1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "crypto/aes_wrap.h" 17 #include "crypto/crypto.h" 18 #include "crypto/sha1.h" 19 #include "crypto/sha256.h" 20 #include "crypto/random.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "ap_config.h" 23 #include "ieee802_11.h" 24 #include "wpa_auth.h" 25 #include "pmksa_cache_auth.h" 26 #include "wpa_auth_i.h" 27 #include "wpa_auth_ie.h" 28 29 #define STATE_MACHINE_DATA struct wpa_state_machine 30 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 31 #define STATE_MACHINE_ADDR sm->addr 32 33 34 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 35 static int wpa_sm_step(struct wpa_state_machine *sm); 36 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len); 37 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 38 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 39 struct wpa_group *group); 40 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 41 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 42 struct wpa_group *group); 43 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 44 struct wpa_group *group); 45 46 static const u32 dot11RSNAConfigGroupUpdateCount = 4; 47 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 48 static const u32 eapol_key_timeout_first = 100; /* ms */ 49 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 50 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 51 52 /* TODO: make these configurable */ 53 static const int dot11RSNAConfigPMKLifetime = 43200; 54 static const int dot11RSNAConfigPMKReauthThreshold = 70; 55 static const int dot11RSNAConfigSATimeout = 60; 56 57 58 static inline int wpa_auth_mic_failure_report( 59 struct wpa_authenticator *wpa_auth, const u8 *addr) 60 { 61 if (wpa_auth->cb.mic_failure_report) 62 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 63 return 0; 64 } 65 66 67 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 68 const u8 *addr, wpa_eapol_variable var, 69 int value) 70 { 71 if (wpa_auth->cb.set_eapol) 72 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 73 } 74 75 76 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 77 const u8 *addr, wpa_eapol_variable var) 78 { 79 if (wpa_auth->cb.get_eapol == NULL) 80 return -1; 81 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 82 } 83 84 85 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 86 const u8 *addr, 87 const u8 *p2p_dev_addr, 88 const u8 *prev_psk) 89 { 90 if (wpa_auth->cb.get_psk == NULL) 91 return NULL; 92 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr, 93 prev_psk); 94 } 95 96 97 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 98 const u8 *addr, u8 *msk, size_t *len) 99 { 100 if (wpa_auth->cb.get_msk == NULL) 101 return -1; 102 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 103 } 104 105 106 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 107 int vlan_id, 108 enum wpa_alg alg, const u8 *addr, int idx, 109 u8 *key, size_t key_len) 110 { 111 if (wpa_auth->cb.set_key == NULL) 112 return -1; 113 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 114 key, key_len); 115 } 116 117 118 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 119 const u8 *addr, int idx, u8 *seq) 120 { 121 if (wpa_auth->cb.get_seqnum == NULL) 122 return -1; 123 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 124 } 125 126 127 static inline int 128 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 129 const u8 *data, size_t data_len, int encrypt) 130 { 131 if (wpa_auth->cb.send_eapol == NULL) 132 return -1; 133 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 134 encrypt); 135 } 136 137 138 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 139 int (*cb)(struct wpa_state_machine *sm, void *ctx), 140 void *cb_ctx) 141 { 142 if (wpa_auth->cb.for_each_sta == NULL) 143 return 0; 144 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 145 } 146 147 148 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 149 int (*cb)(struct wpa_authenticator *a, void *ctx), 150 void *cb_ctx) 151 { 152 if (wpa_auth->cb.for_each_auth == NULL) 153 return 0; 154 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 155 } 156 157 158 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 159 logger_level level, const char *txt) 160 { 161 if (wpa_auth->cb.logger == NULL) 162 return; 163 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 164 } 165 166 167 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 168 logger_level level, const char *fmt, ...) 169 { 170 char *format; 171 int maxlen; 172 va_list ap; 173 174 if (wpa_auth->cb.logger == NULL) 175 return; 176 177 maxlen = os_strlen(fmt) + 100; 178 format = os_malloc(maxlen); 179 if (!format) 180 return; 181 182 va_start(ap, fmt); 183 vsnprintf(format, maxlen, fmt, ap); 184 va_end(ap); 185 186 wpa_auth_logger(wpa_auth, addr, level, format); 187 188 os_free(format); 189 } 190 191 192 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 193 const u8 *addr) 194 { 195 if (wpa_auth->cb.disconnect == NULL) 196 return; 197 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 198 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 199 WLAN_REASON_PREV_AUTH_NOT_VALID); 200 } 201 202 203 static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 204 { 205 int ret = 0; 206 #ifdef CONFIG_IEEE80211R 207 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 208 ret = 1; 209 #endif /* CONFIG_IEEE80211R */ 210 #ifdef CONFIG_IEEE80211W 211 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 212 ret = 1; 213 #endif /* CONFIG_IEEE80211W */ 214 return ret; 215 } 216 217 218 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 219 { 220 struct wpa_authenticator *wpa_auth = eloop_ctx; 221 222 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 223 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 224 "initialization."); 225 } else { 226 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 227 wpa_hexdump_key(MSG_DEBUG, "GMK", 228 wpa_auth->group->GMK, WPA_GMK_LEN); 229 } 230 231 if (wpa_auth->conf.wpa_gmk_rekey) { 232 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 233 wpa_rekey_gmk, wpa_auth, NULL); 234 } 235 } 236 237 238 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 239 { 240 struct wpa_authenticator *wpa_auth = eloop_ctx; 241 struct wpa_group *group; 242 243 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 244 for (group = wpa_auth->group; group; group = group->next) { 245 group->GTKReKey = TRUE; 246 do { 247 group->changed = FALSE; 248 wpa_group_sm_step(wpa_auth, group); 249 } while (group->changed); 250 } 251 252 if (wpa_auth->conf.wpa_group_rekey) { 253 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 254 0, wpa_rekey_gtk, wpa_auth, NULL); 255 } 256 } 257 258 259 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 260 { 261 struct wpa_authenticator *wpa_auth = eloop_ctx; 262 struct wpa_state_machine *sm = timeout_ctx; 263 264 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 265 wpa_request_new_ptk(sm); 266 wpa_sm_step(sm); 267 } 268 269 270 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 271 { 272 if (sm->pmksa == ctx) 273 sm->pmksa = NULL; 274 return 0; 275 } 276 277 278 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 279 void *ctx) 280 { 281 struct wpa_authenticator *wpa_auth = ctx; 282 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 283 } 284 285 286 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 287 struct wpa_group *group) 288 { 289 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 290 u8 rkey[32]; 291 unsigned long ptr; 292 293 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 294 return -1; 295 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 296 297 /* 298 * Counter = PRF-256(Random number, "Init Counter", 299 * Local MAC Address || Time) 300 */ 301 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 302 wpa_get_ntp_timestamp(buf + ETH_ALEN); 303 ptr = (unsigned long) group; 304 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 305 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 306 return -1; 307 308 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 309 group->Counter, WPA_NONCE_LEN) < 0) 310 return -1; 311 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 312 group->Counter, WPA_NONCE_LEN); 313 314 return 0; 315 } 316 317 318 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 319 int vlan_id, int delay_init) 320 { 321 struct wpa_group *group; 322 323 group = os_zalloc(sizeof(struct wpa_group)); 324 if (group == NULL) 325 return NULL; 326 327 group->GTKAuthenticator = TRUE; 328 group->vlan_id = vlan_id; 329 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 330 331 if (random_pool_ready() != 1) { 332 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 333 "for secure operations - update keys later when " 334 "the first station connects"); 335 } 336 337 /* 338 * Set initial GMK/Counter value here. The actual values that will be 339 * used in negotiations will be set once the first station tries to 340 * connect. This allows more time for collecting additional randomness 341 * on embedded devices. 342 */ 343 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 344 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 345 "initialization."); 346 os_free(group); 347 return NULL; 348 } 349 350 group->GInit = TRUE; 351 if (delay_init) { 352 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 353 "until Beacon frames have been configured"); 354 /* Initialization is completed in wpa_init_keys(). */ 355 } else { 356 wpa_group_sm_step(wpa_auth, group); 357 group->GInit = FALSE; 358 wpa_group_sm_step(wpa_auth, group); 359 } 360 361 return group; 362 } 363 364 365 /** 366 * wpa_init - Initialize WPA authenticator 367 * @addr: Authenticator address 368 * @conf: Configuration for WPA authenticator 369 * @cb: Callback functions for WPA authenticator 370 * Returns: Pointer to WPA authenticator data or %NULL on failure 371 */ 372 struct wpa_authenticator * wpa_init(const u8 *addr, 373 struct wpa_auth_config *conf, 374 struct wpa_auth_callbacks *cb) 375 { 376 struct wpa_authenticator *wpa_auth; 377 378 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 379 if (wpa_auth == NULL) 380 return NULL; 381 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 382 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 383 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 384 385 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 386 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 387 os_free(wpa_auth); 388 return NULL; 389 } 390 391 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 392 if (wpa_auth->group == NULL) { 393 os_free(wpa_auth->wpa_ie); 394 os_free(wpa_auth); 395 return NULL; 396 } 397 398 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 399 wpa_auth); 400 if (wpa_auth->pmksa == NULL) { 401 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 402 os_free(wpa_auth->wpa_ie); 403 os_free(wpa_auth); 404 return NULL; 405 } 406 407 #ifdef CONFIG_IEEE80211R 408 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 409 if (wpa_auth->ft_pmk_cache == NULL) { 410 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 411 os_free(wpa_auth->wpa_ie); 412 pmksa_cache_auth_deinit(wpa_auth->pmksa); 413 os_free(wpa_auth); 414 return NULL; 415 } 416 #endif /* CONFIG_IEEE80211R */ 417 418 if (wpa_auth->conf.wpa_gmk_rekey) { 419 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 420 wpa_rekey_gmk, wpa_auth, NULL); 421 } 422 423 if (wpa_auth->conf.wpa_group_rekey) { 424 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 425 wpa_rekey_gtk, wpa_auth, NULL); 426 } 427 428 #ifdef CONFIG_P2P 429 if (WPA_GET_BE32(conf->ip_addr_start)) { 430 int count = WPA_GET_BE32(conf->ip_addr_end) - 431 WPA_GET_BE32(conf->ip_addr_start) + 1; 432 if (count > 1000) 433 count = 1000; 434 if (count > 0) 435 wpa_auth->ip_pool = bitfield_alloc(count); 436 } 437 #endif /* CONFIG_P2P */ 438 439 return wpa_auth; 440 } 441 442 443 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 444 { 445 struct wpa_group *group = wpa_auth->group; 446 447 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 448 "keys"); 449 wpa_group_sm_step(wpa_auth, group); 450 group->GInit = FALSE; 451 wpa_group_sm_step(wpa_auth, group); 452 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 453 return -1; 454 return 0; 455 } 456 457 458 /** 459 * wpa_deinit - Deinitialize WPA authenticator 460 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 461 */ 462 void wpa_deinit(struct wpa_authenticator *wpa_auth) 463 { 464 struct wpa_group *group, *prev; 465 466 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 467 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 468 469 #ifdef CONFIG_PEERKEY 470 while (wpa_auth->stsl_negotiations) 471 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 472 #endif /* CONFIG_PEERKEY */ 473 474 pmksa_cache_auth_deinit(wpa_auth->pmksa); 475 476 #ifdef CONFIG_IEEE80211R 477 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 478 wpa_auth->ft_pmk_cache = NULL; 479 #endif /* CONFIG_IEEE80211R */ 480 481 #ifdef CONFIG_P2P 482 bitfield_free(wpa_auth->ip_pool); 483 #endif /* CONFIG_P2P */ 484 485 486 os_free(wpa_auth->wpa_ie); 487 488 group = wpa_auth->group; 489 while (group) { 490 prev = group; 491 group = group->next; 492 os_free(prev); 493 } 494 495 os_free(wpa_auth); 496 } 497 498 499 /** 500 * wpa_reconfig - Update WPA authenticator configuration 501 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 502 * @conf: Configuration for WPA authenticator 503 */ 504 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 505 struct wpa_auth_config *conf) 506 { 507 struct wpa_group *group; 508 if (wpa_auth == NULL) 509 return 0; 510 511 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 512 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 513 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 514 return -1; 515 } 516 517 /* 518 * Reinitialize GTK to make sure it is suitable for the new 519 * configuration. 520 */ 521 group = wpa_auth->group; 522 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 523 group->GInit = TRUE; 524 wpa_group_sm_step(wpa_auth, group); 525 group->GInit = FALSE; 526 wpa_group_sm_step(wpa_auth, group); 527 528 return 0; 529 } 530 531 532 struct wpa_state_machine * 533 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 534 const u8 *p2p_dev_addr) 535 { 536 struct wpa_state_machine *sm; 537 538 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 539 return NULL; 540 541 sm = os_zalloc(sizeof(struct wpa_state_machine)); 542 if (sm == NULL) 543 return NULL; 544 os_memcpy(sm->addr, addr, ETH_ALEN); 545 if (p2p_dev_addr) 546 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 547 548 sm->wpa_auth = wpa_auth; 549 sm->group = wpa_auth->group; 550 551 return sm; 552 } 553 554 555 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 556 struct wpa_state_machine *sm) 557 { 558 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 559 return -1; 560 561 #ifdef CONFIG_IEEE80211R 562 if (sm->ft_completed) { 563 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 564 "FT authentication already completed - do not " 565 "start 4-way handshake"); 566 return 0; 567 } 568 #endif /* CONFIG_IEEE80211R */ 569 570 if (sm->started) { 571 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 572 sm->ReAuthenticationRequest = TRUE; 573 return wpa_sm_step(sm); 574 } 575 576 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 577 "start authentication"); 578 sm->started = 1; 579 580 sm->Init = TRUE; 581 if (wpa_sm_step(sm) == 1) 582 return 1; /* should not really happen */ 583 sm->Init = FALSE; 584 sm->AuthenticationRequest = TRUE; 585 return wpa_sm_step(sm); 586 } 587 588 589 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 590 { 591 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 592 * reassociates back to the same AP while the previous entry for the 593 * STA has not yet been removed. */ 594 if (sm == NULL) 595 return; 596 597 sm->wpa_key_mgmt = 0; 598 } 599 600 601 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 602 { 603 #ifdef CONFIG_P2P 604 if (WPA_GET_BE32(sm->ip_addr)) { 605 u32 start; 606 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 607 "address %u.%u.%u.%u from " MACSTR, 608 sm->ip_addr[0], sm->ip_addr[1], 609 sm->ip_addr[2], sm->ip_addr[3], 610 MAC2STR(sm->addr)); 611 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 612 bitfield_clear(sm->wpa_auth->ip_pool, 613 WPA_GET_BE32(sm->ip_addr) - start); 614 } 615 #endif /* CONFIG_P2P */ 616 if (sm->GUpdateStationKeys) { 617 sm->group->GKeyDoneStations--; 618 sm->GUpdateStationKeys = FALSE; 619 } 620 #ifdef CONFIG_IEEE80211R 621 os_free(sm->assoc_resp_ftie); 622 #endif /* CONFIG_IEEE80211R */ 623 os_free(sm->last_rx_eapol_key); 624 os_free(sm->wpa_ie); 625 os_free(sm); 626 } 627 628 629 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 630 { 631 if (sm == NULL) 632 return; 633 634 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 635 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 636 "strict rekeying - force GTK rekey since STA " 637 "is leaving"); 638 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 639 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 640 NULL); 641 } 642 643 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 644 sm->pending_1_of_4_timeout = 0; 645 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 646 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 647 if (sm->in_step_loop) { 648 /* Must not free state machine while wpa_sm_step() is running. 649 * Freeing will be completed in the end of wpa_sm_step(). */ 650 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 651 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 652 sm->pending_deinit = 1; 653 } else 654 wpa_free_sta_sm(sm); 655 } 656 657 658 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 659 { 660 if (sm == NULL) 661 return; 662 663 sm->PTKRequest = TRUE; 664 sm->PTK_valid = 0; 665 } 666 667 668 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 669 const u8 *replay_counter) 670 { 671 int i; 672 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 673 if (!ctr[i].valid) 674 break; 675 if (os_memcmp(replay_counter, ctr[i].counter, 676 WPA_REPLAY_COUNTER_LEN) == 0) 677 return 1; 678 } 679 return 0; 680 } 681 682 683 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 684 const u8 *replay_counter) 685 { 686 int i; 687 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 688 if (ctr[i].valid && 689 (replay_counter == NULL || 690 os_memcmp(replay_counter, ctr[i].counter, 691 WPA_REPLAY_COUNTER_LEN) == 0)) 692 ctr[i].valid = FALSE; 693 } 694 } 695 696 697 #ifdef CONFIG_IEEE80211R 698 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 699 struct wpa_state_machine *sm, 700 struct wpa_eapol_ie_parse *kde) 701 { 702 struct wpa_ie_data ie; 703 struct rsn_mdie *mdie; 704 705 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 706 ie.num_pmkid != 1 || ie.pmkid == NULL) { 707 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 708 "FT 4-way handshake message 2/4"); 709 return -1; 710 } 711 712 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 713 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 714 sm->sup_pmk_r1_name, PMKID_LEN); 715 716 if (!kde->mdie || !kde->ftie) { 717 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 718 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 719 return -1; 720 } 721 722 mdie = (struct rsn_mdie *) (kde->mdie + 2); 723 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 724 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 725 MOBILITY_DOMAIN_ID_LEN) != 0) { 726 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 727 return -1; 728 } 729 730 if (sm->assoc_resp_ftie && 731 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 732 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 733 2 + sm->assoc_resp_ftie[1]) != 0)) { 734 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 735 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 736 kde->ftie, kde->ftie_len); 737 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 738 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 739 return -1; 740 } 741 742 return 0; 743 } 744 #endif /* CONFIG_IEEE80211R */ 745 746 747 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 748 struct wpa_state_machine *sm, int group) 749 { 750 /* Supplicant reported a Michael MIC error */ 751 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 752 "received EAPOL-Key Error Request " 753 "(STA detected Michael MIC failure (group=%d))", 754 group); 755 756 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 757 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 758 "ignore Michael MIC failure report since " 759 "group cipher is not TKIP"); 760 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 761 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 762 "ignore Michael MIC failure report since " 763 "pairwise cipher is not TKIP"); 764 } else { 765 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 766 return 1; /* STA entry was removed */ 767 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 768 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 769 } 770 771 /* 772 * Error report is not a request for a new key handshake, but since 773 * Authenticator may do it, let's change the keys now anyway. 774 */ 775 wpa_request_new_ptk(sm); 776 return 0; 777 } 778 779 780 void wpa_receive(struct wpa_authenticator *wpa_auth, 781 struct wpa_state_machine *sm, 782 u8 *data, size_t data_len) 783 { 784 struct ieee802_1x_hdr *hdr; 785 struct wpa_eapol_key *key; 786 u16 key_info, key_data_length; 787 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 788 SMK_M1, SMK_M3, SMK_ERROR } msg; 789 char *msgtxt; 790 struct wpa_eapol_ie_parse kde; 791 int ft; 792 const u8 *eapol_key_ie; 793 size_t eapol_key_ie_len; 794 795 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 796 return; 797 798 if (data_len < sizeof(*hdr) + sizeof(*key)) 799 return; 800 801 hdr = (struct ieee802_1x_hdr *) data; 802 key = (struct wpa_eapol_key *) (hdr + 1); 803 key_info = WPA_GET_BE16(key->key_info); 804 key_data_length = WPA_GET_BE16(key->key_data_length); 805 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 806 " key_info=0x%x type=%u key_data_length=%u", 807 MAC2STR(sm->addr), key_info, key->type, key_data_length); 808 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { 809 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 810 "key_data overflow (%d > %lu)", 811 key_data_length, 812 (unsigned long) (data_len - sizeof(*hdr) - 813 sizeof(*key))); 814 return; 815 } 816 817 if (sm->wpa == WPA_VERSION_WPA2) { 818 if (key->type == EAPOL_KEY_TYPE_WPA) { 819 /* 820 * Some deployed station implementations seem to send 821 * msg 4/4 with incorrect type value in WPA2 mode. 822 */ 823 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 824 "with unexpected WPA type in RSN mode"); 825 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 826 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 827 "unexpected type %d in RSN mode", 828 key->type); 829 return; 830 } 831 } else { 832 if (key->type != EAPOL_KEY_TYPE_WPA) { 833 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 834 "unexpected type %d in WPA mode", 835 key->type); 836 return; 837 } 838 } 839 840 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 841 WPA_NONCE_LEN); 842 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 843 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 844 845 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 846 * are set */ 847 848 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 849 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 850 if (key_info & WPA_KEY_INFO_ERROR) { 851 msg = SMK_ERROR; 852 msgtxt = "SMK Error"; 853 } else { 854 msg = SMK_M1; 855 msgtxt = "SMK M1"; 856 } 857 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 858 msg = SMK_M3; 859 msgtxt = "SMK M3"; 860 } else if (key_info & WPA_KEY_INFO_REQUEST) { 861 msg = REQUEST; 862 msgtxt = "Request"; 863 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 864 msg = GROUP_2; 865 msgtxt = "2/2 Group"; 866 } else if (key_data_length == 0) { 867 msg = PAIRWISE_4; 868 msgtxt = "4/4 Pairwise"; 869 } else { 870 msg = PAIRWISE_2; 871 msgtxt = "2/4 Pairwise"; 872 } 873 874 /* TODO: key_info type validation for PeerKey */ 875 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 876 msg == GROUP_2) { 877 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 878 if (sm->pairwise == WPA_CIPHER_CCMP || 879 sm->pairwise == WPA_CIPHER_GCMP) { 880 if (wpa_use_aes_cmac(sm) && 881 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 882 wpa_auth_logger(wpa_auth, sm->addr, 883 LOGGER_WARNING, 884 "advertised support for " 885 "AES-128-CMAC, but did not " 886 "use it"); 887 return; 888 } 889 890 if (!wpa_use_aes_cmac(sm) && 891 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 892 wpa_auth_logger(wpa_auth, sm->addr, 893 LOGGER_WARNING, 894 "did not use HMAC-SHA1-AES " 895 "with CCMP/GCMP"); 896 return; 897 } 898 } 899 } 900 901 if (key_info & WPA_KEY_INFO_REQUEST) { 902 if (sm->req_replay_counter_used && 903 os_memcmp(key->replay_counter, sm->req_replay_counter, 904 WPA_REPLAY_COUNTER_LEN) <= 0) { 905 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 906 "received EAPOL-Key request with " 907 "replayed counter"); 908 return; 909 } 910 } 911 912 if (!(key_info & WPA_KEY_INFO_REQUEST) && 913 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 914 int i; 915 916 if (msg == PAIRWISE_2 && 917 wpa_replay_counter_valid(sm->prev_key_replay, 918 key->replay_counter) && 919 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 920 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 921 { 922 /* 923 * Some supplicant implementations (e.g., Windows XP 924 * WZC) update SNonce for each EAPOL-Key 2/4. This 925 * breaks the workaround on accepting any of the 926 * pending requests, so allow the SNonce to be updated 927 * even if we have already sent out EAPOL-Key 3/4. 928 */ 929 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 930 "Process SNonce update from STA " 931 "based on retransmitted EAPOL-Key " 932 "1/4"); 933 sm->update_snonce = 1; 934 wpa_replay_counter_mark_invalid(sm->prev_key_replay, 935 key->replay_counter); 936 goto continue_processing; 937 } 938 939 if (msg == PAIRWISE_2 && 940 wpa_replay_counter_valid(sm->prev_key_replay, 941 key->replay_counter) && 942 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 943 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 944 "ignore retransmitted EAPOL-Key %s - " 945 "SNonce did not change", msgtxt); 946 } else { 947 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 948 "received EAPOL-Key %s with " 949 "unexpected replay counter", msgtxt); 950 } 951 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 952 if (!sm->key_replay[i].valid) 953 break; 954 wpa_hexdump(MSG_DEBUG, "pending replay counter", 955 sm->key_replay[i].counter, 956 WPA_REPLAY_COUNTER_LEN); 957 } 958 wpa_hexdump(MSG_DEBUG, "received replay counter", 959 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 960 return; 961 } 962 963 continue_processing: 964 switch (msg) { 965 case PAIRWISE_2: 966 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 967 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 968 (!sm->update_snonce || 969 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 970 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 971 "received EAPOL-Key msg 2/4 in " 972 "invalid state (%d) - dropped", 973 sm->wpa_ptk_state); 974 return; 975 } 976 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 977 if (sm->group->reject_4way_hs_for_entropy) { 978 /* 979 * The system did not have enough entropy to generate 980 * strong random numbers. Reject the first 4-way 981 * handshake(s) and collect some entropy based on the 982 * information from it. Once enough entropy is 983 * available, the next atempt will trigger GMK/Key 984 * Counter update and the station will be allowed to 985 * continue. 986 */ 987 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 988 "collect more entropy for random number " 989 "generation"); 990 random_mark_pool_ready(); 991 wpa_sta_disconnect(wpa_auth, sm->addr); 992 return; 993 } 994 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length, 995 &kde) < 0) { 996 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 997 "received EAPOL-Key msg 2/4 with " 998 "invalid Key Data contents"); 999 return; 1000 } 1001 if (kde.rsn_ie) { 1002 eapol_key_ie = kde.rsn_ie; 1003 eapol_key_ie_len = kde.rsn_ie_len; 1004 } else { 1005 eapol_key_ie = kde.wpa_ie; 1006 eapol_key_ie_len = kde.wpa_ie_len; 1007 } 1008 ft = sm->wpa == WPA_VERSION_WPA2 && 1009 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 1010 if (sm->wpa_ie == NULL || 1011 wpa_compare_rsn_ie(ft, 1012 sm->wpa_ie, sm->wpa_ie_len, 1013 eapol_key_ie, eapol_key_ie_len)) { 1014 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1015 "WPA IE from (Re)AssocReq did not " 1016 "match with msg 2/4"); 1017 if (sm->wpa_ie) { 1018 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 1019 sm->wpa_ie, sm->wpa_ie_len); 1020 } 1021 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 1022 eapol_key_ie, eapol_key_ie_len); 1023 /* MLME-DEAUTHENTICATE.request */ 1024 wpa_sta_disconnect(wpa_auth, sm->addr); 1025 return; 1026 } 1027 #ifdef CONFIG_IEEE80211R 1028 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 1029 wpa_sta_disconnect(wpa_auth, sm->addr); 1030 return; 1031 } 1032 #endif /* CONFIG_IEEE80211R */ 1033 #ifdef CONFIG_P2P 1034 if (kde.ip_addr_req && kde.ip_addr_req[0] && 1035 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 1036 int idx; 1037 wpa_printf(MSG_DEBUG, "P2P: IP address requested in " 1038 "EAPOL-Key exchange"); 1039 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 1040 if (idx >= 0) { 1041 u32 start = WPA_GET_BE32(wpa_auth->conf. 1042 ip_addr_start); 1043 bitfield_set(wpa_auth->ip_pool, idx); 1044 WPA_PUT_BE32(sm->ip_addr, start + idx); 1045 wpa_printf(MSG_DEBUG, "P2P: Assigned IP " 1046 "address %u.%u.%u.%u to " MACSTR, 1047 sm->ip_addr[0], sm->ip_addr[1], 1048 sm->ip_addr[2], sm->ip_addr[3], 1049 MAC2STR(sm->addr)); 1050 } 1051 } 1052 #endif /* CONFIG_P2P */ 1053 break; 1054 case PAIRWISE_4: 1055 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1056 !sm->PTK_valid) { 1057 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1058 "received EAPOL-Key msg 4/4 in " 1059 "invalid state (%d) - dropped", 1060 sm->wpa_ptk_state); 1061 return; 1062 } 1063 break; 1064 case GROUP_2: 1065 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1066 || !sm->PTK_valid) { 1067 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1068 "received EAPOL-Key msg 2/2 in " 1069 "invalid state (%d) - dropped", 1070 sm->wpa_ptk_group_state); 1071 return; 1072 } 1073 break; 1074 #ifdef CONFIG_PEERKEY 1075 case SMK_M1: 1076 case SMK_M3: 1077 case SMK_ERROR: 1078 if (!wpa_auth->conf.peerkey) { 1079 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1080 "PeerKey use disabled - ignoring message"); 1081 return; 1082 } 1083 if (!sm->PTK_valid) { 1084 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1085 "received EAPOL-Key msg SMK in " 1086 "invalid state - dropped"); 1087 return; 1088 } 1089 break; 1090 #else /* CONFIG_PEERKEY */ 1091 case SMK_M1: 1092 case SMK_M3: 1093 case SMK_ERROR: 1094 return; /* STSL disabled - ignore SMK messages */ 1095 #endif /* CONFIG_PEERKEY */ 1096 case REQUEST: 1097 break; 1098 } 1099 1100 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1101 "received EAPOL-Key frame (%s)", msgtxt); 1102 1103 if (key_info & WPA_KEY_INFO_ACK) { 1104 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1105 "received invalid EAPOL-Key: Key Ack set"); 1106 return; 1107 } 1108 1109 if (!(key_info & WPA_KEY_INFO_MIC)) { 1110 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1111 "received invalid EAPOL-Key: Key MIC not set"); 1112 return; 1113 } 1114 1115 sm->MICVerified = FALSE; 1116 if (sm->PTK_valid && !sm->update_snonce) { 1117 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) { 1118 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1119 "received EAPOL-Key with invalid MIC"); 1120 return; 1121 } 1122 sm->MICVerified = TRUE; 1123 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1124 sm->pending_1_of_4_timeout = 0; 1125 } 1126 1127 if (key_info & WPA_KEY_INFO_REQUEST) { 1128 if (sm->MICVerified) { 1129 sm->req_replay_counter_used = 1; 1130 os_memcpy(sm->req_replay_counter, key->replay_counter, 1131 WPA_REPLAY_COUNTER_LEN); 1132 } else { 1133 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1134 "received EAPOL-Key request with " 1135 "invalid MIC"); 1136 return; 1137 } 1138 1139 /* 1140 * TODO: should decrypt key data field if encryption was used; 1141 * even though MAC address KDE is not normally encrypted, 1142 * supplicant is allowed to encrypt it. 1143 */ 1144 if (msg == SMK_ERROR) { 1145 #ifdef CONFIG_PEERKEY 1146 wpa_smk_error(wpa_auth, sm, key); 1147 #endif /* CONFIG_PEERKEY */ 1148 return; 1149 } else if (key_info & WPA_KEY_INFO_ERROR) { 1150 if (wpa_receive_error_report( 1151 wpa_auth, sm, 1152 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1153 return; /* STA entry was removed */ 1154 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1155 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1156 "received EAPOL-Key Request for new " 1157 "4-Way Handshake"); 1158 wpa_request_new_ptk(sm); 1159 #ifdef CONFIG_PEERKEY 1160 } else if (msg == SMK_M1) { 1161 wpa_smk_m1(wpa_auth, sm, key); 1162 #endif /* CONFIG_PEERKEY */ 1163 } else if (key_data_length > 0 && 1164 wpa_parse_kde_ies((const u8 *) (key + 1), 1165 key_data_length, &kde) == 0 && 1166 kde.mac_addr) { 1167 } else { 1168 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1169 "received EAPOL-Key Request for GTK " 1170 "rekeying"); 1171 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1172 wpa_rekey_gtk(wpa_auth, NULL); 1173 } 1174 } else { 1175 /* Do not allow the same key replay counter to be reused. */ 1176 wpa_replay_counter_mark_invalid(sm->key_replay, 1177 key->replay_counter); 1178 1179 if (msg == PAIRWISE_2) { 1180 /* 1181 * Maintain a copy of the pending EAPOL-Key frames in 1182 * case the EAPOL-Key frame was retransmitted. This is 1183 * needed to allow EAPOL-Key msg 2/4 reply to another 1184 * pending msg 1/4 to update the SNonce to work around 1185 * unexpected supplicant behavior. 1186 */ 1187 os_memcpy(sm->prev_key_replay, sm->key_replay, 1188 sizeof(sm->key_replay)); 1189 } else { 1190 os_memset(sm->prev_key_replay, 0, 1191 sizeof(sm->prev_key_replay)); 1192 } 1193 1194 /* 1195 * Make sure old valid counters are not accepted anymore and 1196 * do not get copied again. 1197 */ 1198 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1199 } 1200 1201 #ifdef CONFIG_PEERKEY 1202 if (msg == SMK_M3) { 1203 wpa_smk_m3(wpa_auth, sm, key); 1204 return; 1205 } 1206 #endif /* CONFIG_PEERKEY */ 1207 1208 os_free(sm->last_rx_eapol_key); 1209 sm->last_rx_eapol_key = os_malloc(data_len); 1210 if (sm->last_rx_eapol_key == NULL) 1211 return; 1212 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1213 sm->last_rx_eapol_key_len = data_len; 1214 1215 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1216 sm->EAPOLKeyReceived = TRUE; 1217 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1218 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1219 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1220 wpa_sm_step(sm); 1221 } 1222 1223 1224 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1225 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1226 { 1227 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1228 u8 *pos; 1229 int ret = 0; 1230 1231 /* GTK = PRF-X(GMK, "Group key expansion", 1232 * AA || GNonce || Time || random data) 1233 * The example described in the IEEE 802.11 standard uses only AA and 1234 * GNonce as inputs here. Add some more entropy since this derivation 1235 * is done only at the Authenticator and as such, does not need to be 1236 * exactly same. 1237 */ 1238 os_memcpy(data, addr, ETH_ALEN); 1239 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1240 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1241 wpa_get_ntp_timestamp(pos); 1242 pos += 8; 1243 if (random_get_bytes(pos, 16) < 0) 1244 ret = -1; 1245 1246 #ifdef CONFIG_IEEE80211W 1247 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1248 #else /* CONFIG_IEEE80211W */ 1249 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1250 < 0) 1251 ret = -1; 1252 #endif /* CONFIG_IEEE80211W */ 1253 1254 return ret; 1255 } 1256 1257 1258 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1259 { 1260 struct wpa_authenticator *wpa_auth = eloop_ctx; 1261 struct wpa_state_machine *sm = timeout_ctx; 1262 1263 sm->pending_1_of_4_timeout = 0; 1264 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1265 sm->TimeoutEvt = TRUE; 1266 wpa_sm_step(sm); 1267 } 1268 1269 1270 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1271 struct wpa_state_machine *sm, int key_info, 1272 const u8 *key_rsc, const u8 *nonce, 1273 const u8 *kde, size_t kde_len, 1274 int keyidx, int encr, int force_version) 1275 { 1276 struct ieee802_1x_hdr *hdr; 1277 struct wpa_eapol_key *key; 1278 size_t len; 1279 int alg; 1280 int key_data_len, pad_len = 0; 1281 u8 *buf, *pos; 1282 int version, pairwise; 1283 int i; 1284 1285 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key); 1286 1287 if (force_version) 1288 version = force_version; 1289 else if (wpa_use_aes_cmac(sm)) 1290 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1291 else if (sm->pairwise != WPA_CIPHER_TKIP) 1292 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1293 else 1294 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1295 1296 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1297 1298 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1299 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1300 "encr=%d)", 1301 version, 1302 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1303 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1304 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1305 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1306 pairwise, (unsigned long) kde_len, keyidx, encr); 1307 1308 key_data_len = kde_len; 1309 1310 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1311 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1312 pad_len = key_data_len % 8; 1313 if (pad_len) 1314 pad_len = 8 - pad_len; 1315 key_data_len += pad_len + 8; 1316 } 1317 1318 len += key_data_len; 1319 1320 hdr = os_zalloc(len); 1321 if (hdr == NULL) 1322 return; 1323 hdr->version = wpa_auth->conf.eapol_version; 1324 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1325 hdr->length = host_to_be16(len - sizeof(*hdr)); 1326 key = (struct wpa_eapol_key *) (hdr + 1); 1327 1328 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1329 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1330 key_info |= version; 1331 if (encr && sm->wpa == WPA_VERSION_WPA2) 1332 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1333 if (sm->wpa != WPA_VERSION_WPA2) 1334 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1335 WPA_PUT_BE16(key->key_info, key_info); 1336 1337 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1338 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1339 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1340 WPA_PUT_BE16(key->key_length, 0); 1341 1342 /* FIX: STSL: what to use as key_replay_counter? */ 1343 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1344 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1345 os_memcpy(sm->key_replay[i].counter, 1346 sm->key_replay[i - 1].counter, 1347 WPA_REPLAY_COUNTER_LEN); 1348 } 1349 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1350 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1351 WPA_REPLAY_COUNTER_LEN); 1352 sm->key_replay[0].valid = TRUE; 1353 1354 if (nonce) 1355 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1356 1357 if (key_rsc) 1358 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1359 1360 if (kde && !encr) { 1361 os_memcpy(key + 1, kde, kde_len); 1362 WPA_PUT_BE16(key->key_data_length, kde_len); 1363 } else if (encr && kde) { 1364 buf = os_zalloc(key_data_len); 1365 if (buf == NULL) { 1366 os_free(hdr); 1367 return; 1368 } 1369 pos = buf; 1370 os_memcpy(pos, kde, kde_len); 1371 pos += kde_len; 1372 1373 if (pad_len) 1374 *pos++ = 0xdd; 1375 1376 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1377 buf, key_data_len); 1378 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1379 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1380 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, 1381 (u8 *) (key + 1))) { 1382 os_free(hdr); 1383 os_free(buf); 1384 return; 1385 } 1386 WPA_PUT_BE16(key->key_data_length, key_data_len); 1387 } else { 1388 u8 ek[32]; 1389 os_memcpy(key->key_iv, 1390 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1391 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1392 os_memcpy(ek, key->key_iv, 16); 1393 os_memcpy(ek + 16, sm->PTK.kek, 16); 1394 os_memcpy(key + 1, buf, key_data_len); 1395 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len); 1396 WPA_PUT_BE16(key->key_data_length, key_data_len); 1397 } 1398 os_free(buf); 1399 } 1400 1401 if (key_info & WPA_KEY_INFO_MIC) { 1402 if (!sm->PTK_valid) { 1403 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1404 "PTK not valid when sending EAPOL-Key " 1405 "frame"); 1406 os_free(hdr); 1407 return; 1408 } 1409 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, 1410 key->key_mic); 1411 #ifdef CONFIG_TESTING_OPTIONS 1412 if (!pairwise && 1413 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d && 1414 drand48() < 1415 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1416 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1417 "Corrupting group EAPOL-Key Key MIC"); 1418 key->key_mic[0]++; 1419 } 1420 #endif /* CONFIG_TESTING_OPTIONS */ 1421 } 1422 1423 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1424 1); 1425 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1426 sm->pairwise_set); 1427 os_free(hdr); 1428 } 1429 1430 1431 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1432 struct wpa_state_machine *sm, int key_info, 1433 const u8 *key_rsc, const u8 *nonce, 1434 const u8 *kde, size_t kde_len, 1435 int keyidx, int encr) 1436 { 1437 int timeout_ms; 1438 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1439 int ctr; 1440 1441 if (sm == NULL) 1442 return; 1443 1444 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1445 keyidx, encr, 0); 1446 1447 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1448 if (ctr == 1 && wpa_auth->conf.tx_status) 1449 timeout_ms = pairwise ? eapol_key_timeout_first : 1450 eapol_key_timeout_first_group; 1451 else 1452 timeout_ms = eapol_key_timeout_subseq; 1453 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1454 sm->pending_1_of_4_timeout = 1; 1455 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1456 "counter %d)", timeout_ms, ctr); 1457 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1458 wpa_send_eapol_timeout, wpa_auth, sm); 1459 } 1460 1461 1462 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len) 1463 { 1464 struct ieee802_1x_hdr *hdr; 1465 struct wpa_eapol_key *key; 1466 u16 key_info; 1467 int ret = 0; 1468 u8 mic[16]; 1469 1470 if (data_len < sizeof(*hdr) + sizeof(*key)) 1471 return -1; 1472 1473 hdr = (struct ieee802_1x_hdr *) data; 1474 key = (struct wpa_eapol_key *) (hdr + 1); 1475 key_info = WPA_GET_BE16(key->key_info); 1476 os_memcpy(mic, key->key_mic, 16); 1477 os_memset(key->key_mic, 0, 16); 1478 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK, 1479 data, data_len, key->key_mic) || 1480 os_memcmp(mic, key->key_mic, 16) != 0) 1481 ret = -1; 1482 os_memcpy(key->key_mic, mic, 16); 1483 return ret; 1484 } 1485 1486 1487 void wpa_remove_ptk(struct wpa_state_machine *sm) 1488 { 1489 sm->PTK_valid = FALSE; 1490 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1491 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1492 sm->pairwise_set = FALSE; 1493 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1494 } 1495 1496 1497 int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event) 1498 { 1499 int remove_ptk = 1; 1500 1501 if (sm == NULL) 1502 return -1; 1503 1504 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1505 "event %d notification", event); 1506 1507 switch (event) { 1508 case WPA_AUTH: 1509 case WPA_ASSOC: 1510 break; 1511 case WPA_DEAUTH: 1512 case WPA_DISASSOC: 1513 sm->DeauthenticationRequest = TRUE; 1514 break; 1515 case WPA_REAUTH: 1516 case WPA_REAUTH_EAPOL: 1517 if (!sm->started) { 1518 /* 1519 * When using WPS, we may end up here if the STA 1520 * manages to re-associate without the previous STA 1521 * entry getting removed. Consequently, we need to make 1522 * sure that the WPA state machines gets initialized 1523 * properly at this point. 1524 */ 1525 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1526 "started - initialize now"); 1527 sm->started = 1; 1528 sm->Init = TRUE; 1529 if (wpa_sm_step(sm) == 1) 1530 return 1; /* should not really happen */ 1531 sm->Init = FALSE; 1532 sm->AuthenticationRequest = TRUE; 1533 break; 1534 } 1535 if (sm->GUpdateStationKeys) { 1536 /* 1537 * Reauthentication cancels the pending group key 1538 * update for this STA. 1539 */ 1540 sm->group->GKeyDoneStations--; 1541 sm->GUpdateStationKeys = FALSE; 1542 sm->PtkGroupInit = TRUE; 1543 } 1544 sm->ReAuthenticationRequest = TRUE; 1545 break; 1546 case WPA_ASSOC_FT: 1547 #ifdef CONFIG_IEEE80211R 1548 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1549 "after association"); 1550 wpa_ft_install_ptk(sm); 1551 1552 /* Using FT protocol, not WPA auth state machine */ 1553 sm->ft_completed = 1; 1554 return 0; 1555 #else /* CONFIG_IEEE80211R */ 1556 break; 1557 #endif /* CONFIG_IEEE80211R */ 1558 } 1559 1560 #ifdef CONFIG_IEEE80211R 1561 sm->ft_completed = 0; 1562 #endif /* CONFIG_IEEE80211R */ 1563 1564 #ifdef CONFIG_IEEE80211W 1565 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1566 remove_ptk = 0; 1567 #endif /* CONFIG_IEEE80211W */ 1568 1569 if (remove_ptk) { 1570 sm->PTK_valid = FALSE; 1571 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1572 1573 if (event != WPA_REAUTH_EAPOL) 1574 wpa_remove_ptk(sm); 1575 } 1576 1577 return wpa_sm_step(sm); 1578 } 1579 1580 1581 SM_STATE(WPA_PTK, INITIALIZE) 1582 { 1583 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1584 if (sm->Init) { 1585 /* Init flag is not cleared here, so avoid busy 1586 * loop by claiming nothing changed. */ 1587 sm->changed = FALSE; 1588 } 1589 1590 sm->keycount = 0; 1591 if (sm->GUpdateStationKeys) 1592 sm->group->GKeyDoneStations--; 1593 sm->GUpdateStationKeys = FALSE; 1594 if (sm->wpa == WPA_VERSION_WPA) 1595 sm->PInitAKeys = FALSE; 1596 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1597 * Local AA > Remote AA)) */) { 1598 sm->Pair = TRUE; 1599 } 1600 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1601 wpa_remove_ptk(sm); 1602 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1603 sm->TimeoutCtr = 0; 1604 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1605 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1606 WPA_EAPOL_authorized, 0); 1607 } 1608 } 1609 1610 1611 SM_STATE(WPA_PTK, DISCONNECT) 1612 { 1613 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1614 sm->Disconnect = FALSE; 1615 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1616 } 1617 1618 1619 SM_STATE(WPA_PTK, DISCONNECTED) 1620 { 1621 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1622 sm->DeauthenticationRequest = FALSE; 1623 } 1624 1625 1626 SM_STATE(WPA_PTK, AUTHENTICATION) 1627 { 1628 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1629 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1630 sm->PTK_valid = FALSE; 1631 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1632 1); 1633 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1634 sm->AuthenticationRequest = FALSE; 1635 } 1636 1637 1638 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1639 struct wpa_group *group) 1640 { 1641 if (group->first_sta_seen) 1642 return; 1643 /* 1644 * System has run bit further than at the time hostapd was started 1645 * potentially very early during boot up. This provides better chances 1646 * of collecting more randomness on embedded systems. Re-initialize the 1647 * GMK and Counter here to improve their strength if there was not 1648 * enough entropy available immediately after system startup. 1649 */ 1650 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1651 "station"); 1652 if (random_pool_ready() != 1) { 1653 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1654 "to proceed - reject first 4-way handshake"); 1655 group->reject_4way_hs_for_entropy = TRUE; 1656 } else { 1657 group->first_sta_seen = TRUE; 1658 group->reject_4way_hs_for_entropy = FALSE; 1659 } 1660 1661 wpa_group_init_gmk_and_counter(wpa_auth, group); 1662 wpa_gtk_update(wpa_auth, group); 1663 wpa_group_config_group_keys(wpa_auth, group); 1664 } 1665 1666 1667 SM_STATE(WPA_PTK, AUTHENTICATION2) 1668 { 1669 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1670 1671 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1672 sm->ReAuthenticationRequest = FALSE; 1673 1674 /* 1675 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1676 * ambiguous. The Authenticator state machine uses a counter that is 1677 * incremented by one for each 4-way handshake. However, the security 1678 * analysis of 4-way handshake points out that unpredictable nonces 1679 * help in preventing precomputation attacks. Instead of the state 1680 * machine definition, use an unpredictable nonce value here to provide 1681 * stronger protection against potential precomputation attacks. 1682 */ 1683 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1684 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1685 "ANonce."); 1686 sm->Disconnect = TRUE; 1687 return; 1688 } 1689 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1690 WPA_NONCE_LEN); 1691 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1692 * logical place than INITIALIZE since AUTHENTICATION2 can be 1693 * re-entered on ReAuthenticationRequest without going through 1694 * INITIALIZE. */ 1695 sm->TimeoutCtr = 0; 1696 } 1697 1698 1699 SM_STATE(WPA_PTK, INITPMK) 1700 { 1701 u8 msk[2 * PMK_LEN]; 1702 size_t len = 2 * PMK_LEN; 1703 1704 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1705 #ifdef CONFIG_IEEE80211R 1706 sm->xxkey_len = 0; 1707 #endif /* CONFIG_IEEE80211R */ 1708 if (sm->pmksa) { 1709 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1710 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN); 1711 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1712 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1713 "(len=%lu)", (unsigned long) len); 1714 os_memcpy(sm->PMK, msk, PMK_LEN); 1715 #ifdef CONFIG_IEEE80211R 1716 if (len >= 2 * PMK_LEN) { 1717 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1718 sm->xxkey_len = PMK_LEN; 1719 } 1720 #endif /* CONFIG_IEEE80211R */ 1721 } else { 1722 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK"); 1723 } 1724 1725 sm->req_replay_counter_used = 0; 1726 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1727 * will break reauthentication since EAPOL state machines may not be 1728 * get into AUTHENTICATING state that clears keyRun before WPA state 1729 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1730 * state and takes PMK from the previously used AAA Key. This will 1731 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1732 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1733 * be good workaround for this issue. */ 1734 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1735 } 1736 1737 1738 SM_STATE(WPA_PTK, INITPSK) 1739 { 1740 const u8 *psk; 1741 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1742 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1743 if (psk) { 1744 os_memcpy(sm->PMK, psk, PMK_LEN); 1745 #ifdef CONFIG_IEEE80211R 1746 os_memcpy(sm->xxkey, psk, PMK_LEN); 1747 sm->xxkey_len = PMK_LEN; 1748 #endif /* CONFIG_IEEE80211R */ 1749 } 1750 sm->req_replay_counter_used = 0; 1751 } 1752 1753 1754 SM_STATE(WPA_PTK, PTKSTART) 1755 { 1756 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1757 size_t pmkid_len = 0; 1758 1759 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1760 sm->PTKRequest = FALSE; 1761 sm->TimeoutEvt = FALSE; 1762 1763 sm->TimeoutCtr++; 1764 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1765 /* No point in sending the EAPOL-Key - we will disconnect 1766 * immediately following this. */ 1767 return; 1768 } 1769 1770 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1771 "sending 1/4 msg of 4-Way Handshake"); 1772 /* 1773 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 1774 * one possible PSK for this STA. 1775 */ 1776 if (sm->wpa == WPA_VERSION_WPA2 && 1777 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) { 1778 pmkid = buf; 1779 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 1780 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 1781 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 1782 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 1783 if (sm->pmksa) 1784 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 1785 sm->pmksa->pmkid, PMKID_LEN); 1786 else { 1787 /* 1788 * Calculate PMKID since no PMKSA cache entry was 1789 * available with pre-calculated PMKID. 1790 */ 1791 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr, 1792 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 1793 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1794 } 1795 } 1796 wpa_send_eapol(sm->wpa_auth, sm, 1797 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 1798 sm->ANonce, pmkid, pmkid_len, 0, 0); 1799 } 1800 1801 1802 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk, 1803 struct wpa_ptk *ptk) 1804 { 1805 size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64; 1806 #ifdef CONFIG_IEEE80211R 1807 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 1808 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len); 1809 #endif /* CONFIG_IEEE80211R */ 1810 1811 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion", 1812 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce, 1813 (u8 *) ptk, ptk_len, 1814 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 1815 1816 return 0; 1817 } 1818 1819 1820 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 1821 { 1822 struct wpa_ptk PTK; 1823 int ok = 0; 1824 const u8 *pmk = NULL; 1825 1826 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 1827 sm->EAPOLKeyReceived = FALSE; 1828 sm->update_snonce = FALSE; 1829 1830 /* WPA with IEEE 802.1X: use the derived PMK from EAP 1831 * WPA-PSK: iterate through possible PSKs and select the one matching 1832 * the packet */ 1833 for (;;) { 1834 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1835 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 1836 sm->p2p_dev_addr, pmk); 1837 if (pmk == NULL) 1838 break; 1839 } else 1840 pmk = sm->PMK; 1841 1842 wpa_derive_ptk(sm, pmk, &PTK); 1843 1844 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key, 1845 sm->last_rx_eapol_key_len) == 0) { 1846 ok = 1; 1847 break; 1848 } 1849 1850 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 1851 break; 1852 } 1853 1854 if (!ok) { 1855 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1856 "invalid MIC in msg 2/4 of 4-Way Handshake"); 1857 return; 1858 } 1859 1860 #ifdef CONFIG_IEEE80211R 1861 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 1862 /* 1863 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 1864 * with the value we derived. 1865 */ 1866 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name, 1867 WPA_PMK_NAME_LEN) != 0) { 1868 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1869 "PMKR1Name mismatch in FT 4-way " 1870 "handshake"); 1871 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 1872 "Supplicant", 1873 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 1874 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1875 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1876 return; 1877 } 1878 } 1879 #endif /* CONFIG_IEEE80211R */ 1880 1881 sm->pending_1_of_4_timeout = 0; 1882 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 1883 1884 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1885 /* PSK may have changed from the previous choice, so update 1886 * state machine data based on whatever PSK was selected here. 1887 */ 1888 os_memcpy(sm->PMK, pmk, PMK_LEN); 1889 } 1890 1891 sm->MICVerified = TRUE; 1892 1893 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 1894 sm->PTK_valid = TRUE; 1895 } 1896 1897 1898 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 1899 { 1900 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 1901 sm->TimeoutCtr = 0; 1902 } 1903 1904 1905 #ifdef CONFIG_IEEE80211W 1906 1907 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1908 { 1909 if (sm->mgmt_frame_prot) { 1910 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde); 1911 } 1912 1913 return 0; 1914 } 1915 1916 1917 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1918 { 1919 struct wpa_igtk_kde igtk; 1920 struct wpa_group *gsm = sm->group; 1921 u8 rsc[WPA_KEY_RSC_LEN]; 1922 1923 if (!sm->mgmt_frame_prot) 1924 return pos; 1925 1926 igtk.keyid[0] = gsm->GN_igtk; 1927 igtk.keyid[1] = 0; 1928 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 1929 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 1930 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 1931 else 1932 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 1933 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 1934 if (sm->wpa_auth->conf.disable_gtk) { 1935 /* 1936 * Provide unique random IGTK to each STA to prevent use of 1937 * IGTK in the BSS. 1938 */ 1939 if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0) 1940 return pos; 1941 } 1942 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 1943 (const u8 *) &igtk, sizeof(igtk), NULL, 0); 1944 1945 return pos; 1946 } 1947 1948 #else /* CONFIG_IEEE80211W */ 1949 1950 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 1951 { 1952 return 0; 1953 } 1954 1955 1956 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 1957 { 1958 return pos; 1959 } 1960 1961 #endif /* CONFIG_IEEE80211W */ 1962 1963 1964 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 1965 { 1966 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 1967 size_t gtk_len, kde_len; 1968 struct wpa_group *gsm = sm->group; 1969 u8 *wpa_ie; 1970 int wpa_ie_len, secure, keyidx, encr = 0; 1971 1972 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 1973 sm->TimeoutEvt = FALSE; 1974 1975 sm->TimeoutCtr++; 1976 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 1977 /* No point in sending the EAPOL-Key - we will disconnect 1978 * immediately following this. */ 1979 return; 1980 } 1981 1982 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 1983 GTK[GN], IGTK, [FTIE], [TIE * 2]) 1984 */ 1985 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 1986 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 1987 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 1988 wpa_ie = sm->wpa_auth->wpa_ie; 1989 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 1990 if (sm->wpa == WPA_VERSION_WPA && 1991 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 1992 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 1993 /* WPA-only STA, remove RSN IE */ 1994 wpa_ie = wpa_ie + wpa_ie[1] + 2; 1995 wpa_ie_len = wpa_ie[1] + 2; 1996 } 1997 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1998 "sending 3/4 msg of 4-Way Handshake"); 1999 if (sm->wpa == WPA_VERSION_WPA2) { 2000 /* WPA2 send GTK in the 4-way handshake */ 2001 secure = 1; 2002 gtk = gsm->GTK[gsm->GN - 1]; 2003 gtk_len = gsm->GTK_len; 2004 if (sm->wpa_auth->conf.disable_gtk) { 2005 /* 2006 * Provide unique random GTK to each STA to prevent use 2007 * of GTK in the BSS. 2008 */ 2009 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2010 return; 2011 gtk = dummy_gtk; 2012 } 2013 keyidx = gsm->GN; 2014 _rsc = rsc; 2015 encr = 1; 2016 } else { 2017 /* WPA does not include GTK in msg 3/4 */ 2018 secure = 0; 2019 gtk = NULL; 2020 gtk_len = 0; 2021 keyidx = 0; 2022 _rsc = NULL; 2023 if (sm->rx_eapol_key_secure) { 2024 /* 2025 * It looks like Windows 7 supplicant tries to use 2026 * Secure bit in msg 2/4 after having reported Michael 2027 * MIC failure and it then rejects the 4-way handshake 2028 * if msg 3/4 does not set Secure bit. Work around this 2029 * by setting the Secure bit here even in the case of 2030 * WPA if the supplicant used it first. 2031 */ 2032 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2033 "STA used Secure bit in WPA msg 2/4 - " 2034 "set Secure for 3/4 as workaround"); 2035 secure = 1; 2036 } 2037 } 2038 2039 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2040 if (gtk) 2041 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2042 #ifdef CONFIG_IEEE80211R 2043 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2044 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2045 kde_len += 300; /* FTIE + 2 * TIE */ 2046 } 2047 #endif /* CONFIG_IEEE80211R */ 2048 #ifdef CONFIG_P2P 2049 if (WPA_GET_BE32(sm->ip_addr) > 0) 2050 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2051 #endif /* CONFIG_P2P */ 2052 kde = os_malloc(kde_len); 2053 if (kde == NULL) 2054 return; 2055 2056 pos = kde; 2057 os_memcpy(pos, wpa_ie, wpa_ie_len); 2058 pos += wpa_ie_len; 2059 #ifdef CONFIG_IEEE80211R 2060 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2061 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name); 2062 if (res < 0) { 2063 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2064 "PMKR1Name into RSN IE in EAPOL-Key data"); 2065 os_free(kde); 2066 return; 2067 } 2068 pos += res; 2069 } 2070 #endif /* CONFIG_IEEE80211R */ 2071 if (gtk) { 2072 u8 hdr[2]; 2073 hdr[0] = keyidx & 0x03; 2074 hdr[1] = 0; 2075 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2076 gtk, gtk_len); 2077 } 2078 pos = ieee80211w_kde_add(sm, pos); 2079 2080 #ifdef CONFIG_IEEE80211R 2081 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2082 int res; 2083 struct wpa_auth_config *conf; 2084 2085 conf = &sm->wpa_auth->conf; 2086 res = wpa_write_ftie(conf, conf->r0_key_holder, 2087 conf->r0_key_holder_len, 2088 NULL, NULL, pos, kde + kde_len - pos, 2089 NULL, 0); 2090 if (res < 0) { 2091 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2092 "into EAPOL-Key Key Data"); 2093 os_free(kde); 2094 return; 2095 } 2096 pos += res; 2097 2098 /* TIE[ReassociationDeadline] (TU) */ 2099 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2100 *pos++ = 5; 2101 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2102 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2103 pos += 4; 2104 2105 /* TIE[KeyLifetime] (seconds) */ 2106 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2107 *pos++ = 5; 2108 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2109 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2110 pos += 4; 2111 } 2112 #endif /* CONFIG_IEEE80211R */ 2113 #ifdef CONFIG_P2P 2114 if (WPA_GET_BE32(sm->ip_addr) > 0) { 2115 u8 addr[3 * 4]; 2116 os_memcpy(addr, sm->ip_addr, 4); 2117 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 2118 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 2119 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 2120 addr, sizeof(addr), NULL, 0); 2121 } 2122 #endif /* CONFIG_P2P */ 2123 2124 wpa_send_eapol(sm->wpa_auth, sm, 2125 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2126 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2127 WPA_KEY_INFO_KEY_TYPE, 2128 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2129 os_free(kde); 2130 } 2131 2132 2133 SM_STATE(WPA_PTK, PTKINITDONE) 2134 { 2135 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2136 sm->EAPOLKeyReceived = FALSE; 2137 if (sm->Pair) { 2138 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2139 int klen = wpa_cipher_key_len(sm->pairwise); 2140 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2141 sm->PTK.tk1, klen)) { 2142 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2143 return; 2144 } 2145 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2146 sm->pairwise_set = TRUE; 2147 2148 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2149 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2150 eloop_register_timeout(sm->wpa_auth->conf. 2151 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2152 sm->wpa_auth, sm); 2153 } 2154 2155 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2156 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2157 WPA_EAPOL_authorized, 1); 2158 } 2159 } 2160 2161 if (0 /* IBSS == TRUE */) { 2162 sm->keycount++; 2163 if (sm->keycount == 2) { 2164 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2165 WPA_EAPOL_portValid, 1); 2166 } 2167 } else { 2168 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2169 1); 2170 } 2171 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2172 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2173 if (sm->wpa == WPA_VERSION_WPA) 2174 sm->PInitAKeys = TRUE; 2175 else 2176 sm->has_GTK = TRUE; 2177 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2178 "pairwise key handshake completed (%s)", 2179 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2180 2181 #ifdef CONFIG_IEEE80211R 2182 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2183 #endif /* CONFIG_IEEE80211R */ 2184 } 2185 2186 2187 SM_STEP(WPA_PTK) 2188 { 2189 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2190 2191 if (sm->Init) 2192 SM_ENTER(WPA_PTK, INITIALIZE); 2193 else if (sm->Disconnect 2194 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2195 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2196 "WPA_PTK: sm->Disconnect"); 2197 SM_ENTER(WPA_PTK, DISCONNECT); 2198 } 2199 else if (sm->DeauthenticationRequest) 2200 SM_ENTER(WPA_PTK, DISCONNECTED); 2201 else if (sm->AuthenticationRequest) 2202 SM_ENTER(WPA_PTK, AUTHENTICATION); 2203 else if (sm->ReAuthenticationRequest) 2204 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2205 else if (sm->PTKRequest) 2206 SM_ENTER(WPA_PTK, PTKSTART); 2207 else switch (sm->wpa_ptk_state) { 2208 case WPA_PTK_INITIALIZE: 2209 break; 2210 case WPA_PTK_DISCONNECT: 2211 SM_ENTER(WPA_PTK, DISCONNECTED); 2212 break; 2213 case WPA_PTK_DISCONNECTED: 2214 SM_ENTER(WPA_PTK, INITIALIZE); 2215 break; 2216 case WPA_PTK_AUTHENTICATION: 2217 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2218 break; 2219 case WPA_PTK_AUTHENTICATION2: 2220 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2221 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2222 WPA_EAPOL_keyRun) > 0) 2223 SM_ENTER(WPA_PTK, INITPMK); 2224 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2225 /* FIX: && 802.1X::keyRun */) 2226 SM_ENTER(WPA_PTK, INITPSK); 2227 break; 2228 case WPA_PTK_INITPMK: 2229 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2230 WPA_EAPOL_keyAvailable) > 0) 2231 SM_ENTER(WPA_PTK, PTKSTART); 2232 else { 2233 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2234 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2235 "INITPMK - keyAvailable = false"); 2236 SM_ENTER(WPA_PTK, DISCONNECT); 2237 } 2238 break; 2239 case WPA_PTK_INITPSK: 2240 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2241 NULL)) 2242 SM_ENTER(WPA_PTK, PTKSTART); 2243 else { 2244 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2245 "no PSK configured for the STA"); 2246 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2247 SM_ENTER(WPA_PTK, DISCONNECT); 2248 } 2249 break; 2250 case WPA_PTK_PTKSTART: 2251 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2252 sm->EAPOLKeyPairwise) 2253 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2254 else if (sm->TimeoutCtr > 2255 (int) dot11RSNAConfigPairwiseUpdateCount) { 2256 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2257 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2258 "PTKSTART: Retry limit %d reached", 2259 dot11RSNAConfigPairwiseUpdateCount); 2260 SM_ENTER(WPA_PTK, DISCONNECT); 2261 } else if (sm->TimeoutEvt) 2262 SM_ENTER(WPA_PTK, PTKSTART); 2263 break; 2264 case WPA_PTK_PTKCALCNEGOTIATING: 2265 if (sm->MICVerified) 2266 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2267 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2268 sm->EAPOLKeyPairwise) 2269 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2270 else if (sm->TimeoutEvt) 2271 SM_ENTER(WPA_PTK, PTKSTART); 2272 break; 2273 case WPA_PTK_PTKCALCNEGOTIATING2: 2274 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2275 break; 2276 case WPA_PTK_PTKINITNEGOTIATING: 2277 if (sm->update_snonce) 2278 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2279 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2280 sm->EAPOLKeyPairwise && sm->MICVerified) 2281 SM_ENTER(WPA_PTK, PTKINITDONE); 2282 else if (sm->TimeoutCtr > 2283 (int) dot11RSNAConfigPairwiseUpdateCount) { 2284 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2285 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2286 "PTKINITNEGOTIATING: Retry limit %d " 2287 "reached", 2288 dot11RSNAConfigPairwiseUpdateCount); 2289 SM_ENTER(WPA_PTK, DISCONNECT); 2290 } else if (sm->TimeoutEvt) 2291 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2292 break; 2293 case WPA_PTK_PTKINITDONE: 2294 break; 2295 } 2296 } 2297 2298 2299 SM_STATE(WPA_PTK_GROUP, IDLE) 2300 { 2301 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2302 if (sm->Init) { 2303 /* Init flag is not cleared here, so avoid busy 2304 * loop by claiming nothing changed. */ 2305 sm->changed = FALSE; 2306 } 2307 sm->GTimeoutCtr = 0; 2308 } 2309 2310 2311 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2312 { 2313 u8 rsc[WPA_KEY_RSC_LEN]; 2314 struct wpa_group *gsm = sm->group; 2315 u8 *kde, *pos, hdr[2]; 2316 size_t kde_len; 2317 u8 *gtk, dummy_gtk[32]; 2318 2319 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2320 2321 sm->GTimeoutCtr++; 2322 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2323 /* No point in sending the EAPOL-Key - we will disconnect 2324 * immediately following this. */ 2325 return; 2326 } 2327 2328 if (sm->wpa == WPA_VERSION_WPA) 2329 sm->PInitAKeys = FALSE; 2330 sm->TimeoutEvt = FALSE; 2331 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2332 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2333 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2334 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2335 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2336 "sending 1/2 msg of Group Key Handshake"); 2337 2338 gtk = gsm->GTK[gsm->GN - 1]; 2339 if (sm->wpa_auth->conf.disable_gtk) { 2340 /* 2341 * Provide unique random GTK to each STA to prevent use 2342 * of GTK in the BSS. 2343 */ 2344 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2345 return; 2346 gtk = dummy_gtk; 2347 } 2348 if (sm->wpa == WPA_VERSION_WPA2) { 2349 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2350 ieee80211w_kde_len(sm); 2351 kde = os_malloc(kde_len); 2352 if (kde == NULL) 2353 return; 2354 2355 pos = kde; 2356 hdr[0] = gsm->GN & 0x03; 2357 hdr[1] = 0; 2358 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2359 gtk, gsm->GTK_len); 2360 pos = ieee80211w_kde_add(sm, pos); 2361 } else { 2362 kde = gtk; 2363 pos = kde + gsm->GTK_len; 2364 } 2365 2366 wpa_send_eapol(sm->wpa_auth, sm, 2367 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2368 WPA_KEY_INFO_ACK | 2369 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2370 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1); 2371 if (sm->wpa == WPA_VERSION_WPA2) 2372 os_free(kde); 2373 } 2374 2375 2376 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2377 { 2378 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2379 sm->EAPOLKeyReceived = FALSE; 2380 if (sm->GUpdateStationKeys) 2381 sm->group->GKeyDoneStations--; 2382 sm->GUpdateStationKeys = FALSE; 2383 sm->GTimeoutCtr = 0; 2384 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2385 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2386 "group key handshake completed (%s)", 2387 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2388 sm->has_GTK = TRUE; 2389 } 2390 2391 2392 SM_STATE(WPA_PTK_GROUP, KEYERROR) 2393 { 2394 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2395 if (sm->GUpdateStationKeys) 2396 sm->group->GKeyDoneStations--; 2397 sm->GUpdateStationKeys = FALSE; 2398 sm->Disconnect = TRUE; 2399 } 2400 2401 2402 SM_STEP(WPA_PTK_GROUP) 2403 { 2404 if (sm->Init || sm->PtkGroupInit) { 2405 SM_ENTER(WPA_PTK_GROUP, IDLE); 2406 sm->PtkGroupInit = FALSE; 2407 } else switch (sm->wpa_ptk_group_state) { 2408 case WPA_PTK_GROUP_IDLE: 2409 if (sm->GUpdateStationKeys || 2410 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2411 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2412 break; 2413 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2414 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2415 !sm->EAPOLKeyPairwise && sm->MICVerified) 2416 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2417 else if (sm->GTimeoutCtr > 2418 (int) dot11RSNAConfigGroupUpdateCount) 2419 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2420 else if (sm->TimeoutEvt) 2421 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2422 break; 2423 case WPA_PTK_GROUP_KEYERROR: 2424 SM_ENTER(WPA_PTK_GROUP, IDLE); 2425 break; 2426 case WPA_PTK_GROUP_REKEYESTABLISHED: 2427 SM_ENTER(WPA_PTK_GROUP, IDLE); 2428 break; 2429 } 2430 } 2431 2432 2433 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2434 struct wpa_group *group) 2435 { 2436 int ret = 0; 2437 2438 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2439 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2440 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2441 wpa_auth->addr, group->GNonce, 2442 group->GTK[group->GN - 1], group->GTK_len) < 0) 2443 ret = -1; 2444 wpa_hexdump_key(MSG_DEBUG, "GTK", 2445 group->GTK[group->GN - 1], group->GTK_len); 2446 2447 #ifdef CONFIG_IEEE80211W 2448 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2449 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2450 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2451 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2452 wpa_auth->addr, group->GNonce, 2453 group->IGTK[group->GN_igtk - 4], 2454 WPA_IGTK_LEN) < 0) 2455 ret = -1; 2456 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2457 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN); 2458 } 2459 #endif /* CONFIG_IEEE80211W */ 2460 2461 return ret; 2462 } 2463 2464 2465 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2466 struct wpa_group *group) 2467 { 2468 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2469 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2470 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2471 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2472 2473 /* GTK[0..N] = 0 */ 2474 os_memset(group->GTK, 0, sizeof(group->GTK)); 2475 group->GN = 1; 2476 group->GM = 2; 2477 #ifdef CONFIG_IEEE80211W 2478 group->GN_igtk = 4; 2479 group->GM_igtk = 5; 2480 #endif /* CONFIG_IEEE80211W */ 2481 /* GTK[GN] = CalcGTK() */ 2482 wpa_gtk_update(wpa_auth, group); 2483 } 2484 2485 2486 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2487 { 2488 if (ctx != NULL && ctx != sm->group) 2489 return 0; 2490 2491 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2492 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2493 "Not in PTKINITDONE; skip Group Key update"); 2494 sm->GUpdateStationKeys = FALSE; 2495 return 0; 2496 } 2497 if (sm->GUpdateStationKeys) { 2498 /* 2499 * This should not really happen, so add a debug log entry. 2500 * Since we clear the GKeyDoneStations before the loop, the 2501 * station needs to be counted here anyway. 2502 */ 2503 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2504 "GUpdateStationKeys was already set when " 2505 "marking station for GTK rekeying"); 2506 } 2507 2508 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2509 if (sm->is_wnmsleep) 2510 return 0; 2511 2512 sm->group->GKeyDoneStations++; 2513 sm->GUpdateStationKeys = TRUE; 2514 2515 wpa_sm_step(sm); 2516 return 0; 2517 } 2518 2519 2520 #ifdef CONFIG_WNM 2521 /* update GTK when exiting WNM-Sleep Mode */ 2522 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2523 { 2524 if (sm == NULL || sm->is_wnmsleep) 2525 return; 2526 2527 wpa_group_update_sta(sm, NULL); 2528 } 2529 2530 2531 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2532 { 2533 if (sm) 2534 sm->is_wnmsleep = !!flag; 2535 } 2536 2537 2538 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2539 { 2540 struct wpa_group *gsm = sm->group; 2541 u8 *start = pos; 2542 2543 /* 2544 * GTK subelement: 2545 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2546 * Key[5..32] 2547 */ 2548 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2549 *pos++ = 11 + gsm->GTK_len; 2550 /* Key ID in B0-B1 of Key Info */ 2551 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2552 pos += 2; 2553 *pos++ = gsm->GTK_len; 2554 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2555 return 0; 2556 pos += 8; 2557 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2558 pos += gsm->GTK_len; 2559 2560 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2561 gsm->GN); 2562 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2563 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2564 2565 return pos - start; 2566 } 2567 2568 2569 #ifdef CONFIG_IEEE80211W 2570 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2571 { 2572 struct wpa_group *gsm = sm->group; 2573 u8 *start = pos; 2574 2575 /* 2576 * IGTK subelement: 2577 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2578 */ 2579 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2580 *pos++ = 2 + 6 + WPA_IGTK_LEN; 2581 WPA_PUT_LE16(pos, gsm->GN_igtk); 2582 pos += 2; 2583 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2584 return 0; 2585 pos += 6; 2586 2587 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2588 pos += WPA_IGTK_LEN; 2589 2590 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2591 gsm->GN_igtk); 2592 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2593 gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN); 2594 2595 return pos - start; 2596 } 2597 #endif /* CONFIG_IEEE80211W */ 2598 #endif /* CONFIG_WNM */ 2599 2600 2601 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2602 struct wpa_group *group) 2603 { 2604 int tmp; 2605 2606 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2607 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2608 group->changed = TRUE; 2609 group->wpa_group_state = WPA_GROUP_SETKEYS; 2610 group->GTKReKey = FALSE; 2611 tmp = group->GM; 2612 group->GM = group->GN; 2613 group->GN = tmp; 2614 #ifdef CONFIG_IEEE80211W 2615 tmp = group->GM_igtk; 2616 group->GM_igtk = group->GN_igtk; 2617 group->GN_igtk = tmp; 2618 #endif /* CONFIG_IEEE80211W */ 2619 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2620 * counting the STAs that are marked with GUpdateStationKeys instead of 2621 * including all STAs that could be in not-yet-completed state. */ 2622 wpa_gtk_update(wpa_auth, group); 2623 2624 if (group->GKeyDoneStations) { 2625 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2626 "GKeyDoneStations=%d when starting new GTK rekey", 2627 group->GKeyDoneStations); 2628 group->GKeyDoneStations = 0; 2629 } 2630 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2631 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2632 group->GKeyDoneStations); 2633 } 2634 2635 2636 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2637 struct wpa_group *group) 2638 { 2639 int ret = 0; 2640 2641 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2642 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2643 broadcast_ether_addr, group->GN, 2644 group->GTK[group->GN - 1], group->GTK_len) < 0) 2645 ret = -1; 2646 2647 #ifdef CONFIG_IEEE80211W 2648 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && 2649 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK, 2650 broadcast_ether_addr, group->GN_igtk, 2651 group->IGTK[group->GN_igtk - 4], 2652 WPA_IGTK_LEN) < 0) 2653 ret = -1; 2654 #endif /* CONFIG_IEEE80211W */ 2655 2656 return ret; 2657 } 2658 2659 2660 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 2661 { 2662 if (sm->group == ctx) { 2663 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 2664 " for discconnection due to fatal failure", 2665 MAC2STR(sm->addr)); 2666 sm->Disconnect = TRUE; 2667 } 2668 2669 return 0; 2670 } 2671 2672 2673 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 2674 struct wpa_group *group) 2675 { 2676 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 2677 group->changed = TRUE; 2678 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 2679 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 2680 } 2681 2682 2683 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2684 struct wpa_group *group) 2685 { 2686 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2687 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2688 group->changed = TRUE; 2689 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2690 2691 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 2692 wpa_group_fatal_failure(wpa_auth, group); 2693 return -1; 2694 } 2695 2696 return 0; 2697 } 2698 2699 2700 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2701 struct wpa_group *group) 2702 { 2703 if (group->GInit) { 2704 wpa_group_gtk_init(wpa_auth, group); 2705 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 2706 /* Do not allow group operations */ 2707 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2708 group->GTKAuthenticator) { 2709 wpa_group_setkeysdone(wpa_auth, group); 2710 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2711 group->GTKReKey) { 2712 wpa_group_setkeys(wpa_auth, group); 2713 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2714 if (group->GKeyDoneStations == 0) 2715 wpa_group_setkeysdone(wpa_auth, group); 2716 else if (group->GTKReKey) 2717 wpa_group_setkeys(wpa_auth, group); 2718 } 2719 } 2720 2721 2722 static int wpa_sm_step(struct wpa_state_machine *sm) 2723 { 2724 if (sm == NULL) 2725 return 0; 2726 2727 if (sm->in_step_loop) { 2728 /* This should not happen, but if it does, make sure we do not 2729 * end up freeing the state machine too early by exiting the 2730 * recursive call. */ 2731 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 2732 return 0; 2733 } 2734 2735 sm->in_step_loop = 1; 2736 do { 2737 if (sm->pending_deinit) 2738 break; 2739 2740 sm->changed = FALSE; 2741 sm->wpa_auth->group->changed = FALSE; 2742 2743 SM_STEP_RUN(WPA_PTK); 2744 if (sm->pending_deinit) 2745 break; 2746 SM_STEP_RUN(WPA_PTK_GROUP); 2747 if (sm->pending_deinit) 2748 break; 2749 wpa_group_sm_step(sm->wpa_auth, sm->group); 2750 } while (sm->changed || sm->wpa_auth->group->changed); 2751 sm->in_step_loop = 0; 2752 2753 if (sm->pending_deinit) { 2754 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 2755 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 2756 wpa_free_sta_sm(sm); 2757 return 1; 2758 } 2759 return 0; 2760 } 2761 2762 2763 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 2764 { 2765 struct wpa_state_machine *sm = eloop_ctx; 2766 wpa_sm_step(sm); 2767 } 2768 2769 2770 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 2771 { 2772 if (sm == NULL) 2773 return; 2774 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 2775 } 2776 2777 2778 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 2779 { 2780 int tmp, i; 2781 struct wpa_group *group; 2782 2783 if (wpa_auth == NULL) 2784 return; 2785 2786 group = wpa_auth->group; 2787 2788 for (i = 0; i < 2; i++) { 2789 tmp = group->GM; 2790 group->GM = group->GN; 2791 group->GN = tmp; 2792 #ifdef CONFIG_IEEE80211W 2793 tmp = group->GM_igtk; 2794 group->GM_igtk = group->GN_igtk; 2795 group->GN_igtk = tmp; 2796 #endif /* CONFIG_IEEE80211W */ 2797 wpa_gtk_update(wpa_auth, group); 2798 wpa_group_config_group_keys(wpa_auth, group); 2799 } 2800 } 2801 2802 2803 static const char * wpa_bool_txt(int bool) 2804 { 2805 return bool ? "TRUE" : "FALSE"; 2806 } 2807 2808 2809 #define RSN_SUITE "%02x-%02x-%02x-%d" 2810 #define RSN_SUITE_ARG(s) \ 2811 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2812 2813 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 2814 { 2815 int len = 0, ret; 2816 char pmkid_txt[PMKID_LEN * 2 + 1]; 2817 #ifdef CONFIG_RSN_PREAUTH 2818 const int preauth = 1; 2819 #else /* CONFIG_RSN_PREAUTH */ 2820 const int preauth = 0; 2821 #endif /* CONFIG_RSN_PREAUTH */ 2822 2823 if (wpa_auth == NULL) 2824 return len; 2825 2826 ret = os_snprintf(buf + len, buflen - len, 2827 "dot11RSNAOptionImplemented=TRUE\n" 2828 "dot11RSNAPreauthenticationImplemented=%s\n" 2829 "dot11RSNAEnabled=%s\n" 2830 "dot11RSNAPreauthenticationEnabled=%s\n", 2831 wpa_bool_txt(preauth), 2832 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 2833 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 2834 if (ret < 0 || (size_t) ret >= buflen - len) 2835 return len; 2836 len += ret; 2837 2838 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2839 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 2840 2841 ret = os_snprintf( 2842 buf + len, buflen - len, 2843 "dot11RSNAConfigVersion=%u\n" 2844 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 2845 /* FIX: dot11RSNAConfigGroupCipher */ 2846 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 2847 /* FIX: dot11RSNAConfigGroupRekeyTime */ 2848 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 2849 "dot11RSNAConfigGroupRekeyStrict=%u\n" 2850 "dot11RSNAConfigGroupUpdateCount=%u\n" 2851 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 2852 "dot11RSNAConfigGroupCipherSize=%u\n" 2853 "dot11RSNAConfigPMKLifetime=%u\n" 2854 "dot11RSNAConfigPMKReauthThreshold=%u\n" 2855 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 2856 "dot11RSNAConfigSATimeout=%u\n" 2857 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2858 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2859 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2860 "dot11RSNAPMKIDUsed=%s\n" 2861 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2862 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2863 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2864 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 2865 "dot11RSNA4WayHandshakeFailures=%u\n" 2866 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 2867 RSN_VERSION, 2868 !!wpa_auth->conf.wpa_strict_rekey, 2869 dot11RSNAConfigGroupUpdateCount, 2870 dot11RSNAConfigPairwiseUpdateCount, 2871 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 2872 dot11RSNAConfigPMKLifetime, 2873 dot11RSNAConfigPMKReauthThreshold, 2874 dot11RSNAConfigSATimeout, 2875 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 2876 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 2877 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 2878 pmkid_txt, 2879 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 2880 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 2881 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 2882 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 2883 wpa_auth->dot11RSNA4WayHandshakeFailures); 2884 if (ret < 0 || (size_t) ret >= buflen - len) 2885 return len; 2886 len += ret; 2887 2888 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 2889 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 2890 2891 /* Private MIB */ 2892 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 2893 wpa_auth->group->wpa_group_state); 2894 if (ret < 0 || (size_t) ret >= buflen - len) 2895 return len; 2896 len += ret; 2897 2898 return len; 2899 } 2900 2901 2902 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 2903 { 2904 int len = 0, ret; 2905 u32 pairwise = 0; 2906 2907 if (sm == NULL) 2908 return 0; 2909 2910 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 2911 2912 /* dot11RSNAStatsEntry */ 2913 2914 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 2915 WPA_PROTO_RSN : WPA_PROTO_WPA, 2916 sm->pairwise); 2917 if (pairwise == 0) 2918 return 0; 2919 2920 ret = os_snprintf( 2921 buf + len, buflen - len, 2922 /* TODO: dot11RSNAStatsIndex */ 2923 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 2924 "dot11RSNAStatsVersion=1\n" 2925 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 2926 /* TODO: dot11RSNAStatsTKIPICVErrors */ 2927 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 2928 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 2929 /* TODO: dot11RSNAStatsCCMPReplays */ 2930 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 2931 /* TODO: dot11RSNAStatsTKIPReplays */, 2932 MAC2STR(sm->addr), 2933 RSN_SUITE_ARG(pairwise), 2934 sm->dot11RSNAStatsTKIPLocalMICFailures, 2935 sm->dot11RSNAStatsTKIPRemoteMICFailures); 2936 if (ret < 0 || (size_t) ret >= buflen - len) 2937 return len; 2938 len += ret; 2939 2940 /* Private MIB */ 2941 ret = os_snprintf(buf + len, buflen - len, 2942 "hostapdWPAPTKState=%d\n" 2943 "hostapdWPAPTKGroupState=%d\n", 2944 sm->wpa_ptk_state, 2945 sm->wpa_ptk_group_state); 2946 if (ret < 0 || (size_t) ret >= buflen - len) 2947 return len; 2948 len += ret; 2949 2950 return len; 2951 } 2952 2953 2954 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 2955 { 2956 if (wpa_auth) 2957 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 2958 } 2959 2960 2961 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 2962 { 2963 return sm && sm->pairwise_set; 2964 } 2965 2966 2967 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 2968 { 2969 return sm->pairwise; 2970 } 2971 2972 2973 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 2974 { 2975 if (sm == NULL) 2976 return -1; 2977 return sm->wpa_key_mgmt; 2978 } 2979 2980 2981 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 2982 { 2983 if (sm == NULL) 2984 return 0; 2985 return sm->wpa; 2986 } 2987 2988 2989 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 2990 struct rsn_pmksa_cache_entry *entry) 2991 { 2992 if (sm == NULL || sm->pmksa != entry) 2993 return -1; 2994 sm->pmksa = NULL; 2995 return 0; 2996 } 2997 2998 2999 struct rsn_pmksa_cache_entry * 3000 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3001 { 3002 return sm ? sm->pmksa : NULL; 3003 } 3004 3005 3006 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3007 { 3008 if (sm) 3009 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3010 } 3011 3012 3013 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3014 { 3015 if (wpa_auth == NULL) 3016 return NULL; 3017 *len = wpa_auth->wpa_ie_len; 3018 return wpa_auth->wpa_ie; 3019 } 3020 3021 3022 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3023 int session_timeout, struct eapol_state_machine *eapol) 3024 { 3025 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3026 sm->wpa_auth->conf.disable_pmksa_caching) 3027 return -1; 3028 3029 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN, 3030 sm->wpa_auth->addr, sm->addr, session_timeout, 3031 eapol, sm->wpa_key_mgmt)) 3032 return 0; 3033 3034 return -1; 3035 } 3036 3037 3038 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 3039 const u8 *pmk, size_t len, const u8 *sta_addr, 3040 int session_timeout, 3041 struct eapol_state_machine *eapol) 3042 { 3043 if (wpa_auth == NULL) 3044 return -1; 3045 3046 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr, 3047 sta_addr, session_timeout, eapol, 3048 WPA_KEY_MGMT_IEEE8021X)) 3049 return 0; 3050 3051 return -1; 3052 } 3053 3054 3055 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 3056 const u8 *sta_addr) 3057 { 3058 struct rsn_pmksa_cache_entry *pmksa; 3059 3060 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 3061 return; 3062 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3063 if (pmksa) { 3064 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 3065 MACSTR " based on request", MAC2STR(sta_addr)); 3066 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 3067 } 3068 } 3069 3070 3071 static struct wpa_group * 3072 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3073 { 3074 struct wpa_group *group; 3075 3076 if (wpa_auth == NULL || wpa_auth->group == NULL) 3077 return NULL; 3078 3079 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 3080 vlan_id); 3081 group = wpa_group_init(wpa_auth, vlan_id, 0); 3082 if (group == NULL) 3083 return NULL; 3084 3085 group->next = wpa_auth->group->next; 3086 wpa_auth->group->next = group; 3087 3088 return group; 3089 } 3090 3091 3092 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 3093 { 3094 struct wpa_group *group; 3095 3096 if (sm == NULL || sm->wpa_auth == NULL) 3097 return 0; 3098 3099 group = sm->wpa_auth->group; 3100 while (group) { 3101 if (group->vlan_id == vlan_id) 3102 break; 3103 group = group->next; 3104 } 3105 3106 if (group == NULL) { 3107 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3108 if (group == NULL) 3109 return -1; 3110 } 3111 3112 if (sm->group == group) 3113 return 0; 3114 3115 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3116 return -1; 3117 3118 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3119 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3120 3121 sm->group = group; 3122 return 0; 3123 } 3124 3125 3126 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3127 struct wpa_state_machine *sm, int ack) 3128 { 3129 if (wpa_auth == NULL || sm == NULL) 3130 return; 3131 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3132 " ack=%d", MAC2STR(sm->addr), ack); 3133 if (sm->pending_1_of_4_timeout && ack) { 3134 /* 3135 * Some deployed supplicant implementations update their SNonce 3136 * for each EAPOL-Key 2/4 message even within the same 4-way 3137 * handshake and then fail to use the first SNonce when 3138 * deriving the PTK. This results in unsuccessful 4-way 3139 * handshake whenever the relatively short initial timeout is 3140 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3141 * around this by increasing the timeout now that we know that 3142 * the station has received the frame. 3143 */ 3144 int timeout_ms = eapol_key_timeout_subseq; 3145 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3146 "timeout by %u ms because of acknowledged frame", 3147 timeout_ms); 3148 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3149 eloop_register_timeout(timeout_ms / 1000, 3150 (timeout_ms % 1000) * 1000, 3151 wpa_send_eapol_timeout, wpa_auth, sm); 3152 } 3153 } 3154 3155 3156 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3157 { 3158 if (sm == NULL) 3159 return 0; 3160 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3161 } 3162 3163 3164 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 3165 { 3166 if (sm == NULL) 3167 return 0; 3168 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 3169 } 3170 3171 3172 #ifdef CONFIG_P2P 3173 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 3174 { 3175 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 3176 return -1; 3177 os_memcpy(addr, sm->ip_addr, 4); 3178 return 0; 3179 } 3180 #endif /* CONFIG_P2P */ 3181