/*
 * hostapd - IEEE 802.11i-2004 / WPA Authenticator: Internal definitions
 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef WPA_AUTH_I_H
#define WPA_AUTH_I_H

#include "utils/list.h"

/* max(dot11RSNAConfigGroupUpdateCount,dot11RSNAConfigPairwiseUpdateCount) */
/* Also sizes the key_replay[] and prev_key_replay[] arrays declared below. */
#define RSNA_MAX_EAPOL_RETRIES 4

struct wpa_group;

/*
 * State for one instance of the WPA authenticator state machine: two state
 * enums (PTK and PTK Group), request/event flags, handshake nonces, replay
 * counters and the key material in use.
 *
 * NOTE(review): PMK, PTK and (with CONFIG_IEEE80211R_AP) xxkey and pmk_r1 are
 * stored inline, so every copy of this struct is a copy of key bytes and a
 * plain free leaves them in the heap. The allocation and free paths are not
 * part of this header - confirm that the free path clears the struct before
 * releasing it.
 */
struct wpa_state_machine {
	/* Back-pointers; lifetime rules for both are not visible here. */
	struct wpa_authenticator *wpa_auth;
	struct wpa_group *group;

	u8 addr[ETH_ALEN]; /* presumably the station's MAC address - confirm */
	u8 p2p_dev_addr[ETH_ALEN];
	u16 auth_alg;

	/* Current state of the pairwise key (PTK) state machine. */
	enum {
		WPA_PTK_INITIALIZE, WPA_PTK_DISCONNECT, WPA_PTK_DISCONNECTED,
		WPA_PTK_AUTHENTICATION, WPA_PTK_AUTHENTICATION2,
		WPA_PTK_INITPMK, WPA_PTK_INITPSK, WPA_PTK_PTKSTART,
		WPA_PTK_PTKCALCNEGOTIATING, WPA_PTK_PTKCALCNEGOTIATING2,
		WPA_PTK_PTKINITNEGOTIATING, WPA_PTK_PTKINITDONE
	} wpa_ptk_state;

	/* Current state of the PTK Group state machine. */
	enum {
		WPA_PTK_GROUP_IDLE = 0,
		WPA_PTK_GROUP_REKEYNEGOTIATING,
		WPA_PTK_GROUP_REKEYESTABLISHED,
		WPA_PTK_GROUP_KEYERROR
	} wpa_ptk_group_state;

	/*
	 * State machine variables. The capitalized names appear to follow the
	 * IEEE 802.11i authenticator state machine; the comments on PInitAKeys
	 * and PTKRequest mark the ones that are not part of it.
	 */
	Boolean Init;
	Boolean DeauthenticationRequest;
	Boolean AuthenticationRequest;
	Boolean ReAuthenticationRequest;
	Boolean Disconnect;
	u16 disconnect_reason; /* specific reason code to use with Disconnect */
	u32 TimeoutCtr;
	u32 GTimeoutCtr;
	Boolean TimeoutEvt;
	Boolean EAPOLKeyReceived;
	Boolean EAPOLKeyPairwise;
	Boolean EAPOLKeyRequest;
	Boolean MICVerified;
	Boolean GUpdateStationKeys;
	u8 ANonce[WPA_NONCE_LEN];
	u8 SNonce[WPA_NONCE_LEN];
	/* presumably meaningful only while alt_snonce_valid is set - confirm */
	u8 alt_SNonce[WPA_NONCE_LEN];
	u8 alt_replay_counter[WPA_REPLAY_COUNTER_LEN];
	u8 PMK[PMK_LEN_MAX];
	/* NOTE(review): nothing in the type keeps pmk_len <= PMK_LEN_MAX;
	 * every writer has to enforce that bound before copying into PMK. */
	unsigned int pmk_len;
	u8 pmkid[PMKID_LEN]; /* valid if pmkid_set == 1 */
	struct wpa_ptk PTK;
	Boolean PTK_valid;
	Boolean pairwise_set;
	Boolean tk_already_set;
	int keycount;
	Boolean Pair;
	/* Replay counters, RSNA_MAX_EAPOL_RETRIES slots per array; each slot
	 * carries its own valid flag. */
	struct wpa_key_replay_counter {
		u8 counter[WPA_REPLAY_COUNTER_LEN];
		Boolean valid;
	} key_replay[RSNA_MAX_EAPOL_RETRIES],
		prev_key_replay[RSNA_MAX_EAPOL_RETRIES];
	Boolean PInitAKeys; /* WPA only, not in IEEE 802.11i */
	Boolean PTKRequest; /* not in IEEE 802.11i state machine */
	Boolean has_GTK;
	Boolean PtkGroupInit; /* init request for PTK Group state machine */

	/* Pointer/length pair; who allocates and frees the buffer is not
	 * visible in this header. */
	u8 *last_rx_eapol_key; /* starting from IEEE 802.1X header */
	size_t last_rx_eapol_key_len;

	/* One-bit flags. */
	unsigned int changed:1;
	unsigned int in_step_loop:1;
	unsigned int pending_deinit:1;
	unsigned int started:1;
	unsigned int mgmt_frame_prot:1;
	unsigned int rx_eapol_key_secure:1;
	unsigned int update_snonce:1;
	unsigned int alt_snonce_valid:1;
#ifdef CONFIG_IEEE80211R_AP
	unsigned int ft_completed:1;
	unsigned int pmk_r1_name_valid:1;
#endif /* CONFIG_IEEE80211R_AP */
	unsigned int is_wnmsleep:1;
	unsigned int pmkid_set:1; /* gates use of pmkid[] above */
#ifdef CONFIG_OCV
	unsigned int ocv_enabled:1;
#endif /* CONFIG_OCV */

	u8 req_replay_counter[WPA_REPLAY_COUNTER_LEN];
	int req_replay_counter_used;

	/* Pointer/length pair; ownership is not visible in this header. */
	u8 *wpa_ie;
	size_t wpa_ie_len;

	enum {
		WPA_VERSION_NO_WPA = 0 /* WPA not used */,
		WPA_VERSION_WPA = 1 /* WPA / IEEE 802.11i/D3.0 */,
		WPA_VERSION_WPA2 = 2 /* WPA2 / IEEE 802.11i */
	} wpa;
	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
	int wpa_key_mgmt; /* the selected WPA_KEY_MGMT_* */
	struct rsn_pmksa_cache_entry *pmksa;

	u32 dot11RSNAStatsTKIPLocalMICFailures;
	u32 dot11RSNAStatsTKIPRemoteMICFailures;

#ifdef CONFIG_IEEE80211R_AP
	u8 xxkey[PMK_LEN_MAX]; /* PSK or the second 256 bits of MSK, or the
				* first 384 bits of MSK */
	size_t xxkey_len; /* must stay <= PMK_LEN_MAX, the size of xxkey[] */
	u8 pmk_r1[PMK_LEN_MAX];
	unsigned int pmk_r1_len; /* must stay <= PMK_LEN_MAX */
	u8 pmk_r1_name[WPA_PMK_NAME_LEN]; /* PMKR1Name derived from FT Auth
					   * Request */
	/* NOTE(review): the value originates in a received frame, so the copy
	 * into r0kh_id[] has to be bounded by FT_R0KH_ID_MAX_LEN. */
	u8 r0kh_id[FT_R0KH_ID_MAX_LEN]; /* R0KH-ID from FT Auth Request */
	size_t r0kh_id_len;
	u8 sup_pmk_r1_name[WPA_PMK_NAME_LEN]; /* PMKR1Name from EAPOL-Key
					       * message 2/4 */
	u8 *assoc_resp_ftie;

	/* Callback, its context and the request data held for it; presumably
	 * used while an FT request is pending - confirm in the FT code. */
	void (*ft_pending_cb)(void *ctx, const u8 *dst, const u8 *bssid,
			      u16 auth_transaction, u16 status,
			      const u8 *ies, size_t ies_len);
	void *ft_pending_cb_ctx;
	struct wpabuf *ft_pending_req_ies;
	u8 ft_pending_pull_nonce[FT_RRB_NONCE_LEN];
	u8 ft_pending_auth_transaction;
	u8 ft_pending_current_ap[ETH_ALEN];
	int ft_pending_pull_left_retries;
#endif /* CONFIG_IEEE80211R_AP */

	int pending_1_of_4_timeout;

#ifdef CONFIG_P2P
	u8 ip_addr[4];
#endif /* CONFIG_P2P */

#ifdef CONFIG_FILS
	u8 fils_key_auth_sta[FILS_MAX_KEY_AUTH_LEN];
	u8 fils_key_auth_ap[FILS_MAX_KEY_AUTH_LEN];
	/* must stay <= FILS_MAX_KEY_AUTH_LEN, the size of both arrays */
	size_t fils_key_auth_len;
	unsigned int fils_completed:1;
#endif /* CONFIG_FILS */

#ifdef CONFIG_DPP2
	struct wpabuf *dpp_z;
#endif /* CONFIG_DPP2 */

#ifdef CONFIG_TESTING_OPTIONS
	/* Hook compiled in only with CONFIG_TESTING_OPTIONS.
	 * NOTE(review): production builds are expected to leave that option
	 * undefined - confirm against the build configuration. */
	void (*eapol_status_cb)(void *ctx1, void *ctx2);
	void *eapol_status_cb_ctx1;
	void *eapol_status_cb_ctx2;
#endif /* CONFIG_TESTING_OPTIONS */
};


/* per group key state machine data */
/*
 * NOTE(review): GMK, GTK and (with CONFIG_IEEE80211W) IGTK are stored inline;
 * as with any key buffer they should be cleared before the struct is freed.
 * The free path is not visible in this header - confirm.
 */
struct wpa_group {
	struct wpa_group *next; /* link to the next group entry */
	int vlan_id;

	Boolean GInit;
	int GKeyDoneStations;
	Boolean GTKReKey;
	int GTK_len; /* must stay <= WPA_GTK_MAX_LEN, the size of a GTK slot */
	int GN, GM; /* presumably select between the two GTK slots - confirm */
	Boolean GTKAuthenticator;
	u8 Counter[WPA_NONCE_LEN];

	/* Current state of the group key state machine. */
	enum {
		WPA_GROUP_GTK_INIT = 0,
		WPA_GROUP_SETKEYS, WPA_GROUP_SETKEYSDONE,
		WPA_GROUP_FATAL_FAILURE
	} wpa_group_state;

	u8 GMK[WPA_GMK_LEN];
	u8 GTK[2][WPA_GTK_MAX_LEN]; /* two key slots */
	u8 GNonce[WPA_NONCE_LEN];
	Boolean changed;
	Boolean first_sta_seen;
	/* Name suggests 4-way handshakes are refused while entropy is
	 * insufficient; where it is set and cleared is not visible here. */
	Boolean reject_4way_hs_for_entropy;
#ifdef CONFIG_IEEE80211W
	u8 IGTK[2][WPA_IGTK_MAX_LEN]; /* two key slots */
	int GN_igtk, GM_igtk;
#endif /* CONFIG_IEEE80211W */
	/* Number of references except those in struct wpa_group->next */
	unsigned int references;
	unsigned int num_setup_iface;
};
/* Opaque here; wpa_ft_pmk_cache_init() below returns a pointer to one. */
struct wpa_ft_pmk_cache;

/* per authenticator data */
struct wpa_authenticator {
	/* struct wpa_group carries a next link, so this is presumably the
	 * head of a list - confirm. */
	struct wpa_group *group;

	/* Statistics and selection fields named after dot11RSNA* attributes;
	 * the "FIX: update" notes are the original author's. */
	unsigned int dot11RSNAStatsTKIPRemoteMICFailures;
	u32 dot11RSNAAuthenticationSuiteSelected;
	u32 dot11RSNAPairwiseCipherSelected;
	u32 dot11RSNAGroupCipherSelected;
	u8 dot11RSNAPMKIDUsed[PMKID_LEN];
	u32 dot11RSNAAuthenticationSuiteRequested; /* FIX: update */
	u32 dot11RSNAPairwiseCipherRequested; /* FIX: update */
	u32 dot11RSNAGroupCipherRequested; /* FIX: update */
	unsigned int dot11RSNATKIPCounterMeasuresInvoked;
	unsigned int dot11RSNA4WayHandshakeFailures;

	struct wpa_auth_config conf; /* held by value, not by pointer */
	/* Callback table (const, so not modified through this pointer) and
	 * the context pointer stored next to it. */
	const struct wpa_auth_callbacks *cb;
	void *cb_ctx;

	/* Pointer/length pair; ownership is not visible in this header. */
	u8 *wpa_ie;
	size_t wpa_ie_len;

	u8 addr[ETH_ALEN];

	struct rsn_pmksa_cache *pmksa;
	struct wpa_ft_pmk_cache *ft_pmk_cache;

#ifdef CONFIG_P2P
	struct bitfield *ip_pool;
#endif /* CONFIG_P2P */
};


#ifdef CONFIG_IEEE80211R_AP

/* Number of entries in ft_remote_seq_rx.last[]. */
#define FT_REMOTE_SEQ_BACKLOG 16
/*
 * Receive-side sequence number tracking. The window comment inside the struct
 * defines which sequence numbers are accepted, which are dropped and which
 * trigger a SEQ_REQ message.
 */
struct ft_remote_seq_rx {
	u32 dom;
	struct os_reltime time_offset; /* local time - offset = remote time */

	/* accepted sequence numbers: (offset ... offset + 0x40000000]
	 *                            (except those in last)
	 * dropped sequence numbers:  (offset - 0x40000000 ... offset]
	 * all others trigger SEQ_REQ message (except first message)
	 */
	/* NOTE(review): num_last and offsetidx presumably count and index
	 * entries of last[]; any index derived from them has to stay below
	 * FT_REMOTE_SEQ_BACKLOG - confirm in the code that updates them. */
	u32 last[FT_REMOTE_SEQ_BACKLOG];
	unsigned int num_last;
	u32 offsetidx;

	struct dl_list queue; /* send nonces + rrb msgs awaiting seq resp */
};

/* Transmit-side sequence state. */
struct ft_remote_seq_tx {
	u32 dom; /* non zero if initialized */
	u32 seq;
};

/* Receive and transmit sequence state kept together. */
struct ft_remote_seq {
	struct ft_remote_seq_rx rx;
	struct ft_remote_seq_tx tx;
};

#endif /* CONFIG_IEEE80211R_AP */


/* Output goes to buf; len is presumably the capacity of buf. Whether pmkid
 * may be NULL and what the return value means are not visible here. */
int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
		     const u8 *pmkid);
/* Logs the fixed string txt at the given level. */
void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
		     logger_level level, const char *txt);
/* Variadic form; fmt is presumably a printf-style format string.
 * NOTE(review): no format-checking attribute appears on this declaration, so
 * fmt/argument mismatches are not diagnosed from here. Callers should pass a
 * literal fmt and hand peer-derived text over as an argument. */
void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
		      logger_level level, const char *fmt, ...);
/* NOTE(review): identifiers containing a double underscore are reserved for
 * the implementation in C; renaming would touch every caller, so this is
 * only flagged here. */
void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
		      struct wpa_state_machine *sm, int key_info,
		      const u8 *key_rsc, const u8 *nonce,
		      const u8 *kde, size_t kde_len,
		      int keyidx, int encr, int force_version);
/* Iteration helpers: cb receives one state machine / authenticator per call
 * together with cb_ctx. How cb's return value affects the iteration is not
 * visible in this header. */
int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
			  void *cb_ctx);
int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
			   int (*cb)(struct wpa_authenticator *a, void *ctx),
			   void *cb_ctx);

#ifdef CONFIG_IEEE80211R_AP
/* FT helpers, declared only with CONFIG_IEEE80211R_AP. For the two writers,
 * len is presumably the capacity of buf - confirm in the definitions. */
int wpa_write_mdie(struct wpa_auth_config *conf, u8 *buf, size_t len);
int wpa_write_ftie(struct wpa_auth_config *conf, int use_sha384,
		   const u8 *r0kh_id, size_t r0kh_id_len,
		   const u8 *anonce, const u8 *snonce,
		   u8 *buf, size_t len, const u8 *subelem,
		   size_t subelem_len);
int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk);
/* Init/deinit pair for the FT PMK cache. */
struct wpa_ft_pmk_cache * wpa_ft_pmk_cache_init(void);
void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache);
void wpa_ft_install_ptk(struct wpa_state_machine *sm);
/* NOTE(review): pmk_r0 and pmk_r0_name are passed without lengths, so the
 * callee must assume fixed sizes - confirm them at the definition. */
int wpa_ft_store_pmk_fils(struct wpa_state_machine *sm, const u8 *pmk_r0,
			  const u8 *pmk_r0_name);
#endif /* CONFIG_IEEE80211R_AP */

#endif /* WPA_AUTH_I_H */