1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2011, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "common/ieee802_11_defs.h" 15 #include "crypto/aes_wrap.h" 16 #include "crypto/crypto.h" 17 #include "crypto/sha1.h" 18 #include "crypto/sha256.h" 19 #include "crypto/random.h" 20 #include "eapol_auth/eapol_auth_sm.h" 21 #include "ap_config.h" 22 #include "ieee802_11.h" 23 #include "wpa_auth.h" 24 #include "pmksa_cache_auth.h" 25 #include "wpa_auth_i.h" 26 #include "wpa_auth_ie.h" 27 28 #define STATE_MACHINE_DATA struct wpa_state_machine 29 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 30 #define STATE_MACHINE_ADDR sm->addr 31 32 33 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 34 static int wpa_sm_step(struct wpa_state_machine *sm); 35 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len); 36 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 37 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 38 struct wpa_group *group); 39 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 40 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 41 struct wpa_group *group); 42 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 45 static const u32 dot11RSNAConfigGroupUpdateCount = 4; 46 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 47 static const u32 eapol_key_timeout_first = 100; /* ms */ 48 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 49 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 50 51 /* TODO: make these configurable */ 52 static const int dot11RSNAConfigPMKLifetime = 43200; 53 static const int dot11RSNAConfigPMKReauthThreshold = 70; 54 static const int dot11RSNAConfigSATimeout = 60; 55 56 57 static inline void wpa_auth_mic_failure_report( 58 struct wpa_authenticator *wpa_auth, const u8 *addr) 59 { 60 if (wpa_auth->cb.mic_failure_report) 61 wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 62 } 63 64 65 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 66 const u8 *addr, wpa_eapol_variable var, 67 int value) 68 { 69 if (wpa_auth->cb.set_eapol) 70 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 71 } 72 73 74 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 75 const u8 *addr, wpa_eapol_variable var) 76 { 77 if (wpa_auth->cb.get_eapol == NULL) 78 return -1; 79 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 80 } 81 82 83 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 84 const u8 *addr, const u8 *prev_psk) 85 { 86 if (wpa_auth->cb.get_psk == NULL) 87 return NULL; 88 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk); 89 } 90 91 92 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 93 const u8 *addr, u8 *msk, size_t *len) 94 { 95 if (wpa_auth->cb.get_msk == NULL) 96 return -1; 97 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 98 } 99 100 101 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 102 int vlan_id, 103 enum wpa_alg alg, const u8 *addr, int idx, 104 u8 *key, size_t key_len) 105 { 106 if (wpa_auth->cb.set_key == NULL) 107 return -1; 108 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 109 key, key_len); 110 } 111 112 113 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 114 const u8 *addr, int idx, u8 *seq) 115 { 116 if (wpa_auth->cb.get_seqnum == NULL) 117 return -1; 118 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 119 } 120 121 122 static inline int 123 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 124 const u8 *data, size_t data_len, int encrypt) 125 { 126 if (wpa_auth->cb.send_eapol == NULL) 127 return -1; 128 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 129 encrypt); 130 } 131 132 133 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 134 int (*cb)(struct wpa_state_machine *sm, void *ctx), 135 void *cb_ctx) 136 { 137 if (wpa_auth->cb.for_each_sta == NULL) 138 return 0; 139 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 140 } 141 142 143 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 144 int (*cb)(struct wpa_authenticator *a, void *ctx), 145 void *cb_ctx) 146 { 147 if (wpa_auth->cb.for_each_auth == NULL) 148 return 0; 149 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 150 } 151 152 153 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 154 logger_level level, const char *txt) 155 { 156 if (wpa_auth->cb.logger == NULL) 157 return; 158 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 159 } 160 161 162 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 163 logger_level level, const char *fmt, ...) 164 { 165 char *format; 166 int maxlen; 167 va_list ap; 168 169 if (wpa_auth->cb.logger == NULL) 170 return; 171 172 maxlen = os_strlen(fmt) + 100; 173 format = os_malloc(maxlen); 174 if (!format) 175 return; 176 177 va_start(ap, fmt); 178 vsnprintf(format, maxlen, fmt, ap); 179 va_end(ap); 180 181 wpa_auth_logger(wpa_auth, addr, level, format); 182 183 os_free(format); 184 } 185 186 187 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 188 const u8 *addr) 189 { 190 if (wpa_auth->cb.disconnect == NULL) 191 return; 192 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 193 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 194 WLAN_REASON_PREV_AUTH_NOT_VALID); 195 } 196 197 198 static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 199 { 200 int ret = 0; 201 #ifdef CONFIG_IEEE80211R 202 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 203 ret = 1; 204 #endif /* CONFIG_IEEE80211R */ 205 #ifdef CONFIG_IEEE80211W 206 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 207 ret = 1; 208 #endif /* CONFIG_IEEE80211W */ 209 return ret; 210 } 211 212 213 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 214 { 215 struct wpa_authenticator *wpa_auth = eloop_ctx; 216 217 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 218 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 219 "initialization."); 220 } else { 221 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 222 wpa_hexdump_key(MSG_DEBUG, "GMK", 223 wpa_auth->group->GMK, WPA_GMK_LEN); 224 } 225 226 if (wpa_auth->conf.wpa_gmk_rekey) { 227 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 228 wpa_rekey_gmk, wpa_auth, NULL); 229 } 230 } 231 232 233 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 234 { 235 struct wpa_authenticator *wpa_auth = eloop_ctx; 236 struct wpa_group *group; 237 238 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 239 for (group = wpa_auth->group; group; group = group->next) { 240 group->GTKReKey = TRUE; 241 do { 242 group->changed = FALSE; 243 wpa_group_sm_step(wpa_auth, group); 244 } while (group->changed); 245 } 246 247 if (wpa_auth->conf.wpa_group_rekey) { 248 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 249 0, wpa_rekey_gtk, wpa_auth, NULL); 250 } 251 } 252 253 254 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 255 { 256 struct wpa_authenticator *wpa_auth = eloop_ctx; 257 struct wpa_state_machine *sm = timeout_ctx; 258 259 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 260 wpa_request_new_ptk(sm); 261 wpa_sm_step(sm); 262 } 263 264 265 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 266 { 267 if (sm->pmksa == ctx) 268 sm->pmksa = NULL; 269 return 0; 270 } 271 272 273 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 274 void *ctx) 275 { 276 struct wpa_authenticator *wpa_auth = ctx; 277 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 278 } 279 280 281 static void wpa_group_set_key_len(struct wpa_group *group, int cipher) 282 { 283 switch (cipher) { 284 case WPA_CIPHER_CCMP: 285 group->GTK_len = 16; 286 break; 287 case WPA_CIPHER_TKIP: 288 group->GTK_len = 32; 289 break; 290 case WPA_CIPHER_WEP104: 291 group->GTK_len = 13; 292 break; 293 case WPA_CIPHER_WEP40: 294 group->GTK_len = 5; 295 break; 296 } 297 } 298 299 300 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 301 struct wpa_group *group) 302 { 303 u8 buf[ETH_ALEN + 8 + sizeof(group)]; 304 u8 rkey[32]; 305 306 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 307 return -1; 308 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 309 310 /* 311 * Counter = PRF-256(Random number, "Init Counter", 312 * Local MAC Address || Time) 313 */ 314 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 315 wpa_get_ntp_timestamp(buf + ETH_ALEN); 316 os_memcpy(buf + ETH_ALEN + 8, &group, sizeof(group)); 317 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 318 return -1; 319 320 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 321 group->Counter, WPA_NONCE_LEN) < 0) 322 return -1; 323 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 324 group->Counter, WPA_NONCE_LEN); 325 326 return 0; 327 } 328 329 330 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 331 int vlan_id, int delay_init) 332 { 333 struct wpa_group *group; 334 335 group = os_zalloc(sizeof(struct wpa_group)); 336 if (group == NULL) 337 return NULL; 338 339 group->GTKAuthenticator = TRUE; 340 group->vlan_id = vlan_id; 341 342 wpa_group_set_key_len(group, wpa_auth->conf.wpa_group); 343 344 if (random_pool_ready() != 1) { 345 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 346 "for secure operations - update keys later when " 347 "the first station connects"); 348 } 349 350 /* 351 * Set initial GMK/Counter value here. The actual values that will be 352 * used in negotiations will be set once the first station tries to 353 * connect. This allows more time for collecting additional randomness 354 * on embedded devices. 355 */ 356 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 357 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 358 "initialization."); 359 os_free(group); 360 return NULL; 361 } 362 363 group->GInit = TRUE; 364 if (delay_init) { 365 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 366 "until Beacon frames have been configured"); 367 /* Initialization is completed in wpa_init_keys(). */ 368 } else { 369 wpa_group_sm_step(wpa_auth, group); 370 group->GInit = FALSE; 371 wpa_group_sm_step(wpa_auth, group); 372 } 373 374 return group; 375 } 376 377 378 /** 379 * wpa_init - Initialize WPA authenticator 380 * @addr: Authenticator address 381 * @conf: Configuration for WPA authenticator 382 * @cb: Callback functions for WPA authenticator 383 * Returns: Pointer to WPA authenticator data or %NULL on failure 384 */ 385 struct wpa_authenticator * wpa_init(const u8 *addr, 386 struct wpa_auth_config *conf, 387 struct wpa_auth_callbacks *cb) 388 { 389 struct wpa_authenticator *wpa_auth; 390 391 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 392 if (wpa_auth == NULL) 393 return NULL; 394 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 395 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 396 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 397 398 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 399 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 400 os_free(wpa_auth); 401 return NULL; 402 } 403 404 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 405 if (wpa_auth->group == NULL) { 406 os_free(wpa_auth->wpa_ie); 407 os_free(wpa_auth); 408 return NULL; 409 } 410 411 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 412 wpa_auth); 413 if (wpa_auth->pmksa == NULL) { 414 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 415 os_free(wpa_auth->wpa_ie); 416 os_free(wpa_auth); 417 return NULL; 418 } 419 420 #ifdef CONFIG_IEEE80211R 421 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 422 if (wpa_auth->ft_pmk_cache == NULL) { 423 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 424 os_free(wpa_auth->wpa_ie); 425 pmksa_cache_auth_deinit(wpa_auth->pmksa); 426 os_free(wpa_auth); 427 return NULL; 428 } 429 #endif /* CONFIG_IEEE80211R */ 430 431 if (wpa_auth->conf.wpa_gmk_rekey) { 432 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 433 wpa_rekey_gmk, wpa_auth, NULL); 434 } 435 436 if (wpa_auth->conf.wpa_group_rekey) { 437 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 438 wpa_rekey_gtk, wpa_auth, NULL); 439 } 440 441 return wpa_auth; 442 } 443 444 445 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 446 { 447 struct wpa_group *group = wpa_auth->group; 448 449 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 450 "keys"); 451 wpa_group_sm_step(wpa_auth, group); 452 group->GInit = FALSE; 453 wpa_group_sm_step(wpa_auth, group); 454 return 0; 455 } 456 457 458 /** 459 * wpa_deinit - Deinitialize WPA authenticator 460 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 461 */ 462 void wpa_deinit(struct wpa_authenticator *wpa_auth) 463 { 464 struct wpa_group *group, *prev; 465 466 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 467 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 468 469 #ifdef CONFIG_PEERKEY 470 while (wpa_auth->stsl_negotiations) 471 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 472 #endif /* CONFIG_PEERKEY */ 473 474 pmksa_cache_auth_deinit(wpa_auth->pmksa); 475 476 #ifdef CONFIG_IEEE80211R 477 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 478 wpa_auth->ft_pmk_cache = NULL; 479 #endif /* CONFIG_IEEE80211R */ 480 481 os_free(wpa_auth->wpa_ie); 482 483 group = wpa_auth->group; 484 while (group) { 485 prev = group; 486 group = group->next; 487 os_free(prev); 488 } 489 490 os_free(wpa_auth); 491 } 492 493 494 /** 495 * wpa_reconfig - Update WPA authenticator configuration 496 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 497 * @conf: Configuration for WPA authenticator 498 */ 499 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 500 struct wpa_auth_config *conf) 501 { 502 struct wpa_group *group; 503 if (wpa_auth == NULL) 504 return 0; 505 506 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 507 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 508 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 509 return -1; 510 } 511 512 /* 513 * Reinitialize GTK to make sure it is suitable for the new 514 * configuration. 515 */ 516 group = wpa_auth->group; 517 wpa_group_set_key_len(group, wpa_auth->conf.wpa_group); 518 group->GInit = TRUE; 519 wpa_group_sm_step(wpa_auth, group); 520 group->GInit = FALSE; 521 wpa_group_sm_step(wpa_auth, group); 522 523 return 0; 524 } 525 526 527 struct wpa_state_machine * 528 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr) 529 { 530 struct wpa_state_machine *sm; 531 532 sm = os_zalloc(sizeof(struct wpa_state_machine)); 533 if (sm == NULL) 534 return NULL; 535 os_memcpy(sm->addr, addr, ETH_ALEN); 536 537 sm->wpa_auth = wpa_auth; 538 sm->group = wpa_auth->group; 539 540 return sm; 541 } 542 543 544 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 545 struct wpa_state_machine *sm) 546 { 547 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 548 return -1; 549 550 #ifdef CONFIG_IEEE80211R 551 if (sm->ft_completed) { 552 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 553 "FT authentication already completed - do not " 554 "start 4-way handshake"); 555 return 0; 556 } 557 #endif /* CONFIG_IEEE80211R */ 558 559 if (sm->started) { 560 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 561 sm->ReAuthenticationRequest = TRUE; 562 return wpa_sm_step(sm); 563 } 564 565 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 566 "start authentication"); 567 sm->started = 1; 568 569 sm->Init = TRUE; 570 if (wpa_sm_step(sm) == 1) 571 return 1; /* should not really happen */ 572 sm->Init = FALSE; 573 sm->AuthenticationRequest = TRUE; 574 return wpa_sm_step(sm); 575 } 576 577 578 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 579 { 580 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 581 * reassociates back to the same AP while the previous entry for the 582 * STA has not yet been removed. */ 583 if (sm == NULL) 584 return; 585 586 sm->wpa_key_mgmt = 0; 587 } 588 589 590 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 591 { 592 if (sm->GUpdateStationKeys) { 593 sm->group->GKeyDoneStations--; 594 sm->GUpdateStationKeys = FALSE; 595 } 596 #ifdef CONFIG_IEEE80211R 597 os_free(sm->assoc_resp_ftie); 598 #endif /* CONFIG_IEEE80211R */ 599 os_free(sm->last_rx_eapol_key); 600 os_free(sm->wpa_ie); 601 os_free(sm); 602 } 603 604 605 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 606 { 607 if (sm == NULL) 608 return; 609 610 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 611 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 612 "strict rekeying - force GTK rekey since STA " 613 "is leaving"); 614 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 615 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 616 NULL); 617 } 618 619 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 620 sm->pending_1_of_4_timeout = 0; 621 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 622 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 623 if (sm->in_step_loop) { 624 /* Must not free state machine while wpa_sm_step() is running. 625 * Freeing will be completed in the end of wpa_sm_step(). */ 626 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 627 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 628 sm->pending_deinit = 1; 629 } else 630 wpa_free_sta_sm(sm); 631 } 632 633 634 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 635 { 636 if (sm == NULL) 637 return; 638 639 sm->PTKRequest = TRUE; 640 sm->PTK_valid = 0; 641 } 642 643 644 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 645 const u8 *replay_counter) 646 { 647 int i; 648 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 649 if (!ctr[i].valid) 650 break; 651 if (os_memcmp(replay_counter, ctr[i].counter, 652 WPA_REPLAY_COUNTER_LEN) == 0) 653 return 1; 654 } 655 return 0; 656 } 657 658 659 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 660 const u8 *replay_counter) 661 { 662 int i; 663 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 664 if (ctr[i].valid && 665 (replay_counter == NULL || 666 os_memcmp(replay_counter, ctr[i].counter, 667 WPA_REPLAY_COUNTER_LEN) == 0)) 668 ctr[i].valid = FALSE; 669 } 670 } 671 672 673 #ifdef CONFIG_IEEE80211R 674 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 675 struct wpa_state_machine *sm, 676 struct wpa_eapol_ie_parse *kde) 677 { 678 struct wpa_ie_data ie; 679 struct rsn_mdie *mdie; 680 681 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 682 ie.num_pmkid != 1 || ie.pmkid == NULL) { 683 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 684 "FT 4-way handshake message 2/4"); 685 return -1; 686 } 687 688 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 689 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 690 sm->sup_pmk_r1_name, PMKID_LEN); 691 692 if (!kde->mdie || !kde->ftie) { 693 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 694 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 695 return -1; 696 } 697 698 mdie = (struct rsn_mdie *) (kde->mdie + 2); 699 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 700 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 701 MOBILITY_DOMAIN_ID_LEN) != 0) { 702 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 703 return -1; 704 } 705 706 if (sm->assoc_resp_ftie && 707 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 708 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 709 2 + sm->assoc_resp_ftie[1]) != 0)) { 710 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 711 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 712 kde->ftie, kde->ftie_len); 713 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 714 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 715 return -1; 716 } 717 718 return 0; 719 } 720 #endif /* CONFIG_IEEE80211R */ 721 722 723 static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 724 struct wpa_state_machine *sm, int group) 725 { 726 /* Supplicant reported a Michael MIC error */ 727 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 728 "received EAPOL-Key Error Request " 729 "(STA detected Michael MIC failure (group=%d))", 730 group); 731 732 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 733 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 734 "ignore Michael MIC failure report since " 735 "group cipher is not TKIP"); 736 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 737 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 738 "ignore Michael MIC failure report since " 739 "pairwise cipher is not TKIP"); 740 } else { 741 wpa_auth_mic_failure_report(wpa_auth, sm->addr); 742 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 743 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 744 } 745 746 /* 747 * Error report is not a request for a new key handshake, but since 748 * Authenticator may do it, let's change the keys now anyway. 749 */ 750 wpa_request_new_ptk(sm); 751 } 752 753 754 void wpa_receive(struct wpa_authenticator *wpa_auth, 755 struct wpa_state_machine *sm, 756 u8 *data, size_t data_len) 757 { 758 struct ieee802_1x_hdr *hdr; 759 struct wpa_eapol_key *key; 760 u16 key_info, key_data_length; 761 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 762 SMK_M1, SMK_M3, SMK_ERROR } msg; 763 char *msgtxt; 764 struct wpa_eapol_ie_parse kde; 765 int ft; 766 const u8 *eapol_key_ie; 767 size_t eapol_key_ie_len; 768 769 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 770 return; 771 772 if (data_len < sizeof(*hdr) + sizeof(*key)) 773 return; 774 775 hdr = (struct ieee802_1x_hdr *) data; 776 key = (struct wpa_eapol_key *) (hdr + 1); 777 key_info = WPA_GET_BE16(key->key_info); 778 key_data_length = WPA_GET_BE16(key->key_data_length); 779 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 780 " key_info=0x%x type=%u key_data_length=%u", 781 MAC2STR(sm->addr), key_info, key->type, key_data_length); 782 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 783 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 784 "key_data overflow (%d > %lu)", 785 key_data_length, 786 (unsigned long) (data_len - sizeof(*hdr) - 787 sizeof(*key))); 788 return; 789 } 790 791 if (sm->wpa == WPA_VERSION_WPA2) { 792 if (key->type == EAPOL_KEY_TYPE_WPA) { 793 /* 794 * Some deployed station implementations seem to send 795 * msg 4/4 with incorrect type value in WPA2 mode. 796 */ 797 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 798 "with unexpected WPA type in RSN mode"); 799 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 800 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 801 "unexpected type %d in RSN mode", 802 key->type); 803 return; 804 } 805 } else { 806 if (key->type != EAPOL_KEY_TYPE_WPA) { 807 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 808 "unexpected type %d in WPA mode", 809 key->type); 810 return; 811 } 812 } 813 814 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 815 WPA_NONCE_LEN); 816 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 817 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 818 819 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 820 * are set */ 821 822 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 823 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 824 if (key_info & WPA_KEY_INFO_ERROR) { 825 msg = SMK_ERROR; 826 msgtxt = "SMK Error"; 827 } else { 828 msg = SMK_M1; 829 msgtxt = "SMK M1"; 830 } 831 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 832 msg = SMK_M3; 833 msgtxt = "SMK M3"; 834 } else if (key_info & WPA_KEY_INFO_REQUEST) { 835 msg = REQUEST; 836 msgtxt = "Request"; 837 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 838 msg = GROUP_2; 839 msgtxt = "2/2 Group"; 840 } else if (key_data_length == 0) { 841 msg = PAIRWISE_4; 842 msgtxt = "4/4 Pairwise"; 843 } else { 844 msg = PAIRWISE_2; 845 msgtxt = "2/4 Pairwise"; 846 } 847 848 /* TODO: key_info type validation for PeerKey */ 849 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 850 msg == GROUP_2) { 851 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 852 if (sm->pairwise == WPA_CIPHER_CCMP) { 853 if (wpa_use_aes_cmac(sm) && 854 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 855 wpa_auth_logger(wpa_auth, sm->addr, 856 LOGGER_WARNING, 857 "advertised support for " 858 "AES-128-CMAC, but did not " 859 "use it"); 860 return; 861 } 862 863 if (!wpa_use_aes_cmac(sm) && 864 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 865 wpa_auth_logger(wpa_auth, sm->addr, 866 LOGGER_WARNING, 867 "did not use HMAC-SHA1-AES " 868 "with CCMP"); 869 return; 870 } 871 } 872 } 873 874 if (key_info & WPA_KEY_INFO_REQUEST) { 875 if (sm->req_replay_counter_used && 876 os_memcmp(key->replay_counter, sm->req_replay_counter, 877 WPA_REPLAY_COUNTER_LEN) <= 0) { 878 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 879 "received EAPOL-Key request with " 880 "replayed counter"); 881 return; 882 } 883 } 884 885 if (!(key_info & WPA_KEY_INFO_REQUEST) && 886 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 887 int i; 888 889 if (msg == PAIRWISE_2 && 890 wpa_replay_counter_valid(sm->prev_key_replay, 891 key->replay_counter) && 892 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 893 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 894 { 895 /* 896 * Some supplicant implementations (e.g., Windows XP 897 * WZC) update SNonce for each EAPOL-Key 2/4. This 898 * breaks the workaround on accepting any of the 899 * pending requests, so allow the SNonce to be updated 900 * even if we have already sent out EAPOL-Key 3/4. 901 */ 902 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 903 "Process SNonce update from STA " 904 "based on retransmitted EAPOL-Key " 905 "1/4"); 906 sm->update_snonce = 1; 907 wpa_replay_counter_mark_invalid(sm->prev_key_replay, 908 key->replay_counter); 909 goto continue_processing; 910 } 911 912 if (msg == PAIRWISE_2 && 913 wpa_replay_counter_valid(sm->prev_key_replay, 914 key->replay_counter) && 915 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 916 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 917 "ignore retransmitted EAPOL-Key %s - " 918 "SNonce did not change", msgtxt); 919 } else { 920 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 921 "received EAPOL-Key %s with " 922 "unexpected replay counter", msgtxt); 923 } 924 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 925 if (!sm->key_replay[i].valid) 926 break; 927 wpa_hexdump(MSG_DEBUG, "pending replay counter", 928 sm->key_replay[i].counter, 929 WPA_REPLAY_COUNTER_LEN); 930 } 931 wpa_hexdump(MSG_DEBUG, "received replay counter", 932 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 933 return; 934 } 935 936 continue_processing: 937 switch (msg) { 938 case PAIRWISE_2: 939 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 940 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 941 (!sm->update_snonce || 942 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 943 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 944 "received EAPOL-Key msg 2/4 in " 945 "invalid state (%d) - dropped", 946 sm->wpa_ptk_state); 947 return; 948 } 949 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 950 if (sm->group->reject_4way_hs_for_entropy) { 951 /* 952 * The system did not have enough entropy to generate 953 * strong random numbers. Reject the first 4-way 954 * handshake(s) and collect some entropy based on the 955 * information from it. Once enough entropy is 956 * available, the next atempt will trigger GMK/Key 957 * Counter update and the station will be allowed to 958 * continue. 959 */ 960 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 961 "collect more entropy for random number " 962 "generation"); 963 random_mark_pool_ready(); 964 wpa_sta_disconnect(wpa_auth, sm->addr); 965 return; 966 } 967 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 968 &kde) < 0) { 969 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 970 "received EAPOL-Key msg 2/4 with " 971 "invalid Key Data contents"); 972 return; 973 } 974 if (kde.rsn_ie) { 975 eapol_key_ie = kde.rsn_ie; 976 eapol_key_ie_len = kde.rsn_ie_len; 977 } else { 978 eapol_key_ie = kde.wpa_ie; 979 eapol_key_ie_len = kde.wpa_ie_len; 980 } 981 ft = sm->wpa == WPA_VERSION_WPA2 && 982 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 983 if (sm->wpa_ie == NULL || 984 wpa_compare_rsn_ie(ft, 985 sm->wpa_ie, sm->wpa_ie_len, 986 eapol_key_ie, eapol_key_ie_len)) { 987 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 988 "WPA IE from (Re)AssocReq did not " 989 "match with msg 2/4"); 990 if (sm->wpa_ie) { 991 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 992 sm->wpa_ie, sm->wpa_ie_len); 993 } 994 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 995 eapol_key_ie, eapol_key_ie_len); 996 /* MLME-DEAUTHENTICATE.request */ 997 wpa_sta_disconnect(wpa_auth, sm->addr); 998 return; 999 } 1000 #ifdef CONFIG_IEEE80211R 1001 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 1002 wpa_sta_disconnect(wpa_auth, sm->addr); 1003 return; 1004 } 1005 #endif /* CONFIG_IEEE80211R */ 1006 break; 1007 case PAIRWISE_4: 1008 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1009 !sm->PTK_valid) { 1010 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1011 "received EAPOL-Key msg 4/4 in " 1012 "invalid state (%d) - dropped", 1013 sm->wpa_ptk_state); 1014 return; 1015 } 1016 break; 1017 case GROUP_2: 1018 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1019 || !sm->PTK_valid) { 1020 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1021 "received EAPOL-Key msg 2/2 in " 1022 "invalid state (%d) - dropped", 1023 sm->wpa_ptk_group_state); 1024 return; 1025 } 1026 break; 1027 #ifdef CONFIG_PEERKEY 1028 case SMK_M1: 1029 case SMK_M3: 1030 case SMK_ERROR: 1031 if (!wpa_auth->conf.peerkey) { 1032 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1033 "PeerKey use disabled - ignoring message"); 1034 return; 1035 } 1036 if (!sm->PTK_valid) { 1037 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1038 "received EAPOL-Key msg SMK in " 1039 "invalid state - dropped"); 1040 return; 1041 } 1042 break; 1043 #else /* CONFIG_PEERKEY */ 1044 case SMK_M1: 1045 case SMK_M3: 1046 case SMK_ERROR: 1047 return; /* STSL disabled - ignore SMK messages */ 1048 #endif /* CONFIG_PEERKEY */ 1049 case REQUEST: 1050 break; 1051 } 1052 1053 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1054 "received EAPOL-Key frame (%s)", msgtxt); 1055 1056 if (key_info & WPA_KEY_INFO_ACK) { 1057 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1058 "received invalid EAPOL-Key: Key Ack set"); 1059 return; 1060 } 1061 1062 if (!(key_info & WPA_KEY_INFO_MIC)) { 1063 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1064 "received invalid EAPOL-Key: Key MIC not set"); 1065 return; 1066 } 1067 1068 sm->MICVerified = FALSE; 1069 if (sm->PTK_valid && !sm->update_snonce) { 1070 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) { 1071 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1072 "received EAPOL-Key with invalid MIC"); 1073 return; 1074 } 1075 sm->MICVerified = TRUE; 1076 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1077 sm->pending_1_of_4_timeout = 0; 1078 } 1079 1080 if (key_info & WPA_KEY_INFO_REQUEST) { 1081 if (sm->MICVerified) { 1082 sm->req_replay_counter_used = 1; 1083 os_memcpy(sm->req_replay_counter, key->replay_counter, 1084 WPA_REPLAY_COUNTER_LEN); 1085 } else { 1086 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1087 "received EAPOL-Key request with " 1088 "invalid MIC"); 1089 return; 1090 } 1091 1092 /* 1093 * TODO: should decrypt key data field if encryption was used; 1094 * even though MAC address KDE is not normally encrypted, 1095 * supplicant is allowed to encrypt it. 1096 */ 1097 if (msg == SMK_ERROR) { 1098 #ifdef CONFIG_PEERKEY 1099 wpa_smk_error(wpa_auth, sm, key); 1100 #endif /* CONFIG_PEERKEY */ 1101 return; 1102 } else if (key_info & WPA_KEY_INFO_ERROR) { 1103 wpa_receive_error_report( 1104 wpa_auth, sm, 1105 !(key_info & WPA_KEY_INFO_KEY_TYPE)); 1106 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1107 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1108 "received EAPOL-Key Request for new " 1109 "4-Way Handshake"); 1110 wpa_request_new_ptk(sm); 1111 #ifdef CONFIG_PEERKEY 1112 } else if (msg == SMK_M1) { 1113 wpa_smk_m1(wpa_auth, sm, key); 1114 #endif /* CONFIG_PEERKEY */ 1115 } else if (key_data_length > 0 && 1116 wpa_parse_kde_ies((const u8 *) (key + 1), 1117 key_data_length, &kde) == 0 && 1118 kde.mac_addr) { 1119 } else { 1120 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1121 "received EAPOL-Key Request for GTK " 1122 "rekeying"); 1123 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1124 wpa_rekey_gtk(wpa_auth, NULL); 1125 } 1126 } else { 1127 /* Do not allow the same key replay counter to be reused. */ 1128 wpa_replay_counter_mark_invalid(sm->key_replay, 1129 key->replay_counter); 1130 1131 if (msg == PAIRWISE_2) { 1132 /* 1133 * Maintain a copy of the pending EAPOL-Key frames in 1134 * case the EAPOL-Key frame was retransmitted. This is 1135 * needed to allow EAPOL-Key msg 2/4 reply to another 1136 * pending msg 1/4 to update the SNonce to work around 1137 * unexpected supplicant behavior. 1138 */ 1139 os_memcpy(sm->prev_key_replay, sm->key_replay, 1140 sizeof(sm->key_replay)); 1141 } else { 1142 os_memset(sm->prev_key_replay, 0, 1143 sizeof(sm->prev_key_replay)); 1144 } 1145 1146 /* 1147 * Make sure old valid counters are not accepted anymore and 1148 * do not get copied again. 1149 */ 1150 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1151 } 1152 1153 #ifdef CONFIG_PEERKEY 1154 if (msg == SMK_M3) { 1155 wpa_smk_m3(wpa_auth, sm, key); 1156 return; 1157 } 1158 #endif /* CONFIG_PEERKEY */ 1159 1160 os_free(sm->last_rx_eapol_key); 1161 sm->last_rx_eapol_key = os_malloc(data_len); 1162 if (sm->last_rx_eapol_key == NULL) 1163 return; 1164 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1165 sm->last_rx_eapol_key_len = data_len; 1166 1167 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1168 sm->EAPOLKeyReceived = TRUE; 1169 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1170 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1171 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1172 wpa_sm_step(sm); 1173 } 1174 1175 1176 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1177 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1178 { 1179 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1180 u8 *pos; 1181 int ret = 0; 1182 1183 /* GTK = PRF-X(GMK, "Group key expansion", 1184 * AA || GNonce || Time || random data) 1185 * The example described in the IEEE 802.11 standard uses only AA and 1186 * GNonce as inputs here. Add some more entropy since this derivation 1187 * is done only at the Authenticator and as such, does not need to be 1188 * exactly same. 1189 */ 1190 os_memcpy(data, addr, ETH_ALEN); 1191 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1192 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1193 wpa_get_ntp_timestamp(pos); 1194 pos += 8; 1195 if (random_get_bytes(pos, 16) < 0) 1196 ret = -1; 1197 1198 #ifdef CONFIG_IEEE80211W 1199 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1200 #else /* CONFIG_IEEE80211W */ 1201 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1202 < 0) 1203 ret = -1; 1204 #endif /* CONFIG_IEEE80211W */ 1205 1206 return ret; 1207 } 1208 1209 1210 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1211 { 1212 struct wpa_authenticator *wpa_auth = eloop_ctx; 1213 struct wpa_state_machine *sm = timeout_ctx; 1214 1215 sm->pending_1_of_4_timeout = 0; 1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1217 sm->TimeoutEvt = TRUE; 1218 wpa_sm_step(sm); 1219 } 1220 1221 1222 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1223 struct wpa_state_machine *sm, int key_info, 1224 const u8 *key_rsc, const u8 *nonce, 1225 const u8 *kde, size_t kde_len, 1226 int keyidx, int encr, int force_version) 1227 { 1228 struct ieee802_1x_hdr *hdr; 1229 struct wpa_eapol_key *key; 1230 size_t len; 1231 int alg; 1232 int key_data_len, pad_len = 0; 1233 u8 *buf, *pos; 1234 int version, pairwise; 1235 int i; 1236 1237 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1238 1239 if (force_version) 1240 version = force_version; 1241 else if (wpa_use_aes_cmac(sm)) 1242 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1243 else if (sm->pairwise == WPA_CIPHER_CCMP) 1244 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1245 else 1246 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1247 1248 pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1249 1250 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1251 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1252 "encr=%d)", 1253 version, 1254 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1255 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1256 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1257 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1258 pairwise, (unsigned long) kde_len, keyidx, encr); 1259 1260 key_data_len = kde_len; 1261 1262 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1263 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1264 pad_len = key_data_len % 8; 1265 if (pad_len) 1266 pad_len = 8 - pad_len; 1267 key_data_len += pad_len + 8; 1268 } 1269 1270 len += key_data_len; 1271 1272 hdr = os_zalloc(len); 1273 if (hdr == NULL) 1274 return; 1275 hdr->version = wpa_auth->conf.eapol_version; 1276 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1277 hdr->length = host_to_be16(len - sizeof(*hdr)); 1278 key = (struct wpa_eapol_key *) (hdr + 1); 1279 1280 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1281 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1282 key_info |= version; 1283 if (encr && sm->wpa == WPA_VERSION_WPA2) 1284 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1285 if (sm->wpa != WPA_VERSION_WPA2) 1286 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1287 WPA_PUT_BE16(key->key_info, key_info); 1288 1289 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1290 switch (alg) { 1291 case WPA_CIPHER_CCMP: 1292 WPA_PUT_BE16(key->key_length, 16); 1293 break; 1294 case WPA_CIPHER_TKIP: 1295 WPA_PUT_BE16(key->key_length, 32); 1296 break; 1297 case WPA_CIPHER_WEP40: 1298 WPA_PUT_BE16(key->key_length, 5); 1299 break; 1300 case WPA_CIPHER_WEP104: 1301 WPA_PUT_BE16(key->key_length, 13); 1302 break; 1303 } 1304 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1305 WPA_PUT_BE16(key->key_length, 0); 1306 1307 /* FIX: STSL: what to use as key_replay_counter? */ 1308 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1309 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1310 os_memcpy(sm->key_replay[i].counter, 1311 sm->key_replay[i - 1].counter, 1312 WPA_REPLAY_COUNTER_LEN); 1313 } 1314 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1315 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1316 WPA_REPLAY_COUNTER_LEN); 1317 sm->key_replay[0].valid = TRUE; 1318 1319 if (nonce) 1320 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1321 1322 if (key_rsc) 1323 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1324 1325 if (kde && !encr) { 1326 os_memcpy(key + 1, kde, kde_len); 1327 WPA_PUT_BE16(key->key_data_length, kde_len); 1328 } else if (encr && kde) { 1329 buf = os_zalloc(key_data_len); 1330 if (buf == NULL) { 1331 os_free(hdr); 1332 return; 1333 } 1334 pos = buf; 1335 os_memcpy(pos, kde, kde_len); 1336 pos += kde_len; 1337 1338 if (pad_len) 1339 *pos++ = 0xdd; 1340 1341 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1342 buf, key_data_len); 1343 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1344 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1345 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, 1346 (u8 *) (key + 1))) { 1347 os_free(hdr); 1348 os_free(buf); 1349 return; 1350 } 1351 WPA_PUT_BE16(key->key_data_length, key_data_len); 1352 } else { 1353 u8 ek[32]; 1354 os_memcpy(key->key_iv, 1355 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1356 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1357 os_memcpy(ek, key->key_iv, 16); 1358 os_memcpy(ek + 16, sm->PTK.kek, 16); 1359 os_memcpy(key + 1, buf, key_data_len); 1360 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1361 WPA_PUT_BE16(key->key_data_length, key_data_len); 1362 } 1363 os_free(buf); 1364 } 1365 1366 if (key_info & WPA_KEY_INFO_MIC) { 1367 if (!sm->PTK_valid) { 1368 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1369 "PTK not valid when sending EAPOL-Key " 1370 "frame"); 1371 os_free(hdr); 1372 return; 1373 } 1374 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, 1375 key->key_mic); 1376 } 1377 1378 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1379 1); 1380 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1381 sm->pairwise_set); 1382 os_free(hdr); 1383 } 1384 1385 1386 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1387 struct wpa_state_machine *sm, int key_info, 1388 const u8 *key_rsc, const u8 *nonce, 1389 const u8 *kde, size_t kde_len, 1390 int keyidx, int encr) 1391 { 1392 int timeout_ms; 1393 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1394 int ctr; 1395 1396 if (sm == NULL) 1397 return; 1398 1399 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1400 keyidx, encr, 0); 1401 1402 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1403 if (ctr == 1 && wpa_auth->conf.tx_status) 1404 timeout_ms = pairwise ? eapol_key_timeout_first : 1405 eapol_key_timeout_first_group; 1406 else 1407 timeout_ms = eapol_key_timeout_subseq; 1408 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1409 sm->pending_1_of_4_timeout = 1; 1410 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1411 "counter %d)", timeout_ms, ctr); 1412 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1413 wpa_send_eapol_timeout, wpa_auth, sm); 1414 } 1415 1416 1417 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len) 1418 { 1419 struct ieee802_1x_hdr *hdr; 1420 struct wpa_eapol_key *key; 1421 u16 key_info; 1422 int ret = 0; 1423 u8 mic[16]; 1424 1425 if (data_len < sizeof(*hdr) + sizeof(*key)) 1426 return -1; 1427 1428 hdr = (struct ieee802_1x_hdr *) data; 1429 key = (struct wpa_eapol_key *) (hdr + 1); 1430 key_info = WPA_GET_BE16(key->key_info); 1431 os_memcpy(mic, key->key_mic, 16); 1432 os_memset(key->key_mic, 0, 16); 1433 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK, 1434 data, data_len, key->key_mic) || 1435 os_memcmp(mic, key->key_mic, 16) != 0) 1436 ret = -1; 1437 os_memcpy(key->key_mic, mic, 16); 1438 return ret; 1439 } 1440 1441 1442 void wpa_remove_ptk(struct wpa_state_machine *sm) 1443 { 1444 sm->PTK_valid = FALSE; 1445 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1446 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1447 sm->pairwise_set = FALSE; 1448 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1449 } 1450 1451 1452 int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1453 { 1454 int remove_ptk = 1; 1455 1456 if (sm == NULL) 1457 return -1; 1458 1459 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1460 "event %d notification", event); 1461 1462 switch (event) { 1463 case WPA_AUTH: 1464 case WPA_ASSOC: 1465 break; 1466 case WPA_DEAUTH: 1467 case WPA_DISASSOC: 1468 sm->DeauthenticationRequest = TRUE; 1469 break; 1470 case WPA_REAUTH: 1471 case WPA_REAUTH_EAPOL: 1472 if (!sm->started) { 1473 /* 1474 * When using WPS, we may end up here if the STA 1475 * manages to re-associate without the previous STA 1476 * entry getting removed. Consequently, we need to make 1477 * sure that the WPA state machines gets initialized 1478 * properly at this point. 1479 */ 1480 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1481 "started - initialize now"); 1482 sm->started = 1; 1483 sm->Init = TRUE; 1484 if (wpa_sm_step(sm) == 1) 1485 return 1; /* should not really happen */ 1486 sm->Init = FALSE; 1487 sm->AuthenticationRequest = TRUE; 1488 break; 1489 } 1490 if (sm->GUpdateStationKeys) { 1491 /* 1492 * Reauthentication cancels the pending group key 1493 * update for this STA. 1494 */ 1495 sm->group->GKeyDoneStations--; 1496 sm->GUpdateStationKeys = FALSE; 1497 sm->PtkGroupInit = TRUE; 1498 } 1499 sm->ReAuthenticationRequest = TRUE; 1500 break; 1501 case WPA_ASSOC_FT: 1502 #ifdef CONFIG_IEEE80211R 1503 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1504 "after association"); 1505 wpa_ft_install_ptk(sm); 1506 1507 /* Using FT protocol, not WPA auth state machine */ 1508 sm->ft_completed = 1; 1509 return 0; 1510 #else /* CONFIG_IEEE80211R */ 1511 break; 1512 #endif /* CONFIG_IEEE80211R */ 1513 } 1514 1515 #ifdef CONFIG_IEEE80211R 1516 sm->ft_completed = 0; 1517 #endif /* CONFIG_IEEE80211R */ 1518 1519 #ifdef CONFIG_IEEE80211W 1520 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1521 remove_ptk = 0; 1522 #endif /* CONFIG_IEEE80211W */ 1523 1524 if (remove_ptk) { 1525 sm->PTK_valid = FALSE; 1526 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1527 1528 if (event != WPA_REAUTH_EAPOL) 1529 wpa_remove_ptk(sm); 1530 } 1531 1532 return wpa_sm_step(sm); 1533 } 1534 1535 1536 static enum wpa_alg wpa_alg_enum(int alg) 1537 { 1538 switch (alg) { 1539 case WPA_CIPHER_CCMP: 1540 return WPA_ALG_CCMP; 1541 case WPA_CIPHER_TKIP: 1542 return WPA_ALG_TKIP; 1543 case WPA_CIPHER_WEP104: 1544 case WPA_CIPHER_WEP40: 1545 return WPA_ALG_WEP; 1546 default: 1547 return WPA_ALG_NONE; 1548 } 1549 } 1550 1551 1552 SM_STATE(WPA_PTK, INITIALIZE) 1553 { 1554 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1555 if (sm->Init) { 1556 /* Init flag is not cleared here, so avoid busy 1557 * loop by claiming nothing changed. */ 1558 sm->changed = FALSE; 1559 } 1560 1561 sm->keycount = 0; 1562 if (sm->GUpdateStationKeys) 1563 sm->group->GKeyDoneStations--; 1564 sm->GUpdateStationKeys = FALSE; 1565 if (sm->wpa == WPA_VERSION_WPA) 1566 sm->PInitAKeys = FALSE; 1567 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1568 * Local AA > Remote AA)) */) { 1569 sm->Pair = TRUE; 1570 } 1571 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1572 wpa_remove_ptk(sm); 1573 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1574 sm->TimeoutCtr = 0; 1575 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1576 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1577 WPA_EAPOL_authorized, 0); 1578 } 1579 } 1580 1581 1582 SM_STATE(WPA_PTK, DISCONNECT) 1583 { 1584 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1585 sm->Disconnect = FALSE; 1586 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1587 } 1588 1589 1590 SM_STATE(WPA_PTK, DISCONNECTED) 1591 { 1592 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1593 sm->DeauthenticationRequest = FALSE; 1594 } 1595 1596 1597 SM_STATE(WPA_PTK, AUTHENTICATION) 1598 { 1599 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1600 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1601 sm->PTK_valid = FALSE; 1602 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1603 1); 1604 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1605 sm->AuthenticationRequest = FALSE; 1606 } 1607 1608 1609 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1610 struct wpa_group *group) 1611 { 1612 if (group->first_sta_seen) 1613 return; 1614 /* 1615 * System has run bit further than at the time hostapd was started 1616 * potentially very early during boot up. This provides better chances 1617 * of collecting more randomness on embedded systems. Re-initialize the 1618 * GMK and Counter here to improve their strength if there was not 1619 * enough entropy available immediately after system startup. 1620 */ 1621 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1622 "station"); 1623 if (random_pool_ready() != 1) { 1624 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1625 "to proceed - reject first 4-way handshake"); 1626 group->reject_4way_hs_for_entropy = TRUE; 1627 } else { 1628 group->first_sta_seen = TRUE; 1629 group->reject_4way_hs_for_entropy = FALSE; 1630 } 1631 1632 wpa_group_init_gmk_and_counter(wpa_auth, group); 1633 wpa_gtk_update(wpa_auth, group); 1634 wpa_group_config_group_keys(wpa_auth, group); 1635 } 1636 1637 1638 SM_STATE(WPA_PTK, AUTHENTICATION2) 1639 { 1640 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1641 1642 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1643 1644 os_memcpy(sm->ANonce, sm->group->Counter, WPA_NONCE_LEN); 1645 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1646 WPA_NONCE_LEN); 1647 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1648 sm->ReAuthenticationRequest = FALSE; 1649 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1650 * logical place than INITIALIZE since AUTHENTICATION2 can be 1651 * re-entered on ReAuthenticationRequest without going through 1652 * INITIALIZE. */ 1653 sm->TimeoutCtr = 0; 1654 } 1655 1656 1657 SM_STATE(WPA_PTK, INITPMK) 1658 { 1659 u8 msk[2 * PMK_LEN]; 1660 size_t len = 2 * PMK_LEN; 1661 1662 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1663 #ifdef CONFIG_IEEE80211R 1664 sm->xxkey_len = 0; 1665 #endif /* CONFIG_IEEE80211R */ 1666 if (sm->pmksa) { 1667 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1668 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1669 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1670 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1671 "(len=%lu)", (unsigned long) len); 1672 os_memcpy(sm->PMK, msk, PMK_LEN); 1673 #ifdef CONFIG_IEEE80211R 1674 if (len >= 2 * PMK_LEN) { 1675 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1676 sm->xxkey_len = PMK_LEN; 1677 } 1678 #endif /* CONFIG_IEEE80211R */ 1679 } else { 1680 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1681 } 1682 1683 sm->req_replay_counter_used = 0; 1684 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1685 * will break reauthentication since EAPOL state machines may not be 1686 * get into AUTHENTICATING state that clears keyRun before WPA state 1687 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1688 * state and takes PMK from the previously used AAA Key. This will 1689 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1690 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1691 * be good workaround for this issue. */ 1692 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1693 } 1694 1695 1696 SM_STATE(WPA_PTK, INITPSK) 1697 { 1698 const u8 *psk; 1699 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1700 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL); 1701 if (psk) { 1702 os_memcpy(sm->PMK, psk, PMK_LEN); 1703 #ifdef CONFIG_IEEE80211R 1704 os_memcpy(sm->xxkey, psk, PMK_LEN); 1705 sm->xxkey_len = PMK_LEN; 1706 #endif /* CONFIG_IEEE80211R */ 1707 } 1708 sm->req_replay_counter_used = 0; 1709 } 1710 1711 1712 SM_STATE(WPA_PTK, PTKSTART) 1713 { 1714 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1715 size_t pmkid_len = 0; 1716 1717 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1718 sm->PTKRequest = FALSE; 1719 sm->TimeoutEvt = FALSE; 1720 1721 sm->TimeoutCtr++; 1722 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1723 /* No point in sending the EAPOL-Key - we will disconnect 1724 * immediately following this. */ 1725 return; 1726 } 1727 1728 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1729 "sending 1/4 msg of 4-Way Handshake"); 1730 /* 1731 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1732 * one possible PSK for this STA. 1733 */ 1734 if (sm->wpa == WPA_VERSION_WPA2 && 1735 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) { 1736 pmkid = buf; 1737 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1738 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1739 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1740 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1741 if (sm->pmksa) 1742 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1743 sm->pmksa->pmkid, PMKID_LEN); 1744 else { 1745 /* 1746 * Calculate PMKID since no PMKSA cache entry was 1747 * available with pre-calculated PMKID. 1748 */ 1749 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1750 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1751 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1752 } 1753 } 1754 wpa_send_eapol(sm->wpa_auth, sm, 1755 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1756 sm->ANonce, pmkid, pmkid_len, 0, 0); 1757 } 1758 1759 1760 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk, 1761 struct wpa_ptk *ptk) 1762 { 1763 size_t ptk_len = sm->pairwise == WPA_CIPHER_CCMP ? 48 : 64; 1764 #ifdef CONFIG_IEEE80211R 1765 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1766 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1767 #endif /* CONFIG_IEEE80211R */ 1768 1769 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1770 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce, 1771 (u8 *) ptk, ptk_len, 1772 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1773 1774 return 0; 1775 } 1776 1777 1778 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1779 { 1780 struct wpa_ptk PTK; 1781 int ok = 0; 1782 const u8 *pmk = NULL; 1783 1784 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1785 sm->EAPOLKeyReceived = FALSE; 1786 sm->update_snonce = FALSE; 1787 1788 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1789 * WPA-PSK: iterate through possible PSKs and select the one matching 1790 * the packet */ 1791 for (;;) { 1792 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1793 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk); 1794 if (pmk == NULL) 1795 break; 1796 } else 1797 pmk = sm->PMK; 1798 1799 wpa_derive_ptk(sm, pmk, &PTK); 1800 1801 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key, 1802 sm->last_rx_eapol_key_len) == 0) { 1803 ok = 1; 1804 break; 1805 } 1806 1807 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1808 break; 1809 } 1810 1811 if (!ok) { 1812 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1813 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1814 return; 1815 } 1816 1817 #ifdef CONFIG_IEEE80211R 1818 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1819 /* 1820 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1821 * with the value we derived. 1822 */ 1823 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1824 WPA_PMK_NAME_LEN) != 0) { 1825 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1826 "PMKR1Name mismatch in FT 4-way " 1827 "handshake"); 1828 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1829 "Supplicant", 1830 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 1831 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1832 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1833 return; 1834 } 1835 } 1836 #endif /* CONFIG_IEEE80211R */ 1837 1838 sm->pending_1_of_4_timeout = 0; 1839 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 1840 1841 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1842 /* PSK may have changed from the previous choice, so update 1843 * state machine data based on whatever PSK was selected here. 1844 */ 1845 os_memcpy(sm->PMK, pmk, PMK_LEN); 1846 } 1847 1848 sm->MICVerified = TRUE; 1849 1850 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 1851 sm->PTK_valid = TRUE; 1852 } 1853 1854 1855 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 1856 { 1857 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 1858 sm->TimeoutCtr = 0; 1859 } 1860 1861 1862 #ifdef CONFIG_IEEE80211W 1863 1864 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1865 { 1866 if (sm->mgmt_frame_prot) { 1867 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde); 1868 } 1869 1870 return 0; 1871 } 1872 1873 1874 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1875 { 1876 struct wpa_igtk_kde igtk; 1877 struct wpa_group *gsm = sm->group; 1878 1879 if (!sm->mgmt_frame_prot) 1880 return pos; 1881 1882 igtk.keyid[0] = gsm->GN_igtk; 1883 igtk.keyid[1] = 0; 1884 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 1885 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0) 1886 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 1887 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 1888 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 1889 (const u8 *) &igtk, sizeof(igtk), NULL, 0); 1890 1891 return pos; 1892 } 1893 1894 #else /* CONFIG_IEEE80211W */ 1895 1896 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1897 { 1898 return 0; 1899 } 1900 1901 1902 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1903 { 1904 return pos; 1905 } 1906 1907 #endif /* CONFIG_IEEE80211W */ 1908 1909 1910 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 1911 { 1912 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; 1913 size_t gtk_len, kde_len; 1914 struct wpa_group *gsm = sm->group; 1915 u8 *wpa_ie; 1916 int wpa_ie_len, secure, keyidx, encr = 0; 1917 1918 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 1919 sm->TimeoutEvt = FALSE; 1920 1921 sm->TimeoutCtr++; 1922 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1923 /* No point in sending the EAPOL-Key - we will disconnect 1924 * immediately following this. */ 1925 return; 1926 } 1927 1928 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 1929 GTK[GN], IGTK, [FTIE], [TIE * 2]) 1930 */ 1931 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 1932 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 1933 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 1934 wpa_ie = sm->wpa_auth->wpa_ie; 1935 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 1936 if (sm->wpa == WPA_VERSION_WPA && 1937 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 1938 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 1939 /* WPA-only STA, remove RSN IE */ 1940 wpa_ie = wpa_ie + wpa_ie[1] + 2; 1941 wpa_ie_len = wpa_ie[1] + 2; 1942 } 1943 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1944 "sending 3/4 msg of 4-Way Handshake"); 1945 if (sm->wpa == WPA_VERSION_WPA2) { 1946 /* WPA2 send GTK in the 4-way handshake */ 1947 secure = 1; 1948 gtk = gsm->GTK[gsm->GN - 1]; 1949 gtk_len = gsm->GTK_len; 1950 keyidx = gsm->GN; 1951 _rsc = rsc; 1952 encr = 1; 1953 } else { 1954 /* WPA does not include GTK in msg 3/4 */ 1955 secure = 0; 1956 gtk = NULL; 1957 gtk_len = 0; 1958 keyidx = 0; 1959 _rsc = NULL; 1960 if (sm->rx_eapol_key_secure) { 1961 /* 1962 * It looks like Windows 7 supplicant tries to use 1963 * Secure bit in msg 2/4 after having reported Michael 1964 * MIC failure and it then rejects the 4-way handshake 1965 * if msg 3/4 does not set Secure bit. Work around this 1966 * by setting the Secure bit here even in the case of 1967 * WPA if the supplicant used it first. 1968 */ 1969 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1970 "STA used Secure bit in WPA msg 2/4 - " 1971 "set Secure for 3/4 as workaround"); 1972 secure = 1; 1973 } 1974 } 1975 1976 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 1977 if (gtk) 1978 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 1979 #ifdef CONFIG_IEEE80211R 1980 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1981 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 1982 kde_len += 300; /* FTIE + 2 * TIE */ 1983 } 1984 #endif /* CONFIG_IEEE80211R */ 1985 kde = os_malloc(kde_len); 1986 if (kde == NULL) 1987 return; 1988 1989 pos = kde; 1990 os_memcpy(pos, wpa_ie, wpa_ie_len); 1991 pos += wpa_ie_len; 1992 #ifdef CONFIG_IEEE80211R 1993 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1994 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 1995 if (res < 0) { 1996 wpa_printf(MSG_ERROR, "FT: Failed to insert " 1997 "PMKR1Name into RSN IE in EAPOL-Key data"); 1998 os_free(kde); 1999 return; 2000 } 2001 pos += res; 2002 } 2003 #endif /* CONFIG_IEEE80211R */ 2004 if (gtk) { 2005 u8 hdr[2]; 2006 hdr[0] = keyidx & 0x03; 2007 hdr[1] = 0; 2008 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2009 gtk, gtk_len); 2010 } 2011 pos = ieee80211w_kde_add(sm, pos); 2012 2013 #ifdef CONFIG_IEEE80211R 2014 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2015 int res; 2016 struct wpa_auth_config *conf; 2017 2018 conf = &sm->wpa_auth->conf; 2019 res = wpa_write_ftie(conf, conf->r0_key_holder, 2020 conf->r0_key_holder_len, 2021 NULL, NULL, pos, kde + kde_len - pos, 2022 NULL, 0); 2023 if (res < 0) { 2024 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2025 "into EAPOL-Key Key Data"); 2026 os_free(kde); 2027 return; 2028 } 2029 pos += res; 2030 2031 /* TIE[ReassociationDeadline] (TU) */ 2032 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2033 *pos++ = 5; 2034 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2035 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2036 pos += 4; 2037 2038 /* TIE[KeyLifetime] (seconds) */ 2039 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2040 *pos++ = 5; 2041 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2042 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2043 pos += 4; 2044 } 2045 #endif /* CONFIG_IEEE80211R */ 2046 2047 wpa_send_eapol(sm->wpa_auth, sm, 2048 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2049 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2050 WPA_KEY_INFO_KEY_TYPE, 2051 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2052 os_free(kde); 2053 } 2054 2055 2056 SM_STATE(WPA_PTK, PTKINITDONE) 2057 { 2058 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2059 sm->EAPOLKeyReceived = FALSE; 2060 if (sm->Pair) { 2061 enum wpa_alg alg; 2062 int klen; 2063 if (sm->pairwise == WPA_CIPHER_TKIP) { 2064 alg = WPA_ALG_TKIP; 2065 klen = 32; 2066 } else { 2067 alg = WPA_ALG_CCMP; 2068 klen = 16; 2069 } 2070 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2071 sm->PTK.tk1, klen)) { 2072 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2073 return; 2074 } 2075 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2076 sm->pairwise_set = TRUE; 2077 2078 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2079 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2080 eloop_register_timeout(sm->wpa_auth->conf. 2081 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2082 sm->wpa_auth, sm); 2083 } 2084 2085 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2086 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2087 WPA_EAPOL_authorized, 1); 2088 } 2089 } 2090 2091 if (0 /* IBSS == TRUE */) { 2092 sm->keycount++; 2093 if (sm->keycount == 2) { 2094 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2095 WPA_EAPOL_portValid, 1); 2096 } 2097 } else { 2098 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2099 1); 2100 } 2101 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2102 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2103 if (sm->wpa == WPA_VERSION_WPA) 2104 sm->PInitAKeys = TRUE; 2105 else 2106 sm->has_GTK = TRUE; 2107 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2108 "pairwise key handshake completed (%s)", 2109 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2110 2111 #ifdef CONFIG_IEEE80211R 2112 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2113 #endif /* CONFIG_IEEE80211R */ 2114 } 2115 2116 2117 SM_STEP(WPA_PTK) 2118 { 2119 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2120 2121 if (sm->Init) 2122 SM_ENTER(WPA_PTK, INITIALIZE); 2123 else if (sm->Disconnect 2124 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2125 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2126 "WPA_PTK: sm->Disconnect"); 2127 SM_ENTER(WPA_PTK, DISCONNECT); 2128 } 2129 else if (sm->DeauthenticationRequest) 2130 SM_ENTER(WPA_PTK, DISCONNECTED); 2131 else if (sm->AuthenticationRequest) 2132 SM_ENTER(WPA_PTK, AUTHENTICATION); 2133 else if (sm->ReAuthenticationRequest) 2134 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2135 else if (sm->PTKRequest) 2136 SM_ENTER(WPA_PTK, PTKSTART); 2137 else switch (sm->wpa_ptk_state) { 2138 case WPA_PTK_INITIALIZE: 2139 break; 2140 case WPA_PTK_DISCONNECT: 2141 SM_ENTER(WPA_PTK, DISCONNECTED); 2142 break; 2143 case WPA_PTK_DISCONNECTED: 2144 SM_ENTER(WPA_PTK, INITIALIZE); 2145 break; 2146 case WPA_PTK_AUTHENTICATION: 2147 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2148 break; 2149 case WPA_PTK_AUTHENTICATION2: 2150 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2151 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2152 WPA_EAPOL_keyRun) > 0) 2153 SM_ENTER(WPA_PTK, INITPMK); 2154 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2155 /* FIX: && 802.1X::keyRun */) 2156 SM_ENTER(WPA_PTK, INITPSK); 2157 break; 2158 case WPA_PTK_INITPMK: 2159 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2160 WPA_EAPOL_keyAvailable) > 0) 2161 SM_ENTER(WPA_PTK, PTKSTART); 2162 else { 2163 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2164 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2165 "INITPMK - keyAvailable = false"); 2166 SM_ENTER(WPA_PTK, DISCONNECT); 2167 } 2168 break; 2169 case WPA_PTK_INITPSK: 2170 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL)) 2171 SM_ENTER(WPA_PTK, PTKSTART); 2172 else { 2173 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2174 "no PSK configured for the STA"); 2175 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2176 SM_ENTER(WPA_PTK, DISCONNECT); 2177 } 2178 break; 2179 case WPA_PTK_PTKSTART: 2180 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2181 sm->EAPOLKeyPairwise) 2182 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2183 else if (sm->TimeoutCtr > 2184 (int) dot11RSNAConfigPairwiseUpdateCount) { 2185 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2186 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2187 "PTKSTART: Retry limit %d reached", 2188 dot11RSNAConfigPairwiseUpdateCount); 2189 SM_ENTER(WPA_PTK, DISCONNECT); 2190 } else if (sm->TimeoutEvt) 2191 SM_ENTER(WPA_PTK, PTKSTART); 2192 break; 2193 case WPA_PTK_PTKCALCNEGOTIATING: 2194 if (sm->MICVerified) 2195 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2196 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2197 sm->EAPOLKeyPairwise) 2198 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2199 else if (sm->TimeoutEvt) 2200 SM_ENTER(WPA_PTK, PTKSTART); 2201 break; 2202 case WPA_PTK_PTKCALCNEGOTIATING2: 2203 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2204 break; 2205 case WPA_PTK_PTKINITNEGOTIATING: 2206 if (sm->update_snonce) 2207 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2208 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2209 sm->EAPOLKeyPairwise && sm->MICVerified) 2210 SM_ENTER(WPA_PTK, PTKINITDONE); 2211 else if (sm->TimeoutCtr > 2212 (int) dot11RSNAConfigPairwiseUpdateCount) { 2213 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2214 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2215 "PTKINITNEGOTIATING: Retry limit %d " 2216 "reached", 2217 dot11RSNAConfigPairwiseUpdateCount); 2218 SM_ENTER(WPA_PTK, DISCONNECT); 2219 } else if (sm->TimeoutEvt) 2220 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2221 break; 2222 case WPA_PTK_PTKINITDONE: 2223 break; 2224 } 2225 } 2226 2227 2228 SM_STATE(WPA_PTK_GROUP, IDLE) 2229 { 2230 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2231 if (sm->Init) { 2232 /* Init flag is not cleared here, so avoid busy 2233 * loop by claiming nothing changed. */ 2234 sm->changed = FALSE; 2235 } 2236 sm->GTimeoutCtr = 0; 2237 } 2238 2239 2240 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2241 { 2242 u8 rsc[WPA_KEY_RSC_LEN]; 2243 struct wpa_group *gsm = sm->group; 2244 u8 *kde, *pos, hdr[2]; 2245 size_t kde_len; 2246 2247 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2248 2249 sm->GTimeoutCtr++; 2250 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2251 /* No point in sending the EAPOL-Key - we will disconnect 2252 * immediately following this. */ 2253 return; 2254 } 2255 2256 if (sm->wpa == WPA_VERSION_WPA) 2257 sm->PInitAKeys = FALSE; 2258 sm->TimeoutEvt = FALSE; 2259 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2260 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2261 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2262 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2263 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2264 "sending 1/2 msg of Group Key Handshake"); 2265 2266 if (sm->wpa == WPA_VERSION_WPA2) { 2267 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2268 ieee80211w_kde_len(sm); 2269 kde = os_malloc(kde_len); 2270 if (kde == NULL) 2271 return; 2272 2273 pos = kde; 2274 hdr[0] = gsm->GN & 0x03; 2275 hdr[1] = 0; 2276 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2277 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2278 pos = ieee80211w_kde_add(sm, pos); 2279 } else { 2280 kde = gsm->GTK[gsm->GN - 1]; 2281 pos = kde + gsm->GTK_len; 2282 } 2283 2284 wpa_send_eapol(sm->wpa_auth, sm, 2285 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2286 WPA_KEY_INFO_ACK | 2287 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2288 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1); 2289 if (sm->wpa == WPA_VERSION_WPA2) 2290 os_free(kde); 2291 } 2292 2293 2294 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2295 { 2296 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2297 sm->EAPOLKeyReceived = FALSE; 2298 if (sm->GUpdateStationKeys) 2299 sm->group->GKeyDoneStations--; 2300 sm->GUpdateStationKeys = FALSE; 2301 sm->GTimeoutCtr = 0; 2302 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2303 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2304 "group key handshake completed (%s)", 2305 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2306 sm->has_GTK = TRUE; 2307 } 2308 2309 2310 SM_STATE(WPA_PTK_GROUP, KEYERROR) 2311 { 2312 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2313 if (sm->GUpdateStationKeys) 2314 sm->group->GKeyDoneStations--; 2315 sm->GUpdateStationKeys = FALSE; 2316 sm->Disconnect = TRUE; 2317 } 2318 2319 2320 SM_STEP(WPA_PTK_GROUP) 2321 { 2322 if (sm->Init || sm->PtkGroupInit) { 2323 SM_ENTER(WPA_PTK_GROUP, IDLE); 2324 sm->PtkGroupInit = FALSE; 2325 } else switch (sm->wpa_ptk_group_state) { 2326 case WPA_PTK_GROUP_IDLE: 2327 if (sm->GUpdateStationKeys || 2328 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2329 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2330 break; 2331 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2332 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2333 !sm->EAPOLKeyPairwise && sm->MICVerified) 2334 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2335 else if (sm->GTimeoutCtr > 2336 (int) dot11RSNAConfigGroupUpdateCount) 2337 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2338 else if (sm->TimeoutEvt) 2339 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2340 break; 2341 case WPA_PTK_GROUP_KEYERROR: 2342 SM_ENTER(WPA_PTK_GROUP, IDLE); 2343 break; 2344 case WPA_PTK_GROUP_REKEYESTABLISHED: 2345 SM_ENTER(WPA_PTK_GROUP, IDLE); 2346 break; 2347 } 2348 } 2349 2350 2351 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2352 struct wpa_group *group) 2353 { 2354 int ret = 0; 2355 2356 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2357 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2358 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2359 wpa_auth->addr, group->GNonce, 2360 group->GTK[group->GN - 1], group->GTK_len) < 0) 2361 ret = -1; 2362 wpa_hexdump_key(MSG_DEBUG, "GTK", 2363 group->GTK[group->GN - 1], group->GTK_len); 2364 2365 #ifdef CONFIG_IEEE80211W 2366 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2367 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2368 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2369 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2370 wpa_auth->addr, group->GNonce, 2371 group->IGTK[group->GN_igtk - 4], 2372 WPA_IGTK_LEN) < 0) 2373 ret = -1; 2374 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2375 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN); 2376 } 2377 #endif /* CONFIG_IEEE80211W */ 2378 2379 return ret; 2380 } 2381 2382 2383 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2384 struct wpa_group *group) 2385 { 2386 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2387 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2388 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2389 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2390 2391 /* GTK[0..N] = 0 */ 2392 os_memset(group->GTK, 0, sizeof(group->GTK)); 2393 group->GN = 1; 2394 group->GM = 2; 2395 #ifdef CONFIG_IEEE80211W 2396 group->GN_igtk = 4; 2397 group->GM_igtk = 5; 2398 #endif /* CONFIG_IEEE80211W */ 2399 /* GTK[GN] = CalcGTK() */ 2400 wpa_gtk_update(wpa_auth, group); 2401 } 2402 2403 2404 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2405 { 2406 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2407 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2408 "Not in PTKINITDONE; skip Group Key update"); 2409 sm->GUpdateStationKeys = FALSE; 2410 return 0; 2411 } 2412 if (sm->GUpdateStationKeys) { 2413 /* 2414 * This should not really happen, so add a debug log entry. 2415 * Since we clear the GKeyDoneStations before the loop, the 2416 * station needs to be counted here anyway. 2417 */ 2418 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2419 "GUpdateStationKeys was already set when " 2420 "marking station for GTK rekeying"); 2421 } 2422 2423 sm->group->GKeyDoneStations++; 2424 sm->GUpdateStationKeys = TRUE; 2425 2426 wpa_sm_step(sm); 2427 return 0; 2428 } 2429 2430 2431 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2432 struct wpa_group *group) 2433 { 2434 int tmp; 2435 2436 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2437 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2438 group->changed = TRUE; 2439 group->wpa_group_state = WPA_GROUP_SETKEYS; 2440 group->GTKReKey = FALSE; 2441 tmp = group->GM; 2442 group->GM = group->GN; 2443 group->GN = tmp; 2444 #ifdef CONFIG_IEEE80211W 2445 tmp = group->GM_igtk; 2446 group->GM_igtk = group->GN_igtk; 2447 group->GN_igtk = tmp; 2448 #endif /* CONFIG_IEEE80211W */ 2449 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2450 * counting the STAs that are marked with GUpdateStationKeys instead of 2451 * including all STAs that could be in not-yet-completed state. */ 2452 wpa_gtk_update(wpa_auth, group); 2453 2454 if (group->GKeyDoneStations) { 2455 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2456 "GKeyDoneStations=%d when starting new GTK rekey", 2457 group->GKeyDoneStations); 2458 group->GKeyDoneStations = 0; 2459 } 2460 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, NULL); 2461 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2462 group->GKeyDoneStations); 2463 } 2464 2465 2466 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2467 struct wpa_group *group) 2468 { 2469 int ret = 0; 2470 2471 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2472 wpa_alg_enum(wpa_auth->conf.wpa_group), 2473 broadcast_ether_addr, group->GN, 2474 group->GTK[group->GN - 1], group->GTK_len) < 0) 2475 ret = -1; 2476 2477 #ifdef CONFIG_IEEE80211W 2478 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && 2479 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK, 2480 broadcast_ether_addr, group->GN_igtk, 2481 group->IGTK[group->GN_igtk - 4], 2482 WPA_IGTK_LEN) < 0) 2483 ret = -1; 2484 #endif /* CONFIG_IEEE80211W */ 2485 2486 return ret; 2487 } 2488 2489 2490 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2491 struct wpa_group *group) 2492 { 2493 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2494 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2495 group->changed = TRUE; 2496 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2497 2498 if (wpa_group_config_group_keys(wpa_auth, group) < 0) 2499 return -1; 2500 2501 return 0; 2502 } 2503 2504 2505 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2506 struct wpa_group *group) 2507 { 2508 if (group->GInit) { 2509 wpa_group_gtk_init(wpa_auth, group); 2510 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2511 group->GTKAuthenticator) { 2512 wpa_group_setkeysdone(wpa_auth, group); 2513 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2514 group->GTKReKey) { 2515 wpa_group_setkeys(wpa_auth, group); 2516 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2517 if (group->GKeyDoneStations == 0) 2518 wpa_group_setkeysdone(wpa_auth, group); 2519 else if (group->GTKReKey) 2520 wpa_group_setkeys(wpa_auth, group); 2521 } 2522 } 2523 2524 2525 static int wpa_sm_step(struct wpa_state_machine *sm) 2526 { 2527 if (sm == NULL) 2528 return 0; 2529 2530 if (sm->in_step_loop) { 2531 /* This should not happen, but if it does, make sure we do not 2532 * end up freeing the state machine too early by exiting the 2533 * recursive call. */ 2534 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2535 return 0; 2536 } 2537 2538 sm->in_step_loop = 1; 2539 do { 2540 if (sm->pending_deinit) 2541 break; 2542 2543 sm->changed = FALSE; 2544 sm->wpa_auth->group->changed = FALSE; 2545 2546 SM_STEP_RUN(WPA_PTK); 2547 if (sm->pending_deinit) 2548 break; 2549 SM_STEP_RUN(WPA_PTK_GROUP); 2550 if (sm->pending_deinit) 2551 break; 2552 wpa_group_sm_step(sm->wpa_auth, sm->group); 2553 } while (sm->changed || sm->wpa_auth->group->changed); 2554 sm->in_step_loop = 0; 2555 2556 if (sm->pending_deinit) { 2557 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2558 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2559 wpa_free_sta_sm(sm); 2560 return 1; 2561 } 2562 return 0; 2563 } 2564 2565 2566 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2567 { 2568 struct wpa_state_machine *sm = eloop_ctx; 2569 wpa_sm_step(sm); 2570 } 2571 2572 2573 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2574 { 2575 if (sm == NULL) 2576 return; 2577 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2578 } 2579 2580 2581 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2582 { 2583 int tmp, i; 2584 struct wpa_group *group; 2585 2586 if (wpa_auth == NULL) 2587 return; 2588 2589 group = wpa_auth->group; 2590 2591 for (i = 0; i < 2; i++) { 2592 tmp = group->GM; 2593 group->GM = group->GN; 2594 group->GN = tmp; 2595 #ifdef CONFIG_IEEE80211W 2596 tmp = group->GM_igtk; 2597 group->GM_igtk = group->GN_igtk; 2598 group->GN_igtk = tmp; 2599 #endif /* CONFIG_IEEE80211W */ 2600 wpa_gtk_update(wpa_auth, group); 2601 wpa_group_config_group_keys(wpa_auth, group); 2602 } 2603 } 2604 2605 2606 static const char * wpa_bool_txt(int bool) 2607 { 2608 return bool ? "TRUE" : "FALSE"; 2609 } 2610 2611 2612 static int wpa_cipher_bits(int cipher) 2613 { 2614 switch (cipher) { 2615 case WPA_CIPHER_CCMP: 2616 return 128; 2617 case WPA_CIPHER_TKIP: 2618 return 256; 2619 case WPA_CIPHER_WEP104: 2620 return 104; 2621 case WPA_CIPHER_WEP40: 2622 return 40; 2623 default: 2624 return 0; 2625 } 2626 } 2627 2628 2629 #define RSN_SUITE "%02x-%02x-%02x-%d" 2630 #define RSN_SUITE_ARG(s) \ 2631 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2632 2633 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2634 { 2635 int len = 0, ret; 2636 char pmkid_txt[PMKID_LEN * 2 + 1]; 2637 #ifdef CONFIG_RSN_PREAUTH 2638 const int preauth = 1; 2639 #else /* CONFIG_RSN_PREAUTH */ 2640 const int preauth = 0; 2641 #endif /* CONFIG_RSN_PREAUTH */ 2642 2643 if (wpa_auth == NULL) 2644 return len; 2645 2646 ret = os_snprintf(buf + len, buflen - len, 2647 "dot11RSNAOptionImplemented=TRUE\n" 2648 "dot11RSNAPreauthenticationImplemented=%s\n" 2649 "dot11RSNAEnabled=%s\n" 2650 "dot11RSNAPreauthenticationEnabled=%s\n", 2651 wpa_bool_txt(preauth), 2652 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2653 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2654 if (ret < 0 || (size_t) ret >= buflen - len) 2655 return len; 2656 len += ret; 2657 2658 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2659 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2660 2661 ret = os_snprintf( 2662 buf + len, buflen - len, 2663 "dot11RSNAConfigVersion=%u\n" 2664 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2665 /* FIX: dot11RSNAConfigGroupCipher */ 2666 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2667 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2668 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2669 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2670 "dot11RSNAConfigGroupUpdateCount=%u\n" 2671 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2672 "dot11RSNAConfigGroupCipherSize=%u\n" 2673 "dot11RSNAConfigPMKLifetime=%u\n" 2674 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2675 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2676 "dot11RSNAConfigSATimeout=%u\n" 2677 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2678 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2679 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2680 "dot11RSNAPMKIDUsed=%s\n" 2681 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2682 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2683 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2684 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 2685 "dot11RSNA4WayHandshakeFailures=%u\n" 2686 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 2687 RSN_VERSION, 2688 !!wpa_auth->conf.wpa_strict_rekey, 2689 dot11RSNAConfigGroupUpdateCount, 2690 dot11RSNAConfigPairwiseUpdateCount, 2691 wpa_cipher_bits(wpa_auth->conf.wpa_group), 2692 dot11RSNAConfigPMKLifetime, 2693 dot11RSNAConfigPMKReauthThreshold, 2694 dot11RSNAConfigSATimeout, 2695 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 2696 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 2697 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 2698 pmkid_txt, 2699 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 2700 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 2701 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 2702 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 2703 wpa_auth->dot11RSNA4WayHandshakeFailures); 2704 if (ret < 0 || (size_t) ret >= buflen - len) 2705 return len; 2706 len += ret; 2707 2708 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 2709 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 2710 2711 /* Private MIB */ 2712 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 2713 wpa_auth->group->wpa_group_state); 2714 if (ret < 0 || (size_t) ret >= buflen - len) 2715 return len; 2716 len += ret; 2717 2718 return len; 2719 } 2720 2721 2722 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 2723 { 2724 int len = 0, ret; 2725 u32 pairwise = 0; 2726 2727 if (sm == NULL) 2728 return 0; 2729 2730 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 2731 2732 /* dot11RSNAStatsEntry */ 2733 2734 if (sm->wpa == WPA_VERSION_WPA) { 2735 if (sm->pairwise == WPA_CIPHER_CCMP) 2736 pairwise = WPA_CIPHER_SUITE_CCMP; 2737 else if (sm->pairwise == WPA_CIPHER_TKIP) 2738 pairwise = WPA_CIPHER_SUITE_TKIP; 2739 else if (sm->pairwise == WPA_CIPHER_WEP104) 2740 pairwise = WPA_CIPHER_SUITE_WEP104; 2741 else if (sm->pairwise == WPA_CIPHER_WEP40) 2742 pairwise = WPA_CIPHER_SUITE_WEP40; 2743 else if (sm->pairwise == WPA_CIPHER_NONE) 2744 pairwise = WPA_CIPHER_SUITE_NONE; 2745 } else if (sm->wpa == WPA_VERSION_WPA2) { 2746 if (sm->pairwise == WPA_CIPHER_CCMP) 2747 pairwise = RSN_CIPHER_SUITE_CCMP; 2748 else if (sm->pairwise == WPA_CIPHER_TKIP) 2749 pairwise = RSN_CIPHER_SUITE_TKIP; 2750 else if (sm->pairwise == WPA_CIPHER_WEP104) 2751 pairwise = RSN_CIPHER_SUITE_WEP104; 2752 else if (sm->pairwise == WPA_CIPHER_WEP40) 2753 pairwise = RSN_CIPHER_SUITE_WEP40; 2754 else if (sm->pairwise == WPA_CIPHER_NONE) 2755 pairwise = RSN_CIPHER_SUITE_NONE; 2756 } else 2757 return 0; 2758 2759 ret = os_snprintf( 2760 buf + len, buflen - len, 2761 /* TODO: dot11RSNAStatsIndex */ 2762 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 2763 "dot11RSNAStatsVersion=1\n" 2764 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 2765 /* TODO: dot11RSNAStatsTKIPICVErrors */ 2766 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 2767 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 2768 /* TODO: dot11RSNAStatsCCMPReplays */ 2769 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 2770 /* TODO: dot11RSNAStatsTKIPReplays */, 2771 MAC2STR(sm->addr), 2772 RSN_SUITE_ARG(pairwise), 2773 sm->dot11RSNAStatsTKIPLocalMICFailures, 2774 sm->dot11RSNAStatsTKIPRemoteMICFailures); 2775 if (ret < 0 || (size_t) ret >= buflen - len) 2776 return len; 2777 len += ret; 2778 2779 /* Private MIB */ 2780 ret = os_snprintf(buf + len, buflen - len, 2781 "hostapdWPAPTKState=%d\n" 2782 "hostapdWPAPTKGroupState=%d\n", 2783 sm->wpa_ptk_state, 2784 sm->wpa_ptk_group_state); 2785 if (ret < 0 || (size_t) ret >= buflen - len) 2786 return len; 2787 len += ret; 2788 2789 return len; 2790 } 2791 2792 2793 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 2794 { 2795 if (wpa_auth) 2796 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 2797 } 2798 2799 2800 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 2801 { 2802 return sm && sm->pairwise_set; 2803 } 2804 2805 2806 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 2807 { 2808 return sm->pairwise; 2809 } 2810 2811 2812 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 2813 { 2814 if (sm == NULL) 2815 return -1; 2816 return sm->wpa_key_mgmt; 2817 } 2818 2819 2820 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 2821 { 2822 if (sm == NULL) 2823 return 0; 2824 return sm->wpa; 2825 } 2826 2827 2828 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 2829 struct rsn_pmksa_cache_entry *entry) 2830 { 2831 if (sm == NULL || sm->pmksa != entry) 2832 return -1; 2833 sm->pmksa = NULL; 2834 return 0; 2835 } 2836 2837 2838 struct rsn_pmksa_cache_entry * 2839 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 2840 { 2841 return sm ? sm->pmksa : NULL; 2842 } 2843 2844 2845 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 2846 { 2847 if (sm) 2848 sm->dot11RSNAStatsTKIPLocalMICFailures++; 2849 } 2850 2851 2852 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 2853 { 2854 if (wpa_auth == NULL) 2855 return NULL; 2856 *len = wpa_auth->wpa_ie_len; 2857 return wpa_auth->wpa_ie; 2858 } 2859 2860 2861 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 2862 int session_timeout, struct eapol_state_machine *eapol) 2863 { 2864 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 2865 sm->wpa_auth->conf.disable_pmksa_caching) 2866 return -1; 2867 2868 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 2869 sm->wpa_auth->addr, sm->addr, session_timeout, 2870 eapol, sm->wpa_key_mgmt)) 2871 return 0; 2872 2873 return -1; 2874 } 2875 2876 2877 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 2878 const u8 *pmk, size_t len, const u8 *sta_addr, 2879 int session_timeout, 2880 struct eapol_state_machine *eapol) 2881 { 2882 if (wpa_auth == NULL) 2883 return -1; 2884 2885 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr, 2886 sta_addr, session_timeout, eapol, 2887 WPA_KEY_MGMT_IEEE8021X)) 2888 return 0; 2889 2890 return -1; 2891 } 2892 2893 2894 static struct wpa_group * 2895 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 2896 { 2897 struct wpa_group *group; 2898 2899 if (wpa_auth == NULL || wpa_auth->group == NULL) 2900 return NULL; 2901 2902 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 2903 vlan_id); 2904 group = wpa_group_init(wpa_auth, vlan_id, 0); 2905 if (group == NULL) 2906 return NULL; 2907 2908 group->next = wpa_auth->group->next; 2909 wpa_auth->group->next = group; 2910 2911 return group; 2912 } 2913 2914 2915 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 2916 { 2917 struct wpa_group *group; 2918 2919 if (sm == NULL || sm->wpa_auth == NULL) 2920 return 0; 2921 2922 group = sm->wpa_auth->group; 2923 while (group) { 2924 if (group->vlan_id == vlan_id) 2925 break; 2926 group = group->next; 2927 } 2928 2929 if (group == NULL) { 2930 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 2931 if (group == NULL) 2932 return -1; 2933 } 2934 2935 if (sm->group == group) 2936 return 0; 2937 2938 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 2939 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 2940 2941 sm->group = group; 2942 return 0; 2943 } 2944 2945 2946 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 2947 struct wpa_state_machine *sm, int ack) 2948 { 2949 if (wpa_auth == NULL || sm == NULL) 2950 return; 2951 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 2952 " ack=%d", MAC2STR(sm->addr), ack); 2953 if (sm->pending_1_of_4_timeout && ack) { 2954 /* 2955 * Some deployed supplicant implementations update their SNonce 2956 * for each EAPOL-Key 2/4 message even within the same 4-way 2957 * handshake and then fail to use the first SNonce when 2958 * deriving the PTK. This results in unsuccessful 4-way 2959 * handshake whenever the relatively short initial timeout is 2960 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 2961 * around this by increasing the timeout now that we know that 2962 * the station has received the frame. 2963 */ 2964 int timeout_ms = eapol_key_timeout_subseq; 2965 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 2966 "timeout by %u ms because of acknowledged frame", 2967 timeout_ms); 2968 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 2969 eloop_register_timeout(timeout_ms / 1000, 2970 (timeout_ms % 1000) * 1000, 2971 wpa_send_eapol_timeout, wpa_auth, sm); 2972 } 2973 } 2974