1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2011, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "common/ieee802_11_defs.h" 15 #include "crypto/aes_wrap.h" 16 #include "crypto/crypto.h" 17 #include "crypto/sha1.h" 18 #include "crypto/sha256.h" 19 #include "crypto/random.h" 20 #include "eapol_auth/eapol_auth_sm.h" 21 #include "ap_config.h" 22 #include "ieee802_11.h" 23 #include "wpa_auth.h" 24 #include "pmksa_cache_auth.h" 25 #include "wpa_auth_i.h" 26 #include "wpa_auth_ie.h" 27 28 #define STATE_MACHINE_DATA struct wpa_state_machine 29 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 30 #define STATE_MACHINE_ADDR sm->addr 31 32 33 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 34 static int wpa_sm_step(struct wpa_state_machine *sm); 35 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len); 36 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 37 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 38 struct wpa_group *group); 39 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 40 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 41 struct wpa_group *group); 42 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 45 static const u32 dot11RSNAConfigGroupUpdateCount = 4; 46 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 47 static const u32 eapol_key_timeout_first = 100; /* ms */ 48 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 49 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 50 51 /* TODO: make these configurable */ 52 static const int dot11RSNAConfigPMKLifetime = 43200; 53 static const int dot11RSNAConfigPMKReauthThreshold = 70; 54 static const int dot11RSNAConfigSATimeout = 60; 55 56 57 static inline void wpa_auth_mic_failure_report( 58 struct wpa_authenticator *wpa_auth, const u8 *addr) 59 { 60 if (wpa_auth->cb.mic_failure_report) 61 wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 62 } 63 64 65 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 66 const u8 *addr, wpa_eapol_variable var, 67 int value) 68 { 69 if (wpa_auth->cb.set_eapol) 70 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 71 } 72 73 74 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 75 const u8 *addr, wpa_eapol_variable var) 76 { 77 if (wpa_auth->cb.get_eapol == NULL) 78 return -1; 79 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 80 } 81 82 83 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 84 const u8 *addr, const u8 *prev_psk) 85 { 86 if (wpa_auth->cb.get_psk == NULL) 87 return NULL; 88 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk); 89 } 90 91 92 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 93 const u8 *addr, u8 *msk, size_t *len) 94 { 95 if (wpa_auth->cb.get_msk == NULL) 96 return -1; 97 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 98 } 99 100 101 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 102 int vlan_id, 103 enum wpa_alg alg, const u8 *addr, int idx, 104 u8 *key, size_t key_len) 105 { 106 if (wpa_auth->cb.set_key == NULL) 107 return -1; 108 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 109 key, key_len); 110 } 111 112 113 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 114 const u8 *addr, int idx, u8 *seq) 115 { 116 if (wpa_auth->cb.get_seqnum == NULL) 117 return -1; 118 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 119 } 120 121 122 static inline int 123 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 124 const u8 *data, size_t data_len, int encrypt) 125 { 126 if (wpa_auth->cb.send_eapol == NULL) 127 return -1; 128 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 129 encrypt); 130 } 131 132 133 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 134 int (*cb)(struct wpa_state_machine *sm, void *ctx), 135 void *cb_ctx) 136 { 137 if (wpa_auth->cb.for_each_sta == NULL) 138 return 0; 139 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 140 } 141 142 143 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 144 int (*cb)(struct wpa_authenticator *a, void *ctx), 145 void *cb_ctx) 146 { 147 if (wpa_auth->cb.for_each_auth == NULL) 148 return 0; 149 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 150 } 151 152 153 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 154 logger_level level, const char *txt) 155 { 156 if (wpa_auth->cb.logger == NULL) 157 return; 158 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 159 } 160 161 162 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 163 logger_level level, const char *fmt, ...) 164 { 165 char *format; 166 int maxlen; 167 va_list ap; 168 169 if (wpa_auth->cb.logger == NULL) 170 return; 171 172 maxlen = os_strlen(fmt) + 100; 173 format = os_malloc(maxlen); 174 if (!format) 175 return; 176 177 va_start(ap, fmt); 178 vsnprintf(format, maxlen, fmt, ap); 179 va_end(ap); 180 181 wpa_auth_logger(wpa_auth, addr, level, format); 182 183 os_free(format); 184 } 185 186 187 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 188 const u8 *addr) 189 { 190 if (wpa_auth->cb.disconnect == NULL) 191 return; 192 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 193 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 194 WLAN_REASON_PREV_AUTH_NOT_VALID); 195 } 196 197 198 static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 199 { 200 int ret = 0; 201 #ifdef CONFIG_IEEE80211R 202 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 203 ret = 1; 204 #endif /* CONFIG_IEEE80211R */ 205 #ifdef CONFIG_IEEE80211W 206 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 207 ret = 1; 208 #endif /* CONFIG_IEEE80211W */ 209 return ret; 210 } 211 212 213 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 214 { 215 struct wpa_authenticator *wpa_auth = eloop_ctx; 216 217 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 218 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 219 "initialization."); 220 } else { 221 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 222 wpa_hexdump_key(MSG_DEBUG, "GMK", 223 wpa_auth->group->GMK, WPA_GMK_LEN); 224 } 225 226 if (wpa_auth->conf.wpa_gmk_rekey) { 227 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 228 wpa_rekey_gmk, wpa_auth, NULL); 229 } 230 } 231 232 233 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 234 { 235 struct wpa_authenticator *wpa_auth = eloop_ctx; 236 struct wpa_group *group; 237 238 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 239 for (group = wpa_auth->group; group; group = group->next) { 240 group->GTKReKey = TRUE; 241 do { 242 group->changed = FALSE; 243 wpa_group_sm_step(wpa_auth, group); 244 } while (group->changed); 245 } 246 247 if (wpa_auth->conf.wpa_group_rekey) { 248 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 249 0, wpa_rekey_gtk, wpa_auth, NULL); 250 } 251 } 252 253 254 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 255 { 256 struct wpa_authenticator *wpa_auth = eloop_ctx; 257 struct wpa_state_machine *sm = timeout_ctx; 258 259 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 260 wpa_request_new_ptk(sm); 261 wpa_sm_step(sm); 262 } 263 264 265 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 266 { 267 if (sm->pmksa == ctx) 268 sm->pmksa = NULL; 269 return 0; 270 } 271 272 273 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 274 void *ctx) 275 { 276 struct wpa_authenticator *wpa_auth = ctx; 277 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 278 } 279 280 281 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 282 struct wpa_group *group) 283 { 284 u8 buf[ETH_ALEN + 8 + sizeof(group)]; 285 u8 rkey[32]; 286 287 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 288 return -1; 289 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 290 291 /* 292 * Counter = PRF-256(Random number, "Init Counter", 293 * Local MAC Address || Time) 294 */ 295 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 296 wpa_get_ntp_timestamp(buf + ETH_ALEN); 297 os_memcpy(buf + ETH_ALEN + 8, &group, sizeof(group)); 298 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 299 return -1; 300 301 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 302 group->Counter, WPA_NONCE_LEN) < 0) 303 return -1; 304 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 305 group->Counter, WPA_NONCE_LEN); 306 307 return 0; 308 } 309 310 311 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 312 int vlan_id, int delay_init) 313 { 314 struct wpa_group *group; 315 316 group = os_zalloc(sizeof(struct wpa_group)); 317 if (group == NULL) 318 return NULL; 319 320 group->GTKAuthenticator = TRUE; 321 group->vlan_id = vlan_id; 322 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 323 324 if (random_pool_ready() != 1) { 325 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 326 "for secure operations - update keys later when " 327 "the first station connects"); 328 } 329 330 /* 331 * Set initial GMK/Counter value here. The actual values that will be 332 * used in negotiations will be set once the first station tries to 333 * connect. This allows more time for collecting additional randomness 334 * on embedded devices. 335 */ 336 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 337 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 338 "initialization."); 339 os_free(group); 340 return NULL; 341 } 342 343 group->GInit = TRUE; 344 if (delay_init) { 345 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 346 "until Beacon frames have been configured"); 347 /* Initialization is completed in wpa_init_keys(). */ 348 } else { 349 wpa_group_sm_step(wpa_auth, group); 350 group->GInit = FALSE; 351 wpa_group_sm_step(wpa_auth, group); 352 } 353 354 return group; 355 } 356 357 358 /** 359 * wpa_init - Initialize WPA authenticator 360 * @addr: Authenticator address 361 * @conf: Configuration for WPA authenticator 362 * @cb: Callback functions for WPA authenticator 363 * Returns: Pointer to WPA authenticator data or %NULL on failure 364 */ 365 struct wpa_authenticator * wpa_init(const u8 *addr, 366 struct wpa_auth_config *conf, 367 struct wpa_auth_callbacks *cb) 368 { 369 struct wpa_authenticator *wpa_auth; 370 371 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 372 if (wpa_auth == NULL) 373 return NULL; 374 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 375 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 376 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 377 378 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 379 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 380 os_free(wpa_auth); 381 return NULL; 382 } 383 384 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 385 if (wpa_auth->group == NULL) { 386 os_free(wpa_auth->wpa_ie); 387 os_free(wpa_auth); 388 return NULL; 389 } 390 391 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 392 wpa_auth); 393 if (wpa_auth->pmksa == NULL) { 394 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 395 os_free(wpa_auth->wpa_ie); 396 os_free(wpa_auth); 397 return NULL; 398 } 399 400 #ifdef CONFIG_IEEE80211R 401 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 402 if (wpa_auth->ft_pmk_cache == NULL) { 403 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 404 os_free(wpa_auth->wpa_ie); 405 pmksa_cache_auth_deinit(wpa_auth->pmksa); 406 os_free(wpa_auth); 407 return NULL; 408 } 409 #endif /* CONFIG_IEEE80211R */ 410 411 if (wpa_auth->conf.wpa_gmk_rekey) { 412 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 413 wpa_rekey_gmk, wpa_auth, NULL); 414 } 415 416 if (wpa_auth->conf.wpa_group_rekey) { 417 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 418 wpa_rekey_gtk, wpa_auth, NULL); 419 } 420 421 return wpa_auth; 422 } 423 424 425 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 426 { 427 struct wpa_group *group = wpa_auth->group; 428 429 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 430 "keys"); 431 wpa_group_sm_step(wpa_auth, group); 432 group->GInit = FALSE; 433 wpa_group_sm_step(wpa_auth, group); 434 return 0; 435 } 436 437 438 /** 439 * wpa_deinit - Deinitialize WPA authenticator 440 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 441 */ 442 void wpa_deinit(struct wpa_authenticator *wpa_auth) 443 { 444 struct wpa_group *group, *prev; 445 446 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 447 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 448 449 #ifdef CONFIG_PEERKEY 450 while (wpa_auth->stsl_negotiations) 451 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 452 #endif /* CONFIG_PEERKEY */ 453 454 pmksa_cache_auth_deinit(wpa_auth->pmksa); 455 456 #ifdef CONFIG_IEEE80211R 457 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 458 wpa_auth->ft_pmk_cache = NULL; 459 #endif /* CONFIG_IEEE80211R */ 460 461 os_free(wpa_auth->wpa_ie); 462 463 group = wpa_auth->group; 464 while (group) { 465 prev = group; 466 group = group->next; 467 os_free(prev); 468 } 469 470 os_free(wpa_auth); 471 } 472 473 474 /** 475 * wpa_reconfig - Update WPA authenticator configuration 476 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 477 * @conf: Configuration for WPA authenticator 478 */ 479 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 480 struct wpa_auth_config *conf) 481 { 482 struct wpa_group *group; 483 if (wpa_auth == NULL) 484 return 0; 485 486 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 487 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 488 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 489 return -1; 490 } 491 492 /* 493 * Reinitialize GTK to make sure it is suitable for the new 494 * configuration. 495 */ 496 group = wpa_auth->group; 497 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 498 group->GInit = TRUE; 499 wpa_group_sm_step(wpa_auth, group); 500 group->GInit = FALSE; 501 wpa_group_sm_step(wpa_auth, group); 502 503 return 0; 504 } 505 506 507 struct wpa_state_machine * 508 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr) 509 { 510 struct wpa_state_machine *sm; 511 512 sm = os_zalloc(sizeof(struct wpa_state_machine)); 513 if (sm == NULL) 514 return NULL; 515 os_memcpy(sm->addr, addr, ETH_ALEN); 516 517 sm->wpa_auth = wpa_auth; 518 sm->group = wpa_auth->group; 519 520 return sm; 521 } 522 523 524 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 525 struct wpa_state_machine *sm) 526 { 527 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 528 return -1; 529 530 #ifdef CONFIG_IEEE80211R 531 if (sm->ft_completed) { 532 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 533 "FT authentication already completed - do not " 534 "start 4-way handshake"); 535 return 0; 536 } 537 #endif /* CONFIG_IEEE80211R */ 538 539 if (sm->started) { 540 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 541 sm->ReAuthenticationRequest = TRUE; 542 return wpa_sm_step(sm); 543 } 544 545 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 546 "start authentication"); 547 sm->started = 1; 548 549 sm->Init = TRUE; 550 if (wpa_sm_step(sm) == 1) 551 return 1; /* should not really happen */ 552 sm->Init = FALSE; 553 sm->AuthenticationRequest = TRUE; 554 return wpa_sm_step(sm); 555 } 556 557 558 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 559 { 560 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 561 * reassociates back to the same AP while the previous entry for the 562 * STA has not yet been removed. */ 563 if (sm == NULL) 564 return; 565 566 sm->wpa_key_mgmt = 0; 567 } 568 569 570 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 571 { 572 if (sm->GUpdateStationKeys) { 573 sm->group->GKeyDoneStations--; 574 sm->GUpdateStationKeys = FALSE; 575 } 576 #ifdef CONFIG_IEEE80211R 577 os_free(sm->assoc_resp_ftie); 578 #endif /* CONFIG_IEEE80211R */ 579 os_free(sm->last_rx_eapol_key); 580 os_free(sm->wpa_ie); 581 os_free(sm); 582 } 583 584 585 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 586 { 587 if (sm == NULL) 588 return; 589 590 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 591 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 592 "strict rekeying - force GTK rekey since STA " 593 "is leaving"); 594 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 595 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 596 NULL); 597 } 598 599 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 600 sm->pending_1_of_4_timeout = 0; 601 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 602 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 603 if (sm->in_step_loop) { 604 /* Must not free state machine while wpa_sm_step() is running. 605 * Freeing will be completed in the end of wpa_sm_step(). */ 606 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 607 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 608 sm->pending_deinit = 1; 609 } else 610 wpa_free_sta_sm(sm); 611 } 612 613 614 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 615 { 616 if (sm == NULL) 617 return; 618 619 sm->PTKRequest = TRUE; 620 sm->PTK_valid = 0; 621 } 622 623 624 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 625 const u8 *replay_counter) 626 { 627 int i; 628 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 629 if (!ctr[i].valid) 630 break; 631 if (os_memcmp(replay_counter, ctr[i].counter, 632 WPA_REPLAY_COUNTER_LEN) == 0) 633 return 1; 634 } 635 return 0; 636 } 637 638 639 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 640 const u8 *replay_counter) 641 { 642 int i; 643 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 644 if (ctr[i].valid && 645 (replay_counter == NULL || 646 os_memcmp(replay_counter, ctr[i].counter, 647 WPA_REPLAY_COUNTER_LEN) == 0)) 648 ctr[i].valid = FALSE; 649 } 650 } 651 652 653 #ifdef CONFIG_IEEE80211R 654 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 655 struct wpa_state_machine *sm, 656 struct wpa_eapol_ie_parse *kde) 657 { 658 struct wpa_ie_data ie; 659 struct rsn_mdie *mdie; 660 661 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 662 ie.num_pmkid != 1 || ie.pmkid == NULL) { 663 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 664 "FT 4-way handshake message 2/4"); 665 return -1; 666 } 667 668 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 669 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 670 sm->sup_pmk_r1_name, PMKID_LEN); 671 672 if (!kde->mdie || !kde->ftie) { 673 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 674 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 675 return -1; 676 } 677 678 mdie = (struct rsn_mdie *) (kde->mdie + 2); 679 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 680 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 681 MOBILITY_DOMAIN_ID_LEN) != 0) { 682 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 683 return -1; 684 } 685 686 if (sm->assoc_resp_ftie && 687 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 688 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 689 2 + sm->assoc_resp_ftie[1]) != 0)) { 690 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 691 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 692 kde->ftie, kde->ftie_len); 693 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 694 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 695 return -1; 696 } 697 698 return 0; 699 } 700 #endif /* CONFIG_IEEE80211R */ 701 702 703 static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 704 struct wpa_state_machine *sm, int group) 705 { 706 /* Supplicant reported a Michael MIC error */ 707 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 708 "received EAPOL-Key Error Request " 709 "(STA detected Michael MIC failure (group=%d))", 710 group); 711 712 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 713 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 714 "ignore Michael MIC failure report since " 715 "group cipher is not TKIP"); 716 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 717 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 718 "ignore Michael MIC failure report since " 719 "pairwise cipher is not TKIP"); 720 } else { 721 wpa_auth_mic_failure_report(wpa_auth, sm->addr); 722 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 723 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 724 } 725 726 /* 727 * Error report is not a request for a new key handshake, but since 728 * Authenticator may do it, let's change the keys now anyway. 729 */ 730 wpa_request_new_ptk(sm); 731 } 732 733 734 void wpa_receive(struct wpa_authenticator *wpa_auth, 735 struct wpa_state_machine *sm, 736 u8 *data, size_t data_len) 737 { 738 struct ieee802_1x_hdr *hdr; 739 struct wpa_eapol_key *key; 740 u16 key_info, key_data_length; 741 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 742 SMK_M1, SMK_M3, SMK_ERROR } msg; 743 char *msgtxt; 744 struct wpa_eapol_ie_parse kde; 745 int ft; 746 const u8 *eapol_key_ie; 747 size_t eapol_key_ie_len; 748 749 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 750 return; 751 752 if (data_len < sizeof(*hdr) + sizeof(*key)) 753 return; 754 755 hdr = (struct ieee802_1x_hdr *) data; 756 key = (struct wpa_eapol_key *) (hdr + 1); 757 key_info = WPA_GET_BE16(key->key_info); 758 key_data_length = WPA_GET_BE16(key->key_data_length); 759 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 760 " key_info=0x%x type=%u key_data_length=%u", 761 MAC2STR(sm->addr), key_info, key->type, key_data_length); 762 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 763 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 764 "key_data overflow (%d > %lu)", 765 key_data_length, 766 (unsigned long) (data_len - sizeof(*hdr) - 767 sizeof(*key))); 768 return; 769 } 770 771 if (sm->wpa == WPA_VERSION_WPA2) { 772 if (key->type == EAPOL_KEY_TYPE_WPA) { 773 /* 774 * Some deployed station implementations seem to send 775 * msg 4/4 with incorrect type value in WPA2 mode. 776 */ 777 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 778 "with unexpected WPA type in RSN mode"); 779 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 780 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 781 "unexpected type %d in RSN mode", 782 key->type); 783 return; 784 } 785 } else { 786 if (key->type != EAPOL_KEY_TYPE_WPA) { 787 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 788 "unexpected type %d in WPA mode", 789 key->type); 790 return; 791 } 792 } 793 794 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 795 WPA_NONCE_LEN); 796 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 797 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 798 799 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 800 * are set */ 801 802 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 803 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 804 if (key_info & WPA_KEY_INFO_ERROR) { 805 msg = SMK_ERROR; 806 msgtxt = "SMK Error"; 807 } else { 808 msg = SMK_M1; 809 msgtxt = "SMK M1"; 810 } 811 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 812 msg = SMK_M3; 813 msgtxt = "SMK M3"; 814 } else if (key_info & WPA_KEY_INFO_REQUEST) { 815 msg = REQUEST; 816 msgtxt = "Request"; 817 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 818 msg = GROUP_2; 819 msgtxt = "2/2 Group"; 820 } else if (key_data_length == 0) { 821 msg = PAIRWISE_4; 822 msgtxt = "4/4 Pairwise"; 823 } else { 824 msg = PAIRWISE_2; 825 msgtxt = "2/4 Pairwise"; 826 } 827 828 /* TODO: key_info type validation for PeerKey */ 829 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 830 msg == GROUP_2) { 831 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 832 if (sm->pairwise == WPA_CIPHER_CCMP || 833 sm->pairwise == WPA_CIPHER_GCMP) { 834 if (wpa_use_aes_cmac(sm) && 835 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 836 wpa_auth_logger(wpa_auth, sm->addr, 837 LOGGER_WARNING, 838 "advertised support for " 839 "AES-128-CMAC, but did not " 840 "use it"); 841 return; 842 } 843 844 if (!wpa_use_aes_cmac(sm) && 845 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 846 wpa_auth_logger(wpa_auth, sm->addr, 847 LOGGER_WARNING, 848 "did not use HMAC-SHA1-AES " 849 "with CCMP/GCMP"); 850 return; 851 } 852 } 853 } 854 855 if (key_info & WPA_KEY_INFO_REQUEST) { 856 if (sm->req_replay_counter_used && 857 os_memcmp(key->replay_counter, sm->req_replay_counter, 858 WPA_REPLAY_COUNTER_LEN) <= 0) { 859 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 860 "received EAPOL-Key request with " 861 "replayed counter"); 862 return; 863 } 864 } 865 866 if (!(key_info & WPA_KEY_INFO_REQUEST) && 867 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 868 int i; 869 870 if (msg == PAIRWISE_2 && 871 wpa_replay_counter_valid(sm->prev_key_replay, 872 key->replay_counter) && 873 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 874 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 875 { 876 /* 877 * Some supplicant implementations (e.g., Windows XP 878 * WZC) update SNonce for each EAPOL-Key 2/4. This 879 * breaks the workaround on accepting any of the 880 * pending requests, so allow the SNonce to be updated 881 * even if we have already sent out EAPOL-Key 3/4. 882 */ 883 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 884 "Process SNonce update from STA " 885 "based on retransmitted EAPOL-Key " 886 "1/4"); 887 sm->update_snonce = 1; 888 wpa_replay_counter_mark_invalid(sm->prev_key_replay, 889 key->replay_counter); 890 goto continue_processing; 891 } 892 893 if (msg == PAIRWISE_2 && 894 wpa_replay_counter_valid(sm->prev_key_replay, 895 key->replay_counter) && 896 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 897 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 898 "ignore retransmitted EAPOL-Key %s - " 899 "SNonce did not change", msgtxt); 900 } else { 901 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 902 "received EAPOL-Key %s with " 903 "unexpected replay counter", msgtxt); 904 } 905 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 906 if (!sm->key_replay[i].valid) 907 break; 908 wpa_hexdump(MSG_DEBUG, "pending replay counter", 909 sm->key_replay[i].counter, 910 WPA_REPLAY_COUNTER_LEN); 911 } 912 wpa_hexdump(MSG_DEBUG, "received replay counter", 913 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 914 return; 915 } 916 917 continue_processing: 918 switch (msg) { 919 case PAIRWISE_2: 920 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 921 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 922 (!sm->update_snonce || 923 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 924 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 925 "received EAPOL-Key msg 2/4 in " 926 "invalid state (%d) - dropped", 927 sm->wpa_ptk_state); 928 return; 929 } 930 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 931 if (sm->group->reject_4way_hs_for_entropy) { 932 /* 933 * The system did not have enough entropy to generate 934 * strong random numbers. Reject the first 4-way 935 * handshake(s) and collect some entropy based on the 936 * information from it. Once enough entropy is 937 * available, the next atempt will trigger GMK/Key 938 * Counter update and the station will be allowed to 939 * continue. 940 */ 941 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 942 "collect more entropy for random number " 943 "generation"); 944 random_mark_pool_ready(); 945 wpa_sta_disconnect(wpa_auth, sm->addr); 946 return; 947 } 948 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 949 &kde) < 0) { 950 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 951 "received EAPOL-Key msg 2/4 with " 952 "invalid Key Data contents"); 953 return; 954 } 955 if (kde.rsn_ie) { 956 eapol_key_ie = kde.rsn_ie; 957 eapol_key_ie_len = kde.rsn_ie_len; 958 } else { 959 eapol_key_ie = kde.wpa_ie; 960 eapol_key_ie_len = kde.wpa_ie_len; 961 } 962 ft = sm->wpa == WPA_VERSION_WPA2 && 963 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 964 if (sm->wpa_ie == NULL || 965 wpa_compare_rsn_ie(ft, 966 sm->wpa_ie, sm->wpa_ie_len, 967 eapol_key_ie, eapol_key_ie_len)) { 968 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 969 "WPA IE from (Re)AssocReq did not " 970 "match with msg 2/4"); 971 if (sm->wpa_ie) { 972 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 973 sm->wpa_ie, sm->wpa_ie_len); 974 } 975 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 976 eapol_key_ie, eapol_key_ie_len); 977 /* MLME-DEAUTHENTICATE.request */ 978 wpa_sta_disconnect(wpa_auth, sm->addr); 979 return; 980 } 981 #ifdef CONFIG_IEEE80211R 982 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 983 wpa_sta_disconnect(wpa_auth, sm->addr); 984 return; 985 } 986 #endif /* CONFIG_IEEE80211R */ 987 break; 988 case PAIRWISE_4: 989 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 990 !sm->PTK_valid) { 991 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 992 "received EAPOL-Key msg 4/4 in " 993 "invalid state (%d) - dropped", 994 sm->wpa_ptk_state); 995 return; 996 } 997 break; 998 case GROUP_2: 999 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1000 || !sm->PTK_valid) { 1001 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1002 "received EAPOL-Key msg 2/2 in " 1003 "invalid state (%d) - dropped", 1004 sm->wpa_ptk_group_state); 1005 return; 1006 } 1007 break; 1008 #ifdef CONFIG_PEERKEY 1009 case SMK_M1: 1010 case SMK_M3: 1011 case SMK_ERROR: 1012 if (!wpa_auth->conf.peerkey) { 1013 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1014 "PeerKey use disabled - ignoring message"); 1015 return; 1016 } 1017 if (!sm->PTK_valid) { 1018 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1019 "received EAPOL-Key msg SMK in " 1020 "invalid state - dropped"); 1021 return; 1022 } 1023 break; 1024 #else /* CONFIG_PEERKEY */ 1025 case SMK_M1: 1026 case SMK_M3: 1027 case SMK_ERROR: 1028 return; /* STSL disabled - ignore SMK messages */ 1029 #endif /* CONFIG_PEERKEY */ 1030 case REQUEST: 1031 break; 1032 } 1033 1034 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1035 "received EAPOL-Key frame (%s)", msgtxt); 1036 1037 if (key_info & WPA_KEY_INFO_ACK) { 1038 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1039 "received invalid EAPOL-Key: Key Ack set"); 1040 return; 1041 } 1042 1043 if (!(key_info & WPA_KEY_INFO_MIC)) { 1044 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1045 "received invalid EAPOL-Key: Key MIC not set"); 1046 return; 1047 } 1048 1049 sm->MICVerified = FALSE; 1050 if (sm->PTK_valid && !sm->update_snonce) { 1051 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) { 1052 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1053 "received EAPOL-Key with invalid MIC"); 1054 return; 1055 } 1056 sm->MICVerified = TRUE; 1057 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1058 sm->pending_1_of_4_timeout = 0; 1059 } 1060 1061 if (key_info & WPA_KEY_INFO_REQUEST) { 1062 if (sm->MICVerified) { 1063 sm->req_replay_counter_used = 1; 1064 os_memcpy(sm->req_replay_counter, key->replay_counter, 1065 WPA_REPLAY_COUNTER_LEN); 1066 } else { 1067 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1068 "received EAPOL-Key request with " 1069 "invalid MIC"); 1070 return; 1071 } 1072 1073 /* 1074 * TODO: should decrypt key data field if encryption was used; 1075 * even though MAC address KDE is not normally encrypted, 1076 * supplicant is allowed to encrypt it. 1077 */ 1078 if (msg == SMK_ERROR) { 1079 #ifdef CONFIG_PEERKEY 1080 wpa_smk_error(wpa_auth, sm, key); 1081 #endif /* CONFIG_PEERKEY */ 1082 return; 1083 } else if (key_info & WPA_KEY_INFO_ERROR) { 1084 wpa_receive_error_report( 1085 wpa_auth, sm, 1086 !(key_info & WPA_KEY_INFO_KEY_TYPE)); 1087 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1088 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1089 "received EAPOL-Key Request for new " 1090 "4-Way Handshake"); 1091 wpa_request_new_ptk(sm); 1092 #ifdef CONFIG_PEERKEY 1093 } else if (msg == SMK_M1) { 1094 wpa_smk_m1(wpa_auth, sm, key); 1095 #endif /* CONFIG_PEERKEY */ 1096 } else if (key_data_length > 0 && 1097 wpa_parse_kde_ies((const u8 *) (key + 1), 1098 key_data_length, &kde) == 0 && 1099 kde.mac_addr) { 1100 } else { 1101 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1102 "received EAPOL-Key Request for GTK " 1103 "rekeying"); 1104 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1105 wpa_rekey_gtk(wpa_auth, NULL); 1106 } 1107 } else { 1108 /* Do not allow the same key replay counter to be reused. */ 1109 wpa_replay_counter_mark_invalid(sm->key_replay, 1110 key->replay_counter); 1111 1112 if (msg == PAIRWISE_2) { 1113 /* 1114 * Maintain a copy of the pending EAPOL-Key frames in 1115 * case the EAPOL-Key frame was retransmitted. This is 1116 * needed to allow EAPOL-Key msg 2/4 reply to another 1117 * pending msg 1/4 to update the SNonce to work around 1118 * unexpected supplicant behavior. 1119 */ 1120 os_memcpy(sm->prev_key_replay, sm->key_replay, 1121 sizeof(sm->key_replay)); 1122 } else { 1123 os_memset(sm->prev_key_replay, 0, 1124 sizeof(sm->prev_key_replay)); 1125 } 1126 1127 /* 1128 * Make sure old valid counters are not accepted anymore and 1129 * do not get copied again. 1130 */ 1131 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1132 } 1133 1134 #ifdef CONFIG_PEERKEY 1135 if (msg == SMK_M3) { 1136 wpa_smk_m3(wpa_auth, sm, key); 1137 return; 1138 } 1139 #endif /* CONFIG_PEERKEY */ 1140 1141 os_free(sm->last_rx_eapol_key); 1142 sm->last_rx_eapol_key = os_malloc(data_len); 1143 if (sm->last_rx_eapol_key == NULL) 1144 return; 1145 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1146 sm->last_rx_eapol_key_len = data_len; 1147 1148 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1149 sm->EAPOLKeyReceived = TRUE; 1150 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1151 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1152 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1153 wpa_sm_step(sm); 1154 } 1155 1156 1157 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1158 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1159 { 1160 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1161 u8 *pos; 1162 int ret = 0; 1163 1164 /* GTK = PRF-X(GMK, "Group key expansion", 1165 * AA || GNonce || Time || random data) 1166 * The example described in the IEEE 802.11 standard uses only AA and 1167 * GNonce as inputs here. Add some more entropy since this derivation 1168 * is done only at the Authenticator and as such, does not need to be 1169 * exactly same. 1170 */ 1171 os_memcpy(data, addr, ETH_ALEN); 1172 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1173 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1174 wpa_get_ntp_timestamp(pos); 1175 pos += 8; 1176 if (random_get_bytes(pos, 16) < 0) 1177 ret = -1; 1178 1179 #ifdef CONFIG_IEEE80211W 1180 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1181 #else /* CONFIG_IEEE80211W */ 1182 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1183 < 0) 1184 ret = -1; 1185 #endif /* CONFIG_IEEE80211W */ 1186 1187 return ret; 1188 } 1189 1190 1191 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1192 { 1193 struct wpa_authenticator *wpa_auth = eloop_ctx; 1194 struct wpa_state_machine *sm = timeout_ctx; 1195 1196 sm->pending_1_of_4_timeout = 0; 1197 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1198 sm->TimeoutEvt = TRUE; 1199 wpa_sm_step(sm); 1200 } 1201 1202 1203 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1204 struct wpa_state_machine *sm, int key_info, 1205 const u8 *key_rsc, const u8 *nonce, 1206 const u8 *kde, size_t kde_len, 1207 int keyidx, int encr, int force_version) 1208 { 1209 struct ieee802_1x_hdr *hdr; 1210 struct wpa_eapol_key *key; 1211 size_t len; 1212 int alg; 1213 int key_data_len, pad_len = 0; 1214 u8 *buf, *pos; 1215 int version, pairwise; 1216 int i; 1217 1218 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1219 1220 if (force_version) 1221 version = force_version; 1222 else if (wpa_use_aes_cmac(sm)) 1223 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1224 else if (sm->pairwise != WPA_CIPHER_TKIP) 1225 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1226 else 1227 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1228 1229 pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1230 1231 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1232 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1233 "encr=%d)", 1234 version, 1235 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1236 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1237 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1238 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1239 pairwise, (unsigned long) kde_len, keyidx, encr); 1240 1241 key_data_len = kde_len; 1242 1243 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1244 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1245 pad_len = key_data_len % 8; 1246 if (pad_len) 1247 pad_len = 8 - pad_len; 1248 key_data_len += pad_len + 8; 1249 } 1250 1251 len += key_data_len; 1252 1253 hdr = os_zalloc(len); 1254 if (hdr == NULL) 1255 return; 1256 hdr->version = wpa_auth->conf.eapol_version; 1257 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1258 hdr->length = host_to_be16(len - sizeof(*hdr)); 1259 key = (struct wpa_eapol_key *) (hdr + 1); 1260 1261 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1262 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1263 key_info |= version; 1264 if (encr && sm->wpa == WPA_VERSION_WPA2) 1265 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1266 if (sm->wpa != WPA_VERSION_WPA2) 1267 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1268 WPA_PUT_BE16(key->key_info, key_info); 1269 1270 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1271 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1272 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1273 WPA_PUT_BE16(key->key_length, 0); 1274 1275 /* FIX: STSL: what to use as key_replay_counter? */ 1276 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1277 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1278 os_memcpy(sm->key_replay[i].counter, 1279 sm->key_replay[i - 1].counter, 1280 WPA_REPLAY_COUNTER_LEN); 1281 } 1282 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1283 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1284 WPA_REPLAY_COUNTER_LEN); 1285 sm->key_replay[0].valid = TRUE; 1286 1287 if (nonce) 1288 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1289 1290 if (key_rsc) 1291 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1292 1293 if (kde && !encr) { 1294 os_memcpy(key + 1, kde, kde_len); 1295 WPA_PUT_BE16(key->key_data_length, kde_len); 1296 } else if (encr && kde) { 1297 buf = os_zalloc(key_data_len); 1298 if (buf == NULL) { 1299 os_free(hdr); 1300 return; 1301 } 1302 pos = buf; 1303 os_memcpy(pos, kde, kde_len); 1304 pos += kde_len; 1305 1306 if (pad_len) 1307 *pos++ = 0xdd; 1308 1309 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1310 buf, key_data_len); 1311 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1312 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1313 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, 1314 (u8 *) (key + 1))) { 1315 os_free(hdr); 1316 os_free(buf); 1317 return; 1318 } 1319 WPA_PUT_BE16(key->key_data_length, key_data_len); 1320 } else { 1321 u8 ek[32]; 1322 os_memcpy(key->key_iv, 1323 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1324 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1325 os_memcpy(ek, key->key_iv, 16); 1326 os_memcpy(ek + 16, sm->PTK.kek, 16); 1327 os_memcpy(key + 1, buf, key_data_len); 1328 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1329 WPA_PUT_BE16(key->key_data_length, key_data_len); 1330 } 1331 os_free(buf); 1332 } 1333 1334 if (key_info & WPA_KEY_INFO_MIC) { 1335 if (!sm->PTK_valid) { 1336 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1337 "PTK not valid when sending EAPOL-Key " 1338 "frame"); 1339 os_free(hdr); 1340 return; 1341 } 1342 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, 1343 key->key_mic); 1344 } 1345 1346 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1347 1); 1348 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1349 sm->pairwise_set); 1350 os_free(hdr); 1351 } 1352 1353 1354 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1355 struct wpa_state_machine *sm, int key_info, 1356 const u8 *key_rsc, const u8 *nonce, 1357 const u8 *kde, size_t kde_len, 1358 int keyidx, int encr) 1359 { 1360 int timeout_ms; 1361 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1362 int ctr; 1363 1364 if (sm == NULL) 1365 return; 1366 1367 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1368 keyidx, encr, 0); 1369 1370 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1371 if (ctr == 1 && wpa_auth->conf.tx_status) 1372 timeout_ms = pairwise ? eapol_key_timeout_first : 1373 eapol_key_timeout_first_group; 1374 else 1375 timeout_ms = eapol_key_timeout_subseq; 1376 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1377 sm->pending_1_of_4_timeout = 1; 1378 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1379 "counter %d)", timeout_ms, ctr); 1380 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1381 wpa_send_eapol_timeout, wpa_auth, sm); 1382 } 1383 1384 1385 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len) 1386 { 1387 struct ieee802_1x_hdr *hdr; 1388 struct wpa_eapol_key *key; 1389 u16 key_info; 1390 int ret = 0; 1391 u8 mic[16]; 1392 1393 if (data_len < sizeof(*hdr) + sizeof(*key)) 1394 return -1; 1395 1396 hdr = (struct ieee802_1x_hdr *) data; 1397 key = (struct wpa_eapol_key *) (hdr + 1); 1398 key_info = WPA_GET_BE16(key->key_info); 1399 os_memcpy(mic, key->key_mic, 16); 1400 os_memset(key->key_mic, 0, 16); 1401 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK, 1402 data, data_len, key->key_mic) || 1403 os_memcmp(mic, key->key_mic, 16) != 0) 1404 ret = -1; 1405 os_memcpy(key->key_mic, mic, 16); 1406 return ret; 1407 } 1408 1409 1410 void wpa_remove_ptk(struct wpa_state_machine *sm) 1411 { 1412 sm->PTK_valid = FALSE; 1413 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1414 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1415 sm->pairwise_set = FALSE; 1416 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1417 } 1418 1419 1420 int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1421 { 1422 int remove_ptk = 1; 1423 1424 if (sm == NULL) 1425 return -1; 1426 1427 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1428 "event %d notification", event); 1429 1430 switch (event) { 1431 case WPA_AUTH: 1432 case WPA_ASSOC: 1433 break; 1434 case WPA_DEAUTH: 1435 case WPA_DISASSOC: 1436 sm->DeauthenticationRequest = TRUE; 1437 break; 1438 case WPA_REAUTH: 1439 case WPA_REAUTH_EAPOL: 1440 if (!sm->started) { 1441 /* 1442 * When using WPS, we may end up here if the STA 1443 * manages to re-associate without the previous STA 1444 * entry getting removed. Consequently, we need to make 1445 * sure that the WPA state machines gets initialized 1446 * properly at this point. 1447 */ 1448 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1449 "started - initialize now"); 1450 sm->started = 1; 1451 sm->Init = TRUE; 1452 if (wpa_sm_step(sm) == 1) 1453 return 1; /* should not really happen */ 1454 sm->Init = FALSE; 1455 sm->AuthenticationRequest = TRUE; 1456 break; 1457 } 1458 if (sm->GUpdateStationKeys) { 1459 /* 1460 * Reauthentication cancels the pending group key 1461 * update for this STA. 1462 */ 1463 sm->group->GKeyDoneStations--; 1464 sm->GUpdateStationKeys = FALSE; 1465 sm->PtkGroupInit = TRUE; 1466 } 1467 sm->ReAuthenticationRequest = TRUE; 1468 break; 1469 case WPA_ASSOC_FT: 1470 #ifdef CONFIG_IEEE80211R 1471 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1472 "after association"); 1473 wpa_ft_install_ptk(sm); 1474 1475 /* Using FT protocol, not WPA auth state machine */ 1476 sm->ft_completed = 1; 1477 return 0; 1478 #else /* CONFIG_IEEE80211R */ 1479 break; 1480 #endif /* CONFIG_IEEE80211R */ 1481 } 1482 1483 #ifdef CONFIG_IEEE80211R 1484 sm->ft_completed = 0; 1485 #endif /* CONFIG_IEEE80211R */ 1486 1487 #ifdef CONFIG_IEEE80211W 1488 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1489 remove_ptk = 0; 1490 #endif /* CONFIG_IEEE80211W */ 1491 1492 if (remove_ptk) { 1493 sm->PTK_valid = FALSE; 1494 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1495 1496 if (event != WPA_REAUTH_EAPOL) 1497 wpa_remove_ptk(sm); 1498 } 1499 1500 return wpa_sm_step(sm); 1501 } 1502 1503 1504 SM_STATE(WPA_PTK, INITIALIZE) 1505 { 1506 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1507 if (sm->Init) { 1508 /* Init flag is not cleared here, so avoid busy 1509 * loop by claiming nothing changed. */ 1510 sm->changed = FALSE; 1511 } 1512 1513 sm->keycount = 0; 1514 if (sm->GUpdateStationKeys) 1515 sm->group->GKeyDoneStations--; 1516 sm->GUpdateStationKeys = FALSE; 1517 if (sm->wpa == WPA_VERSION_WPA) 1518 sm->PInitAKeys = FALSE; 1519 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1520 * Local AA > Remote AA)) */) { 1521 sm->Pair = TRUE; 1522 } 1523 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1524 wpa_remove_ptk(sm); 1525 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1526 sm->TimeoutCtr = 0; 1527 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1528 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1529 WPA_EAPOL_authorized, 0); 1530 } 1531 } 1532 1533 1534 SM_STATE(WPA_PTK, DISCONNECT) 1535 { 1536 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1537 sm->Disconnect = FALSE; 1538 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1539 } 1540 1541 1542 SM_STATE(WPA_PTK, DISCONNECTED) 1543 { 1544 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1545 sm->DeauthenticationRequest = FALSE; 1546 } 1547 1548 1549 SM_STATE(WPA_PTK, AUTHENTICATION) 1550 { 1551 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1552 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1553 sm->PTK_valid = FALSE; 1554 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1555 1); 1556 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1557 sm->AuthenticationRequest = FALSE; 1558 } 1559 1560 1561 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1562 struct wpa_group *group) 1563 { 1564 if (group->first_sta_seen) 1565 return; 1566 /* 1567 * System has run bit further than at the time hostapd was started 1568 * potentially very early during boot up. This provides better chances 1569 * of collecting more randomness on embedded systems. Re-initialize the 1570 * GMK and Counter here to improve their strength if there was not 1571 * enough entropy available immediately after system startup. 1572 */ 1573 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1574 "station"); 1575 if (random_pool_ready() != 1) { 1576 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1577 "to proceed - reject first 4-way handshake"); 1578 group->reject_4way_hs_for_entropy = TRUE; 1579 } else { 1580 group->first_sta_seen = TRUE; 1581 group->reject_4way_hs_for_entropy = FALSE; 1582 } 1583 1584 wpa_group_init_gmk_and_counter(wpa_auth, group); 1585 wpa_gtk_update(wpa_auth, group); 1586 wpa_group_config_group_keys(wpa_auth, group); 1587 } 1588 1589 1590 SM_STATE(WPA_PTK, AUTHENTICATION2) 1591 { 1592 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1593 1594 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1595 1596 /* 1597 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1598 * ambiguous. The Authenticator state machine uses a counter that is 1599 * incremented by one for each 4-way handshake. However, the security 1600 * analysis of 4-way handshake points out that unpredictable nonces 1601 * help in preventing precomputation attacks. Instead of the state 1602 * machine definition, use an unpredictable nonce value here to provide 1603 * stronger protection against potential precomputation attacks. 1604 */ 1605 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1606 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1607 "ANonce."); 1608 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1609 return; 1610 } 1611 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1612 WPA_NONCE_LEN); 1613 sm->ReAuthenticationRequest = FALSE; 1614 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1615 * logical place than INITIALIZE since AUTHENTICATION2 can be 1616 * re-entered on ReAuthenticationRequest without going through 1617 * INITIALIZE. */ 1618 sm->TimeoutCtr = 0; 1619 } 1620 1621 1622 SM_STATE(WPA_PTK, INITPMK) 1623 { 1624 u8 msk[2 * PMK_LEN]; 1625 size_t len = 2 * PMK_LEN; 1626 1627 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1628 #ifdef CONFIG_IEEE80211R 1629 sm->xxkey_len = 0; 1630 #endif /* CONFIG_IEEE80211R */ 1631 if (sm->pmksa) { 1632 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1633 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1634 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1635 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1636 "(len=%lu)", (unsigned long) len); 1637 os_memcpy(sm->PMK, msk, PMK_LEN); 1638 #ifdef CONFIG_IEEE80211R 1639 if (len >= 2 * PMK_LEN) { 1640 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1641 sm->xxkey_len = PMK_LEN; 1642 } 1643 #endif /* CONFIG_IEEE80211R */ 1644 } else { 1645 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1646 } 1647 1648 sm->req_replay_counter_used = 0; 1649 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1650 * will break reauthentication since EAPOL state machines may not be 1651 * get into AUTHENTICATING state that clears keyRun before WPA state 1652 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1653 * state and takes PMK from the previously used AAA Key. This will 1654 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1655 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1656 * be good workaround for this issue. */ 1657 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1658 } 1659 1660 1661 SM_STATE(WPA_PTK, INITPSK) 1662 { 1663 const u8 *psk; 1664 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1665 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL); 1666 if (psk) { 1667 os_memcpy(sm->PMK, psk, PMK_LEN); 1668 #ifdef CONFIG_IEEE80211R 1669 os_memcpy(sm->xxkey, psk, PMK_LEN); 1670 sm->xxkey_len = PMK_LEN; 1671 #endif /* CONFIG_IEEE80211R */ 1672 } 1673 sm->req_replay_counter_used = 0; 1674 } 1675 1676 1677 SM_STATE(WPA_PTK, PTKSTART) 1678 { 1679 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1680 size_t pmkid_len = 0; 1681 1682 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1683 sm->PTKRequest = FALSE; 1684 sm->TimeoutEvt = FALSE; 1685 1686 sm->TimeoutCtr++; 1687 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1688 /* No point in sending the EAPOL-Key - we will disconnect 1689 * immediately following this. */ 1690 return; 1691 } 1692 1693 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1694 "sending 1/4 msg of 4-Way Handshake"); 1695 /* 1696 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1697 * one possible PSK for this STA. 1698 */ 1699 if (sm->wpa == WPA_VERSION_WPA2 && 1700 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) { 1701 pmkid = buf; 1702 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1703 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1704 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1705 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1706 if (sm->pmksa) 1707 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1708 sm->pmksa->pmkid, PMKID_LEN); 1709 else { 1710 /* 1711 * Calculate PMKID since no PMKSA cache entry was 1712 * available with pre-calculated PMKID. 1713 */ 1714 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1715 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1716 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1717 } 1718 } 1719 wpa_send_eapol(sm->wpa_auth, sm, 1720 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1721 sm->ANonce, pmkid, pmkid_len, 0, 0); 1722 } 1723 1724 1725 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk, 1726 struct wpa_ptk *ptk) 1727 { 1728 size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64; 1729 #ifdef CONFIG_IEEE80211R 1730 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1731 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1732 #endif /* CONFIG_IEEE80211R */ 1733 1734 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1735 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce, 1736 (u8 *) ptk, ptk_len, 1737 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1738 1739 return 0; 1740 } 1741 1742 1743 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1744 { 1745 struct wpa_ptk PTK; 1746 int ok = 0; 1747 const u8 *pmk = NULL; 1748 1749 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1750 sm->EAPOLKeyReceived = FALSE; 1751 sm->update_snonce = FALSE; 1752 1753 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1754 * WPA-PSK: iterate through possible PSKs and select the one matching 1755 * the packet */ 1756 for (;;) { 1757 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1758 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk); 1759 if (pmk == NULL) 1760 break; 1761 } else 1762 pmk = sm->PMK; 1763 1764 wpa_derive_ptk(sm, pmk, &PTK); 1765 1766 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key, 1767 sm->last_rx_eapol_key_len) == 0) { 1768 ok = 1; 1769 break; 1770 } 1771 1772 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1773 break; 1774 } 1775 1776 if (!ok) { 1777 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1778 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1779 return; 1780 } 1781 1782 #ifdef CONFIG_IEEE80211R 1783 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1784 /* 1785 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1786 * with the value we derived. 1787 */ 1788 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1789 WPA_PMK_NAME_LEN) != 0) { 1790 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1791 "PMKR1Name mismatch in FT 4-way " 1792 "handshake"); 1793 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1794 "Supplicant", 1795 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 1796 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1797 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1798 return; 1799 } 1800 } 1801 #endif /* CONFIG_IEEE80211R */ 1802 1803 sm->pending_1_of_4_timeout = 0; 1804 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 1805 1806 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1807 /* PSK may have changed from the previous choice, so update 1808 * state machine data based on whatever PSK was selected here. 1809 */ 1810 os_memcpy(sm->PMK, pmk, PMK_LEN); 1811 } 1812 1813 sm->MICVerified = TRUE; 1814 1815 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 1816 sm->PTK_valid = TRUE; 1817 } 1818 1819 1820 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 1821 { 1822 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 1823 sm->TimeoutCtr = 0; 1824 } 1825 1826 1827 #ifdef CONFIG_IEEE80211W 1828 1829 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1830 { 1831 if (sm->mgmt_frame_prot) { 1832 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde); 1833 } 1834 1835 return 0; 1836 } 1837 1838 1839 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1840 { 1841 struct wpa_igtk_kde igtk; 1842 struct wpa_group *gsm = sm->group; 1843 1844 if (!sm->mgmt_frame_prot) 1845 return pos; 1846 1847 igtk.keyid[0] = gsm->GN_igtk; 1848 igtk.keyid[1] = 0; 1849 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 1850 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0) 1851 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 1852 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 1853 if (sm->wpa_auth->conf.disable_gtk) { 1854 /* 1855 * Provide unique random IGTK to each STA to prevent use of 1856 * IGTK in the BSS. 1857 */ 1858 if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0) 1859 return pos; 1860 } 1861 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 1862 (const u8 *) &igtk, sizeof(igtk), NULL, 0); 1863 1864 return pos; 1865 } 1866 1867 #else /* CONFIG_IEEE80211W */ 1868 1869 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1870 { 1871 return 0; 1872 } 1873 1874 1875 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1876 { 1877 return pos; 1878 } 1879 1880 #endif /* CONFIG_IEEE80211W */ 1881 1882 1883 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 1884 { 1885 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 1886 size_t gtk_len, kde_len; 1887 struct wpa_group *gsm = sm->group; 1888 u8 *wpa_ie; 1889 int wpa_ie_len, secure, keyidx, encr = 0; 1890 1891 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 1892 sm->TimeoutEvt = FALSE; 1893 1894 sm->TimeoutCtr++; 1895 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1896 /* No point in sending the EAPOL-Key - we will disconnect 1897 * immediately following this. */ 1898 return; 1899 } 1900 1901 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 1902 GTK[GN], IGTK, [FTIE], [TIE * 2]) 1903 */ 1904 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 1905 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 1906 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 1907 wpa_ie = sm->wpa_auth->wpa_ie; 1908 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 1909 if (sm->wpa == WPA_VERSION_WPA && 1910 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 1911 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 1912 /* WPA-only STA, remove RSN IE */ 1913 wpa_ie = wpa_ie + wpa_ie[1] + 2; 1914 wpa_ie_len = wpa_ie[1] + 2; 1915 } 1916 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1917 "sending 3/4 msg of 4-Way Handshake"); 1918 if (sm->wpa == WPA_VERSION_WPA2) { 1919 /* WPA2 send GTK in the 4-way handshake */ 1920 secure = 1; 1921 gtk = gsm->GTK[gsm->GN - 1]; 1922 gtk_len = gsm->GTK_len; 1923 if (sm->wpa_auth->conf.disable_gtk) { 1924 /* 1925 * Provide unique random GTK to each STA to prevent use 1926 * of GTK in the BSS. 1927 */ 1928 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 1929 return; 1930 gtk = dummy_gtk; 1931 } 1932 keyidx = gsm->GN; 1933 _rsc = rsc; 1934 encr = 1; 1935 } else { 1936 /* WPA does not include GTK in msg 3/4 */ 1937 secure = 0; 1938 gtk = NULL; 1939 gtk_len = 0; 1940 keyidx = 0; 1941 _rsc = NULL; 1942 if (sm->rx_eapol_key_secure) { 1943 /* 1944 * It looks like Windows 7 supplicant tries to use 1945 * Secure bit in msg 2/4 after having reported Michael 1946 * MIC failure and it then rejects the 4-way handshake 1947 * if msg 3/4 does not set Secure bit. Work around this 1948 * by setting the Secure bit here even in the case of 1949 * WPA if the supplicant used it first. 1950 */ 1951 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1952 "STA used Secure bit in WPA msg 2/4 - " 1953 "set Secure for 3/4 as workaround"); 1954 secure = 1; 1955 } 1956 } 1957 1958 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 1959 if (gtk) 1960 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 1961 #ifdef CONFIG_IEEE80211R 1962 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1963 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 1964 kde_len += 300; /* FTIE + 2 * TIE */ 1965 } 1966 #endif /* CONFIG_IEEE80211R */ 1967 kde = os_malloc(kde_len); 1968 if (kde == NULL) 1969 return; 1970 1971 pos = kde; 1972 os_memcpy(pos, wpa_ie, wpa_ie_len); 1973 pos += wpa_ie_len; 1974 #ifdef CONFIG_IEEE80211R 1975 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1976 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 1977 if (res < 0) { 1978 wpa_printf(MSG_ERROR, "FT: Failed to insert " 1979 "PMKR1Name into RSN IE in EAPOL-Key data"); 1980 os_free(kde); 1981 return; 1982 } 1983 pos += res; 1984 } 1985 #endif /* CONFIG_IEEE80211R */ 1986 if (gtk) { 1987 u8 hdr[2]; 1988 hdr[0] = keyidx & 0x03; 1989 hdr[1] = 0; 1990 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 1991 gtk, gtk_len); 1992 } 1993 pos = ieee80211w_kde_add(sm, pos); 1994 1995 #ifdef CONFIG_IEEE80211R 1996 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1997 int res; 1998 struct wpa_auth_config *conf; 1999 2000 conf = &sm->wpa_auth->conf; 2001 res = wpa_write_ftie(conf, conf->r0_key_holder, 2002 conf->r0_key_holder_len, 2003 NULL, NULL, pos, kde + kde_len - pos, 2004 NULL, 0); 2005 if (res < 0) { 2006 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2007 "into EAPOL-Key Key Data"); 2008 os_free(kde); 2009 return; 2010 } 2011 pos += res; 2012 2013 /* TIE[ReassociationDeadline] (TU) */ 2014 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2015 *pos++ = 5; 2016 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2017 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2018 pos += 4; 2019 2020 /* TIE[KeyLifetime] (seconds) */ 2021 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2022 *pos++ = 5; 2023 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2024 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2025 pos += 4; 2026 } 2027 #endif /* CONFIG_IEEE80211R */ 2028 2029 wpa_send_eapol(sm->wpa_auth, sm, 2030 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2031 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2032 WPA_KEY_INFO_KEY_TYPE, 2033 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2034 os_free(kde); 2035 } 2036 2037 2038 SM_STATE(WPA_PTK, PTKINITDONE) 2039 { 2040 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2041 sm->EAPOLKeyReceived = FALSE; 2042 if (sm->Pair) { 2043 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2044 int klen = wpa_cipher_key_len(sm->pairwise); 2045 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2046 sm->PTK.tk1, klen)) { 2047 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2048 return; 2049 } 2050 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2051 sm->pairwise_set = TRUE; 2052 2053 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2054 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2055 eloop_register_timeout(sm->wpa_auth->conf. 2056 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2057 sm->wpa_auth, sm); 2058 } 2059 2060 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2061 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2062 WPA_EAPOL_authorized, 1); 2063 } 2064 } 2065 2066 if (0 /* IBSS == TRUE */) { 2067 sm->keycount++; 2068 if (sm->keycount == 2) { 2069 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2070 WPA_EAPOL_portValid, 1); 2071 } 2072 } else { 2073 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2074 1); 2075 } 2076 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2077 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2078 if (sm->wpa == WPA_VERSION_WPA) 2079 sm->PInitAKeys = TRUE; 2080 else 2081 sm->has_GTK = TRUE; 2082 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2083 "pairwise key handshake completed (%s)", 2084 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2085 2086 #ifdef CONFIG_IEEE80211R 2087 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2088 #endif /* CONFIG_IEEE80211R */ 2089 } 2090 2091 2092 SM_STEP(WPA_PTK) 2093 { 2094 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2095 2096 if (sm->Init) 2097 SM_ENTER(WPA_PTK, INITIALIZE); 2098 else if (sm->Disconnect 2099 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2100 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2101 "WPA_PTK: sm->Disconnect"); 2102 SM_ENTER(WPA_PTK, DISCONNECT); 2103 } 2104 else if (sm->DeauthenticationRequest) 2105 SM_ENTER(WPA_PTK, DISCONNECTED); 2106 else if (sm->AuthenticationRequest) 2107 SM_ENTER(WPA_PTK, AUTHENTICATION); 2108 else if (sm->ReAuthenticationRequest) 2109 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2110 else if (sm->PTKRequest) 2111 SM_ENTER(WPA_PTK, PTKSTART); 2112 else switch (sm->wpa_ptk_state) { 2113 case WPA_PTK_INITIALIZE: 2114 break; 2115 case WPA_PTK_DISCONNECT: 2116 SM_ENTER(WPA_PTK, DISCONNECTED); 2117 break; 2118 case WPA_PTK_DISCONNECTED: 2119 SM_ENTER(WPA_PTK, INITIALIZE); 2120 break; 2121 case WPA_PTK_AUTHENTICATION: 2122 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2123 break; 2124 case WPA_PTK_AUTHENTICATION2: 2125 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2126 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2127 WPA_EAPOL_keyRun) > 0) 2128 SM_ENTER(WPA_PTK, INITPMK); 2129 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2130 /* FIX: && 802.1X::keyRun */) 2131 SM_ENTER(WPA_PTK, INITPSK); 2132 break; 2133 case WPA_PTK_INITPMK: 2134 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2135 WPA_EAPOL_keyAvailable) > 0) 2136 SM_ENTER(WPA_PTK, PTKSTART); 2137 else { 2138 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2139 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2140 "INITPMK - keyAvailable = false"); 2141 SM_ENTER(WPA_PTK, DISCONNECT); 2142 } 2143 break; 2144 case WPA_PTK_INITPSK: 2145 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL)) 2146 SM_ENTER(WPA_PTK, PTKSTART); 2147 else { 2148 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2149 "no PSK configured for the STA"); 2150 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2151 SM_ENTER(WPA_PTK, DISCONNECT); 2152 } 2153 break; 2154 case WPA_PTK_PTKSTART: 2155 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2156 sm->EAPOLKeyPairwise) 2157 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2158 else if (sm->TimeoutCtr > 2159 (int) dot11RSNAConfigPairwiseUpdateCount) { 2160 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2161 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2162 "PTKSTART: Retry limit %d reached", 2163 dot11RSNAConfigPairwiseUpdateCount); 2164 SM_ENTER(WPA_PTK, DISCONNECT); 2165 } else if (sm->TimeoutEvt) 2166 SM_ENTER(WPA_PTK, PTKSTART); 2167 break; 2168 case WPA_PTK_PTKCALCNEGOTIATING: 2169 if (sm->MICVerified) 2170 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2171 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2172 sm->EAPOLKeyPairwise) 2173 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2174 else if (sm->TimeoutEvt) 2175 SM_ENTER(WPA_PTK, PTKSTART); 2176 break; 2177 case WPA_PTK_PTKCALCNEGOTIATING2: 2178 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2179 break; 2180 case WPA_PTK_PTKINITNEGOTIATING: 2181 if (sm->update_snonce) 2182 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2183 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2184 sm->EAPOLKeyPairwise && sm->MICVerified) 2185 SM_ENTER(WPA_PTK, PTKINITDONE); 2186 else if (sm->TimeoutCtr > 2187 (int) dot11RSNAConfigPairwiseUpdateCount) { 2188 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2189 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2190 "PTKINITNEGOTIATING: Retry limit %d " 2191 "reached", 2192 dot11RSNAConfigPairwiseUpdateCount); 2193 SM_ENTER(WPA_PTK, DISCONNECT); 2194 } else if (sm->TimeoutEvt) 2195 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2196 break; 2197 case WPA_PTK_PTKINITDONE: 2198 break; 2199 } 2200 } 2201 2202 2203 SM_STATE(WPA_PTK_GROUP, IDLE) 2204 { 2205 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2206 if (sm->Init) { 2207 /* Init flag is not cleared here, so avoid busy 2208 * loop by claiming nothing changed. */ 2209 sm->changed = FALSE; 2210 } 2211 sm->GTimeoutCtr = 0; 2212 } 2213 2214 2215 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2216 { 2217 u8 rsc[WPA_KEY_RSC_LEN]; 2218 struct wpa_group *gsm = sm->group; 2219 u8 *kde, *pos, hdr[2]; 2220 size_t kde_len; 2221 u8 *gtk, dummy_gtk[32]; 2222 2223 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2224 2225 sm->GTimeoutCtr++; 2226 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2227 /* No point in sending the EAPOL-Key - we will disconnect 2228 * immediately following this. */ 2229 return; 2230 } 2231 2232 if (sm->wpa == WPA_VERSION_WPA) 2233 sm->PInitAKeys = FALSE; 2234 sm->TimeoutEvt = FALSE; 2235 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2236 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2237 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2238 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2239 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2240 "sending 1/2 msg of Group Key Handshake"); 2241 2242 gtk = gsm->GTK[gsm->GN - 1]; 2243 if (sm->wpa_auth->conf.disable_gtk) { 2244 /* 2245 * Provide unique random GTK to each STA to prevent use 2246 * of GTK in the BSS. 2247 */ 2248 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2249 return; 2250 gtk = dummy_gtk; 2251 } 2252 if (sm->wpa == WPA_VERSION_WPA2) { 2253 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2254 ieee80211w_kde_len(sm); 2255 kde = os_malloc(kde_len); 2256 if (kde == NULL) 2257 return; 2258 2259 pos = kde; 2260 hdr[0] = gsm->GN & 0x03; 2261 hdr[1] = 0; 2262 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2263 gtk, gsm->GTK_len); 2264 pos = ieee80211w_kde_add(sm, pos); 2265 } else { 2266 kde = gtk; 2267 pos = kde + gsm->GTK_len; 2268 } 2269 2270 wpa_send_eapol(sm->wpa_auth, sm, 2271 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2272 WPA_KEY_INFO_ACK | 2273 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2274 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1); 2275 if (sm->wpa == WPA_VERSION_WPA2) 2276 os_free(kde); 2277 } 2278 2279 2280 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2281 { 2282 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2283 sm->EAPOLKeyReceived = FALSE; 2284 if (sm->GUpdateStationKeys) 2285 sm->group->GKeyDoneStations--; 2286 sm->GUpdateStationKeys = FALSE; 2287 sm->GTimeoutCtr = 0; 2288 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2289 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2290 "group key handshake completed (%s)", 2291 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2292 sm->has_GTK = TRUE; 2293 } 2294 2295 2296 SM_STATE(WPA_PTK_GROUP, KEYERROR) 2297 { 2298 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2299 if (sm->GUpdateStationKeys) 2300 sm->group->GKeyDoneStations--; 2301 sm->GUpdateStationKeys = FALSE; 2302 sm->Disconnect = TRUE; 2303 } 2304 2305 2306 SM_STEP(WPA_PTK_GROUP) 2307 { 2308 if (sm->Init || sm->PtkGroupInit) { 2309 SM_ENTER(WPA_PTK_GROUP, IDLE); 2310 sm->PtkGroupInit = FALSE; 2311 } else switch (sm->wpa_ptk_group_state) { 2312 case WPA_PTK_GROUP_IDLE: 2313 if (sm->GUpdateStationKeys || 2314 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2315 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2316 break; 2317 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2318 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2319 !sm->EAPOLKeyPairwise && sm->MICVerified) 2320 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2321 else if (sm->GTimeoutCtr > 2322 (int) dot11RSNAConfigGroupUpdateCount) 2323 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2324 else if (sm->TimeoutEvt) 2325 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2326 break; 2327 case WPA_PTK_GROUP_KEYERROR: 2328 SM_ENTER(WPA_PTK_GROUP, IDLE); 2329 break; 2330 case WPA_PTK_GROUP_REKEYESTABLISHED: 2331 SM_ENTER(WPA_PTK_GROUP, IDLE); 2332 break; 2333 } 2334 } 2335 2336 2337 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2338 struct wpa_group *group) 2339 { 2340 int ret = 0; 2341 2342 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2343 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2344 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2345 wpa_auth->addr, group->GNonce, 2346 group->GTK[group->GN - 1], group->GTK_len) < 0) 2347 ret = -1; 2348 wpa_hexdump_key(MSG_DEBUG, "GTK", 2349 group->GTK[group->GN - 1], group->GTK_len); 2350 2351 #ifdef CONFIG_IEEE80211W 2352 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2353 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2354 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2355 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2356 wpa_auth->addr, group->GNonce, 2357 group->IGTK[group->GN_igtk - 4], 2358 WPA_IGTK_LEN) < 0) 2359 ret = -1; 2360 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2361 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN); 2362 } 2363 #endif /* CONFIG_IEEE80211W */ 2364 2365 return ret; 2366 } 2367 2368 2369 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2370 struct wpa_group *group) 2371 { 2372 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2373 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2374 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2375 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2376 2377 /* GTK[0..N] = 0 */ 2378 os_memset(group->GTK, 0, sizeof(group->GTK)); 2379 group->GN = 1; 2380 group->GM = 2; 2381 #ifdef CONFIG_IEEE80211W 2382 group->GN_igtk = 4; 2383 group->GM_igtk = 5; 2384 #endif /* CONFIG_IEEE80211W */ 2385 /* GTK[GN] = CalcGTK() */ 2386 wpa_gtk_update(wpa_auth, group); 2387 } 2388 2389 2390 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2391 { 2392 if (ctx != NULL && ctx != sm->group) 2393 return 0; 2394 2395 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2396 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2397 "Not in PTKINITDONE; skip Group Key update"); 2398 sm->GUpdateStationKeys = FALSE; 2399 return 0; 2400 } 2401 if (sm->GUpdateStationKeys) { 2402 /* 2403 * This should not really happen, so add a debug log entry. 2404 * Since we clear the GKeyDoneStations before the loop, the 2405 * station needs to be counted here anyway. 2406 */ 2407 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2408 "GUpdateStationKeys was already set when " 2409 "marking station for GTK rekeying"); 2410 } 2411 2412 #ifdef CONFIG_IEEE80211V 2413 /* Do not rekey GTK/IGTK when STA is in wnmsleep */ 2414 if (sm->is_wnmsleep) 2415 return 0; 2416 #endif /* CONFIG_IEEE80211V */ 2417 2418 sm->group->GKeyDoneStations++; 2419 sm->GUpdateStationKeys = TRUE; 2420 2421 wpa_sm_step(sm); 2422 return 0; 2423 } 2424 2425 2426 #ifdef CONFIG_IEEE80211V 2427 /* update GTK when exiting wnmsleep mode */ 2428 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2429 { 2430 if (sm->is_wnmsleep) 2431 return; 2432 2433 wpa_group_update_sta(sm, NULL); 2434 } 2435 2436 2437 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2438 { 2439 sm->is_wnmsleep = !!flag; 2440 } 2441 2442 2443 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2444 { 2445 u8 *subelem; 2446 struct wpa_group *gsm = sm->group; 2447 size_t subelem_len, pad_len; 2448 const u8 *key; 2449 size_t key_len; 2450 u8 keybuf[32]; 2451 2452 /* GTK subslement */ 2453 key_len = gsm->GTK_len; 2454 if (key_len > sizeof(keybuf)) 2455 return 0; 2456 2457 /* 2458 * Pad key for AES Key Wrap if it is not multiple of 8 bytes or is less 2459 * than 16 bytes. 2460 */ 2461 pad_len = key_len % 8; 2462 if (pad_len) 2463 pad_len = 8 - pad_len; 2464 if (key_len + pad_len < 16) 2465 pad_len += 8; 2466 if (pad_len) { 2467 os_memcpy(keybuf, gsm->GTK[gsm->GN - 1], key_len); 2468 os_memset(keybuf + key_len, 0, pad_len); 2469 keybuf[key_len] = 0xdd; 2470 key_len += pad_len; 2471 key = keybuf; 2472 } else 2473 key = gsm->GTK[gsm->GN - 1]; 2474 2475 /* 2476 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2477 * Key[5..32] | 8 padding. 2478 */ 2479 subelem_len = 13 + key_len + 8; 2480 subelem = os_zalloc(subelem_len); 2481 if (subelem == NULL) 2482 return 0; 2483 2484 subelem[0] = WNM_SLEEP_SUBELEM_GTK; 2485 subelem[1] = 11 + key_len + 8; 2486 /* Key ID in B0-B1 of Key Info */ 2487 WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03); 2488 subelem[4] = gsm->GTK_len; 2489 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5) != 0) 2490 { 2491 os_free(subelem); 2492 return 0; 2493 } 2494 if (aes_wrap(sm->PTK.kek, key_len / 8, key, subelem + 13)) { 2495 os_free(subelem); 2496 return 0; 2497 } 2498 2499 os_memcpy(pos, subelem, subelem_len); 2500 2501 wpa_hexdump_key(MSG_DEBUG, "Plaintext GTK", 2502 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2503 os_free(subelem); 2504 2505 return subelem_len; 2506 } 2507 2508 2509 #ifdef CONFIG_IEEE80211W 2510 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2511 { 2512 u8 *subelem, *ptr; 2513 struct wpa_group *gsm = sm->group; 2514 size_t subelem_len; 2515 2516 /* IGTK subelement 2517 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | 2518 * Key[16] | 8 padding */ 2519 subelem_len = 1 + 1 + 2 + 6 + WPA_IGTK_LEN + 8; 2520 subelem = os_zalloc(subelem_len); 2521 if (subelem == NULL) 2522 return 0; 2523 2524 ptr = subelem; 2525 *ptr++ = WNM_SLEEP_SUBELEM_IGTK; 2526 *ptr++ = subelem_len - 2; 2527 WPA_PUT_LE16(ptr, gsm->GN_igtk); 2528 ptr += 2; 2529 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, ptr) != 0) { 2530 os_free(subelem); 2531 return 0; 2532 } 2533 ptr += 6; 2534 if (aes_wrap(sm->PTK.kek, WPA_IGTK_LEN / 8, 2535 gsm->IGTK[gsm->GN_igtk - 4], ptr)) { 2536 os_free(subelem); 2537 return -1; 2538 } 2539 2540 os_memcpy(pos, subelem, subelem_len); 2541 2542 wpa_hexdump_key(MSG_DEBUG, "Plaintext IGTK", 2543 gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2544 os_free(subelem); 2545 2546 return subelem_len; 2547 } 2548 #endif /* CONFIG_IEEE80211W */ 2549 #endif /* CONFIG_IEEE80211V */ 2550 2551 2552 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2553 struct wpa_group *group) 2554 { 2555 int tmp; 2556 2557 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2558 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2559 group->changed = TRUE; 2560 group->wpa_group_state = WPA_GROUP_SETKEYS; 2561 group->GTKReKey = FALSE; 2562 tmp = group->GM; 2563 group->GM = group->GN; 2564 group->GN = tmp; 2565 #ifdef CONFIG_IEEE80211W 2566 tmp = group->GM_igtk; 2567 group->GM_igtk = group->GN_igtk; 2568 group->GN_igtk = tmp; 2569 #endif /* CONFIG_IEEE80211W */ 2570 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2571 * counting the STAs that are marked with GUpdateStationKeys instead of 2572 * including all STAs that could be in not-yet-completed state. */ 2573 wpa_gtk_update(wpa_auth, group); 2574 2575 if (group->GKeyDoneStations) { 2576 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2577 "GKeyDoneStations=%d when starting new GTK rekey", 2578 group->GKeyDoneStations); 2579 group->GKeyDoneStations = 0; 2580 } 2581 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2582 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2583 group->GKeyDoneStations); 2584 } 2585 2586 2587 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2588 struct wpa_group *group) 2589 { 2590 int ret = 0; 2591 2592 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2593 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2594 broadcast_ether_addr, group->GN, 2595 group->GTK[group->GN - 1], group->GTK_len) < 0) 2596 ret = -1; 2597 2598 #ifdef CONFIG_IEEE80211W 2599 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && 2600 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK, 2601 broadcast_ether_addr, group->GN_igtk, 2602 group->IGTK[group->GN_igtk - 4], 2603 WPA_IGTK_LEN) < 0) 2604 ret = -1; 2605 #endif /* CONFIG_IEEE80211W */ 2606 2607 return ret; 2608 } 2609 2610 2611 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2612 struct wpa_group *group) 2613 { 2614 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2615 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2616 group->changed = TRUE; 2617 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2618 2619 if (wpa_group_config_group_keys(wpa_auth, group) < 0) 2620 return -1; 2621 2622 return 0; 2623 } 2624 2625 2626 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2627 struct wpa_group *group) 2628 { 2629 if (group->GInit) { 2630 wpa_group_gtk_init(wpa_auth, group); 2631 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2632 group->GTKAuthenticator) { 2633 wpa_group_setkeysdone(wpa_auth, group); 2634 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2635 group->GTKReKey) { 2636 wpa_group_setkeys(wpa_auth, group); 2637 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2638 if (group->GKeyDoneStations == 0) 2639 wpa_group_setkeysdone(wpa_auth, group); 2640 else if (group->GTKReKey) 2641 wpa_group_setkeys(wpa_auth, group); 2642 } 2643 } 2644 2645 2646 static int wpa_sm_step(struct wpa_state_machine *sm) 2647 { 2648 if (sm == NULL) 2649 return 0; 2650 2651 if (sm->in_step_loop) { 2652 /* This should not happen, but if it does, make sure we do not 2653 * end up freeing the state machine too early by exiting the 2654 * recursive call. */ 2655 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2656 return 0; 2657 } 2658 2659 sm->in_step_loop = 1; 2660 do { 2661 if (sm->pending_deinit) 2662 break; 2663 2664 sm->changed = FALSE; 2665 sm->wpa_auth->group->changed = FALSE; 2666 2667 SM_STEP_RUN(WPA_PTK); 2668 if (sm->pending_deinit) 2669 break; 2670 SM_STEP_RUN(WPA_PTK_GROUP); 2671 if (sm->pending_deinit) 2672 break; 2673 wpa_group_sm_step(sm->wpa_auth, sm->group); 2674 } while (sm->changed || sm->wpa_auth->group->changed); 2675 sm->in_step_loop = 0; 2676 2677 if (sm->pending_deinit) { 2678 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2679 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2680 wpa_free_sta_sm(sm); 2681 return 1; 2682 } 2683 return 0; 2684 } 2685 2686 2687 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2688 { 2689 struct wpa_state_machine *sm = eloop_ctx; 2690 wpa_sm_step(sm); 2691 } 2692 2693 2694 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2695 { 2696 if (sm == NULL) 2697 return; 2698 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2699 } 2700 2701 2702 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2703 { 2704 int tmp, i; 2705 struct wpa_group *group; 2706 2707 if (wpa_auth == NULL) 2708 return; 2709 2710 group = wpa_auth->group; 2711 2712 for (i = 0; i < 2; i++) { 2713 tmp = group->GM; 2714 group->GM = group->GN; 2715 group->GN = tmp; 2716 #ifdef CONFIG_IEEE80211W 2717 tmp = group->GM_igtk; 2718 group->GM_igtk = group->GN_igtk; 2719 group->GN_igtk = tmp; 2720 #endif /* CONFIG_IEEE80211W */ 2721 wpa_gtk_update(wpa_auth, group); 2722 wpa_group_config_group_keys(wpa_auth, group); 2723 } 2724 } 2725 2726 2727 static const char * wpa_bool_txt(int bool) 2728 { 2729 return bool ? "TRUE" : "FALSE"; 2730 } 2731 2732 2733 #define RSN_SUITE "%02x-%02x-%02x-%d" 2734 #define RSN_SUITE_ARG(s) \ 2735 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2736 2737 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2738 { 2739 int len = 0, ret; 2740 char pmkid_txt[PMKID_LEN * 2 + 1]; 2741 #ifdef CONFIG_RSN_PREAUTH 2742 const int preauth = 1; 2743 #else /* CONFIG_RSN_PREAUTH */ 2744 const int preauth = 0; 2745 #endif /* CONFIG_RSN_PREAUTH */ 2746 2747 if (wpa_auth == NULL) 2748 return len; 2749 2750 ret = os_snprintf(buf + len, buflen - len, 2751 "dot11RSNAOptionImplemented=TRUE\n" 2752 "dot11RSNAPreauthenticationImplemented=%s\n" 2753 "dot11RSNAEnabled=%s\n" 2754 "dot11RSNAPreauthenticationEnabled=%s\n", 2755 wpa_bool_txt(preauth), 2756 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2757 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2758 if (ret < 0 || (size_t) ret >= buflen - len) 2759 return len; 2760 len += ret; 2761 2762 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2763 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2764 2765 ret = os_snprintf( 2766 buf + len, buflen - len, 2767 "dot11RSNAConfigVersion=%u\n" 2768 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2769 /* FIX: dot11RSNAConfigGroupCipher */ 2770 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2771 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2772 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2773 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2774 "dot11RSNAConfigGroupUpdateCount=%u\n" 2775 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2776 "dot11RSNAConfigGroupCipherSize=%u\n" 2777 "dot11RSNAConfigPMKLifetime=%u\n" 2778 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2779 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2780 "dot11RSNAConfigSATimeout=%u\n" 2781 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2782 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2783 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2784 "dot11RSNAPMKIDUsed=%s\n" 2785 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2786 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2787 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2788 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 2789 "dot11RSNA4WayHandshakeFailures=%u\n" 2790 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 2791 RSN_VERSION, 2792 !!wpa_auth->conf.wpa_strict_rekey, 2793 dot11RSNAConfigGroupUpdateCount, 2794 dot11RSNAConfigPairwiseUpdateCount, 2795 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 2796 dot11RSNAConfigPMKLifetime, 2797 dot11RSNAConfigPMKReauthThreshold, 2798 dot11RSNAConfigSATimeout, 2799 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 2800 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 2801 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 2802 pmkid_txt, 2803 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 2804 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 2805 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 2806 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 2807 wpa_auth->dot11RSNA4WayHandshakeFailures); 2808 if (ret < 0 || (size_t) ret >= buflen - len) 2809 return len; 2810 len += ret; 2811 2812 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 2813 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 2814 2815 /* Private MIB */ 2816 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 2817 wpa_auth->group->wpa_group_state); 2818 if (ret < 0 || (size_t) ret >= buflen - len) 2819 return len; 2820 len += ret; 2821 2822 return len; 2823 } 2824 2825 2826 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 2827 { 2828 int len = 0, ret; 2829 u32 pairwise = 0; 2830 2831 if (sm == NULL) 2832 return 0; 2833 2834 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 2835 2836 /* dot11RSNAStatsEntry */ 2837 2838 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 2839 WPA_PROTO_RSN : WPA_PROTO_WPA, 2840 sm->pairwise); 2841 if (pairwise == 0) 2842 return 0; 2843 2844 ret = os_snprintf( 2845 buf + len, buflen - len, 2846 /* TODO: dot11RSNAStatsIndex */ 2847 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 2848 "dot11RSNAStatsVersion=1\n" 2849 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 2850 /* TODO: dot11RSNAStatsTKIPICVErrors */ 2851 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 2852 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 2853 /* TODO: dot11RSNAStatsCCMPReplays */ 2854 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 2855 /* TODO: dot11RSNAStatsTKIPReplays */, 2856 MAC2STR(sm->addr), 2857 RSN_SUITE_ARG(pairwise), 2858 sm->dot11RSNAStatsTKIPLocalMICFailures, 2859 sm->dot11RSNAStatsTKIPRemoteMICFailures); 2860 if (ret < 0 || (size_t) ret >= buflen - len) 2861 return len; 2862 len += ret; 2863 2864 /* Private MIB */ 2865 ret = os_snprintf(buf + len, buflen - len, 2866 "hostapdWPAPTKState=%d\n" 2867 "hostapdWPAPTKGroupState=%d\n", 2868 sm->wpa_ptk_state, 2869 sm->wpa_ptk_group_state); 2870 if (ret < 0 || (size_t) ret >= buflen - len) 2871 return len; 2872 len += ret; 2873 2874 return len; 2875 } 2876 2877 2878 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 2879 { 2880 if (wpa_auth) 2881 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 2882 } 2883 2884 2885 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 2886 { 2887 return sm && sm->pairwise_set; 2888 } 2889 2890 2891 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 2892 { 2893 return sm->pairwise; 2894 } 2895 2896 2897 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 2898 { 2899 if (sm == NULL) 2900 return -1; 2901 return sm->wpa_key_mgmt; 2902 } 2903 2904 2905 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 2906 { 2907 if (sm == NULL) 2908 return 0; 2909 return sm->wpa; 2910 } 2911 2912 2913 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 2914 struct rsn_pmksa_cache_entry *entry) 2915 { 2916 if (sm == NULL || sm->pmksa != entry) 2917 return -1; 2918 sm->pmksa = NULL; 2919 return 0; 2920 } 2921 2922 2923 struct rsn_pmksa_cache_entry * 2924 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 2925 { 2926 return sm ? sm->pmksa : NULL; 2927 } 2928 2929 2930 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 2931 { 2932 if (sm) 2933 sm->dot11RSNAStatsTKIPLocalMICFailures++; 2934 } 2935 2936 2937 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 2938 { 2939 if (wpa_auth == NULL) 2940 return NULL; 2941 *len = wpa_auth->wpa_ie_len; 2942 return wpa_auth->wpa_ie; 2943 } 2944 2945 2946 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 2947 int session_timeout, struct eapol_state_machine *eapol) 2948 { 2949 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 2950 sm->wpa_auth->conf.disable_pmksa_caching) 2951 return -1; 2952 2953 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 2954 sm->wpa_auth->addr, sm->addr, session_timeout, 2955 eapol, sm->wpa_key_mgmt)) 2956 return 0; 2957 2958 return -1; 2959 } 2960 2961 2962 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 2963 const u8 *pmk, size_t len, const u8 *sta_addr, 2964 int session_timeout, 2965 struct eapol_state_machine *eapol) 2966 { 2967 if (wpa_auth == NULL) 2968 return -1; 2969 2970 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr, 2971 sta_addr, session_timeout, eapol, 2972 WPA_KEY_MGMT_IEEE8021X)) 2973 return 0; 2974 2975 return -1; 2976 } 2977 2978 2979 static struct wpa_group * 2980 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 2981 { 2982 struct wpa_group *group; 2983 2984 if (wpa_auth == NULL || wpa_auth->group == NULL) 2985 return NULL; 2986 2987 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 2988 vlan_id); 2989 group = wpa_group_init(wpa_auth, vlan_id, 0); 2990 if (group == NULL) 2991 return NULL; 2992 2993 group->next = wpa_auth->group->next; 2994 wpa_auth->group->next = group; 2995 2996 return group; 2997 } 2998 2999 3000 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 3001 { 3002 struct wpa_group *group; 3003 3004 if (sm == NULL || sm->wpa_auth == NULL) 3005 return 0; 3006 3007 group = sm->wpa_auth->group; 3008 while (group) { 3009 if (group->vlan_id == vlan_id) 3010 break; 3011 group = group->next; 3012 } 3013 3014 if (group == NULL) { 3015 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3016 if (group == NULL) 3017 return -1; 3018 } 3019 3020 if (sm->group == group) 3021 return 0; 3022 3023 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3024 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3025 3026 sm->group = group; 3027 return 0; 3028 } 3029 3030 3031 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3032 struct wpa_state_machine *sm, int ack) 3033 { 3034 if (wpa_auth == NULL || sm == NULL) 3035 return; 3036 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3037 " ack=%d", MAC2STR(sm->addr), ack); 3038 if (sm->pending_1_of_4_timeout && ack) { 3039 /* 3040 * Some deployed supplicant implementations update their SNonce 3041 * for each EAPOL-Key 2/4 message even within the same 4-way 3042 * handshake and then fail to use the first SNonce when 3043 * deriving the PTK. This results in unsuccessful 4-way 3044 * handshake whenever the relatively short initial timeout is 3045 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3046 * around this by increasing the timeout now that we know that 3047 * the station has received the frame. 3048 */ 3049 int timeout_ms = eapol_key_timeout_subseq; 3050 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3051 "timeout by %u ms because of acknowledged frame", 3052 timeout_ms); 3053 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3054 eloop_register_timeout(timeout_ms / 1000, 3055 (timeout_ms % 1000) * 1000, 3056 wpa_send_eapol_timeout, wpa_auth, sm); 3057 } 3058 } 3059
