1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "crypto/aes_wrap.h" 17 #include "crypto/crypto.h" 18 #include "crypto/sha1.h" 19 #include "crypto/sha256.h" 20 #include "crypto/random.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "ap_config.h" 23 #include "ieee802_11.h" 24 #include "wpa_auth.h" 25 #include "pmksa_cache_auth.h" 26 #include "wpa_auth_i.h" 27 #include "wpa_auth_ie.h" 28 29 #define STATE_MACHINE_DATA struct wpa_state_machine 30 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 31 #define STATE_MACHINE_ADDR sm->addr 32 33 34 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 35 static int wpa_sm_step(struct wpa_state_machine *sm); 36 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 37 size_t data_len); 38 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 39 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 40 struct wpa_group *group); 41 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 42 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 45 struct wpa_group *group); 46 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 47 const u8 *pmk, unsigned int pmk_len, 48 struct wpa_ptk *ptk); 49 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 50 struct wpa_group *group); 51 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 52 struct wpa_group *group); 53 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 54 struct wpa_group *group); 55 56 static const u32 dot11RSNAConfigGroupUpdateCount = 4; 57 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 58 static const u32 eapol_key_timeout_first = 100; /* ms */ 59 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 60 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 61 62 /* TODO: make these configurable */ 63 static const int dot11RSNAConfigPMKLifetime = 43200; 64 static const int dot11RSNAConfigPMKReauthThreshold = 70; 65 static const int dot11RSNAConfigSATimeout = 60; 66 67 68 static inline int wpa_auth_mic_failure_report( 69 struct wpa_authenticator *wpa_auth, const u8 *addr) 70 { 71 if (wpa_auth->cb.mic_failure_report) 72 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 73 return 0; 74 } 75 76 77 static inline void wpa_auth_psk_failure_report( 78 struct wpa_authenticator *wpa_auth, const u8 *addr) 79 { 80 if (wpa_auth->cb.psk_failure_report) 81 wpa_auth->cb.psk_failure_report(wpa_auth->cb.ctx, addr); 82 } 83 84 85 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 86 const u8 *addr, wpa_eapol_variable var, 87 int value) 88 { 89 if (wpa_auth->cb.set_eapol) 90 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 91 } 92 93 94 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 95 const u8 *addr, wpa_eapol_variable var) 96 { 97 if (wpa_auth->cb.get_eapol == NULL) 98 return -1; 99 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 100 } 101 102 103 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 104 const u8 *addr, 105 const u8 *p2p_dev_addr, 106 const u8 *prev_psk) 107 { 108 if (wpa_auth->cb.get_psk == NULL) 109 return NULL; 110 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr, 111 prev_psk); 112 } 113 114 115 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 116 const u8 *addr, u8 *msk, size_t *len) 117 { 118 if (wpa_auth->cb.get_msk == NULL) 119 return -1; 120 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 121 } 122 123 124 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 125 int vlan_id, 126 enum wpa_alg alg, const u8 *addr, int idx, 127 u8 *key, size_t key_len) 128 { 129 if (wpa_auth->cb.set_key == NULL) 130 return -1; 131 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 132 key, key_len); 133 } 134 135 136 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 137 const u8 *addr, int idx, u8 *seq) 138 { 139 if (wpa_auth->cb.get_seqnum == NULL) 140 return -1; 141 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 142 } 143 144 145 static inline int 146 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 147 const u8 *data, size_t data_len, int encrypt) 148 { 149 if (wpa_auth->cb.send_eapol == NULL) 150 return -1; 151 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 152 encrypt); 153 } 154 155 156 #ifdef CONFIG_MESH 157 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 158 const u8 *addr) 159 { 160 if (wpa_auth->cb.start_ampe == NULL) 161 return -1; 162 return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr); 163 } 164 #endif /* CONFIG_MESH */ 165 166 167 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 168 int (*cb)(struct wpa_state_machine *sm, void *ctx), 169 void *cb_ctx) 170 { 171 if (wpa_auth->cb.for_each_sta == NULL) 172 return 0; 173 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 174 } 175 176 177 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 178 int (*cb)(struct wpa_authenticator *a, void *ctx), 179 void *cb_ctx) 180 { 181 if (wpa_auth->cb.for_each_auth == NULL) 182 return 0; 183 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 184 } 185 186 187 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 188 logger_level level, const char *txt) 189 { 190 if (wpa_auth->cb.logger == NULL) 191 return; 192 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 193 } 194 195 196 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 197 logger_level level, const char *fmt, ...) 198 { 199 char *format; 200 int maxlen; 201 va_list ap; 202 203 if (wpa_auth->cb.logger == NULL) 204 return; 205 206 maxlen = os_strlen(fmt) + 100; 207 format = os_malloc(maxlen); 208 if (!format) 209 return; 210 211 va_start(ap, fmt); 212 vsnprintf(format, maxlen, fmt, ap); 213 va_end(ap); 214 215 wpa_auth_logger(wpa_auth, addr, level, format); 216 217 os_free(format); 218 } 219 220 221 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 222 const u8 *addr) 223 { 224 if (wpa_auth->cb.disconnect == NULL) 225 return; 226 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 227 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 228 WLAN_REASON_PREV_AUTH_NOT_VALID); 229 } 230 231 232 static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 233 { 234 int ret = 0; 235 #ifdef CONFIG_IEEE80211R 236 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 237 ret = 1; 238 #endif /* CONFIG_IEEE80211R */ 239 #ifdef CONFIG_IEEE80211W 240 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 241 ret = 1; 242 #endif /* CONFIG_IEEE80211W */ 243 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) 244 ret = 1; 245 return ret; 246 } 247 248 249 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 250 { 251 struct wpa_authenticator *wpa_auth = eloop_ctx; 252 253 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 254 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 255 "initialization."); 256 } else { 257 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 258 wpa_hexdump_key(MSG_DEBUG, "GMK", 259 wpa_auth->group->GMK, WPA_GMK_LEN); 260 } 261 262 if (wpa_auth->conf.wpa_gmk_rekey) { 263 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 264 wpa_rekey_gmk, wpa_auth, NULL); 265 } 266 } 267 268 269 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 270 { 271 struct wpa_authenticator *wpa_auth = eloop_ctx; 272 struct wpa_group *group, *next; 273 274 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 275 group = wpa_auth->group; 276 while (group) { 277 wpa_group_get(wpa_auth, group); 278 279 group->GTKReKey = TRUE; 280 do { 281 group->changed = FALSE; 282 wpa_group_sm_step(wpa_auth, group); 283 } while (group->changed); 284 285 next = group->next; 286 wpa_group_put(wpa_auth, group); 287 group = next; 288 } 289 290 if (wpa_auth->conf.wpa_group_rekey) { 291 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 292 0, wpa_rekey_gtk, wpa_auth, NULL); 293 } 294 } 295 296 297 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 298 { 299 struct wpa_authenticator *wpa_auth = eloop_ctx; 300 struct wpa_state_machine *sm = timeout_ctx; 301 302 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 303 wpa_request_new_ptk(sm); 304 wpa_sm_step(sm); 305 } 306 307 308 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 309 { 310 if (sm->pmksa == ctx) 311 sm->pmksa = NULL; 312 return 0; 313 } 314 315 316 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 317 void *ctx) 318 { 319 struct wpa_authenticator *wpa_auth = ctx; 320 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 321 } 322 323 324 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 325 struct wpa_group *group) 326 { 327 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 328 u8 rkey[32]; 329 unsigned long ptr; 330 331 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 332 return -1; 333 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 334 335 /* 336 * Counter = PRF-256(Random number, "Init Counter", 337 * Local MAC Address || Time) 338 */ 339 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 340 wpa_get_ntp_timestamp(buf + ETH_ALEN); 341 ptr = (unsigned long) group; 342 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 343 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 344 return -1; 345 346 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 347 group->Counter, WPA_NONCE_LEN) < 0) 348 return -1; 349 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 350 group->Counter, WPA_NONCE_LEN); 351 352 return 0; 353 } 354 355 356 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 357 int vlan_id, int delay_init) 358 { 359 struct wpa_group *group; 360 361 group = os_zalloc(sizeof(struct wpa_group)); 362 if (group == NULL) 363 return NULL; 364 365 group->GTKAuthenticator = TRUE; 366 group->vlan_id = vlan_id; 367 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 368 369 if (random_pool_ready() != 1) { 370 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 371 "for secure operations - update keys later when " 372 "the first station connects"); 373 } 374 375 /* 376 * Set initial GMK/Counter value here. The actual values that will be 377 * used in negotiations will be set once the first station tries to 378 * connect. This allows more time for collecting additional randomness 379 * on embedded devices. 380 */ 381 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 382 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 383 "initialization."); 384 os_free(group); 385 return NULL; 386 } 387 388 group->GInit = TRUE; 389 if (delay_init) { 390 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 391 "until Beacon frames have been configured"); 392 /* Initialization is completed in wpa_init_keys(). */ 393 } else { 394 wpa_group_sm_step(wpa_auth, group); 395 group->GInit = FALSE; 396 wpa_group_sm_step(wpa_auth, group); 397 } 398 399 return group; 400 } 401 402 403 /** 404 * wpa_init - Initialize WPA authenticator 405 * @addr: Authenticator address 406 * @conf: Configuration for WPA authenticator 407 * @cb: Callback functions for WPA authenticator 408 * Returns: Pointer to WPA authenticator data or %NULL on failure 409 */ 410 struct wpa_authenticator * wpa_init(const u8 *addr, 411 struct wpa_auth_config *conf, 412 struct wpa_auth_callbacks *cb) 413 { 414 struct wpa_authenticator *wpa_auth; 415 416 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 417 if (wpa_auth == NULL) 418 return NULL; 419 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 420 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 421 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 422 423 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 424 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 425 os_free(wpa_auth); 426 return NULL; 427 } 428 429 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 430 if (wpa_auth->group == NULL) { 431 os_free(wpa_auth->wpa_ie); 432 os_free(wpa_auth); 433 return NULL; 434 } 435 436 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 437 wpa_auth); 438 if (wpa_auth->pmksa == NULL) { 439 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 440 os_free(wpa_auth->group); 441 os_free(wpa_auth->wpa_ie); 442 os_free(wpa_auth); 443 return NULL; 444 } 445 446 #ifdef CONFIG_IEEE80211R 447 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 448 if (wpa_auth->ft_pmk_cache == NULL) { 449 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 450 os_free(wpa_auth->group); 451 os_free(wpa_auth->wpa_ie); 452 pmksa_cache_auth_deinit(wpa_auth->pmksa); 453 os_free(wpa_auth); 454 return NULL; 455 } 456 #endif /* CONFIG_IEEE80211R */ 457 458 if (wpa_auth->conf.wpa_gmk_rekey) { 459 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 460 wpa_rekey_gmk, wpa_auth, NULL); 461 } 462 463 if (wpa_auth->conf.wpa_group_rekey) { 464 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 465 wpa_rekey_gtk, wpa_auth, NULL); 466 } 467 468 #ifdef CONFIG_P2P 469 if (WPA_GET_BE32(conf->ip_addr_start)) { 470 int count = WPA_GET_BE32(conf->ip_addr_end) - 471 WPA_GET_BE32(conf->ip_addr_start) + 1; 472 if (count > 1000) 473 count = 1000; 474 if (count > 0) 475 wpa_auth->ip_pool = bitfield_alloc(count); 476 } 477 #endif /* CONFIG_P2P */ 478 479 return wpa_auth; 480 } 481 482 483 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 484 { 485 struct wpa_group *group = wpa_auth->group; 486 487 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 488 "keys"); 489 wpa_group_sm_step(wpa_auth, group); 490 group->GInit = FALSE; 491 wpa_group_sm_step(wpa_auth, group); 492 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 493 return -1; 494 return 0; 495 } 496 497 498 /** 499 * wpa_deinit - Deinitialize WPA authenticator 500 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 501 */ 502 void wpa_deinit(struct wpa_authenticator *wpa_auth) 503 { 504 struct wpa_group *group, *prev; 505 506 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 507 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 508 509 #ifdef CONFIG_PEERKEY 510 while (wpa_auth->stsl_negotiations) 511 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 512 #endif /* CONFIG_PEERKEY */ 513 514 pmksa_cache_auth_deinit(wpa_auth->pmksa); 515 516 #ifdef CONFIG_IEEE80211R 517 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 518 wpa_auth->ft_pmk_cache = NULL; 519 #endif /* CONFIG_IEEE80211R */ 520 521 #ifdef CONFIG_P2P 522 bitfield_free(wpa_auth->ip_pool); 523 #endif /* CONFIG_P2P */ 524 525 526 os_free(wpa_auth->wpa_ie); 527 528 group = wpa_auth->group; 529 while (group) { 530 prev = group; 531 group = group->next; 532 os_free(prev); 533 } 534 535 os_free(wpa_auth); 536 } 537 538 539 /** 540 * wpa_reconfig - Update WPA authenticator configuration 541 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 542 * @conf: Configuration for WPA authenticator 543 */ 544 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 545 struct wpa_auth_config *conf) 546 { 547 struct wpa_group *group; 548 if (wpa_auth == NULL) 549 return 0; 550 551 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 552 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 553 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 554 return -1; 555 } 556 557 /* 558 * Reinitialize GTK to make sure it is suitable for the new 559 * configuration. 560 */ 561 group = wpa_auth->group; 562 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 563 group->GInit = TRUE; 564 wpa_group_sm_step(wpa_auth, group); 565 group->GInit = FALSE; 566 wpa_group_sm_step(wpa_auth, group); 567 568 return 0; 569 } 570 571 572 struct wpa_state_machine * 573 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 574 const u8 *p2p_dev_addr) 575 { 576 struct wpa_state_machine *sm; 577 578 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 579 return NULL; 580 581 sm = os_zalloc(sizeof(struct wpa_state_machine)); 582 if (sm == NULL) 583 return NULL; 584 os_memcpy(sm->addr, addr, ETH_ALEN); 585 if (p2p_dev_addr) 586 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 587 588 sm->wpa_auth = wpa_auth; 589 sm->group = wpa_auth->group; 590 wpa_group_get(sm->wpa_auth, sm->group); 591 592 return sm; 593 } 594 595 596 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 597 struct wpa_state_machine *sm) 598 { 599 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 600 return -1; 601 602 #ifdef CONFIG_IEEE80211R 603 if (sm->ft_completed) { 604 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 605 "FT authentication already completed - do not " 606 "start 4-way handshake"); 607 /* Go to PTKINITDONE state to allow GTK rekeying */ 608 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 609 return 0; 610 } 611 #endif /* CONFIG_IEEE80211R */ 612 613 if (sm->started) { 614 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 615 sm->ReAuthenticationRequest = TRUE; 616 return wpa_sm_step(sm); 617 } 618 619 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 620 "start authentication"); 621 sm->started = 1; 622 623 sm->Init = TRUE; 624 if (wpa_sm_step(sm) == 1) 625 return 1; /* should not really happen */ 626 sm->Init = FALSE; 627 sm->AuthenticationRequest = TRUE; 628 return wpa_sm_step(sm); 629 } 630 631 632 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 633 { 634 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 635 * reassociates back to the same AP while the previous entry for the 636 * STA has not yet been removed. */ 637 if (sm == NULL) 638 return; 639 640 sm->wpa_key_mgmt = 0; 641 } 642 643 644 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 645 { 646 #ifdef CONFIG_P2P 647 if (WPA_GET_BE32(sm->ip_addr)) { 648 u32 start; 649 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 650 "address %u.%u.%u.%u from " MACSTR, 651 sm->ip_addr[0], sm->ip_addr[1], 652 sm->ip_addr[2], sm->ip_addr[3], 653 MAC2STR(sm->addr)); 654 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 655 bitfield_clear(sm->wpa_auth->ip_pool, 656 WPA_GET_BE32(sm->ip_addr) - start); 657 } 658 #endif /* CONFIG_P2P */ 659 if (sm->GUpdateStationKeys) { 660 sm->group->GKeyDoneStations--; 661 sm->GUpdateStationKeys = FALSE; 662 } 663 #ifdef CONFIG_IEEE80211R 664 os_free(sm->assoc_resp_ftie); 665 wpabuf_free(sm->ft_pending_req_ies); 666 #endif /* CONFIG_IEEE80211R */ 667 os_free(sm->last_rx_eapol_key); 668 os_free(sm->wpa_ie); 669 wpa_group_put(sm->wpa_auth, sm->group); 670 os_free(sm); 671 } 672 673 674 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 675 { 676 if (sm == NULL) 677 return; 678 679 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 680 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 681 "strict rekeying - force GTK rekey since STA " 682 "is leaving"); 683 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 684 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 685 NULL); 686 } 687 688 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 689 sm->pending_1_of_4_timeout = 0; 690 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 691 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 692 if (sm->in_step_loop) { 693 /* Must not free state machine while wpa_sm_step() is running. 694 * Freeing will be completed in the end of wpa_sm_step(). */ 695 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 696 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 697 sm->pending_deinit = 1; 698 } else 699 wpa_free_sta_sm(sm); 700 } 701 702 703 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 704 { 705 if (sm == NULL) 706 return; 707 708 sm->PTKRequest = TRUE; 709 sm->PTK_valid = 0; 710 } 711 712 713 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 714 const u8 *replay_counter) 715 { 716 int i; 717 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 718 if (!ctr[i].valid) 719 break; 720 if (os_memcmp(replay_counter, ctr[i].counter, 721 WPA_REPLAY_COUNTER_LEN) == 0) 722 return 1; 723 } 724 return 0; 725 } 726 727 728 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 729 const u8 *replay_counter) 730 { 731 int i; 732 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 733 if (ctr[i].valid && 734 (replay_counter == NULL || 735 os_memcmp(replay_counter, ctr[i].counter, 736 WPA_REPLAY_COUNTER_LEN) == 0)) 737 ctr[i].valid = FALSE; 738 } 739 } 740 741 742 #ifdef CONFIG_IEEE80211R 743 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 744 struct wpa_state_machine *sm, 745 struct wpa_eapol_ie_parse *kde) 746 { 747 struct wpa_ie_data ie; 748 struct rsn_mdie *mdie; 749 750 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 751 ie.num_pmkid != 1 || ie.pmkid == NULL) { 752 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 753 "FT 4-way handshake message 2/4"); 754 return -1; 755 } 756 757 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 758 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 759 sm->sup_pmk_r1_name, PMKID_LEN); 760 761 if (!kde->mdie || !kde->ftie) { 762 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 763 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 764 return -1; 765 } 766 767 mdie = (struct rsn_mdie *) (kde->mdie + 2); 768 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 769 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 770 MOBILITY_DOMAIN_ID_LEN) != 0) { 771 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 772 return -1; 773 } 774 775 if (sm->assoc_resp_ftie && 776 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 777 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 778 2 + sm->assoc_resp_ftie[1]) != 0)) { 779 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 780 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 781 kde->ftie, kde->ftie_len); 782 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 783 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 784 return -1; 785 } 786 787 return 0; 788 } 789 #endif /* CONFIG_IEEE80211R */ 790 791 792 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 793 struct wpa_state_machine *sm, int group) 794 { 795 /* Supplicant reported a Michael MIC error */ 796 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 797 "received EAPOL-Key Error Request " 798 "(STA detected Michael MIC failure (group=%d))", 799 group); 800 801 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 802 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 803 "ignore Michael MIC failure report since " 804 "group cipher is not TKIP"); 805 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 806 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 807 "ignore Michael MIC failure report since " 808 "pairwise cipher is not TKIP"); 809 } else { 810 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 811 return 1; /* STA entry was removed */ 812 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 813 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 814 } 815 816 /* 817 * Error report is not a request for a new key handshake, but since 818 * Authenticator may do it, let's change the keys now anyway. 819 */ 820 wpa_request_new_ptk(sm); 821 return 0; 822 } 823 824 825 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 826 size_t data_len) 827 { 828 struct wpa_ptk PTK; 829 int ok = 0; 830 const u8 *pmk = NULL; 831 unsigned int pmk_len; 832 833 for (;;) { 834 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 835 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 836 sm->p2p_dev_addr, pmk); 837 if (pmk == NULL) 838 break; 839 pmk_len = PMK_LEN; 840 } else { 841 pmk = sm->PMK; 842 pmk_len = sm->pmk_len; 843 } 844 845 wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK); 846 847 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len) 848 == 0) { 849 ok = 1; 850 break; 851 } 852 853 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 854 break; 855 } 856 857 if (!ok) { 858 wpa_printf(MSG_DEBUG, 859 "WPA: Earlier SNonce did not result in matching MIC"); 860 return -1; 861 } 862 863 wpa_printf(MSG_DEBUG, 864 "WPA: Earlier SNonce resulted in matching MIC"); 865 sm->alt_snonce_valid = 0; 866 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 867 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 868 sm->PTK_valid = TRUE; 869 870 return 0; 871 } 872 873 874 void wpa_receive(struct wpa_authenticator *wpa_auth, 875 struct wpa_state_machine *sm, 876 u8 *data, size_t data_len) 877 { 878 struct ieee802_1x_hdr *hdr; 879 struct wpa_eapol_key *key; 880 struct wpa_eapol_key_192 *key192; 881 u16 key_info, key_data_length; 882 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 883 SMK_M1, SMK_M3, SMK_ERROR } msg; 884 char *msgtxt; 885 struct wpa_eapol_ie_parse kde; 886 int ft; 887 const u8 *eapol_key_ie, *key_data; 888 size_t eapol_key_ie_len, keyhdrlen, mic_len; 889 890 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 891 return; 892 893 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 894 keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key); 895 896 if (data_len < sizeof(*hdr) + keyhdrlen) 897 return; 898 899 hdr = (struct ieee802_1x_hdr *) data; 900 key = (struct wpa_eapol_key *) (hdr + 1); 901 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 902 key_info = WPA_GET_BE16(key->key_info); 903 if (mic_len == 24) { 904 key_data = (const u8 *) (key192 + 1); 905 key_data_length = WPA_GET_BE16(key192->key_data_length); 906 } else { 907 key_data = (const u8 *) (key + 1); 908 key_data_length = WPA_GET_BE16(key->key_data_length); 909 } 910 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 911 " key_info=0x%x type=%u key_data_length=%u", 912 MAC2STR(sm->addr), key_info, key->type, key_data_length); 913 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 914 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 915 "key_data overflow (%d > %lu)", 916 key_data_length, 917 (unsigned long) (data_len - sizeof(*hdr) - 918 keyhdrlen)); 919 return; 920 } 921 922 if (sm->wpa == WPA_VERSION_WPA2) { 923 if (key->type == EAPOL_KEY_TYPE_WPA) { 924 /* 925 * Some deployed station implementations seem to send 926 * msg 4/4 with incorrect type value in WPA2 mode. 927 */ 928 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 929 "with unexpected WPA type in RSN mode"); 930 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 931 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 932 "unexpected type %d in RSN mode", 933 key->type); 934 return; 935 } 936 } else { 937 if (key->type != EAPOL_KEY_TYPE_WPA) { 938 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 939 "unexpected type %d in WPA mode", 940 key->type); 941 return; 942 } 943 } 944 945 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 946 WPA_NONCE_LEN); 947 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 948 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 949 950 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 951 * are set */ 952 953 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 954 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 955 if (key_info & WPA_KEY_INFO_ERROR) { 956 msg = SMK_ERROR; 957 msgtxt = "SMK Error"; 958 } else { 959 msg = SMK_M1; 960 msgtxt = "SMK M1"; 961 } 962 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 963 msg = SMK_M3; 964 msgtxt = "SMK M3"; 965 } else if (key_info & WPA_KEY_INFO_REQUEST) { 966 msg = REQUEST; 967 msgtxt = "Request"; 968 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 969 msg = GROUP_2; 970 msgtxt = "2/2 Group"; 971 } else if (key_data_length == 0) { 972 msg = PAIRWISE_4; 973 msgtxt = "4/4 Pairwise"; 974 } else { 975 msg = PAIRWISE_2; 976 msgtxt = "2/4 Pairwise"; 977 } 978 979 /* TODO: key_info type validation for PeerKey */ 980 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 981 msg == GROUP_2) { 982 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 983 if (sm->pairwise == WPA_CIPHER_CCMP || 984 sm->pairwise == WPA_CIPHER_GCMP) { 985 if (wpa_use_aes_cmac(sm) && 986 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN && 987 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 988 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 989 wpa_auth_logger(wpa_auth, sm->addr, 990 LOGGER_WARNING, 991 "advertised support for " 992 "AES-128-CMAC, but did not " 993 "use it"); 994 return; 995 } 996 997 if (!wpa_use_aes_cmac(sm) && 998 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 999 wpa_auth_logger(wpa_auth, sm->addr, 1000 LOGGER_WARNING, 1001 "did not use HMAC-SHA1-AES " 1002 "with CCMP/GCMP"); 1003 return; 1004 } 1005 } 1006 1007 if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 1008 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1009 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1010 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1011 return; 1012 } 1013 } 1014 1015 if (key_info & WPA_KEY_INFO_REQUEST) { 1016 if (sm->req_replay_counter_used && 1017 os_memcmp(key->replay_counter, sm->req_replay_counter, 1018 WPA_REPLAY_COUNTER_LEN) <= 0) { 1019 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1020 "received EAPOL-Key request with " 1021 "replayed counter"); 1022 return; 1023 } 1024 } 1025 1026 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1027 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1028 int i; 1029 1030 if (msg == PAIRWISE_2 && 1031 wpa_replay_counter_valid(sm->prev_key_replay, 1032 key->replay_counter) && 1033 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1034 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1035 { 1036 /* 1037 * Some supplicant implementations (e.g., Windows XP 1038 * WZC) update SNonce for each EAPOL-Key 2/4. This 1039 * breaks the workaround on accepting any of the 1040 * pending requests, so allow the SNonce to be updated 1041 * even if we have already sent out EAPOL-Key 3/4. 1042 */ 1043 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1044 "Process SNonce update from STA " 1045 "based on retransmitted EAPOL-Key " 1046 "1/4"); 1047 sm->update_snonce = 1; 1048 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1049 sm->alt_snonce_valid = TRUE; 1050 os_memcpy(sm->alt_replay_counter, 1051 sm->key_replay[0].counter, 1052 WPA_REPLAY_COUNTER_LEN); 1053 goto continue_processing; 1054 } 1055 1056 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1057 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1058 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1059 WPA_REPLAY_COUNTER_LEN) == 0) { 1060 /* 1061 * Supplicant may still be using the old SNonce since 1062 * there was two EAPOL-Key 2/4 messages and they had 1063 * different SNonce values. 1064 */ 1065 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1066 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1067 goto continue_processing; 1068 } 1069 1070 if (msg == PAIRWISE_2 && 1071 wpa_replay_counter_valid(sm->prev_key_replay, 1072 key->replay_counter) && 1073 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1074 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1075 "ignore retransmitted EAPOL-Key %s - " 1076 "SNonce did not change", msgtxt); 1077 } else { 1078 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1079 "received EAPOL-Key %s with " 1080 "unexpected replay counter", msgtxt); 1081 } 1082 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1083 if (!sm->key_replay[i].valid) 1084 break; 1085 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1086 sm->key_replay[i].counter, 1087 WPA_REPLAY_COUNTER_LEN); 1088 } 1089 wpa_hexdump(MSG_DEBUG, "received replay counter", 1090 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1091 return; 1092 } 1093 1094 continue_processing: 1095 switch (msg) { 1096 case PAIRWISE_2: 1097 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1098 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1099 (!sm->update_snonce || 1100 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1101 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1102 "received EAPOL-Key msg 2/4 in " 1103 "invalid state (%d) - dropped", 1104 sm->wpa_ptk_state); 1105 return; 1106 } 1107 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1108 if (sm->group->reject_4way_hs_for_entropy) { 1109 /* 1110 * The system did not have enough entropy to generate 1111 * strong random numbers. Reject the first 4-way 1112 * handshake(s) and collect some entropy based on the 1113 * information from it. Once enough entropy is 1114 * available, the next atempt will trigger GMK/Key 1115 * Counter update and the station will be allowed to 1116 * continue. 1117 */ 1118 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1119 "collect more entropy for random number " 1120 "generation"); 1121 random_mark_pool_ready(); 1122 wpa_sta_disconnect(wpa_auth, sm->addr); 1123 return; 1124 } 1125 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 1126 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1127 "received EAPOL-Key msg 2/4 with " 1128 "invalid Key Data contents"); 1129 return; 1130 } 1131 if (kde.rsn_ie) { 1132 eapol_key_ie = kde.rsn_ie; 1133 eapol_key_ie_len = kde.rsn_ie_len; 1134 } else if (kde.osen) { 1135 eapol_key_ie = kde.osen; 1136 eapol_key_ie_len = kde.osen_len; 1137 } else { 1138 eapol_key_ie = kde.wpa_ie; 1139 eapol_key_ie_len = kde.wpa_ie_len; 1140 } 1141 ft = sm->wpa == WPA_VERSION_WPA2 && 1142 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 1143 if (sm->wpa_ie == NULL || 1144 wpa_compare_rsn_ie(ft, 1145 sm->wpa_ie, sm->wpa_ie_len, 1146 eapol_key_ie, eapol_key_ie_len)) { 1147 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1148 "WPA IE from (Re)AssocReq did not " 1149 "match with msg 2/4"); 1150 if (sm->wpa_ie) { 1151 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 1152 sm->wpa_ie, sm->wpa_ie_len); 1153 } 1154 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 1155 eapol_key_ie, eapol_key_ie_len); 1156 /* MLME-DEAUTHENTICATE.request */ 1157 wpa_sta_disconnect(wpa_auth, sm->addr); 1158 return; 1159 } 1160 #ifdef CONFIG_IEEE80211R 1161 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 1162 wpa_sta_disconnect(wpa_auth, sm->addr); 1163 return; 1164 } 1165 #endif /* CONFIG_IEEE80211R */ 1166 #ifdef CONFIG_P2P 1167 if (kde.ip_addr_req && kde.ip_addr_req[0] && 1168 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 1169 int idx; 1170 wpa_printf(MSG_DEBUG, "P2P: IP address requested in " 1171 "EAPOL-Key exchange"); 1172 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 1173 if (idx >= 0) { 1174 u32 start = WPA_GET_BE32(wpa_auth->conf. 1175 ip_addr_start); 1176 bitfield_set(wpa_auth->ip_pool, idx); 1177 WPA_PUT_BE32(sm->ip_addr, start + idx); 1178 wpa_printf(MSG_DEBUG, "P2P: Assigned IP " 1179 "address %u.%u.%u.%u to " MACSTR, 1180 sm->ip_addr[0], sm->ip_addr[1], 1181 sm->ip_addr[2], sm->ip_addr[3], 1182 MAC2STR(sm->addr)); 1183 } 1184 } 1185 #endif /* CONFIG_P2P */ 1186 break; 1187 case PAIRWISE_4: 1188 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1189 !sm->PTK_valid) { 1190 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1191 "received EAPOL-Key msg 4/4 in " 1192 "invalid state (%d) - dropped", 1193 sm->wpa_ptk_state); 1194 return; 1195 } 1196 break; 1197 case GROUP_2: 1198 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1199 || !sm->PTK_valid) { 1200 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1201 "received EAPOL-Key msg 2/2 in " 1202 "invalid state (%d) - dropped", 1203 sm->wpa_ptk_group_state); 1204 return; 1205 } 1206 break; 1207 #ifdef CONFIG_PEERKEY 1208 case SMK_M1: 1209 case SMK_M3: 1210 case SMK_ERROR: 1211 if (!wpa_auth->conf.peerkey) { 1212 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1213 "PeerKey use disabled - ignoring message"); 1214 return; 1215 } 1216 if (!sm->PTK_valid) { 1217 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1218 "received EAPOL-Key msg SMK in " 1219 "invalid state - dropped"); 1220 return; 1221 } 1222 break; 1223 #else /* CONFIG_PEERKEY */ 1224 case SMK_M1: 1225 case SMK_M3: 1226 case SMK_ERROR: 1227 return; /* STSL disabled - ignore SMK messages */ 1228 #endif /* CONFIG_PEERKEY */ 1229 case REQUEST: 1230 break; 1231 } 1232 1233 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1234 "received EAPOL-Key frame (%s)", msgtxt); 1235 1236 if (key_info & WPA_KEY_INFO_ACK) { 1237 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1238 "received invalid EAPOL-Key: Key Ack set"); 1239 return; 1240 } 1241 1242 if (!(key_info & WPA_KEY_INFO_MIC)) { 1243 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1244 "received invalid EAPOL-Key: Key MIC not set"); 1245 return; 1246 } 1247 1248 sm->MICVerified = FALSE; 1249 if (sm->PTK_valid && !sm->update_snonce) { 1250 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data, 1251 data_len) && 1252 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1253 wpa_try_alt_snonce(sm, data, data_len))) { 1254 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1255 "received EAPOL-Key with invalid MIC"); 1256 return; 1257 } 1258 sm->MICVerified = TRUE; 1259 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1260 sm->pending_1_of_4_timeout = 0; 1261 } 1262 1263 if (key_info & WPA_KEY_INFO_REQUEST) { 1264 if (sm->MICVerified) { 1265 sm->req_replay_counter_used = 1; 1266 os_memcpy(sm->req_replay_counter, key->replay_counter, 1267 WPA_REPLAY_COUNTER_LEN); 1268 } else { 1269 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1270 "received EAPOL-Key request with " 1271 "invalid MIC"); 1272 return; 1273 } 1274 1275 /* 1276 * TODO: should decrypt key data field if encryption was used; 1277 * even though MAC address KDE is not normally encrypted, 1278 * supplicant is allowed to encrypt it. 1279 */ 1280 if (msg == SMK_ERROR) { 1281 #ifdef CONFIG_PEERKEY 1282 wpa_smk_error(wpa_auth, sm, key_data, key_data_length); 1283 #endif /* CONFIG_PEERKEY */ 1284 return; 1285 } else if (key_info & WPA_KEY_INFO_ERROR) { 1286 if (wpa_receive_error_report( 1287 wpa_auth, sm, 1288 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1289 return; /* STA entry was removed */ 1290 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1291 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1292 "received EAPOL-Key Request for new " 1293 "4-Way Handshake"); 1294 wpa_request_new_ptk(sm); 1295 #ifdef CONFIG_PEERKEY 1296 } else if (msg == SMK_M1) { 1297 wpa_smk_m1(wpa_auth, sm, key, key_data, 1298 key_data_length); 1299 #endif /* CONFIG_PEERKEY */ 1300 } else if (key_data_length > 0 && 1301 wpa_parse_kde_ies(key_data, key_data_length, 1302 &kde) == 0 && 1303 kde.mac_addr) { 1304 } else { 1305 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1306 "received EAPOL-Key Request for GTK " 1307 "rekeying"); 1308 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1309 wpa_rekey_gtk(wpa_auth, NULL); 1310 } 1311 } else { 1312 /* Do not allow the same key replay counter to be reused. */ 1313 wpa_replay_counter_mark_invalid(sm->key_replay, 1314 key->replay_counter); 1315 1316 if (msg == PAIRWISE_2) { 1317 /* 1318 * Maintain a copy of the pending EAPOL-Key frames in 1319 * case the EAPOL-Key frame was retransmitted. This is 1320 * needed to allow EAPOL-Key msg 2/4 reply to another 1321 * pending msg 1/4 to update the SNonce to work around 1322 * unexpected supplicant behavior. 1323 */ 1324 os_memcpy(sm->prev_key_replay, sm->key_replay, 1325 sizeof(sm->key_replay)); 1326 } else { 1327 os_memset(sm->prev_key_replay, 0, 1328 sizeof(sm->prev_key_replay)); 1329 } 1330 1331 /* 1332 * Make sure old valid counters are not accepted anymore and 1333 * do not get copied again. 1334 */ 1335 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1336 } 1337 1338 #ifdef CONFIG_PEERKEY 1339 if (msg == SMK_M3) { 1340 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length); 1341 return; 1342 } 1343 #endif /* CONFIG_PEERKEY */ 1344 1345 os_free(sm->last_rx_eapol_key); 1346 sm->last_rx_eapol_key = os_malloc(data_len); 1347 if (sm->last_rx_eapol_key == NULL) 1348 return; 1349 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1350 sm->last_rx_eapol_key_len = data_len; 1351 1352 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1353 sm->EAPOLKeyReceived = TRUE; 1354 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1355 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1356 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1357 wpa_sm_step(sm); 1358 } 1359 1360 1361 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1362 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1363 { 1364 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1365 u8 *pos; 1366 int ret = 0; 1367 1368 /* GTK = PRF-X(GMK, "Group key expansion", 1369 * AA || GNonce || Time || random data) 1370 * The example described in the IEEE 802.11 standard uses only AA and 1371 * GNonce as inputs here. Add some more entropy since this derivation 1372 * is done only at the Authenticator and as such, does not need to be 1373 * exactly same. 1374 */ 1375 os_memcpy(data, addr, ETH_ALEN); 1376 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1377 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1378 wpa_get_ntp_timestamp(pos); 1379 pos += 8; 1380 if (random_get_bytes(pos, 16) < 0) 1381 ret = -1; 1382 1383 #ifdef CONFIG_IEEE80211W 1384 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1385 #else /* CONFIG_IEEE80211W */ 1386 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1387 < 0) 1388 ret = -1; 1389 #endif /* CONFIG_IEEE80211W */ 1390 1391 return ret; 1392 } 1393 1394 1395 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1396 { 1397 struct wpa_authenticator *wpa_auth = eloop_ctx; 1398 struct wpa_state_machine *sm = timeout_ctx; 1399 1400 sm->pending_1_of_4_timeout = 0; 1401 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1402 sm->TimeoutEvt = TRUE; 1403 wpa_sm_step(sm); 1404 } 1405 1406 1407 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1408 struct wpa_state_machine *sm, int key_info, 1409 const u8 *key_rsc, const u8 *nonce, 1410 const u8 *kde, size_t kde_len, 1411 int keyidx, int encr, int force_version) 1412 { 1413 struct ieee802_1x_hdr *hdr; 1414 struct wpa_eapol_key *key; 1415 struct wpa_eapol_key_192 *key192; 1416 size_t len, mic_len, keyhdrlen; 1417 int alg; 1418 int key_data_len, pad_len = 0; 1419 u8 *buf, *pos; 1420 int version, pairwise; 1421 int i; 1422 u8 *key_data; 1423 1424 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 1425 keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key); 1426 1427 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1428 1429 if (force_version) 1430 version = force_version; 1431 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1432 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) 1433 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1434 else if (wpa_use_aes_cmac(sm)) 1435 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1436 else if (sm->pairwise != WPA_CIPHER_TKIP) 1437 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1438 else 1439 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1440 1441 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1442 1443 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1444 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1445 "encr=%d)", 1446 version, 1447 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1448 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1449 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1450 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1451 pairwise, (unsigned long) kde_len, keyidx, encr); 1452 1453 key_data_len = kde_len; 1454 1455 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1456 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1457 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1458 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1459 pad_len = key_data_len % 8; 1460 if (pad_len) 1461 pad_len = 8 - pad_len; 1462 key_data_len += pad_len + 8; 1463 } 1464 1465 len += key_data_len; 1466 1467 hdr = os_zalloc(len); 1468 if (hdr == NULL) 1469 return; 1470 hdr->version = wpa_auth->conf.eapol_version; 1471 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1472 hdr->length = host_to_be16(len - sizeof(*hdr)); 1473 key = (struct wpa_eapol_key *) (hdr + 1); 1474 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 1475 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1476 1477 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1478 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1479 key_info |= version; 1480 if (encr && sm->wpa == WPA_VERSION_WPA2) 1481 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1482 if (sm->wpa != WPA_VERSION_WPA2) 1483 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1484 WPA_PUT_BE16(key->key_info, key_info); 1485 1486 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1487 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1488 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1489 WPA_PUT_BE16(key->key_length, 0); 1490 1491 /* FIX: STSL: what to use as key_replay_counter? */ 1492 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1493 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1494 os_memcpy(sm->key_replay[i].counter, 1495 sm->key_replay[i - 1].counter, 1496 WPA_REPLAY_COUNTER_LEN); 1497 } 1498 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1499 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1500 WPA_REPLAY_COUNTER_LEN); 1501 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1502 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1503 sm->key_replay[0].valid = TRUE; 1504 1505 if (nonce) 1506 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1507 1508 if (key_rsc) 1509 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1510 1511 if (kde && !encr) { 1512 os_memcpy(key_data, kde, kde_len); 1513 if (mic_len == 24) 1514 WPA_PUT_BE16(key192->key_data_length, kde_len); 1515 else 1516 WPA_PUT_BE16(key->key_data_length, kde_len); 1517 } else if (encr && kde) { 1518 buf = os_zalloc(key_data_len); 1519 if (buf == NULL) { 1520 os_free(hdr); 1521 return; 1522 } 1523 pos = buf; 1524 os_memcpy(pos, kde, kde_len); 1525 pos += kde_len; 1526 1527 if (pad_len) 1528 *pos++ = 0xdd; 1529 1530 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1531 buf, key_data_len); 1532 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1533 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1534 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1535 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1536 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1537 (key_data_len - 8) / 8, buf, key_data)) { 1538 os_free(hdr); 1539 os_free(buf); 1540 return; 1541 } 1542 if (mic_len == 24) 1543 WPA_PUT_BE16(key192->key_data_length, 1544 key_data_len); 1545 else 1546 WPA_PUT_BE16(key->key_data_length, 1547 key_data_len); 1548 #ifndef CONFIG_NO_RC4 1549 } else if (sm->PTK.kek_len == 16) { 1550 u8 ek[32]; 1551 os_memcpy(key->key_iv, 1552 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1553 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1554 os_memcpy(ek, key->key_iv, 16); 1555 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1556 os_memcpy(key_data, buf, key_data_len); 1557 rc4_skip(ek, 32, 256, key_data, key_data_len); 1558 if (mic_len == 24) 1559 WPA_PUT_BE16(key192->key_data_length, 1560 key_data_len); 1561 else 1562 WPA_PUT_BE16(key->key_data_length, 1563 key_data_len); 1564 #endif /* CONFIG_NO_RC4 */ 1565 } else { 1566 os_free(hdr); 1567 os_free(buf); 1568 return; 1569 } 1570 os_free(buf); 1571 } 1572 1573 if (key_info & WPA_KEY_INFO_MIC) { 1574 u8 *key_mic; 1575 1576 if (!sm->PTK_valid) { 1577 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1578 "PTK not valid when sending EAPOL-Key " 1579 "frame"); 1580 os_free(hdr); 1581 return; 1582 } 1583 1584 key_mic = key192->key_mic; /* same offset for key and key192 */ 1585 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1586 sm->wpa_key_mgmt, version, 1587 (u8 *) hdr, len, key_mic); 1588 #ifdef CONFIG_TESTING_OPTIONS 1589 if (!pairwise && 1590 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1591 drand48() < 1592 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1593 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1594 "Corrupting group EAPOL-Key Key MIC"); 1595 key_mic[0]++; 1596 } 1597 #endif /* CONFIG_TESTING_OPTIONS */ 1598 } 1599 1600 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1601 1); 1602 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1603 sm->pairwise_set); 1604 os_free(hdr); 1605 } 1606 1607 1608 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1609 struct wpa_state_machine *sm, int key_info, 1610 const u8 *key_rsc, const u8 *nonce, 1611 const u8 *kde, size_t kde_len, 1612 int keyidx, int encr) 1613 { 1614 int timeout_ms; 1615 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1616 int ctr; 1617 1618 if (sm == NULL) 1619 return; 1620 1621 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1622 keyidx, encr, 0); 1623 1624 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1625 if (ctr == 1 && wpa_auth->conf.tx_status) 1626 timeout_ms = pairwise ? eapol_key_timeout_first : 1627 eapol_key_timeout_first_group; 1628 else 1629 timeout_ms = eapol_key_timeout_subseq; 1630 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1631 sm->pending_1_of_4_timeout = 1; 1632 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1633 "counter %d)", timeout_ms, ctr); 1634 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1635 wpa_send_eapol_timeout, wpa_auth, sm); 1636 } 1637 1638 1639 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 1640 size_t data_len) 1641 { 1642 struct ieee802_1x_hdr *hdr; 1643 struct wpa_eapol_key *key; 1644 struct wpa_eapol_key_192 *key192; 1645 u16 key_info; 1646 int ret = 0; 1647 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 1648 size_t mic_len = wpa_mic_len(akmp); 1649 1650 if (data_len < sizeof(*hdr) + sizeof(*key)) 1651 return -1; 1652 1653 hdr = (struct ieee802_1x_hdr *) data; 1654 key = (struct wpa_eapol_key *) (hdr + 1); 1655 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 1656 key_info = WPA_GET_BE16(key->key_info); 1657 os_memcpy(mic, key192->key_mic, mic_len); 1658 os_memset(key192->key_mic, 0, mic_len); 1659 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1660 key_info & WPA_KEY_INFO_TYPE_MASK, 1661 data, data_len, key192->key_mic) || 1662 os_memcmp_const(mic, key192->key_mic, mic_len) != 0) 1663 ret = -1; 1664 os_memcpy(key192->key_mic, mic, mic_len); 1665 return ret; 1666 } 1667 1668 1669 void wpa_remove_ptk(struct wpa_state_machine *sm) 1670 { 1671 sm->PTK_valid = FALSE; 1672 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1673 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1674 sm->pairwise_set = FALSE; 1675 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1676 } 1677 1678 1679 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1680 { 1681 int remove_ptk = 1; 1682 1683 if (sm == NULL) 1684 return -1; 1685 1686 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1687 "event %d notification", event); 1688 1689 switch (event) { 1690 case WPA_AUTH: 1691 #ifdef CONFIG_MESH 1692 /* PTKs are derived through AMPE */ 1693 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1694 /* not mesh */ 1695 break; 1696 } 1697 return 0; 1698 #endif /* CONFIG_MESH */ 1699 case WPA_ASSOC: 1700 break; 1701 case WPA_DEAUTH: 1702 case WPA_DISASSOC: 1703 sm->DeauthenticationRequest = TRUE; 1704 break; 1705 case WPA_REAUTH: 1706 case WPA_REAUTH_EAPOL: 1707 if (!sm->started) { 1708 /* 1709 * When using WPS, we may end up here if the STA 1710 * manages to re-associate without the previous STA 1711 * entry getting removed. Consequently, we need to make 1712 * sure that the WPA state machines gets initialized 1713 * properly at this point. 1714 */ 1715 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1716 "started - initialize now"); 1717 sm->started = 1; 1718 sm->Init = TRUE; 1719 if (wpa_sm_step(sm) == 1) 1720 return 1; /* should not really happen */ 1721 sm->Init = FALSE; 1722 sm->AuthenticationRequest = TRUE; 1723 break; 1724 } 1725 if (sm->GUpdateStationKeys) { 1726 /* 1727 * Reauthentication cancels the pending group key 1728 * update for this STA. 1729 */ 1730 sm->group->GKeyDoneStations--; 1731 sm->GUpdateStationKeys = FALSE; 1732 sm->PtkGroupInit = TRUE; 1733 } 1734 sm->ReAuthenticationRequest = TRUE; 1735 break; 1736 case WPA_ASSOC_FT: 1737 #ifdef CONFIG_IEEE80211R 1738 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1739 "after association"); 1740 wpa_ft_install_ptk(sm); 1741 1742 /* Using FT protocol, not WPA auth state machine */ 1743 sm->ft_completed = 1; 1744 return 0; 1745 #else /* CONFIG_IEEE80211R */ 1746 break; 1747 #endif /* CONFIG_IEEE80211R */ 1748 } 1749 1750 #ifdef CONFIG_IEEE80211R 1751 sm->ft_completed = 0; 1752 #endif /* CONFIG_IEEE80211R */ 1753 1754 #ifdef CONFIG_IEEE80211W 1755 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1756 remove_ptk = 0; 1757 #endif /* CONFIG_IEEE80211W */ 1758 1759 if (remove_ptk) { 1760 sm->PTK_valid = FALSE; 1761 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1762 1763 if (event != WPA_REAUTH_EAPOL) 1764 wpa_remove_ptk(sm); 1765 } 1766 1767 if (sm->in_step_loop) { 1768 /* 1769 * wpa_sm_step() is already running - avoid recursive call to 1770 * it by making the existing loop process the new update. 1771 */ 1772 sm->changed = TRUE; 1773 return 0; 1774 } 1775 return wpa_sm_step(sm); 1776 } 1777 1778 1779 SM_STATE(WPA_PTK, INITIALIZE) 1780 { 1781 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1782 if (sm->Init) { 1783 /* Init flag is not cleared here, so avoid busy 1784 * loop by claiming nothing changed. */ 1785 sm->changed = FALSE; 1786 } 1787 1788 sm->keycount = 0; 1789 if (sm->GUpdateStationKeys) 1790 sm->group->GKeyDoneStations--; 1791 sm->GUpdateStationKeys = FALSE; 1792 if (sm->wpa == WPA_VERSION_WPA) 1793 sm->PInitAKeys = FALSE; 1794 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1795 * Local AA > Remote AA)) */) { 1796 sm->Pair = TRUE; 1797 } 1798 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1799 wpa_remove_ptk(sm); 1800 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1801 sm->TimeoutCtr = 0; 1802 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1803 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1804 WPA_EAPOL_authorized, 0); 1805 } 1806 } 1807 1808 1809 SM_STATE(WPA_PTK, DISCONNECT) 1810 { 1811 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1812 sm->Disconnect = FALSE; 1813 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1814 } 1815 1816 1817 SM_STATE(WPA_PTK, DISCONNECTED) 1818 { 1819 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1820 sm->DeauthenticationRequest = FALSE; 1821 } 1822 1823 1824 SM_STATE(WPA_PTK, AUTHENTICATION) 1825 { 1826 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1827 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1828 sm->PTK_valid = FALSE; 1829 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1830 1); 1831 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1832 sm->AuthenticationRequest = FALSE; 1833 } 1834 1835 1836 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1837 struct wpa_group *group) 1838 { 1839 if (group->first_sta_seen) 1840 return; 1841 /* 1842 * System has run bit further than at the time hostapd was started 1843 * potentially very early during boot up. This provides better chances 1844 * of collecting more randomness on embedded systems. Re-initialize the 1845 * GMK and Counter here to improve their strength if there was not 1846 * enough entropy available immediately after system startup. 1847 */ 1848 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1849 "station"); 1850 if (random_pool_ready() != 1) { 1851 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1852 "to proceed - reject first 4-way handshake"); 1853 group->reject_4way_hs_for_entropy = TRUE; 1854 } else { 1855 group->first_sta_seen = TRUE; 1856 group->reject_4way_hs_for_entropy = FALSE; 1857 } 1858 1859 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1860 wpa_gtk_update(wpa_auth, group) < 0 || 1861 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1862 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1863 group->first_sta_seen = FALSE; 1864 group->reject_4way_hs_for_entropy = TRUE; 1865 } 1866 } 1867 1868 1869 SM_STATE(WPA_PTK, AUTHENTICATION2) 1870 { 1871 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1872 1873 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1874 sm->ReAuthenticationRequest = FALSE; 1875 1876 /* 1877 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1878 * ambiguous. The Authenticator state machine uses a counter that is 1879 * incremented by one for each 4-way handshake. However, the security 1880 * analysis of 4-way handshake points out that unpredictable nonces 1881 * help in preventing precomputation attacks. Instead of the state 1882 * machine definition, use an unpredictable nonce value here to provide 1883 * stronger protection against potential precomputation attacks. 1884 */ 1885 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1886 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1887 "ANonce."); 1888 sm->Disconnect = TRUE; 1889 return; 1890 } 1891 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1892 WPA_NONCE_LEN); 1893 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1894 * logical place than INITIALIZE since AUTHENTICATION2 can be 1895 * re-entered on ReAuthenticationRequest without going through 1896 * INITIALIZE. */ 1897 sm->TimeoutCtr = 0; 1898 } 1899 1900 1901 SM_STATE(WPA_PTK, INITPMK) 1902 { 1903 u8 msk[2 * PMK_LEN]; 1904 size_t len = 2 * PMK_LEN; 1905 1906 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1907 #ifdef CONFIG_IEEE80211R 1908 sm->xxkey_len = 0; 1909 #endif /* CONFIG_IEEE80211R */ 1910 if (sm->pmksa) { 1911 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1912 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1913 sm->pmk_len = sm->pmksa->pmk_len; 1914 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1915 unsigned int pmk_len; 1916 1917 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 1918 pmk_len = PMK_LEN_SUITE_B_192; 1919 else 1920 pmk_len = PMK_LEN; 1921 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1922 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 1923 pmk_len); 1924 if (len < pmk_len) { 1925 wpa_printf(MSG_DEBUG, 1926 "WPA: MSK not long enough (%u) to create PMK (%u)", 1927 (unsigned int) len, (unsigned int) pmk_len); 1928 sm->Disconnect = TRUE; 1929 return; 1930 } 1931 os_memcpy(sm->PMK, msk, pmk_len); 1932 sm->pmk_len = pmk_len; 1933 #ifdef CONFIG_IEEE80211R 1934 if (len >= 2 * PMK_LEN) { 1935 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1936 sm->xxkey_len = PMK_LEN; 1937 } 1938 #endif /* CONFIG_IEEE80211R */ 1939 } else { 1940 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 1941 sm->wpa_auth->cb.get_msk); 1942 sm->Disconnect = TRUE; 1943 return; 1944 } 1945 os_memset(msk, 0, sizeof(msk)); 1946 1947 sm->req_replay_counter_used = 0; 1948 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1949 * will break reauthentication since EAPOL state machines may not be 1950 * get into AUTHENTICATING state that clears keyRun before WPA state 1951 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1952 * state and takes PMK from the previously used AAA Key. This will 1953 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1954 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1955 * be good workaround for this issue. */ 1956 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1957 } 1958 1959 1960 SM_STATE(WPA_PTK, INITPSK) 1961 { 1962 const u8 *psk; 1963 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1964 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1965 if (psk) { 1966 os_memcpy(sm->PMK, psk, PMK_LEN); 1967 sm->pmk_len = PMK_LEN; 1968 #ifdef CONFIG_IEEE80211R 1969 os_memcpy(sm->xxkey, psk, PMK_LEN); 1970 sm->xxkey_len = PMK_LEN; 1971 #endif /* CONFIG_IEEE80211R */ 1972 } 1973 sm->req_replay_counter_used = 0; 1974 } 1975 1976 1977 SM_STATE(WPA_PTK, PTKSTART) 1978 { 1979 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1980 size_t pmkid_len = 0; 1981 1982 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1983 sm->PTKRequest = FALSE; 1984 sm->TimeoutEvt = FALSE; 1985 sm->alt_snonce_valid = FALSE; 1986 1987 sm->TimeoutCtr++; 1988 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1989 /* No point in sending the EAPOL-Key - we will disconnect 1990 * immediately following this. */ 1991 return; 1992 } 1993 1994 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1995 "sending 1/4 msg of 4-Way Handshake"); 1996 /* 1997 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1998 * one possible PSK for this STA. 1999 */ 2000 if (sm->wpa == WPA_VERSION_WPA2 && 2001 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2002 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2003 pmkid = buf; 2004 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2005 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2006 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2007 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2008 if (sm->pmksa) { 2009 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2010 sm->pmksa->pmkid, PMKID_LEN); 2011 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2012 /* No KCK available to derive PMKID */ 2013 pmkid = NULL; 2014 } else { 2015 /* 2016 * Calculate PMKID since no PMKSA cache entry was 2017 * available with pre-calculated PMKID. 2018 */ 2019 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2020 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2021 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 2022 } 2023 } 2024 wpa_send_eapol(sm->wpa_auth, sm, 2025 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2026 sm->ANonce, pmkid, pmkid_len, 0, 0); 2027 } 2028 2029 2030 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2031 const u8 *pmk, unsigned int pmk_len, 2032 struct wpa_ptk *ptk) 2033 { 2034 #ifdef CONFIG_IEEE80211R 2035 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2036 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2037 #endif /* CONFIG_IEEE80211R */ 2038 2039 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2040 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2041 ptk, sm->wpa_key_mgmt, sm->pairwise); 2042 } 2043 2044 2045 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2046 { 2047 struct wpa_ptk PTK; 2048 int ok = 0, psk_found = 0; 2049 const u8 *pmk = NULL; 2050 unsigned int pmk_len; 2051 2052 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2053 sm->EAPOLKeyReceived = FALSE; 2054 sm->update_snonce = FALSE; 2055 2056 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2057 * WPA-PSK: iterate through possible PSKs and select the one matching 2058 * the packet */ 2059 for (;;) { 2060 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2061 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2062 sm->p2p_dev_addr, pmk); 2063 if (pmk == NULL) 2064 break; 2065 psk_found = 1; 2066 pmk_len = PMK_LEN; 2067 } else { 2068 pmk = sm->PMK; 2069 pmk_len = sm->pmk_len; 2070 } 2071 2072 wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK); 2073 2074 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, 2075 sm->last_rx_eapol_key, 2076 sm->last_rx_eapol_key_len) == 0) { 2077 ok = 1; 2078 break; 2079 } 2080 2081 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 2082 break; 2083 } 2084 2085 if (!ok) { 2086 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2087 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2088 if (psk_found) 2089 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2090 return; 2091 } 2092 2093 #ifdef CONFIG_IEEE80211R 2094 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2095 /* 2096 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2097 * with the value we derived. 2098 */ 2099 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2100 WPA_PMK_NAME_LEN) != 0) { 2101 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2102 "PMKR1Name mismatch in FT 4-way " 2103 "handshake"); 2104 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2105 "Supplicant", 2106 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2107 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2108 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2109 return; 2110 } 2111 } 2112 #endif /* CONFIG_IEEE80211R */ 2113 2114 sm->pending_1_of_4_timeout = 0; 2115 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2116 2117 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2118 /* PSK may have changed from the previous choice, so update 2119 * state machine data based on whatever PSK was selected here. 2120 */ 2121 os_memcpy(sm->PMK, pmk, PMK_LEN); 2122 sm->pmk_len = PMK_LEN; 2123 } 2124 2125 sm->MICVerified = TRUE; 2126 2127 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2128 sm->PTK_valid = TRUE; 2129 } 2130 2131 2132 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2133 { 2134 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2135 sm->TimeoutCtr = 0; 2136 } 2137 2138 2139 #ifdef CONFIG_IEEE80211W 2140 2141 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2142 { 2143 if (sm->mgmt_frame_prot) { 2144 size_t len; 2145 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2146 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2147 } 2148 2149 return 0; 2150 } 2151 2152 2153 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2154 { 2155 struct wpa_igtk_kde igtk; 2156 struct wpa_group *gsm = sm->group; 2157 u8 rsc[WPA_KEY_RSC_LEN]; 2158 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2159 2160 if (!sm->mgmt_frame_prot) 2161 return pos; 2162 2163 igtk.keyid[0] = gsm->GN_igtk; 2164 igtk.keyid[1] = 0; 2165 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2166 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2167 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2168 else 2169 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2170 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2171 if (sm->wpa_auth->conf.disable_gtk) { 2172 /* 2173 * Provide unique random IGTK to each STA to prevent use of 2174 * IGTK in the BSS. 2175 */ 2176 if (random_get_bytes(igtk.igtk, len) < 0) 2177 return pos; 2178 } 2179 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2180 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2181 NULL, 0); 2182 2183 return pos; 2184 } 2185 2186 #else /* CONFIG_IEEE80211W */ 2187 2188 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2189 { 2190 return 0; 2191 } 2192 2193 2194 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2195 { 2196 return pos; 2197 } 2198 2199 #endif /* CONFIG_IEEE80211W */ 2200 2201 2202 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2203 { 2204 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2205 size_t gtk_len, kde_len; 2206 struct wpa_group *gsm = sm->group; 2207 u8 *wpa_ie; 2208 int wpa_ie_len, secure, keyidx, encr = 0; 2209 2210 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2211 sm->TimeoutEvt = FALSE; 2212 2213 sm->TimeoutCtr++; 2214 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 2215 /* No point in sending the EAPOL-Key - we will disconnect 2216 * immediately following this. */ 2217 return; 2218 } 2219 2220 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2221 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2222 */ 2223 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2224 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2225 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2226 wpa_ie = sm->wpa_auth->wpa_ie; 2227 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2228 if (sm->wpa == WPA_VERSION_WPA && 2229 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2230 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2231 /* WPA-only STA, remove RSN IE and possible MDIE */ 2232 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2233 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2234 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2235 wpa_ie_len = wpa_ie[1] + 2; 2236 } 2237 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2238 "sending 3/4 msg of 4-Way Handshake"); 2239 if (sm->wpa == WPA_VERSION_WPA2) { 2240 /* WPA2 send GTK in the 4-way handshake */ 2241 secure = 1; 2242 gtk = gsm->GTK[gsm->GN - 1]; 2243 gtk_len = gsm->GTK_len; 2244 if (sm->wpa_auth->conf.disable_gtk) { 2245 /* 2246 * Provide unique random GTK to each STA to prevent use 2247 * of GTK in the BSS. 2248 */ 2249 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2250 return; 2251 gtk = dummy_gtk; 2252 } 2253 keyidx = gsm->GN; 2254 _rsc = rsc; 2255 encr = 1; 2256 } else { 2257 /* WPA does not include GTK in msg 3/4 */ 2258 secure = 0; 2259 gtk = NULL; 2260 gtk_len = 0; 2261 keyidx = 0; 2262 _rsc = NULL; 2263 if (sm->rx_eapol_key_secure) { 2264 /* 2265 * It looks like Windows 7 supplicant tries to use 2266 * Secure bit in msg 2/4 after having reported Michael 2267 * MIC failure and it then rejects the 4-way handshake 2268 * if msg 3/4 does not set Secure bit. Work around this 2269 * by setting the Secure bit here even in the case of 2270 * WPA if the supplicant used it first. 2271 */ 2272 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2273 "STA used Secure bit in WPA msg 2/4 - " 2274 "set Secure for 3/4 as workaround"); 2275 secure = 1; 2276 } 2277 } 2278 2279 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2280 if (gtk) 2281 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2282 #ifdef CONFIG_IEEE80211R 2283 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2284 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2285 kde_len += 300; /* FTIE + 2 * TIE */ 2286 } 2287 #endif /* CONFIG_IEEE80211R */ 2288 #ifdef CONFIG_P2P 2289 if (WPA_GET_BE32(sm->ip_addr) > 0) 2290 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2291 #endif /* CONFIG_P2P */ 2292 kde = os_malloc(kde_len); 2293 if (kde == NULL) 2294 return; 2295 2296 pos = kde; 2297 os_memcpy(pos, wpa_ie, wpa_ie_len); 2298 pos += wpa_ie_len; 2299 #ifdef CONFIG_IEEE80211R 2300 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2301 int res; 2302 size_t elen; 2303 2304 elen = pos - kde; 2305 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 2306 if (res < 0) { 2307 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2308 "PMKR1Name into RSN IE in EAPOL-Key data"); 2309 os_free(kde); 2310 return; 2311 } 2312 pos -= wpa_ie_len; 2313 pos += elen; 2314 } 2315 #endif /* CONFIG_IEEE80211R */ 2316 if (gtk) { 2317 u8 hdr[2]; 2318 hdr[0] = keyidx & 0x03; 2319 hdr[1] = 0; 2320 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2321 gtk, gtk_len); 2322 } 2323 pos = ieee80211w_kde_add(sm, pos); 2324 2325 #ifdef CONFIG_IEEE80211R 2326 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2327 int res; 2328 struct wpa_auth_config *conf; 2329 2330 conf = &sm->wpa_auth->conf; 2331 if (sm->assoc_resp_ftie && 2332 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 2333 os_memcpy(pos, sm->assoc_resp_ftie, 2334 2 + sm->assoc_resp_ftie[1]); 2335 res = 2 + sm->assoc_resp_ftie[1]; 2336 } else { 2337 res = wpa_write_ftie(conf, conf->r0_key_holder, 2338 conf->r0_key_holder_len, 2339 NULL, NULL, pos, 2340 kde + kde_len - pos, 2341 NULL, 0); 2342 } 2343 if (res < 0) { 2344 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2345 "into EAPOL-Key Key Data"); 2346 os_free(kde); 2347 return; 2348 } 2349 pos += res; 2350 2351 /* TIE[ReassociationDeadline] (TU) */ 2352 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2353 *pos++ = 5; 2354 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2355 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2356 pos += 4; 2357 2358 /* TIE[KeyLifetime] (seconds) */ 2359 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2360 *pos++ = 5; 2361 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2362 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2363 pos += 4; 2364 } 2365 #endif /* CONFIG_IEEE80211R */ 2366 #ifdef CONFIG_P2P 2367 if (WPA_GET_BE32(sm->ip_addr) > 0) { 2368 u8 addr[3 * 4]; 2369 os_memcpy(addr, sm->ip_addr, 4); 2370 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 2371 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 2372 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 2373 addr, sizeof(addr), NULL, 0); 2374 } 2375 #endif /* CONFIG_P2P */ 2376 2377 wpa_send_eapol(sm->wpa_auth, sm, 2378 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2379 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2380 WPA_KEY_INFO_KEY_TYPE, 2381 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2382 os_free(kde); 2383 } 2384 2385 2386 SM_STATE(WPA_PTK, PTKINITDONE) 2387 { 2388 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2389 sm->EAPOLKeyReceived = FALSE; 2390 if (sm->Pair) { 2391 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2392 int klen = wpa_cipher_key_len(sm->pairwise); 2393 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2394 sm->PTK.tk, klen)) { 2395 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2396 return; 2397 } 2398 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2399 sm->pairwise_set = TRUE; 2400 2401 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2402 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2403 eloop_register_timeout(sm->wpa_auth->conf. 2404 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2405 sm->wpa_auth, sm); 2406 } 2407 2408 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2409 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2410 WPA_EAPOL_authorized, 1); 2411 } 2412 } 2413 2414 if (0 /* IBSS == TRUE */) { 2415 sm->keycount++; 2416 if (sm->keycount == 2) { 2417 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2418 WPA_EAPOL_portValid, 1); 2419 } 2420 } else { 2421 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2422 1); 2423 } 2424 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2425 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2426 if (sm->wpa == WPA_VERSION_WPA) 2427 sm->PInitAKeys = TRUE; 2428 else 2429 sm->has_GTK = TRUE; 2430 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2431 "pairwise key handshake completed (%s)", 2432 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2433 2434 #ifdef CONFIG_IEEE80211R 2435 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2436 #endif /* CONFIG_IEEE80211R */ 2437 } 2438 2439 2440 SM_STEP(WPA_PTK) 2441 { 2442 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2443 2444 if (sm->Init) 2445 SM_ENTER(WPA_PTK, INITIALIZE); 2446 else if (sm->Disconnect 2447 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2448 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2449 "WPA_PTK: sm->Disconnect"); 2450 SM_ENTER(WPA_PTK, DISCONNECT); 2451 } 2452 else if (sm->DeauthenticationRequest) 2453 SM_ENTER(WPA_PTK, DISCONNECTED); 2454 else if (sm->AuthenticationRequest) 2455 SM_ENTER(WPA_PTK, AUTHENTICATION); 2456 else if (sm->ReAuthenticationRequest) 2457 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2458 else if (sm->PTKRequest) 2459 SM_ENTER(WPA_PTK, PTKSTART); 2460 else switch (sm->wpa_ptk_state) { 2461 case WPA_PTK_INITIALIZE: 2462 break; 2463 case WPA_PTK_DISCONNECT: 2464 SM_ENTER(WPA_PTK, DISCONNECTED); 2465 break; 2466 case WPA_PTK_DISCONNECTED: 2467 SM_ENTER(WPA_PTK, INITIALIZE); 2468 break; 2469 case WPA_PTK_AUTHENTICATION: 2470 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2471 break; 2472 case WPA_PTK_AUTHENTICATION2: 2473 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2474 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2475 WPA_EAPOL_keyRun) > 0) 2476 SM_ENTER(WPA_PTK, INITPMK); 2477 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2478 /* FIX: && 802.1X::keyRun */) 2479 SM_ENTER(WPA_PTK, INITPSK); 2480 break; 2481 case WPA_PTK_INITPMK: 2482 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2483 WPA_EAPOL_keyAvailable) > 0) 2484 SM_ENTER(WPA_PTK, PTKSTART); 2485 else { 2486 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2487 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2488 "INITPMK - keyAvailable = false"); 2489 SM_ENTER(WPA_PTK, DISCONNECT); 2490 } 2491 break; 2492 case WPA_PTK_INITPSK: 2493 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2494 NULL)) 2495 SM_ENTER(WPA_PTK, PTKSTART); 2496 else { 2497 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2498 "no PSK configured for the STA"); 2499 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2500 SM_ENTER(WPA_PTK, DISCONNECT); 2501 } 2502 break; 2503 case WPA_PTK_PTKSTART: 2504 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2505 sm->EAPOLKeyPairwise) 2506 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2507 else if (sm->TimeoutCtr > 2508 (int) dot11RSNAConfigPairwiseUpdateCount) { 2509 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2510 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2511 "PTKSTART: Retry limit %d reached", 2512 dot11RSNAConfigPairwiseUpdateCount); 2513 SM_ENTER(WPA_PTK, DISCONNECT); 2514 } else if (sm->TimeoutEvt) 2515 SM_ENTER(WPA_PTK, PTKSTART); 2516 break; 2517 case WPA_PTK_PTKCALCNEGOTIATING: 2518 if (sm->MICVerified) 2519 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2520 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2521 sm->EAPOLKeyPairwise) 2522 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2523 else if (sm->TimeoutEvt) 2524 SM_ENTER(WPA_PTK, PTKSTART); 2525 break; 2526 case WPA_PTK_PTKCALCNEGOTIATING2: 2527 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2528 break; 2529 case WPA_PTK_PTKINITNEGOTIATING: 2530 if (sm->update_snonce) 2531 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2532 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2533 sm->EAPOLKeyPairwise && sm->MICVerified) 2534 SM_ENTER(WPA_PTK, PTKINITDONE); 2535 else if (sm->TimeoutCtr > 2536 (int) dot11RSNAConfigPairwiseUpdateCount) { 2537 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2538 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2539 "PTKINITNEGOTIATING: Retry limit %d " 2540 "reached", 2541 dot11RSNAConfigPairwiseUpdateCount); 2542 SM_ENTER(WPA_PTK, DISCONNECT); 2543 } else if (sm->TimeoutEvt) 2544 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2545 break; 2546 case WPA_PTK_PTKINITDONE: 2547 break; 2548 } 2549 } 2550 2551 2552 SM_STATE(WPA_PTK_GROUP, IDLE) 2553 { 2554 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2555 if (sm->Init) { 2556 /* Init flag is not cleared here, so avoid busy 2557 * loop by claiming nothing changed. */ 2558 sm->changed = FALSE; 2559 } 2560 sm->GTimeoutCtr = 0; 2561 } 2562 2563 2564 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2565 { 2566 u8 rsc[WPA_KEY_RSC_LEN]; 2567 struct wpa_group *gsm = sm->group; 2568 const u8 *kde; 2569 u8 *kde_buf = NULL, *pos, hdr[2]; 2570 size_t kde_len; 2571 u8 *gtk, dummy_gtk[32]; 2572 2573 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2574 2575 sm->GTimeoutCtr++; 2576 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2577 /* No point in sending the EAPOL-Key - we will disconnect 2578 * immediately following this. */ 2579 return; 2580 } 2581 2582 if (sm->wpa == WPA_VERSION_WPA) 2583 sm->PInitAKeys = FALSE; 2584 sm->TimeoutEvt = FALSE; 2585 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2586 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2587 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2588 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2589 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2590 "sending 1/2 msg of Group Key Handshake"); 2591 2592 gtk = gsm->GTK[gsm->GN - 1]; 2593 if (sm->wpa_auth->conf.disable_gtk) { 2594 /* 2595 * Provide unique random GTK to each STA to prevent use 2596 * of GTK in the BSS. 2597 */ 2598 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2599 return; 2600 gtk = dummy_gtk; 2601 } 2602 if (sm->wpa == WPA_VERSION_WPA2) { 2603 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2604 ieee80211w_kde_len(sm); 2605 kde_buf = os_malloc(kde_len); 2606 if (kde_buf == NULL) 2607 return; 2608 2609 kde = pos = kde_buf; 2610 hdr[0] = gsm->GN & 0x03; 2611 hdr[1] = 0; 2612 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2613 gtk, gsm->GTK_len); 2614 pos = ieee80211w_kde_add(sm, pos); 2615 kde_len = pos - kde; 2616 } else { 2617 kde = gtk; 2618 kde_len = gsm->GTK_len; 2619 } 2620 2621 wpa_send_eapol(sm->wpa_auth, sm, 2622 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2623 WPA_KEY_INFO_ACK | 2624 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2625 rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1); 2626 2627 os_free(kde_buf); 2628 } 2629 2630 2631 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2632 { 2633 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2634 sm->EAPOLKeyReceived = FALSE; 2635 if (sm->GUpdateStationKeys) 2636 sm->group->GKeyDoneStations--; 2637 sm->GUpdateStationKeys = FALSE; 2638 sm->GTimeoutCtr = 0; 2639 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2640 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2641 "group key handshake completed (%s)", 2642 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2643 sm->has_GTK = TRUE; 2644 } 2645 2646 2647 SM_STATE(WPA_PTK_GROUP, KEYERROR) 2648 { 2649 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2650 if (sm->GUpdateStationKeys) 2651 sm->group->GKeyDoneStations--; 2652 sm->GUpdateStationKeys = FALSE; 2653 sm->Disconnect = TRUE; 2654 } 2655 2656 2657 SM_STEP(WPA_PTK_GROUP) 2658 { 2659 if (sm->Init || sm->PtkGroupInit) { 2660 SM_ENTER(WPA_PTK_GROUP, IDLE); 2661 sm->PtkGroupInit = FALSE; 2662 } else switch (sm->wpa_ptk_group_state) { 2663 case WPA_PTK_GROUP_IDLE: 2664 if (sm->GUpdateStationKeys || 2665 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2666 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2667 break; 2668 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2669 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2670 !sm->EAPOLKeyPairwise && sm->MICVerified) 2671 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2672 else if (sm->GTimeoutCtr > 2673 (int) dot11RSNAConfigGroupUpdateCount) 2674 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2675 else if (sm->TimeoutEvt) 2676 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2677 break; 2678 case WPA_PTK_GROUP_KEYERROR: 2679 SM_ENTER(WPA_PTK_GROUP, IDLE); 2680 break; 2681 case WPA_PTK_GROUP_REKEYESTABLISHED: 2682 SM_ENTER(WPA_PTK_GROUP, IDLE); 2683 break; 2684 } 2685 } 2686 2687 2688 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2689 struct wpa_group *group) 2690 { 2691 int ret = 0; 2692 2693 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2694 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2695 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2696 wpa_auth->addr, group->GNonce, 2697 group->GTK[group->GN - 1], group->GTK_len) < 0) 2698 ret = -1; 2699 wpa_hexdump_key(MSG_DEBUG, "GTK", 2700 group->GTK[group->GN - 1], group->GTK_len); 2701 2702 #ifdef CONFIG_IEEE80211W 2703 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2704 size_t len; 2705 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2706 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2707 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2708 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2709 wpa_auth->addr, group->GNonce, 2710 group->IGTK[group->GN_igtk - 4], len) < 0) 2711 ret = -1; 2712 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2713 group->IGTK[group->GN_igtk - 4], len); 2714 } 2715 #endif /* CONFIG_IEEE80211W */ 2716 2717 return ret; 2718 } 2719 2720 2721 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2722 struct wpa_group *group) 2723 { 2724 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2725 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2726 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2727 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2728 2729 /* GTK[0..N] = 0 */ 2730 os_memset(group->GTK, 0, sizeof(group->GTK)); 2731 group->GN = 1; 2732 group->GM = 2; 2733 #ifdef CONFIG_IEEE80211W 2734 group->GN_igtk = 4; 2735 group->GM_igtk = 5; 2736 #endif /* CONFIG_IEEE80211W */ 2737 /* GTK[GN] = CalcGTK() */ 2738 wpa_gtk_update(wpa_auth, group); 2739 } 2740 2741 2742 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2743 { 2744 if (ctx != NULL && ctx != sm->group) 2745 return 0; 2746 2747 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2748 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2749 "Not in PTKINITDONE; skip Group Key update"); 2750 sm->GUpdateStationKeys = FALSE; 2751 return 0; 2752 } 2753 if (sm->GUpdateStationKeys) { 2754 /* 2755 * This should not really happen, so add a debug log entry. 2756 * Since we clear the GKeyDoneStations before the loop, the 2757 * station needs to be counted here anyway. 2758 */ 2759 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2760 "GUpdateStationKeys was already set when " 2761 "marking station for GTK rekeying"); 2762 } 2763 2764 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2765 if (sm->is_wnmsleep) 2766 return 0; 2767 2768 sm->group->GKeyDoneStations++; 2769 sm->GUpdateStationKeys = TRUE; 2770 2771 wpa_sm_step(sm); 2772 return 0; 2773 } 2774 2775 2776 #ifdef CONFIG_WNM 2777 /* update GTK when exiting WNM-Sleep Mode */ 2778 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2779 { 2780 if (sm == NULL || sm->is_wnmsleep) 2781 return; 2782 2783 wpa_group_update_sta(sm, NULL); 2784 } 2785 2786 2787 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2788 { 2789 if (sm) 2790 sm->is_wnmsleep = !!flag; 2791 } 2792 2793 2794 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2795 { 2796 struct wpa_group *gsm = sm->group; 2797 u8 *start = pos; 2798 2799 /* 2800 * GTK subelement: 2801 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2802 * Key[5..32] 2803 */ 2804 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2805 *pos++ = 11 + gsm->GTK_len; 2806 /* Key ID in B0-B1 of Key Info */ 2807 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2808 pos += 2; 2809 *pos++ = gsm->GTK_len; 2810 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2811 return 0; 2812 pos += 8; 2813 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2814 pos += gsm->GTK_len; 2815 2816 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2817 gsm->GN); 2818 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2819 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2820 2821 return pos - start; 2822 } 2823 2824 2825 #ifdef CONFIG_IEEE80211W 2826 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2827 { 2828 struct wpa_group *gsm = sm->group; 2829 u8 *start = pos; 2830 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2831 2832 /* 2833 * IGTK subelement: 2834 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2835 */ 2836 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2837 *pos++ = 2 + 6 + len; 2838 WPA_PUT_LE16(pos, gsm->GN_igtk); 2839 pos += 2; 2840 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2841 return 0; 2842 pos += 6; 2843 2844 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 2845 pos += len; 2846 2847 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2848 gsm->GN_igtk); 2849 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2850 gsm->IGTK[gsm->GN_igtk - 4], len); 2851 2852 return pos - start; 2853 } 2854 #endif /* CONFIG_IEEE80211W */ 2855 #endif /* CONFIG_WNM */ 2856 2857 2858 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2859 struct wpa_group *group) 2860 { 2861 int tmp; 2862 2863 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2864 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2865 group->changed = TRUE; 2866 group->wpa_group_state = WPA_GROUP_SETKEYS; 2867 group->GTKReKey = FALSE; 2868 tmp = group->GM; 2869 group->GM = group->GN; 2870 group->GN = tmp; 2871 #ifdef CONFIG_IEEE80211W 2872 tmp = group->GM_igtk; 2873 group->GM_igtk = group->GN_igtk; 2874 group->GN_igtk = tmp; 2875 #endif /* CONFIG_IEEE80211W */ 2876 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2877 * counting the STAs that are marked with GUpdateStationKeys instead of 2878 * including all STAs that could be in not-yet-completed state. */ 2879 wpa_gtk_update(wpa_auth, group); 2880 2881 if (group->GKeyDoneStations) { 2882 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2883 "GKeyDoneStations=%d when starting new GTK rekey", 2884 group->GKeyDoneStations); 2885 group->GKeyDoneStations = 0; 2886 } 2887 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2888 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2889 group->GKeyDoneStations); 2890 } 2891 2892 2893 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2894 struct wpa_group *group) 2895 { 2896 int ret = 0; 2897 2898 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2899 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2900 broadcast_ether_addr, group->GN, 2901 group->GTK[group->GN - 1], group->GTK_len) < 0) 2902 ret = -1; 2903 2904 #ifdef CONFIG_IEEE80211W 2905 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2906 enum wpa_alg alg; 2907 size_t len; 2908 2909 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 2910 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2911 2912 if (ret == 0 && 2913 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 2914 broadcast_ether_addr, group->GN_igtk, 2915 group->IGTK[group->GN_igtk - 4], len) < 0) 2916 ret = -1; 2917 } 2918 #endif /* CONFIG_IEEE80211W */ 2919 2920 return ret; 2921 } 2922 2923 2924 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 2925 { 2926 if (sm->group == ctx) { 2927 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 2928 " for discconnection due to fatal failure", 2929 MAC2STR(sm->addr)); 2930 sm->Disconnect = TRUE; 2931 } 2932 2933 return 0; 2934 } 2935 2936 2937 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 2938 struct wpa_group *group) 2939 { 2940 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 2941 group->changed = TRUE; 2942 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 2943 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 2944 } 2945 2946 2947 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2948 struct wpa_group *group) 2949 { 2950 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2951 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2952 group->changed = TRUE; 2953 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2954 2955 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 2956 wpa_group_fatal_failure(wpa_auth, group); 2957 return -1; 2958 } 2959 2960 return 0; 2961 } 2962 2963 2964 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2965 struct wpa_group *group) 2966 { 2967 if (group->GInit) { 2968 wpa_group_gtk_init(wpa_auth, group); 2969 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 2970 /* Do not allow group operations */ 2971 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2972 group->GTKAuthenticator) { 2973 wpa_group_setkeysdone(wpa_auth, group); 2974 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2975 group->GTKReKey) { 2976 wpa_group_setkeys(wpa_auth, group); 2977 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2978 if (group->GKeyDoneStations == 0) 2979 wpa_group_setkeysdone(wpa_auth, group); 2980 else if (group->GTKReKey) 2981 wpa_group_setkeys(wpa_auth, group); 2982 } 2983 } 2984 2985 2986 static int wpa_sm_step(struct wpa_state_machine *sm) 2987 { 2988 if (sm == NULL) 2989 return 0; 2990 2991 if (sm->in_step_loop) { 2992 /* This should not happen, but if it does, make sure we do not 2993 * end up freeing the state machine too early by exiting the 2994 * recursive call. */ 2995 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2996 return 0; 2997 } 2998 2999 sm->in_step_loop = 1; 3000 do { 3001 if (sm->pending_deinit) 3002 break; 3003 3004 sm->changed = FALSE; 3005 sm->wpa_auth->group->changed = FALSE; 3006 3007 SM_STEP_RUN(WPA_PTK); 3008 if (sm->pending_deinit) 3009 break; 3010 SM_STEP_RUN(WPA_PTK_GROUP); 3011 if (sm->pending_deinit) 3012 break; 3013 wpa_group_sm_step(sm->wpa_auth, sm->group); 3014 } while (sm->changed || sm->wpa_auth->group->changed); 3015 sm->in_step_loop = 0; 3016 3017 if (sm->pending_deinit) { 3018 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 3019 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 3020 wpa_free_sta_sm(sm); 3021 return 1; 3022 } 3023 return 0; 3024 } 3025 3026 3027 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 3028 { 3029 struct wpa_state_machine *sm = eloop_ctx; 3030 wpa_sm_step(sm); 3031 } 3032 3033 3034 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 3035 { 3036 if (sm == NULL) 3037 return; 3038 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 3039 } 3040 3041 3042 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 3043 { 3044 int tmp, i; 3045 struct wpa_group *group; 3046 3047 if (wpa_auth == NULL) 3048 return; 3049 3050 group = wpa_auth->group; 3051 3052 for (i = 0; i < 2; i++) { 3053 tmp = group->GM; 3054 group->GM = group->GN; 3055 group->GN = tmp; 3056 #ifdef CONFIG_IEEE80211W 3057 tmp = group->GM_igtk; 3058 group->GM_igtk = group->GN_igtk; 3059 group->GN_igtk = tmp; 3060 #endif /* CONFIG_IEEE80211W */ 3061 wpa_gtk_update(wpa_auth, group); 3062 wpa_group_config_group_keys(wpa_auth, group); 3063 } 3064 } 3065 3066 3067 static const char * wpa_bool_txt(int val) 3068 { 3069 return val ? "TRUE" : "FALSE"; 3070 } 3071 3072 3073 #define RSN_SUITE "%02x-%02x-%02x-%d" 3074 #define RSN_SUITE_ARG(s) \ 3075 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3076 3077 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 3078 { 3079 int len = 0, ret; 3080 char pmkid_txt[PMKID_LEN * 2 + 1]; 3081 #ifdef CONFIG_RSN_PREAUTH 3082 const int preauth = 1; 3083 #else /* CONFIG_RSN_PREAUTH */ 3084 const int preauth = 0; 3085 #endif /* CONFIG_RSN_PREAUTH */ 3086 3087 if (wpa_auth == NULL) 3088 return len; 3089 3090 ret = os_snprintf(buf + len, buflen - len, 3091 "dot11RSNAOptionImplemented=TRUE\n" 3092 "dot11RSNAPreauthenticationImplemented=%s\n" 3093 "dot11RSNAEnabled=%s\n" 3094 "dot11RSNAPreauthenticationEnabled=%s\n", 3095 wpa_bool_txt(preauth), 3096 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 3097 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 3098 if (os_snprintf_error(buflen - len, ret)) 3099 return len; 3100 len += ret; 3101 3102 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3103 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 3104 3105 ret = os_snprintf( 3106 buf + len, buflen - len, 3107 "dot11RSNAConfigVersion=%u\n" 3108 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 3109 /* FIX: dot11RSNAConfigGroupCipher */ 3110 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 3111 /* FIX: dot11RSNAConfigGroupRekeyTime */ 3112 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 3113 "dot11RSNAConfigGroupRekeyStrict=%u\n" 3114 "dot11RSNAConfigGroupUpdateCount=%u\n" 3115 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 3116 "dot11RSNAConfigGroupCipherSize=%u\n" 3117 "dot11RSNAConfigPMKLifetime=%u\n" 3118 "dot11RSNAConfigPMKReauthThreshold=%u\n" 3119 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 3120 "dot11RSNAConfigSATimeout=%u\n" 3121 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3122 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3123 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3124 "dot11RSNAPMKIDUsed=%s\n" 3125 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3126 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3127 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3128 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3129 "dot11RSNA4WayHandshakeFailures=%u\n" 3130 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3131 RSN_VERSION, 3132 !!wpa_auth->conf.wpa_strict_rekey, 3133 dot11RSNAConfigGroupUpdateCount, 3134 dot11RSNAConfigPairwiseUpdateCount, 3135 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3136 dot11RSNAConfigPMKLifetime, 3137 dot11RSNAConfigPMKReauthThreshold, 3138 dot11RSNAConfigSATimeout, 3139 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3140 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3141 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3142 pmkid_txt, 3143 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3144 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3145 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3146 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3147 wpa_auth->dot11RSNA4WayHandshakeFailures); 3148 if (os_snprintf_error(buflen - len, ret)) 3149 return len; 3150 len += ret; 3151 3152 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3153 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3154 3155 /* Private MIB */ 3156 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3157 wpa_auth->group->wpa_group_state); 3158 if (os_snprintf_error(buflen - len, ret)) 3159 return len; 3160 len += ret; 3161 3162 return len; 3163 } 3164 3165 3166 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3167 { 3168 int len = 0, ret; 3169 u32 pairwise = 0; 3170 3171 if (sm == NULL) 3172 return 0; 3173 3174 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3175 3176 /* dot11RSNAStatsEntry */ 3177 3178 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3179 WPA_PROTO_RSN : WPA_PROTO_WPA, 3180 sm->pairwise); 3181 if (pairwise == 0) 3182 return 0; 3183 3184 ret = os_snprintf( 3185 buf + len, buflen - len, 3186 /* TODO: dot11RSNAStatsIndex */ 3187 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3188 "dot11RSNAStatsVersion=1\n" 3189 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3190 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3191 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3192 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3193 /* TODO: dot11RSNAStatsCCMPReplays */ 3194 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3195 /* TODO: dot11RSNAStatsTKIPReplays */, 3196 MAC2STR(sm->addr), 3197 RSN_SUITE_ARG(pairwise), 3198 sm->dot11RSNAStatsTKIPLocalMICFailures, 3199 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3200 if (os_snprintf_error(buflen - len, ret)) 3201 return len; 3202 len += ret; 3203 3204 /* Private MIB */ 3205 ret = os_snprintf(buf + len, buflen - len, 3206 "hostapdWPAPTKState=%d\n" 3207 "hostapdWPAPTKGroupState=%d\n", 3208 sm->wpa_ptk_state, 3209 sm->wpa_ptk_group_state); 3210 if (os_snprintf_error(buflen - len, ret)) 3211 return len; 3212 len += ret; 3213 3214 return len; 3215 } 3216 3217 3218 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3219 { 3220 if (wpa_auth) 3221 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3222 } 3223 3224 3225 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3226 { 3227 return sm && sm->pairwise_set; 3228 } 3229 3230 3231 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3232 { 3233 return sm->pairwise; 3234 } 3235 3236 3237 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3238 { 3239 if (sm == NULL) 3240 return -1; 3241 return sm->wpa_key_mgmt; 3242 } 3243 3244 3245 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3246 { 3247 if (sm == NULL) 3248 return 0; 3249 return sm->wpa; 3250 } 3251 3252 3253 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3254 struct rsn_pmksa_cache_entry *entry) 3255 { 3256 if (sm == NULL || sm->pmksa != entry) 3257 return -1; 3258 sm->pmksa = NULL; 3259 return 0; 3260 } 3261 3262 3263 struct rsn_pmksa_cache_entry * 3264 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3265 { 3266 return sm ? sm->pmksa : NULL; 3267 } 3268 3269 3270 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3271 { 3272 if (sm) 3273 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3274 } 3275 3276 3277 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3278 { 3279 if (wpa_auth == NULL) 3280 return NULL; 3281 *len = wpa_auth->wpa_ie_len; 3282 return wpa_auth->wpa_ie; 3283 } 3284 3285 3286 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3287 unsigned int pmk_len, 3288 int session_timeout, struct eapol_state_machine *eapol) 3289 { 3290 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3291 sm->wpa_auth->conf.disable_pmksa_caching) 3292 return -1; 3293 3294 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { 3295 if (pmk_len > PMK_LEN_SUITE_B_192) 3296 pmk_len = PMK_LEN_SUITE_B_192; 3297 } else if (pmk_len > PMK_LEN) { 3298 pmk_len = PMK_LEN; 3299 } 3300 3301 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 3302 sm->PTK.kck, sm->PTK.kck_len, 3303 sm->wpa_auth->addr, sm->addr, session_timeout, 3304 eapol, sm->wpa_key_mgmt)) 3305 return 0; 3306 3307 return -1; 3308 } 3309 3310 3311 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 3312 const u8 *pmk, size_t len, const u8 *sta_addr, 3313 int session_timeout, 3314 struct eapol_state_machine *eapol) 3315 { 3316 if (wpa_auth == NULL) 3317 return -1; 3318 3319 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 3320 NULL, 0, 3321 wpa_auth->addr, 3322 sta_addr, session_timeout, eapol, 3323 WPA_KEY_MGMT_IEEE8021X)) 3324 return 0; 3325 3326 return -1; 3327 } 3328 3329 3330 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 3331 const u8 *pmk, const u8 *pmkid) 3332 { 3333 if (wpa_auth->conf.disable_pmksa_caching) 3334 return -1; 3335 3336 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 3337 NULL, 0, 3338 wpa_auth->addr, addr, 0, NULL, 3339 WPA_KEY_MGMT_SAE)) 3340 return 0; 3341 3342 return -1; 3343 } 3344 3345 3346 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 3347 const u8 *sta_addr) 3348 { 3349 struct rsn_pmksa_cache_entry *pmksa; 3350 3351 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 3352 return; 3353 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3354 if (pmksa) { 3355 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 3356 MACSTR " based on request", MAC2STR(sta_addr)); 3357 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 3358 } 3359 } 3360 3361 3362 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 3363 size_t len) 3364 { 3365 if (!wpa_auth || !wpa_auth->pmksa) 3366 return 0; 3367 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 3368 } 3369 3370 3371 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 3372 { 3373 if (wpa_auth && wpa_auth->pmksa) 3374 pmksa_cache_auth_flush(wpa_auth->pmksa); 3375 } 3376 3377 3378 struct rsn_pmksa_cache_entry * 3379 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr) 3380 { 3381 if (!wpa_auth || !wpa_auth->pmksa) 3382 return NULL; 3383 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3384 } 3385 3386 3387 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 3388 struct wpa_state_machine *sm, 3389 struct wpa_authenticator *wpa_auth, 3390 u8 *pmkid, u8 *pmk) 3391 { 3392 if (!sm) 3393 return; 3394 3395 sm->pmksa = pmksa; 3396 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 3397 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 3398 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 3399 } 3400 3401 3402 /* 3403 * Remove and free the group from wpa_authenticator. This is triggered by a 3404 * callback to make sure nobody is currently iterating the group list while it 3405 * gets modified. 3406 */ 3407 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 3408 struct wpa_group *group) 3409 { 3410 struct wpa_group *prev = wpa_auth->group; 3411 3412 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 3413 group->vlan_id); 3414 3415 while (prev) { 3416 if (prev->next == group) { 3417 /* This never frees the special first group as needed */ 3418 prev->next = group->next; 3419 os_free(group); 3420 break; 3421 } 3422 prev = prev->next; 3423 } 3424 3425 } 3426 3427 3428 /* Increase the reference counter for group */ 3429 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 3430 struct wpa_group *group) 3431 { 3432 /* Skip the special first group */ 3433 if (wpa_auth->group == group) 3434 return; 3435 3436 group->references++; 3437 } 3438 3439 3440 /* Decrease the reference counter and maybe free the group */ 3441 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 3442 struct wpa_group *group) 3443 { 3444 /* Skip the special first group */ 3445 if (wpa_auth->group == group) 3446 return; 3447 3448 group->references--; 3449 if (group->references) 3450 return; 3451 wpa_group_free(wpa_auth, group); 3452 } 3453 3454 3455 /* 3456 * Add a group that has its references counter set to zero. Caller needs to 3457 * call wpa_group_get() on the return value to mark the entry in use. 3458 */ 3459 static struct wpa_group * 3460 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3461 { 3462 struct wpa_group *group; 3463 3464 if (wpa_auth == NULL || wpa_auth->group == NULL) 3465 return NULL; 3466 3467 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 3468 vlan_id); 3469 group = wpa_group_init(wpa_auth, vlan_id, 0); 3470 if (group == NULL) 3471 return NULL; 3472 3473 group->next = wpa_auth->group->next; 3474 wpa_auth->group->next = group; 3475 3476 return group; 3477 } 3478 3479 3480 /* 3481 * Enforce that the group state machine for the VLAN is running, increase 3482 * reference counter as interface is up. References might have been increased 3483 * even if a negative value is returned. 3484 * Returns: -1 on error (group missing, group already failed); otherwise, 0 3485 */ 3486 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3487 { 3488 struct wpa_group *group; 3489 3490 if (wpa_auth == NULL) 3491 return 0; 3492 3493 group = wpa_auth->group; 3494 while (group) { 3495 if (group->vlan_id == vlan_id) 3496 break; 3497 group = group->next; 3498 } 3499 3500 if (group == NULL) { 3501 group = wpa_auth_add_group(wpa_auth, vlan_id); 3502 if (group == NULL) 3503 return -1; 3504 } 3505 3506 wpa_printf(MSG_DEBUG, 3507 "WPA: Ensure group state machine running for VLAN ID %d", 3508 vlan_id); 3509 3510 wpa_group_get(wpa_auth, group); 3511 group->num_setup_iface++; 3512 3513 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3514 return -1; 3515 3516 return 0; 3517 } 3518 3519 3520 /* 3521 * Decrease reference counter, expected to be zero afterwards. 3522 * returns: -1 on error (group not found, group in fail state) 3523 * -2 if wpa_group is still referenced 3524 * 0 else 3525 */ 3526 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3527 { 3528 struct wpa_group *group; 3529 int ret = 0; 3530 3531 if (wpa_auth == NULL) 3532 return 0; 3533 3534 group = wpa_auth->group; 3535 while (group) { 3536 if (group->vlan_id == vlan_id) 3537 break; 3538 group = group->next; 3539 } 3540 3541 if (group == NULL) 3542 return -1; 3543 3544 wpa_printf(MSG_DEBUG, 3545 "WPA: Try stopping group state machine for VLAN ID %d", 3546 vlan_id); 3547 3548 if (group->num_setup_iface <= 0) { 3549 wpa_printf(MSG_ERROR, 3550 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 3551 vlan_id); 3552 return -1; 3553 } 3554 group->num_setup_iface--; 3555 3556 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3557 ret = -1; 3558 3559 if (group->references > 1) { 3560 wpa_printf(MSG_DEBUG, 3561 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 3562 vlan_id); 3563 ret = -2; 3564 } 3565 3566 wpa_group_put(wpa_auth, group); 3567 3568 return ret; 3569 } 3570 3571 3572 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 3573 { 3574 struct wpa_group *group; 3575 3576 if (sm == NULL || sm->wpa_auth == NULL) 3577 return 0; 3578 3579 group = sm->wpa_auth->group; 3580 while (group) { 3581 if (group->vlan_id == vlan_id) 3582 break; 3583 group = group->next; 3584 } 3585 3586 if (group == NULL) { 3587 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3588 if (group == NULL) 3589 return -1; 3590 } 3591 3592 if (sm->group == group) 3593 return 0; 3594 3595 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3596 return -1; 3597 3598 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3599 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3600 3601 wpa_group_get(sm->wpa_auth, group); 3602 wpa_group_put(sm->wpa_auth, sm->group); 3603 sm->group = group; 3604 3605 return 0; 3606 } 3607 3608 3609 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3610 struct wpa_state_machine *sm, int ack) 3611 { 3612 if (wpa_auth == NULL || sm == NULL) 3613 return; 3614 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3615 " ack=%d", MAC2STR(sm->addr), ack); 3616 if (sm->pending_1_of_4_timeout && ack) { 3617 /* 3618 * Some deployed supplicant implementations update their SNonce 3619 * for each EAPOL-Key 2/4 message even within the same 4-way 3620 * handshake and then fail to use the first SNonce when 3621 * deriving the PTK. This results in unsuccessful 4-way 3622 * handshake whenever the relatively short initial timeout is 3623 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3624 * around this by increasing the timeout now that we know that 3625 * the station has received the frame. 3626 */ 3627 int timeout_ms = eapol_key_timeout_subseq; 3628 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3629 "timeout by %u ms because of acknowledged frame", 3630 timeout_ms); 3631 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3632 eloop_register_timeout(timeout_ms / 1000, 3633 (timeout_ms % 1000) * 1000, 3634 wpa_send_eapol_timeout, wpa_auth, sm); 3635 } 3636 } 3637 3638 3639 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3640 { 3641 if (sm == NULL) 3642 return 0; 3643 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3644 } 3645 3646 3647 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 3648 { 3649 if (sm == NULL) 3650 return 0; 3651 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 3652 } 3653 3654 3655 #ifdef CONFIG_P2P 3656 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 3657 { 3658 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 3659 return -1; 3660 os_memcpy(addr, sm->ip_addr, 4); 3661 return 0; 3662 } 3663 #endif /* CONFIG_P2P */ 3664 3665 3666 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 3667 struct radius_das_attrs *attr) 3668 { 3669 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 3670 } 3671 3672 3673 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 3674 { 3675 struct wpa_group *group; 3676 3677 if (!wpa_auth) 3678 return; 3679 for (group = wpa_auth->group; group; group = group->next) 3680 wpa_group_config_group_keys(wpa_auth, group); 3681 } 3682
