wpa_auth.c revision 04949598a23f501be6eec21697465fd46a28840a
1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/aes_wrap.h" 16#include "crypto/crypto.h" 17#include "crypto/sha1.h" 18#include "crypto/sha256.h" 19#include "crypto/random.h" 20#include "eapol_auth/eapol_auth_sm.h" 21#include "ap_config.h" 22#include "ieee802_11.h" 23#include "wpa_auth.h" 24#include "pmksa_cache_auth.h" 25#include "wpa_auth_i.h" 26#include "wpa_auth_ie.h" 27 28#define STATE_MACHINE_DATA struct wpa_state_machine 29#define STATE_MACHINE_DEBUG_PREFIX "WPA" 30#define STATE_MACHINE_ADDR sm->addr 31 32 33static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 34static int wpa_sm_step(struct wpa_state_machine *sm); 35static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len); 36static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 37static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 38 struct wpa_group *group); 39static void wpa_request_new_ptk(struct wpa_state_machine *sm); 40static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 41 struct wpa_group *group); 42static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 45static const u32 dot11RSNAConfigGroupUpdateCount = 4; 46static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 47static const u32 eapol_key_timeout_first = 100; /* ms */ 48static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 49static const u32 eapol_key_timeout_first_group = 500; /* ms */ 50 51/* TODO: make these configurable */ 52static const int dot11RSNAConfigPMKLifetime = 43200; 53static const int dot11RSNAConfigPMKReauthThreshold = 70; 54static const int dot11RSNAConfigSATimeout = 60; 55 56 57static inline void wpa_auth_mic_failure_report( 58 struct wpa_authenticator *wpa_auth, const u8 *addr) 59{ 60 if (wpa_auth->cb.mic_failure_report) 61 wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 62} 63 64 65static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 66 const u8 *addr, wpa_eapol_variable var, 67 int value) 68{ 69 if (wpa_auth->cb.set_eapol) 70 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 71} 72 73 74static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 75 const u8 *addr, wpa_eapol_variable var) 76{ 77 if (wpa_auth->cb.get_eapol == NULL) 78 return -1; 79 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 80} 81 82 83static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 84 const u8 *addr, const u8 *prev_psk) 85{ 86 if (wpa_auth->cb.get_psk == NULL) 87 return NULL; 88 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk); 89} 90 91 92static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 93 const u8 *addr, u8 *msk, size_t *len) 94{ 95 if (wpa_auth->cb.get_msk == NULL) 96 return -1; 97 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 98} 99 100 101static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 102 int vlan_id, 103 enum wpa_alg alg, const u8 *addr, int idx, 104 u8 *key, size_t key_len) 105{ 106 if (wpa_auth->cb.set_key == NULL) 107 return -1; 108 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 109 key, key_len); 110} 111 112 113static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 114 const u8 *addr, int idx, u8 *seq) 115{ 116 if (wpa_auth->cb.get_seqnum == NULL) 117 return -1; 118 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 119} 120 121 122static inline int 123wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 124 const u8 *data, size_t data_len, int encrypt) 125{ 126 if (wpa_auth->cb.send_eapol == NULL) 127 return -1; 128 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 129 encrypt); 130} 131 132 133int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 134 int (*cb)(struct wpa_state_machine *sm, void *ctx), 135 void *cb_ctx) 136{ 137 if (wpa_auth->cb.for_each_sta == NULL) 138 return 0; 139 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 140} 141 142 143int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 144 int (*cb)(struct wpa_authenticator *a, void *ctx), 145 void *cb_ctx) 146{ 147 if (wpa_auth->cb.for_each_auth == NULL) 148 return 0; 149 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 150} 151 152 153void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 154 logger_level level, const char *txt) 155{ 156 if (wpa_auth->cb.logger == NULL) 157 return; 158 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 159} 160 161 162void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 163 logger_level level, const char *fmt, ...) 164{ 165 char *format; 166 int maxlen; 167 va_list ap; 168 169 if (wpa_auth->cb.logger == NULL) 170 return; 171 172 maxlen = os_strlen(fmt) + 100; 173 format = os_malloc(maxlen); 174 if (!format) 175 return; 176 177 va_start(ap, fmt); 178 vsnprintf(format, maxlen, fmt, ap); 179 va_end(ap); 180 181 wpa_auth_logger(wpa_auth, addr, level, format); 182 183 os_free(format); 184} 185 186 187static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 188 const u8 *addr) 189{ 190 if (wpa_auth->cb.disconnect == NULL) 191 return; 192 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 193 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 194 WLAN_REASON_PREV_AUTH_NOT_VALID); 195} 196 197 198static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 199{ 200 int ret = 0; 201#ifdef CONFIG_IEEE80211R 202 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 203 ret = 1; 204#endif /* CONFIG_IEEE80211R */ 205#ifdef CONFIG_IEEE80211W 206 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 207 ret = 1; 208#endif /* CONFIG_IEEE80211W */ 209 return ret; 210} 211 212 213static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 214{ 215 struct wpa_authenticator *wpa_auth = eloop_ctx; 216 217 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 218 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 219 "initialization."); 220 } else { 221 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 222 wpa_hexdump_key(MSG_DEBUG, "GMK", 223 wpa_auth->group->GMK, WPA_GMK_LEN); 224 } 225 226 if (wpa_auth->conf.wpa_gmk_rekey) { 227 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 228 wpa_rekey_gmk, wpa_auth, NULL); 229 } 230} 231 232 233static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 234{ 235 struct wpa_authenticator *wpa_auth = eloop_ctx; 236 struct wpa_group *group; 237 238 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 239 for (group = wpa_auth->group; group; group = group->next) { 240 group->GTKReKey = TRUE; 241 do { 242 group->changed = FALSE; 243 wpa_group_sm_step(wpa_auth, group); 244 } while (group->changed); 245 } 246 247 if (wpa_auth->conf.wpa_group_rekey) { 248 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 249 0, wpa_rekey_gtk, wpa_auth, NULL); 250 } 251} 252 253 254static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 255{ 256 struct wpa_authenticator *wpa_auth = eloop_ctx; 257 struct wpa_state_machine *sm = timeout_ctx; 258 259 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 260 wpa_request_new_ptk(sm); 261 wpa_sm_step(sm); 262} 263 264 265static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 266{ 267 if (sm->pmksa == ctx) 268 sm->pmksa = NULL; 269 return 0; 270} 271 272 273static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 274 void *ctx) 275{ 276 struct wpa_authenticator *wpa_auth = ctx; 277 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 278} 279 280 281static void wpa_group_set_key_len(struct wpa_group *group, int cipher) 282{ 283 switch (cipher) { 284 case WPA_CIPHER_CCMP: 285 group->GTK_len = 16; 286 break; 287 case WPA_CIPHER_TKIP: 288 group->GTK_len = 32; 289 break; 290 case WPA_CIPHER_WEP104: 291 group->GTK_len = 13; 292 break; 293 case WPA_CIPHER_WEP40: 294 group->GTK_len = 5; 295 break; 296 } 297} 298 299 300static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 301 struct wpa_group *group) 302{ 303 u8 buf[ETH_ALEN + 8 + sizeof(group)]; 304 u8 rkey[32]; 305 306 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 307 return -1; 308 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 309 310 /* 311 * Counter = PRF-256(Random number, "Init Counter", 312 * Local MAC Address || Time) 313 */ 314 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 315 wpa_get_ntp_timestamp(buf + ETH_ALEN); 316 os_memcpy(buf + ETH_ALEN + 8, &group, sizeof(group)); 317 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 318 return -1; 319 320 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 321 group->Counter, WPA_NONCE_LEN) < 0) 322 return -1; 323 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 324 group->Counter, WPA_NONCE_LEN); 325 326 return 0; 327} 328 329 330static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 331 int vlan_id, int delay_init) 332{ 333 struct wpa_group *group; 334 335 group = os_zalloc(sizeof(struct wpa_group)); 336 if (group == NULL) 337 return NULL; 338 339 group->GTKAuthenticator = TRUE; 340 group->vlan_id = vlan_id; 341 342 wpa_group_set_key_len(group, wpa_auth->conf.wpa_group); 343 344 if (random_pool_ready() != 1) { 345 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 346 "for secure operations - update keys later when " 347 "the first station connects"); 348 } 349 350 /* 351 * Set initial GMK/Counter value here. The actual values that will be 352 * used in negotiations will be set once the first station tries to 353 * connect. This allows more time for collecting additional randomness 354 * on embedded devices. 355 */ 356 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 357 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 358 "initialization."); 359 os_free(group); 360 return NULL; 361 } 362 363 group->GInit = TRUE; 364 if (delay_init) { 365 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 366 "until Beacon frames have been configured"); 367 /* Initialization is completed in wpa_init_keys(). */ 368 } else { 369 wpa_group_sm_step(wpa_auth, group); 370 group->GInit = FALSE; 371 wpa_group_sm_step(wpa_auth, group); 372 } 373 374 return group; 375} 376 377 378/** 379 * wpa_init - Initialize WPA authenticator 380 * @addr: Authenticator address 381 * @conf: Configuration for WPA authenticator 382 * @cb: Callback functions for WPA authenticator 383 * Returns: Pointer to WPA authenticator data or %NULL on failure 384 */ 385struct wpa_authenticator * wpa_init(const u8 *addr, 386 struct wpa_auth_config *conf, 387 struct wpa_auth_callbacks *cb) 388{ 389 struct wpa_authenticator *wpa_auth; 390 391 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 392 if (wpa_auth == NULL) 393 return NULL; 394 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 395 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 396 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 397 398 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 399 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 400 os_free(wpa_auth); 401 return NULL; 402 } 403 404 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 405 if (wpa_auth->group == NULL) { 406 os_free(wpa_auth->wpa_ie); 407 os_free(wpa_auth); 408 return NULL; 409 } 410 411 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 412 wpa_auth); 413 if (wpa_auth->pmksa == NULL) { 414 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 415 os_free(wpa_auth->wpa_ie); 416 os_free(wpa_auth); 417 return NULL; 418 } 419 420#ifdef CONFIG_IEEE80211R 421 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 422 if (wpa_auth->ft_pmk_cache == NULL) { 423 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 424 os_free(wpa_auth->wpa_ie); 425 pmksa_cache_auth_deinit(wpa_auth->pmksa); 426 os_free(wpa_auth); 427 return NULL; 428 } 429#endif /* CONFIG_IEEE80211R */ 430 431 if (wpa_auth->conf.wpa_gmk_rekey) { 432 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 433 wpa_rekey_gmk, wpa_auth, NULL); 434 } 435 436 if (wpa_auth->conf.wpa_group_rekey) { 437 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 438 wpa_rekey_gtk, wpa_auth, NULL); 439 } 440 441 return wpa_auth; 442} 443 444 445int wpa_init_keys(struct wpa_authenticator *wpa_auth) 446{ 447 struct wpa_group *group = wpa_auth->group; 448 449 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 450 "keys"); 451 wpa_group_sm_step(wpa_auth, group); 452 group->GInit = FALSE; 453 wpa_group_sm_step(wpa_auth, group); 454 return 0; 455} 456 457 458/** 459 * wpa_deinit - Deinitialize WPA authenticator 460 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 461 */ 462void wpa_deinit(struct wpa_authenticator *wpa_auth) 463{ 464 struct wpa_group *group, *prev; 465 466 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 467 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 468 469#ifdef CONFIG_PEERKEY 470 while (wpa_auth->stsl_negotiations) 471 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 472#endif /* CONFIG_PEERKEY */ 473 474 pmksa_cache_auth_deinit(wpa_auth->pmksa); 475 476#ifdef CONFIG_IEEE80211R 477 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 478 wpa_auth->ft_pmk_cache = NULL; 479#endif /* CONFIG_IEEE80211R */ 480 481 os_free(wpa_auth->wpa_ie); 482 483 group = wpa_auth->group; 484 while (group) { 485 prev = group; 486 group = group->next; 487 os_free(prev); 488 } 489 490 os_free(wpa_auth); 491} 492 493 494/** 495 * wpa_reconfig - Update WPA authenticator configuration 496 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 497 * @conf: Configuration for WPA authenticator 498 */ 499int wpa_reconfig(struct wpa_authenticator *wpa_auth, 500 struct wpa_auth_config *conf) 501{ 502 struct wpa_group *group; 503 if (wpa_auth == NULL) 504 return 0; 505 506 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 507 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 508 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 509 return -1; 510 } 511 512 /* 513 * Reinitialize GTK to make sure it is suitable for the new 514 * configuration. 515 */ 516 group = wpa_auth->group; 517 wpa_group_set_key_len(group, wpa_auth->conf.wpa_group); 518 group->GInit = TRUE; 519 wpa_group_sm_step(wpa_auth, group); 520 group->GInit = FALSE; 521 wpa_group_sm_step(wpa_auth, group); 522 523 return 0; 524} 525 526 527struct wpa_state_machine * 528wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr) 529{ 530 struct wpa_state_machine *sm; 531 532 sm = os_zalloc(sizeof(struct wpa_state_machine)); 533 if (sm == NULL) 534 return NULL; 535 os_memcpy(sm->addr, addr, ETH_ALEN); 536 537 sm->wpa_auth = wpa_auth; 538 sm->group = wpa_auth->group; 539 540 return sm; 541} 542 543 544int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 545 struct wpa_state_machine *sm) 546{ 547 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 548 return -1; 549 550#ifdef CONFIG_IEEE80211R 551 if (sm->ft_completed) { 552 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 553 "FT authentication already completed - do not " 554 "start 4-way handshake"); 555 return 0; 556 } 557#endif /* CONFIG_IEEE80211R */ 558 559 if (sm->started) { 560 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 561 sm->ReAuthenticationRequest = TRUE; 562 return wpa_sm_step(sm); 563 } 564 565 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 566 "start authentication"); 567 sm->started = 1; 568 569 sm->Init = TRUE; 570 if (wpa_sm_step(sm) == 1) 571 return 1; /* should not really happen */ 572 sm->Init = FALSE; 573 sm->AuthenticationRequest = TRUE; 574 return wpa_sm_step(sm); 575} 576 577 578void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 579{ 580 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 581 * reassociates back to the same AP while the previous entry for the 582 * STA has not yet been removed. */ 583 if (sm == NULL) 584 return; 585 586 sm->wpa_key_mgmt = 0; 587} 588 589 590static void wpa_free_sta_sm(struct wpa_state_machine *sm) 591{ 592 if (sm->GUpdateStationKeys) { 593 sm->group->GKeyDoneStations--; 594 sm->GUpdateStationKeys = FALSE; 595 } 596#ifdef CONFIG_IEEE80211R 597 os_free(sm->assoc_resp_ftie); 598#endif /* CONFIG_IEEE80211R */ 599 os_free(sm->last_rx_eapol_key); 600 os_free(sm->wpa_ie); 601 os_free(sm); 602} 603 604 605void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 606{ 607 if (sm == NULL) 608 return; 609 610 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 611 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 612 "strict rekeying - force GTK rekey since STA " 613 "is leaving"); 614 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 615 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 616 NULL); 617 } 618 619 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 620 sm->pending_1_of_4_timeout = 0; 621 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 622 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 623 if (sm->in_step_loop) { 624 /* Must not free state machine while wpa_sm_step() is running. 625 * Freeing will be completed in the end of wpa_sm_step(). */ 626 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 627 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 628 sm->pending_deinit = 1; 629 } else 630 wpa_free_sta_sm(sm); 631} 632 633 634static void wpa_request_new_ptk(struct wpa_state_machine *sm) 635{ 636 if (sm == NULL) 637 return; 638 639 sm->PTKRequest = TRUE; 640 sm->PTK_valid = 0; 641} 642 643 644static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 645 const u8 *replay_counter) 646{ 647 int i; 648 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 649 if (!ctr[i].valid) 650 break; 651 if (os_memcmp(replay_counter, ctr[i].counter, 652 WPA_REPLAY_COUNTER_LEN) == 0) 653 return 1; 654 } 655 return 0; 656} 657 658 659static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 660 const u8 *replay_counter) 661{ 662 int i; 663 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 664 if (ctr[i].valid && 665 (replay_counter == NULL || 666 os_memcmp(replay_counter, ctr[i].counter, 667 WPA_REPLAY_COUNTER_LEN) == 0)) 668 ctr[i].valid = FALSE; 669 } 670} 671 672 673#ifdef CONFIG_IEEE80211R 674static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 675 struct wpa_state_machine *sm, 676 struct wpa_eapol_ie_parse *kde) 677{ 678 struct wpa_ie_data ie; 679 struct rsn_mdie *mdie; 680 681 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 682 ie.num_pmkid != 1 || ie.pmkid == NULL) { 683 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 684 "FT 4-way handshake message 2/4"); 685 return -1; 686 } 687 688 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 689 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 690 sm->sup_pmk_r1_name, PMKID_LEN); 691 692 if (!kde->mdie || !kde->ftie) { 693 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 694 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 695 return -1; 696 } 697 698 mdie = (struct rsn_mdie *) (kde->mdie + 2); 699 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 700 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 701 MOBILITY_DOMAIN_ID_LEN) != 0) { 702 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 703 return -1; 704 } 705 706 if (sm->assoc_resp_ftie && 707 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 708 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 709 2 + sm->assoc_resp_ftie[1]) != 0)) { 710 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 711 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 712 kde->ftie, kde->ftie_len); 713 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 714 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 715 return -1; 716 } 717 718 return 0; 719} 720#endif /* CONFIG_IEEE80211R */ 721 722 723static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 724 struct wpa_state_machine *sm, int group) 725{ 726 /* Supplicant reported a Michael MIC error */ 727 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 728 "received EAPOL-Key Error Request " 729 "(STA detected Michael MIC failure (group=%d))", 730 group); 731 732 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 733 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 734 "ignore Michael MIC failure report since " 735 "group cipher is not TKIP"); 736 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 737 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 738 "ignore Michael MIC failure report since " 739 "pairwise cipher is not TKIP"); 740 } else { 741 wpa_auth_mic_failure_report(wpa_auth, sm->addr); 742 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 743 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 744 } 745 746 /* 747 * Error report is not a request for a new key handshake, but since 748 * Authenticator may do it, let's change the keys now anyway. 749 */ 750 wpa_request_new_ptk(sm); 751} 752 753 754void wpa_receive(struct wpa_authenticator *wpa_auth, 755 struct wpa_state_machine *sm, 756 u8 *data, size_t data_len) 757{ 758 struct ieee802_1x_hdr *hdr; 759 struct wpa_eapol_key *key; 760 u16 key_info, key_data_length; 761 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 762 SMK_M1, SMK_M3, SMK_ERROR } msg; 763 char *msgtxt; 764 struct wpa_eapol_ie_parse kde; 765 int ft; 766 const u8 *eapol_key_ie; 767 size_t eapol_key_ie_len; 768 769 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 770 return; 771 772 if (data_len < sizeof(*hdr) + sizeof(*key)) 773 return; 774 775 hdr = (struct ieee802_1x_hdr *) data; 776 key = (struct wpa_eapol_key *) (hdr + 1); 777 key_info = WPA_GET_BE16(key->key_info); 778 key_data_length = WPA_GET_BE16(key->key_data_length); 779 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 780 " key_info=0x%x type=%u key_data_length=%u", 781 MAC2STR(sm->addr), key_info, key->type, key_data_length); 782 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 783 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 784 "key_data overflow (%d > %lu)", 785 key_data_length, 786 (unsigned long) (data_len - sizeof(*hdr) - 787 sizeof(*key))); 788 return; 789 } 790 791 if (sm->wpa == WPA_VERSION_WPA2) { 792 if (key->type == EAPOL_KEY_TYPE_WPA) { 793 /* 794 * Some deployed station implementations seem to send 795 * msg 4/4 with incorrect type value in WPA2 mode. 796 */ 797 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 798 "with unexpected WPA type in RSN mode"); 799 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 800 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 801 "unexpected type %d in RSN mode", 802 key->type); 803 return; 804 } 805 } else { 806 if (key->type != EAPOL_KEY_TYPE_WPA) { 807 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 808 "unexpected type %d in WPA mode", 809 key->type); 810 return; 811 } 812 } 813 814 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 815 WPA_NONCE_LEN); 816 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 817 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 818 819 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 820 * are set */ 821 822 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 823 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 824 if (key_info & WPA_KEY_INFO_ERROR) { 825 msg = SMK_ERROR; 826 msgtxt = "SMK Error"; 827 } else { 828 msg = SMK_M1; 829 msgtxt = "SMK M1"; 830 } 831 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 832 msg = SMK_M3; 833 msgtxt = "SMK M3"; 834 } else if (key_info & WPA_KEY_INFO_REQUEST) { 835 msg = REQUEST; 836 msgtxt = "Request"; 837 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 838 msg = GROUP_2; 839 msgtxt = "2/2 Group"; 840 } else if (key_data_length == 0) { 841 msg = PAIRWISE_4; 842 msgtxt = "4/4 Pairwise"; 843 } else { 844 msg = PAIRWISE_2; 845 msgtxt = "2/4 Pairwise"; 846 } 847 848 /* TODO: key_info type validation for PeerKey */ 849 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 850 msg == GROUP_2) { 851 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 852 if (sm->pairwise == WPA_CIPHER_CCMP) { 853 if (wpa_use_aes_cmac(sm) && 854 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 855 wpa_auth_logger(wpa_auth, sm->addr, 856 LOGGER_WARNING, 857 "advertised support for " 858 "AES-128-CMAC, but did not " 859 "use it"); 860 return; 861 } 862 863 if (!wpa_use_aes_cmac(sm) && 864 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 865 wpa_auth_logger(wpa_auth, sm->addr, 866 LOGGER_WARNING, 867 "did not use HMAC-SHA1-AES " 868 "with CCMP"); 869 return; 870 } 871 } 872 } 873 874 if (key_info & WPA_KEY_INFO_REQUEST) { 875 if (sm->req_replay_counter_used && 876 os_memcmp(key->replay_counter, sm->req_replay_counter, 877 WPA_REPLAY_COUNTER_LEN) <= 0) { 878 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 879 "received EAPOL-Key request with " 880 "replayed counter"); 881 return; 882 } 883 } 884 885 if (!(key_info & WPA_KEY_INFO_REQUEST) && 886 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 887 int i; 888 889 if (msg == PAIRWISE_2 && 890 wpa_replay_counter_valid(sm->prev_key_replay, 891 key->replay_counter) && 892 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 893 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 894 { 895 /* 896 * Some supplicant implementations (e.g., Windows XP 897 * WZC) update SNonce for each EAPOL-Key 2/4. This 898 * breaks the workaround on accepting any of the 899 * pending requests, so allow the SNonce to be updated 900 * even if we have already sent out EAPOL-Key 3/4. 901 */ 902 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 903 "Process SNonce update from STA " 904 "based on retransmitted EAPOL-Key " 905 "1/4"); 906 sm->update_snonce = 1; 907 wpa_replay_counter_mark_invalid(sm->prev_key_replay, 908 key->replay_counter); 909 goto continue_processing; 910 } 911 912 if (msg == PAIRWISE_2 && 913 wpa_replay_counter_valid(sm->prev_key_replay, 914 key->replay_counter) && 915 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 916 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 917 "ignore retransmitted EAPOL-Key %s - " 918 "SNonce did not change", msgtxt); 919 } else { 920 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 921 "received EAPOL-Key %s with " 922 "unexpected replay counter", msgtxt); 923 } 924 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 925 if (!sm->key_replay[i].valid) 926 break; 927 wpa_hexdump(MSG_DEBUG, "pending replay counter", 928 sm->key_replay[i].counter, 929 WPA_REPLAY_COUNTER_LEN); 930 } 931 wpa_hexdump(MSG_DEBUG, "received replay counter", 932 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 933 return; 934 } 935 936continue_processing: 937 switch (msg) { 938 case PAIRWISE_2: 939 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 940 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 941 (!sm->update_snonce || 942 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 943 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 944 "received EAPOL-Key msg 2/4 in " 945 "invalid state (%d) - dropped", 946 sm->wpa_ptk_state); 947 return; 948 } 949 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 950 if (sm->group->reject_4way_hs_for_entropy) { 951 /* 952 * The system did not have enough entropy to generate 953 * strong random numbers. Reject the first 4-way 954 * handshake(s) and collect some entropy based on the 955 * information from it. Once enough entropy is 956 * available, the next atempt will trigger GMK/Key 957 * Counter update and the station will be allowed to 958 * continue. 959 */ 960 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 961 "collect more entropy for random number " 962 "generation"); 963 random_mark_pool_ready(); 964 wpa_sta_disconnect(wpa_auth, sm->addr); 965 return; 966 } 967 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 968 &kde) < 0) { 969 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 970 "received EAPOL-Key msg 2/4 with " 971 "invalid Key Data contents"); 972 return; 973 } 974 if (kde.rsn_ie) { 975 eapol_key_ie = kde.rsn_ie; 976 eapol_key_ie_len = kde.rsn_ie_len; 977 } else { 978 eapol_key_ie = kde.wpa_ie; 979 eapol_key_ie_len = kde.wpa_ie_len; 980 } 981 ft = sm->wpa == WPA_VERSION_WPA2 && 982 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 983 if (sm->wpa_ie == NULL || 984 wpa_compare_rsn_ie(ft, 985 sm->wpa_ie, sm->wpa_ie_len, 986 eapol_key_ie, eapol_key_ie_len)) { 987 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 988 "WPA IE from (Re)AssocReq did not " 989 "match with msg 2/4"); 990 if (sm->wpa_ie) { 991 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 992 sm->wpa_ie, sm->wpa_ie_len); 993 } 994 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 995 eapol_key_ie, eapol_key_ie_len); 996 /* MLME-DEAUTHENTICATE.request */ 997 wpa_sta_disconnect(wpa_auth, sm->addr); 998 return; 999 } 1000#ifdef CONFIG_IEEE80211R 1001 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 1002 wpa_sta_disconnect(wpa_auth, sm->addr); 1003 return; 1004 } 1005#endif /* CONFIG_IEEE80211R */ 1006 break; 1007 case PAIRWISE_4: 1008 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1009 !sm->PTK_valid) { 1010 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1011 "received EAPOL-Key msg 4/4 in " 1012 "invalid state (%d) - dropped", 1013 sm->wpa_ptk_state); 1014 return; 1015 } 1016 break; 1017 case GROUP_2: 1018 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1019 || !sm->PTK_valid) { 1020 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1021 "received EAPOL-Key msg 2/2 in " 1022 "invalid state (%d) - dropped", 1023 sm->wpa_ptk_group_state); 1024 return; 1025 } 1026 break; 1027#ifdef CONFIG_PEERKEY 1028 case SMK_M1: 1029 case SMK_M3: 1030 case SMK_ERROR: 1031 if (!wpa_auth->conf.peerkey) { 1032 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1033 "PeerKey use disabled - ignoring message"); 1034 return; 1035 } 1036 if (!sm->PTK_valid) { 1037 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1038 "received EAPOL-Key msg SMK in " 1039 "invalid state - dropped"); 1040 return; 1041 } 1042 break; 1043#else /* CONFIG_PEERKEY */ 1044 case SMK_M1: 1045 case SMK_M3: 1046 case SMK_ERROR: 1047 return; /* STSL disabled - ignore SMK messages */ 1048#endif /* CONFIG_PEERKEY */ 1049 case REQUEST: 1050 break; 1051 } 1052 1053 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1054 "received EAPOL-Key frame (%s)", msgtxt); 1055 1056 if (key_info & WPA_KEY_INFO_ACK) { 1057 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1058 "received invalid EAPOL-Key: Key Ack set"); 1059 return; 1060 } 1061 1062 if (!(key_info & WPA_KEY_INFO_MIC)) { 1063 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1064 "received invalid EAPOL-Key: Key MIC not set"); 1065 return; 1066 } 1067 1068 sm->MICVerified = FALSE; 1069 if (sm->PTK_valid && !sm->update_snonce) { 1070 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) { 1071 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1072 "received EAPOL-Key with invalid MIC"); 1073 return; 1074 } 1075 sm->MICVerified = TRUE; 1076 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1077 sm->pending_1_of_4_timeout = 0; 1078 } 1079 1080 if (key_info & WPA_KEY_INFO_REQUEST) { 1081 if (sm->MICVerified) { 1082 sm->req_replay_counter_used = 1; 1083 os_memcpy(sm->req_replay_counter, key->replay_counter, 1084 WPA_REPLAY_COUNTER_LEN); 1085 } else { 1086 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1087 "received EAPOL-Key request with " 1088 "invalid MIC"); 1089 return; 1090 } 1091 1092 /* 1093 * TODO: should decrypt key data field if encryption was used; 1094 * even though MAC address KDE is not normally encrypted, 1095 * supplicant is allowed to encrypt it. 1096 */ 1097 if (msg == SMK_ERROR) { 1098#ifdef CONFIG_PEERKEY 1099 wpa_smk_error(wpa_auth, sm, key); 1100#endif /* CONFIG_PEERKEY */ 1101 return; 1102 } else if (key_info & WPA_KEY_INFO_ERROR) { 1103 wpa_receive_error_report( 1104 wpa_auth, sm, 1105 !(key_info & WPA_KEY_INFO_KEY_TYPE)); 1106 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1107 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1108 "received EAPOL-Key Request for new " 1109 "4-Way Handshake"); 1110 wpa_request_new_ptk(sm); 1111#ifdef CONFIG_PEERKEY 1112 } else if (msg == SMK_M1) { 1113 wpa_smk_m1(wpa_auth, sm, key); 1114#endif /* CONFIG_PEERKEY */ 1115 } else if (key_data_length > 0 && 1116 wpa_parse_kde_ies((const u8 *) (key + 1), 1117 key_data_length, &kde) == 0 && 1118 kde.mac_addr) { 1119 } else { 1120 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1121 "received EAPOL-Key Request for GTK " 1122 "rekeying"); 1123 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1124 wpa_rekey_gtk(wpa_auth, NULL); 1125 } 1126 } else { 1127 /* Do not allow the same key replay counter to be reused. */ 1128 wpa_replay_counter_mark_invalid(sm->key_replay, 1129 key->replay_counter); 1130 1131 if (msg == PAIRWISE_2) { 1132 /* 1133 * Maintain a copy of the pending EAPOL-Key frames in 1134 * case the EAPOL-Key frame was retransmitted. This is 1135 * needed to allow EAPOL-Key msg 2/4 reply to another 1136 * pending msg 1/4 to update the SNonce to work around 1137 * unexpected supplicant behavior. 1138 */ 1139 os_memcpy(sm->prev_key_replay, sm->key_replay, 1140 sizeof(sm->key_replay)); 1141 } else { 1142 os_memset(sm->prev_key_replay, 0, 1143 sizeof(sm->prev_key_replay)); 1144 } 1145 1146 /* 1147 * Make sure old valid counters are not accepted anymore and 1148 * do not get copied again. 1149 */ 1150 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1151 } 1152 1153#ifdef CONFIG_PEERKEY 1154 if (msg == SMK_M3) { 1155 wpa_smk_m3(wpa_auth, sm, key); 1156 return; 1157 } 1158#endif /* CONFIG_PEERKEY */ 1159 1160 os_free(sm->last_rx_eapol_key); 1161 sm->last_rx_eapol_key = os_malloc(data_len); 1162 if (sm->last_rx_eapol_key == NULL) 1163 return; 1164 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1165 sm->last_rx_eapol_key_len = data_len; 1166 1167 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1168 sm->EAPOLKeyReceived = TRUE; 1169 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1170 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1171 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1172 wpa_sm_step(sm); 1173} 1174 1175 1176static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1177 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1178{ 1179 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1180 u8 *pos; 1181 int ret = 0; 1182 1183 /* GTK = PRF-X(GMK, "Group key expansion", 1184 * AA || GNonce || Time || random data) 1185 * The example described in the IEEE 802.11 standard uses only AA and 1186 * GNonce as inputs here. Add some more entropy since this derivation 1187 * is done only at the Authenticator and as such, does not need to be 1188 * exactly same. 1189 */ 1190 os_memcpy(data, addr, ETH_ALEN); 1191 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1192 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1193 wpa_get_ntp_timestamp(pos); 1194 pos += 8; 1195 if (random_get_bytes(pos, 16) < 0) 1196 ret = -1; 1197 1198#ifdef CONFIG_IEEE80211W 1199 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1200#else /* CONFIG_IEEE80211W */ 1201 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1202 < 0) 1203 ret = -1; 1204#endif /* CONFIG_IEEE80211W */ 1205 1206 return ret; 1207} 1208 1209 1210static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1211{ 1212 struct wpa_authenticator *wpa_auth = eloop_ctx; 1213 struct wpa_state_machine *sm = timeout_ctx; 1214 1215 sm->pending_1_of_4_timeout = 0; 1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1217 sm->TimeoutEvt = TRUE; 1218 wpa_sm_step(sm); 1219} 1220 1221 1222void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1223 struct wpa_state_machine *sm, int key_info, 1224 const u8 *key_rsc, const u8 *nonce, 1225 const u8 *kde, size_t kde_len, 1226 int keyidx, int encr, int force_version) 1227{ 1228 struct ieee802_1x_hdr *hdr; 1229 struct wpa_eapol_key *key; 1230 size_t len; 1231 int alg; 1232 int key_data_len, pad_len = 0; 1233 u8 *buf, *pos; 1234 int version, pairwise; 1235 int i; 1236 1237 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1238 1239 if (force_version) 1240 version = force_version; 1241 else if (wpa_use_aes_cmac(sm)) 1242 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1243 else if (sm->pairwise == WPA_CIPHER_CCMP) 1244 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1245 else 1246 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1247 1248 pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1249 1250 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1251 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1252 "encr=%d)", 1253 version, 1254 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1255 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1256 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1257 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1258 pairwise, (unsigned long) kde_len, keyidx, encr); 1259 1260 key_data_len = kde_len; 1261 1262 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1263 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1264 pad_len = key_data_len % 8; 1265 if (pad_len) 1266 pad_len = 8 - pad_len; 1267 key_data_len += pad_len + 8; 1268 } 1269 1270 len += key_data_len; 1271 1272 hdr = os_zalloc(len); 1273 if (hdr == NULL) 1274 return; 1275 hdr->version = wpa_auth->conf.eapol_version; 1276 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1277 hdr->length = host_to_be16(len - sizeof(*hdr)); 1278 key = (struct wpa_eapol_key *) (hdr + 1); 1279 1280 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1281 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1282 key_info |= version; 1283 if (encr && sm->wpa == WPA_VERSION_WPA2) 1284 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1285 if (sm->wpa != WPA_VERSION_WPA2) 1286 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1287 WPA_PUT_BE16(key->key_info, key_info); 1288 1289 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1290 switch (alg) { 1291 case WPA_CIPHER_CCMP: 1292 WPA_PUT_BE16(key->key_length, 16); 1293 break; 1294 case WPA_CIPHER_TKIP: 1295 WPA_PUT_BE16(key->key_length, 32); 1296 break; 1297 case WPA_CIPHER_WEP40: 1298 WPA_PUT_BE16(key->key_length, 5); 1299 break; 1300 case WPA_CIPHER_WEP104: 1301 WPA_PUT_BE16(key->key_length, 13); 1302 break; 1303 } 1304 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1305 WPA_PUT_BE16(key->key_length, 0); 1306 1307 /* FIX: STSL: what to use as key_replay_counter? */ 1308 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1309 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1310 os_memcpy(sm->key_replay[i].counter, 1311 sm->key_replay[i - 1].counter, 1312 WPA_REPLAY_COUNTER_LEN); 1313 } 1314 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1315 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1316 WPA_REPLAY_COUNTER_LEN); 1317 sm->key_replay[0].valid = TRUE; 1318 1319 if (nonce) 1320 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1321 1322 if (key_rsc) 1323 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1324 1325 if (kde && !encr) { 1326 os_memcpy(key + 1, kde, kde_len); 1327 WPA_PUT_BE16(key->key_data_length, kde_len); 1328 } else if (encr && kde) { 1329 buf = os_zalloc(key_data_len); 1330 if (buf == NULL) { 1331 os_free(hdr); 1332 return; 1333 } 1334 pos = buf; 1335 os_memcpy(pos, kde, kde_len); 1336 pos += kde_len; 1337 1338 if (pad_len) 1339 *pos++ = 0xdd; 1340 1341 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1342 buf, key_data_len); 1343 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1344 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1345 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, 1346 (u8 *) (key + 1))) { 1347 os_free(hdr); 1348 os_free(buf); 1349 return; 1350 } 1351 WPA_PUT_BE16(key->key_data_length, key_data_len); 1352 } else { 1353 u8 ek[32]; 1354 os_memcpy(key->key_iv, 1355 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1356 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1357 os_memcpy(ek, key->key_iv, 16); 1358 os_memcpy(ek + 16, sm->PTK.kek, 16); 1359 os_memcpy(key + 1, buf, key_data_len); 1360 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1361 WPA_PUT_BE16(key->key_data_length, key_data_len); 1362 } 1363 os_free(buf); 1364 } 1365 1366 if (key_info & WPA_KEY_INFO_MIC) { 1367 if (!sm->PTK_valid) { 1368 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1369 "PTK not valid when sending EAPOL-Key " 1370 "frame"); 1371 os_free(hdr); 1372 return; 1373 } 1374 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, 1375 key->key_mic); 1376 } 1377 1378 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1379 1); 1380 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1381 sm->pairwise_set); 1382 os_free(hdr); 1383} 1384 1385 1386static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1387 struct wpa_state_machine *sm, int key_info, 1388 const u8 *key_rsc, const u8 *nonce, 1389 const u8 *kde, size_t kde_len, 1390 int keyidx, int encr) 1391{ 1392 int timeout_ms; 1393 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1394 int ctr; 1395 1396 if (sm == NULL) 1397 return; 1398 1399 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1400 keyidx, encr, 0); 1401 1402 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1403 if (ctr == 1 && wpa_auth->conf.tx_status) 1404 timeout_ms = pairwise ? eapol_key_timeout_first : 1405 eapol_key_timeout_first_group; 1406 else 1407 timeout_ms = eapol_key_timeout_subseq; 1408 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1409 sm->pending_1_of_4_timeout = 1; 1410 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1411 "counter %d)", timeout_ms, ctr); 1412 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1413 wpa_send_eapol_timeout, wpa_auth, sm); 1414} 1415 1416 1417static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len) 1418{ 1419 struct ieee802_1x_hdr *hdr; 1420 struct wpa_eapol_key *key; 1421 u16 key_info; 1422 int ret = 0; 1423 u8 mic[16]; 1424 1425 if (data_len < sizeof(*hdr) + sizeof(*key)) 1426 return -1; 1427 1428 hdr = (struct ieee802_1x_hdr *) data; 1429 key = (struct wpa_eapol_key *) (hdr + 1); 1430 key_info = WPA_GET_BE16(key->key_info); 1431 os_memcpy(mic, key->key_mic, 16); 1432 os_memset(key->key_mic, 0, 16); 1433 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK, 1434 data, data_len, key->key_mic) || 1435 os_memcmp(mic, key->key_mic, 16) != 0) 1436 ret = -1; 1437 os_memcpy(key->key_mic, mic, 16); 1438 return ret; 1439} 1440 1441 1442void wpa_remove_ptk(struct wpa_state_machine *sm) 1443{ 1444 sm->PTK_valid = FALSE; 1445 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1446 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1447 sm->pairwise_set = FALSE; 1448 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1449} 1450 1451 1452int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1453{ 1454 int remove_ptk = 1; 1455 1456 if (sm == NULL) 1457 return -1; 1458 1459 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1460 "event %d notification", event); 1461 1462 switch (event) { 1463 case WPA_AUTH: 1464 case WPA_ASSOC: 1465 break; 1466 case WPA_DEAUTH: 1467 case WPA_DISASSOC: 1468 sm->DeauthenticationRequest = TRUE; 1469 break; 1470 case WPA_REAUTH: 1471 case WPA_REAUTH_EAPOL: 1472 if (!sm->started) { 1473 /* 1474 * When using WPS, we may end up here if the STA 1475 * manages to re-associate without the previous STA 1476 * entry getting removed. Consequently, we need to make 1477 * sure that the WPA state machines gets initialized 1478 * properly at this point. 1479 */ 1480 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1481 "started - initialize now"); 1482 sm->started = 1; 1483 sm->Init = TRUE; 1484 if (wpa_sm_step(sm) == 1) 1485 return 1; /* should not really happen */ 1486 sm->Init = FALSE; 1487 sm->AuthenticationRequest = TRUE; 1488 break; 1489 } 1490 if (sm->GUpdateStationKeys) { 1491 /* 1492 * Reauthentication cancels the pending group key 1493 * update for this STA. 1494 */ 1495 sm->group->GKeyDoneStations--; 1496 sm->GUpdateStationKeys = FALSE; 1497 sm->PtkGroupInit = TRUE; 1498 } 1499 sm->ReAuthenticationRequest = TRUE; 1500 break; 1501 case WPA_ASSOC_FT: 1502#ifdef CONFIG_IEEE80211R 1503 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1504 "after association"); 1505 wpa_ft_install_ptk(sm); 1506 1507 /* Using FT protocol, not WPA auth state machine */ 1508 sm->ft_completed = 1; 1509 return 0; 1510#else /* CONFIG_IEEE80211R */ 1511 break; 1512#endif /* CONFIG_IEEE80211R */ 1513 } 1514 1515#ifdef CONFIG_IEEE80211R 1516 sm->ft_completed = 0; 1517#endif /* CONFIG_IEEE80211R */ 1518 1519#ifdef CONFIG_IEEE80211W 1520 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1521 remove_ptk = 0; 1522#endif /* CONFIG_IEEE80211W */ 1523 1524 if (remove_ptk) { 1525 sm->PTK_valid = FALSE; 1526 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1527 1528 if (event != WPA_REAUTH_EAPOL) 1529 wpa_remove_ptk(sm); 1530 } 1531 1532 return wpa_sm_step(sm); 1533} 1534 1535 1536static enum wpa_alg wpa_alg_enum(int alg) 1537{ 1538 switch (alg) { 1539 case WPA_CIPHER_CCMP: 1540 return WPA_ALG_CCMP; 1541 case WPA_CIPHER_TKIP: 1542 return WPA_ALG_TKIP; 1543 case WPA_CIPHER_WEP104: 1544 case WPA_CIPHER_WEP40: 1545 return WPA_ALG_WEP; 1546 default: 1547 return WPA_ALG_NONE; 1548 } 1549} 1550 1551 1552SM_STATE(WPA_PTK, INITIALIZE) 1553{ 1554 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1555 if (sm->Init) { 1556 /* Init flag is not cleared here, so avoid busy 1557 * loop by claiming nothing changed. */ 1558 sm->changed = FALSE; 1559 } 1560 1561 sm->keycount = 0; 1562 if (sm->GUpdateStationKeys) 1563 sm->group->GKeyDoneStations--; 1564 sm->GUpdateStationKeys = FALSE; 1565 if (sm->wpa == WPA_VERSION_WPA) 1566 sm->PInitAKeys = FALSE; 1567 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1568 * Local AA > Remote AA)) */) { 1569 sm->Pair = TRUE; 1570 } 1571 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1572 wpa_remove_ptk(sm); 1573 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1574 sm->TimeoutCtr = 0; 1575 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1576 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1577 WPA_EAPOL_authorized, 0); 1578 } 1579} 1580 1581 1582SM_STATE(WPA_PTK, DISCONNECT) 1583{ 1584 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1585 sm->Disconnect = FALSE; 1586 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1587} 1588 1589 1590SM_STATE(WPA_PTK, DISCONNECTED) 1591{ 1592 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1593 sm->DeauthenticationRequest = FALSE; 1594} 1595 1596 1597SM_STATE(WPA_PTK, AUTHENTICATION) 1598{ 1599 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1600 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1601 sm->PTK_valid = FALSE; 1602 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1603 1); 1604 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1605 sm->AuthenticationRequest = FALSE; 1606} 1607 1608 1609static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1610 struct wpa_group *group) 1611{ 1612 if (group->first_sta_seen) 1613 return; 1614 /* 1615 * System has run bit further than at the time hostapd was started 1616 * potentially very early during boot up. This provides better chances 1617 * of collecting more randomness on embedded systems. Re-initialize the 1618 * GMK and Counter here to improve their strength if there was not 1619 * enough entropy available immediately after system startup. 1620 */ 1621 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1622 "station"); 1623 if (random_pool_ready() != 1) { 1624 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1625 "to proceed - reject first 4-way handshake"); 1626 group->reject_4way_hs_for_entropy = TRUE; 1627 } else { 1628 group->first_sta_seen = TRUE; 1629 group->reject_4way_hs_for_entropy = FALSE; 1630 } 1631 1632 wpa_group_init_gmk_and_counter(wpa_auth, group); 1633 wpa_gtk_update(wpa_auth, group); 1634 wpa_group_config_group_keys(wpa_auth, group); 1635} 1636 1637 1638SM_STATE(WPA_PTK, AUTHENTICATION2) 1639{ 1640 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1641 1642 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1643 1644 /* 1645 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1646 * ambiguous. The Authenticator state machine uses a counter that is 1647 * incremented by one for each 4-way handshake. However, the security 1648 * analysis of 4-way handshake points out that unpredictable nonces 1649 * help in preventing precomputation attacks. Instead of the state 1650 * machine definition, use an unpredictable nonce value here to provide 1651 * stronger protection against potential precomputation attacks. 1652 */ 1653 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1654 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1655 "ANonce."); 1656 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1657 return; 1658 } 1659 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1660 WPA_NONCE_LEN); 1661 sm->ReAuthenticationRequest = FALSE; 1662 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1663 * logical place than INITIALIZE since AUTHENTICATION2 can be 1664 * re-entered on ReAuthenticationRequest without going through 1665 * INITIALIZE. */ 1666 sm->TimeoutCtr = 0; 1667} 1668 1669 1670SM_STATE(WPA_PTK, INITPMK) 1671{ 1672 u8 msk[2 * PMK_LEN]; 1673 size_t len = 2 * PMK_LEN; 1674 1675 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1676#ifdef CONFIG_IEEE80211R 1677 sm->xxkey_len = 0; 1678#endif /* CONFIG_IEEE80211R */ 1679 if (sm->pmksa) { 1680 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1681 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1682 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1683 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1684 "(len=%lu)", (unsigned long) len); 1685 os_memcpy(sm->PMK, msk, PMK_LEN); 1686#ifdef CONFIG_IEEE80211R 1687 if (len >= 2 * PMK_LEN) { 1688 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1689 sm->xxkey_len = PMK_LEN; 1690 } 1691#endif /* CONFIG_IEEE80211R */ 1692 } else { 1693 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1694 } 1695 1696 sm->req_replay_counter_used = 0; 1697 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1698 * will break reauthentication since EAPOL state machines may not be 1699 * get into AUTHENTICATING state that clears keyRun before WPA state 1700 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1701 * state and takes PMK from the previously used AAA Key. This will 1702 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1703 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1704 * be good workaround for this issue. */ 1705 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1706} 1707 1708 1709SM_STATE(WPA_PTK, INITPSK) 1710{ 1711 const u8 *psk; 1712 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1713 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL); 1714 if (psk) { 1715 os_memcpy(sm->PMK, psk, PMK_LEN); 1716#ifdef CONFIG_IEEE80211R 1717 os_memcpy(sm->xxkey, psk, PMK_LEN); 1718 sm->xxkey_len = PMK_LEN; 1719#endif /* CONFIG_IEEE80211R */ 1720 } 1721 sm->req_replay_counter_used = 0; 1722} 1723 1724 1725SM_STATE(WPA_PTK, PTKSTART) 1726{ 1727 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1728 size_t pmkid_len = 0; 1729 1730 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1731 sm->PTKRequest = FALSE; 1732 sm->TimeoutEvt = FALSE; 1733 1734 sm->TimeoutCtr++; 1735 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1736 /* No point in sending the EAPOL-Key - we will disconnect 1737 * immediately following this. */ 1738 return; 1739 } 1740 1741 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1742 "sending 1/4 msg of 4-Way Handshake"); 1743 /* 1744 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1745 * one possible PSK for this STA. 1746 */ 1747 if (sm->wpa == WPA_VERSION_WPA2 && 1748 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) { 1749 pmkid = buf; 1750 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1751 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1752 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1753 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1754 if (sm->pmksa) 1755 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1756 sm->pmksa->pmkid, PMKID_LEN); 1757 else { 1758 /* 1759 * Calculate PMKID since no PMKSA cache entry was 1760 * available with pre-calculated PMKID. 1761 */ 1762 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1763 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1764 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1765 } 1766 } 1767 wpa_send_eapol(sm->wpa_auth, sm, 1768 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1769 sm->ANonce, pmkid, pmkid_len, 0, 0); 1770} 1771 1772 1773static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk, 1774 struct wpa_ptk *ptk) 1775{ 1776 size_t ptk_len = sm->pairwise == WPA_CIPHER_CCMP ? 48 : 64; 1777#ifdef CONFIG_IEEE80211R 1778 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1779 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1780#endif /* CONFIG_IEEE80211R */ 1781 1782 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1783 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce, 1784 (u8 *) ptk, ptk_len, 1785 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1786 1787 return 0; 1788} 1789 1790 1791SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1792{ 1793 struct wpa_ptk PTK; 1794 int ok = 0; 1795 const u8 *pmk = NULL; 1796 1797 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1798 sm->EAPOLKeyReceived = FALSE; 1799 sm->update_snonce = FALSE; 1800 1801 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1802 * WPA-PSK: iterate through possible PSKs and select the one matching 1803 * the packet */ 1804 for (;;) { 1805 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1806 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk); 1807 if (pmk == NULL) 1808 break; 1809 } else 1810 pmk = sm->PMK; 1811 1812 wpa_derive_ptk(sm, pmk, &PTK); 1813 1814 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key, 1815 sm->last_rx_eapol_key_len) == 0) { 1816 ok = 1; 1817 break; 1818 } 1819 1820 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1821 break; 1822 } 1823 1824 if (!ok) { 1825 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1826 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1827 return; 1828 } 1829 1830#ifdef CONFIG_IEEE80211R 1831 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1832 /* 1833 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1834 * with the value we derived. 1835 */ 1836 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1837 WPA_PMK_NAME_LEN) != 0) { 1838 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1839 "PMKR1Name mismatch in FT 4-way " 1840 "handshake"); 1841 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1842 "Supplicant", 1843 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 1844 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1845 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1846 return; 1847 } 1848 } 1849#endif /* CONFIG_IEEE80211R */ 1850 1851 sm->pending_1_of_4_timeout = 0; 1852 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 1853 1854 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1855 /* PSK may have changed from the previous choice, so update 1856 * state machine data based on whatever PSK was selected here. 1857 */ 1858 os_memcpy(sm->PMK, pmk, PMK_LEN); 1859 } 1860 1861 sm->MICVerified = TRUE; 1862 1863 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 1864 sm->PTK_valid = TRUE; 1865} 1866 1867 1868SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 1869{ 1870 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 1871 sm->TimeoutCtr = 0; 1872} 1873 1874 1875#ifdef CONFIG_IEEE80211W 1876 1877static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1878{ 1879 if (sm->mgmt_frame_prot) { 1880 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde); 1881 } 1882 1883 return 0; 1884} 1885 1886 1887static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1888{ 1889 struct wpa_igtk_kde igtk; 1890 struct wpa_group *gsm = sm->group; 1891 1892 if (!sm->mgmt_frame_prot) 1893 return pos; 1894 1895 igtk.keyid[0] = gsm->GN_igtk; 1896 igtk.keyid[1] = 0; 1897 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 1898 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0) 1899 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 1900 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 1901 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 1902 (const u8 *) &igtk, sizeof(igtk), NULL, 0); 1903 1904 return pos; 1905} 1906 1907#else /* CONFIG_IEEE80211W */ 1908 1909static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1910{ 1911 return 0; 1912} 1913 1914 1915static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1916{ 1917 return pos; 1918} 1919 1920#endif /* CONFIG_IEEE80211W */ 1921 1922 1923SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 1924{ 1925 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; 1926 size_t gtk_len, kde_len; 1927 struct wpa_group *gsm = sm->group; 1928 u8 *wpa_ie; 1929 int wpa_ie_len, secure, keyidx, encr = 0; 1930 1931 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 1932 sm->TimeoutEvt = FALSE; 1933 1934 sm->TimeoutCtr++; 1935 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1936 /* No point in sending the EAPOL-Key - we will disconnect 1937 * immediately following this. */ 1938 return; 1939 } 1940 1941 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 1942 GTK[GN], IGTK, [FTIE], [TIE * 2]) 1943 */ 1944 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 1945 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 1946 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 1947 wpa_ie = sm->wpa_auth->wpa_ie; 1948 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 1949 if (sm->wpa == WPA_VERSION_WPA && 1950 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 1951 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 1952 /* WPA-only STA, remove RSN IE */ 1953 wpa_ie = wpa_ie + wpa_ie[1] + 2; 1954 wpa_ie_len = wpa_ie[1] + 2; 1955 } 1956 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1957 "sending 3/4 msg of 4-Way Handshake"); 1958 if (sm->wpa == WPA_VERSION_WPA2) { 1959 /* WPA2 send GTK in the 4-way handshake */ 1960 secure = 1; 1961 gtk = gsm->GTK[gsm->GN - 1]; 1962 gtk_len = gsm->GTK_len; 1963 keyidx = gsm->GN; 1964 _rsc = rsc; 1965 encr = 1; 1966 } else { 1967 /* WPA does not include GTK in msg 3/4 */ 1968 secure = 0; 1969 gtk = NULL; 1970 gtk_len = 0; 1971 keyidx = 0; 1972 _rsc = NULL; 1973 if (sm->rx_eapol_key_secure) { 1974 /* 1975 * It looks like Windows 7 supplicant tries to use 1976 * Secure bit in msg 2/4 after having reported Michael 1977 * MIC failure and it then rejects the 4-way handshake 1978 * if msg 3/4 does not set Secure bit. Work around this 1979 * by setting the Secure bit here even in the case of 1980 * WPA if the supplicant used it first. 1981 */ 1982 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1983 "STA used Secure bit in WPA msg 2/4 - " 1984 "set Secure for 3/4 as workaround"); 1985 secure = 1; 1986 } 1987 } 1988 1989 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 1990 if (gtk) 1991 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 1992#ifdef CONFIG_IEEE80211R 1993 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1994 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 1995 kde_len += 300; /* FTIE + 2 * TIE */ 1996 } 1997#endif /* CONFIG_IEEE80211R */ 1998 kde = os_malloc(kde_len); 1999 if (kde == NULL) 2000 return; 2001 2002 pos = kde; 2003 os_memcpy(pos, wpa_ie, wpa_ie_len); 2004 pos += wpa_ie_len; 2005#ifdef CONFIG_IEEE80211R 2006 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2007 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 2008 if (res < 0) { 2009 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2010 "PMKR1Name into RSN IE in EAPOL-Key data"); 2011 os_free(kde); 2012 return; 2013 } 2014 pos += res; 2015 } 2016#endif /* CONFIG_IEEE80211R */ 2017 if (gtk) { 2018 u8 hdr[2]; 2019 hdr[0] = keyidx & 0x03; 2020 hdr[1] = 0; 2021 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2022 gtk, gtk_len); 2023 } 2024 pos = ieee80211w_kde_add(sm, pos); 2025 2026#ifdef CONFIG_IEEE80211R 2027 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2028 int res; 2029 struct wpa_auth_config *conf; 2030 2031 conf = &sm->wpa_auth->conf; 2032 res = wpa_write_ftie(conf, conf->r0_key_holder, 2033 conf->r0_key_holder_len, 2034 NULL, NULL, pos, kde + kde_len - pos, 2035 NULL, 0); 2036 if (res < 0) { 2037 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2038 "into EAPOL-Key Key Data"); 2039 os_free(kde); 2040 return; 2041 } 2042 pos += res; 2043 2044 /* TIE[ReassociationDeadline] (TU) */ 2045 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2046 *pos++ = 5; 2047 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2048 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2049 pos += 4; 2050 2051 /* TIE[KeyLifetime] (seconds) */ 2052 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2053 *pos++ = 5; 2054 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2055 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2056 pos += 4; 2057 } 2058#endif /* CONFIG_IEEE80211R */ 2059 2060 wpa_send_eapol(sm->wpa_auth, sm, 2061 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2062 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2063 WPA_KEY_INFO_KEY_TYPE, 2064 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2065 os_free(kde); 2066} 2067 2068 2069SM_STATE(WPA_PTK, PTKINITDONE) 2070{ 2071 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2072 sm->EAPOLKeyReceived = FALSE; 2073 if (sm->Pair) { 2074 enum wpa_alg alg; 2075 int klen; 2076 if (sm->pairwise == WPA_CIPHER_TKIP) { 2077 alg = WPA_ALG_TKIP; 2078 klen = 32; 2079 } else { 2080 alg = WPA_ALG_CCMP; 2081 klen = 16; 2082 } 2083 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2084 sm->PTK.tk1, klen)) { 2085 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2086 return; 2087 } 2088 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2089 sm->pairwise_set = TRUE; 2090 2091 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2092 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2093 eloop_register_timeout(sm->wpa_auth->conf. 2094 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2095 sm->wpa_auth, sm); 2096 } 2097 2098 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2099 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2100 WPA_EAPOL_authorized, 1); 2101 } 2102 } 2103 2104 if (0 /* IBSS == TRUE */) { 2105 sm->keycount++; 2106 if (sm->keycount == 2) { 2107 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2108 WPA_EAPOL_portValid, 1); 2109 } 2110 } else { 2111 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2112 1); 2113 } 2114 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2115 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2116 if (sm->wpa == WPA_VERSION_WPA) 2117 sm->PInitAKeys = TRUE; 2118 else 2119 sm->has_GTK = TRUE; 2120 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2121 "pairwise key handshake completed (%s)", 2122 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2123 2124#ifdef CONFIG_IEEE80211R 2125 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2126#endif /* CONFIG_IEEE80211R */ 2127} 2128 2129 2130SM_STEP(WPA_PTK) 2131{ 2132 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2133 2134 if (sm->Init) 2135 SM_ENTER(WPA_PTK, INITIALIZE); 2136 else if (sm->Disconnect 2137 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2138 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2139 "WPA_PTK: sm->Disconnect"); 2140 SM_ENTER(WPA_PTK, DISCONNECT); 2141 } 2142 else if (sm->DeauthenticationRequest) 2143 SM_ENTER(WPA_PTK, DISCONNECTED); 2144 else if (sm->AuthenticationRequest) 2145 SM_ENTER(WPA_PTK, AUTHENTICATION); 2146 else if (sm->ReAuthenticationRequest) 2147 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2148 else if (sm->PTKRequest) 2149 SM_ENTER(WPA_PTK, PTKSTART); 2150 else switch (sm->wpa_ptk_state) { 2151 case WPA_PTK_INITIALIZE: 2152 break; 2153 case WPA_PTK_DISCONNECT: 2154 SM_ENTER(WPA_PTK, DISCONNECTED); 2155 break; 2156 case WPA_PTK_DISCONNECTED: 2157 SM_ENTER(WPA_PTK, INITIALIZE); 2158 break; 2159 case WPA_PTK_AUTHENTICATION: 2160 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2161 break; 2162 case WPA_PTK_AUTHENTICATION2: 2163 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2164 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2165 WPA_EAPOL_keyRun) > 0) 2166 SM_ENTER(WPA_PTK, INITPMK); 2167 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2168 /* FIX: && 802.1X::keyRun */) 2169 SM_ENTER(WPA_PTK, INITPSK); 2170 break; 2171 case WPA_PTK_INITPMK: 2172 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2173 WPA_EAPOL_keyAvailable) > 0) 2174 SM_ENTER(WPA_PTK, PTKSTART); 2175 else { 2176 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2177 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2178 "INITPMK - keyAvailable = false"); 2179 SM_ENTER(WPA_PTK, DISCONNECT); 2180 } 2181 break; 2182 case WPA_PTK_INITPSK: 2183 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL)) 2184 SM_ENTER(WPA_PTK, PTKSTART); 2185 else { 2186 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2187 "no PSK configured for the STA"); 2188 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2189 SM_ENTER(WPA_PTK, DISCONNECT); 2190 } 2191 break; 2192 case WPA_PTK_PTKSTART: 2193 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2194 sm->EAPOLKeyPairwise) 2195 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2196 else if (sm->TimeoutCtr > 2197 (int) dot11RSNAConfigPairwiseUpdateCount) { 2198 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2199 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2200 "PTKSTART: Retry limit %d reached", 2201 dot11RSNAConfigPairwiseUpdateCount); 2202 SM_ENTER(WPA_PTK, DISCONNECT); 2203 } else if (sm->TimeoutEvt) 2204 SM_ENTER(WPA_PTK, PTKSTART); 2205 break; 2206 case WPA_PTK_PTKCALCNEGOTIATING: 2207 if (sm->MICVerified) 2208 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2209 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2210 sm->EAPOLKeyPairwise) 2211 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2212 else if (sm->TimeoutEvt) 2213 SM_ENTER(WPA_PTK, PTKSTART); 2214 break; 2215 case WPA_PTK_PTKCALCNEGOTIATING2: 2216 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2217 break; 2218 case WPA_PTK_PTKINITNEGOTIATING: 2219 if (sm->update_snonce) 2220 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2221 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2222 sm->EAPOLKeyPairwise && sm->MICVerified) 2223 SM_ENTER(WPA_PTK, PTKINITDONE); 2224 else if (sm->TimeoutCtr > 2225 (int) dot11RSNAConfigPairwiseUpdateCount) { 2226 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2227 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2228 "PTKINITNEGOTIATING: Retry limit %d " 2229 "reached", 2230 dot11RSNAConfigPairwiseUpdateCount); 2231 SM_ENTER(WPA_PTK, DISCONNECT); 2232 } else if (sm->TimeoutEvt) 2233 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2234 break; 2235 case WPA_PTK_PTKINITDONE: 2236 break; 2237 } 2238} 2239 2240 2241SM_STATE(WPA_PTK_GROUP, IDLE) 2242{ 2243 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2244 if (sm->Init) { 2245 /* Init flag is not cleared here, so avoid busy 2246 * loop by claiming nothing changed. */ 2247 sm->changed = FALSE; 2248 } 2249 sm->GTimeoutCtr = 0; 2250} 2251 2252 2253SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2254{ 2255 u8 rsc[WPA_KEY_RSC_LEN]; 2256 struct wpa_group *gsm = sm->group; 2257 u8 *kde, *pos, hdr[2]; 2258 size_t kde_len; 2259 2260 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2261 2262 sm->GTimeoutCtr++; 2263 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2264 /* No point in sending the EAPOL-Key - we will disconnect 2265 * immediately following this. */ 2266 return; 2267 } 2268 2269 if (sm->wpa == WPA_VERSION_WPA) 2270 sm->PInitAKeys = FALSE; 2271 sm->TimeoutEvt = FALSE; 2272 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2273 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2274 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2275 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2276 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2277 "sending 1/2 msg of Group Key Handshake"); 2278 2279 if (sm->wpa == WPA_VERSION_WPA2) { 2280 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2281 ieee80211w_kde_len(sm); 2282 kde = os_malloc(kde_len); 2283 if (kde == NULL) 2284 return; 2285 2286 pos = kde; 2287 hdr[0] = gsm->GN & 0x03; 2288 hdr[1] = 0; 2289 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2290 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2291 pos = ieee80211w_kde_add(sm, pos); 2292 } else { 2293 kde = gsm->GTK[gsm->GN - 1]; 2294 pos = kde + gsm->GTK_len; 2295 } 2296 2297 wpa_send_eapol(sm->wpa_auth, sm, 2298 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2299 WPA_KEY_INFO_ACK | 2300 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2301 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1); 2302 if (sm->wpa == WPA_VERSION_WPA2) 2303 os_free(kde); 2304} 2305 2306 2307SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2308{ 2309 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2310 sm->EAPOLKeyReceived = FALSE; 2311 if (sm->GUpdateStationKeys) 2312 sm->group->GKeyDoneStations--; 2313 sm->GUpdateStationKeys = FALSE; 2314 sm->GTimeoutCtr = 0; 2315 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2316 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2317 "group key handshake completed (%s)", 2318 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2319 sm->has_GTK = TRUE; 2320} 2321 2322 2323SM_STATE(WPA_PTK_GROUP, KEYERROR) 2324{ 2325 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2326 if (sm->GUpdateStationKeys) 2327 sm->group->GKeyDoneStations--; 2328 sm->GUpdateStationKeys = FALSE; 2329 sm->Disconnect = TRUE; 2330} 2331 2332 2333SM_STEP(WPA_PTK_GROUP) 2334{ 2335 if (sm->Init || sm->PtkGroupInit) { 2336 SM_ENTER(WPA_PTK_GROUP, IDLE); 2337 sm->PtkGroupInit = FALSE; 2338 } else switch (sm->wpa_ptk_group_state) { 2339 case WPA_PTK_GROUP_IDLE: 2340 if (sm->GUpdateStationKeys || 2341 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2342 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2343 break; 2344 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2345 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2346 !sm->EAPOLKeyPairwise && sm->MICVerified) 2347 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2348 else if (sm->GTimeoutCtr > 2349 (int) dot11RSNAConfigGroupUpdateCount) 2350 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2351 else if (sm->TimeoutEvt) 2352 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2353 break; 2354 case WPA_PTK_GROUP_KEYERROR: 2355 SM_ENTER(WPA_PTK_GROUP, IDLE); 2356 break; 2357 case WPA_PTK_GROUP_REKEYESTABLISHED: 2358 SM_ENTER(WPA_PTK_GROUP, IDLE); 2359 break; 2360 } 2361} 2362 2363 2364static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2365 struct wpa_group *group) 2366{ 2367 int ret = 0; 2368 2369 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2370 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2371 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2372 wpa_auth->addr, group->GNonce, 2373 group->GTK[group->GN - 1], group->GTK_len) < 0) 2374 ret = -1; 2375 wpa_hexdump_key(MSG_DEBUG, "GTK", 2376 group->GTK[group->GN - 1], group->GTK_len); 2377 2378#ifdef CONFIG_IEEE80211W 2379 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2380 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2381 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2382 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2383 wpa_auth->addr, group->GNonce, 2384 group->IGTK[group->GN_igtk - 4], 2385 WPA_IGTK_LEN) < 0) 2386 ret = -1; 2387 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2388 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN); 2389 } 2390#endif /* CONFIG_IEEE80211W */ 2391 2392 return ret; 2393} 2394 2395 2396static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2397 struct wpa_group *group) 2398{ 2399 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2400 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2401 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2402 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2403 2404 /* GTK[0..N] = 0 */ 2405 os_memset(group->GTK, 0, sizeof(group->GTK)); 2406 group->GN = 1; 2407 group->GM = 2; 2408#ifdef CONFIG_IEEE80211W 2409 group->GN_igtk = 4; 2410 group->GM_igtk = 5; 2411#endif /* CONFIG_IEEE80211W */ 2412 /* GTK[GN] = CalcGTK() */ 2413 wpa_gtk_update(wpa_auth, group); 2414} 2415 2416 2417static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2418{ 2419 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2420 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2421 "Not in PTKINITDONE; skip Group Key update"); 2422 sm->GUpdateStationKeys = FALSE; 2423 return 0; 2424 } 2425 if (sm->GUpdateStationKeys) { 2426 /* 2427 * This should not really happen, so add a debug log entry. 2428 * Since we clear the GKeyDoneStations before the loop, the 2429 * station needs to be counted here anyway. 2430 */ 2431 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2432 "GUpdateStationKeys was already set when " 2433 "marking station for GTK rekeying"); 2434 } 2435 2436 sm->group->GKeyDoneStations++; 2437 sm->GUpdateStationKeys = TRUE; 2438 2439 wpa_sm_step(sm); 2440 return 0; 2441} 2442 2443 2444static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2445 struct wpa_group *group) 2446{ 2447 int tmp; 2448 2449 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2450 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2451 group->changed = TRUE; 2452 group->wpa_group_state = WPA_GROUP_SETKEYS; 2453 group->GTKReKey = FALSE; 2454 tmp = group->GM; 2455 group->GM = group->GN; 2456 group->GN = tmp; 2457#ifdef CONFIG_IEEE80211W 2458 tmp = group->GM_igtk; 2459 group->GM_igtk = group->GN_igtk; 2460 group->GN_igtk = tmp; 2461#endif /* CONFIG_IEEE80211W */ 2462 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2463 * counting the STAs that are marked with GUpdateStationKeys instead of 2464 * including all STAs that could be in not-yet-completed state. */ 2465 wpa_gtk_update(wpa_auth, group); 2466 2467 if (group->GKeyDoneStations) { 2468 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2469 "GKeyDoneStations=%d when starting new GTK rekey", 2470 group->GKeyDoneStations); 2471 group->GKeyDoneStations = 0; 2472 } 2473 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, NULL); 2474 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2475 group->GKeyDoneStations); 2476} 2477 2478 2479static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2480 struct wpa_group *group) 2481{ 2482 int ret = 0; 2483 2484 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2485 wpa_alg_enum(wpa_auth->conf.wpa_group), 2486 broadcast_ether_addr, group->GN, 2487 group->GTK[group->GN - 1], group->GTK_len) < 0) 2488 ret = -1; 2489 2490#ifdef CONFIG_IEEE80211W 2491 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && 2492 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK, 2493 broadcast_ether_addr, group->GN_igtk, 2494 group->IGTK[group->GN_igtk - 4], 2495 WPA_IGTK_LEN) < 0) 2496 ret = -1; 2497#endif /* CONFIG_IEEE80211W */ 2498 2499 return ret; 2500} 2501 2502 2503static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2504 struct wpa_group *group) 2505{ 2506 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2507 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2508 group->changed = TRUE; 2509 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2510 2511 if (wpa_group_config_group_keys(wpa_auth, group) < 0) 2512 return -1; 2513 2514 return 0; 2515} 2516 2517 2518static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2519 struct wpa_group *group) 2520{ 2521 if (group->GInit) { 2522 wpa_group_gtk_init(wpa_auth, group); 2523 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2524 group->GTKAuthenticator) { 2525 wpa_group_setkeysdone(wpa_auth, group); 2526 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2527 group->GTKReKey) { 2528 wpa_group_setkeys(wpa_auth, group); 2529 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2530 if (group->GKeyDoneStations == 0) 2531 wpa_group_setkeysdone(wpa_auth, group); 2532 else if (group->GTKReKey) 2533 wpa_group_setkeys(wpa_auth, group); 2534 } 2535} 2536 2537 2538static int wpa_sm_step(struct wpa_state_machine *sm) 2539{ 2540 if (sm == NULL) 2541 return 0; 2542 2543 if (sm->in_step_loop) { 2544 /* This should not happen, but if it does, make sure we do not 2545 * end up freeing the state machine too early by exiting the 2546 * recursive call. */ 2547 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2548 return 0; 2549 } 2550 2551 sm->in_step_loop = 1; 2552 do { 2553 if (sm->pending_deinit) 2554 break; 2555 2556 sm->changed = FALSE; 2557 sm->wpa_auth->group->changed = FALSE; 2558 2559 SM_STEP_RUN(WPA_PTK); 2560 if (sm->pending_deinit) 2561 break; 2562 SM_STEP_RUN(WPA_PTK_GROUP); 2563 if (sm->pending_deinit) 2564 break; 2565 wpa_group_sm_step(sm->wpa_auth, sm->group); 2566 } while (sm->changed || sm->wpa_auth->group->changed); 2567 sm->in_step_loop = 0; 2568 2569 if (sm->pending_deinit) { 2570 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2571 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2572 wpa_free_sta_sm(sm); 2573 return 1; 2574 } 2575 return 0; 2576} 2577 2578 2579static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2580{ 2581 struct wpa_state_machine *sm = eloop_ctx; 2582 wpa_sm_step(sm); 2583} 2584 2585 2586void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2587{ 2588 if (sm == NULL) 2589 return; 2590 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2591} 2592 2593 2594void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2595{ 2596 int tmp, i; 2597 struct wpa_group *group; 2598 2599 if (wpa_auth == NULL) 2600 return; 2601 2602 group = wpa_auth->group; 2603 2604 for (i = 0; i < 2; i++) { 2605 tmp = group->GM; 2606 group->GM = group->GN; 2607 group->GN = tmp; 2608#ifdef CONFIG_IEEE80211W 2609 tmp = group->GM_igtk; 2610 group->GM_igtk = group->GN_igtk; 2611 group->GN_igtk = tmp; 2612#endif /* CONFIG_IEEE80211W */ 2613 wpa_gtk_update(wpa_auth, group); 2614 wpa_group_config_group_keys(wpa_auth, group); 2615 } 2616} 2617 2618 2619static const char * wpa_bool_txt(int bool) 2620{ 2621 return bool ? "TRUE" : "FALSE"; 2622} 2623 2624 2625static int wpa_cipher_bits(int cipher) 2626{ 2627 switch (cipher) { 2628 case WPA_CIPHER_CCMP: 2629 return 128; 2630 case WPA_CIPHER_TKIP: 2631 return 256; 2632 case WPA_CIPHER_WEP104: 2633 return 104; 2634 case WPA_CIPHER_WEP40: 2635 return 40; 2636 default: 2637 return 0; 2638 } 2639} 2640 2641 2642#define RSN_SUITE "%02x-%02x-%02x-%d" 2643#define RSN_SUITE_ARG(s) \ 2644((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2645 2646int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2647{ 2648 int len = 0, ret; 2649 char pmkid_txt[PMKID_LEN * 2 + 1]; 2650#ifdef CONFIG_RSN_PREAUTH 2651 const int preauth = 1; 2652#else /* CONFIG_RSN_PREAUTH */ 2653 const int preauth = 0; 2654#endif /* CONFIG_RSN_PREAUTH */ 2655 2656 if (wpa_auth == NULL) 2657 return len; 2658 2659 ret = os_snprintf(buf + len, buflen - len, 2660 "dot11RSNAOptionImplemented=TRUE\n" 2661 "dot11RSNAPreauthenticationImplemented=%s\n" 2662 "dot11RSNAEnabled=%s\n" 2663 "dot11RSNAPreauthenticationEnabled=%s\n", 2664 wpa_bool_txt(preauth), 2665 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2666 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2667 if (ret < 0 || (size_t) ret >= buflen - len) 2668 return len; 2669 len += ret; 2670 2671 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2672 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2673 2674 ret = os_snprintf( 2675 buf + len, buflen - len, 2676 "dot11RSNAConfigVersion=%u\n" 2677 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2678 /* FIX: dot11RSNAConfigGroupCipher */ 2679 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2680 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2681 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2682 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2683 "dot11RSNAConfigGroupUpdateCount=%u\n" 2684 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2685 "dot11RSNAConfigGroupCipherSize=%u\n" 2686 "dot11RSNAConfigPMKLifetime=%u\n" 2687 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2688 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2689 "dot11RSNAConfigSATimeout=%u\n" 2690 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2691 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2692 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2693 "dot11RSNAPMKIDUsed=%s\n" 2694 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2695 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2696 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2697 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 2698 "dot11RSNA4WayHandshakeFailures=%u\n" 2699 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 2700 RSN_VERSION, 2701 !!wpa_auth->conf.wpa_strict_rekey, 2702 dot11RSNAConfigGroupUpdateCount, 2703 dot11RSNAConfigPairwiseUpdateCount, 2704 wpa_cipher_bits(wpa_auth->conf.wpa_group), 2705 dot11RSNAConfigPMKLifetime, 2706 dot11RSNAConfigPMKReauthThreshold, 2707 dot11RSNAConfigSATimeout, 2708 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 2709 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 2710 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 2711 pmkid_txt, 2712 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 2713 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 2714 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 2715 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 2716 wpa_auth->dot11RSNA4WayHandshakeFailures); 2717 if (ret < 0 || (size_t) ret >= buflen - len) 2718 return len; 2719 len += ret; 2720 2721 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 2722 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 2723 2724 /* Private MIB */ 2725 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 2726 wpa_auth->group->wpa_group_state); 2727 if (ret < 0 || (size_t) ret >= buflen - len) 2728 return len; 2729 len += ret; 2730 2731 return len; 2732} 2733 2734 2735int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 2736{ 2737 int len = 0, ret; 2738 u32 pairwise = 0; 2739 2740 if (sm == NULL) 2741 return 0; 2742 2743 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 2744 2745 /* dot11RSNAStatsEntry */ 2746 2747 if (sm->wpa == WPA_VERSION_WPA) { 2748 if (sm->pairwise == WPA_CIPHER_CCMP) 2749 pairwise = WPA_CIPHER_SUITE_CCMP; 2750 else if (sm->pairwise == WPA_CIPHER_TKIP) 2751 pairwise = WPA_CIPHER_SUITE_TKIP; 2752 else if (sm->pairwise == WPA_CIPHER_WEP104) 2753 pairwise = WPA_CIPHER_SUITE_WEP104; 2754 else if (sm->pairwise == WPA_CIPHER_WEP40) 2755 pairwise = WPA_CIPHER_SUITE_WEP40; 2756 else if (sm->pairwise == WPA_CIPHER_NONE) 2757 pairwise = WPA_CIPHER_SUITE_NONE; 2758 } else if (sm->wpa == WPA_VERSION_WPA2) { 2759 if (sm->pairwise == WPA_CIPHER_CCMP) 2760 pairwise = RSN_CIPHER_SUITE_CCMP; 2761 else if (sm->pairwise == WPA_CIPHER_TKIP) 2762 pairwise = RSN_CIPHER_SUITE_TKIP; 2763 else if (sm->pairwise == WPA_CIPHER_WEP104) 2764 pairwise = RSN_CIPHER_SUITE_WEP104; 2765 else if (sm->pairwise == WPA_CIPHER_WEP40) 2766 pairwise = RSN_CIPHER_SUITE_WEP40; 2767 else if (sm->pairwise == WPA_CIPHER_NONE) 2768 pairwise = RSN_CIPHER_SUITE_NONE; 2769 } else 2770 return 0; 2771 2772 ret = os_snprintf( 2773 buf + len, buflen - len, 2774 /* TODO: dot11RSNAStatsIndex */ 2775 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 2776 "dot11RSNAStatsVersion=1\n" 2777 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 2778 /* TODO: dot11RSNAStatsTKIPICVErrors */ 2779 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 2780 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 2781 /* TODO: dot11RSNAStatsCCMPReplays */ 2782 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 2783 /* TODO: dot11RSNAStatsTKIPReplays */, 2784 MAC2STR(sm->addr), 2785 RSN_SUITE_ARG(pairwise), 2786 sm->dot11RSNAStatsTKIPLocalMICFailures, 2787 sm->dot11RSNAStatsTKIPRemoteMICFailures); 2788 if (ret < 0 || (size_t) ret >= buflen - len) 2789 return len; 2790 len += ret; 2791 2792 /* Private MIB */ 2793 ret = os_snprintf(buf + len, buflen - len, 2794 "hostapdWPAPTKState=%d\n" 2795 "hostapdWPAPTKGroupState=%d\n", 2796 sm->wpa_ptk_state, 2797 sm->wpa_ptk_group_state); 2798 if (ret < 0 || (size_t) ret >= buflen - len) 2799 return len; 2800 len += ret; 2801 2802 return len; 2803} 2804 2805 2806void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 2807{ 2808 if (wpa_auth) 2809 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 2810} 2811 2812 2813int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 2814{ 2815 return sm && sm->pairwise_set; 2816} 2817 2818 2819int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 2820{ 2821 return sm->pairwise; 2822} 2823 2824 2825int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 2826{ 2827 if (sm == NULL) 2828 return -1; 2829 return sm->wpa_key_mgmt; 2830} 2831 2832 2833int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 2834{ 2835 if (sm == NULL) 2836 return 0; 2837 return sm->wpa; 2838} 2839 2840 2841int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 2842 struct rsn_pmksa_cache_entry *entry) 2843{ 2844 if (sm == NULL || sm->pmksa != entry) 2845 return -1; 2846 sm->pmksa = NULL; 2847 return 0; 2848} 2849 2850 2851struct rsn_pmksa_cache_entry * 2852wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 2853{ 2854 return sm ? sm->pmksa : NULL; 2855} 2856 2857 2858void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 2859{ 2860 if (sm) 2861 sm->dot11RSNAStatsTKIPLocalMICFailures++; 2862} 2863 2864 2865const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 2866{ 2867 if (wpa_auth == NULL) 2868 return NULL; 2869 *len = wpa_auth->wpa_ie_len; 2870 return wpa_auth->wpa_ie; 2871} 2872 2873 2874int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 2875 int session_timeout, struct eapol_state_machine *eapol) 2876{ 2877 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 2878 sm->wpa_auth->conf.disable_pmksa_caching) 2879 return -1; 2880 2881 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 2882 sm->wpa_auth->addr, sm->addr, session_timeout, 2883 eapol, sm->wpa_key_mgmt)) 2884 return 0; 2885 2886 return -1; 2887} 2888 2889 2890int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 2891 const u8 *pmk, size_t len, const u8 *sta_addr, 2892 int session_timeout, 2893 struct eapol_state_machine *eapol) 2894{ 2895 if (wpa_auth == NULL) 2896 return -1; 2897 2898 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr, 2899 sta_addr, session_timeout, eapol, 2900 WPA_KEY_MGMT_IEEE8021X)) 2901 return 0; 2902 2903 return -1; 2904} 2905 2906 2907static struct wpa_group * 2908wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 2909{ 2910 struct wpa_group *group; 2911 2912 if (wpa_auth == NULL || wpa_auth->group == NULL) 2913 return NULL; 2914 2915 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 2916 vlan_id); 2917 group = wpa_group_init(wpa_auth, vlan_id, 0); 2918 if (group == NULL) 2919 return NULL; 2920 2921 group->next = wpa_auth->group->next; 2922 wpa_auth->group->next = group; 2923 2924 return group; 2925} 2926 2927 2928int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 2929{ 2930 struct wpa_group *group; 2931 2932 if (sm == NULL || sm->wpa_auth == NULL) 2933 return 0; 2934 2935 group = sm->wpa_auth->group; 2936 while (group) { 2937 if (group->vlan_id == vlan_id) 2938 break; 2939 group = group->next; 2940 } 2941 2942 if (group == NULL) { 2943 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 2944 if (group == NULL) 2945 return -1; 2946 } 2947 2948 if (sm->group == group) 2949 return 0; 2950 2951 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 2952 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 2953 2954 sm->group = group; 2955 return 0; 2956} 2957 2958 2959void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 2960 struct wpa_state_machine *sm, int ack) 2961{ 2962 if (wpa_auth == NULL || sm == NULL) 2963 return; 2964 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 2965 " ack=%d", MAC2STR(sm->addr), ack); 2966 if (sm->pending_1_of_4_timeout && ack) { 2967 /* 2968 * Some deployed supplicant implementations update their SNonce 2969 * for each EAPOL-Key 2/4 message even within the same 4-way 2970 * handshake and then fail to use the first SNonce when 2971 * deriving the PTK. This results in unsuccessful 4-way 2972 * handshake whenever the relatively short initial timeout is 2973 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 2974 * around this by increasing the timeout now that we know that 2975 * the station has received the frame. 2976 */ 2977 int timeout_ms = eapol_key_timeout_subseq; 2978 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 2979 "timeout by %u ms because of acknowledged frame", 2980 timeout_ms); 2981 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 2982 eloop_register_timeout(timeout_ms / 1000, 2983 (timeout_ms % 1000) * 1000, 2984 wpa_send_eapol_timeout, wpa_auth, sm); 2985 } 2986} 2987