1 /* $OpenBSD: ieee80211_pae_input.c,v 1.37 2020/11/19 20:03:33 krw Exp $ */
2
3 /*-
4 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 /*
20 * This code implements the 4-Way Handshake and Group Key Handshake protocols
21 * (both Supplicant and Authenticator Key Receive state machines) defined in
22 * IEEE Std 802.11-2007 section 8.5.
23 */
24
25 #include <sys/param.h>
26 #include <sys/systm.h>
27 #include <sys/mbuf.h>
28 #include <sys/kernel.h>
29 #include <sys/socket.h>
30 #include <sys/sockio.h>
31 #include <sys/errno.h>
32
33 #include <net/if.h>
34 #include <net/if_dl.h>
35 #include <net/if_media.h>
36
37 #include <netinet/in.h>
38 #include <netinet/if_ether.h>
39
40 #include <net80211/ieee80211_var.h>
41 #include <net80211/ieee80211_priv.h>
42
43 void ieee80211_recv_4way_msg1(struct ieee80211com *,
44 struct ieee80211_eapol_key *, struct ieee80211_node *);
45 #ifndef IEEE80211_STA_ONLY
46 void ieee80211_recv_4way_msg2(struct ieee80211com *,
47 struct ieee80211_eapol_key *, struct ieee80211_node *,
48 const u_int8_t *);
49 #endif
50 int ieee80211_must_update_group_key(struct ieee80211_key *, const uint8_t *,
51 int);
52 void ieee80211_recv_4way_msg3(struct ieee80211com *,
53 struct ieee80211_eapol_key *, struct ieee80211_node *);
54 #ifndef IEEE80211_STA_ONLY
55 void ieee80211_recv_4way_msg4(struct ieee80211com *,
56 struct ieee80211_eapol_key *, struct ieee80211_node *);
57 void ieee80211_recv_4way_msg2or4(struct ieee80211com *,
58 struct ieee80211_eapol_key *, struct ieee80211_node *);
59 #endif
60 void ieee80211_recv_rsn_group_msg1(struct ieee80211com *,
61 struct ieee80211_eapol_key *, struct ieee80211_node *);
62 void ieee80211_recv_wpa_group_msg1(struct ieee80211com *,
63 struct ieee80211_eapol_key *, struct ieee80211_node *);
64 #ifndef IEEE80211_STA_ONLY
65 void ieee80211_recv_group_msg2(struct ieee80211com *,
66 struct ieee80211_eapol_key *, struct ieee80211_node *);
67 void ieee80211_recv_eapol_key_req(struct ieee80211com *,
68 struct ieee80211_eapol_key *, struct ieee80211_node *);
69 #endif
70
71 /*
72 * Process an incoming EAPOL frame. Notice that we are only interested in
73 * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type.
74 */
75 void
ieee80211_eapol_key_input(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)76 ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m,
77 struct ieee80211_node *ni)
78 {
79 struct ifnet *ifp = &ic->ic_if;
80 struct ether_header *eh;
81 struct ieee80211_eapol_key *key;
82 u_int16_t info, desc;
83 int totlen, bodylen, paylen;
84
85 ifp->if_ibytes += m->m_pkthdr.len;
86
87 eh = mtod(m, struct ether_header *);
88 if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) {
89 ifp->if_imcasts++;
90 goto done;
91 }
92 m_adj(m, sizeof(*eh));
93
94 if (m->m_pkthdr.len < sizeof(*key))
95 goto done;
96 if (m->m_len < sizeof(*key) &&
97 (m = m_pullup(m, sizeof(*key))) == NULL) {
98 ic->ic_stats.is_rx_nombuf++;
99 goto done;
100 }
101 key = mtod(m, struct ieee80211_eapol_key *);
102
103 if (key->type != EAPOL_KEY)
104 goto done;
105 ic->ic_stats.is_rx_eapol_key++;
106
107 if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN &&
108 key->desc != EAPOL_KEY_DESC_IEEE80211) ||
109 (ni->ni_rsnprotos == IEEE80211_PROTO_WPA &&
110 key->desc != EAPOL_KEY_DESC_WPA))
111 goto done;
112
113 /* check packet body length */
114 bodylen = BE_READ_2(key->len);
115 totlen = 4 + bodylen;
116 if (m->m_pkthdr.len < totlen || totlen > MCLBYTES)
117 goto done;
118
119 /* check key data length */
120 paylen = BE_READ_2(key->paylen);
121 if (paylen > totlen - sizeof(*key))
122 goto done;
123
124 info = BE_READ_2(key->info);
125
126 /* discard EAPOL-Key frames with an unknown descriptor version */
127 desc = info & EAPOL_KEY_VERSION_MASK;
128 if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3)
129 goto done;
130
131 if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) {
132 if (desc != EAPOL_KEY_DESC_V3)
133 goto done;
134 } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP ||
135 ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) {
136 if (desc != EAPOL_KEY_DESC_V2)
137 goto done;
138 }
139
140 /* make sure the key data field is contiguous */
141 if (m->m_len < totlen && (m = m_pullup(m, totlen)) == NULL) {
142 ic->ic_stats.is_rx_nombuf++;
143 goto done;
144 }
145 key = mtod(m, struct ieee80211_eapol_key *);
146
147 /* determine message type (see 8.5.3.7) */
148 if (info & EAPOL_KEY_REQUEST) {
149 #ifndef IEEE80211_STA_ONLY
150 /* EAPOL-Key Request frame */
151 ieee80211_recv_eapol_key_req(ic, key, ni);
152 #endif
153 } else if (info & EAPOL_KEY_PAIRWISE) {
154 /* 4-Way Handshake */
155 if (info & EAPOL_KEY_KEYMIC) {
156 if (info & EAPOL_KEY_KEYACK)
157 ieee80211_recv_4way_msg3(ic, key, ni);
158 #ifndef IEEE80211_STA_ONLY
159 else
160 ieee80211_recv_4way_msg2or4(ic, key, ni);
161 #endif
162 } else if (info & EAPOL_KEY_KEYACK)
163 ieee80211_recv_4way_msg1(ic, key, ni);
164 } else {
165 /* Group Key Handshake */
166 if (!(info & EAPOL_KEY_KEYMIC))
167 goto done;
168 if (info & EAPOL_KEY_KEYACK) {
169 if (key->desc == EAPOL_KEY_DESC_WPA)
170 ieee80211_recv_wpa_group_msg1(ic, key, ni);
171 else
172 ieee80211_recv_rsn_group_msg1(ic, key, ni);
173 }
174 #ifndef IEEE80211_STA_ONLY
175 else
176 ieee80211_recv_group_msg2(ic, key, ni);
177 #endif
178 }
179 done:
180 m_freem(m);
181 }
182
183 /*
184 * Process Message 1 of the 4-Way Handshake (sent by Authenticator).
185 */
186 void
ieee80211_recv_4way_msg1(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)187 ieee80211_recv_4way_msg1(struct ieee80211com *ic,
188 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
189 {
190 struct ieee80211_ptk tptk;
191 struct ieee80211_pmk *pmk;
192 const u_int8_t *frm, *efrm;
193 const u_int8_t *pmkid;
194
195 #ifndef IEEE80211_STA_ONLY
196 if (ic->ic_opmode != IEEE80211_M_STA &&
197 ic->ic_opmode != IEEE80211_M_IBSS)
198 return;
199 #endif
200 /*
201 * Message 1 is always expected while RSN is active since some
202 * APs will rekey the PTK by sending Msg1/4 after some time.
203 */
204 if (ni->ni_rsn_supp_state == RSNA_SUPP_INITIALIZE) {
205 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
206 return;
207 }
208 /* enforce monotonicity of key request replay counter */
209 if (ni->ni_replaycnt_ok &&
210 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
211 ic->ic_stats.is_rx_eapol_replay++;
212 return;
213 }
214
215 /* parse key data field (may contain an encapsulated PMKID) */
216 frm = (const u_int8_t *)&key[1];
217 efrm = frm + BE_READ_2(key->paylen);
218
219 pmkid = NULL;
220 while (frm + 2 <= efrm) {
221 if (frm + 2 + frm[1] > efrm)
222 break;
223 switch (frm[0]) {
224 case IEEE80211_ELEMID_VENDOR:
225 if (frm[1] < 4)
226 break;
227 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) {
228 switch (frm[5]) {
229 case IEEE80211_KDE_PMKID:
230 pmkid = frm;
231 break;
232 }
233 }
234 break;
235 }
236 frm += 2 + frm[1];
237 }
238 /* check that the PMKID KDE is valid (if present) */
239 if (pmkid != NULL && pmkid[1] != 4 + 16)
240 return;
241
242 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) {
243 /* retrieve the PMK for this (AP,PMKID) */
244 pmk = ieee80211_pmksa_find(ic, ni,
245 (pmkid != NULL) ? &pmkid[6] : NULL);
246 if (pmk == NULL) {
247 DPRINTF(("no PMK available for %s\n",
248 ether_sprintf(ni->ni_macaddr)));
249 return;
250 }
251 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN);
252 } else /* use pre-shared key */
253 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN);
254 ni->ni_flags |= IEEE80211_NODE_PMK;
255
256 /* save authenticator's nonce (ANonce) */
257 memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN);
258
259 /* generate supplicant's nonce (SNonce) */
260 arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN);
261
262 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */
263 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr,
264 ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk);
265
266 /* We are now expecting a new pairwise key. */
267 ni->ni_flags |= IEEE80211_NODE_RSN_NEW_PTK;
268
269 if (ic->ic_if.if_flags & IFF_DEBUG)
270 printf("%s: received msg %d/%d of the %s handshake from %s\n",
271 ic->ic_if.if_xname, 1, 4, "4-way",
272 ether_sprintf(ni->ni_macaddr));
273
274 /* send message 2 to authenticator using TPTK */
275 (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk);
276 }
277
278 #ifndef IEEE80211_STA_ONLY
279 /*
280 * Process Message 2 of the 4-Way Handshake (sent by Supplicant).
281 */
282 void
ieee80211_recv_4way_msg2(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni,const u_int8_t * rsnie)283 ieee80211_recv_4way_msg2(struct ieee80211com *ic,
284 struct ieee80211_eapol_key *key, struct ieee80211_node *ni,
285 const u_int8_t *rsnie)
286 {
287 struct ieee80211_ptk tptk;
288
289 if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
290 ic->ic_opmode != IEEE80211_M_IBSS)
291 return;
292
293 /* discard if we're not expecting this message */
294 if (ni->ni_rsn_state != RSNA_PTKSTART &&
295 ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) {
296 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state));
297 return;
298 }
299 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING;
300
301 /* NB: replay counter has already been verified by caller */
302
303 /* PTK = CalcPTK(ANonce, SNonce) */
304 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr,
305 ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk);
306
307 /* check Key MIC field using KCK */
308 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) {
309 DPRINTF(("key MIC failed\n"));
310 ic->ic_stats.is_rx_eapol_badmic++;
311 return; /* will timeout.. */
312 }
313
314 timeout_del(&ni->ni_eapol_to);
315 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2;
316 ni->ni_rsn_retries = 0;
317
318 /* install TPTK as PTK now that MIC is verified */
319 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk));
320
321 /*
322 * The RSN IE must match bit-wise with what the STA included in its
323 * (Re)Association Request.
324 */
325 if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] ||
326 memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) {
327 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
328 IEEE80211_REASON_RSN_DIFFERENT_IE);
329 ieee80211_node_leave(ic, ni);
330 return;
331 }
332
333 if (ic->ic_if.if_flags & IFF_DEBUG)
334 printf("%s: received msg %d/%d of the %s handshake from %s\n",
335 ic->ic_if.if_xname, 2, 4, "4-way",
336 ether_sprintf(ni->ni_macaddr));
337
338 /* send message 3 to supplicant */
339 (void)ieee80211_send_4way_msg3(ic, ni);
340 }
341 #endif /* IEEE80211_STA_ONLY */
342
343 /*
344 * Check if a group key must be updated with a new GTK from an EAPOL frame.
345 * Manipulated group key handshake messages could trick clients into
346 * reinstalling an already used group key and hence lower or reset the
347 * associated replay counter. This check prevents such attacks.
348 */
349 int
ieee80211_must_update_group_key(struct ieee80211_key * k,const uint8_t * gtk,int len)350 ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk,
351 int len)
352 {
353 return (k->k_cipher == IEEE80211_CIPHER_NONE || k->k_len != len ||
354 memcmp(k->k_key, gtk, len) != 0);
355 }
356
357 /*
358 * Process Message 3 of the 4-Way Handshake (sent by Authenticator).
359 */
360 void
ieee80211_recv_4way_msg3(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)361 ieee80211_recv_4way_msg3(struct ieee80211com *ic,
362 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
363 {
364 struct ieee80211_ptk tptk;
365 struct ieee80211_key *k;
366 const u_int8_t *frm, *efrm;
367 const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk;
368 u_int16_t info, reason = 0;
369 int keylen, deferlink = 0;
370
371 #ifndef IEEE80211_STA_ONLY
372 if (ic->ic_opmode != IEEE80211_M_STA &&
373 ic->ic_opmode != IEEE80211_M_IBSS)
374 return;
375 #endif
376 /* discard if we're not expecting this message */
377 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKNEGOTIATING &&
378 ni->ni_rsn_supp_state != RSNA_SUPP_PTKDONE) {
379 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
380 return;
381 }
382 /* enforce monotonicity of key request replay counter */
383 if (ni->ni_replaycnt_ok &&
384 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
385 ic->ic_stats.is_rx_eapol_replay++;
386 return;
387 }
388 /* make sure that a PMK has been selected */
389 if (!(ni->ni_flags & IEEE80211_NODE_PMK)) {
390 DPRINTF(("no PMK found for %s\n",
391 ether_sprintf(ni->ni_macaddr)));
392 return;
393 }
394 /* check that ANonce matches that of Message 1 */
395 if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) {
396 DPRINTF(("ANonce does not match msg 1/4\n"));
397 return;
398 }
399 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */
400 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr,
401 ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk);
402
403 info = BE_READ_2(key->info);
404
405 /* check Key MIC field using KCK */
406 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) {
407 DPRINTF(("key MIC failed\n"));
408 ic->ic_stats.is_rx_eapol_badmic++;
409 return;
410 }
411 /* install TPTK as PTK now that MIC is verified */
412 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk));
413
414 /* if encrypted, decrypt Key Data field using KEK */
415 if ((info & EAPOL_KEY_ENCRYPTED) &&
416 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) {
417 DPRINTF(("decryption failed\n"));
418 return;
419 }
420
421 /* parse key data field */
422 frm = (const u_int8_t *)&key[1];
423 efrm = frm + BE_READ_2(key->paylen);
424
425 /*
426 * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and
427 * RSN IEs in message 3/4. We only take into account the IE of the
428 * version of the protocol we negotiated at association time.
429 */
430 rsnie1 = rsnie2 = gtk = igtk = NULL;
431 while (frm + 2 <= efrm) {
432 if (frm + 2 + frm[1] > efrm)
433 break;
434 switch (frm[0]) {
435 case IEEE80211_ELEMID_RSN:
436 if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN)
437 break;
438 if (rsnie1 == NULL)
439 rsnie1 = frm;
440 else if (rsnie2 == NULL)
441 rsnie2 = frm;
442 /* ignore others if more than two RSN IEs */
443 break;
444 case IEEE80211_ELEMID_VENDOR:
445 if (frm[1] < 4)
446 break;
447 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) {
448 switch (frm[5]) {
449 case IEEE80211_KDE_GTK:
450 gtk = frm;
451 break;
452 case IEEE80211_KDE_IGTK:
453 if (ni->ni_flags & IEEE80211_NODE_MFP)
454 igtk = frm;
455 break;
456 }
457 } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) {
458 switch (frm[5]) {
459 case 1: /* WPA */
460 if (ni->ni_rsnprotos !=
461 IEEE80211_PROTO_WPA)
462 break;
463 rsnie1 = frm;
464 break;
465 }
466 }
467 break;
468 }
469 frm += 2 + frm[1];
470 }
471 /* first WPA/RSN IE is mandatory */
472 if (rsnie1 == NULL) {
473 DPRINTF(("missing RSN IE\n"));
474 return;
475 }
476 /* key data must be encrypted if GTK is included */
477 if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) {
478 DPRINTF(("GTK not encrypted\n"));
479 return;
480 }
481 /* GTK KDE must be included if IGTK KDE is present */
482 if (igtk != NULL && gtk == NULL) {
483 DPRINTF(("IGTK KDE found but GTK KDE missing\n"));
484 return;
485 }
486 /* check that the Install bit is set if using pairwise keys */
487 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP &&
488 !(info & EAPOL_KEY_INSTALL)) {
489 DPRINTF(("pairwise cipher but !Install\n"));
490 return;
491 }
492
493 /*
494 * Check that first WPA/RSN IE is identical to the one received in
495 * the beacon or probe response frame.
496 */
497 if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] ||
498 memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) {
499 reason = IEEE80211_REASON_RSN_DIFFERENT_IE;
500 goto deauth;
501 }
502
503 /*
504 * If a second RSN information element is present, use its pairwise
505 * cipher suite or deauthenticate.
506 */
507 if (rsnie2 != NULL) {
508 struct ieee80211_rsnparams rsn;
509
510 if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) {
511 if (rsn.rsn_akms != ni->ni_rsnakms ||
512 rsn.rsn_groupcipher != ni->ni_rsngroupcipher ||
513 rsn.rsn_nciphers != 1 ||
514 !(rsn.rsn_ciphers & ic->ic_rsnciphers)) {
515 reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER;
516 goto deauth;
517 }
518 /* use pairwise cipher suite of second RSN IE */
519 ni->ni_rsnciphers = rsn.rsn_ciphers;
520 ni->ni_rsncipher = ni->ni_rsnciphers;
521 }
522 }
523
524 /* update the last seen value of the key replay counter field */
525 ni->ni_replaycnt = BE_READ_8(key->replaycnt);
526 ni->ni_replaycnt_ok = 1;
527
528 if (ic->ic_if.if_flags & IFF_DEBUG)
529 printf("%s: received msg %d/%d of the %s handshake from %s\n",
530 ic->ic_if.if_xname, 3, 4, "4-way",
531 ether_sprintf(ni->ni_macaddr));
532
533 /* send message 4 to authenticator */
534 if (ieee80211_send_4way_msg4(ic, ni) != 0)
535 return; /* ..authenticator will retry */
536
537 /*
538 * Only install a new pairwise key if we are still expecting a new key,
539 * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be
540 * sending manipulated retransmissions of message 3 of the 4-way
541 * handshake in an attempt to trick us into reinstalling an already
542 * used pairwise key. If this attack succeeded, the incremental nonce
543 * and replay counter associated with the key would be reset.
544 * Against CCMP, the adversary could abuse this to replay and decrypt
545 * packets. Against TKIP, it would become possible to replay, decrypt,
546 * and forge packets.
547 */
548 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP &&
549 (ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) {
550 u_int64_t prsc;
551
552 /* check that key length matches that of pairwise cipher */
553 keylen = ieee80211_cipher_keylen(ni->ni_rsncipher);
554 if (BE_READ_2(key->keylen) != keylen) {
555 reason = IEEE80211_REASON_AUTH_LEAVE;
556 goto deauth;
557 }
558 prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0;
559
560 /* map PTK to 802.11 key */
561 k = &ni->ni_pairwise_key;
562 memset(k, 0, sizeof(*k));
563 k->k_cipher = ni->ni_rsncipher;
564 k->k_rsc[0] = prsc;
565 k->k_len = keylen;
566 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len);
567 /* install the PTK */
568 switch ((*ic->ic_set_key)(ic, ni, k)) {
569 case 0:
570 break;
571 case EBUSY:
572 deferlink = 1;
573 break;
574 default:
575 reason = IEEE80211_REASON_AUTH_LEAVE;
576 goto deauth;
577 }
578 ni->ni_flags &= ~IEEE80211_NODE_RSN_NEW_PTK;
579 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT;
580 ni->ni_flags |= IEEE80211_NODE_RXPROT;
581 } else if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP)
582 printf("%s: unexpected pairwise key update received from %s\n",
583 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr));
584
585 if (gtk != NULL) {
586 u_int8_t kid;
587
588 /* check that key length matches that of group cipher */
589 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher);
590 if (gtk[1] != 6 + keylen) {
591 reason = IEEE80211_REASON_AUTH_LEAVE;
592 goto deauth;
593 }
594 /* map GTK to 802.11 key */
595 kid = gtk[6] & 3;
596 k = &ic->ic_nw_keys[kid];
597 if (ieee80211_must_update_group_key(k, >k[8], keylen)) {
598 memset(k, 0, sizeof(*k));
599 k->k_id = kid; /* 0-3 */
600 k->k_cipher = ni->ni_rsngroupcipher;
601 k->k_flags = IEEE80211_KEY_GROUP;
602 if (gtk[6] & (1 << 2))
603 k->k_flags |= IEEE80211_KEY_TX;
604 k->k_rsc[0] = LE_READ_6(key->rsc);
605 k->k_len = keylen;
606 memcpy(k->k_key, >k[8], k->k_len);
607 /* install the GTK */
608 switch ((*ic->ic_set_key)(ic, ni, k)) {
609 case 0:
610 break;
611 case EBUSY:
612 deferlink = 1;
613 break;
614 default:
615 reason = IEEE80211_REASON_AUTH_LEAVE;
616 goto deauth;
617 }
618 }
619 }
620 if (igtk != NULL) { /* implies MFP && gtk != NULL */
621 u_int16_t kid;
622
623 /* check that the IGTK KDE is valid */
624 if (igtk[1] != 4 + 24) {
625 reason = IEEE80211_REASON_AUTH_LEAVE;
626 goto deauth;
627 }
628 kid = LE_READ_2(&igtk[6]);
629 if (kid != 4 && kid != 5) {
630 DPRINTF(("unsupported IGTK id %u\n", kid));
631 reason = IEEE80211_REASON_AUTH_LEAVE;
632 goto deauth;
633 }
634 /* map IGTK to 802.11 key */
635 k = &ic->ic_nw_keys[kid];
636 if (ieee80211_must_update_group_key(k, &igtk[14], 16)) {
637 memset(k, 0, sizeof(*k));
638 k->k_id = kid; /* either 4 or 5 */
639 k->k_cipher = ni->ni_rsngroupmgmtcipher;
640 k->k_flags = IEEE80211_KEY_IGTK;
641 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */
642 k->k_len = 16;
643 memcpy(k->k_key, &igtk[14], k->k_len);
644 /* install the IGTK */
645 switch ((*ic->ic_set_key)(ic, ni, k)) {
646 case 0:
647 break;
648 case EBUSY:
649 deferlink = 1;
650 break;
651 default:
652 reason = IEEE80211_REASON_AUTH_LEAVE;
653 goto deauth;
654 }
655 }
656 }
657 if (info & EAPOL_KEY_INSTALL)
658 ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
659
660 if (info & EAPOL_KEY_SECURE) {
661 ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
662 #ifndef IEEE80211_STA_ONLY
663 if (ic->ic_opmode != IEEE80211_M_IBSS ||
664 ++ni->ni_key_count == 2)
665 #endif
666 {
667 if (deferlink == 0) {
668 DPRINTF(("marking port %s valid\n",
669 ether_sprintf(ni->ni_macaddr)));
670 ni->ni_port_valid = 1;
671 ieee80211_set_link_state(ic, LINK_STATE_UP);
672 }
673 ni->ni_assoc_fail = 0;
674 if (ic->ic_opmode == IEEE80211_M_STA)
675 ic->ic_rsngroupcipher = ni->ni_rsngroupcipher;
676 }
677 }
678 deauth:
679 if (reason != 0) {
680 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
681 reason);
682 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
683 }
684 }
685
686 #ifndef IEEE80211_STA_ONLY
687 /*
688 * Process Message 4 of the 4-Way Handshake (sent by Supplicant).
689 */
690 void
ieee80211_recv_4way_msg4(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)691 ieee80211_recv_4way_msg4(struct ieee80211com *ic,
692 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
693 {
694 if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
695 ic->ic_opmode != IEEE80211_M_IBSS)
696 return;
697
698 /* discard if we're not expecting this message */
699 if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) {
700 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state));
701 return;
702 }
703
704 /* NB: replay counter has already been verified by caller */
705
706 /* check Key MIC field using KCK */
707 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
708 DPRINTF(("key MIC failed\n"));
709 ic->ic_stats.is_rx_eapol_badmic++;
710 return; /* will timeout.. */
711 }
712
713 timeout_del(&ni->ni_eapol_to);
714 ni->ni_rsn_state = RSNA_PTKINITDONE;
715 ni->ni_rsn_retries = 0;
716
717 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) {
718 struct ieee80211_key *k;
719
720 /* map PTK to 802.11 key */
721 k = &ni->ni_pairwise_key;
722 memset(k, 0, sizeof(*k));
723 k->k_cipher = ni->ni_rsncipher;
724 k->k_len = ieee80211_cipher_keylen(k->k_cipher);
725 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len);
726 /* install the PTK */
727 switch ((*ic->ic_set_key)(ic, ni, k)) {
728 case 0:
729 case EBUSY:
730 break;
731 default:
732 IEEE80211_SEND_MGMT(ic, ni,
733 IEEE80211_FC0_SUBTYPE_DEAUTH,
734 IEEE80211_REASON_ASSOC_TOOMANY);
735 ieee80211_node_leave(ic, ni);
736 return;
737 }
738 ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
739 }
740 if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) {
741 DPRINTF(("marking port %s valid\n",
742 ether_sprintf(ni->ni_macaddr)));
743 ni->ni_port_valid = 1;
744 }
745
746 if (ic->ic_if.if_flags & IFF_DEBUG)
747 printf("%s: received msg %d/%d of the %s handshake from %s\n",
748 ic->ic_if.if_xname, 4, 4, "4-way",
749 ether_sprintf(ni->ni_macaddr));
750
751 /* initiate a group key handshake for WPA */
752 if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA)
753 (void)ieee80211_send_group_msg1(ic, ni);
754 else
755 ni->ni_rsn_gstate = RSNA_IDLE;
756 }
757
758 /*
759 * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on
760 * the presence of an RSN or WPA Information Element.
761 */
762 void
ieee80211_recv_4way_msg2or4(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)763 ieee80211_recv_4way_msg2or4(struct ieee80211com *ic,
764 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
765 {
766 const u_int8_t *frm, *efrm;
767 const u_int8_t *rsnie;
768
769 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) {
770 ic->ic_stats.is_rx_eapol_replay++;
771 return;
772 }
773
774 /* parse key data field (check if an RSN IE is present) */
775 frm = (const u_int8_t *)&key[1];
776 efrm = frm + BE_READ_2(key->paylen);
777
778 rsnie = NULL;
779 while (frm + 2 <= efrm) {
780 if (frm + 2 + frm[1] > efrm)
781 break;
782 switch (frm[0]) {
783 case IEEE80211_ELEMID_RSN:
784 rsnie = frm;
785 break;
786 case IEEE80211_ELEMID_VENDOR:
787 if (frm[1] < 4)
788 break;
789 if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) {
790 switch (frm[5]) {
791 case 1: /* WPA */
792 rsnie = frm;
793 break;
794 }
795 }
796 }
797 frm += 2 + frm[1];
798 }
799 if (rsnie != NULL)
800 ieee80211_recv_4way_msg2(ic, key, ni, rsnie);
801 else
802 ieee80211_recv_4way_msg4(ic, key, ni);
803 }
804 #endif /* IEEE80211_STA_ONLY */
805
806 /*
807 * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator).
808 */
809 void
ieee80211_recv_rsn_group_msg1(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)810 ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic,
811 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
812 {
813 struct ieee80211_key *k;
814 const u_int8_t *frm, *efrm;
815 const u_int8_t *gtk, *igtk;
816 u_int16_t info, kid, reason = 0;
817 int keylen;
818
819 #ifndef IEEE80211_STA_ONLY
820 if (ic->ic_opmode != IEEE80211_M_STA &&
821 ic->ic_opmode != IEEE80211_M_IBSS)
822 return;
823 #endif
824 /* discard if we're not expecting this message */
825 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKDONE) {
826 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
827 return;
828 }
829 /* enforce monotonicity of key request replay counter */
830 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
831 ic->ic_stats.is_rx_eapol_replay++;
832 return;
833 }
834 /* check Key MIC field using KCK */
835 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
836 DPRINTF(("key MIC failed\n"));
837 ic->ic_stats.is_rx_eapol_badmic++;
838 return;
839 }
840 info = BE_READ_2(key->info);
841
842 /* check that encrypted and decrypt Key Data field using KEK */
843 if (!(info & EAPOL_KEY_ENCRYPTED) ||
844 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) {
845 DPRINTF(("decryption failed\n"));
846 return;
847 }
848
849 /* parse key data field (shall contain a GTK KDE) */
850 frm = (const u_int8_t *)&key[1];
851 efrm = frm + BE_READ_2(key->paylen);
852
853 gtk = igtk = NULL;
854 while (frm + 2 <= efrm) {
855 if (frm + 2 + frm[1] > efrm)
856 break;
857 switch (frm[0]) {
858 case IEEE80211_ELEMID_VENDOR:
859 if (frm[1] < 4)
860 break;
861 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) {
862 switch (frm[5]) {
863 case IEEE80211_KDE_GTK:
864 gtk = frm;
865 break;
866 case IEEE80211_KDE_IGTK:
867 if (ni->ni_flags & IEEE80211_NODE_MFP)
868 igtk = frm;
869 break;
870 }
871 }
872 break;
873 }
874 frm += 2 + frm[1];
875 }
876 /* check that the GTK KDE is present */
877 if (gtk == NULL) {
878 DPRINTF(("GTK KDE missing\n"));
879 return;
880 }
881
882 /* check that key length matches that of group cipher */
883 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher);
884 if (gtk[1] != 6 + keylen)
885 return;
886
887 /* map GTK to 802.11 key */
888 kid = gtk[6] & 3;
889 k = &ic->ic_nw_keys[kid];
890 if (ieee80211_must_update_group_key(k, >k[8], keylen)) {
891 memset(k, 0, sizeof(*k));
892 k->k_id = kid; /* 0-3 */
893 k->k_cipher = ni->ni_rsngroupcipher;
894 k->k_flags = IEEE80211_KEY_GROUP;
895 if (gtk[6] & (1 << 2))
896 k->k_flags |= IEEE80211_KEY_TX;
897 k->k_rsc[0] = LE_READ_6(key->rsc);
898 k->k_len = keylen;
899 memcpy(k->k_key, >k[8], k->k_len);
900 /* install the GTK */
901 switch ((*ic->ic_set_key)(ic, ni, k)) {
902 case 0:
903 case EBUSY:
904 break;
905 default:
906 reason = IEEE80211_REASON_AUTH_LEAVE;
907 goto deauth;
908 }
909 }
910 if (igtk != NULL) { /* implies MFP */
911 /* check that the IGTK KDE is valid */
912 if (igtk[1] != 4 + 24) {
913 reason = IEEE80211_REASON_AUTH_LEAVE;
914 goto deauth;
915 }
916 kid = LE_READ_2(&igtk[6]);
917 if (kid != 4 && kid != 5) {
918 DPRINTF(("unsupported IGTK id %u\n", kid));
919 reason = IEEE80211_REASON_AUTH_LEAVE;
920 goto deauth;
921 }
922 /* map IGTK to 802.11 key */
923 k = &ic->ic_nw_keys[kid];
924 if (ieee80211_must_update_group_key(k, &igtk[14], 16)) {
925 memset(k, 0, sizeof(*k));
926 k->k_id = kid; /* either 4 or 5 */
927 k->k_cipher = ni->ni_rsngroupmgmtcipher;
928 k->k_flags = IEEE80211_KEY_IGTK;
929 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */
930 k->k_len = 16;
931 memcpy(k->k_key, &igtk[14], k->k_len);
932 /* install the IGTK */
933 switch ((*ic->ic_set_key)(ic, ni, k)) {
934 case 0:
935 case EBUSY:
936 break;
937 default:
938 reason = IEEE80211_REASON_AUTH_LEAVE;
939 goto deauth;
940 }
941 }
942 }
943 if (info & EAPOL_KEY_SECURE) {
944 #ifndef IEEE80211_STA_ONLY
945 if (ic->ic_opmode != IEEE80211_M_IBSS ||
946 ++ni->ni_key_count == 2)
947 #endif
948 {
949 DPRINTF(("marking port %s valid\n",
950 ether_sprintf(ni->ni_macaddr)));
951 ni->ni_port_valid = 1;
952 ieee80211_set_link_state(ic, LINK_STATE_UP);
953 ni->ni_assoc_fail = 0;
954 }
955 }
956 /* update the last seen value of the key replay counter field */
957 ni->ni_replaycnt = BE_READ_8(key->replaycnt);
958
959 if (ic->ic_if.if_flags & IFF_DEBUG)
960 printf("%s: received msg %d/%d of the %s handshake from %s\n",
961 ic->ic_if.if_xname, 1, 2, "group key",
962 ether_sprintf(ni->ni_macaddr));
963
964 /* send message 2 to authenticator */
965 (void)ieee80211_send_group_msg2(ic, ni, NULL);
966 return;
967 deauth:
968 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
969 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
970 }
971
972 /*
973 * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator).
974 */
975 void
ieee80211_recv_wpa_group_msg1(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)976 ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic,
977 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
978 {
979 struct ieee80211_key *k;
980 u_int16_t info;
981 u_int8_t kid;
982 int keylen;
983 const uint8_t *gtk;
984
985 #ifndef IEEE80211_STA_ONLY
986 if (ic->ic_opmode != IEEE80211_M_STA &&
987 ic->ic_opmode != IEEE80211_M_IBSS)
988 return;
989 #endif
990 /* discard if we're not expecting this message */
991 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKDONE) {
992 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
993 return;
994 }
995 /* enforce monotonicity of key request replay counter */
996 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
997 ic->ic_stats.is_rx_eapol_replay++;
998 return;
999 }
1000 /* check Key MIC field using KCK */
1001 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
1002 DPRINTF(("key MIC failed\n"));
1003 ic->ic_stats.is_rx_eapol_badmic++;
1004 return;
1005 }
1006 /*
1007 * EAPOL-Key data field is encrypted even though WPA doesn't set
1008 * the ENCRYPTED bit in the info field.
1009 */
1010 if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) {
1011 DPRINTF(("decryption failed\n"));
1012 return;
1013 }
1014
1015 /* check that key length matches that of group cipher */
1016 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher);
1017 if (BE_READ_2(key->keylen) != keylen)
1018 return;
1019
1020 /* check that the data length is large enough to hold the key */
1021 if (BE_READ_2(key->paylen) < keylen)
1022 return;
1023
1024 info = BE_READ_2(key->info);
1025
1026 /* map GTK to 802.11 key */
1027 kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3;
1028 k = &ic->ic_nw_keys[kid];
1029 gtk = (const uint8_t *)&key[1]; /* key data field contains the GTK */
1030 if (ieee80211_must_update_group_key(k, gtk, keylen)) {
1031 memset(k, 0, sizeof(*k));
1032 k->k_id = kid; /* 0-3 */
1033 k->k_cipher = ni->ni_rsngroupcipher;
1034 k->k_flags = IEEE80211_KEY_GROUP;
1035 if (info & EAPOL_KEY_WPA_TX)
1036 k->k_flags |= IEEE80211_KEY_TX;
1037 k->k_rsc[0] = LE_READ_6(key->rsc);
1038 k->k_len = keylen;
1039 memcpy(k->k_key, gtk, k->k_len);
1040 /* install the GTK */
1041 switch ((*ic->ic_set_key)(ic, ni, k)) {
1042 case 0:
1043 case EBUSY:
1044 break;
1045 default:
1046 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
1047 IEEE80211_REASON_AUTH_LEAVE);
1048 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
1049 return;
1050 }
1051 }
1052 if (info & EAPOL_KEY_SECURE) {
1053 #ifndef IEEE80211_STA_ONLY
1054 if (ic->ic_opmode != IEEE80211_M_IBSS ||
1055 ++ni->ni_key_count == 2)
1056 #endif
1057 {
1058 DPRINTF(("marking port %s valid\n",
1059 ether_sprintf(ni->ni_macaddr)));
1060 ni->ni_port_valid = 1;
1061 ieee80211_set_link_state(ic, LINK_STATE_UP);
1062 ni->ni_assoc_fail = 0;
1063 }
1064 }
1065 /* update the last seen value of the key replay counter field */
1066 ni->ni_replaycnt = BE_READ_8(key->replaycnt);
1067
1068 if (ic->ic_if.if_flags & IFF_DEBUG)
1069 printf("%s: received msg %d/%d of the %s handshake from %s\n",
1070 ic->ic_if.if_xname, 1, 2, "group key",
1071 ether_sprintf(ni->ni_macaddr));
1072
1073 /* send message 2 to authenticator */
1074 (void)ieee80211_send_group_msg2(ic, ni, k);
1075 }
1076
1077 #ifndef IEEE80211_STA_ONLY
1078 /*
1079 * Process Message 2 of the Group Key Handshake (sent by Supplicant).
1080 */
1081 void
ieee80211_recv_group_msg2(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)1082 ieee80211_recv_group_msg2(struct ieee80211com *ic,
1083 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
1084 {
1085 if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
1086 ic->ic_opmode != IEEE80211_M_IBSS)
1087 return;
1088
1089 /* discard if we're not expecting this message */
1090 if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) {
1091 DPRINTF(("%s: unexpected in state: %d\n", ic->ic_if.if_xname,
1092 ni->ni_rsn_gstate));
1093 return;
1094 }
1095 /* enforce monotonicity of key request replay counter */
1096 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) {
1097 ic->ic_stats.is_rx_eapol_replay++;
1098 return;
1099 }
1100 /* check Key MIC field using KCK */
1101 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
1102 DPRINTF(("key MIC failed\n"));
1103 ic->ic_stats.is_rx_eapol_badmic++;
1104 return;
1105 }
1106
1107 timeout_del(&ni->ni_eapol_to);
1108 ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED;
1109
1110 if (ni->ni_flags & IEEE80211_NODE_REKEY) {
1111 int rekeysta = 0;
1112 ni->ni_flags &= ~IEEE80211_NODE_REKEY;
1113 ieee80211_iterate_nodes(ic,
1114 ieee80211_count_rekeysta, &rekeysta);
1115 if (rekeysta == 0)
1116 ieee80211_setkeysdone(ic);
1117 }
1118 ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
1119
1120 ni->ni_rsn_gstate = RSNA_IDLE;
1121 ni->ni_rsn_retries = 0;
1122
1123 if (ic->ic_if.if_flags & IFF_DEBUG)
1124 printf("%s: received msg %d/%d of the %s handshake from %s\n",
1125 ic->ic_if.if_xname, 2, 2, "group key",
1126 ether_sprintf(ni->ni_macaddr));
1127 }
1128
1129 /*
1130 * EAPOL-Key Request frames are sent by the supplicant to request that the
1131 * authenticator initiates either a 4-Way Handshake or Group Key Handshake,
1132 * or to report a MIC failure in a TKIP MSDU.
1133 */
1134 void
ieee80211_recv_eapol_key_req(struct ieee80211com * ic,struct ieee80211_eapol_key * key,struct ieee80211_node * ni)1135 ieee80211_recv_eapol_key_req(struct ieee80211com *ic,
1136 struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
1137 {
1138 u_int16_t info;
1139
1140 if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
1141 ic->ic_opmode != IEEE80211_M_IBSS)
1142 return;
1143
1144 /* discard if we're not expecting this message */
1145 if (ni->ni_rsn_state != RSNA_PTKINITDONE) {
1146 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state));
1147 return;
1148 }
1149 /* enforce monotonicity of key request replay counter */
1150 if (ni->ni_reqreplaycnt_ok &&
1151 BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) {
1152 ic->ic_stats.is_rx_eapol_replay++;
1153 return;
1154 }
1155 info = BE_READ_2(key->info);
1156
1157 if (!(info & EAPOL_KEY_KEYMIC) ||
1158 ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
1159 DPRINTF(("key request MIC failed\n"));
1160 ic->ic_stats.is_rx_eapol_badmic++;
1161 return;
1162 }
1163 /* update key request replay counter now that MIC is verified */
1164 ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt);
1165 ni->ni_reqreplaycnt_ok = 1;
1166
1167 if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */
1168 /* ignore reports from STAs not using TKIP */
1169 if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP &&
1170 ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) {
1171 DPRINTF(("MIC failure report from !TKIP STA: %s\n",
1172 ether_sprintf(ni->ni_macaddr)));
1173 return;
1174 }
1175 ic->ic_stats.is_rx_remmicfail++;
1176 ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc));
1177
1178 } else if (info & EAPOL_KEY_PAIRWISE) {
1179 /* initiate a 4-Way Handshake */
1180
1181 } else {
1182 /*
1183 * Should change the GTK, initiate the 4-Way Handshake and
1184 * then execute a Group Key Handshake with all supplicants.
1185 */
1186 }
1187 }
1188 #endif /* IEEE80211_STA_ONLY */
1189