1 /* $OpenBSD: ieee80211_pae_input.c,v 1.25 2015/07/15 22:16:42 deraadt Exp $ */ 2 3 /*- 4 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the 4-Way Handshake and Group Key Handshake protocols 21 * (both Supplicant and Authenticator Key Receive state machines) defined in 22 * IEEE Std 802.11-2007 section 8.5. 23 */ 24 25 #include <sys/param.h> 26 #include <sys/systm.h> 27 #include <sys/mbuf.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/sockio.h> 31 #include <sys/errno.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 37 #include <netinet/in.h> 38 #include <netinet/if_ether.h> 39 40 #include <net80211/ieee80211_var.h> 41 #include <net80211/ieee80211_priv.h> 42 43 void ieee80211_recv_4way_msg1(struct ieee80211com *, 44 struct ieee80211_eapol_key *, struct ieee80211_node *); 45 #ifndef IEEE80211_STA_ONLY 46 void ieee80211_recv_4way_msg2(struct ieee80211com *, 47 struct ieee80211_eapol_key *, struct ieee80211_node *, 48 const u_int8_t *); 49 #endif 50 void ieee80211_recv_4way_msg3(struct ieee80211com *, 51 struct ieee80211_eapol_key *, struct ieee80211_node *); 52 #ifndef IEEE80211_STA_ONLY 53 void ieee80211_recv_4way_msg4(struct ieee80211com *, 54 struct ieee80211_eapol_key *, struct ieee80211_node *); 55 void ieee80211_recv_4way_msg2or4(struct ieee80211com *, 56 struct ieee80211_eapol_key *, struct ieee80211_node *); 57 #endif 58 void ieee80211_recv_rsn_group_msg1(struct ieee80211com *, 59 struct ieee80211_eapol_key *, struct ieee80211_node *); 60 void ieee80211_recv_wpa_group_msg1(struct ieee80211com *, 61 struct ieee80211_eapol_key *, struct ieee80211_node *); 62 #ifndef IEEE80211_STA_ONLY 63 void ieee80211_recv_group_msg2(struct ieee80211com *, 64 struct ieee80211_eapol_key *, struct ieee80211_node *); 65 void ieee80211_recv_eapol_key_req(struct ieee80211com *, 66 struct ieee80211_eapol_key *, struct ieee80211_node *); 67 #endif 68 69 /* 70 * Process an incoming EAPOL frame. Notice that we are only interested in 71 * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type. 72 */ 73 void 74 ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m, 75 struct ieee80211_node *ni) 76 { 77 struct ifnet *ifp = &ic->ic_if; 78 struct ether_header *eh; 79 struct ieee80211_eapol_key *key; 80 u_int16_t info, desc; 81 int totlen; 82 83 ifp->if_ibytes += m->m_pkthdr.len; 84 85 eh = mtod(m, struct ether_header *); 86 if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) { 87 ifp->if_imcasts++; 88 goto done; 89 } 90 m_adj(m, sizeof(*eh)); 91 92 if (m->m_pkthdr.len < sizeof(*key)) 93 goto done; 94 if (m->m_len < sizeof(*key) && 95 (m = m_pullup(m, sizeof(*key))) == NULL) { 96 ic->ic_stats.is_rx_nombuf++; 97 goto done; 98 } 99 key = mtod(m, struct ieee80211_eapol_key *); 100 101 if (key->type != EAPOL_KEY) 102 goto done; 103 ic->ic_stats.is_rx_eapol_key++; 104 105 if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 106 key->desc != EAPOL_KEY_DESC_IEEE80211) || 107 (ni->ni_rsnprotos == IEEE80211_PROTO_WPA && 108 key->desc != EAPOL_KEY_DESC_WPA)) 109 goto done; 110 111 /* check packet body length */ 112 if (m->m_pkthdr.len < 4 + BE_READ_2(key->len)) 113 goto done; 114 115 /* check key data length */ 116 totlen = sizeof(*key) + BE_READ_2(key->paylen); 117 if (m->m_pkthdr.len < totlen || totlen > MCLBYTES) 118 goto done; 119 120 info = BE_READ_2(key->info); 121 122 /* discard EAPOL-Key frames with an unknown descriptor version */ 123 desc = info & EAPOL_KEY_VERSION_MASK; 124 if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3) 125 goto done; 126 127 if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) { 128 if (desc != EAPOL_KEY_DESC_V3) 129 goto done; 130 } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP || 131 ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) { 132 if (desc != EAPOL_KEY_DESC_V2) 133 goto done; 134 } 135 136 /* make sure the key data field is contiguous */ 137 if (m->m_len < totlen && (m = m_pullup(m, totlen)) == NULL) { 138 ic->ic_stats.is_rx_nombuf++; 139 goto done; 140 } 141 key = mtod(m, struct ieee80211_eapol_key *); 142 143 /* determine message type (see 8.5.3.7) */ 144 if (info & EAPOL_KEY_REQUEST) { 145 #ifndef IEEE80211_STA_ONLY 146 /* EAPOL-Key Request frame */ 147 ieee80211_recv_eapol_key_req(ic, key, ni); 148 #endif 149 } else if (info & EAPOL_KEY_PAIRWISE) { 150 /* 4-Way Handshake */ 151 if (info & EAPOL_KEY_KEYMIC) { 152 if (info & EAPOL_KEY_KEYACK) 153 ieee80211_recv_4way_msg3(ic, key, ni); 154 #ifndef IEEE80211_STA_ONLY 155 else 156 ieee80211_recv_4way_msg2or4(ic, key, ni); 157 #endif 158 } else if (info & EAPOL_KEY_KEYACK) 159 ieee80211_recv_4way_msg1(ic, key, ni); 160 } else { 161 /* Group Key Handshake */ 162 if (!(info & EAPOL_KEY_KEYMIC)) 163 goto done; 164 if (info & EAPOL_KEY_KEYACK) { 165 if (key->desc == EAPOL_KEY_DESC_WPA) 166 ieee80211_recv_wpa_group_msg1(ic, key, ni); 167 else 168 ieee80211_recv_rsn_group_msg1(ic, key, ni); 169 } 170 #ifndef IEEE80211_STA_ONLY 171 else 172 ieee80211_recv_group_msg2(ic, key, ni); 173 #endif 174 } 175 done: 176 m_freem(m); 177 } 178 179 /* 180 * Process Message 1 of the 4-Way Handshake (sent by Authenticator). 181 */ 182 void 183 ieee80211_recv_4way_msg1(struct ieee80211com *ic, 184 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 185 { 186 struct ieee80211_ptk tptk; 187 struct ieee80211_pmk *pmk; 188 const u_int8_t *frm, *efrm; 189 const u_int8_t *pmkid; 190 191 #ifndef IEEE80211_STA_ONLY 192 if (ic->ic_opmode != IEEE80211_M_STA && 193 ic->ic_opmode != IEEE80211_M_IBSS) 194 return; 195 #endif 196 if (ni->ni_replaycnt_ok && 197 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 198 ic->ic_stats.is_rx_eapol_replay++; 199 return; 200 } 201 202 /* parse key data field (may contain an encapsulated PMKID) */ 203 frm = (const u_int8_t *)&key[1]; 204 efrm = frm + BE_READ_2(key->paylen); 205 206 pmkid = NULL; 207 while (frm + 2 <= efrm) { 208 if (frm + 2 + frm[1] > efrm) 209 break; 210 switch (frm[0]) { 211 case IEEE80211_ELEMID_VENDOR: 212 if (frm[1] < 4) 213 break; 214 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 215 switch (frm[5]) { 216 case IEEE80211_KDE_PMKID: 217 pmkid = frm; 218 break; 219 } 220 } 221 break; 222 } 223 frm += 2 + frm[1]; 224 } 225 /* check that the PMKID KDE is valid (if present) */ 226 if (pmkid != NULL && pmkid[1] != 4 + 16) 227 return; 228 229 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 230 /* retrieve the PMK for this (AP,PMKID) */ 231 pmk = ieee80211_pmksa_find(ic, ni, 232 (pmkid != NULL) ? &pmkid[6] : NULL); 233 if (pmk == NULL) { 234 DPRINTF(("no PMK available for %s\n", 235 ether_sprintf(ni->ni_macaddr))); 236 return; 237 } 238 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 239 } else /* use pre-shared key */ 240 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 241 ni->ni_flags |= IEEE80211_NODE_PMK; 242 243 /* save authenticator's nonce (ANonce) */ 244 memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN); 245 246 /* generate supplicant's nonce (SNonce) */ 247 arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN); 248 249 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 250 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 251 ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk); 252 253 if (ic->ic_if.if_flags & IFF_DEBUG) 254 printf("%s: received msg %d/%d of the %s handshake from %s\n", 255 ic->ic_if.if_xname, 1, 4, "4-way", 256 ether_sprintf(ni->ni_macaddr)); 257 258 /* send message 2 to authenticator using TPTK */ 259 (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk); 260 } 261 262 #ifndef IEEE80211_STA_ONLY 263 /* 264 * Process Message 2 of the 4-Way Handshake (sent by Supplicant). 265 */ 266 void 267 ieee80211_recv_4way_msg2(struct ieee80211com *ic, 268 struct ieee80211_eapol_key *key, struct ieee80211_node *ni, 269 const u_int8_t *rsnie) 270 { 271 struct ieee80211_ptk tptk; 272 273 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 274 ic->ic_opmode != IEEE80211_M_IBSS) 275 return; 276 277 /* discard if we're not expecting this message */ 278 if (ni->ni_rsn_state != RSNA_PTKSTART && 279 ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) { 280 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 281 return; 282 } 283 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING; 284 285 /* NB: replay counter has already been verified by caller */ 286 287 /* PTK = CalcPTK(ANonce, SNonce) */ 288 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr, 289 ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk); 290 291 /* check Key MIC field using KCK */ 292 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 293 DPRINTF(("key MIC failed\n")); 294 ic->ic_stats.is_rx_eapol_badmic++; 295 return; /* will timeout.. */ 296 } 297 298 timeout_del(&ni->ni_eapol_to); 299 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2; 300 ni->ni_rsn_retries = 0; 301 302 /* install TPTK as PTK now that MIC is verified */ 303 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 304 305 /* 306 * The RSN IE must match bit-wise with what the STA included in its 307 * (Re)Association Request. 308 */ 309 if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] || 310 memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) { 311 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 312 IEEE80211_REASON_RSN_DIFFERENT_IE); 313 ieee80211_node_leave(ic, ni); 314 return; 315 } 316 317 if (ic->ic_if.if_flags & IFF_DEBUG) 318 printf("%s: received msg %d/%d of the %s handshake from %s\n", 319 ic->ic_if.if_xname, 2, 4, "4-way", 320 ether_sprintf(ni->ni_macaddr)); 321 322 /* send message 3 to supplicant */ 323 (void)ieee80211_send_4way_msg3(ic, ni); 324 } 325 #endif /* IEEE80211_STA_ONLY */ 326 327 /* 328 * Process Message 3 of the 4-Way Handshake (sent by Authenticator). 329 */ 330 void 331 ieee80211_recv_4way_msg3(struct ieee80211com *ic, 332 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 333 { 334 struct ieee80211_ptk tptk; 335 struct ieee80211_key *k; 336 const u_int8_t *frm, *efrm; 337 const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk; 338 u_int16_t info, reason = 0; 339 int keylen; 340 341 #ifndef IEEE80211_STA_ONLY 342 if (ic->ic_opmode != IEEE80211_M_STA && 343 ic->ic_opmode != IEEE80211_M_IBSS) 344 return; 345 #endif 346 if (ni->ni_replaycnt_ok && 347 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 348 ic->ic_stats.is_rx_eapol_replay++; 349 return; 350 } 351 /* make sure that a PMK has been selected */ 352 if (!(ni->ni_flags & IEEE80211_NODE_PMK)) { 353 DPRINTF(("no PMK found for %s\n", 354 ether_sprintf(ni->ni_macaddr))); 355 return; 356 } 357 /* check that ANonce matches that of Message 1 */ 358 if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) { 359 DPRINTF(("ANonce does not match msg 1/4\n")); 360 return; 361 } 362 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 363 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 364 ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk); 365 366 info = BE_READ_2(key->info); 367 368 /* check Key MIC field using KCK */ 369 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 370 DPRINTF(("key MIC failed\n")); 371 ic->ic_stats.is_rx_eapol_badmic++; 372 return; 373 } 374 /* install TPTK as PTK now that MIC is verified */ 375 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 376 377 /* if encrypted, decrypt Key Data field using KEK */ 378 if ((info & EAPOL_KEY_ENCRYPTED) && 379 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 380 DPRINTF(("decryption failed\n")); 381 return; 382 } 383 384 /* parse key data field */ 385 frm = (const u_int8_t *)&key[1]; 386 efrm = frm + BE_READ_2(key->paylen); 387 388 /* 389 * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and 390 * RSN IEs in message 3/4. We only take into account the IE of the 391 * version of the protocol we negotiated at association time. 392 */ 393 rsnie1 = rsnie2 = gtk = igtk = NULL; 394 while (frm + 2 <= efrm) { 395 if (frm + 2 + frm[1] > efrm) 396 break; 397 switch (frm[0]) { 398 case IEEE80211_ELEMID_RSN: 399 if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN) 400 break; 401 if (rsnie1 == NULL) 402 rsnie1 = frm; 403 else if (rsnie2 == NULL) 404 rsnie2 = frm; 405 /* ignore others if more than two RSN IEs */ 406 break; 407 case IEEE80211_ELEMID_VENDOR: 408 if (frm[1] < 4) 409 break; 410 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 411 switch (frm[5]) { 412 case IEEE80211_KDE_GTK: 413 gtk = frm; 414 break; 415 case IEEE80211_KDE_IGTK: 416 if (ni->ni_flags & IEEE80211_NODE_MFP) 417 igtk = frm; 418 break; 419 } 420 } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 421 switch (frm[5]) { 422 case 1: /* WPA */ 423 if (ni->ni_rsnprotos != 424 IEEE80211_PROTO_WPA) 425 break; 426 rsnie1 = frm; 427 break; 428 } 429 } 430 break; 431 } 432 frm += 2 + frm[1]; 433 } 434 /* first WPA/RSN IE is mandatory */ 435 if (rsnie1 == NULL) { 436 DPRINTF(("missing RSN IE\n")); 437 return; 438 } 439 /* key data must be encrypted if GTK is included */ 440 if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) { 441 DPRINTF(("GTK not encrypted\n")); 442 return; 443 } 444 /* GTK KDE must be included if IGTK KDE is present */ 445 if (igtk != NULL && gtk == NULL) { 446 DPRINTF(("IGTK KDE found but GTK KDE missing\n")); 447 return; 448 } 449 /* check that the Install bit is set if using pairwise keys */ 450 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 451 !(info & EAPOL_KEY_INSTALL)) { 452 DPRINTF(("pairwise cipher but !Install\n")); 453 return; 454 } 455 456 /* 457 * Check that first WPA/RSN IE is identical to the one received in 458 * the beacon or probe response frame. 459 */ 460 if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] || 461 memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) { 462 reason = IEEE80211_REASON_RSN_DIFFERENT_IE; 463 goto deauth; 464 } 465 466 /* 467 * If a second RSN information element is present, use its pairwise 468 * cipher suite or deauthenticate. 469 */ 470 if (rsnie2 != NULL) { 471 struct ieee80211_rsnparams rsn; 472 473 if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) { 474 if (rsn.rsn_akms != ni->ni_rsnakms || 475 rsn.rsn_groupcipher != ni->ni_rsngroupcipher || 476 rsn.rsn_nciphers != 1 || 477 !(rsn.rsn_ciphers & ic->ic_rsnciphers)) { 478 reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER; 479 goto deauth; 480 } 481 /* use pairwise cipher suite of second RSN IE */ 482 ni->ni_rsnciphers = rsn.rsn_ciphers; 483 ni->ni_rsncipher = ni->ni_rsnciphers; 484 } 485 } 486 487 /* update the last seen value of the key replay counter field */ 488 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 489 ni->ni_replaycnt_ok = 1; 490 491 if (ic->ic_if.if_flags & IFF_DEBUG) 492 printf("%s: received msg %d/%d of the %s handshake from %s\n", 493 ic->ic_if.if_xname, 3, 4, "4-way", 494 ether_sprintf(ni->ni_macaddr)); 495 496 /* send message 4 to authenticator */ 497 if (ieee80211_send_4way_msg4(ic, ni) != 0) 498 return; /* ..authenticator will retry */ 499 500 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 501 u_int64_t prsc; 502 503 /* check that key length matches that of pairwise cipher */ 504 keylen = ieee80211_cipher_keylen(ni->ni_rsncipher); 505 if (BE_READ_2(key->keylen) != keylen) { 506 reason = IEEE80211_REASON_AUTH_LEAVE; 507 goto deauth; 508 } 509 prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0; 510 511 /* map PTK to 802.11 key */ 512 k = &ni->ni_pairwise_key; 513 memset(k, 0, sizeof(*k)); 514 k->k_cipher = ni->ni_rsncipher; 515 k->k_rsc[0] = prsc; 516 k->k_len = keylen; 517 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 518 /* install the PTK */ 519 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 520 reason = IEEE80211_REASON_AUTH_LEAVE; 521 goto deauth; 522 } 523 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 524 ni->ni_flags |= IEEE80211_NODE_RXPROT; 525 } 526 if (gtk != NULL) { 527 u_int8_t kid; 528 529 /* check that key length matches that of group cipher */ 530 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 531 if (gtk[1] != 6 + keylen) { 532 reason = IEEE80211_REASON_AUTH_LEAVE; 533 goto deauth; 534 } 535 /* map GTK to 802.11 key */ 536 kid = gtk[6] & 3; 537 k = &ic->ic_nw_keys[kid]; 538 memset(k, 0, sizeof(*k)); 539 k->k_id = kid; /* 0-3 */ 540 k->k_cipher = ni->ni_rsngroupcipher; 541 k->k_flags = IEEE80211_KEY_GROUP; 542 if (gtk[6] & (1 << 2)) 543 k->k_flags |= IEEE80211_KEY_TX; 544 k->k_rsc[0] = LE_READ_6(key->rsc); 545 k->k_len = keylen; 546 memcpy(k->k_key, >k[8], k->k_len); 547 /* install the GTK */ 548 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 549 reason = IEEE80211_REASON_AUTH_LEAVE; 550 goto deauth; 551 } 552 } 553 if (igtk != NULL) { /* implies MFP && gtk != NULL */ 554 u_int16_t kid; 555 556 /* check that the IGTK KDE is valid */ 557 if (igtk[1] != 4 + 24) { 558 reason = IEEE80211_REASON_AUTH_LEAVE; 559 goto deauth; 560 } 561 kid = LE_READ_2(&igtk[6]); 562 if (kid != 4 && kid != 5) { 563 DPRINTF(("unsupported IGTK id %u\n", kid)); 564 reason = IEEE80211_REASON_AUTH_LEAVE; 565 goto deauth; 566 } 567 /* map IGTK to 802.11 key */ 568 k = &ic->ic_nw_keys[kid]; 569 memset(k, 0, sizeof(*k)); 570 k->k_id = kid; /* either 4 or 5 */ 571 k->k_cipher = ni->ni_rsngroupmgmtcipher; 572 k->k_flags = IEEE80211_KEY_IGTK; 573 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 574 k->k_len = 16; 575 memcpy(k->k_key, &igtk[14], k->k_len); 576 /* install the IGTK */ 577 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 578 reason = IEEE80211_REASON_AUTH_LEAVE; 579 goto deauth; 580 } 581 } 582 if (info & EAPOL_KEY_INSTALL) 583 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 584 585 if (info & EAPOL_KEY_SECURE) { 586 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 587 #ifndef IEEE80211_STA_ONLY 588 if (ic->ic_opmode != IEEE80211_M_IBSS || 589 ++ni->ni_key_count == 2) 590 #endif 591 { 592 DPRINTF(("marking port %s valid\n", 593 ether_sprintf(ni->ni_macaddr))); 594 ni->ni_port_valid = 1; 595 ieee80211_set_link_state(ic, LINK_STATE_UP); 596 } 597 } 598 deauth: 599 if (reason != 0) { 600 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 601 reason); 602 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 603 } 604 } 605 606 #ifndef IEEE80211_STA_ONLY 607 /* 608 * Process Message 4 of the 4-Way Handshake (sent by Supplicant). 609 */ 610 void 611 ieee80211_recv_4way_msg4(struct ieee80211com *ic, 612 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 613 { 614 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 615 ic->ic_opmode != IEEE80211_M_IBSS) 616 return; 617 618 /* discard if we're not expecting this message */ 619 if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) { 620 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 621 return; 622 } 623 624 /* NB: replay counter has already been verified by caller */ 625 626 /* check Key MIC field using KCK */ 627 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 628 DPRINTF(("key MIC failed\n")); 629 ic->ic_stats.is_rx_eapol_badmic++; 630 return; /* will timeout.. */ 631 } 632 633 timeout_del(&ni->ni_eapol_to); 634 ni->ni_rsn_state = RSNA_PTKINITDONE; 635 ni->ni_rsn_retries = 0; 636 637 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 638 struct ieee80211_key *k; 639 640 /* map PTK to 802.11 key */ 641 k = &ni->ni_pairwise_key; 642 memset(k, 0, sizeof(*k)); 643 k->k_cipher = ni->ni_rsncipher; 644 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 645 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 646 /* install the PTK */ 647 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 648 IEEE80211_SEND_MGMT(ic, ni, 649 IEEE80211_FC0_SUBTYPE_DEAUTH, 650 IEEE80211_REASON_ASSOC_TOOMANY); 651 ieee80211_node_leave(ic, ni); 652 return; 653 } 654 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 655 } 656 if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) { 657 DPRINTF(("marking port %s valid\n", 658 ether_sprintf(ni->ni_macaddr))); 659 ni->ni_port_valid = 1; 660 } 661 662 if (ic->ic_if.if_flags & IFF_DEBUG) 663 printf("%s: received msg %d/%d of the %s handshake from %s\n", 664 ic->ic_if.if_xname, 4, 4, "4-way", 665 ether_sprintf(ni->ni_macaddr)); 666 667 /* initiate a group key handshake for WPA */ 668 if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA) 669 (void)ieee80211_send_group_msg1(ic, ni); 670 else 671 ni->ni_rsn_gstate = RSNA_IDLE; 672 } 673 674 /* 675 * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on 676 * the presence of an RSN or WPA Information Element. 677 */ 678 void 679 ieee80211_recv_4way_msg2or4(struct ieee80211com *ic, 680 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 681 { 682 const u_int8_t *frm, *efrm; 683 const u_int8_t *rsnie; 684 685 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 686 ic->ic_stats.is_rx_eapol_replay++; 687 return; 688 } 689 690 /* parse key data field (check if an RSN IE is present) */ 691 frm = (const u_int8_t *)&key[1]; 692 efrm = frm + BE_READ_2(key->paylen); 693 694 rsnie = NULL; 695 while (frm + 2 <= efrm) { 696 if (frm + 2 + frm[1] > efrm) 697 break; 698 switch (frm[0]) { 699 case IEEE80211_ELEMID_RSN: 700 rsnie = frm; 701 break; 702 case IEEE80211_ELEMID_VENDOR: 703 if (frm[1] < 4) 704 break; 705 if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 706 switch (frm[5]) { 707 case 1: /* WPA */ 708 rsnie = frm; 709 break; 710 } 711 } 712 } 713 frm += 2 + frm[1]; 714 } 715 if (rsnie != NULL) 716 ieee80211_recv_4way_msg2(ic, key, ni, rsnie); 717 else 718 ieee80211_recv_4way_msg4(ic, key, ni); 719 } 720 #endif /* IEEE80211_STA_ONLY */ 721 722 /* 723 * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator). 724 */ 725 void 726 ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic, 727 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 728 { 729 struct ieee80211_key *k; 730 const u_int8_t *frm, *efrm; 731 const u_int8_t *gtk, *igtk; 732 u_int16_t info, kid, reason = 0; 733 int keylen; 734 735 #ifndef IEEE80211_STA_ONLY 736 if (ic->ic_opmode != IEEE80211_M_STA && 737 ic->ic_opmode != IEEE80211_M_IBSS) 738 return; 739 #endif 740 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 741 ic->ic_stats.is_rx_eapol_replay++; 742 return; 743 } 744 /* check Key MIC field using KCK */ 745 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 746 DPRINTF(("key MIC failed\n")); 747 ic->ic_stats.is_rx_eapol_badmic++; 748 return; 749 } 750 info = BE_READ_2(key->info); 751 752 /* check that encrypted and decrypt Key Data field using KEK */ 753 if (!(info & EAPOL_KEY_ENCRYPTED) || 754 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 755 DPRINTF(("decryption failed\n")); 756 return; 757 } 758 759 /* parse key data field (shall contain a GTK KDE) */ 760 frm = (const u_int8_t *)&key[1]; 761 efrm = frm + BE_READ_2(key->paylen); 762 763 gtk = igtk = NULL; 764 while (frm + 2 <= efrm) { 765 if (frm + 2 + frm[1] > efrm) 766 break; 767 switch (frm[0]) { 768 case IEEE80211_ELEMID_VENDOR: 769 if (frm[1] < 4) 770 break; 771 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 772 switch (frm[5]) { 773 case IEEE80211_KDE_GTK: 774 gtk = frm; 775 break; 776 case IEEE80211_KDE_IGTK: 777 if (ni->ni_flags & IEEE80211_NODE_MFP) 778 igtk = frm; 779 break; 780 } 781 } 782 break; 783 } 784 frm += 2 + frm[1]; 785 } 786 /* check that the GTK KDE is present */ 787 if (gtk == NULL) { 788 DPRINTF(("GTK KDE missing\n")); 789 return; 790 } 791 792 /* check that key length matches that of group cipher */ 793 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 794 if (gtk[1] != 6 + keylen) 795 return; 796 797 /* map GTK to 802.11 key */ 798 kid = gtk[6] & 3; 799 k = &ic->ic_nw_keys[kid]; 800 memset(k, 0, sizeof(*k)); 801 k->k_id = kid; /* 0-3 */ 802 k->k_cipher = ni->ni_rsngroupcipher; 803 k->k_flags = IEEE80211_KEY_GROUP; 804 if (gtk[6] & (1 << 2)) 805 k->k_flags |= IEEE80211_KEY_TX; 806 k->k_rsc[0] = LE_READ_6(key->rsc); 807 k->k_len = keylen; 808 memcpy(k->k_key, >k[8], k->k_len); 809 /* install the GTK */ 810 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 811 reason = IEEE80211_REASON_AUTH_LEAVE; 812 goto deauth; 813 } 814 if (igtk != NULL) { /* implies MFP */ 815 /* check that the IGTK KDE is valid */ 816 if (igtk[1] != 4 + 24) { 817 reason = IEEE80211_REASON_AUTH_LEAVE; 818 goto deauth; 819 } 820 kid = LE_READ_2(&igtk[6]); 821 if (kid != 4 && kid != 5) { 822 DPRINTF(("unsupported IGTK id %u\n", kid)); 823 reason = IEEE80211_REASON_AUTH_LEAVE; 824 goto deauth; 825 } 826 /* map IGTK to 802.11 key */ 827 k = &ic->ic_nw_keys[kid]; 828 memset(k, 0, sizeof(*k)); 829 k->k_id = kid; /* either 4 or 5 */ 830 k->k_cipher = ni->ni_rsngroupmgmtcipher; 831 k->k_flags = IEEE80211_KEY_IGTK; 832 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 833 k->k_len = 16; 834 memcpy(k->k_key, &igtk[14], k->k_len); 835 /* install the IGTK */ 836 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 837 reason = IEEE80211_REASON_AUTH_LEAVE; 838 goto deauth; 839 } 840 } 841 if (info & EAPOL_KEY_SECURE) { 842 #ifndef IEEE80211_STA_ONLY 843 if (ic->ic_opmode != IEEE80211_M_IBSS || 844 ++ni->ni_key_count == 2) 845 #endif 846 { 847 DPRINTF(("marking port %s valid\n", 848 ether_sprintf(ni->ni_macaddr))); 849 ni->ni_port_valid = 1; 850 ieee80211_set_link_state(ic, LINK_STATE_UP); 851 } 852 } 853 /* update the last seen value of the key replay counter field */ 854 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 855 856 if (ic->ic_if.if_flags & IFF_DEBUG) 857 printf("%s: received msg %d/%d of the %s handshake from %s\n", 858 ic->ic_if.if_xname, 1, 2, "group key", 859 ether_sprintf(ni->ni_macaddr)); 860 861 /* send message 2 to authenticator */ 862 (void)ieee80211_send_group_msg2(ic, ni, NULL); 863 return; 864 deauth: 865 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 866 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 867 } 868 869 /* 870 * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator). 871 */ 872 void 873 ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic, 874 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 875 { 876 struct ieee80211_key *k; 877 u_int16_t info; 878 u_int8_t kid; 879 int keylen; 880 881 #ifndef IEEE80211_STA_ONLY 882 if (ic->ic_opmode != IEEE80211_M_STA && 883 ic->ic_opmode != IEEE80211_M_IBSS) 884 return; 885 #endif 886 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 887 ic->ic_stats.is_rx_eapol_replay++; 888 return; 889 } 890 /* check Key MIC field using KCK */ 891 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 892 DPRINTF(("key MIC failed\n")); 893 ic->ic_stats.is_rx_eapol_badmic++; 894 return; 895 } 896 /* 897 * EAPOL-Key data field is encrypted even though WPA doesn't set 898 * the ENCRYPTED bit in the info field. 899 */ 900 if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 901 DPRINTF(("decryption failed\n")); 902 return; 903 } 904 905 /* check that key length matches that of group cipher */ 906 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 907 if (BE_READ_2(key->keylen) != keylen) 908 return; 909 910 /* check that the data length is large enough to hold the key */ 911 if (BE_READ_2(key->paylen) < keylen) 912 return; 913 914 info = BE_READ_2(key->info); 915 916 /* map GTK to 802.11 key */ 917 kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3; 918 k = &ic->ic_nw_keys[kid]; 919 memset(k, 0, sizeof(*k)); 920 k->k_id = kid; /* 0-3 */ 921 k->k_cipher = ni->ni_rsngroupcipher; 922 k->k_flags = IEEE80211_KEY_GROUP; 923 if (info & EAPOL_KEY_WPA_TX) 924 k->k_flags |= IEEE80211_KEY_TX; 925 k->k_rsc[0] = LE_READ_6(key->rsc); 926 k->k_len = keylen; 927 /* key data field contains the GTK */ 928 memcpy(k->k_key, &key[1], k->k_len); 929 /* install the GTK */ 930 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 931 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 932 IEEE80211_REASON_AUTH_LEAVE); 933 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 934 return; 935 } 936 if (info & EAPOL_KEY_SECURE) { 937 #ifndef IEEE80211_STA_ONLY 938 if (ic->ic_opmode != IEEE80211_M_IBSS || 939 ++ni->ni_key_count == 2) 940 #endif 941 { 942 DPRINTF(("marking port %s valid\n", 943 ether_sprintf(ni->ni_macaddr))); 944 ni->ni_port_valid = 1; 945 ieee80211_set_link_state(ic, LINK_STATE_UP); 946 } 947 } 948 /* update the last seen value of the key replay counter field */ 949 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 950 951 if (ic->ic_if.if_flags & IFF_DEBUG) 952 printf("%s: received msg %d/%d of the %s handshake from %s\n", 953 ic->ic_if.if_xname, 1, 2, "group key", 954 ether_sprintf(ni->ni_macaddr)); 955 956 /* send message 2 to authenticator */ 957 (void)ieee80211_send_group_msg2(ic, ni, k); 958 } 959 960 #ifndef IEEE80211_STA_ONLY 961 /* 962 * Process Message 2 of the Group Key Handshake (sent by Supplicant). 963 */ 964 void 965 ieee80211_recv_group_msg2(struct ieee80211com *ic, 966 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 967 { 968 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 969 ic->ic_opmode != IEEE80211_M_IBSS) 970 return; 971 972 /* discard if we're not expecting this message */ 973 if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) { 974 DPRINTF(("%s: unexpected in state: %d\n", ic->ic_if.if_xname, 975 ni->ni_rsn_gstate)); 976 return; 977 } 978 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 979 ic->ic_stats.is_rx_eapol_replay++; 980 return; 981 } 982 /* check Key MIC field using KCK */ 983 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 984 DPRINTF(("key MIC failed\n")); 985 ic->ic_stats.is_rx_eapol_badmic++; 986 return; 987 } 988 989 timeout_del(&ni->ni_eapol_to); 990 ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED; 991 992 if ((ni->ni_flags & IEEE80211_NODE_REKEY) && 993 --ic->ic_rsn_keydonesta == 0) 994 ieee80211_setkeysdone(ic); 995 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 996 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 997 998 ni->ni_rsn_gstate = RSNA_IDLE; 999 ni->ni_rsn_retries = 0; 1000 1001 if (ic->ic_if.if_flags & IFF_DEBUG) 1002 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1003 ic->ic_if.if_xname, 2, 2, "group key", 1004 ether_sprintf(ni->ni_macaddr)); 1005 } 1006 1007 /* 1008 * EAPOL-Key Request frames are sent by the supplicant to request that the 1009 * authenticator initiates either a 4-Way Handshake or Group Key Handshake, 1010 * or to report a MIC failure in a TKIP MSDU. 1011 */ 1012 void 1013 ieee80211_recv_eapol_key_req(struct ieee80211com *ic, 1014 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1015 { 1016 u_int16_t info; 1017 1018 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1019 ic->ic_opmode != IEEE80211_M_IBSS) 1020 return; 1021 1022 /* enforce monotonicity of key request replay counter */ 1023 if (ni->ni_reqreplaycnt_ok && 1024 BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) { 1025 ic->ic_stats.is_rx_eapol_replay++; 1026 return; 1027 } 1028 info = BE_READ_2(key->info); 1029 1030 if (!(info & EAPOL_KEY_KEYMIC) || 1031 ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1032 DPRINTF(("key request MIC failed\n")); 1033 ic->ic_stats.is_rx_eapol_badmic++; 1034 return; 1035 } 1036 /* update key request replay counter now that MIC is verified */ 1037 ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt); 1038 ni->ni_reqreplaycnt_ok = 1; 1039 1040 if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */ 1041 /* ignore reports from STAs not using TKIP */ 1042 if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 1043 ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) { 1044 DPRINTF(("MIC failure report from !TKIP STA: %s\n", 1045 ether_sprintf(ni->ni_macaddr))); 1046 return; 1047 } 1048 ic->ic_stats.is_rx_remmicfail++; 1049 ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc)); 1050 1051 } else if (info & EAPOL_KEY_PAIRWISE) { 1052 /* initiate a 4-Way Handshake */ 1053 1054 } else { 1055 /* 1056 * Should change the GTK, initiate the 4-Way Handshake and 1057 * then execute a Group Key Handshake with all supplicants. 1058 */ 1059 } 1060 } 1061 #endif /* IEEE80211_STA_ONLY */ 1062