wpa_auth.c revision 68d0e3ed07847339aedfac8e02f50db68c702e52
1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "common/ieee802_11_defs.h" 15#include "crypto/aes_wrap.h" 16#include "crypto/crypto.h" 17#include "crypto/sha1.h" 18#include "crypto/sha256.h" 19#include "crypto/random.h" 20#include "eapol_auth/eapol_auth_sm.h" 21#include "ap_config.h" 22#include "ieee802_11.h" 23#include "wpa_auth.h" 24#include "pmksa_cache_auth.h" 25#include "wpa_auth_i.h" 26#include "wpa_auth_ie.h" 27 28#define STATE_MACHINE_DATA struct wpa_state_machine 29#define STATE_MACHINE_DEBUG_PREFIX "WPA" 30#define STATE_MACHINE_ADDR sm->addr 31 32 33static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 34static int wpa_sm_step(struct wpa_state_machine *sm); 35static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len); 36static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 37static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 38 struct wpa_group *group); 39static void wpa_request_new_ptk(struct wpa_state_machine *sm); 40static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 41 struct wpa_group *group); 42static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 45static const u32 dot11RSNAConfigGroupUpdateCount = 4; 46static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 47static const u32 eapol_key_timeout_first = 100; /* ms */ 48static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 49static const u32 eapol_key_timeout_first_group = 500; /* ms */ 50 51/* TODO: make these configurable */ 52static const int dot11RSNAConfigPMKLifetime = 43200; 53static const int dot11RSNAConfigPMKReauthThreshold = 70; 54static const int dot11RSNAConfigSATimeout = 60; 55 56 57static inline int wpa_auth_mic_failure_report( 58 struct wpa_authenticator *wpa_auth, const u8 *addr) 59{ 60 if (wpa_auth->cb.mic_failure_report) 61 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 62 return 0; 63} 64 65 66static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 67 const u8 *addr, wpa_eapol_variable var, 68 int value) 69{ 70 if (wpa_auth->cb.set_eapol) 71 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 72} 73 74 75static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 76 const u8 *addr, wpa_eapol_variable var) 77{ 78 if (wpa_auth->cb.get_eapol == NULL) 79 return -1; 80 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 81} 82 83 84static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 85 const u8 *addr, 86 const u8 *p2p_dev_addr, 87 const u8 *prev_psk) 88{ 89 if (wpa_auth->cb.get_psk == NULL) 90 return NULL; 91 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr, 92 prev_psk); 93} 94 95 96static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 97 const u8 *addr, u8 *msk, size_t *len) 98{ 99 if (wpa_auth->cb.get_msk == NULL) 100 return -1; 101 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 102} 103 104 105static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 106 int vlan_id, 107 enum wpa_alg alg, const u8 *addr, int idx, 108 u8 *key, size_t key_len) 109{ 110 if (wpa_auth->cb.set_key == NULL) 111 return -1; 112 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 113 key, key_len); 114} 115 116 117static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 118 const u8 *addr, int idx, u8 *seq) 119{ 120 if (wpa_auth->cb.get_seqnum == NULL) 121 return -1; 122 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 123} 124 125 126static inline int 127wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 128 const u8 *data, size_t data_len, int encrypt) 129{ 130 if (wpa_auth->cb.send_eapol == NULL) 131 return -1; 132 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 133 encrypt); 134} 135 136 137int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 138 int (*cb)(struct wpa_state_machine *sm, void *ctx), 139 void *cb_ctx) 140{ 141 if (wpa_auth->cb.for_each_sta == NULL) 142 return 0; 143 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 144} 145 146 147int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 148 int (*cb)(struct wpa_authenticator *a, void *ctx), 149 void *cb_ctx) 150{ 151 if (wpa_auth->cb.for_each_auth == NULL) 152 return 0; 153 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 154} 155 156 157void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 158 logger_level level, const char *txt) 159{ 160 if (wpa_auth->cb.logger == NULL) 161 return; 162 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 163} 164 165 166void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 167 logger_level level, const char *fmt, ...) 168{ 169 char *format; 170 int maxlen; 171 va_list ap; 172 173 if (wpa_auth->cb.logger == NULL) 174 return; 175 176 maxlen = os_strlen(fmt) + 100; 177 format = os_malloc(maxlen); 178 if (!format) 179 return; 180 181 va_start(ap, fmt); 182 vsnprintf(format, maxlen, fmt, ap); 183 va_end(ap); 184 185 wpa_auth_logger(wpa_auth, addr, level, format); 186 187 os_free(format); 188} 189 190 191static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 192 const u8 *addr) 193{ 194 if (wpa_auth->cb.disconnect == NULL) 195 return; 196 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 197 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 198 WLAN_REASON_PREV_AUTH_NOT_VALID); 199} 200 201 202static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 203{ 204 int ret = 0; 205#ifdef CONFIG_IEEE80211R 206 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 207 ret = 1; 208#endif /* CONFIG_IEEE80211R */ 209#ifdef CONFIG_IEEE80211W 210 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 211 ret = 1; 212#endif /* CONFIG_IEEE80211W */ 213 return ret; 214} 215 216 217static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 218{ 219 struct wpa_authenticator *wpa_auth = eloop_ctx; 220 221 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 222 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 223 "initialization."); 224 } else { 225 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 226 wpa_hexdump_key(MSG_DEBUG, "GMK", 227 wpa_auth->group->GMK, WPA_GMK_LEN); 228 } 229 230 if (wpa_auth->conf.wpa_gmk_rekey) { 231 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 232 wpa_rekey_gmk, wpa_auth, NULL); 233 } 234} 235 236 237static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 238{ 239 struct wpa_authenticator *wpa_auth = eloop_ctx; 240 struct wpa_group *group; 241 242 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 243 for (group = wpa_auth->group; group; group = group->next) { 244 group->GTKReKey = TRUE; 245 do { 246 group->changed = FALSE; 247 wpa_group_sm_step(wpa_auth, group); 248 } while (group->changed); 249 } 250 251 if (wpa_auth->conf.wpa_group_rekey) { 252 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 253 0, wpa_rekey_gtk, wpa_auth, NULL); 254 } 255} 256 257 258static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 259{ 260 struct wpa_authenticator *wpa_auth = eloop_ctx; 261 struct wpa_state_machine *sm = timeout_ctx; 262 263 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 264 wpa_request_new_ptk(sm); 265 wpa_sm_step(sm); 266} 267 268 269static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 270{ 271 if (sm->pmksa == ctx) 272 sm->pmksa = NULL; 273 return 0; 274} 275 276 277static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 278 void *ctx) 279{ 280 struct wpa_authenticator *wpa_auth = ctx; 281 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 282} 283 284 285static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 286 struct wpa_group *group) 287{ 288 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 289 u8 rkey[32]; 290 unsigned long ptr; 291 292 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 293 return -1; 294 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 295 296 /* 297 * Counter = PRF-256(Random number, "Init Counter", 298 * Local MAC Address || Time) 299 */ 300 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 301 wpa_get_ntp_timestamp(buf + ETH_ALEN); 302 ptr = (unsigned long) group; 303 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 304 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 305 return -1; 306 307 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 308 group->Counter, WPA_NONCE_LEN) < 0) 309 return -1; 310 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 311 group->Counter, WPA_NONCE_LEN); 312 313 return 0; 314} 315 316 317static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 318 int vlan_id, int delay_init) 319{ 320 struct wpa_group *group; 321 322 group = os_zalloc(sizeof(struct wpa_group)); 323 if (group == NULL) 324 return NULL; 325 326 group->GTKAuthenticator = TRUE; 327 group->vlan_id = vlan_id; 328 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 329 330 if (random_pool_ready() != 1) { 331 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 332 "for secure operations - update keys later when " 333 "the first station connects"); 334 } 335 336 /* 337 * Set initial GMK/Counter value here. The actual values that will be 338 * used in negotiations will be set once the first station tries to 339 * connect. This allows more time for collecting additional randomness 340 * on embedded devices. 341 */ 342 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 343 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 344 "initialization."); 345 os_free(group); 346 return NULL; 347 } 348 349 group->GInit = TRUE; 350 if (delay_init) { 351 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 352 "until Beacon frames have been configured"); 353 /* Initialization is completed in wpa_init_keys(). */ 354 } else { 355 wpa_group_sm_step(wpa_auth, group); 356 group->GInit = FALSE; 357 wpa_group_sm_step(wpa_auth, group); 358 } 359 360 return group; 361} 362 363 364/** 365 * wpa_init - Initialize WPA authenticator 366 * @addr: Authenticator address 367 * @conf: Configuration for WPA authenticator 368 * @cb: Callback functions for WPA authenticator 369 * Returns: Pointer to WPA authenticator data or %NULL on failure 370 */ 371struct wpa_authenticator * wpa_init(const u8 *addr, 372 struct wpa_auth_config *conf, 373 struct wpa_auth_callbacks *cb) 374{ 375 struct wpa_authenticator *wpa_auth; 376 377 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 378 if (wpa_auth == NULL) 379 return NULL; 380 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 381 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 382 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 383 384 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 385 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 386 os_free(wpa_auth); 387 return NULL; 388 } 389 390 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 391 if (wpa_auth->group == NULL) { 392 os_free(wpa_auth->wpa_ie); 393 os_free(wpa_auth); 394 return NULL; 395 } 396 397 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 398 wpa_auth); 399 if (wpa_auth->pmksa == NULL) { 400 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 401 os_free(wpa_auth->wpa_ie); 402 os_free(wpa_auth); 403 return NULL; 404 } 405 406#ifdef CONFIG_IEEE80211R 407 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 408 if (wpa_auth->ft_pmk_cache == NULL) { 409 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 410 os_free(wpa_auth->wpa_ie); 411 pmksa_cache_auth_deinit(wpa_auth->pmksa); 412 os_free(wpa_auth); 413 return NULL; 414 } 415#endif /* CONFIG_IEEE80211R */ 416 417 if (wpa_auth->conf.wpa_gmk_rekey) { 418 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 419 wpa_rekey_gmk, wpa_auth, NULL); 420 } 421 422 if (wpa_auth->conf.wpa_group_rekey) { 423 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 424 wpa_rekey_gtk, wpa_auth, NULL); 425 } 426 427 return wpa_auth; 428} 429 430 431int wpa_init_keys(struct wpa_authenticator *wpa_auth) 432{ 433 struct wpa_group *group = wpa_auth->group; 434 435 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 436 "keys"); 437 wpa_group_sm_step(wpa_auth, group); 438 group->GInit = FALSE; 439 wpa_group_sm_step(wpa_auth, group); 440 return 0; 441} 442 443 444/** 445 * wpa_deinit - Deinitialize WPA authenticator 446 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 447 */ 448void wpa_deinit(struct wpa_authenticator *wpa_auth) 449{ 450 struct wpa_group *group, *prev; 451 452 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 453 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 454 455#ifdef CONFIG_PEERKEY 456 while (wpa_auth->stsl_negotiations) 457 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 458#endif /* CONFIG_PEERKEY */ 459 460 pmksa_cache_auth_deinit(wpa_auth->pmksa); 461 462#ifdef CONFIG_IEEE80211R 463 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 464 wpa_auth->ft_pmk_cache = NULL; 465#endif /* CONFIG_IEEE80211R */ 466 467 os_free(wpa_auth->wpa_ie); 468 469 group = wpa_auth->group; 470 while (group) { 471 prev = group; 472 group = group->next; 473 os_free(prev); 474 } 475 476 os_free(wpa_auth); 477} 478 479 480/** 481 * wpa_reconfig - Update WPA authenticator configuration 482 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 483 * @conf: Configuration for WPA authenticator 484 */ 485int wpa_reconfig(struct wpa_authenticator *wpa_auth, 486 struct wpa_auth_config *conf) 487{ 488 struct wpa_group *group; 489 if (wpa_auth == NULL) 490 return 0; 491 492 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 493 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 494 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 495 return -1; 496 } 497 498 /* 499 * Reinitialize GTK to make sure it is suitable for the new 500 * configuration. 501 */ 502 group = wpa_auth->group; 503 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 504 group->GInit = TRUE; 505 wpa_group_sm_step(wpa_auth, group); 506 group->GInit = FALSE; 507 wpa_group_sm_step(wpa_auth, group); 508 509 return 0; 510} 511 512 513struct wpa_state_machine * 514wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 515 const u8 *p2p_dev_addr) 516{ 517 struct wpa_state_machine *sm; 518 519 sm = os_zalloc(sizeof(struct wpa_state_machine)); 520 if (sm == NULL) 521 return NULL; 522 os_memcpy(sm->addr, addr, ETH_ALEN); 523 if (p2p_dev_addr) 524 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 525 526 sm->wpa_auth = wpa_auth; 527 sm->group = wpa_auth->group; 528 529 return sm; 530} 531 532 533int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 534 struct wpa_state_machine *sm) 535{ 536 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 537 return -1; 538 539#ifdef CONFIG_IEEE80211R 540 if (sm->ft_completed) { 541 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 542 "FT authentication already completed - do not " 543 "start 4-way handshake"); 544 return 0; 545 } 546#endif /* CONFIG_IEEE80211R */ 547 548 if (sm->started) { 549 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 550 sm->ReAuthenticationRequest = TRUE; 551 return wpa_sm_step(sm); 552 } 553 554 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 555 "start authentication"); 556 sm->started = 1; 557 558 sm->Init = TRUE; 559 if (wpa_sm_step(sm) == 1) 560 return 1; /* should not really happen */ 561 sm->Init = FALSE; 562 sm->AuthenticationRequest = TRUE; 563 return wpa_sm_step(sm); 564} 565 566 567void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 568{ 569 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 570 * reassociates back to the same AP while the previous entry for the 571 * STA has not yet been removed. */ 572 if (sm == NULL) 573 return; 574 575 sm->wpa_key_mgmt = 0; 576} 577 578 579static void wpa_free_sta_sm(struct wpa_state_machine *sm) 580{ 581 if (sm->GUpdateStationKeys) { 582 sm->group->GKeyDoneStations--; 583 sm->GUpdateStationKeys = FALSE; 584 } 585#ifdef CONFIG_IEEE80211R 586 os_free(sm->assoc_resp_ftie); 587#endif /* CONFIG_IEEE80211R */ 588 os_free(sm->last_rx_eapol_key); 589 os_free(sm->wpa_ie); 590 os_free(sm); 591} 592 593 594void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 595{ 596 if (sm == NULL) 597 return; 598 599 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 600 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 601 "strict rekeying - force GTK rekey since STA " 602 "is leaving"); 603 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 604 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 605 NULL); 606 } 607 608 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 609 sm->pending_1_of_4_timeout = 0; 610 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 611 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 612 if (sm->in_step_loop) { 613 /* Must not free state machine while wpa_sm_step() is running. 614 * Freeing will be completed in the end of wpa_sm_step(). */ 615 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 616 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 617 sm->pending_deinit = 1; 618 } else 619 wpa_free_sta_sm(sm); 620} 621 622 623static void wpa_request_new_ptk(struct wpa_state_machine *sm) 624{ 625 if (sm == NULL) 626 return; 627 628 sm->PTKRequest = TRUE; 629 sm->PTK_valid = 0; 630} 631 632 633static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 634 const u8 *replay_counter) 635{ 636 int i; 637 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 638 if (!ctr[i].valid) 639 break; 640 if (os_memcmp(replay_counter, ctr[i].counter, 641 WPA_REPLAY_COUNTER_LEN) == 0) 642 return 1; 643 } 644 return 0; 645} 646 647 648static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 649 const u8 *replay_counter) 650{ 651 int i; 652 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 653 if (ctr[i].valid && 654 (replay_counter == NULL || 655 os_memcmp(replay_counter, ctr[i].counter, 656 WPA_REPLAY_COUNTER_LEN) == 0)) 657 ctr[i].valid = FALSE; 658 } 659} 660 661 662#ifdef CONFIG_IEEE80211R 663static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 664 struct wpa_state_machine *sm, 665 struct wpa_eapol_ie_parse *kde) 666{ 667 struct wpa_ie_data ie; 668 struct rsn_mdie *mdie; 669 670 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 671 ie.num_pmkid != 1 || ie.pmkid == NULL) { 672 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 673 "FT 4-way handshake message 2/4"); 674 return -1; 675 } 676 677 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 678 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 679 sm->sup_pmk_r1_name, PMKID_LEN); 680 681 if (!kde->mdie || !kde->ftie) { 682 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 683 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 684 return -1; 685 } 686 687 mdie = (struct rsn_mdie *) (kde->mdie + 2); 688 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 689 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 690 MOBILITY_DOMAIN_ID_LEN) != 0) { 691 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 692 return -1; 693 } 694 695 if (sm->assoc_resp_ftie && 696 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 697 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 698 2 + sm->assoc_resp_ftie[1]) != 0)) { 699 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 700 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 701 kde->ftie, kde->ftie_len); 702 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 703 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 704 return -1; 705 } 706 707 return 0; 708} 709#endif /* CONFIG_IEEE80211R */ 710 711 712static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 713 struct wpa_state_machine *sm, int group) 714{ 715 /* Supplicant reported a Michael MIC error */ 716 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 717 "received EAPOL-Key Error Request " 718 "(STA detected Michael MIC failure (group=%d))", 719 group); 720 721 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 722 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 723 "ignore Michael MIC failure report since " 724 "group cipher is not TKIP"); 725 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 726 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 727 "ignore Michael MIC failure report since " 728 "pairwise cipher is not TKIP"); 729 } else { 730 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 731 return 1; /* STA entry was removed */ 732 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 733 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 734 } 735 736 /* 737 * Error report is not a request for a new key handshake, but since 738 * Authenticator may do it, let's change the keys now anyway. 739 */ 740 wpa_request_new_ptk(sm); 741 return 0; 742} 743 744 745void wpa_receive(struct wpa_authenticator *wpa_auth, 746 struct wpa_state_machine *sm, 747 u8 *data, size_t data_len) 748{ 749 struct ieee802_1x_hdr *hdr; 750 struct wpa_eapol_key *key; 751 u16 key_info, key_data_length; 752 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 753 SMK_M1, SMK_M3, SMK_ERROR } msg; 754 char *msgtxt; 755 struct wpa_eapol_ie_parse kde; 756 int ft; 757 const u8 *eapol_key_ie; 758 size_t eapol_key_ie_len; 759 760 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 761 return; 762 763 if (data_len < sizeof(*hdr) + sizeof(*key)) 764 return; 765 766 hdr = (struct ieee802_1x_hdr *) data; 767 key = (struct wpa_eapol_key *) (hdr + 1); 768 key_info = WPA_GET_BE16(key->key_info); 769 key_data_length = WPA_GET_BE16(key->key_data_length); 770 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 771 " key_info=0x%x type=%u key_data_length=%u", 772 MAC2STR(sm->addr), key_info, key->type, key_data_length); 773 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 774 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 775 "key_data overflow (%d > %lu)", 776 key_data_length, 777 (unsigned long) (data_len - sizeof(*hdr) - 778 sizeof(*key))); 779 return; 780 } 781 782 if (sm->wpa == WPA_VERSION_WPA2) { 783 if (key->type == EAPOL_KEY_TYPE_WPA) { 784 /* 785 * Some deployed station implementations seem to send 786 * msg 4/4 with incorrect type value in WPA2 mode. 787 */ 788 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 789 "with unexpected WPA type in RSN mode"); 790 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 791 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 792 "unexpected type %d in RSN mode", 793 key->type); 794 return; 795 } 796 } else { 797 if (key->type != EAPOL_KEY_TYPE_WPA) { 798 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 799 "unexpected type %d in WPA mode", 800 key->type); 801 return; 802 } 803 } 804 805 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 806 WPA_NONCE_LEN); 807 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 808 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 809 810 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 811 * are set */ 812 813 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 814 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 815 if (key_info & WPA_KEY_INFO_ERROR) { 816 msg = SMK_ERROR; 817 msgtxt = "SMK Error"; 818 } else { 819 msg = SMK_M1; 820 msgtxt = "SMK M1"; 821 } 822 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 823 msg = SMK_M3; 824 msgtxt = "SMK M3"; 825 } else if (key_info & WPA_KEY_INFO_REQUEST) { 826 msg = REQUEST; 827 msgtxt = "Request"; 828 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 829 msg = GROUP_2; 830 msgtxt = "2/2 Group"; 831 } else if (key_data_length == 0) { 832 msg = PAIRWISE_4; 833 msgtxt = "4/4 Pairwise"; 834 } else { 835 msg = PAIRWISE_2; 836 msgtxt = "2/4 Pairwise"; 837 } 838 839 /* TODO: key_info type validation for PeerKey */ 840 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 841 msg == GROUP_2) { 842 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 843 if (sm->pairwise == WPA_CIPHER_CCMP || 844 sm->pairwise == WPA_CIPHER_GCMP) { 845 if (wpa_use_aes_cmac(sm) && 846 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 847 wpa_auth_logger(wpa_auth, sm->addr, 848 LOGGER_WARNING, 849 "advertised support for " 850 "AES-128-CMAC, but did not " 851 "use it"); 852 return; 853 } 854 855 if (!wpa_use_aes_cmac(sm) && 856 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 857 wpa_auth_logger(wpa_auth, sm->addr, 858 LOGGER_WARNING, 859 "did not use HMAC-SHA1-AES " 860 "with CCMP/GCMP"); 861 return; 862 } 863 } 864 } 865 866 if (key_info & WPA_KEY_INFO_REQUEST) { 867 if (sm->req_replay_counter_used && 868 os_memcmp(key->replay_counter, sm->req_replay_counter, 869 WPA_REPLAY_COUNTER_LEN) <= 0) { 870 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 871 "received EAPOL-Key request with " 872 "replayed counter"); 873 return; 874 } 875 } 876 877 if (!(key_info & WPA_KEY_INFO_REQUEST) && 878 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 879 int i; 880 881 if (msg == PAIRWISE_2 && 882 wpa_replay_counter_valid(sm->prev_key_replay, 883 key->replay_counter) && 884 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 885 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 886 { 887 /* 888 * Some supplicant implementations (e.g., Windows XP 889 * WZC) update SNonce for each EAPOL-Key 2/4. This 890 * breaks the workaround on accepting any of the 891 * pending requests, so allow the SNonce to be updated 892 * even if we have already sent out EAPOL-Key 3/4. 893 */ 894 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 895 "Process SNonce update from STA " 896 "based on retransmitted EAPOL-Key " 897 "1/4"); 898 sm->update_snonce = 1; 899 wpa_replay_counter_mark_invalid(sm->prev_key_replay, 900 key->replay_counter); 901 goto continue_processing; 902 } 903 904 if (msg == PAIRWISE_2 && 905 wpa_replay_counter_valid(sm->prev_key_replay, 906 key->replay_counter) && 907 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 908 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 909 "ignore retransmitted EAPOL-Key %s - " 910 "SNonce did not change", msgtxt); 911 } else { 912 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 913 "received EAPOL-Key %s with " 914 "unexpected replay counter", msgtxt); 915 } 916 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 917 if (!sm->key_replay[i].valid) 918 break; 919 wpa_hexdump(MSG_DEBUG, "pending replay counter", 920 sm->key_replay[i].counter, 921 WPA_REPLAY_COUNTER_LEN); 922 } 923 wpa_hexdump(MSG_DEBUG, "received replay counter", 924 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 925 return; 926 } 927 928continue_processing: 929 switch (msg) { 930 case PAIRWISE_2: 931 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 932 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 933 (!sm->update_snonce || 934 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 935 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 936 "received EAPOL-Key msg 2/4 in " 937 "invalid state (%d) - dropped", 938 sm->wpa_ptk_state); 939 return; 940 } 941 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 942 if (sm->group->reject_4way_hs_for_entropy) { 943 /* 944 * The system did not have enough entropy to generate 945 * strong random numbers. Reject the first 4-way 946 * handshake(s) and collect some entropy based on the 947 * information from it. Once enough entropy is 948 * available, the next atempt will trigger GMK/Key 949 * Counter update and the station will be allowed to 950 * continue. 951 */ 952 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 953 "collect more entropy for random number " 954 "generation"); 955 random_mark_pool_ready(); 956 wpa_sta_disconnect(wpa_auth, sm->addr); 957 return; 958 } 959 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 960 &kde) < 0) { 961 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 962 "received EAPOL-Key msg 2/4 with " 963 "invalid Key Data contents"); 964 return; 965 } 966 if (kde.rsn_ie) { 967 eapol_key_ie = kde.rsn_ie; 968 eapol_key_ie_len = kde.rsn_ie_len; 969 } else { 970 eapol_key_ie = kde.wpa_ie; 971 eapol_key_ie_len = kde.wpa_ie_len; 972 } 973 ft = sm->wpa == WPA_VERSION_WPA2 && 974 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 975 if (sm->wpa_ie == NULL || 976 wpa_compare_rsn_ie(ft, 977 sm->wpa_ie, sm->wpa_ie_len, 978 eapol_key_ie, eapol_key_ie_len)) { 979 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 980 "WPA IE from (Re)AssocReq did not " 981 "match with msg 2/4"); 982 if (sm->wpa_ie) { 983 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 984 sm->wpa_ie, sm->wpa_ie_len); 985 } 986 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 987 eapol_key_ie, eapol_key_ie_len); 988 /* MLME-DEAUTHENTICATE.request */ 989 wpa_sta_disconnect(wpa_auth, sm->addr); 990 return; 991 } 992#ifdef CONFIG_IEEE80211R 993 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 994 wpa_sta_disconnect(wpa_auth, sm->addr); 995 return; 996 } 997#endif /* CONFIG_IEEE80211R */ 998 break; 999 case PAIRWISE_4: 1000 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1001 !sm->PTK_valid) { 1002 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1003 "received EAPOL-Key msg 4/4 in " 1004 "invalid state (%d) - dropped", 1005 sm->wpa_ptk_state); 1006 return; 1007 } 1008 break; 1009 case GROUP_2: 1010 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1011 || !sm->PTK_valid) { 1012 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1013 "received EAPOL-Key msg 2/2 in " 1014 "invalid state (%d) - dropped", 1015 sm->wpa_ptk_group_state); 1016 return; 1017 } 1018 break; 1019#ifdef CONFIG_PEERKEY 1020 case SMK_M1: 1021 case SMK_M3: 1022 case SMK_ERROR: 1023 if (!wpa_auth->conf.peerkey) { 1024 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1025 "PeerKey use disabled - ignoring message"); 1026 return; 1027 } 1028 if (!sm->PTK_valid) { 1029 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1030 "received EAPOL-Key msg SMK in " 1031 "invalid state - dropped"); 1032 return; 1033 } 1034 break; 1035#else /* CONFIG_PEERKEY */ 1036 case SMK_M1: 1037 case SMK_M3: 1038 case SMK_ERROR: 1039 return; /* STSL disabled - ignore SMK messages */ 1040#endif /* CONFIG_PEERKEY */ 1041 case REQUEST: 1042 break; 1043 } 1044 1045 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1046 "received EAPOL-Key frame (%s)", msgtxt); 1047 1048 if (key_info & WPA_KEY_INFO_ACK) { 1049 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1050 "received invalid EAPOL-Key: Key Ack set"); 1051 return; 1052 } 1053 1054 if (!(key_info & WPA_KEY_INFO_MIC)) { 1055 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1056 "received invalid EAPOL-Key: Key MIC not set"); 1057 return; 1058 } 1059 1060 sm->MICVerified = FALSE; 1061 if (sm->PTK_valid && !sm->update_snonce) { 1062 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) { 1063 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1064 "received EAPOL-Key with invalid MIC"); 1065 return; 1066 } 1067 sm->MICVerified = TRUE; 1068 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1069 sm->pending_1_of_4_timeout = 0; 1070 } 1071 1072 if (key_info & WPA_KEY_INFO_REQUEST) { 1073 if (sm->MICVerified) { 1074 sm->req_replay_counter_used = 1; 1075 os_memcpy(sm->req_replay_counter, key->replay_counter, 1076 WPA_REPLAY_COUNTER_LEN); 1077 } else { 1078 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1079 "received EAPOL-Key request with " 1080 "invalid MIC"); 1081 return; 1082 } 1083 1084 /* 1085 * TODO: should decrypt key data field if encryption was used; 1086 * even though MAC address KDE is not normally encrypted, 1087 * supplicant is allowed to encrypt it. 1088 */ 1089 if (msg == SMK_ERROR) { 1090#ifdef CONFIG_PEERKEY 1091 wpa_smk_error(wpa_auth, sm, key); 1092#endif /* CONFIG_PEERKEY */ 1093 return; 1094 } else if (key_info & WPA_KEY_INFO_ERROR) { 1095 if (wpa_receive_error_report( 1096 wpa_auth, sm, 1097 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1098 return; /* STA entry was removed */ 1099 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1100 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1101 "received EAPOL-Key Request for new " 1102 "4-Way Handshake"); 1103 wpa_request_new_ptk(sm); 1104#ifdef CONFIG_PEERKEY 1105 } else if (msg == SMK_M1) { 1106 wpa_smk_m1(wpa_auth, sm, key); 1107#endif /* CONFIG_PEERKEY */ 1108 } else if (key_data_length > 0 && 1109 wpa_parse_kde_ies((const u8 *) (key + 1), 1110 key_data_length, &kde) == 0 && 1111 kde.mac_addr) { 1112 } else { 1113 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1114 "received EAPOL-Key Request for GTK " 1115 "rekeying"); 1116 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1117 wpa_rekey_gtk(wpa_auth, NULL); 1118 } 1119 } else { 1120 /* Do not allow the same key replay counter to be reused. */ 1121 wpa_replay_counter_mark_invalid(sm->key_replay, 1122 key->replay_counter); 1123 1124 if (msg == PAIRWISE_2) { 1125 /* 1126 * Maintain a copy of the pending EAPOL-Key frames in 1127 * case the EAPOL-Key frame was retransmitted. This is 1128 * needed to allow EAPOL-Key msg 2/4 reply to another 1129 * pending msg 1/4 to update the SNonce to work around 1130 * unexpected supplicant behavior. 1131 */ 1132 os_memcpy(sm->prev_key_replay, sm->key_replay, 1133 sizeof(sm->key_replay)); 1134 } else { 1135 os_memset(sm->prev_key_replay, 0, 1136 sizeof(sm->prev_key_replay)); 1137 } 1138 1139 /* 1140 * Make sure old valid counters are not accepted anymore and 1141 * do not get copied again. 1142 */ 1143 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1144 } 1145 1146#ifdef CONFIG_PEERKEY 1147 if (msg == SMK_M3) { 1148 wpa_smk_m3(wpa_auth, sm, key); 1149 return; 1150 } 1151#endif /* CONFIG_PEERKEY */ 1152 1153 os_free(sm->last_rx_eapol_key); 1154 sm->last_rx_eapol_key = os_malloc(data_len); 1155 if (sm->last_rx_eapol_key == NULL) 1156 return; 1157 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1158 sm->last_rx_eapol_key_len = data_len; 1159 1160 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1161 sm->EAPOLKeyReceived = TRUE; 1162 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1163 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1164 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1165 wpa_sm_step(sm); 1166} 1167 1168 1169static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1170 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1171{ 1172 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1173 u8 *pos; 1174 int ret = 0; 1175 1176 /* GTK = PRF-X(GMK, "Group key expansion", 1177 * AA || GNonce || Time || random data) 1178 * The example described in the IEEE 802.11 standard uses only AA and 1179 * GNonce as inputs here. Add some more entropy since this derivation 1180 * is done only at the Authenticator and as such, does not need to be 1181 * exactly same. 1182 */ 1183 os_memcpy(data, addr, ETH_ALEN); 1184 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1185 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1186 wpa_get_ntp_timestamp(pos); 1187 pos += 8; 1188 if (random_get_bytes(pos, 16) < 0) 1189 ret = -1; 1190 1191#ifdef CONFIG_IEEE80211W 1192 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1193#else /* CONFIG_IEEE80211W */ 1194 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1195 < 0) 1196 ret = -1; 1197#endif /* CONFIG_IEEE80211W */ 1198 1199 return ret; 1200} 1201 1202 1203static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1204{ 1205 struct wpa_authenticator *wpa_auth = eloop_ctx; 1206 struct wpa_state_machine *sm = timeout_ctx; 1207 1208 sm->pending_1_of_4_timeout = 0; 1209 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1210 sm->TimeoutEvt = TRUE; 1211 wpa_sm_step(sm); 1212} 1213 1214 1215void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1216 struct wpa_state_machine *sm, int key_info, 1217 const u8 *key_rsc, const u8 *nonce, 1218 const u8 *kde, size_t kde_len, 1219 int keyidx, int encr, int force_version) 1220{ 1221 struct ieee802_1x_hdr *hdr; 1222 struct wpa_eapol_key *key; 1223 size_t len; 1224 int alg; 1225 int key_data_len, pad_len = 0; 1226 u8 *buf, *pos; 1227 int version, pairwise; 1228 int i; 1229 1230 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1231 1232 if (force_version) 1233 version = force_version; 1234 else if (wpa_use_aes_cmac(sm)) 1235 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1236 else if (sm->pairwise != WPA_CIPHER_TKIP) 1237 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1238 else 1239 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1240 1241 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1242 1243 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1244 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1245 "encr=%d)", 1246 version, 1247 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1248 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1249 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1250 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1251 pairwise, (unsigned long) kde_len, keyidx, encr); 1252 1253 key_data_len = kde_len; 1254 1255 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1256 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1257 pad_len = key_data_len % 8; 1258 if (pad_len) 1259 pad_len = 8 - pad_len; 1260 key_data_len += pad_len + 8; 1261 } 1262 1263 len += key_data_len; 1264 1265 hdr = os_zalloc(len); 1266 if (hdr == NULL) 1267 return; 1268 hdr->version = wpa_auth->conf.eapol_version; 1269 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1270 hdr->length = host_to_be16(len - sizeof(*hdr)); 1271 key = (struct wpa_eapol_key *) (hdr + 1); 1272 1273 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1274 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1275 key_info |= version; 1276 if (encr && sm->wpa == WPA_VERSION_WPA2) 1277 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1278 if (sm->wpa != WPA_VERSION_WPA2) 1279 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1280 WPA_PUT_BE16(key->key_info, key_info); 1281 1282 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1283 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1284 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1285 WPA_PUT_BE16(key->key_length, 0); 1286 1287 /* FIX: STSL: what to use as key_replay_counter? */ 1288 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1289 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1290 os_memcpy(sm->key_replay[i].counter, 1291 sm->key_replay[i - 1].counter, 1292 WPA_REPLAY_COUNTER_LEN); 1293 } 1294 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1295 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1296 WPA_REPLAY_COUNTER_LEN); 1297 sm->key_replay[0].valid = TRUE; 1298 1299 if (nonce) 1300 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1301 1302 if (key_rsc) 1303 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1304 1305 if (kde && !encr) { 1306 os_memcpy(key + 1, kde, kde_len); 1307 WPA_PUT_BE16(key->key_data_length, kde_len); 1308 } else if (encr && kde) { 1309 buf = os_zalloc(key_data_len); 1310 if (buf == NULL) { 1311 os_free(hdr); 1312 return; 1313 } 1314 pos = buf; 1315 os_memcpy(pos, kde, kde_len); 1316 pos += kde_len; 1317 1318 if (pad_len) 1319 *pos++ = 0xdd; 1320 1321 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1322 buf, key_data_len); 1323 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1324 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1325 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, 1326 (u8 *) (key + 1))) { 1327 os_free(hdr); 1328 os_free(buf); 1329 return; 1330 } 1331 WPA_PUT_BE16(key->key_data_length, key_data_len); 1332 } else { 1333 u8 ek[32]; 1334 os_memcpy(key->key_iv, 1335 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1336 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1337 os_memcpy(ek, key->key_iv, 16); 1338 os_memcpy(ek + 16, sm->PTK.kek, 16); 1339 os_memcpy(key + 1, buf, key_data_len); 1340 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1341 WPA_PUT_BE16(key->key_data_length, key_data_len); 1342 } 1343 os_free(buf); 1344 } 1345 1346 if (key_info & WPA_KEY_INFO_MIC) { 1347 if (!sm->PTK_valid) { 1348 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1349 "PTK not valid when sending EAPOL-Key " 1350 "frame"); 1351 os_free(hdr); 1352 return; 1353 } 1354 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, 1355 key->key_mic); 1356#ifdef CONFIG_TESTING_OPTIONS 1357 if (!pairwise && 1358 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d && 1359 drand48() < 1360 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1361 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1362 "Corrupting group EAPOL-Key Key MIC"); 1363 key->key_mic[0]++; 1364 } 1365#endif /* CONFIG_TESTING_OPTIONS */ 1366 } 1367 1368 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1369 1); 1370 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1371 sm->pairwise_set); 1372 os_free(hdr); 1373} 1374 1375 1376static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1377 struct wpa_state_machine *sm, int key_info, 1378 const u8 *key_rsc, const u8 *nonce, 1379 const u8 *kde, size_t kde_len, 1380 int keyidx, int encr) 1381{ 1382 int timeout_ms; 1383 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1384 int ctr; 1385 1386 if (sm == NULL) 1387 return; 1388 1389 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1390 keyidx, encr, 0); 1391 1392 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1393 if (ctr == 1 && wpa_auth->conf.tx_status) 1394 timeout_ms = pairwise ? eapol_key_timeout_first : 1395 eapol_key_timeout_first_group; 1396 else 1397 timeout_ms = eapol_key_timeout_subseq; 1398 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1399 sm->pending_1_of_4_timeout = 1; 1400 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1401 "counter %d)", timeout_ms, ctr); 1402 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1403 wpa_send_eapol_timeout, wpa_auth, sm); 1404} 1405 1406 1407static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len) 1408{ 1409 struct ieee802_1x_hdr *hdr; 1410 struct wpa_eapol_key *key; 1411 u16 key_info; 1412 int ret = 0; 1413 u8 mic[16]; 1414 1415 if (data_len < sizeof(*hdr) + sizeof(*key)) 1416 return -1; 1417 1418 hdr = (struct ieee802_1x_hdr *) data; 1419 key = (struct wpa_eapol_key *) (hdr + 1); 1420 key_info = WPA_GET_BE16(key->key_info); 1421 os_memcpy(mic, key->key_mic, 16); 1422 os_memset(key->key_mic, 0, 16); 1423 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK, 1424 data, data_len, key->key_mic) || 1425 os_memcmp(mic, key->key_mic, 16) != 0) 1426 ret = -1; 1427 os_memcpy(key->key_mic, mic, 16); 1428 return ret; 1429} 1430 1431 1432void wpa_remove_ptk(struct wpa_state_machine *sm) 1433{ 1434 sm->PTK_valid = FALSE; 1435 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1436 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1437 sm->pairwise_set = FALSE; 1438 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1439} 1440 1441 1442int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1443{ 1444 int remove_ptk = 1; 1445 1446 if (sm == NULL) 1447 return -1; 1448 1449 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1450 "event %d notification", event); 1451 1452 switch (event) { 1453 case WPA_AUTH: 1454 case WPA_ASSOC: 1455 break; 1456 case WPA_DEAUTH: 1457 case WPA_DISASSOC: 1458 sm->DeauthenticationRequest = TRUE; 1459 break; 1460 case WPA_REAUTH: 1461 case WPA_REAUTH_EAPOL: 1462 if (!sm->started) { 1463 /* 1464 * When using WPS, we may end up here if the STA 1465 * manages to re-associate without the previous STA 1466 * entry getting removed. Consequently, we need to make 1467 * sure that the WPA state machines gets initialized 1468 * properly at this point. 1469 */ 1470 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1471 "started - initialize now"); 1472 sm->started = 1; 1473 sm->Init = TRUE; 1474 if (wpa_sm_step(sm) == 1) 1475 return 1; /* should not really happen */ 1476 sm->Init = FALSE; 1477 sm->AuthenticationRequest = TRUE; 1478 break; 1479 } 1480 if (sm->GUpdateStationKeys) { 1481 /* 1482 * Reauthentication cancels the pending group key 1483 * update for this STA. 1484 */ 1485 sm->group->GKeyDoneStations--; 1486 sm->GUpdateStationKeys = FALSE; 1487 sm->PtkGroupInit = TRUE; 1488 } 1489 sm->ReAuthenticationRequest = TRUE; 1490 break; 1491 case WPA_ASSOC_FT: 1492#ifdef CONFIG_IEEE80211R 1493 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1494 "after association"); 1495 wpa_ft_install_ptk(sm); 1496 1497 /* Using FT protocol, not WPA auth state machine */ 1498 sm->ft_completed = 1; 1499 return 0; 1500#else /* CONFIG_IEEE80211R */ 1501 break; 1502#endif /* CONFIG_IEEE80211R */ 1503 } 1504 1505#ifdef CONFIG_IEEE80211R 1506 sm->ft_completed = 0; 1507#endif /* CONFIG_IEEE80211R */ 1508 1509#ifdef CONFIG_IEEE80211W 1510 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1511 remove_ptk = 0; 1512#endif /* CONFIG_IEEE80211W */ 1513 1514 if (remove_ptk) { 1515 sm->PTK_valid = FALSE; 1516 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1517 1518 if (event != WPA_REAUTH_EAPOL) 1519 wpa_remove_ptk(sm); 1520 } 1521 1522 return wpa_sm_step(sm); 1523} 1524 1525 1526SM_STATE(WPA_PTK, INITIALIZE) 1527{ 1528 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1529 if (sm->Init) { 1530 /* Init flag is not cleared here, so avoid busy 1531 * loop by claiming nothing changed. */ 1532 sm->changed = FALSE; 1533 } 1534 1535 sm->keycount = 0; 1536 if (sm->GUpdateStationKeys) 1537 sm->group->GKeyDoneStations--; 1538 sm->GUpdateStationKeys = FALSE; 1539 if (sm->wpa == WPA_VERSION_WPA) 1540 sm->PInitAKeys = FALSE; 1541 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1542 * Local AA > Remote AA)) */) { 1543 sm->Pair = TRUE; 1544 } 1545 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1546 wpa_remove_ptk(sm); 1547 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1548 sm->TimeoutCtr = 0; 1549 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1550 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1551 WPA_EAPOL_authorized, 0); 1552 } 1553} 1554 1555 1556SM_STATE(WPA_PTK, DISCONNECT) 1557{ 1558 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1559 sm->Disconnect = FALSE; 1560 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1561} 1562 1563 1564SM_STATE(WPA_PTK, DISCONNECTED) 1565{ 1566 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1567 sm->DeauthenticationRequest = FALSE; 1568} 1569 1570 1571SM_STATE(WPA_PTK, AUTHENTICATION) 1572{ 1573 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1574 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1575 sm->PTK_valid = FALSE; 1576 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1577 1); 1578 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1579 sm->AuthenticationRequest = FALSE; 1580} 1581 1582 1583static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1584 struct wpa_group *group) 1585{ 1586 if (group->first_sta_seen) 1587 return; 1588 /* 1589 * System has run bit further than at the time hostapd was started 1590 * potentially very early during boot up. This provides better chances 1591 * of collecting more randomness on embedded systems. Re-initialize the 1592 * GMK and Counter here to improve their strength if there was not 1593 * enough entropy available immediately after system startup. 1594 */ 1595 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1596 "station"); 1597 if (random_pool_ready() != 1) { 1598 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1599 "to proceed - reject first 4-way handshake"); 1600 group->reject_4way_hs_for_entropy = TRUE; 1601 } else { 1602 group->first_sta_seen = TRUE; 1603 group->reject_4way_hs_for_entropy = FALSE; 1604 } 1605 1606 wpa_group_init_gmk_and_counter(wpa_auth, group); 1607 wpa_gtk_update(wpa_auth, group); 1608 wpa_group_config_group_keys(wpa_auth, group); 1609} 1610 1611 1612SM_STATE(WPA_PTK, AUTHENTICATION2) 1613{ 1614 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1615 1616 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1617 sm->ReAuthenticationRequest = FALSE; 1618 1619 /* 1620 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1621 * ambiguous. The Authenticator state machine uses a counter that is 1622 * incremented by one for each 4-way handshake. However, the security 1623 * analysis of 4-way handshake points out that unpredictable nonces 1624 * help in preventing precomputation attacks. Instead of the state 1625 * machine definition, use an unpredictable nonce value here to provide 1626 * stronger protection against potential precomputation attacks. 1627 */ 1628 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1629 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1630 "ANonce."); 1631 sm->Disconnect = TRUE; 1632 return; 1633 } 1634 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1635 WPA_NONCE_LEN); 1636 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1637 * logical place than INITIALIZE since AUTHENTICATION2 can be 1638 * re-entered on ReAuthenticationRequest without going through 1639 * INITIALIZE. */ 1640 sm->TimeoutCtr = 0; 1641} 1642 1643 1644SM_STATE(WPA_PTK, INITPMK) 1645{ 1646 u8 msk[2 * PMK_LEN]; 1647 size_t len = 2 * PMK_LEN; 1648 1649 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1650#ifdef CONFIG_IEEE80211R 1651 sm->xxkey_len = 0; 1652#endif /* CONFIG_IEEE80211R */ 1653 if (sm->pmksa) { 1654 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1655 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1656 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1657 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1658 "(len=%lu)", (unsigned long) len); 1659 os_memcpy(sm->PMK, msk, PMK_LEN); 1660#ifdef CONFIG_IEEE80211R 1661 if (len >= 2 * PMK_LEN) { 1662 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1663 sm->xxkey_len = PMK_LEN; 1664 } 1665#endif /* CONFIG_IEEE80211R */ 1666 } else { 1667 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1668 } 1669 1670 sm->req_replay_counter_used = 0; 1671 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1672 * will break reauthentication since EAPOL state machines may not be 1673 * get into AUTHENTICATING state that clears keyRun before WPA state 1674 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1675 * state and takes PMK from the previously used AAA Key. This will 1676 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1677 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1678 * be good workaround for this issue. */ 1679 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1680} 1681 1682 1683SM_STATE(WPA_PTK, INITPSK) 1684{ 1685 const u8 *psk; 1686 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1687 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1688 if (psk) { 1689 os_memcpy(sm->PMK, psk, PMK_LEN); 1690#ifdef CONFIG_IEEE80211R 1691 os_memcpy(sm->xxkey, psk, PMK_LEN); 1692 sm->xxkey_len = PMK_LEN; 1693#endif /* CONFIG_IEEE80211R */ 1694 } 1695 sm->req_replay_counter_used = 0; 1696} 1697 1698 1699SM_STATE(WPA_PTK, PTKSTART) 1700{ 1701 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1702 size_t pmkid_len = 0; 1703 1704 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1705 sm->PTKRequest = FALSE; 1706 sm->TimeoutEvt = FALSE; 1707 1708 sm->TimeoutCtr++; 1709 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1710 /* No point in sending the EAPOL-Key - we will disconnect 1711 * immediately following this. */ 1712 return; 1713 } 1714 1715 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1716 "sending 1/4 msg of 4-Way Handshake"); 1717 /* 1718 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1719 * one possible PSK for this STA. 1720 */ 1721 if (sm->wpa == WPA_VERSION_WPA2 && 1722 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) { 1723 pmkid = buf; 1724 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1725 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1726 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1727 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1728 if (sm->pmksa) 1729 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1730 sm->pmksa->pmkid, PMKID_LEN); 1731 else { 1732 /* 1733 * Calculate PMKID since no PMKSA cache entry was 1734 * available with pre-calculated PMKID. 1735 */ 1736 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1737 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1738 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1739 } 1740 } 1741 wpa_send_eapol(sm->wpa_auth, sm, 1742 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1743 sm->ANonce, pmkid, pmkid_len, 0, 0); 1744} 1745 1746 1747static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk, 1748 struct wpa_ptk *ptk) 1749{ 1750 size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64; 1751#ifdef CONFIG_IEEE80211R 1752 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1753 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1754#endif /* CONFIG_IEEE80211R */ 1755 1756 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1757 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce, 1758 (u8 *) ptk, ptk_len, 1759 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1760 1761 return 0; 1762} 1763 1764 1765SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1766{ 1767 struct wpa_ptk PTK; 1768 int ok = 0; 1769 const u8 *pmk = NULL; 1770 1771 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1772 sm->EAPOLKeyReceived = FALSE; 1773 sm->update_snonce = FALSE; 1774 1775 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1776 * WPA-PSK: iterate through possible PSKs and select the one matching 1777 * the packet */ 1778 for (;;) { 1779 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1780 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 1781 sm->p2p_dev_addr, pmk); 1782 if (pmk == NULL) 1783 break; 1784 } else 1785 pmk = sm->PMK; 1786 1787 wpa_derive_ptk(sm, pmk, &PTK); 1788 1789 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key, 1790 sm->last_rx_eapol_key_len) == 0) { 1791 ok = 1; 1792 break; 1793 } 1794 1795 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1796 break; 1797 } 1798 1799 if (!ok) { 1800 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1801 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1802 return; 1803 } 1804 1805#ifdef CONFIG_IEEE80211R 1806 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1807 /* 1808 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1809 * with the value we derived. 1810 */ 1811 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1812 WPA_PMK_NAME_LEN) != 0) { 1813 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1814 "PMKR1Name mismatch in FT 4-way " 1815 "handshake"); 1816 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1817 "Supplicant", 1818 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 1819 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1820 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1821 return; 1822 } 1823 } 1824#endif /* CONFIG_IEEE80211R */ 1825 1826 sm->pending_1_of_4_timeout = 0; 1827 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 1828 1829 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1830 /* PSK may have changed from the previous choice, so update 1831 * state machine data based on whatever PSK was selected here. 1832 */ 1833 os_memcpy(sm->PMK, pmk, PMK_LEN); 1834 } 1835 1836 sm->MICVerified = TRUE; 1837 1838 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 1839 sm->PTK_valid = TRUE; 1840} 1841 1842 1843SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 1844{ 1845 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 1846 sm->TimeoutCtr = 0; 1847} 1848 1849 1850#ifdef CONFIG_IEEE80211W 1851 1852static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1853{ 1854 if (sm->mgmt_frame_prot) { 1855 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde); 1856 } 1857 1858 return 0; 1859} 1860 1861 1862static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1863{ 1864 struct wpa_igtk_kde igtk; 1865 struct wpa_group *gsm = sm->group; 1866 u8 rsc[WPA_KEY_RSC_LEN]; 1867 1868 if (!sm->mgmt_frame_prot) 1869 return pos; 1870 1871 igtk.keyid[0] = gsm->GN_igtk; 1872 igtk.keyid[1] = 0; 1873 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 1874 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 1875 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 1876 else 1877 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 1878 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 1879 if (sm->wpa_auth->conf.disable_gtk) { 1880 /* 1881 * Provide unique random IGTK to each STA to prevent use of 1882 * IGTK in the BSS. 1883 */ 1884 if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0) 1885 return pos; 1886 } 1887 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 1888 (const u8 *) &igtk, sizeof(igtk), NULL, 0); 1889 1890 return pos; 1891} 1892 1893#else /* CONFIG_IEEE80211W */ 1894 1895static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1896{ 1897 return 0; 1898} 1899 1900 1901static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1902{ 1903 return pos; 1904} 1905 1906#endif /* CONFIG_IEEE80211W */ 1907 1908 1909SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 1910{ 1911 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 1912 size_t gtk_len, kde_len; 1913 struct wpa_group *gsm = sm->group; 1914 u8 *wpa_ie; 1915 int wpa_ie_len, secure, keyidx, encr = 0; 1916 1917 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 1918 sm->TimeoutEvt = FALSE; 1919 1920 sm->TimeoutCtr++; 1921 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1922 /* No point in sending the EAPOL-Key - we will disconnect 1923 * immediately following this. */ 1924 return; 1925 } 1926 1927 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 1928 GTK[GN], IGTK, [FTIE], [TIE * 2]) 1929 */ 1930 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 1931 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 1932 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 1933 wpa_ie = sm->wpa_auth->wpa_ie; 1934 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 1935 if (sm->wpa == WPA_VERSION_WPA && 1936 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 1937 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 1938 /* WPA-only STA, remove RSN IE */ 1939 wpa_ie = wpa_ie + wpa_ie[1] + 2; 1940 wpa_ie_len = wpa_ie[1] + 2; 1941 } 1942 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1943 "sending 3/4 msg of 4-Way Handshake"); 1944 if (sm->wpa == WPA_VERSION_WPA2) { 1945 /* WPA2 send GTK in the 4-way handshake */ 1946 secure = 1; 1947 gtk = gsm->GTK[gsm->GN - 1]; 1948 gtk_len = gsm->GTK_len; 1949 if (sm->wpa_auth->conf.disable_gtk) { 1950 /* 1951 * Provide unique random GTK to each STA to prevent use 1952 * of GTK in the BSS. 1953 */ 1954 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 1955 return; 1956 gtk = dummy_gtk; 1957 } 1958 keyidx = gsm->GN; 1959 _rsc = rsc; 1960 encr = 1; 1961 } else { 1962 /* WPA does not include GTK in msg 3/4 */ 1963 secure = 0; 1964 gtk = NULL; 1965 gtk_len = 0; 1966 keyidx = 0; 1967 _rsc = NULL; 1968 if (sm->rx_eapol_key_secure) { 1969 /* 1970 * It looks like Windows 7 supplicant tries to use 1971 * Secure bit in msg 2/4 after having reported Michael 1972 * MIC failure and it then rejects the 4-way handshake 1973 * if msg 3/4 does not set Secure bit. Work around this 1974 * by setting the Secure bit here even in the case of 1975 * WPA if the supplicant used it first. 1976 */ 1977 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1978 "STA used Secure bit in WPA msg 2/4 - " 1979 "set Secure for 3/4 as workaround"); 1980 secure = 1; 1981 } 1982 } 1983 1984 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 1985 if (gtk) 1986 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 1987#ifdef CONFIG_IEEE80211R 1988 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1989 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 1990 kde_len += 300; /* FTIE + 2 * TIE */ 1991 } 1992#endif /* CONFIG_IEEE80211R */ 1993 kde = os_malloc(kde_len); 1994 if (kde == NULL) 1995 return; 1996 1997 pos = kde; 1998 os_memcpy(pos, wpa_ie, wpa_ie_len); 1999 pos += wpa_ie_len; 2000#ifdef CONFIG_IEEE80211R 2001 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2002 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 2003 if (res < 0) { 2004 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2005 "PMKR1Name into RSN IE in EAPOL-Key data"); 2006 os_free(kde); 2007 return; 2008 } 2009 pos += res; 2010 } 2011#endif /* CONFIG_IEEE80211R */ 2012 if (gtk) { 2013 u8 hdr[2]; 2014 hdr[0] = keyidx & 0x03; 2015 hdr[1] = 0; 2016 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2017 gtk, gtk_len); 2018 } 2019 pos = ieee80211w_kde_add(sm, pos); 2020 2021#ifdef CONFIG_IEEE80211R 2022 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2023 int res; 2024 struct wpa_auth_config *conf; 2025 2026 conf = &sm->wpa_auth->conf; 2027 res = wpa_write_ftie(conf, conf->r0_key_holder, 2028 conf->r0_key_holder_len, 2029 NULL, NULL, pos, kde + kde_len - pos, 2030 NULL, 0); 2031 if (res < 0) { 2032 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2033 "into EAPOL-Key Key Data"); 2034 os_free(kde); 2035 return; 2036 } 2037 pos += res; 2038 2039 /* TIE[ReassociationDeadline] (TU) */ 2040 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2041 *pos++ = 5; 2042 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2043 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2044 pos += 4; 2045 2046 /* TIE[KeyLifetime] (seconds) */ 2047 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2048 *pos++ = 5; 2049 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2050 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2051 pos += 4; 2052 } 2053#endif /* CONFIG_IEEE80211R */ 2054 2055 wpa_send_eapol(sm->wpa_auth, sm, 2056 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2057 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2058 WPA_KEY_INFO_KEY_TYPE, 2059 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2060 os_free(kde); 2061} 2062 2063 2064SM_STATE(WPA_PTK, PTKINITDONE) 2065{ 2066 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2067 sm->EAPOLKeyReceived = FALSE; 2068 if (sm->Pair) { 2069 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2070 int klen = wpa_cipher_key_len(sm->pairwise); 2071 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2072 sm->PTK.tk1, klen)) { 2073 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2074 return; 2075 } 2076 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2077 sm->pairwise_set = TRUE; 2078 2079 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2080 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2081 eloop_register_timeout(sm->wpa_auth->conf. 2082 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2083 sm->wpa_auth, sm); 2084 } 2085 2086 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2087 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2088 WPA_EAPOL_authorized, 1); 2089 } 2090 } 2091 2092 if (0 /* IBSS == TRUE */) { 2093 sm->keycount++; 2094 if (sm->keycount == 2) { 2095 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2096 WPA_EAPOL_portValid, 1); 2097 } 2098 } else { 2099 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2100 1); 2101 } 2102 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2103 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2104 if (sm->wpa == WPA_VERSION_WPA) 2105 sm->PInitAKeys = TRUE; 2106 else 2107 sm->has_GTK = TRUE; 2108 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2109 "pairwise key handshake completed (%s)", 2110 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2111 2112#ifdef CONFIG_IEEE80211R 2113 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2114#endif /* CONFIG_IEEE80211R */ 2115} 2116 2117 2118SM_STEP(WPA_PTK) 2119{ 2120 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2121 2122 if (sm->Init) 2123 SM_ENTER(WPA_PTK, INITIALIZE); 2124 else if (sm->Disconnect 2125 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2126 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2127 "WPA_PTK: sm->Disconnect"); 2128 SM_ENTER(WPA_PTK, DISCONNECT); 2129 } 2130 else if (sm->DeauthenticationRequest) 2131 SM_ENTER(WPA_PTK, DISCONNECTED); 2132 else if (sm->AuthenticationRequest) 2133 SM_ENTER(WPA_PTK, AUTHENTICATION); 2134 else if (sm->ReAuthenticationRequest) 2135 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2136 else if (sm->PTKRequest) 2137 SM_ENTER(WPA_PTK, PTKSTART); 2138 else switch (sm->wpa_ptk_state) { 2139 case WPA_PTK_INITIALIZE: 2140 break; 2141 case WPA_PTK_DISCONNECT: 2142 SM_ENTER(WPA_PTK, DISCONNECTED); 2143 break; 2144 case WPA_PTK_DISCONNECTED: 2145 SM_ENTER(WPA_PTK, INITIALIZE); 2146 break; 2147 case WPA_PTK_AUTHENTICATION: 2148 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2149 break; 2150 case WPA_PTK_AUTHENTICATION2: 2151 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2152 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2153 WPA_EAPOL_keyRun) > 0) 2154 SM_ENTER(WPA_PTK, INITPMK); 2155 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2156 /* FIX: && 802.1X::keyRun */) 2157 SM_ENTER(WPA_PTK, INITPSK); 2158 break; 2159 case WPA_PTK_INITPMK: 2160 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2161 WPA_EAPOL_keyAvailable) > 0) 2162 SM_ENTER(WPA_PTK, PTKSTART); 2163 else { 2164 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2165 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2166 "INITPMK - keyAvailable = false"); 2167 SM_ENTER(WPA_PTK, DISCONNECT); 2168 } 2169 break; 2170 case WPA_PTK_INITPSK: 2171 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2172 NULL)) 2173 SM_ENTER(WPA_PTK, PTKSTART); 2174 else { 2175 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2176 "no PSK configured for the STA"); 2177 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2178 SM_ENTER(WPA_PTK, DISCONNECT); 2179 } 2180 break; 2181 case WPA_PTK_PTKSTART: 2182 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2183 sm->EAPOLKeyPairwise) 2184 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2185 else if (sm->TimeoutCtr > 2186 (int) dot11RSNAConfigPairwiseUpdateCount) { 2187 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2188 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2189 "PTKSTART: Retry limit %d reached", 2190 dot11RSNAConfigPairwiseUpdateCount); 2191 SM_ENTER(WPA_PTK, DISCONNECT); 2192 } else if (sm->TimeoutEvt) 2193 SM_ENTER(WPA_PTK, PTKSTART); 2194 break; 2195 case WPA_PTK_PTKCALCNEGOTIATING: 2196 if (sm->MICVerified) 2197 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2198 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2199 sm->EAPOLKeyPairwise) 2200 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2201 else if (sm->TimeoutEvt) 2202 SM_ENTER(WPA_PTK, PTKSTART); 2203 break; 2204 case WPA_PTK_PTKCALCNEGOTIATING2: 2205 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2206 break; 2207 case WPA_PTK_PTKINITNEGOTIATING: 2208 if (sm->update_snonce) 2209 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2210 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2211 sm->EAPOLKeyPairwise && sm->MICVerified) 2212 SM_ENTER(WPA_PTK, PTKINITDONE); 2213 else if (sm->TimeoutCtr > 2214 (int) dot11RSNAConfigPairwiseUpdateCount) { 2215 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2216 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2217 "PTKINITNEGOTIATING: Retry limit %d " 2218 "reached", 2219 dot11RSNAConfigPairwiseUpdateCount); 2220 SM_ENTER(WPA_PTK, DISCONNECT); 2221 } else if (sm->TimeoutEvt) 2222 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2223 break; 2224 case WPA_PTK_PTKINITDONE: 2225 break; 2226 } 2227} 2228 2229 2230SM_STATE(WPA_PTK_GROUP, IDLE) 2231{ 2232 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2233 if (sm->Init) { 2234 /* Init flag is not cleared here, so avoid busy 2235 * loop by claiming nothing changed. */ 2236 sm->changed = FALSE; 2237 } 2238 sm->GTimeoutCtr = 0; 2239} 2240 2241 2242SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2243{ 2244 u8 rsc[WPA_KEY_RSC_LEN]; 2245 struct wpa_group *gsm = sm->group; 2246 u8 *kde, *pos, hdr[2]; 2247 size_t kde_len; 2248 u8 *gtk, dummy_gtk[32]; 2249 2250 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2251 2252 sm->GTimeoutCtr++; 2253 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2254 /* No point in sending the EAPOL-Key - we will disconnect 2255 * immediately following this. */ 2256 return; 2257 } 2258 2259 if (sm->wpa == WPA_VERSION_WPA) 2260 sm->PInitAKeys = FALSE; 2261 sm->TimeoutEvt = FALSE; 2262 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2263 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2264 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2265 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2266 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2267 "sending 1/2 msg of Group Key Handshake"); 2268 2269 gtk = gsm->GTK[gsm->GN - 1]; 2270 if (sm->wpa_auth->conf.disable_gtk) { 2271 /* 2272 * Provide unique random GTK to each STA to prevent use 2273 * of GTK in the BSS. 2274 */ 2275 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2276 return; 2277 gtk = dummy_gtk; 2278 } 2279 if (sm->wpa == WPA_VERSION_WPA2) { 2280 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2281 ieee80211w_kde_len(sm); 2282 kde = os_malloc(kde_len); 2283 if (kde == NULL) 2284 return; 2285 2286 pos = kde; 2287 hdr[0] = gsm->GN & 0x03; 2288 hdr[1] = 0; 2289 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2290 gtk, gsm->GTK_len); 2291 pos = ieee80211w_kde_add(sm, pos); 2292 } else { 2293 kde = gtk; 2294 pos = kde + gsm->GTK_len; 2295 } 2296 2297 wpa_send_eapol(sm->wpa_auth, sm, 2298 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2299 WPA_KEY_INFO_ACK | 2300 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2301 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1); 2302 if (sm->wpa == WPA_VERSION_WPA2) 2303 os_free(kde); 2304} 2305 2306 2307SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2308{ 2309 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2310 sm->EAPOLKeyReceived = FALSE; 2311 if (sm->GUpdateStationKeys) 2312 sm->group->GKeyDoneStations--; 2313 sm->GUpdateStationKeys = FALSE; 2314 sm->GTimeoutCtr = 0; 2315 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2316 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2317 "group key handshake completed (%s)", 2318 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2319 sm->has_GTK = TRUE; 2320} 2321 2322 2323SM_STATE(WPA_PTK_GROUP, KEYERROR) 2324{ 2325 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2326 if (sm->GUpdateStationKeys) 2327 sm->group->GKeyDoneStations--; 2328 sm->GUpdateStationKeys = FALSE; 2329 sm->Disconnect = TRUE; 2330} 2331 2332 2333SM_STEP(WPA_PTK_GROUP) 2334{ 2335 if (sm->Init || sm->PtkGroupInit) { 2336 SM_ENTER(WPA_PTK_GROUP, IDLE); 2337 sm->PtkGroupInit = FALSE; 2338 } else switch (sm->wpa_ptk_group_state) { 2339 case WPA_PTK_GROUP_IDLE: 2340 if (sm->GUpdateStationKeys || 2341 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2342 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2343 break; 2344 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2345 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2346 !sm->EAPOLKeyPairwise && sm->MICVerified) 2347 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2348 else if (sm->GTimeoutCtr > 2349 (int) dot11RSNAConfigGroupUpdateCount) 2350 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2351 else if (sm->TimeoutEvt) 2352 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2353 break; 2354 case WPA_PTK_GROUP_KEYERROR: 2355 SM_ENTER(WPA_PTK_GROUP, IDLE); 2356 break; 2357 case WPA_PTK_GROUP_REKEYESTABLISHED: 2358 SM_ENTER(WPA_PTK_GROUP, IDLE); 2359 break; 2360 } 2361} 2362 2363 2364static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2365 struct wpa_group *group) 2366{ 2367 int ret = 0; 2368 2369 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2370 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2371 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2372 wpa_auth->addr, group->GNonce, 2373 group->GTK[group->GN - 1], group->GTK_len) < 0) 2374 ret = -1; 2375 wpa_hexdump_key(MSG_DEBUG, "GTK", 2376 group->GTK[group->GN - 1], group->GTK_len); 2377 2378#ifdef CONFIG_IEEE80211W 2379 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2380 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2381 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2382 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2383 wpa_auth->addr, group->GNonce, 2384 group->IGTK[group->GN_igtk - 4], 2385 WPA_IGTK_LEN) < 0) 2386 ret = -1; 2387 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2388 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN); 2389 } 2390#endif /* CONFIG_IEEE80211W */ 2391 2392 return ret; 2393} 2394 2395 2396static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2397 struct wpa_group *group) 2398{ 2399 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2400 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2401 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2402 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2403 2404 /* GTK[0..N] = 0 */ 2405 os_memset(group->GTK, 0, sizeof(group->GTK)); 2406 group->GN = 1; 2407 group->GM = 2; 2408#ifdef CONFIG_IEEE80211W 2409 group->GN_igtk = 4; 2410 group->GM_igtk = 5; 2411#endif /* CONFIG_IEEE80211W */ 2412 /* GTK[GN] = CalcGTK() */ 2413 wpa_gtk_update(wpa_auth, group); 2414} 2415 2416 2417static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2418{ 2419 if (ctx != NULL && ctx != sm->group) 2420 return 0; 2421 2422 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2423 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2424 "Not in PTKINITDONE; skip Group Key update"); 2425 sm->GUpdateStationKeys = FALSE; 2426 return 0; 2427 } 2428 if (sm->GUpdateStationKeys) { 2429 /* 2430 * This should not really happen, so add a debug log entry. 2431 * Since we clear the GKeyDoneStations before the loop, the 2432 * station needs to be counted here anyway. 2433 */ 2434 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2435 "GUpdateStationKeys was already set when " 2436 "marking station for GTK rekeying"); 2437 } 2438 2439 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2440 if (sm->is_wnmsleep) 2441 return 0; 2442 2443 sm->group->GKeyDoneStations++; 2444 sm->GUpdateStationKeys = TRUE; 2445 2446 wpa_sm_step(sm); 2447 return 0; 2448} 2449 2450 2451#ifdef CONFIG_WNM 2452/* update GTK when exiting WNM-Sleep Mode */ 2453void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2454{ 2455 if (sm->is_wnmsleep) 2456 return; 2457 2458 wpa_group_update_sta(sm, NULL); 2459} 2460 2461 2462void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2463{ 2464 sm->is_wnmsleep = !!flag; 2465} 2466 2467 2468int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2469{ 2470 struct wpa_group *gsm = sm->group; 2471 u8 *start = pos; 2472 2473 /* 2474 * GTK subelement: 2475 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2476 * Key[5..32] 2477 */ 2478 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2479 *pos++ = 11 + gsm->GTK_len; 2480 /* Key ID in B0-B1 of Key Info */ 2481 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2482 pos += 2; 2483 *pos++ = gsm->GTK_len; 2484 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2485 return 0; 2486 pos += 8; 2487 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2488 pos += gsm->GTK_len; 2489 2490 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2491 gsm->GN); 2492 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2493 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2494 2495 return pos - start; 2496} 2497 2498 2499#ifdef CONFIG_IEEE80211W 2500int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2501{ 2502 struct wpa_group *gsm = sm->group; 2503 u8 *start = pos; 2504 2505 /* 2506 * IGTK subelement: 2507 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2508 */ 2509 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2510 *pos++ = 2 + 6 + WPA_IGTK_LEN; 2511 WPA_PUT_LE16(pos, gsm->GN_igtk); 2512 pos += 2; 2513 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2514 return 0; 2515 pos += 6; 2516 2517 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2518 pos += WPA_IGTK_LEN; 2519 2520 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2521 gsm->GN_igtk); 2522 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2523 gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2524 2525 return pos - start; 2526} 2527#endif /* CONFIG_IEEE80211W */ 2528#endif /* CONFIG_WNM */ 2529 2530 2531static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2532 struct wpa_group *group) 2533{ 2534 int tmp; 2535 2536 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2537 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2538 group->changed = TRUE; 2539 group->wpa_group_state = WPA_GROUP_SETKEYS; 2540 group->GTKReKey = FALSE; 2541 tmp = group->GM; 2542 group->GM = group->GN; 2543 group->GN = tmp; 2544#ifdef CONFIG_IEEE80211W 2545 tmp = group->GM_igtk; 2546 group->GM_igtk = group->GN_igtk; 2547 group->GN_igtk = tmp; 2548#endif /* CONFIG_IEEE80211W */ 2549 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2550 * counting the STAs that are marked with GUpdateStationKeys instead of 2551 * including all STAs that could be in not-yet-completed state. */ 2552 wpa_gtk_update(wpa_auth, group); 2553 2554 if (group->GKeyDoneStations) { 2555 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2556 "GKeyDoneStations=%d when starting new GTK rekey", 2557 group->GKeyDoneStations); 2558 group->GKeyDoneStations = 0; 2559 } 2560 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2561 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2562 group->GKeyDoneStations); 2563} 2564 2565 2566static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2567 struct wpa_group *group) 2568{ 2569 int ret = 0; 2570 2571 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2572 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2573 broadcast_ether_addr, group->GN, 2574 group->GTK[group->GN - 1], group->GTK_len) < 0) 2575 ret = -1; 2576 2577#ifdef CONFIG_IEEE80211W 2578 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && 2579 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK, 2580 broadcast_ether_addr, group->GN_igtk, 2581 group->IGTK[group->GN_igtk - 4], 2582 WPA_IGTK_LEN) < 0) 2583 ret = -1; 2584#endif /* CONFIG_IEEE80211W */ 2585 2586 return ret; 2587} 2588 2589 2590static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2591 struct wpa_group *group) 2592{ 2593 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2594 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2595 group->changed = TRUE; 2596 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2597 2598 if (wpa_group_config_group_keys(wpa_auth, group) < 0) 2599 return -1; 2600 2601 return 0; 2602} 2603 2604 2605static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2606 struct wpa_group *group) 2607{ 2608 if (group->GInit) { 2609 wpa_group_gtk_init(wpa_auth, group); 2610 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2611 group->GTKAuthenticator) { 2612 wpa_group_setkeysdone(wpa_auth, group); 2613 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2614 group->GTKReKey) { 2615 wpa_group_setkeys(wpa_auth, group); 2616 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2617 if (group->GKeyDoneStations == 0) 2618 wpa_group_setkeysdone(wpa_auth, group); 2619 else if (group->GTKReKey) 2620 wpa_group_setkeys(wpa_auth, group); 2621 } 2622} 2623 2624 2625static int wpa_sm_step(struct wpa_state_machine *sm) 2626{ 2627 if (sm == NULL) 2628 return 0; 2629 2630 if (sm->in_step_loop) { 2631 /* This should not happen, but if it does, make sure we do not 2632 * end up freeing the state machine too early by exiting the 2633 * recursive call. */ 2634 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2635 return 0; 2636 } 2637 2638 sm->in_step_loop = 1; 2639 do { 2640 if (sm->pending_deinit) 2641 break; 2642 2643 sm->changed = FALSE; 2644 sm->wpa_auth->group->changed = FALSE; 2645 2646 SM_STEP_RUN(WPA_PTK); 2647 if (sm->pending_deinit) 2648 break; 2649 SM_STEP_RUN(WPA_PTK_GROUP); 2650 if (sm->pending_deinit) 2651 break; 2652 wpa_group_sm_step(sm->wpa_auth, sm->group); 2653 } while (sm->changed || sm->wpa_auth->group->changed); 2654 sm->in_step_loop = 0; 2655 2656 if (sm->pending_deinit) { 2657 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2658 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2659 wpa_free_sta_sm(sm); 2660 return 1; 2661 } 2662 return 0; 2663} 2664 2665 2666static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2667{ 2668 struct wpa_state_machine *sm = eloop_ctx; 2669 wpa_sm_step(sm); 2670} 2671 2672 2673void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2674{ 2675 if (sm == NULL) 2676 return; 2677 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2678} 2679 2680 2681void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2682{ 2683 int tmp, i; 2684 struct wpa_group *group; 2685 2686 if (wpa_auth == NULL) 2687 return; 2688 2689 group = wpa_auth->group; 2690 2691 for (i = 0; i < 2; i++) { 2692 tmp = group->GM; 2693 group->GM = group->GN; 2694 group->GN = tmp; 2695#ifdef CONFIG_IEEE80211W 2696 tmp = group->GM_igtk; 2697 group->GM_igtk = group->GN_igtk; 2698 group->GN_igtk = tmp; 2699#endif /* CONFIG_IEEE80211W */ 2700 wpa_gtk_update(wpa_auth, group); 2701 wpa_group_config_group_keys(wpa_auth, group); 2702 } 2703} 2704 2705 2706static const char * wpa_bool_txt(int bool) 2707{ 2708 return bool ? "TRUE" : "FALSE"; 2709} 2710 2711 2712#define RSN_SUITE "%02x-%02x-%02x-%d" 2713#define RSN_SUITE_ARG(s) \ 2714((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2715 2716int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2717{ 2718 int len = 0, ret; 2719 char pmkid_txt[PMKID_LEN * 2 + 1]; 2720#ifdef CONFIG_RSN_PREAUTH 2721 const int preauth = 1; 2722#else /* CONFIG_RSN_PREAUTH */ 2723 const int preauth = 0; 2724#endif /* CONFIG_RSN_PREAUTH */ 2725 2726 if (wpa_auth == NULL) 2727 return len; 2728 2729 ret = os_snprintf(buf + len, buflen - len, 2730 "dot11RSNAOptionImplemented=TRUE\n" 2731 "dot11RSNAPreauthenticationImplemented=%s\n" 2732 "dot11RSNAEnabled=%s\n" 2733 "dot11RSNAPreauthenticationEnabled=%s\n", 2734 wpa_bool_txt(preauth), 2735 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2736 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2737 if (ret < 0 || (size_t) ret >= buflen - len) 2738 return len; 2739 len += ret; 2740 2741 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2742 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2743 2744 ret = os_snprintf( 2745 buf + len, buflen - len, 2746 "dot11RSNAConfigVersion=%u\n" 2747 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2748 /* FIX: dot11RSNAConfigGroupCipher */ 2749 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2750 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2751 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2752 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2753 "dot11RSNAConfigGroupUpdateCount=%u\n" 2754 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2755 "dot11RSNAConfigGroupCipherSize=%u\n" 2756 "dot11RSNAConfigPMKLifetime=%u\n" 2757 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2758 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2759 "dot11RSNAConfigSATimeout=%u\n" 2760 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2761 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2762 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2763 "dot11RSNAPMKIDUsed=%s\n" 2764 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2765 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2766 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2767 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 2768 "dot11RSNA4WayHandshakeFailures=%u\n" 2769 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 2770 RSN_VERSION, 2771 !!wpa_auth->conf.wpa_strict_rekey, 2772 dot11RSNAConfigGroupUpdateCount, 2773 dot11RSNAConfigPairwiseUpdateCount, 2774 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 2775 dot11RSNAConfigPMKLifetime, 2776 dot11RSNAConfigPMKReauthThreshold, 2777 dot11RSNAConfigSATimeout, 2778 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 2779 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 2780 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 2781 pmkid_txt, 2782 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 2783 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 2784 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 2785 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 2786 wpa_auth->dot11RSNA4WayHandshakeFailures); 2787 if (ret < 0 || (size_t) ret >= buflen - len) 2788 return len; 2789 len += ret; 2790 2791 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 2792 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 2793 2794 /* Private MIB */ 2795 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 2796 wpa_auth->group->wpa_group_state); 2797 if (ret < 0 || (size_t) ret >= buflen - len) 2798 return len; 2799 len += ret; 2800 2801 return len; 2802} 2803 2804 2805int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 2806{ 2807 int len = 0, ret; 2808 u32 pairwise = 0; 2809 2810 if (sm == NULL) 2811 return 0; 2812 2813 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 2814 2815 /* dot11RSNAStatsEntry */ 2816 2817 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 2818 WPA_PROTO_RSN : WPA_PROTO_WPA, 2819 sm->pairwise); 2820 if (pairwise == 0) 2821 return 0; 2822 2823 ret = os_snprintf( 2824 buf + len, buflen - len, 2825 /* TODO: dot11RSNAStatsIndex */ 2826 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 2827 "dot11RSNAStatsVersion=1\n" 2828 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 2829 /* TODO: dot11RSNAStatsTKIPICVErrors */ 2830 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 2831 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 2832 /* TODO: dot11RSNAStatsCCMPReplays */ 2833 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 2834 /* TODO: dot11RSNAStatsTKIPReplays */, 2835 MAC2STR(sm->addr), 2836 RSN_SUITE_ARG(pairwise), 2837 sm->dot11RSNAStatsTKIPLocalMICFailures, 2838 sm->dot11RSNAStatsTKIPRemoteMICFailures); 2839 if (ret < 0 || (size_t) ret >= buflen - len) 2840 return len; 2841 len += ret; 2842 2843 /* Private MIB */ 2844 ret = os_snprintf(buf + len, buflen - len, 2845 "hostapdWPAPTKState=%d\n" 2846 "hostapdWPAPTKGroupState=%d\n", 2847 sm->wpa_ptk_state, 2848 sm->wpa_ptk_group_state); 2849 if (ret < 0 || (size_t) ret >= buflen - len) 2850 return len; 2851 len += ret; 2852 2853 return len; 2854} 2855 2856 2857void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 2858{ 2859 if (wpa_auth) 2860 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 2861} 2862 2863 2864int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 2865{ 2866 return sm && sm->pairwise_set; 2867} 2868 2869 2870int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 2871{ 2872 return sm->pairwise; 2873} 2874 2875 2876int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 2877{ 2878 if (sm == NULL) 2879 return -1; 2880 return sm->wpa_key_mgmt; 2881} 2882 2883 2884int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 2885{ 2886 if (sm == NULL) 2887 return 0; 2888 return sm->wpa; 2889} 2890 2891 2892int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 2893 struct rsn_pmksa_cache_entry *entry) 2894{ 2895 if (sm == NULL || sm->pmksa != entry) 2896 return -1; 2897 sm->pmksa = NULL; 2898 return 0; 2899} 2900 2901 2902struct rsn_pmksa_cache_entry * 2903wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 2904{ 2905 return sm ? sm->pmksa : NULL; 2906} 2907 2908 2909void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 2910{ 2911 if (sm) 2912 sm->dot11RSNAStatsTKIPLocalMICFailures++; 2913} 2914 2915 2916const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 2917{ 2918 if (wpa_auth == NULL) 2919 return NULL; 2920 *len = wpa_auth->wpa_ie_len; 2921 return wpa_auth->wpa_ie; 2922} 2923 2924 2925int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 2926 int session_timeout, struct eapol_state_machine *eapol) 2927{ 2928 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 2929 sm->wpa_auth->conf.disable_pmksa_caching) 2930 return -1; 2931 2932 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 2933 sm->wpa_auth->addr, sm->addr, session_timeout, 2934 eapol, sm->wpa_key_mgmt)) 2935 return 0; 2936 2937 return -1; 2938} 2939 2940 2941int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 2942 const u8 *pmk, size_t len, const u8 *sta_addr, 2943 int session_timeout, 2944 struct eapol_state_machine *eapol) 2945{ 2946 if (wpa_auth == NULL) 2947 return -1; 2948 2949 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr, 2950 sta_addr, session_timeout, eapol, 2951 WPA_KEY_MGMT_IEEE8021X)) 2952 return 0; 2953 2954 return -1; 2955} 2956 2957 2958void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 2959 const u8 *sta_addr) 2960{ 2961 struct rsn_pmksa_cache_entry *pmksa; 2962 2963 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 2964 return; 2965 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 2966 if (pmksa) { 2967 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 2968 MACSTR " based on request", MAC2STR(sta_addr)); 2969 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 2970 } 2971} 2972 2973 2974static struct wpa_group * 2975wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 2976{ 2977 struct wpa_group *group; 2978 2979 if (wpa_auth == NULL || wpa_auth->group == NULL) 2980 return NULL; 2981 2982 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 2983 vlan_id); 2984 group = wpa_group_init(wpa_auth, vlan_id, 0); 2985 if (group == NULL) 2986 return NULL; 2987 2988 group->next = wpa_auth->group->next; 2989 wpa_auth->group->next = group; 2990 2991 return group; 2992} 2993 2994 2995int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 2996{ 2997 struct wpa_group *group; 2998 2999 if (sm == NULL || sm->wpa_auth == NULL) 3000 return 0; 3001 3002 group = sm->wpa_auth->group; 3003 while (group) { 3004 if (group->vlan_id == vlan_id) 3005 break; 3006 group = group->next; 3007 } 3008 3009 if (group == NULL) { 3010 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3011 if (group == NULL) 3012 return -1; 3013 } 3014 3015 if (sm->group == group) 3016 return 0; 3017 3018 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3019 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3020 3021 sm->group = group; 3022 return 0; 3023} 3024 3025 3026void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3027 struct wpa_state_machine *sm, int ack) 3028{ 3029 if (wpa_auth == NULL || sm == NULL) 3030 return; 3031 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3032 " ack=%d", MAC2STR(sm->addr), ack); 3033 if (sm->pending_1_of_4_timeout && ack) { 3034 /* 3035 * Some deployed supplicant implementations update their SNonce 3036 * for each EAPOL-Key 2/4 message even within the same 4-way 3037 * handshake and then fail to use the first SNonce when 3038 * deriving the PTK. This results in unsuccessful 4-way 3039 * handshake whenever the relatively short initial timeout is 3040 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3041 * around this by increasing the timeout now that we know that 3042 * the station has received the frame. 3043 */ 3044 int timeout_ms = eapol_key_timeout_subseq; 3045 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3046 "timeout by %u ms because of acknowledged frame", 3047 timeout_ms); 3048 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3049 eloop_register_timeout(timeout_ms / 1000, 3050 (timeout_ms % 1000) * 1000, 3051 wpa_send_eapol_timeout, wpa_auth, sm); 3052 } 3053} 3054 3055 3056int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3057{ 3058 if (sm == NULL) 3059 return 0; 3060 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3061} 3062