wpa_auth.c revision 2f74e36e84064ffa32f82f3decf36b653c7e4fad
1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "utils/bitfield.h" 15#include "common/ieee802_11_defs.h" 16#include "crypto/aes_wrap.h" 17#include "crypto/crypto.h" 18#include "crypto/sha1.h" 19#include "crypto/sha256.h" 20#include "crypto/random.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "ap_config.h" 23#include "ieee802_11.h" 24#include "wpa_auth.h" 25#include "pmksa_cache_auth.h" 26#include "wpa_auth_i.h" 27#include "wpa_auth_ie.h" 28 29#define STATE_MACHINE_DATA struct wpa_state_machine 30#define STATE_MACHINE_DEBUG_PREFIX "WPA" 31#define STATE_MACHINE_ADDR sm->addr 32 33 34static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 35static int wpa_sm_step(struct wpa_state_machine *sm); 36static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 37 size_t data_len); 38static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 39static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 40 struct wpa_group *group); 41static void wpa_request_new_ptk(struct wpa_state_machine *sm); 42static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 45 struct wpa_group *group); 46static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 47 const u8 *pmk, struct wpa_ptk *ptk); 48 49static const u32 dot11RSNAConfigGroupUpdateCount = 4; 50static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 51static const u32 eapol_key_timeout_first = 100; /* ms */ 52static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 53static const u32 eapol_key_timeout_first_group = 500; /* ms */ 54 55/* TODO: make these configurable */ 56static const int dot11RSNAConfigPMKLifetime = 43200; 57static const int dot11RSNAConfigPMKReauthThreshold = 70; 58static const int dot11RSNAConfigSATimeout = 60; 59 60 61static inline int wpa_auth_mic_failure_report( 62 struct wpa_authenticator *wpa_auth, const u8 *addr) 63{ 64 if (wpa_auth->cb.mic_failure_report) 65 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 66 return 0; 67} 68 69 70static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 71 const u8 *addr, wpa_eapol_variable var, 72 int value) 73{ 74 if (wpa_auth->cb.set_eapol) 75 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 76} 77 78 79static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 80 const u8 *addr, wpa_eapol_variable var) 81{ 82 if (wpa_auth->cb.get_eapol == NULL) 83 return -1; 84 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 85} 86 87 88static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 89 const u8 *addr, 90 const u8 *p2p_dev_addr, 91 const u8 *prev_psk) 92{ 93 if (wpa_auth->cb.get_psk == NULL) 94 return NULL; 95 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr, 96 prev_psk); 97} 98 99 100static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 101 const u8 *addr, u8 *msk, size_t *len) 102{ 103 if (wpa_auth->cb.get_msk == NULL) 104 return -1; 105 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 106} 107 108 109static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 110 int vlan_id, 111 enum wpa_alg alg, const u8 *addr, int idx, 112 u8 *key, size_t key_len) 113{ 114 if (wpa_auth->cb.set_key == NULL) 115 return -1; 116 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 117 key, key_len); 118} 119 120 121static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 122 const u8 *addr, int idx, u8 *seq) 123{ 124 if (wpa_auth->cb.get_seqnum == NULL) 125 return -1; 126 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 127} 128 129 130static inline int 131wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 132 const u8 *data, size_t data_len, int encrypt) 133{ 134 if (wpa_auth->cb.send_eapol == NULL) 135 return -1; 136 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 137 encrypt); 138} 139 140 141#ifdef CONFIG_MESH 142static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 143 const u8 *addr) 144{ 145 if (wpa_auth->cb.start_ampe == NULL) 146 return -1; 147 return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr); 148} 149#endif /* CONFIG_MESH */ 150 151 152int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 153 int (*cb)(struct wpa_state_machine *sm, void *ctx), 154 void *cb_ctx) 155{ 156 if (wpa_auth->cb.for_each_sta == NULL) 157 return 0; 158 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 159} 160 161 162int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 163 int (*cb)(struct wpa_authenticator *a, void *ctx), 164 void *cb_ctx) 165{ 166 if (wpa_auth->cb.for_each_auth == NULL) 167 return 0; 168 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 169} 170 171 172void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 173 logger_level level, const char *txt) 174{ 175 if (wpa_auth->cb.logger == NULL) 176 return; 177 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 178} 179 180 181void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 182 logger_level level, const char *fmt, ...) 183{ 184 char *format; 185 int maxlen; 186 va_list ap; 187 188 if (wpa_auth->cb.logger == NULL) 189 return; 190 191 maxlen = os_strlen(fmt) + 100; 192 format = os_malloc(maxlen); 193 if (!format) 194 return; 195 196 va_start(ap, fmt); 197 vsnprintf(format, maxlen, fmt, ap); 198 va_end(ap); 199 200 wpa_auth_logger(wpa_auth, addr, level, format); 201 202 os_free(format); 203} 204 205 206static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 207 const u8 *addr) 208{ 209 if (wpa_auth->cb.disconnect == NULL) 210 return; 211 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 212 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 213 WLAN_REASON_PREV_AUTH_NOT_VALID); 214} 215 216 217static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 218{ 219 int ret = 0; 220#ifdef CONFIG_IEEE80211R 221 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 222 ret = 1; 223#endif /* CONFIG_IEEE80211R */ 224#ifdef CONFIG_IEEE80211W 225 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 226 ret = 1; 227#endif /* CONFIG_IEEE80211W */ 228 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) 229 ret = 1; 230 return ret; 231} 232 233 234static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 235{ 236 struct wpa_authenticator *wpa_auth = eloop_ctx; 237 238 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 239 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 240 "initialization."); 241 } else { 242 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 243 wpa_hexdump_key(MSG_DEBUG, "GMK", 244 wpa_auth->group->GMK, WPA_GMK_LEN); 245 } 246 247 if (wpa_auth->conf.wpa_gmk_rekey) { 248 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 249 wpa_rekey_gmk, wpa_auth, NULL); 250 } 251} 252 253 254static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 255{ 256 struct wpa_authenticator *wpa_auth = eloop_ctx; 257 struct wpa_group *group; 258 259 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 260 for (group = wpa_auth->group; group; group = group->next) { 261 group->GTKReKey = TRUE; 262 do { 263 group->changed = FALSE; 264 wpa_group_sm_step(wpa_auth, group); 265 } while (group->changed); 266 } 267 268 if (wpa_auth->conf.wpa_group_rekey) { 269 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 270 0, wpa_rekey_gtk, wpa_auth, NULL); 271 } 272} 273 274 275static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 276{ 277 struct wpa_authenticator *wpa_auth = eloop_ctx; 278 struct wpa_state_machine *sm = timeout_ctx; 279 280 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 281 wpa_request_new_ptk(sm); 282 wpa_sm_step(sm); 283} 284 285 286static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 287{ 288 if (sm->pmksa == ctx) 289 sm->pmksa = NULL; 290 return 0; 291} 292 293 294static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 295 void *ctx) 296{ 297 struct wpa_authenticator *wpa_auth = ctx; 298 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 299} 300 301 302static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 303 struct wpa_group *group) 304{ 305 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 306 u8 rkey[32]; 307 unsigned long ptr; 308 309 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 310 return -1; 311 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 312 313 /* 314 * Counter = PRF-256(Random number, "Init Counter", 315 * Local MAC Address || Time) 316 */ 317 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 318 wpa_get_ntp_timestamp(buf + ETH_ALEN); 319 ptr = (unsigned long) group; 320 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 321 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 322 return -1; 323 324 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 325 group->Counter, WPA_NONCE_LEN) < 0) 326 return -1; 327 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 328 group->Counter, WPA_NONCE_LEN); 329 330 return 0; 331} 332 333 334static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 335 int vlan_id, int delay_init) 336{ 337 struct wpa_group *group; 338 339 group = os_zalloc(sizeof(struct wpa_group)); 340 if (group == NULL) 341 return NULL; 342 343 group->GTKAuthenticator = TRUE; 344 group->vlan_id = vlan_id; 345 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 346 347 if (random_pool_ready() != 1) { 348 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 349 "for secure operations - update keys later when " 350 "the first station connects"); 351 } 352 353 /* 354 * Set initial GMK/Counter value here. The actual values that will be 355 * used in negotiations will be set once the first station tries to 356 * connect. This allows more time for collecting additional randomness 357 * on embedded devices. 358 */ 359 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 360 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 361 "initialization."); 362 os_free(group); 363 return NULL; 364 } 365 366 group->GInit = TRUE; 367 if (delay_init) { 368 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 369 "until Beacon frames have been configured"); 370 /* Initialization is completed in wpa_init_keys(). */ 371 } else { 372 wpa_group_sm_step(wpa_auth, group); 373 group->GInit = FALSE; 374 wpa_group_sm_step(wpa_auth, group); 375 } 376 377 return group; 378} 379 380 381/** 382 * wpa_init - Initialize WPA authenticator 383 * @addr: Authenticator address 384 * @conf: Configuration for WPA authenticator 385 * @cb: Callback functions for WPA authenticator 386 * Returns: Pointer to WPA authenticator data or %NULL on failure 387 */ 388struct wpa_authenticator * wpa_init(const u8 *addr, 389 struct wpa_auth_config *conf, 390 struct wpa_auth_callbacks *cb) 391{ 392 struct wpa_authenticator *wpa_auth; 393 394 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 395 if (wpa_auth == NULL) 396 return NULL; 397 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 398 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 399 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 400 401 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 402 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 403 os_free(wpa_auth); 404 return NULL; 405 } 406 407 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 408 if (wpa_auth->group == NULL) { 409 os_free(wpa_auth->wpa_ie); 410 os_free(wpa_auth); 411 return NULL; 412 } 413 414 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 415 wpa_auth); 416 if (wpa_auth->pmksa == NULL) { 417 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 418 os_free(wpa_auth->group); 419 os_free(wpa_auth->wpa_ie); 420 os_free(wpa_auth); 421 return NULL; 422 } 423 424#ifdef CONFIG_IEEE80211R 425 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 426 if (wpa_auth->ft_pmk_cache == NULL) { 427 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 428 os_free(wpa_auth->group); 429 os_free(wpa_auth->wpa_ie); 430 pmksa_cache_auth_deinit(wpa_auth->pmksa); 431 os_free(wpa_auth); 432 return NULL; 433 } 434#endif /* CONFIG_IEEE80211R */ 435 436 if (wpa_auth->conf.wpa_gmk_rekey) { 437 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 438 wpa_rekey_gmk, wpa_auth, NULL); 439 } 440 441 if (wpa_auth->conf.wpa_group_rekey) { 442 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 443 wpa_rekey_gtk, wpa_auth, NULL); 444 } 445 446#ifdef CONFIG_P2P 447 if (WPA_GET_BE32(conf->ip_addr_start)) { 448 int count = WPA_GET_BE32(conf->ip_addr_end) - 449 WPA_GET_BE32(conf->ip_addr_start) + 1; 450 if (count > 1000) 451 count = 1000; 452 if (count > 0) 453 wpa_auth->ip_pool = bitfield_alloc(count); 454 } 455#endif /* CONFIG_P2P */ 456 457 return wpa_auth; 458} 459 460 461int wpa_init_keys(struct wpa_authenticator *wpa_auth) 462{ 463 struct wpa_group *group = wpa_auth->group; 464 465 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 466 "keys"); 467 wpa_group_sm_step(wpa_auth, group); 468 group->GInit = FALSE; 469 wpa_group_sm_step(wpa_auth, group); 470 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 471 return -1; 472 return 0; 473} 474 475 476/** 477 * wpa_deinit - Deinitialize WPA authenticator 478 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 479 */ 480void wpa_deinit(struct wpa_authenticator *wpa_auth) 481{ 482 struct wpa_group *group, *prev; 483 484 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 485 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 486 487#ifdef CONFIG_PEERKEY 488 while (wpa_auth->stsl_negotiations) 489 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 490#endif /* CONFIG_PEERKEY */ 491 492 pmksa_cache_auth_deinit(wpa_auth->pmksa); 493 494#ifdef CONFIG_IEEE80211R 495 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 496 wpa_auth->ft_pmk_cache = NULL; 497#endif /* CONFIG_IEEE80211R */ 498 499#ifdef CONFIG_P2P 500 bitfield_free(wpa_auth->ip_pool); 501#endif /* CONFIG_P2P */ 502 503 504 os_free(wpa_auth->wpa_ie); 505 506 group = wpa_auth->group; 507 while (group) { 508 prev = group; 509 group = group->next; 510 os_free(prev); 511 } 512 513 os_free(wpa_auth); 514} 515 516 517/** 518 * wpa_reconfig - Update WPA authenticator configuration 519 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 520 * @conf: Configuration for WPA authenticator 521 */ 522int wpa_reconfig(struct wpa_authenticator *wpa_auth, 523 struct wpa_auth_config *conf) 524{ 525 struct wpa_group *group; 526 if (wpa_auth == NULL) 527 return 0; 528 529 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 530 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 531 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 532 return -1; 533 } 534 535 /* 536 * Reinitialize GTK to make sure it is suitable for the new 537 * configuration. 538 */ 539 group = wpa_auth->group; 540 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 541 group->GInit = TRUE; 542 wpa_group_sm_step(wpa_auth, group); 543 group->GInit = FALSE; 544 wpa_group_sm_step(wpa_auth, group); 545 546 return 0; 547} 548 549 550struct wpa_state_machine * 551wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 552 const u8 *p2p_dev_addr) 553{ 554 struct wpa_state_machine *sm; 555 556 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 557 return NULL; 558 559 sm = os_zalloc(sizeof(struct wpa_state_machine)); 560 if (sm == NULL) 561 return NULL; 562 os_memcpy(sm->addr, addr, ETH_ALEN); 563 if (p2p_dev_addr) 564 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 565 566 sm->wpa_auth = wpa_auth; 567 sm->group = wpa_auth->group; 568 569 return sm; 570} 571 572 573int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 574 struct wpa_state_machine *sm) 575{ 576 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 577 return -1; 578 579#ifdef CONFIG_IEEE80211R 580 if (sm->ft_completed) { 581 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 582 "FT authentication already completed - do not " 583 "start 4-way handshake"); 584 /* Go to PTKINITDONE state to allow GTK rekeying */ 585 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 586 return 0; 587 } 588#endif /* CONFIG_IEEE80211R */ 589 590 if (sm->started) { 591 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 592 sm->ReAuthenticationRequest = TRUE; 593 return wpa_sm_step(sm); 594 } 595 596 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 597 "start authentication"); 598 sm->started = 1; 599 600 sm->Init = TRUE; 601 if (wpa_sm_step(sm) == 1) 602 return 1; /* should not really happen */ 603 sm->Init = FALSE; 604 sm->AuthenticationRequest = TRUE; 605 return wpa_sm_step(sm); 606} 607 608 609void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 610{ 611 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 612 * reassociates back to the same AP while the previous entry for the 613 * STA has not yet been removed. */ 614 if (sm == NULL) 615 return; 616 617 sm->wpa_key_mgmt = 0; 618} 619 620 621static void wpa_free_sta_sm(struct wpa_state_machine *sm) 622{ 623#ifdef CONFIG_P2P 624 if (WPA_GET_BE32(sm->ip_addr)) { 625 u32 start; 626 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 627 "address %u.%u.%u.%u from " MACSTR, 628 sm->ip_addr[0], sm->ip_addr[1], 629 sm->ip_addr[2], sm->ip_addr[3], 630 MAC2STR(sm->addr)); 631 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 632 bitfield_clear(sm->wpa_auth->ip_pool, 633 WPA_GET_BE32(sm->ip_addr) - start); 634 } 635#endif /* CONFIG_P2P */ 636 if (sm->GUpdateStationKeys) { 637 sm->group->GKeyDoneStations--; 638 sm->GUpdateStationKeys = FALSE; 639 } 640#ifdef CONFIG_IEEE80211R 641 os_free(sm->assoc_resp_ftie); 642 wpabuf_free(sm->ft_pending_req_ies); 643#endif /* CONFIG_IEEE80211R */ 644 os_free(sm->last_rx_eapol_key); 645 os_free(sm->wpa_ie); 646 os_free(sm); 647} 648 649 650void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 651{ 652 if (sm == NULL) 653 return; 654 655 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 656 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 657 "strict rekeying - force GTK rekey since STA " 658 "is leaving"); 659 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 660 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 661 NULL); 662 } 663 664 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 665 sm->pending_1_of_4_timeout = 0; 666 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 667 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 668 if (sm->in_step_loop) { 669 /* Must not free state machine while wpa_sm_step() is running. 670 * Freeing will be completed in the end of wpa_sm_step(). */ 671 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 672 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 673 sm->pending_deinit = 1; 674 } else 675 wpa_free_sta_sm(sm); 676} 677 678 679static void wpa_request_new_ptk(struct wpa_state_machine *sm) 680{ 681 if (sm == NULL) 682 return; 683 684 sm->PTKRequest = TRUE; 685 sm->PTK_valid = 0; 686} 687 688 689static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 690 const u8 *replay_counter) 691{ 692 int i; 693 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 694 if (!ctr[i].valid) 695 break; 696 if (os_memcmp(replay_counter, ctr[i].counter, 697 WPA_REPLAY_COUNTER_LEN) == 0) 698 return 1; 699 } 700 return 0; 701} 702 703 704static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 705 const u8 *replay_counter) 706{ 707 int i; 708 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 709 if (ctr[i].valid && 710 (replay_counter == NULL || 711 os_memcmp(replay_counter, ctr[i].counter, 712 WPA_REPLAY_COUNTER_LEN) == 0)) 713 ctr[i].valid = FALSE; 714 } 715} 716 717 718#ifdef CONFIG_IEEE80211R 719static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 720 struct wpa_state_machine *sm, 721 struct wpa_eapol_ie_parse *kde) 722{ 723 struct wpa_ie_data ie; 724 struct rsn_mdie *mdie; 725 726 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 727 ie.num_pmkid != 1 || ie.pmkid == NULL) { 728 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 729 "FT 4-way handshake message 2/4"); 730 return -1; 731 } 732 733 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 734 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 735 sm->sup_pmk_r1_name, PMKID_LEN); 736 737 if (!kde->mdie || !kde->ftie) { 738 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 739 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 740 return -1; 741 } 742 743 mdie = (struct rsn_mdie *) (kde->mdie + 2); 744 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 745 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 746 MOBILITY_DOMAIN_ID_LEN) != 0) { 747 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 748 return -1; 749 } 750 751 if (sm->assoc_resp_ftie && 752 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 753 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 754 2 + sm->assoc_resp_ftie[1]) != 0)) { 755 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 756 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 757 kde->ftie, kde->ftie_len); 758 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 759 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 760 return -1; 761 } 762 763 return 0; 764} 765#endif /* CONFIG_IEEE80211R */ 766 767 768static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 769 struct wpa_state_machine *sm, int group) 770{ 771 /* Supplicant reported a Michael MIC error */ 772 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 773 "received EAPOL-Key Error Request " 774 "(STA detected Michael MIC failure (group=%d))", 775 group); 776 777 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 778 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 779 "ignore Michael MIC failure report since " 780 "group cipher is not TKIP"); 781 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 782 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 783 "ignore Michael MIC failure report since " 784 "pairwise cipher is not TKIP"); 785 } else { 786 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 787 return 1; /* STA entry was removed */ 788 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 789 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 790 } 791 792 /* 793 * Error report is not a request for a new key handshake, but since 794 * Authenticator may do it, let's change the keys now anyway. 795 */ 796 wpa_request_new_ptk(sm); 797 return 0; 798} 799 800 801static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 802 size_t data_len) 803{ 804 struct wpa_ptk PTK; 805 int ok = 0; 806 const u8 *pmk = NULL; 807 808 for (;;) { 809 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 810 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 811 sm->p2p_dev_addr, pmk); 812 if (pmk == NULL) 813 break; 814 } else 815 pmk = sm->PMK; 816 817 wpa_derive_ptk(sm, sm->alt_SNonce, pmk, &PTK); 818 819 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len) 820 == 0) { 821 ok = 1; 822 break; 823 } 824 825 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 826 break; 827 } 828 829 if (!ok) { 830 wpa_printf(MSG_DEBUG, 831 "WPA: Earlier SNonce did not result in matching MIC"); 832 return -1; 833 } 834 835 wpa_printf(MSG_DEBUG, 836 "WPA: Earlier SNonce resulted in matching MIC"); 837 sm->alt_snonce_valid = 0; 838 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 839 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 840 sm->PTK_valid = TRUE; 841 842 return 0; 843} 844 845 846void wpa_receive(struct wpa_authenticator *wpa_auth, 847 struct wpa_state_machine *sm, 848 u8 *data, size_t data_len) 849{ 850 struct ieee802_1x_hdr *hdr; 851 struct wpa_eapol_key *key; 852 u16 key_info, key_data_length; 853 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 854 SMK_M1, SMK_M3, SMK_ERROR } msg; 855 char *msgtxt; 856 struct wpa_eapol_ie_parse kde; 857 int ft; 858 const u8 *eapol_key_ie; 859 size_t eapol_key_ie_len; 860 861 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 862 return; 863 864 if (data_len < sizeof(*hdr) + sizeof(*key)) 865 return; 866 867 hdr = (struct ieee802_1x_hdr *) data; 868 key = (struct wpa_eapol_key *) (hdr + 1); 869 key_info = WPA_GET_BE16(key->key_info); 870 key_data_length = WPA_GET_BE16(key->key_data_length); 871 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 872 " key_info=0x%x type=%u key_data_length=%u", 873 MAC2STR(sm->addr), key_info, key->type, key_data_length); 874 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 875 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 876 "key_data overflow (%d > %lu)", 877 key_data_length, 878 (unsigned long) (data_len - sizeof(*hdr) - 879 sizeof(*key))); 880 return; 881 } 882 883 if (sm->wpa == WPA_VERSION_WPA2) { 884 if (key->type == EAPOL_KEY_TYPE_WPA) { 885 /* 886 * Some deployed station implementations seem to send 887 * msg 4/4 with incorrect type value in WPA2 mode. 888 */ 889 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 890 "with unexpected WPA type in RSN mode"); 891 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 892 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 893 "unexpected type %d in RSN mode", 894 key->type); 895 return; 896 } 897 } else { 898 if (key->type != EAPOL_KEY_TYPE_WPA) { 899 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 900 "unexpected type %d in WPA mode", 901 key->type); 902 return; 903 } 904 } 905 906 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 907 WPA_NONCE_LEN); 908 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 909 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 910 911 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 912 * are set */ 913 914 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 915 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 916 if (key_info & WPA_KEY_INFO_ERROR) { 917 msg = SMK_ERROR; 918 msgtxt = "SMK Error"; 919 } else { 920 msg = SMK_M1; 921 msgtxt = "SMK M1"; 922 } 923 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 924 msg = SMK_M3; 925 msgtxt = "SMK M3"; 926 } else if (key_info & WPA_KEY_INFO_REQUEST) { 927 msg = REQUEST; 928 msgtxt = "Request"; 929 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 930 msg = GROUP_2; 931 msgtxt = "2/2 Group"; 932 } else if (key_data_length == 0) { 933 msg = PAIRWISE_4; 934 msgtxt = "4/4 Pairwise"; 935 } else { 936 msg = PAIRWISE_2; 937 msgtxt = "2/4 Pairwise"; 938 } 939 940 /* TODO: key_info type validation for PeerKey */ 941 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 942 msg == GROUP_2) { 943 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 944 if (sm->pairwise == WPA_CIPHER_CCMP || 945 sm->pairwise == WPA_CIPHER_GCMP) { 946 if (wpa_use_aes_cmac(sm) && 947 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN && 948 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 949 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 950 wpa_auth_logger(wpa_auth, sm->addr, 951 LOGGER_WARNING, 952 "advertised support for " 953 "AES-128-CMAC, but did not " 954 "use it"); 955 return; 956 } 957 958 if (!wpa_use_aes_cmac(sm) && 959 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 960 wpa_auth_logger(wpa_auth, sm->addr, 961 LOGGER_WARNING, 962 "did not use HMAC-SHA1-AES " 963 "with CCMP/GCMP"); 964 return; 965 } 966 } 967 968 if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 969 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 970 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 971 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 972 return; 973 } 974 } 975 976 if (key_info & WPA_KEY_INFO_REQUEST) { 977 if (sm->req_replay_counter_used && 978 os_memcmp(key->replay_counter, sm->req_replay_counter, 979 WPA_REPLAY_COUNTER_LEN) <= 0) { 980 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 981 "received EAPOL-Key request with " 982 "replayed counter"); 983 return; 984 } 985 } 986 987 if (!(key_info & WPA_KEY_INFO_REQUEST) && 988 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 989 int i; 990 991 if (msg == PAIRWISE_2 && 992 wpa_replay_counter_valid(sm->prev_key_replay, 993 key->replay_counter) && 994 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 995 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 996 { 997 /* 998 * Some supplicant implementations (e.g., Windows XP 999 * WZC) update SNonce for each EAPOL-Key 2/4. This 1000 * breaks the workaround on accepting any of the 1001 * pending requests, so allow the SNonce to be updated 1002 * even if we have already sent out EAPOL-Key 3/4. 1003 */ 1004 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1005 "Process SNonce update from STA " 1006 "based on retransmitted EAPOL-Key " 1007 "1/4"); 1008 sm->update_snonce = 1; 1009 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1010 sm->alt_snonce_valid = TRUE; 1011 os_memcpy(sm->alt_replay_counter, 1012 sm->key_replay[0].counter, 1013 WPA_REPLAY_COUNTER_LEN); 1014 goto continue_processing; 1015 } 1016 1017 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1018 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1019 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1020 WPA_REPLAY_COUNTER_LEN) == 0) { 1021 /* 1022 * Supplicant may still be using the old SNonce since 1023 * there was two EAPOL-Key 2/4 messages and they had 1024 * different SNonce values. 1025 */ 1026 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1027 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1028 goto continue_processing; 1029 } 1030 1031 if (msg == PAIRWISE_2 && 1032 wpa_replay_counter_valid(sm->prev_key_replay, 1033 key->replay_counter) && 1034 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1035 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1036 "ignore retransmitted EAPOL-Key %s - " 1037 "SNonce did not change", msgtxt); 1038 } else { 1039 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1040 "received EAPOL-Key %s with " 1041 "unexpected replay counter", msgtxt); 1042 } 1043 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1044 if (!sm->key_replay[i].valid) 1045 break; 1046 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1047 sm->key_replay[i].counter, 1048 WPA_REPLAY_COUNTER_LEN); 1049 } 1050 wpa_hexdump(MSG_DEBUG, "received replay counter", 1051 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1052 return; 1053 } 1054 1055continue_processing: 1056 switch (msg) { 1057 case PAIRWISE_2: 1058 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1059 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1060 (!sm->update_snonce || 1061 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1062 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1063 "received EAPOL-Key msg 2/4 in " 1064 "invalid state (%d) - dropped", 1065 sm->wpa_ptk_state); 1066 return; 1067 } 1068 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1069 if (sm->group->reject_4way_hs_for_entropy) { 1070 /* 1071 * The system did not have enough entropy to generate 1072 * strong random numbers. Reject the first 4-way 1073 * handshake(s) and collect some entropy based on the 1074 * information from it. Once enough entropy is 1075 * available, the next atempt will trigger GMK/Key 1076 * Counter update and the station will be allowed to 1077 * continue. 1078 */ 1079 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1080 "collect more entropy for random number " 1081 "generation"); 1082 random_mark_pool_ready(); 1083 wpa_sta_disconnect(wpa_auth, sm->addr); 1084 return; 1085 } 1086 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 1087 &kde) < 0) { 1088 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1089 "received EAPOL-Key msg 2/4 with " 1090 "invalid Key Data contents"); 1091 return; 1092 } 1093 if (kde.rsn_ie) { 1094 eapol_key_ie = kde.rsn_ie; 1095 eapol_key_ie_len = kde.rsn_ie_len; 1096 } else if (kde.osen) { 1097 eapol_key_ie = kde.osen; 1098 eapol_key_ie_len = kde.osen_len; 1099 } else { 1100 eapol_key_ie = kde.wpa_ie; 1101 eapol_key_ie_len = kde.wpa_ie_len; 1102 } 1103 ft = sm->wpa == WPA_VERSION_WPA2 && 1104 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 1105 if (sm->wpa_ie == NULL || 1106 wpa_compare_rsn_ie(ft, 1107 sm->wpa_ie, sm->wpa_ie_len, 1108 eapol_key_ie, eapol_key_ie_len)) { 1109 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1110 "WPA IE from (Re)AssocReq did not " 1111 "match with msg 2/4"); 1112 if (sm->wpa_ie) { 1113 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 1114 sm->wpa_ie, sm->wpa_ie_len); 1115 } 1116 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 1117 eapol_key_ie, eapol_key_ie_len); 1118 /* MLME-DEAUTHENTICATE.request */ 1119 wpa_sta_disconnect(wpa_auth, sm->addr); 1120 return; 1121 } 1122#ifdef CONFIG_IEEE80211R 1123 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 1124 wpa_sta_disconnect(wpa_auth, sm->addr); 1125 return; 1126 } 1127#endif /* CONFIG_IEEE80211R */ 1128#ifdef CONFIG_P2P 1129 if (kde.ip_addr_req && kde.ip_addr_req[0] && 1130 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 1131 int idx; 1132 wpa_printf(MSG_DEBUG, "P2P: IP address requested in " 1133 "EAPOL-Key exchange"); 1134 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 1135 if (idx >= 0) { 1136 u32 start = WPA_GET_BE32(wpa_auth->conf. 1137 ip_addr_start); 1138 bitfield_set(wpa_auth->ip_pool, idx); 1139 WPA_PUT_BE32(sm->ip_addr, start + idx); 1140 wpa_printf(MSG_DEBUG, "P2P: Assigned IP " 1141 "address %u.%u.%u.%u to " MACSTR, 1142 sm->ip_addr[0], sm->ip_addr[1], 1143 sm->ip_addr[2], sm->ip_addr[3], 1144 MAC2STR(sm->addr)); 1145 } 1146 } 1147#endif /* CONFIG_P2P */ 1148 break; 1149 case PAIRWISE_4: 1150 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1151 !sm->PTK_valid) { 1152 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1153 "received EAPOL-Key msg 4/4 in " 1154 "invalid state (%d) - dropped", 1155 sm->wpa_ptk_state); 1156 return; 1157 } 1158 break; 1159 case GROUP_2: 1160 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1161 || !sm->PTK_valid) { 1162 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1163 "received EAPOL-Key msg 2/2 in " 1164 "invalid state (%d) - dropped", 1165 sm->wpa_ptk_group_state); 1166 return; 1167 } 1168 break; 1169#ifdef CONFIG_PEERKEY 1170 case SMK_M1: 1171 case SMK_M3: 1172 case SMK_ERROR: 1173 if (!wpa_auth->conf.peerkey) { 1174 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1175 "PeerKey use disabled - ignoring message"); 1176 return; 1177 } 1178 if (!sm->PTK_valid) { 1179 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1180 "received EAPOL-Key msg SMK in " 1181 "invalid state - dropped"); 1182 return; 1183 } 1184 break; 1185#else /* CONFIG_PEERKEY */ 1186 case SMK_M1: 1187 case SMK_M3: 1188 case SMK_ERROR: 1189 return; /* STSL disabled - ignore SMK messages */ 1190#endif /* CONFIG_PEERKEY */ 1191 case REQUEST: 1192 break; 1193 } 1194 1195 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1196 "received EAPOL-Key frame (%s)", msgtxt); 1197 1198 if (key_info & WPA_KEY_INFO_ACK) { 1199 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1200 "received invalid EAPOL-Key: Key Ack set"); 1201 return; 1202 } 1203 1204 if (!(key_info & WPA_KEY_INFO_MIC)) { 1205 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1206 "received invalid EAPOL-Key: Key MIC not set"); 1207 return; 1208 } 1209 1210 sm->MICVerified = FALSE; 1211 if (sm->PTK_valid && !sm->update_snonce) { 1212 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data, 1213 data_len) && 1214 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1215 wpa_try_alt_snonce(sm, data, data_len))) { 1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1217 "received EAPOL-Key with invalid MIC"); 1218 return; 1219 } 1220 sm->MICVerified = TRUE; 1221 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1222 sm->pending_1_of_4_timeout = 0; 1223 } 1224 1225 if (key_info & WPA_KEY_INFO_REQUEST) { 1226 if (sm->MICVerified) { 1227 sm->req_replay_counter_used = 1; 1228 os_memcpy(sm->req_replay_counter, key->replay_counter, 1229 WPA_REPLAY_COUNTER_LEN); 1230 } else { 1231 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1232 "received EAPOL-Key request with " 1233 "invalid MIC"); 1234 return; 1235 } 1236 1237 /* 1238 * TODO: should decrypt key data field if encryption was used; 1239 * even though MAC address KDE is not normally encrypted, 1240 * supplicant is allowed to encrypt it. 1241 */ 1242 if (msg == SMK_ERROR) { 1243#ifdef CONFIG_PEERKEY 1244 wpa_smk_error(wpa_auth, sm, (const u8 *) (key + 1), 1245 key_data_length); 1246#endif /* CONFIG_PEERKEY */ 1247 return; 1248 } else if (key_info & WPA_KEY_INFO_ERROR) { 1249 if (wpa_receive_error_report( 1250 wpa_auth, sm, 1251 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1252 return; /* STA entry was removed */ 1253 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1254 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1255 "received EAPOL-Key Request for new " 1256 "4-Way Handshake"); 1257 wpa_request_new_ptk(sm); 1258#ifdef CONFIG_PEERKEY 1259 } else if (msg == SMK_M1) { 1260 wpa_smk_m1(wpa_auth, sm, key, (const u8 *) (key + 1), 1261 key_data_length); 1262#endif /* CONFIG_PEERKEY */ 1263 } else if (key_data_length > 0 && 1264 wpa_parse_kde_ies((const u8 *) (key + 1), 1265 key_data_length, &kde) == 0 && 1266 kde.mac_addr) { 1267 } else { 1268 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1269 "received EAPOL-Key Request for GTK " 1270 "rekeying"); 1271 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1272 wpa_rekey_gtk(wpa_auth, NULL); 1273 } 1274 } else { 1275 /* Do not allow the same key replay counter to be reused. */ 1276 wpa_replay_counter_mark_invalid(sm->key_replay, 1277 key->replay_counter); 1278 1279 if (msg == PAIRWISE_2) { 1280 /* 1281 * Maintain a copy of the pending EAPOL-Key frames in 1282 * case the EAPOL-Key frame was retransmitted. This is 1283 * needed to allow EAPOL-Key msg 2/4 reply to another 1284 * pending msg 1/4 to update the SNonce to work around 1285 * unexpected supplicant behavior. 1286 */ 1287 os_memcpy(sm->prev_key_replay, sm->key_replay, 1288 sizeof(sm->key_replay)); 1289 } else { 1290 os_memset(sm->prev_key_replay, 0, 1291 sizeof(sm->prev_key_replay)); 1292 } 1293 1294 /* 1295 * Make sure old valid counters are not accepted anymore and 1296 * do not get copied again. 1297 */ 1298 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1299 } 1300 1301#ifdef CONFIG_PEERKEY 1302 if (msg == SMK_M3) { 1303 wpa_smk_m3(wpa_auth, sm, key, (const u8 *) (key + 1), 1304 key_data_length); 1305 return; 1306 } 1307#endif /* CONFIG_PEERKEY */ 1308 1309 os_free(sm->last_rx_eapol_key); 1310 sm->last_rx_eapol_key = os_malloc(data_len); 1311 if (sm->last_rx_eapol_key == NULL) 1312 return; 1313 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1314 sm->last_rx_eapol_key_len = data_len; 1315 1316 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1317 sm->EAPOLKeyReceived = TRUE; 1318 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1319 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1320 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1321 wpa_sm_step(sm); 1322} 1323 1324 1325static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1326 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1327{ 1328 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1329 u8 *pos; 1330 int ret = 0; 1331 1332 /* GTK = PRF-X(GMK, "Group key expansion", 1333 * AA || GNonce || Time || random data) 1334 * The example described in the IEEE 802.11 standard uses only AA and 1335 * GNonce as inputs here. Add some more entropy since this derivation 1336 * is done only at the Authenticator and as such, does not need to be 1337 * exactly same. 1338 */ 1339 os_memcpy(data, addr, ETH_ALEN); 1340 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1341 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1342 wpa_get_ntp_timestamp(pos); 1343 pos += 8; 1344 if (random_get_bytes(pos, 16) < 0) 1345 ret = -1; 1346 1347#ifdef CONFIG_IEEE80211W 1348 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1349#else /* CONFIG_IEEE80211W */ 1350 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1351 < 0) 1352 ret = -1; 1353#endif /* CONFIG_IEEE80211W */ 1354 1355 return ret; 1356} 1357 1358 1359static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1360{ 1361 struct wpa_authenticator *wpa_auth = eloop_ctx; 1362 struct wpa_state_machine *sm = timeout_ctx; 1363 1364 sm->pending_1_of_4_timeout = 0; 1365 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1366 sm->TimeoutEvt = TRUE; 1367 wpa_sm_step(sm); 1368} 1369 1370 1371void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1372 struct wpa_state_machine *sm, int key_info, 1373 const u8 *key_rsc, const u8 *nonce, 1374 const u8 *kde, size_t kde_len, 1375 int keyidx, int encr, int force_version) 1376{ 1377 struct ieee802_1x_hdr *hdr; 1378 struct wpa_eapol_key *key; 1379 size_t len; 1380 int alg; 1381 int key_data_len, pad_len = 0; 1382 u8 *buf, *pos; 1383 int version, pairwise; 1384 int i; 1385 1386 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1387 1388 if (force_version) 1389 version = force_version; 1390 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1391 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) 1392 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1393 else if (wpa_use_aes_cmac(sm)) 1394 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1395 else if (sm->pairwise != WPA_CIPHER_TKIP) 1396 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1397 else 1398 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1399 1400 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1401 1402 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1403 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1404 "encr=%d)", 1405 version, 1406 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1407 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1408 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1409 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1410 pairwise, (unsigned long) kde_len, keyidx, encr); 1411 1412 key_data_len = kde_len; 1413 1414 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1415 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1416 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1417 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1418 pad_len = key_data_len % 8; 1419 if (pad_len) 1420 pad_len = 8 - pad_len; 1421 key_data_len += pad_len + 8; 1422 } 1423 1424 len += key_data_len; 1425 1426 hdr = os_zalloc(len); 1427 if (hdr == NULL) 1428 return; 1429 hdr->version = wpa_auth->conf.eapol_version; 1430 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1431 hdr->length = host_to_be16(len - sizeof(*hdr)); 1432 key = (struct wpa_eapol_key *) (hdr + 1); 1433 1434 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1435 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1436 key_info |= version; 1437 if (encr && sm->wpa == WPA_VERSION_WPA2) 1438 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1439 if (sm->wpa != WPA_VERSION_WPA2) 1440 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1441 WPA_PUT_BE16(key->key_info, key_info); 1442 1443 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1444 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1445 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1446 WPA_PUT_BE16(key->key_length, 0); 1447 1448 /* FIX: STSL: what to use as key_replay_counter? */ 1449 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1450 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1451 os_memcpy(sm->key_replay[i].counter, 1452 sm->key_replay[i - 1].counter, 1453 WPA_REPLAY_COUNTER_LEN); 1454 } 1455 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1456 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1457 WPA_REPLAY_COUNTER_LEN); 1458 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1459 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1460 sm->key_replay[0].valid = TRUE; 1461 1462 if (nonce) 1463 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1464 1465 if (key_rsc) 1466 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1467 1468 if (kde && !encr) { 1469 os_memcpy(key + 1, kde, kde_len); 1470 WPA_PUT_BE16(key->key_data_length, kde_len); 1471 } else if (encr && kde) { 1472 buf = os_zalloc(key_data_len); 1473 if (buf == NULL) { 1474 os_free(hdr); 1475 return; 1476 } 1477 pos = buf; 1478 os_memcpy(pos, kde, kde_len); 1479 pos += kde_len; 1480 1481 if (pad_len) 1482 *pos++ = 0xdd; 1483 1484 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1485 buf, key_data_len); 1486 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1487 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1488 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1489 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1490 if (aes_wrap(sm->PTK.kek, 16, 1491 (key_data_len - 8) / 8, buf, 1492 (u8 *) (key + 1))) { 1493 os_free(hdr); 1494 os_free(buf); 1495 return; 1496 } 1497 WPA_PUT_BE16(key->key_data_length, key_data_len); 1498 } else { 1499 u8 ek[32]; 1500 os_memcpy(key->key_iv, 1501 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1502 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1503 os_memcpy(ek, key->key_iv, 16); 1504 os_memcpy(ek + 16, sm->PTK.kek, 16); 1505 os_memcpy(key + 1, buf, key_data_len); 1506 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1507 WPA_PUT_BE16(key->key_data_length, key_data_len); 1508 } 1509 os_free(buf); 1510 } 1511 1512 if (key_info & WPA_KEY_INFO_MIC) { 1513 if (!sm->PTK_valid) { 1514 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1515 "PTK not valid when sending EAPOL-Key " 1516 "frame"); 1517 os_free(hdr); 1518 return; 1519 } 1520 wpa_eapol_key_mic(sm->PTK.kck, sm->wpa_key_mgmt, version, 1521 (u8 *) hdr, len, key->key_mic); 1522#ifdef CONFIG_TESTING_OPTIONS 1523 if (!pairwise && 1524 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1525 drand48() < 1526 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1527 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1528 "Corrupting group EAPOL-Key Key MIC"); 1529 key->key_mic[0]++; 1530 } 1531#endif /* CONFIG_TESTING_OPTIONS */ 1532 } 1533 1534 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1535 1); 1536 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1537 sm->pairwise_set); 1538 os_free(hdr); 1539} 1540 1541 1542static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1543 struct wpa_state_machine *sm, int key_info, 1544 const u8 *key_rsc, const u8 *nonce, 1545 const u8 *kde, size_t kde_len, 1546 int keyidx, int encr) 1547{ 1548 int timeout_ms; 1549 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1550 int ctr; 1551 1552 if (sm == NULL) 1553 return; 1554 1555 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1556 keyidx, encr, 0); 1557 1558 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1559 if (ctr == 1 && wpa_auth->conf.tx_status) 1560 timeout_ms = pairwise ? eapol_key_timeout_first : 1561 eapol_key_timeout_first_group; 1562 else 1563 timeout_ms = eapol_key_timeout_subseq; 1564 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1565 sm->pending_1_of_4_timeout = 1; 1566 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1567 "counter %d)", timeout_ms, ctr); 1568 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1569 wpa_send_eapol_timeout, wpa_auth, sm); 1570} 1571 1572 1573static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 1574 size_t data_len) 1575{ 1576 struct ieee802_1x_hdr *hdr; 1577 struct wpa_eapol_key *key; 1578 u16 key_info; 1579 int ret = 0; 1580 u8 mic[16]; 1581 1582 if (data_len < sizeof(*hdr) + sizeof(*key)) 1583 return -1; 1584 1585 hdr = (struct ieee802_1x_hdr *) data; 1586 key = (struct wpa_eapol_key *) (hdr + 1); 1587 key_info = WPA_GET_BE16(key->key_info); 1588 os_memcpy(mic, key->key_mic, 16); 1589 os_memset(key->key_mic, 0, 16); 1590 if (wpa_eapol_key_mic(PTK->kck, akmp, key_info & WPA_KEY_INFO_TYPE_MASK, 1591 data, data_len, key->key_mic) || 1592 os_memcmp_const(mic, key->key_mic, 16) != 0) 1593 ret = -1; 1594 os_memcpy(key->key_mic, mic, 16); 1595 return ret; 1596} 1597 1598 1599void wpa_remove_ptk(struct wpa_state_machine *sm) 1600{ 1601 sm->PTK_valid = FALSE; 1602 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1603 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1604 sm->pairwise_set = FALSE; 1605 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1606} 1607 1608 1609int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1610{ 1611 int remove_ptk = 1; 1612 1613 if (sm == NULL) 1614 return -1; 1615 1616 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1617 "event %d notification", event); 1618 1619 switch (event) { 1620 case WPA_AUTH: 1621#ifdef CONFIG_MESH 1622 /* PTKs are derived through AMPE */ 1623 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1624 /* not mesh */ 1625 break; 1626 } 1627 return 0; 1628#endif /* CONFIG_MESH */ 1629 case WPA_ASSOC: 1630 break; 1631 case WPA_DEAUTH: 1632 case WPA_DISASSOC: 1633 sm->DeauthenticationRequest = TRUE; 1634 break; 1635 case WPA_REAUTH: 1636 case WPA_REAUTH_EAPOL: 1637 if (!sm->started) { 1638 /* 1639 * When using WPS, we may end up here if the STA 1640 * manages to re-associate without the previous STA 1641 * entry getting removed. Consequently, we need to make 1642 * sure that the WPA state machines gets initialized 1643 * properly at this point. 1644 */ 1645 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1646 "started - initialize now"); 1647 sm->started = 1; 1648 sm->Init = TRUE; 1649 if (wpa_sm_step(sm) == 1) 1650 return 1; /* should not really happen */ 1651 sm->Init = FALSE; 1652 sm->AuthenticationRequest = TRUE; 1653 break; 1654 } 1655 if (sm->GUpdateStationKeys) { 1656 /* 1657 * Reauthentication cancels the pending group key 1658 * update for this STA. 1659 */ 1660 sm->group->GKeyDoneStations--; 1661 sm->GUpdateStationKeys = FALSE; 1662 sm->PtkGroupInit = TRUE; 1663 } 1664 sm->ReAuthenticationRequest = TRUE; 1665 break; 1666 case WPA_ASSOC_FT: 1667#ifdef CONFIG_IEEE80211R 1668 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1669 "after association"); 1670 wpa_ft_install_ptk(sm); 1671 1672 /* Using FT protocol, not WPA auth state machine */ 1673 sm->ft_completed = 1; 1674 return 0; 1675#else /* CONFIG_IEEE80211R */ 1676 break; 1677#endif /* CONFIG_IEEE80211R */ 1678 } 1679 1680#ifdef CONFIG_IEEE80211R 1681 sm->ft_completed = 0; 1682#endif /* CONFIG_IEEE80211R */ 1683 1684#ifdef CONFIG_IEEE80211W 1685 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1686 remove_ptk = 0; 1687#endif /* CONFIG_IEEE80211W */ 1688 1689 if (remove_ptk) { 1690 sm->PTK_valid = FALSE; 1691 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1692 1693 if (event != WPA_REAUTH_EAPOL) 1694 wpa_remove_ptk(sm); 1695 } 1696 1697 return wpa_sm_step(sm); 1698} 1699 1700 1701SM_STATE(WPA_PTK, INITIALIZE) 1702{ 1703 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1704 if (sm->Init) { 1705 /* Init flag is not cleared here, so avoid busy 1706 * loop by claiming nothing changed. */ 1707 sm->changed = FALSE; 1708 } 1709 1710 sm->keycount = 0; 1711 if (sm->GUpdateStationKeys) 1712 sm->group->GKeyDoneStations--; 1713 sm->GUpdateStationKeys = FALSE; 1714 if (sm->wpa == WPA_VERSION_WPA) 1715 sm->PInitAKeys = FALSE; 1716 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1717 * Local AA > Remote AA)) */) { 1718 sm->Pair = TRUE; 1719 } 1720 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1721 wpa_remove_ptk(sm); 1722 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1723 sm->TimeoutCtr = 0; 1724 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1725 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1726 WPA_EAPOL_authorized, 0); 1727 } 1728} 1729 1730 1731SM_STATE(WPA_PTK, DISCONNECT) 1732{ 1733 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1734 sm->Disconnect = FALSE; 1735 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1736} 1737 1738 1739SM_STATE(WPA_PTK, DISCONNECTED) 1740{ 1741 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1742 sm->DeauthenticationRequest = FALSE; 1743} 1744 1745 1746SM_STATE(WPA_PTK, AUTHENTICATION) 1747{ 1748 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1749 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1750 sm->PTK_valid = FALSE; 1751 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1752 1); 1753 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1754 sm->AuthenticationRequest = FALSE; 1755} 1756 1757 1758static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1759 struct wpa_group *group) 1760{ 1761 if (group->first_sta_seen) 1762 return; 1763 /* 1764 * System has run bit further than at the time hostapd was started 1765 * potentially very early during boot up. This provides better chances 1766 * of collecting more randomness on embedded systems. Re-initialize the 1767 * GMK and Counter here to improve their strength if there was not 1768 * enough entropy available immediately after system startup. 1769 */ 1770 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1771 "station"); 1772 if (random_pool_ready() != 1) { 1773 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1774 "to proceed - reject first 4-way handshake"); 1775 group->reject_4way_hs_for_entropy = TRUE; 1776 } else { 1777 group->first_sta_seen = TRUE; 1778 group->reject_4way_hs_for_entropy = FALSE; 1779 } 1780 1781 wpa_group_init_gmk_and_counter(wpa_auth, group); 1782 wpa_gtk_update(wpa_auth, group); 1783 wpa_group_config_group_keys(wpa_auth, group); 1784} 1785 1786 1787SM_STATE(WPA_PTK, AUTHENTICATION2) 1788{ 1789 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1790 1791 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1792 sm->ReAuthenticationRequest = FALSE; 1793 1794 /* 1795 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1796 * ambiguous. The Authenticator state machine uses a counter that is 1797 * incremented by one for each 4-way handshake. However, the security 1798 * analysis of 4-way handshake points out that unpredictable nonces 1799 * help in preventing precomputation attacks. Instead of the state 1800 * machine definition, use an unpredictable nonce value here to provide 1801 * stronger protection against potential precomputation attacks. 1802 */ 1803 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1804 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1805 "ANonce."); 1806 sm->Disconnect = TRUE; 1807 return; 1808 } 1809 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1810 WPA_NONCE_LEN); 1811 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1812 * logical place than INITIALIZE since AUTHENTICATION2 can be 1813 * re-entered on ReAuthenticationRequest without going through 1814 * INITIALIZE. */ 1815 sm->TimeoutCtr = 0; 1816} 1817 1818 1819SM_STATE(WPA_PTK, INITPMK) 1820{ 1821 u8 msk[2 * PMK_LEN]; 1822 size_t len = 2 * PMK_LEN; 1823 1824 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1825#ifdef CONFIG_IEEE80211R 1826 sm->xxkey_len = 0; 1827#endif /* CONFIG_IEEE80211R */ 1828 if (sm->pmksa) { 1829 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1830 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1831 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1832 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1833 "(len=%lu)", (unsigned long) len); 1834 os_memcpy(sm->PMK, msk, PMK_LEN); 1835#ifdef CONFIG_IEEE80211R 1836 if (len >= 2 * PMK_LEN) { 1837 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1838 sm->xxkey_len = PMK_LEN; 1839 } 1840#endif /* CONFIG_IEEE80211R */ 1841 } else { 1842 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1843 } 1844 1845 sm->req_replay_counter_used = 0; 1846 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1847 * will break reauthentication since EAPOL state machines may not be 1848 * get into AUTHENTICATING state that clears keyRun before WPA state 1849 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1850 * state and takes PMK from the previously used AAA Key. This will 1851 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1852 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1853 * be good workaround for this issue. */ 1854 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1855} 1856 1857 1858SM_STATE(WPA_PTK, INITPSK) 1859{ 1860 const u8 *psk; 1861 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1862 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1863 if (psk) { 1864 os_memcpy(sm->PMK, psk, PMK_LEN); 1865#ifdef CONFIG_IEEE80211R 1866 os_memcpy(sm->xxkey, psk, PMK_LEN); 1867 sm->xxkey_len = PMK_LEN; 1868#endif /* CONFIG_IEEE80211R */ 1869 } 1870 sm->req_replay_counter_used = 0; 1871} 1872 1873 1874SM_STATE(WPA_PTK, PTKSTART) 1875{ 1876 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1877 size_t pmkid_len = 0; 1878 1879 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1880 sm->PTKRequest = FALSE; 1881 sm->TimeoutEvt = FALSE; 1882 sm->alt_snonce_valid = FALSE; 1883 1884 sm->TimeoutCtr++; 1885 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1886 /* No point in sending the EAPOL-Key - we will disconnect 1887 * immediately following this. */ 1888 return; 1889 } 1890 1891 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1892 "sending 1/4 msg of 4-Way Handshake"); 1893 /* 1894 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1895 * one possible PSK for this STA. 1896 */ 1897 if (sm->wpa == WPA_VERSION_WPA2 && 1898 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 1899 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 1900 pmkid = buf; 1901 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1902 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1903 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1904 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1905 if (sm->pmksa) { 1906 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1907 sm->pmksa->pmkid, PMKID_LEN); 1908 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 1909 /* No KCK available to derive PMKID */ 1910 pmkid = NULL; 1911 } else { 1912 /* 1913 * Calculate PMKID since no PMKSA cache entry was 1914 * available with pre-calculated PMKID. 1915 */ 1916 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1917 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1918 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1919 } 1920 } 1921 wpa_send_eapol(sm->wpa_auth, sm, 1922 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1923 sm->ANonce, pmkid, pmkid_len, 0, 0); 1924} 1925 1926 1927static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 1928 const u8 *pmk, struct wpa_ptk *ptk) 1929{ 1930 size_t ptk_len = wpa_cipher_key_len(sm->pairwise) + 32; 1931#ifdef CONFIG_IEEE80211R 1932 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1933 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1934#endif /* CONFIG_IEEE80211R */ 1935 1936 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1937 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 1938 (u8 *) ptk, ptk_len, 1939 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1940 1941 return 0; 1942} 1943 1944 1945SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1946{ 1947 struct wpa_ptk PTK; 1948 int ok = 0; 1949 const u8 *pmk = NULL; 1950 1951 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1952 sm->EAPOLKeyReceived = FALSE; 1953 sm->update_snonce = FALSE; 1954 1955 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1956 * WPA-PSK: iterate through possible PSKs and select the one matching 1957 * the packet */ 1958 for (;;) { 1959 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1960 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 1961 sm->p2p_dev_addr, pmk); 1962 if (pmk == NULL) 1963 break; 1964 } else 1965 pmk = sm->PMK; 1966 1967 wpa_derive_ptk(sm, sm->SNonce, pmk, &PTK); 1968 1969 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, 1970 sm->last_rx_eapol_key, 1971 sm->last_rx_eapol_key_len) == 0) { 1972 ok = 1; 1973 break; 1974 } 1975 1976 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1977 break; 1978 } 1979 1980 if (!ok) { 1981 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1982 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1983 return; 1984 } 1985 1986#ifdef CONFIG_IEEE80211R 1987 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1988 /* 1989 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1990 * with the value we derived. 1991 */ 1992 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1993 WPA_PMK_NAME_LEN) != 0) { 1994 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1995 "PMKR1Name mismatch in FT 4-way " 1996 "handshake"); 1997 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1998 "Supplicant", 1999 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2000 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2001 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2002 return; 2003 } 2004 } 2005#endif /* CONFIG_IEEE80211R */ 2006 2007 sm->pending_1_of_4_timeout = 0; 2008 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2009 2010 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2011 /* PSK may have changed from the previous choice, so update 2012 * state machine data based on whatever PSK was selected here. 2013 */ 2014 os_memcpy(sm->PMK, pmk, PMK_LEN); 2015 } 2016 2017 sm->MICVerified = TRUE; 2018 2019 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2020 sm->PTK_valid = TRUE; 2021} 2022 2023 2024SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2025{ 2026 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2027 sm->TimeoutCtr = 0; 2028} 2029 2030 2031#ifdef CONFIG_IEEE80211W 2032 2033static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2034{ 2035 if (sm->mgmt_frame_prot) { 2036 size_t len; 2037 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2038 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2039 } 2040 2041 return 0; 2042} 2043 2044 2045static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2046{ 2047 struct wpa_igtk_kde igtk; 2048 struct wpa_group *gsm = sm->group; 2049 u8 rsc[WPA_KEY_RSC_LEN]; 2050 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2051 2052 if (!sm->mgmt_frame_prot) 2053 return pos; 2054 2055 igtk.keyid[0] = gsm->GN_igtk; 2056 igtk.keyid[1] = 0; 2057 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2058 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2059 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2060 else 2061 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2062 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2063 if (sm->wpa_auth->conf.disable_gtk) { 2064 /* 2065 * Provide unique random IGTK to each STA to prevent use of 2066 * IGTK in the BSS. 2067 */ 2068 if (random_get_bytes(igtk.igtk, len) < 0) 2069 return pos; 2070 } 2071 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2072 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2073 NULL, 0); 2074 2075 return pos; 2076} 2077 2078#else /* CONFIG_IEEE80211W */ 2079 2080static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2081{ 2082 return 0; 2083} 2084 2085 2086static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2087{ 2088 return pos; 2089} 2090 2091#endif /* CONFIG_IEEE80211W */ 2092 2093 2094SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2095{ 2096 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2097 size_t gtk_len, kde_len; 2098 struct wpa_group *gsm = sm->group; 2099 u8 *wpa_ie; 2100 int wpa_ie_len, secure, keyidx, encr = 0; 2101 2102 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2103 sm->TimeoutEvt = FALSE; 2104 2105 sm->TimeoutCtr++; 2106 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 2107 /* No point in sending the EAPOL-Key - we will disconnect 2108 * immediately following this. */ 2109 return; 2110 } 2111 2112 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2113 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2114 */ 2115 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2116 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2117 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2118 wpa_ie = sm->wpa_auth->wpa_ie; 2119 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2120 if (sm->wpa == WPA_VERSION_WPA && 2121 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2122 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2123 /* WPA-only STA, remove RSN IE and possible MDIE */ 2124 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2125 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2126 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2127 wpa_ie_len = wpa_ie[1] + 2; 2128 } 2129 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2130 "sending 3/4 msg of 4-Way Handshake"); 2131 if (sm->wpa == WPA_VERSION_WPA2) { 2132 /* WPA2 send GTK in the 4-way handshake */ 2133 secure = 1; 2134 gtk = gsm->GTK[gsm->GN - 1]; 2135 gtk_len = gsm->GTK_len; 2136 if (sm->wpa_auth->conf.disable_gtk) { 2137 /* 2138 * Provide unique random GTK to each STA to prevent use 2139 * of GTK in the BSS. 2140 */ 2141 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2142 return; 2143 gtk = dummy_gtk; 2144 } 2145 keyidx = gsm->GN; 2146 _rsc = rsc; 2147 encr = 1; 2148 } else { 2149 /* WPA does not include GTK in msg 3/4 */ 2150 secure = 0; 2151 gtk = NULL; 2152 gtk_len = 0; 2153 keyidx = 0; 2154 _rsc = NULL; 2155 if (sm->rx_eapol_key_secure) { 2156 /* 2157 * It looks like Windows 7 supplicant tries to use 2158 * Secure bit in msg 2/4 after having reported Michael 2159 * MIC failure and it then rejects the 4-way handshake 2160 * if msg 3/4 does not set Secure bit. Work around this 2161 * by setting the Secure bit here even in the case of 2162 * WPA if the supplicant used it first. 2163 */ 2164 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2165 "STA used Secure bit in WPA msg 2/4 - " 2166 "set Secure for 3/4 as workaround"); 2167 secure = 1; 2168 } 2169 } 2170 2171 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2172 if (gtk) 2173 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2174#ifdef CONFIG_IEEE80211R 2175 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2176 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2177 kde_len += 300; /* FTIE + 2 * TIE */ 2178 } 2179#endif /* CONFIG_IEEE80211R */ 2180#ifdef CONFIG_P2P 2181 if (WPA_GET_BE32(sm->ip_addr) > 0) 2182 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2183#endif /* CONFIG_P2P */ 2184 kde = os_malloc(kde_len); 2185 if (kde == NULL) 2186 return; 2187 2188 pos = kde; 2189 os_memcpy(pos, wpa_ie, wpa_ie_len); 2190 pos += wpa_ie_len; 2191#ifdef CONFIG_IEEE80211R 2192 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2193 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 2194 if (res < 0) { 2195 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2196 "PMKR1Name into RSN IE in EAPOL-Key data"); 2197 os_free(kde); 2198 return; 2199 } 2200 pos += res; 2201 } 2202#endif /* CONFIG_IEEE80211R */ 2203 if (gtk) { 2204 u8 hdr[2]; 2205 hdr[0] = keyidx & 0x03; 2206 hdr[1] = 0; 2207 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2208 gtk, gtk_len); 2209 } 2210 pos = ieee80211w_kde_add(sm, pos); 2211 2212#ifdef CONFIG_IEEE80211R 2213 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2214 int res; 2215 struct wpa_auth_config *conf; 2216 2217 conf = &sm->wpa_auth->conf; 2218 res = wpa_write_ftie(conf, conf->r0_key_holder, 2219 conf->r0_key_holder_len, 2220 NULL, NULL, pos, kde + kde_len - pos, 2221 NULL, 0); 2222 if (res < 0) { 2223 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2224 "into EAPOL-Key Key Data"); 2225 os_free(kde); 2226 return; 2227 } 2228 pos += res; 2229 2230 /* TIE[ReassociationDeadline] (TU) */ 2231 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2232 *pos++ = 5; 2233 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2234 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2235 pos += 4; 2236 2237 /* TIE[KeyLifetime] (seconds) */ 2238 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2239 *pos++ = 5; 2240 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2241 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2242 pos += 4; 2243 } 2244#endif /* CONFIG_IEEE80211R */ 2245#ifdef CONFIG_P2P 2246 if (WPA_GET_BE32(sm->ip_addr) > 0) { 2247 u8 addr[3 * 4]; 2248 os_memcpy(addr, sm->ip_addr, 4); 2249 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 2250 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 2251 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 2252 addr, sizeof(addr), NULL, 0); 2253 } 2254#endif /* CONFIG_P2P */ 2255 2256 wpa_send_eapol(sm->wpa_auth, sm, 2257 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2258 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2259 WPA_KEY_INFO_KEY_TYPE, 2260 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2261 os_free(kde); 2262} 2263 2264 2265SM_STATE(WPA_PTK, PTKINITDONE) 2266{ 2267 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2268 sm->EAPOLKeyReceived = FALSE; 2269 if (sm->Pair) { 2270 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2271 int klen = wpa_cipher_key_len(sm->pairwise); 2272 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2273 sm->PTK.tk1, klen)) { 2274 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2275 return; 2276 } 2277 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2278 sm->pairwise_set = TRUE; 2279 2280 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2281 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2282 eloop_register_timeout(sm->wpa_auth->conf. 2283 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2284 sm->wpa_auth, sm); 2285 } 2286 2287 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2288 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2289 WPA_EAPOL_authorized, 1); 2290 } 2291 } 2292 2293 if (0 /* IBSS == TRUE */) { 2294 sm->keycount++; 2295 if (sm->keycount == 2) { 2296 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2297 WPA_EAPOL_portValid, 1); 2298 } 2299 } else { 2300 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2301 1); 2302 } 2303 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2304 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2305 if (sm->wpa == WPA_VERSION_WPA) 2306 sm->PInitAKeys = TRUE; 2307 else 2308 sm->has_GTK = TRUE; 2309 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2310 "pairwise key handshake completed (%s)", 2311 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2312 2313#ifdef CONFIG_IEEE80211R 2314 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2315#endif /* CONFIG_IEEE80211R */ 2316} 2317 2318 2319SM_STEP(WPA_PTK) 2320{ 2321 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2322 2323 if (sm->Init) 2324 SM_ENTER(WPA_PTK, INITIALIZE); 2325 else if (sm->Disconnect 2326 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2327 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2328 "WPA_PTK: sm->Disconnect"); 2329 SM_ENTER(WPA_PTK, DISCONNECT); 2330 } 2331 else if (sm->DeauthenticationRequest) 2332 SM_ENTER(WPA_PTK, DISCONNECTED); 2333 else if (sm->AuthenticationRequest) 2334 SM_ENTER(WPA_PTK, AUTHENTICATION); 2335 else if (sm->ReAuthenticationRequest) 2336 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2337 else if (sm->PTKRequest) 2338 SM_ENTER(WPA_PTK, PTKSTART); 2339 else switch (sm->wpa_ptk_state) { 2340 case WPA_PTK_INITIALIZE: 2341 break; 2342 case WPA_PTK_DISCONNECT: 2343 SM_ENTER(WPA_PTK, DISCONNECTED); 2344 break; 2345 case WPA_PTK_DISCONNECTED: 2346 SM_ENTER(WPA_PTK, INITIALIZE); 2347 break; 2348 case WPA_PTK_AUTHENTICATION: 2349 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2350 break; 2351 case WPA_PTK_AUTHENTICATION2: 2352 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2353 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2354 WPA_EAPOL_keyRun) > 0) 2355 SM_ENTER(WPA_PTK, INITPMK); 2356 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2357 /* FIX: && 802.1X::keyRun */) 2358 SM_ENTER(WPA_PTK, INITPSK); 2359 break; 2360 case WPA_PTK_INITPMK: 2361 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2362 WPA_EAPOL_keyAvailable) > 0) 2363 SM_ENTER(WPA_PTK, PTKSTART); 2364 else { 2365 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2366 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2367 "INITPMK - keyAvailable = false"); 2368 SM_ENTER(WPA_PTK, DISCONNECT); 2369 } 2370 break; 2371 case WPA_PTK_INITPSK: 2372 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2373 NULL)) 2374 SM_ENTER(WPA_PTK, PTKSTART); 2375 else { 2376 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2377 "no PSK configured for the STA"); 2378 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2379 SM_ENTER(WPA_PTK, DISCONNECT); 2380 } 2381 break; 2382 case WPA_PTK_PTKSTART: 2383 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2384 sm->EAPOLKeyPairwise) 2385 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2386 else if (sm->TimeoutCtr > 2387 (int) dot11RSNAConfigPairwiseUpdateCount) { 2388 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2389 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2390 "PTKSTART: Retry limit %d reached", 2391 dot11RSNAConfigPairwiseUpdateCount); 2392 SM_ENTER(WPA_PTK, DISCONNECT); 2393 } else if (sm->TimeoutEvt) 2394 SM_ENTER(WPA_PTK, PTKSTART); 2395 break; 2396 case WPA_PTK_PTKCALCNEGOTIATING: 2397 if (sm->MICVerified) 2398 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2399 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2400 sm->EAPOLKeyPairwise) 2401 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2402 else if (sm->TimeoutEvt) 2403 SM_ENTER(WPA_PTK, PTKSTART); 2404 break; 2405 case WPA_PTK_PTKCALCNEGOTIATING2: 2406 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2407 break; 2408 case WPA_PTK_PTKINITNEGOTIATING: 2409 if (sm->update_snonce) 2410 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2411 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2412 sm->EAPOLKeyPairwise && sm->MICVerified) 2413 SM_ENTER(WPA_PTK, PTKINITDONE); 2414 else if (sm->TimeoutCtr > 2415 (int) dot11RSNAConfigPairwiseUpdateCount) { 2416 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2417 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2418 "PTKINITNEGOTIATING: Retry limit %d " 2419 "reached", 2420 dot11RSNAConfigPairwiseUpdateCount); 2421 SM_ENTER(WPA_PTK, DISCONNECT); 2422 } else if (sm->TimeoutEvt) 2423 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2424 break; 2425 case WPA_PTK_PTKINITDONE: 2426 break; 2427 } 2428} 2429 2430 2431SM_STATE(WPA_PTK_GROUP, IDLE) 2432{ 2433 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2434 if (sm->Init) { 2435 /* Init flag is not cleared here, so avoid busy 2436 * loop by claiming nothing changed. */ 2437 sm->changed = FALSE; 2438 } 2439 sm->GTimeoutCtr = 0; 2440} 2441 2442 2443SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2444{ 2445 u8 rsc[WPA_KEY_RSC_LEN]; 2446 struct wpa_group *gsm = sm->group; 2447 const u8 *kde; 2448 u8 *kde_buf = NULL, *pos, hdr[2]; 2449 size_t kde_len; 2450 u8 *gtk, dummy_gtk[32]; 2451 2452 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2453 2454 sm->GTimeoutCtr++; 2455 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2456 /* No point in sending the EAPOL-Key - we will disconnect 2457 * immediately following this. */ 2458 return; 2459 } 2460 2461 if (sm->wpa == WPA_VERSION_WPA) 2462 sm->PInitAKeys = FALSE; 2463 sm->TimeoutEvt = FALSE; 2464 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2465 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2466 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2467 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2468 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2469 "sending 1/2 msg of Group Key Handshake"); 2470 2471 gtk = gsm->GTK[gsm->GN - 1]; 2472 if (sm->wpa_auth->conf.disable_gtk) { 2473 /* 2474 * Provide unique random GTK to each STA to prevent use 2475 * of GTK in the BSS. 2476 */ 2477 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2478 return; 2479 gtk = dummy_gtk; 2480 } 2481 if (sm->wpa == WPA_VERSION_WPA2) { 2482 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2483 ieee80211w_kde_len(sm); 2484 kde_buf = os_malloc(kde_len); 2485 if (kde_buf == NULL) 2486 return; 2487 2488 kde = pos = kde_buf; 2489 hdr[0] = gsm->GN & 0x03; 2490 hdr[1] = 0; 2491 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2492 gtk, gsm->GTK_len); 2493 pos = ieee80211w_kde_add(sm, pos); 2494 kde_len = pos - kde; 2495 } else { 2496 kde = gtk; 2497 kde_len = gsm->GTK_len; 2498 } 2499 2500 wpa_send_eapol(sm->wpa_auth, sm, 2501 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2502 WPA_KEY_INFO_ACK | 2503 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2504 rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1); 2505 2506 os_free(kde_buf); 2507} 2508 2509 2510SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2511{ 2512 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2513 sm->EAPOLKeyReceived = FALSE; 2514 if (sm->GUpdateStationKeys) 2515 sm->group->GKeyDoneStations--; 2516 sm->GUpdateStationKeys = FALSE; 2517 sm->GTimeoutCtr = 0; 2518 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2519 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2520 "group key handshake completed (%s)", 2521 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2522 sm->has_GTK = TRUE; 2523} 2524 2525 2526SM_STATE(WPA_PTK_GROUP, KEYERROR) 2527{ 2528 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2529 if (sm->GUpdateStationKeys) 2530 sm->group->GKeyDoneStations--; 2531 sm->GUpdateStationKeys = FALSE; 2532 sm->Disconnect = TRUE; 2533} 2534 2535 2536SM_STEP(WPA_PTK_GROUP) 2537{ 2538 if (sm->Init || sm->PtkGroupInit) { 2539 SM_ENTER(WPA_PTK_GROUP, IDLE); 2540 sm->PtkGroupInit = FALSE; 2541 } else switch (sm->wpa_ptk_group_state) { 2542 case WPA_PTK_GROUP_IDLE: 2543 if (sm->GUpdateStationKeys || 2544 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2545 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2546 break; 2547 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2548 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2549 !sm->EAPOLKeyPairwise && sm->MICVerified) 2550 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2551 else if (sm->GTimeoutCtr > 2552 (int) dot11RSNAConfigGroupUpdateCount) 2553 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2554 else if (sm->TimeoutEvt) 2555 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2556 break; 2557 case WPA_PTK_GROUP_KEYERROR: 2558 SM_ENTER(WPA_PTK_GROUP, IDLE); 2559 break; 2560 case WPA_PTK_GROUP_REKEYESTABLISHED: 2561 SM_ENTER(WPA_PTK_GROUP, IDLE); 2562 break; 2563 } 2564} 2565 2566 2567static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2568 struct wpa_group *group) 2569{ 2570 int ret = 0; 2571 2572 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2573 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2574 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2575 wpa_auth->addr, group->GNonce, 2576 group->GTK[group->GN - 1], group->GTK_len) < 0) 2577 ret = -1; 2578 wpa_hexdump_key(MSG_DEBUG, "GTK", 2579 group->GTK[group->GN - 1], group->GTK_len); 2580 2581#ifdef CONFIG_IEEE80211W 2582 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2583 size_t len; 2584 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2585 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2586 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2587 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2588 wpa_auth->addr, group->GNonce, 2589 group->IGTK[group->GN_igtk - 4], len) < 0) 2590 ret = -1; 2591 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2592 group->IGTK[group->GN_igtk - 4], len); 2593 } 2594#endif /* CONFIG_IEEE80211W */ 2595 2596 return ret; 2597} 2598 2599 2600static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2601 struct wpa_group *group) 2602{ 2603 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2604 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2605 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2606 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2607 2608 /* GTK[0..N] = 0 */ 2609 os_memset(group->GTK, 0, sizeof(group->GTK)); 2610 group->GN = 1; 2611 group->GM = 2; 2612#ifdef CONFIG_IEEE80211W 2613 group->GN_igtk = 4; 2614 group->GM_igtk = 5; 2615#endif /* CONFIG_IEEE80211W */ 2616 /* GTK[GN] = CalcGTK() */ 2617 wpa_gtk_update(wpa_auth, group); 2618} 2619 2620 2621static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2622{ 2623 if (ctx != NULL && ctx != sm->group) 2624 return 0; 2625 2626 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2627 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2628 "Not in PTKINITDONE; skip Group Key update"); 2629 sm->GUpdateStationKeys = FALSE; 2630 return 0; 2631 } 2632 if (sm->GUpdateStationKeys) { 2633 /* 2634 * This should not really happen, so add a debug log entry. 2635 * Since we clear the GKeyDoneStations before the loop, the 2636 * station needs to be counted here anyway. 2637 */ 2638 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2639 "GUpdateStationKeys was already set when " 2640 "marking station for GTK rekeying"); 2641 } 2642 2643 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2644 if (sm->is_wnmsleep) 2645 return 0; 2646 2647 sm->group->GKeyDoneStations++; 2648 sm->GUpdateStationKeys = TRUE; 2649 2650 wpa_sm_step(sm); 2651 return 0; 2652} 2653 2654 2655#ifdef CONFIG_WNM 2656/* update GTK when exiting WNM-Sleep Mode */ 2657void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2658{ 2659 if (sm == NULL || sm->is_wnmsleep) 2660 return; 2661 2662 wpa_group_update_sta(sm, NULL); 2663} 2664 2665 2666void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2667{ 2668 if (sm) 2669 sm->is_wnmsleep = !!flag; 2670} 2671 2672 2673int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2674{ 2675 struct wpa_group *gsm = sm->group; 2676 u8 *start = pos; 2677 2678 /* 2679 * GTK subelement: 2680 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2681 * Key[5..32] 2682 */ 2683 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2684 *pos++ = 11 + gsm->GTK_len; 2685 /* Key ID in B0-B1 of Key Info */ 2686 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2687 pos += 2; 2688 *pos++ = gsm->GTK_len; 2689 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2690 return 0; 2691 pos += 8; 2692 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2693 pos += gsm->GTK_len; 2694 2695 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2696 gsm->GN); 2697 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2698 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2699 2700 return pos - start; 2701} 2702 2703 2704#ifdef CONFIG_IEEE80211W 2705int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2706{ 2707 struct wpa_group *gsm = sm->group; 2708 u8 *start = pos; 2709 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2710 2711 /* 2712 * IGTK subelement: 2713 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2714 */ 2715 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2716 *pos++ = 2 + 6 + len; 2717 WPA_PUT_LE16(pos, gsm->GN_igtk); 2718 pos += 2; 2719 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2720 return 0; 2721 pos += 6; 2722 2723 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 2724 pos += len; 2725 2726 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2727 gsm->GN_igtk); 2728 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2729 gsm->IGTK[gsm->GN_igtk - 4], len); 2730 2731 return pos - start; 2732} 2733#endif /* CONFIG_IEEE80211W */ 2734#endif /* CONFIG_WNM */ 2735 2736 2737static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2738 struct wpa_group *group) 2739{ 2740 int tmp; 2741 2742 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2743 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2744 group->changed = TRUE; 2745 group->wpa_group_state = WPA_GROUP_SETKEYS; 2746 group->GTKReKey = FALSE; 2747 tmp = group->GM; 2748 group->GM = group->GN; 2749 group->GN = tmp; 2750#ifdef CONFIG_IEEE80211W 2751 tmp = group->GM_igtk; 2752 group->GM_igtk = group->GN_igtk; 2753 group->GN_igtk = tmp; 2754#endif /* CONFIG_IEEE80211W */ 2755 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2756 * counting the STAs that are marked with GUpdateStationKeys instead of 2757 * including all STAs that could be in not-yet-completed state. */ 2758 wpa_gtk_update(wpa_auth, group); 2759 2760 if (group->GKeyDoneStations) { 2761 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2762 "GKeyDoneStations=%d when starting new GTK rekey", 2763 group->GKeyDoneStations); 2764 group->GKeyDoneStations = 0; 2765 } 2766 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2767 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2768 group->GKeyDoneStations); 2769} 2770 2771 2772static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2773 struct wpa_group *group) 2774{ 2775 int ret = 0; 2776 2777 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2778 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2779 broadcast_ether_addr, group->GN, 2780 group->GTK[group->GN - 1], group->GTK_len) < 0) 2781 ret = -1; 2782 2783#ifdef CONFIG_IEEE80211W 2784 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2785 enum wpa_alg alg; 2786 size_t len; 2787 2788 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 2789 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2790 2791 if (ret == 0 && 2792 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 2793 broadcast_ether_addr, group->GN_igtk, 2794 group->IGTK[group->GN_igtk - 4], len) < 0) 2795 ret = -1; 2796 } 2797#endif /* CONFIG_IEEE80211W */ 2798 2799 return ret; 2800} 2801 2802 2803static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 2804{ 2805 if (sm->group == ctx) { 2806 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 2807 " for discconnection due to fatal failure", 2808 MAC2STR(sm->addr)); 2809 sm->Disconnect = TRUE; 2810 } 2811 2812 return 0; 2813} 2814 2815 2816static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 2817 struct wpa_group *group) 2818{ 2819 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 2820 group->changed = TRUE; 2821 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 2822 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 2823} 2824 2825 2826static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2827 struct wpa_group *group) 2828{ 2829 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2830 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2831 group->changed = TRUE; 2832 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2833 2834 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 2835 wpa_group_fatal_failure(wpa_auth, group); 2836 return -1; 2837 } 2838 2839 return 0; 2840} 2841 2842 2843static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2844 struct wpa_group *group) 2845{ 2846 if (group->GInit) { 2847 wpa_group_gtk_init(wpa_auth, group); 2848 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 2849 /* Do not allow group operations */ 2850 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2851 group->GTKAuthenticator) { 2852 wpa_group_setkeysdone(wpa_auth, group); 2853 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2854 group->GTKReKey) { 2855 wpa_group_setkeys(wpa_auth, group); 2856 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2857 if (group->GKeyDoneStations == 0) 2858 wpa_group_setkeysdone(wpa_auth, group); 2859 else if (group->GTKReKey) 2860 wpa_group_setkeys(wpa_auth, group); 2861 } 2862} 2863 2864 2865static int wpa_sm_step(struct wpa_state_machine *sm) 2866{ 2867 if (sm == NULL) 2868 return 0; 2869 2870 if (sm->in_step_loop) { 2871 /* This should not happen, but if it does, make sure we do not 2872 * end up freeing the state machine too early by exiting the 2873 * recursive call. */ 2874 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2875 return 0; 2876 } 2877 2878 sm->in_step_loop = 1; 2879 do { 2880 if (sm->pending_deinit) 2881 break; 2882 2883 sm->changed = FALSE; 2884 sm->wpa_auth->group->changed = FALSE; 2885 2886 SM_STEP_RUN(WPA_PTK); 2887 if (sm->pending_deinit) 2888 break; 2889 SM_STEP_RUN(WPA_PTK_GROUP); 2890 if (sm->pending_deinit) 2891 break; 2892 wpa_group_sm_step(sm->wpa_auth, sm->group); 2893 } while (sm->changed || sm->wpa_auth->group->changed); 2894 sm->in_step_loop = 0; 2895 2896 if (sm->pending_deinit) { 2897 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2898 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2899 wpa_free_sta_sm(sm); 2900 return 1; 2901 } 2902 return 0; 2903} 2904 2905 2906static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2907{ 2908 struct wpa_state_machine *sm = eloop_ctx; 2909 wpa_sm_step(sm); 2910} 2911 2912 2913void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2914{ 2915 if (sm == NULL) 2916 return; 2917 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2918} 2919 2920 2921void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2922{ 2923 int tmp, i; 2924 struct wpa_group *group; 2925 2926 if (wpa_auth == NULL) 2927 return; 2928 2929 group = wpa_auth->group; 2930 2931 for (i = 0; i < 2; i++) { 2932 tmp = group->GM; 2933 group->GM = group->GN; 2934 group->GN = tmp; 2935#ifdef CONFIG_IEEE80211W 2936 tmp = group->GM_igtk; 2937 group->GM_igtk = group->GN_igtk; 2938 group->GN_igtk = tmp; 2939#endif /* CONFIG_IEEE80211W */ 2940 wpa_gtk_update(wpa_auth, group); 2941 wpa_group_config_group_keys(wpa_auth, group); 2942 } 2943} 2944 2945 2946static const char * wpa_bool_txt(int bool) 2947{ 2948 return bool ? "TRUE" : "FALSE"; 2949} 2950 2951 2952#define RSN_SUITE "%02x-%02x-%02x-%d" 2953#define RSN_SUITE_ARG(s) \ 2954((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2955 2956int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2957{ 2958 int len = 0, ret; 2959 char pmkid_txt[PMKID_LEN * 2 + 1]; 2960#ifdef CONFIG_RSN_PREAUTH 2961 const int preauth = 1; 2962#else /* CONFIG_RSN_PREAUTH */ 2963 const int preauth = 0; 2964#endif /* CONFIG_RSN_PREAUTH */ 2965 2966 if (wpa_auth == NULL) 2967 return len; 2968 2969 ret = os_snprintf(buf + len, buflen - len, 2970 "dot11RSNAOptionImplemented=TRUE\n" 2971 "dot11RSNAPreauthenticationImplemented=%s\n" 2972 "dot11RSNAEnabled=%s\n" 2973 "dot11RSNAPreauthenticationEnabled=%s\n", 2974 wpa_bool_txt(preauth), 2975 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2976 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2977 if (os_snprintf_error(buflen - len, ret)) 2978 return len; 2979 len += ret; 2980 2981 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2982 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2983 2984 ret = os_snprintf( 2985 buf + len, buflen - len, 2986 "dot11RSNAConfigVersion=%u\n" 2987 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2988 /* FIX: dot11RSNAConfigGroupCipher */ 2989 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2990 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2991 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2992 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2993 "dot11RSNAConfigGroupUpdateCount=%u\n" 2994 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2995 "dot11RSNAConfigGroupCipherSize=%u\n" 2996 "dot11RSNAConfigPMKLifetime=%u\n" 2997 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2998 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2999 "dot11RSNAConfigSATimeout=%u\n" 3000 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3001 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3002 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3003 "dot11RSNAPMKIDUsed=%s\n" 3004 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3005 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3006 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3007 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3008 "dot11RSNA4WayHandshakeFailures=%u\n" 3009 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3010 RSN_VERSION, 3011 !!wpa_auth->conf.wpa_strict_rekey, 3012 dot11RSNAConfigGroupUpdateCount, 3013 dot11RSNAConfigPairwiseUpdateCount, 3014 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3015 dot11RSNAConfigPMKLifetime, 3016 dot11RSNAConfigPMKReauthThreshold, 3017 dot11RSNAConfigSATimeout, 3018 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3019 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3020 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3021 pmkid_txt, 3022 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3023 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3024 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3025 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3026 wpa_auth->dot11RSNA4WayHandshakeFailures); 3027 if (os_snprintf_error(buflen - len, ret)) 3028 return len; 3029 len += ret; 3030 3031 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3032 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3033 3034 /* Private MIB */ 3035 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3036 wpa_auth->group->wpa_group_state); 3037 if (os_snprintf_error(buflen - len, ret)) 3038 return len; 3039 len += ret; 3040 3041 return len; 3042} 3043 3044 3045int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3046{ 3047 int len = 0, ret; 3048 u32 pairwise = 0; 3049 3050 if (sm == NULL) 3051 return 0; 3052 3053 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3054 3055 /* dot11RSNAStatsEntry */ 3056 3057 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3058 WPA_PROTO_RSN : WPA_PROTO_WPA, 3059 sm->pairwise); 3060 if (pairwise == 0) 3061 return 0; 3062 3063 ret = os_snprintf( 3064 buf + len, buflen - len, 3065 /* TODO: dot11RSNAStatsIndex */ 3066 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3067 "dot11RSNAStatsVersion=1\n" 3068 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3069 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3070 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3071 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3072 /* TODO: dot11RSNAStatsCCMPReplays */ 3073 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3074 /* TODO: dot11RSNAStatsTKIPReplays */, 3075 MAC2STR(sm->addr), 3076 RSN_SUITE_ARG(pairwise), 3077 sm->dot11RSNAStatsTKIPLocalMICFailures, 3078 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3079 if (os_snprintf_error(buflen - len, ret)) 3080 return len; 3081 len += ret; 3082 3083 /* Private MIB */ 3084 ret = os_snprintf(buf + len, buflen - len, 3085 "hostapdWPAPTKState=%d\n" 3086 "hostapdWPAPTKGroupState=%d\n", 3087 sm->wpa_ptk_state, 3088 sm->wpa_ptk_group_state); 3089 if (os_snprintf_error(buflen - len, ret)) 3090 return len; 3091 len += ret; 3092 3093 return len; 3094} 3095 3096 3097void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3098{ 3099 if (wpa_auth) 3100 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3101} 3102 3103 3104int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3105{ 3106 return sm && sm->pairwise_set; 3107} 3108 3109 3110int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3111{ 3112 return sm->pairwise; 3113} 3114 3115 3116int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3117{ 3118 if (sm == NULL) 3119 return -1; 3120 return sm->wpa_key_mgmt; 3121} 3122 3123 3124int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3125{ 3126 if (sm == NULL) 3127 return 0; 3128 return sm->wpa; 3129} 3130 3131 3132int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3133 struct rsn_pmksa_cache_entry *entry) 3134{ 3135 if (sm == NULL || sm->pmksa != entry) 3136 return -1; 3137 sm->pmksa = NULL; 3138 return 0; 3139} 3140 3141 3142struct rsn_pmksa_cache_entry * 3143wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3144{ 3145 return sm ? sm->pmksa : NULL; 3146} 3147 3148 3149void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3150{ 3151 if (sm) 3152 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3153} 3154 3155 3156const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3157{ 3158 if (wpa_auth == NULL) 3159 return NULL; 3160 *len = wpa_auth->wpa_ie_len; 3161 return wpa_auth->wpa_ie; 3162} 3163 3164 3165int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3166 int session_timeout, struct eapol_state_machine *eapol) 3167{ 3168 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3169 sm->wpa_auth->conf.disable_pmksa_caching) 3170 return -1; 3171 3172 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 3173 sm->PTK.kck, sizeof(sm->PTK.kck), 3174 sm->wpa_auth->addr, sm->addr, session_timeout, 3175 eapol, sm->wpa_key_mgmt)) 3176 return 0; 3177 3178 return -1; 3179} 3180 3181 3182int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 3183 const u8 *pmk, size_t len, const u8 *sta_addr, 3184 int session_timeout, 3185 struct eapol_state_machine *eapol) 3186{ 3187 if (wpa_auth == NULL) 3188 return -1; 3189 3190 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, 3191 NULL, 0, 3192 wpa_auth->addr, 3193 sta_addr, session_timeout, eapol, 3194 WPA_KEY_MGMT_IEEE8021X)) 3195 return 0; 3196 3197 return -1; 3198} 3199 3200 3201int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 3202 const u8 *pmk) 3203{ 3204 if (wpa_auth->conf.disable_pmksa_caching) 3205 return -1; 3206 3207 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, 3208 NULL, 0, 3209 wpa_auth->addr, addr, 0, NULL, 3210 WPA_KEY_MGMT_SAE)) 3211 return 0; 3212 3213 return -1; 3214} 3215 3216 3217void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 3218 const u8 *sta_addr) 3219{ 3220 struct rsn_pmksa_cache_entry *pmksa; 3221 3222 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 3223 return; 3224 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3225 if (pmksa) { 3226 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 3227 MACSTR " based on request", MAC2STR(sta_addr)); 3228 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 3229 } 3230} 3231 3232 3233static struct wpa_group * 3234wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3235{ 3236 struct wpa_group *group; 3237 3238 if (wpa_auth == NULL || wpa_auth->group == NULL) 3239 return NULL; 3240 3241 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 3242 vlan_id); 3243 group = wpa_group_init(wpa_auth, vlan_id, 0); 3244 if (group == NULL) 3245 return NULL; 3246 3247 group->next = wpa_auth->group->next; 3248 wpa_auth->group->next = group; 3249 3250 return group; 3251} 3252 3253 3254int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 3255{ 3256 struct wpa_group *group; 3257 3258 if (sm == NULL || sm->wpa_auth == NULL) 3259 return 0; 3260 3261 group = sm->wpa_auth->group; 3262 while (group) { 3263 if (group->vlan_id == vlan_id) 3264 break; 3265 group = group->next; 3266 } 3267 3268 if (group == NULL) { 3269 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3270 if (group == NULL) 3271 return -1; 3272 } 3273 3274 if (sm->group == group) 3275 return 0; 3276 3277 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3278 return -1; 3279 3280 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3281 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3282 3283 sm->group = group; 3284 return 0; 3285} 3286 3287 3288void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3289 struct wpa_state_machine *sm, int ack) 3290{ 3291 if (wpa_auth == NULL || sm == NULL) 3292 return; 3293 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3294 " ack=%d", MAC2STR(sm->addr), ack); 3295 if (sm->pending_1_of_4_timeout && ack) { 3296 /* 3297 * Some deployed supplicant implementations update their SNonce 3298 * for each EAPOL-Key 2/4 message even within the same 4-way 3299 * handshake and then fail to use the first SNonce when 3300 * deriving the PTK. This results in unsuccessful 4-way 3301 * handshake whenever the relatively short initial timeout is 3302 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3303 * around this by increasing the timeout now that we know that 3304 * the station has received the frame. 3305 */ 3306 int timeout_ms = eapol_key_timeout_subseq; 3307 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3308 "timeout by %u ms because of acknowledged frame", 3309 timeout_ms); 3310 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3311 eloop_register_timeout(timeout_ms / 1000, 3312 (timeout_ms % 1000) * 1000, 3313 wpa_send_eapol_timeout, wpa_auth, sm); 3314 } 3315} 3316 3317 3318int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3319{ 3320 if (sm == NULL) 3321 return 0; 3322 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3323} 3324 3325 3326int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 3327{ 3328 if (sm == NULL) 3329 return 0; 3330 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 3331} 3332 3333 3334#ifdef CONFIG_P2P 3335int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 3336{ 3337 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 3338 return -1; 3339 os_memcpy(addr, sm->ip_addr, 4); 3340 return 0; 3341} 3342#endif /* CONFIG_P2P */ 3343 3344 3345int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 3346 struct radius_das_attrs *attr) 3347{ 3348 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 3349} 3350