1 /* 2 * hostapd - WPA/RSN IE and KDE definitions 3 * Copyright (c) 2004-2008, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "utils/includes.h" 16 17 #include "utils/common.h" 18 #include "common/ieee802_11_defs.h" 19 #include "eapol_auth/eapol_auth_sm.h" 20 #include "ap_config.h" 21 #include "ieee802_11.h" 22 #include "wpa_auth.h" 23 #include "pmksa_cache_auth.h" 24 #include "wpa_auth_ie.h" 25 #include "wpa_auth_i.h" 26 27 28 #ifdef CONFIG_RSN_TESTING 29 int rsn_testing = 0; 30 #endif /* CONFIG_RSN_TESTING */ 31 32 33 static int wpa_write_wpa_ie(struct wpa_auth_config *conf, u8 *buf, size_t len) 34 { 35 struct wpa_ie_hdr *hdr; 36 int num_suites; 37 u8 *pos, *count; 38 39 hdr = (struct wpa_ie_hdr *) buf; 40 hdr->elem_id = WLAN_EID_VENDOR_SPECIFIC; 41 RSN_SELECTOR_PUT(hdr->oui, WPA_OUI_TYPE); 42 WPA_PUT_LE16(hdr->version, WPA_VERSION); 43 pos = (u8 *) (hdr + 1); 44 45 if (conf->wpa_group == WPA_CIPHER_CCMP) { 46 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 47 } else if (conf->wpa_group == WPA_CIPHER_TKIP) { 48 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 49 } else if (conf->wpa_group == WPA_CIPHER_WEP104) { 50 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_WEP104); 51 } else if (conf->wpa_group == WPA_CIPHER_WEP40) { 52 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_WEP40); 53 } else { 54 wpa_printf(MSG_DEBUG, "Invalid group cipher (%d).", 55 conf->wpa_group); 56 return -1; 57 } 58 pos += WPA_SELECTOR_LEN; 59 60 num_suites = 0; 61 count = pos; 62 pos += 2; 63 64 if (conf->wpa_pairwise & WPA_CIPHER_CCMP) { 65 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP); 66 pos += WPA_SELECTOR_LEN; 67 num_suites++; 68 } 69 if (conf->wpa_pairwise & WPA_CIPHER_TKIP) { 70 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP); 71 pos += WPA_SELECTOR_LEN; 72 num_suites++; 73 } 74 if (conf->wpa_pairwise & WPA_CIPHER_NONE) { 75 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE); 76 pos += WPA_SELECTOR_LEN; 77 num_suites++; 78 } 79 80 if (num_suites == 0) { 81 wpa_printf(MSG_DEBUG, "Invalid pairwise cipher (%d).", 82 conf->wpa_pairwise); 83 return -1; 84 } 85 WPA_PUT_LE16(count, num_suites); 86 87 num_suites = 0; 88 count = pos; 89 pos += 2; 90 91 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X) { 92 RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X); 93 pos += WPA_SELECTOR_LEN; 94 num_suites++; 95 } 96 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK) { 97 RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X); 98 pos += WPA_SELECTOR_LEN; 99 num_suites++; 100 } 101 102 if (num_suites == 0) { 103 wpa_printf(MSG_DEBUG, "Invalid key management type (%d).", 104 conf->wpa_key_mgmt); 105 return -1; 106 } 107 WPA_PUT_LE16(count, num_suites); 108 109 /* WPA Capabilities; use defaults, so no need to include it */ 110 111 hdr->len = (pos - buf) - 2; 112 113 return pos - buf; 114 } 115 116 117 int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len, 118 const u8 *pmkid) 119 { 120 struct rsn_ie_hdr *hdr; 121 int num_suites; 122 u8 *pos, *count; 123 u16 capab; 124 125 hdr = (struct rsn_ie_hdr *) buf; 126 hdr->elem_id = WLAN_EID_RSN; 127 WPA_PUT_LE16(hdr->version, RSN_VERSION); 128 pos = (u8 *) (hdr + 1); 129 130 if (conf->wpa_group == WPA_CIPHER_CCMP) { 131 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 132 } else if (conf->wpa_group == WPA_CIPHER_TKIP) { 133 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 134 } else if (conf->wpa_group == WPA_CIPHER_WEP104) { 135 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_WEP104); 136 } else if (conf->wpa_group == WPA_CIPHER_WEP40) { 137 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_WEP40); 138 } else { 139 wpa_printf(MSG_DEBUG, "Invalid group cipher (%d).", 140 conf->wpa_group); 141 return -1; 142 } 143 pos += RSN_SELECTOR_LEN; 144 145 num_suites = 0; 146 count = pos; 147 pos += 2; 148 149 #ifdef CONFIG_RSN_TESTING 150 if (rsn_testing) { 151 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 1)); 152 pos += RSN_SELECTOR_LEN; 153 num_suites++; 154 } 155 #endif /* CONFIG_RSN_TESTING */ 156 157 if (conf->rsn_pairwise & WPA_CIPHER_CCMP) { 158 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 159 pos += RSN_SELECTOR_LEN; 160 num_suites++; 161 } 162 if (conf->rsn_pairwise & WPA_CIPHER_TKIP) { 163 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 164 pos += RSN_SELECTOR_LEN; 165 num_suites++; 166 } 167 if (conf->rsn_pairwise & WPA_CIPHER_NONE) { 168 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE); 169 pos += RSN_SELECTOR_LEN; 170 num_suites++; 171 } 172 173 #ifdef CONFIG_RSN_TESTING 174 if (rsn_testing) { 175 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 2)); 176 pos += RSN_SELECTOR_LEN; 177 num_suites++; 178 } 179 #endif /* CONFIG_RSN_TESTING */ 180 181 if (num_suites == 0) { 182 wpa_printf(MSG_DEBUG, "Invalid pairwise cipher (%d).", 183 conf->rsn_pairwise); 184 return -1; 185 } 186 WPA_PUT_LE16(count, num_suites); 187 188 num_suites = 0; 189 count = pos; 190 pos += 2; 191 192 #ifdef CONFIG_RSN_TESTING 193 if (rsn_testing) { 194 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 1)); 195 pos += RSN_SELECTOR_LEN; 196 num_suites++; 197 } 198 #endif /* CONFIG_RSN_TESTING */ 199 200 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X) { 201 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X); 202 pos += RSN_SELECTOR_LEN; 203 num_suites++; 204 } 205 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK) { 206 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X); 207 pos += RSN_SELECTOR_LEN; 208 num_suites++; 209 } 210 #ifdef CONFIG_IEEE80211R 211 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) { 212 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X); 213 pos += RSN_SELECTOR_LEN; 214 num_suites++; 215 } 216 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_PSK) { 217 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK); 218 pos += RSN_SELECTOR_LEN; 219 num_suites++; 220 } 221 #endif /* CONFIG_IEEE80211R */ 222 #ifdef CONFIG_IEEE80211W 223 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { 224 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256); 225 pos += RSN_SELECTOR_LEN; 226 num_suites++; 227 } 228 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK_SHA256) { 229 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_SHA256); 230 pos += RSN_SELECTOR_LEN; 231 num_suites++; 232 } 233 #endif /* CONFIG_IEEE80211W */ 234 235 #ifdef CONFIG_RSN_TESTING 236 if (rsn_testing) { 237 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 2)); 238 pos += RSN_SELECTOR_LEN; 239 num_suites++; 240 } 241 #endif /* CONFIG_RSN_TESTING */ 242 243 if (num_suites == 0) { 244 wpa_printf(MSG_DEBUG, "Invalid key management type (%d).", 245 conf->wpa_key_mgmt); 246 return -1; 247 } 248 WPA_PUT_LE16(count, num_suites); 249 250 /* RSN Capabilities */ 251 capab = 0; 252 if (conf->rsn_preauth) 253 capab |= WPA_CAPABILITY_PREAUTH; 254 if (conf->peerkey) 255 capab |= WPA_CAPABILITY_PEERKEY_ENABLED; 256 #ifdef ANDROID_BRCM_P2P_PATCH 257 /* WAR: we should make an get_wpa_rsnie_cap() to get the cap of peer supp 258 * Temporally we force tp set replay counter tp 0x3 259 * as if wmm is enable in all of supp device 260 */ 261 capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); 262 #else 263 if (conf->wmm_enabled) { 264 /* 4 PTKSA replay counters when using WMM */ 265 capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); 266 } 267 #endif /* ANDROID_BRCM_P2P_PATCH */ 268 269 #ifdef CONFIG_IEEE80211W 270 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 271 capab |= WPA_CAPABILITY_MFPC; 272 if (conf->ieee80211w == MGMT_FRAME_PROTECTION_REQUIRED) 273 capab |= WPA_CAPABILITY_MFPR; 274 } 275 #endif /* CONFIG_IEEE80211W */ 276 #ifdef CONFIG_RSN_TESTING 277 if (rsn_testing) 278 capab |= BIT(8) | BIT(14) | BIT(15); 279 #endif /* CONFIG_RSN_TESTING */ 280 WPA_PUT_LE16(pos, capab); 281 pos += 2; 282 283 if (pmkid) { 284 if (pos + 2 + PMKID_LEN > buf + len) 285 return -1; 286 /* PMKID Count */ 287 WPA_PUT_LE16(pos, 1); 288 pos += 2; 289 os_memcpy(pos, pmkid, PMKID_LEN); 290 pos += PMKID_LEN; 291 } 292 293 #ifdef CONFIG_IEEE80211W 294 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 295 if (pos + 2 + 4 > buf + len) 296 return -1; 297 if (pmkid == NULL) { 298 /* PMKID Count */ 299 WPA_PUT_LE16(pos, 0); 300 pos += 2; 301 } 302 303 /* Management Group Cipher Suite */ 304 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC); 305 pos += RSN_SELECTOR_LEN; 306 } 307 #endif /* CONFIG_IEEE80211W */ 308 309 #ifdef CONFIG_RSN_TESTING 310 if (rsn_testing) { 311 /* 312 * Fill in any defined fields and add extra data to the end of 313 * the element. 314 */ 315 int pmkid_count_set = pmkid != NULL; 316 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) 317 pmkid_count_set = 1; 318 /* PMKID Count */ 319 WPA_PUT_LE16(pos, 0); 320 pos += 2; 321 if (conf->ieee80211w == NO_MGMT_FRAME_PROTECTION) { 322 /* Management Group Cipher Suite */ 323 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC); 324 pos += RSN_SELECTOR_LEN; 325 } 326 327 os_memset(pos, 0x12, 17); 328 pos += 17; 329 } 330 #endif /* CONFIG_RSN_TESTING */ 331 332 hdr->len = (pos - buf) - 2; 333 334 return pos - buf; 335 } 336 337 338 int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth) 339 { 340 u8 *pos, buf[128]; 341 int res; 342 343 pos = buf; 344 345 if (wpa_auth->conf.wpa & WPA_PROTO_RSN) { 346 res = wpa_write_rsn_ie(&wpa_auth->conf, 347 pos, buf + sizeof(buf) - pos, NULL); 348 if (res < 0) 349 return res; 350 pos += res; 351 } 352 #ifdef CONFIG_IEEE80211R 353 if (wpa_auth->conf.wpa_key_mgmt & 354 (WPA_KEY_MGMT_FT_IEEE8021X | WPA_KEY_MGMT_FT_PSK)) { 355 res = wpa_write_mdie(&wpa_auth->conf, pos, 356 buf + sizeof(buf) - pos); 357 if (res < 0) 358 return res; 359 pos += res; 360 } 361 #endif /* CONFIG_IEEE80211R */ 362 if (wpa_auth->conf.wpa & WPA_PROTO_WPA) { 363 res = wpa_write_wpa_ie(&wpa_auth->conf, 364 pos, buf + sizeof(buf) - pos); 365 if (res < 0) 366 return res; 367 pos += res; 368 } 369 370 os_free(wpa_auth->wpa_ie); 371 wpa_auth->wpa_ie = os_malloc(pos - buf); 372 if (wpa_auth->wpa_ie == NULL) 373 return -1; 374 os_memcpy(wpa_auth->wpa_ie, buf, pos - buf); 375 wpa_auth->wpa_ie_len = pos - buf; 376 377 return 0; 378 } 379 380 381 u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len, 382 const u8 *data2, size_t data2_len) 383 { 384 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 385 *pos++ = RSN_SELECTOR_LEN + data_len + data2_len; 386 RSN_SELECTOR_PUT(pos, kde); 387 pos += RSN_SELECTOR_LEN; 388 os_memcpy(pos, data, data_len); 389 pos += data_len; 390 if (data2) { 391 os_memcpy(pos, data2, data2_len); 392 pos += data2_len; 393 } 394 return pos; 395 } 396 397 398 struct wpa_auth_okc_iter_data { 399 struct rsn_pmksa_cache_entry *pmksa; 400 const u8 *aa; 401 const u8 *spa; 402 const u8 *pmkid; 403 }; 404 405 406 static int wpa_auth_okc_iter(struct wpa_authenticator *a, void *ctx) 407 { 408 struct wpa_auth_okc_iter_data *data = ctx; 409 data->pmksa = pmksa_cache_get_okc(a->pmksa, data->aa, data->spa, 410 data->pmkid); 411 if (data->pmksa) 412 return 1; 413 return 0; 414 } 415 416 417 int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, 418 struct wpa_state_machine *sm, 419 const u8 *wpa_ie, size_t wpa_ie_len, 420 const u8 *mdie, size_t mdie_len) 421 { 422 struct wpa_ie_data data; 423 int ciphers, key_mgmt, res, version; 424 u32 selector; 425 size_t i; 426 const u8 *pmkid = NULL; 427 428 if (wpa_auth == NULL || sm == NULL) 429 return WPA_NOT_ENABLED; 430 431 if (wpa_ie == NULL || wpa_ie_len < 1) 432 return WPA_INVALID_IE; 433 434 if (wpa_ie[0] == WLAN_EID_RSN) 435 version = WPA_PROTO_RSN; 436 else 437 version = WPA_PROTO_WPA; 438 439 if (!(wpa_auth->conf.wpa & version)) { 440 wpa_printf(MSG_DEBUG, "Invalid WPA proto (%d) from " MACSTR, 441 version, MAC2STR(sm->addr)); 442 return WPA_INVALID_PROTO; 443 } 444 445 if (version == WPA_PROTO_RSN) { 446 res = wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, &data); 447 448 selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; 449 if (0) { 450 } 451 #ifdef CONFIG_IEEE80211R 452 else if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) 453 selector = RSN_AUTH_KEY_MGMT_FT_802_1X; 454 else if (data.key_mgmt & WPA_KEY_MGMT_FT_PSK) 455 selector = RSN_AUTH_KEY_MGMT_FT_PSK; 456 #endif /* CONFIG_IEEE80211R */ 457 #ifdef CONFIG_IEEE80211W 458 else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) 459 selector = RSN_AUTH_KEY_MGMT_802_1X_SHA256; 460 else if (data.key_mgmt & WPA_KEY_MGMT_PSK_SHA256) 461 selector = RSN_AUTH_KEY_MGMT_PSK_SHA256; 462 #endif /* CONFIG_IEEE80211W */ 463 else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X) 464 selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; 465 else if (data.key_mgmt & WPA_KEY_MGMT_PSK) 466 selector = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; 467 wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector; 468 469 selector = RSN_CIPHER_SUITE_CCMP; 470 if (data.pairwise_cipher & WPA_CIPHER_CCMP) 471 selector = RSN_CIPHER_SUITE_CCMP; 472 else if (data.pairwise_cipher & WPA_CIPHER_TKIP) 473 selector = RSN_CIPHER_SUITE_TKIP; 474 else if (data.pairwise_cipher & WPA_CIPHER_WEP104) 475 selector = RSN_CIPHER_SUITE_WEP104; 476 else if (data.pairwise_cipher & WPA_CIPHER_WEP40) 477 selector = RSN_CIPHER_SUITE_WEP40; 478 else if (data.pairwise_cipher & WPA_CIPHER_NONE) 479 selector = RSN_CIPHER_SUITE_NONE; 480 wpa_auth->dot11RSNAPairwiseCipherSelected = selector; 481 482 selector = RSN_CIPHER_SUITE_CCMP; 483 if (data.group_cipher & WPA_CIPHER_CCMP) 484 selector = RSN_CIPHER_SUITE_CCMP; 485 else if (data.group_cipher & WPA_CIPHER_TKIP) 486 selector = RSN_CIPHER_SUITE_TKIP; 487 else if (data.group_cipher & WPA_CIPHER_WEP104) 488 selector = RSN_CIPHER_SUITE_WEP104; 489 else if (data.group_cipher & WPA_CIPHER_WEP40) 490 selector = RSN_CIPHER_SUITE_WEP40; 491 else if (data.group_cipher & WPA_CIPHER_NONE) 492 selector = RSN_CIPHER_SUITE_NONE; 493 wpa_auth->dot11RSNAGroupCipherSelected = selector; 494 } else { 495 res = wpa_parse_wpa_ie_wpa(wpa_ie, wpa_ie_len, &data); 496 497 selector = WPA_AUTH_KEY_MGMT_UNSPEC_802_1X; 498 if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X) 499 selector = WPA_AUTH_KEY_MGMT_UNSPEC_802_1X; 500 else if (data.key_mgmt & WPA_KEY_MGMT_PSK) 501 selector = WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X; 502 wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector; 503 504 selector = WPA_CIPHER_SUITE_TKIP; 505 if (data.pairwise_cipher & WPA_CIPHER_CCMP) 506 selector = WPA_CIPHER_SUITE_CCMP; 507 else if (data.pairwise_cipher & WPA_CIPHER_TKIP) 508 selector = WPA_CIPHER_SUITE_TKIP; 509 else if (data.pairwise_cipher & WPA_CIPHER_WEP104) 510 selector = WPA_CIPHER_SUITE_WEP104; 511 else if (data.pairwise_cipher & WPA_CIPHER_WEP40) 512 selector = WPA_CIPHER_SUITE_WEP40; 513 else if (data.pairwise_cipher & WPA_CIPHER_NONE) 514 selector = WPA_CIPHER_SUITE_NONE; 515 wpa_auth->dot11RSNAPairwiseCipherSelected = selector; 516 517 selector = WPA_CIPHER_SUITE_TKIP; 518 if (data.group_cipher & WPA_CIPHER_CCMP) 519 selector = WPA_CIPHER_SUITE_CCMP; 520 else if (data.group_cipher & WPA_CIPHER_TKIP) 521 selector = WPA_CIPHER_SUITE_TKIP; 522 else if (data.group_cipher & WPA_CIPHER_WEP104) 523 selector = WPA_CIPHER_SUITE_WEP104; 524 else if (data.group_cipher & WPA_CIPHER_WEP40) 525 selector = WPA_CIPHER_SUITE_WEP40; 526 else if (data.group_cipher & WPA_CIPHER_NONE) 527 selector = WPA_CIPHER_SUITE_NONE; 528 wpa_auth->dot11RSNAGroupCipherSelected = selector; 529 } 530 if (res) { 531 wpa_printf(MSG_DEBUG, "Failed to parse WPA/RSN IE from " 532 MACSTR " (res=%d)", MAC2STR(sm->addr), res); 533 wpa_hexdump(MSG_DEBUG, "WPA/RSN IE", wpa_ie, wpa_ie_len); 534 return WPA_INVALID_IE; 535 } 536 537 if (data.group_cipher != wpa_auth->conf.wpa_group) { 538 wpa_printf(MSG_DEBUG, "Invalid WPA group cipher (0x%x) from " 539 MACSTR, data.group_cipher, MAC2STR(sm->addr)); 540 return WPA_INVALID_GROUP; 541 } 542 543 key_mgmt = data.key_mgmt & wpa_auth->conf.wpa_key_mgmt; 544 if (!key_mgmt) { 545 wpa_printf(MSG_DEBUG, "Invalid WPA key mgmt (0x%x) from " 546 MACSTR, data.key_mgmt, MAC2STR(sm->addr)); 547 return WPA_INVALID_AKMP; 548 } 549 if (0) { 550 } 551 #ifdef CONFIG_IEEE80211R 552 else if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) 553 sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X; 554 else if (key_mgmt & WPA_KEY_MGMT_FT_PSK) 555 sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK; 556 #endif /* CONFIG_IEEE80211R */ 557 #ifdef CONFIG_IEEE80211W 558 else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) 559 sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256; 560 else if (key_mgmt & WPA_KEY_MGMT_PSK_SHA256) 561 sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK_SHA256; 562 #endif /* CONFIG_IEEE80211W */ 563 else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X) 564 sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X; 565 else 566 sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK; 567 568 if (version == WPA_PROTO_RSN) 569 ciphers = data.pairwise_cipher & wpa_auth->conf.rsn_pairwise; 570 else 571 ciphers = data.pairwise_cipher & wpa_auth->conf.wpa_pairwise; 572 if (!ciphers) { 573 wpa_printf(MSG_DEBUG, "Invalid %s pairwise cipher (0x%x) " 574 "from " MACSTR, 575 version == WPA_PROTO_RSN ? "RSN" : "WPA", 576 data.pairwise_cipher, MAC2STR(sm->addr)); 577 return WPA_INVALID_PAIRWISE; 578 } 579 580 #ifdef CONFIG_IEEE80211W 581 if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_REQUIRED) { 582 if (!(data.capabilities & WPA_CAPABILITY_MFPC)) { 583 wpa_printf(MSG_DEBUG, "Management frame protection " 584 "required, but client did not enable it"); 585 return WPA_MGMT_FRAME_PROTECTION_VIOLATION; 586 } 587 588 if (ciphers & WPA_CIPHER_TKIP) { 589 wpa_printf(MSG_DEBUG, "Management frame protection " 590 "cannot use TKIP"); 591 return WPA_MGMT_FRAME_PROTECTION_VIOLATION; 592 } 593 594 if (data.mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC) { 595 wpa_printf(MSG_DEBUG, "Unsupported management group " 596 "cipher %d", data.mgmt_group_cipher); 597 return WPA_INVALID_MGMT_GROUP_CIPHER; 598 } 599 } 600 601 if (wpa_auth->conf.ieee80211w == NO_MGMT_FRAME_PROTECTION || 602 !(data.capabilities & WPA_CAPABILITY_MFPC)) 603 sm->mgmt_frame_prot = 0; 604 else 605 sm->mgmt_frame_prot = 1; 606 #endif /* CONFIG_IEEE80211W */ 607 608 #ifdef CONFIG_IEEE80211R 609 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 610 if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) { 611 wpa_printf(MSG_DEBUG, "RSN: Trying to use FT, but " 612 "MDIE not included"); 613 return WPA_INVALID_MDIE; 614 } 615 if (os_memcmp(mdie, wpa_auth->conf.mobility_domain, 616 MOBILITY_DOMAIN_ID_LEN) != 0) { 617 wpa_hexdump(MSG_DEBUG, "RSN: Attempted to use unknown " 618 "MDIE", mdie, MOBILITY_DOMAIN_ID_LEN); 619 return WPA_INVALID_MDIE; 620 } 621 } 622 #endif /* CONFIG_IEEE80211R */ 623 624 if (ciphers & WPA_CIPHER_CCMP) 625 sm->pairwise = WPA_CIPHER_CCMP; 626 else 627 sm->pairwise = WPA_CIPHER_TKIP; 628 629 /* TODO: clear WPA/WPA2 state if STA changes from one to another */ 630 if (wpa_ie[0] == WLAN_EID_RSN) 631 sm->wpa = WPA_VERSION_WPA2; 632 else 633 sm->wpa = WPA_VERSION_WPA; 634 635 sm->pmksa = NULL; 636 for (i = 0; i < data.num_pmkid; i++) { 637 wpa_hexdump(MSG_DEBUG, "RSN IE: STA PMKID", 638 &data.pmkid[i * PMKID_LEN], PMKID_LEN); 639 sm->pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sm->addr, 640 &data.pmkid[i * PMKID_LEN]); 641 if (sm->pmksa) { 642 pmkid = sm->pmksa->pmkid; 643 break; 644 } 645 } 646 for (i = 0; sm->pmksa == NULL && wpa_auth->conf.okc && 647 i < data.num_pmkid; i++) { 648 struct wpa_auth_okc_iter_data idata; 649 idata.pmksa = NULL; 650 idata.aa = wpa_auth->addr; 651 idata.spa = sm->addr; 652 idata.pmkid = &data.pmkid[i * PMKID_LEN]; 653 wpa_auth_for_each_auth(wpa_auth, wpa_auth_okc_iter, &idata); 654 if (idata.pmksa) { 655 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 656 "OKC match for PMKID"); 657 sm->pmksa = pmksa_cache_add_okc(wpa_auth->pmksa, 658 idata.pmksa, 659 wpa_auth->addr, 660 idata.pmkid); 661 pmkid = idata.pmkid; 662 break; 663 } 664 } 665 if (sm->pmksa) { 666 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 667 "PMKID found from PMKSA cache " 668 "eap_type=%d vlan_id=%d", 669 sm->pmksa->eap_type_authsrv, 670 sm->pmksa->vlan_id); 671 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmkid, PMKID_LEN); 672 } 673 674 if (sm->wpa_ie == NULL || sm->wpa_ie_len < wpa_ie_len) { 675 os_free(sm->wpa_ie); 676 sm->wpa_ie = os_malloc(wpa_ie_len); 677 if (sm->wpa_ie == NULL) 678 return WPA_ALLOC_FAIL; 679 } 680 os_memcpy(sm->wpa_ie, wpa_ie, wpa_ie_len); 681 sm->wpa_ie_len = wpa_ie_len; 682 683 return WPA_IE_OK; 684 } 685 686 687 /** 688 * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs 689 * @pos: Pointer to the IE header 690 * @end: Pointer to the end of the Key Data buffer 691 * @ie: Pointer to parsed IE data 692 * Returns: 0 on success, 1 if end mark is found, -1 on failure 693 */ 694 static int wpa_parse_generic(const u8 *pos, const u8 *end, 695 struct wpa_eapol_ie_parse *ie) 696 { 697 if (pos[1] == 0) 698 return 1; 699 700 if (pos[1] >= 6 && 701 RSN_SELECTOR_GET(pos + 2) == WPA_OUI_TYPE && 702 pos[2 + WPA_SELECTOR_LEN] == 1 && 703 pos[2 + WPA_SELECTOR_LEN + 1] == 0) { 704 ie->wpa_ie = pos; 705 ie->wpa_ie_len = pos[1] + 2; 706 return 0; 707 } 708 709 if (pos + 1 + RSN_SELECTOR_LEN < end && 710 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN && 711 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) { 712 ie->pmkid = pos + 2 + RSN_SELECTOR_LEN; 713 return 0; 714 } 715 716 if (pos[1] > RSN_SELECTOR_LEN + 2 && 717 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) { 718 ie->gtk = pos + 2 + RSN_SELECTOR_LEN; 719 ie->gtk_len = pos[1] - RSN_SELECTOR_LEN; 720 return 0; 721 } 722 723 if (pos[1] > RSN_SELECTOR_LEN + 2 && 724 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_MAC_ADDR) { 725 ie->mac_addr = pos + 2 + RSN_SELECTOR_LEN; 726 ie->mac_addr_len = pos[1] - RSN_SELECTOR_LEN; 727 return 0; 728 } 729 730 #ifdef CONFIG_PEERKEY 731 if (pos[1] > RSN_SELECTOR_LEN + 2 && 732 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_SMK) { 733 ie->smk = pos + 2 + RSN_SELECTOR_LEN; 734 ie->smk_len = pos[1] - RSN_SELECTOR_LEN; 735 return 0; 736 } 737 738 if (pos[1] > RSN_SELECTOR_LEN + 2 && 739 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_NONCE) { 740 ie->nonce = pos + 2 + RSN_SELECTOR_LEN; 741 ie->nonce_len = pos[1] - RSN_SELECTOR_LEN; 742 return 0; 743 } 744 745 if (pos[1] > RSN_SELECTOR_LEN + 2 && 746 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_LIFETIME) { 747 ie->lifetime = pos + 2 + RSN_SELECTOR_LEN; 748 ie->lifetime_len = pos[1] - RSN_SELECTOR_LEN; 749 return 0; 750 } 751 752 if (pos[1] > RSN_SELECTOR_LEN + 2 && 753 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_ERROR) { 754 ie->error = pos + 2 + RSN_SELECTOR_LEN; 755 ie->error_len = pos[1] - RSN_SELECTOR_LEN; 756 return 0; 757 } 758 #endif /* CONFIG_PEERKEY */ 759 760 #ifdef CONFIG_IEEE80211W 761 if (pos[1] > RSN_SELECTOR_LEN + 2 && 762 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_IGTK) { 763 ie->igtk = pos + 2 + RSN_SELECTOR_LEN; 764 ie->igtk_len = pos[1] - RSN_SELECTOR_LEN; 765 return 0; 766 } 767 #endif /* CONFIG_IEEE80211W */ 768 769 return 0; 770 } 771 772 773 /** 774 * wpa_parse_kde_ies - Parse EAPOL-Key Key Data IEs 775 * @buf: Pointer to the Key Data buffer 776 * @len: Key Data Length 777 * @ie: Pointer to parsed IE data 778 * Returns: 0 on success, -1 on failure 779 */ 780 int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie) 781 { 782 const u8 *pos, *end; 783 int ret = 0; 784 785 os_memset(ie, 0, sizeof(*ie)); 786 for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) { 787 if (pos[0] == 0xdd && 788 ((pos == buf + len - 1) || pos[1] == 0)) { 789 /* Ignore padding */ 790 break; 791 } 792 if (pos + 2 + pos[1] > end) { 793 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data " 794 "underflow (ie=%d len=%d pos=%d)", 795 pos[0], pos[1], (int) (pos - buf)); 796 wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data", 797 buf, len); 798 ret = -1; 799 break; 800 } 801 if (*pos == WLAN_EID_RSN) { 802 ie->rsn_ie = pos; 803 ie->rsn_ie_len = pos[1] + 2; 804 #ifdef CONFIG_IEEE80211R 805 } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) { 806 ie->mdie = pos; 807 ie->mdie_len = pos[1] + 2; 808 } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) { 809 ie->ftie = pos; 810 ie->ftie_len = pos[1] + 2; 811 #endif /* CONFIG_IEEE80211R */ 812 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) { 813 ret = wpa_parse_generic(pos, end, ie); 814 if (ret < 0) 815 break; 816 if (ret > 0) { 817 ret = 0; 818 break; 819 } 820 } else { 821 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized EAPOL-Key " 822 "Key Data IE", pos, 2 + pos[1]); 823 } 824 } 825 826 return ret; 827 } 828 829 830 int wpa_auth_uses_mfp(struct wpa_state_machine *sm) 831 { 832 return sm ? sm->mgmt_frame_prot : 0; 833 } 834
