ 1992 if (gtk) { 1993 u8 hdr[2]; 1994 hdr[0] = keyidx & 0x03; 1995 hdr[1] = 0; 1996 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 1997 gtk, gtk_len); 1998 } 1999 pos = ieee80211w_kde_add(sm, pos); 2000 2001#ifdef CONFIG_IEEE80211R 2002 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2003 int res; 2004 struct wpa_auth_config *conf; 2005 2006 conf = &sm->wpa_auth->conf; 2007 res = wpa_write_ftie(conf, conf->r0_key_holder, 2008 conf->r0_key_holder_len, 2009 NULL, NULL, pos, kde + kde_len - pos, 2010 NULL, 0); 2011 if (res < 0) { 2012 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2013 "into EAPOL-Key Key Data"); 2014 os_free(kde); 2015 return; 2016 } 2017 pos += res; 2018 2019 /* TIE[ReassociationDeadline] (TU) */ 2020 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2021 *pos++ = 5; 2022 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2023 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2024 pos += 4; 2025 2026 /* TIE[KeyLifetime] (seconds) */ 2027 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2028 *pos++ = 5; 2029 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2030 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2031 pos += 4; 2032 } 2033#endif /* CONFIG_IEEE80211R */ 2034 2035 wpa_send_eapol(sm->wpa_auth, sm, 2036 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2037 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2038 WPA_KEY_INFO_KEY_TYPE, 2039 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2040 os_free(kde); 2041} 2042 2043 2044SM_STATE(WPA_PTK, PTKINITDONE) 2045{ 2046 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2047 sm->EAPOLKeyReceived = FALSE; 2048 if (sm->Pair) { 2049 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2050 int klen = wpa_cipher_key_len(sm->pairwise); 2051 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2052 sm->PTK.tk1, klen)) { 2053 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2054 return; 2055 } 2056 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2057 sm->pairwise_set = TRUE; 2058 2059 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2060 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2061 eloop_register_timeout(sm->wpa_auth->conf. 2062 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2063 sm->wpa_auth, sm); 2064 } 2065 2066 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2067 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2068 WPA_EAPOL_authorized, 1); 2069 } 2070 } 2071 2072 if (0 /* IBSS == TRUE */) { 2073 sm->keycount++; 2074 if (sm->keycount == 2) { 2075 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2076 WPA_EAPOL_portValid, 1); 2077 } 2078 } else { 2079 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2080 1); 2081 } 2082 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2083 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2084 if (sm->wpa == WPA_VERSION_WPA) 2085 sm->PInitAKeys = TRUE; 2086 else 2087 sm->has_GTK = TRUE; 2088 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2089 "pairwise key handshake completed (%s)", 2090 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2091 2092#ifdef CONFIG_IEEE80211R 2093 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2094#endif /* CONFIG_IEEE80211R */ 2095} 2096 2097 2098SM_STEP(WPA_PTK) 2099{ 2100 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2101 2102 if (sm->Init) 2103 SM_ENTER(WPA_PTK, INITIALIZE); 2104 else if (sm->Disconnect 2105 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2106 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2107 "WPA_PTK: sm->Disconnect"); 2108 SM_ENTER(WPA_PTK, DISCONNECT); 2109 } 2110 else if (sm->DeauthenticationRequest) 2111 SM_ENTER(WPA_PTK, DISCONNECTED); 2112 else if (sm->AuthenticationRequest) 2113 SM_ENTER(WPA_PTK, AUTHENTICATION); 2114 else if (sm->ReAuthenticationRequest) 2115 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2116 else if (sm->PTKRequest) 2117 SM_ENTER(WPA_PTK, PTKSTART); 2118 else switch (sm->wpa_ptk_state) { 2119 case WPA_PTK_INITIALIZE: 2120 break; 2121 case WPA_PTK_DISCONNECT: 2122 SM_ENTER(WPA_PTK, DISCONNECTED); 2123 break; 2124 case WPA_PTK_DISCONNECTED: 2125 SM_ENTER(WPA_PTK, INITIALIZE); 2126 break; 2127 case WPA_PTK_AUTHENTICATION: 2128 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2129 break; 2130 case WPA_PTK_AUTHENTICATION2: 2131 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2132 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2133 WPA_EAPOL_keyRun) > 0) 2134 SM_ENTER(WPA_PTK, INITPMK); 2135 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2136 /* FIX: && 802.1X::keyRun */) 2137 SM_ENTER(WPA_PTK, INITPSK); 2138 break; 2139 case WPA_PTK_INITPMK: 2140 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2141 WPA_EAPOL_keyAvailable) > 0) 2142 SM_ENTER(WPA_PTK, PTKSTART); 2143 else { 2144 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2145 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2146 "INITPMK - keyAvailable = false"); 2147 SM_ENTER(WPA_PTK, DISCONNECT); 2148 } 2149 break; 2150 case WPA_PTK_INITPSK: 2151 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL)) 2152 SM_ENTER(WPA_PTK, PTKSTART); 2153 else { 2154 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2155 "no PSK configured for the STA"); 2156 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2157 SM_ENTER(WPA_PTK, DISCONNECT); 2158 } 2159 break; 2160 case WPA_PTK_PTKSTART: 2161 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2162 sm->EAPOLKeyPairwise) 2163 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2164 else if (sm->TimeoutCtr > 2165 (int) dot11RSNAConfigPairwiseUpdateCount) { 2166 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2167 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2168 "PTKSTART: Retry limit %d reached", 2169 dot11RSNAConfigPairwiseUpdateCount); 2170 SM_ENTER(WPA_PTK, DISCONNECT); 2171 } else if (sm->TimeoutEvt) 2172 SM_ENTER(WPA_PTK, PTKSTART); 2173 break; 2174 case WPA_PTK_PTKCALCNEGOTIATING: 2175 if (sm->MICVerified) 2176 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2177 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2178 sm->EAPOLKeyPairwise) 2179 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2180 else if (sm->TimeoutEvt) 2181 SM_ENTER(WPA_PTK, PTKSTART); 2182 break; 2183 case WPA_PTK_PTKCALCNEGOTIATING2: 2184 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2185 break; 2186 case WPA_PTK_PTKINITNEGOTIATING: 2187 if (sm->update_snonce) 2188 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2189 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2190 sm->EAPOLKeyPairwise && sm->MICVerified) 2191 SM_ENTER(WPA_PTK, PTKINITDONE); 2192 else if (sm->TimeoutCtr > 2193 (int) dot11RSNAConfigPairwiseUpdateCount) { 2194 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2195 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2196 "PTKINITNEGOTIATING: Retry limit %d " 2197 "reached", 2198 dot11RSNAConfigPairwiseUpdateCount); 2199 SM_ENTER(WPA_PTK, DISCONNECT); 2200 } else if (sm->TimeoutEvt) 2201 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2202 break; 2203 case WPA_PTK_PTKINITDONE: 2204 break; 2205 } 2206} 2207 2208 2209SM_STATE(WPA_PTK_GROUP, IDLE) 2210{ 2211 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2212 if (sm->Init) { 2213 /* Init flag is not cleared here, so avoid busy 2214 * loop by claiming nothing changed. */ 2215 sm->changed = FALSE; 2216 } 2217 sm->GTimeoutCtr = 0; 2218} 2219 2220 2221SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2222{ 2223 u8 rsc[WPA_KEY_RSC_LEN]; 2224 struct wpa_group *gsm = sm->group; 2225 u8 *kde, *pos, hdr[2]; 2226 size_t kde_len; 2227 u8 *gtk, dummy_gtk[32]; 2228 2229 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2230 2231 sm->GTimeoutCtr++; 2232 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2233 /* No point in sending the EAPOL-Key - we will disconnect 2234 * immediately following this. */ 2235 return; 2236 } 2237 2238 if (sm->wpa == WPA_VERSION_WPA) 2239 sm->PInitAKeys = FALSE; 2240 sm->TimeoutEvt = FALSE; 2241 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2242 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2243 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2244 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2245 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2246 "sending 1/2 msg of Group Key Handshake"); 2247 2248 gtk = gsm->GTK[gsm->GN - 1]; 2249 if (sm->wpa_auth->conf.disable_gtk) { 2250 /* 2251 * Provide unique random GTK to each STA to prevent use 2252 * of GTK in the BSS. 2253 */ 2254 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2255 return; 2256 gtk = dummy_gtk; 2257 } 2258 if (sm->wpa == WPA_VERSION_WPA2) { 2259 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2260 ieee80211w_kde_len(sm); 2261 kde = os_malloc(kde_len); 2262 if (kde == NULL) 2263 return; 2264 2265 pos = kde; 2266 hdr[0] = gsm->GN & 0x03; 2267 hdr[1] = 0; 2268 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2269 gtk, gsm->GTK_len); 2270 pos = ieee80211w_kde_add(sm, pos); 2271 } else { 2272 kde = gtk; 2273 pos = kde + gsm->GTK_len; 2274 } 2275 2276 wpa_send_eapol(sm->wpa_auth, sm, 2277 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2278 WPA_KEY_INFO_ACK | 2279 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2280 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1); 2281 if (sm->wpa == WPA_VERSION_WPA2) 2282 os_free(kde); 2283} 2284 2285 2286SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2287{ 2288 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2289 sm->EAPOLKeyReceived = FALSE; 2290 if (sm->GUpdateStationKeys) 2291 sm->group->GKeyDoneStations--; 2292 sm->GUpdateStationKeys = FALSE; 2293 sm->GTimeoutCtr = 0; 2294 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2295 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2296 "group key handshake completed (%s)", 2297 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2298 sm->has_GTK = TRUE; 2299} 2300 2301 2302SM_STATE(WPA_PTK_GROUP, KEYERROR) 2303{ 2304 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2305 if (sm->GUpdateStationKeys) 2306 sm->group->GKeyDoneStations--; 2307 sm->GUpdateStationKeys = FALSE; 2308 sm->Disconnect = TRUE; 2309} 2310 2311 2312SM_STEP(WPA_PTK_GROUP) 2313{ 2314 if (sm->Init || sm->PtkGroupInit) { 2315 SM_ENTER(WPA_PTK_GROUP, IDLE); 2316 sm->PtkGroupInit = FALSE; 2317 } else switch (sm->wpa_ptk_group_state) { 2318 case WPA_PTK_GROUP_IDLE: 2319 if (sm->GUpdateStationKeys || 2320 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2321 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2322 break; 2323 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2324 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2325 !sm->EAPOLKeyPairwise && sm->MICVerified) 2326 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2327 else if (sm->GTimeoutCtr > 2328 (int) dot11RSNAConfigGroupUpdateCount) 2329 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2330 else if (sm->TimeoutEvt) 2331 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2332 break; 2333 case WPA_PTK_GROUP_KEYERROR: 2334 SM_ENTER(WPA_PTK_GROUP, IDLE); 2335 break; 2336 case WPA_PTK_GROUP_REKEYESTABLISHED: 2337 SM_ENTER(WPA_PTK_GROUP, IDLE); 2338 break; 2339 } 2340} 2341 2342 2343static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2344 struct wpa_group *group) 2345{ 2346 int ret = 0; 2347 2348 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2349 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2350 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2351 wpa_auth->addr, group->GNonce, 2352 group->GTK[group->GN - 1], group->GTK_len) < 0) 2353 ret = -1; 2354 wpa_hexdump_key(MSG_DEBUG, "GTK", 2355 group->GTK[group->GN - 1], group->GTK_len); 2356 2357#ifdef CONFIG_IEEE80211W 2358 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2359 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2360 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2361 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2362 wpa_auth->addr, group->GNonce, 2363 group->IGTK[group->GN_igtk - 4], 2364 WPA_IGTK_LEN) < 0) 2365 ret = -1; 2366 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2367 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN); 2368 } 2369#endif /* CONFIG_IEEE80211W */ 2370 2371 return ret; 2372} 2373 2374 2375static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2376 struct wpa_group *group) 2377{ 2378 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2379 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2380 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2381 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2382 2383 /* GTK[0..N] = 0 */ 2384 os_memset(group->GTK, 0, sizeof(group->GTK)); 2385 group->GN = 1; 2386 group->GM = 2; 2387#ifdef CONFIG_IEEE80211W 2388 group->GN_igtk = 4; 2389 group->GM_igtk = 5; 2390#endif /* CONFIG_IEEE80211W */ 2391 /* GTK[GN] = CalcGTK() */ 2392 wpa_gtk_update(wpa_auth, group); 2393} 2394 2395 2396static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2397{ 2398 if (ctx != NULL && ctx != sm->group) 2399 return 0; 2400 2401 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2402 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2403 "Not in PTKINITDONE; skip Group Key update"); 2404 sm->GUpdateStationKeys = FALSE; 2405 return 0; 2406 } 2407 if (sm->GUpdateStationKeys) { 2408 /* 2409 * This should not really happen, so add a debug log entry. 2410 * Since we clear the GKeyDoneStations before the loop, the 2411 * station needs to be counted here anyway. 2412 */ 2413 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2414 "GUpdateStationKeys was already set when " 2415 "marking station for GTK rekeying"); 2416 } 2417 2418 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2419 if (sm->is_wnmsleep) 2420 return 0; 2421 2422 sm->group->GKeyDoneStations++; 2423 sm->GUpdateStationKeys = TRUE; 2424 2425 wpa_sm_step(sm); 2426 return 0; 2427} 2428 2429 2430#ifdef CONFIG_WNM 2431/* update GTK when exiting WNM-Sleep Mode */ 2432void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2433{ 2434 if (sm->is_wnmsleep) 2435 return; 2436 2437 wpa_group_update_sta(sm, NULL); 2438} 2439 2440 2441void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2442{ 2443 sm->is_wnmsleep = !!flag; 2444} 2445 2446 2447int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2448{ 2449 struct wpa_group *gsm = sm->group; 2450 u8 *start = pos; 2451 2452 /* 2453 * GTK subelement: 2454 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2455 * Key[5..32] 2456 */ 2457 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2458 *pos++ = 11 + gsm->GTK_len; 2459 /* Key ID in B0-B1 of Key Info */ 2460 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2461 pos += 2; 2462 *pos++ = gsm->GTK_len; 2463 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2464 return 0; 2465 pos += 8; 2466 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2467 pos += gsm->GTK_len; 2468 2469 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2470 gsm->GN); 2471 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2472 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2473 2474 return pos - start; 2475} 2476 2477 2478#ifdef CONFIG_IEEE80211W 2479int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2480{ 2481 struct wpa_group *gsm = sm->group; 2482 u8 *start = pos; 2483 2484 /* 2485 * IGTK subelement: 2486 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2487 */ 2488 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2489 *pos++ = 2 + 6 + WPA_IGTK_LEN; 2490 WPA_PUT_LE16(pos, gsm->GN_igtk); 2491 pos += 2; 2492 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2493 return 0; 2494 pos += 6; 2495 2496 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2497 pos += WPA_IGTK_LEN; 2498 2499 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2500 gsm->GN_igtk); 2501 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2502 gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2503 2504 return pos - start; 2505} 2506#endif /* CONFIG_IEEE80211W */ 2507#endif /* CONFIG_WNM */ 2508 2509 2510static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2511 struct wpa_group *group) 2512{ 2513 int tmp; 2514 2515 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2516 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2517 group->changed = TRUE; 2518 group->wpa_group_state = WPA_GROUP_SETKEYS; 2519 group->GTKReKey = FALSE; 2520 tmp = group->GM; 2521 group->GM = group->GN; 2522 group->GN = tmp; 2523#ifdef CONFIG_IEEE80211W 2524 tmp = group->GM_igtk; 2525 group->GM_igtk = group->GN_igtk; 2526 group->GN_igtk = tmp; 2527#endif /* CONFIG_IEEE80211W */ 2528 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2529 * counting the STAs that are marked with GUpdateStationKeys instead of 2530 * including all STAs that could be in not-yet-completed state. */ 2531 wpa_gtk_update(wpa_auth, group); 2532 2533 if (group->GKeyDoneStations) { 2534 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2535 "GKeyDoneStations=%d when starting new GTK rekey", 2536 group->GKeyDoneStations); 2537 group->GKeyDoneStations = 0; 2538 } 2539 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2540 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2541 group->GKeyDoneStations); 2542} 2543 2544 2545static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2546 struct wpa_group *group) 2547{ 2548 int ret = 0; 2549 2550 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2551 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2552 broadcast_ether_addr, group->GN, 2553 group->GTK[group->GN - 1], group->GTK_len) < 0) 2554 ret = -1; 2555 2556#ifdef CONFIG_IEEE80211W 2557 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && 2558 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK, 2559 broadcast_ether_addr, group->GN_igtk, 2560 group->IGTK[group->GN_igtk - 4], 2561 WPA_IGTK_LEN) < 0) 2562 ret = -1; 2563#endif /* CONFIG_IEEE80211W */ 2564 2565 return ret; 2566} 2567 2568 2569static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2570 struct wpa_group *group) 2571{ 2572 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2573 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2574 group->changed = TRUE; 2575 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2576 2577 if (wpa_group_config_group_keys(wpa_auth, group) < 0) 2578 return -1; 2579 2580 return 0; 2581} 2582 2583 2584static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2585 struct wpa_group *group) 2586{ 2587 if (group->GInit) { 2588 wpa_group_gtk_init(wpa_auth, group); 2589 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2590 group->GTKAuthenticator) { 2591 wpa_group_setkeysdone(wpa_auth, group); 2592 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2593 group->GTKReKey) { 2594 wpa_group_setkeys(wpa_auth, group); 2595 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2596 if (group->GKeyDoneStations == 0) 2597 wpa_group_setkeysdone(wpa_auth, group); 2598 else if (group->GTKReKey) 2599 wpa_group_setkeys(wpa_auth, group); 2600 } 2601} 2602 2603 2604static int wpa_sm_step(struct wpa_state_machine *sm) 2605{ 2606 if (sm == NULL) 2607 return 0; 2608 2609 if (sm->in_step_loop) { 2610 /* This should not happen, but if it does, make sure we do not 2611 * end up freeing the state machine too early by exiting the 2612 * recursive call. */ 2613 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2614 return 0; 2615 } 2616 2617 sm->in_step_loop = 1; 2618 do { 2619 if (sm->pending_deinit) 2620 break; 2621 2622 sm->changed = FALSE; 2623 sm->wpa_auth->group->changed = FALSE; 2624 2625 SM_STEP_RUN(WPA_PTK); 2626 if (sm->pending_deinit) 2627 break; 2628 SM_STEP_RUN(WPA_PTK_GROUP); 2629 if (sm->pending_deinit) 2630 break; 2631 wpa_group_sm_step(sm->wpa_auth, sm->group); 2632 } while (sm->changed || sm->wpa_auth->group->changed); 2633 sm->in_step_loop = 0; 2634 2635 if (sm->pending_deinit) { 2636 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2637 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2638 wpa_free_sta_sm(sm); 2639 return 1; 2640 } 2641 return 0; 2642} 2643 2644 2645static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2646{ 2647 struct wpa_state_machine *sm = eloop_ctx; 2648 wpa_sm_step(sm); 2649} 2650 2651 2652void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2653{ 2654 if (sm == NULL) 2655 return; 2656 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2657} 2658 2659 2660void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2661{ 2662 int tmp, i; 2663 struct wpa_group *group; 2664 2665 if (wpa_auth == NULL) 2666 return; 2667 2668 group = wpa_auth->group; 2669 2670 for (i = 0; i < 2; i++) { 2671 tmp = group->GM; 2672 group->GM = group->GN; 2673 group->GN = tmp; 2674#ifdef CONFIG_IEEE80211W 2675 tmp = group->GM_igtk; 2676 group->GM_igtk = group->GN_igtk; 2677 group->GN_igtk = tmp; 2678#endif /* CONFIG_IEEE80211W */ 2679 wpa_gtk_update(wpa_auth, group); 2680 wpa_group_config_group_keys(wpa_auth, group); 2681 } 2682} 2683 2684 2685static const char * wpa_bool_txt(int bool) 2686{ 2687 return bool ? "TRUE" : "FALSE"; 2688} 2689 2690 2691#define RSN_SUITE "%02x-%02x-%02x-%d" 2692#define RSN_SUITE_ARG(s) \ 2693((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2694 2695int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2696{ 2697 int len = 0, ret; 2698 char pmkid_txt[PMKID_LEN * 2 + 1]; 2699#ifdef CONFIG_RSN_PREAUTH 2700 const int preauth = 1; 2701#else /* CONFIG_RSN_PREAUTH */ 2702 const int preauth = 0; 2703#endif /* CONFIG_RSN_PREAUTH */ 2704 2705 if (wpa_auth == NULL) 2706 return len; 2707 2708 ret = os_snprintf(buf + len, buflen - len, 2709 "dot11RSNAOptionImplemented=TRUE\n" 2710 "dot11RSNAPreauthenticationImplemented=%s\n" 2711 "dot11RSNAEnabled=%s\n" 2712 "dot11RSNAPreauthenticationEnabled=%s\n", 2713 wpa_bool_txt(preauth), 2714 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2715 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2716 if (ret < 0 || (size_t) ret >= buflen - len) 2717 return len; 2718 len += ret; 2719 2720 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2721 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2722 2723 ret = os_snprintf( 2724 buf + len, buflen - len, 2725 "dot11RSNAConfigVersion=%u\n" 2726 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2727 /* FIX: dot11RSNAConfigGroupCipher */ 2728 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2729 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2730 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2731 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2732 "dot11RSNAConfigGroupUpdateCount=%u\n" 2733 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2734 "dot11RSNAConfigGroupCipherSize=%u\n" 2735 "dot11RSNAConfigPMKLifetime=%u\n" 2736 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2737 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2738 "dot11RSNAConfigSATimeout=%u\n" 2739 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2740 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2741 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2742 "dot11RSNAPMKIDUsed=%s\n" 2743 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2744 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2745 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2746 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 2747 "dot11RSNA4WayHandshakeFailures=%u\n" 2748 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 2749 RSN_VERSION, 2750 !!wpa_auth->conf.wpa_strict_rekey, 2751 dot11RSNAConfigGroupUpdateCount, 2752 dot11RSNAConfigPairwiseUpdateCount, 2753 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 2754 dot11RSNAConfigPMKLifetime, 2755 dot11RSNAConfigPMKReauthThreshold, 2756 dot11RSNAConfigSATimeout, 2757 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 2758 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 2759 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 2760 pmkid_txt, 2761 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 2762 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 2763 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 2764 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 2765 wpa_auth->dot11RSNA4WayHandshakeFailures); 2766 if (ret < 0 || (size_t) ret >= buflen - len) 2767 return len; 2768 len += ret; 2769 2770 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 2771 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 2772 2773 /* Private MIB */ 2774 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 2775 wpa_auth->group->wpa_group_state); 2776 if (ret < 0 || (size_t) ret >= buflen - len) 2777 return len; 2778 len += ret; 2779 2780 return len; 2781} 2782 2783 2784int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 2785{ 2786 int len = 0, ret; 2787 u32 pairwise = 0; 2788 2789 if (sm == NULL) 2790 return 0; 2791 2792 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 2793 2794 /* dot11RSNAStatsEntry */ 2795 2796 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 2797 WPA_PROTO_RSN : WPA_PROTO_WPA, 2798 sm->pairwise); 2799 if (pairwise == 0) 2800 return 0; 2801 2802 ret = os_snprintf( 2803 buf + len, buflen - len, 2804 /* TODO: dot11RSNAStatsIndex */ 2805 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 2806 "dot11RSNAStatsVersion=1\n" 2807 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 2808 /* TODO: dot11RSNAStatsTKIPICVErrors */ 2809 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 2810 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 2811 /* TODO: dot11RSNAStatsCCMPReplays */ 2812 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 2813 /* TODO: dot11RSNAStatsTKIPReplays */, 2814 MAC2STR(sm->addr), 2815 RSN_SUITE_ARG(pairwise), 2816 sm->dot11RSNAStatsTKIPLocalMICFailures, 2817 sm->dot11RSNAStatsTKIPRemoteMICFailures); 2818 if (ret < 0 || (size_t) ret >= buflen - len) 2819 return len; 2820 len += ret; 2821 2822 /* Private MIB */ 2823 ret = os_snprintf(buf + len, buflen - len, 2824 "hostapdWPAPTKState=%d\n" 2825 "hostapdWPAPTKGroupState=%d\n", 2826 sm->wpa_ptk_state, 2827 sm->wpa_ptk_group_state); 2828 if (ret < 0 || (size_t) ret >= buflen - len) 2829 return len; 2830 len += ret; 2831 2832 return len; 2833} 2834 2835 2836void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 2837{ 2838 if (wpa_auth) 2839 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 2840} 2841 2842 2843int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 2844{ 2845 return sm && sm->pairwise_set; 2846} 2847 2848 2849int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 2850{ 2851 return sm->pairwise; 2852} 2853 2854 2855int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 2856{ 2857 if (sm == NULL) 2858 return -1; 2859 return sm->wpa_key_mgmt; 2860} 2861 2862 2863int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 2864{ 2865 if (sm == NULL) 2866 return 0; 2867 return sm->wpa; 2868} 2869 2870 2871int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 2872 struct rsn_pmksa_cache_entry *entry) 2873{ 2874 if (sm == NULL || sm->pmksa != entry) 2875 return -1; 2876 sm->pmksa = NULL; 2877 return 0; 2878} 2879 2880 2881struct rsn_pmksa_cache_entry * 2882wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 2883{ 2884 return sm ? sm->pmksa : NULL; 2885} 2886 2887 2888void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 2889{ 2890 if (sm) 2891 sm->dot11RSNAStatsTKIPLocalMICFailures++; 2892} 2893 2894 2895const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 2896{ 2897 if (wpa_auth == NULL) 2898 return NULL; 2899 *len = wpa_auth->wpa_ie_len; 2900 return wpa_auth->wpa_ie; 2901} 2902 2903 2904int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 2905 int session_timeout, struct eapol_state_machine *eapol) 2906{ 2907 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 2908 sm->wpa_auth->conf.disable_pmksa_caching) 2909 return -1; 2910 2911 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 2912 sm->wpa_auth->addr, sm->addr, session_timeout, 2913 eapol, sm->wpa_key_mgmt)) 2914 return 0; 2915 2916 return -1; 2917} 2918 2919 2920int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 2921 const u8 *pmk, size_t len, const u8 *sta_addr, 2922 int session_timeout, 2923 struct eapol_state_machine *eapol) 2924{ 2925 if (wpa_auth == NULL) 2926 return -1; 2927 2928 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr, 2929 sta_addr, session_timeout, eapol, 2930 WPA_KEY_MGMT_IEEE8021X)) 2931 return 0; 2932 2933 return -1; 2934} 2935 2936 2937static struct wpa_group * 2938wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 2939{ 2940 struct wpa_group *group; 2941 2942 if (wpa_auth == NULL || wpa_auth->group == NULL) 2943 return NULL; 2944 2945 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 2946 vlan_id); 2947 group = wpa_group_init(wpa_auth, vlan_id, 0); 2948 if (group == NULL) 2949 return NULL; 2950 2951 group->next = wpa_auth->group->next; 2952 wpa_auth->group->next = group; 2953 2954 return group; 2955} 2956 2957 2958int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 2959{ 2960 struct wpa_group *group; 2961 2962 if (sm == NULL || sm->wpa_auth == NULL) 2963 return 0; 2964 2965 group = sm->wpa_auth->group; 2966 while (group) { 2967 if (group->vlan_id == vlan_id) 2968 break; 2969 group = group->next; 2970 } 2971 2972 if (group == NULL) { 2973 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 2974 if (group == NULL) 2975 return -1; 2976 } 2977 2978 if (sm->group == group) 2979 return 0; 2980 2981 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 2982 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 2983 2984 sm->group = group; 2985 return 0; 2986} 2987 2988 2989void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 2990 struct wpa_state_machine *sm, int ack) 2991{ 2992 if (wpa_auth == NULL || sm == NULL) 2993 return; 2994 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 2995 " ack=%d", MAC2STR(sm->addr), ack); 2996 if (sm->pending_1_of_4_timeout && ack) { 2997 /* 2998 * Some deployed supplicant implementations update their SNonce 2999 * for each EAPOL-Key 2/4 message even within the same 4-way 3000 * handshake and then fail to use the first SNonce when 3001 * deriving the PTK. This results in unsuccessful 4-way 3002 * handshake whenever the relatively short initial timeout is 3003 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3004 * around this by increasing the timeout now that we know that 3005 * the station has received the frame. 3006 */ 3007 int timeout_ms = eapol_key_timeout_subseq; 3008 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3009 "timeout by %u ms because of acknowledged frame", 3010 timeout_ms); 3011 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3012 eloop_register_timeout(timeout_ms / 1000, 3013 (timeout_ms % 1000) * 1000, 3014 wpa_send_eapol_timeout, wpa_auth, sm); 3015 } 3016} 3017 3018 3019int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3020{ 3021 if (sm == NULL) 3022 return 0; 3023 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3024} 3025