1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "crypto/aes_wrap.h" 17 #include "crypto/crypto.h" 18 #include "crypto/sha1.h" 19 #include "crypto/sha256.h" 20 #include "crypto/random.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "ap_config.h" 23 #include "ieee802_11.h" 24 #include "wpa_auth.h" 25 #include "pmksa_cache_auth.h" 26 #include "wpa_auth_i.h" 27 #include "wpa_auth_ie.h" 28 29 #define STATE_MACHINE_DATA struct wpa_state_machine 30 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 31 #define STATE_MACHINE_ADDR sm->addr 32 33 34 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 35 static int wpa_sm_step(struct wpa_state_machine *sm); 36 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 37 size_t data_len); 38 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 39 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 40 struct wpa_group *group); 41 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 42 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 45 struct wpa_group *group); 46 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 47 const u8 *pmk, unsigned int pmk_len, 48 struct wpa_ptk *ptk); 49 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 50 struct wpa_group *group); 51 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 52 struct wpa_group *group); 53 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 54 struct wpa_group *group); 55 56 static const u32 dot11RSNAConfigGroupUpdateCount = 4; 57 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 58 static const u32 eapol_key_timeout_first = 100; /* ms */ 59 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 60 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 61 62 /* TODO: make these configurable */ 63 static const int dot11RSNAConfigPMKLifetime = 43200; 64 static const int dot11RSNAConfigPMKReauthThreshold = 70; 65 static const int dot11RSNAConfigSATimeout = 60; 66 67 68 static inline int wpa_auth_mic_failure_report( 69 struct wpa_authenticator *wpa_auth, const u8 *addr) 70 { 71 if (wpa_auth->cb.mic_failure_report) 72 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 73 return 0; 74 } 75 76 77 static inline void wpa_auth_psk_failure_report( 78 struct wpa_authenticator *wpa_auth, const u8 *addr) 79 { 80 if (wpa_auth->cb.psk_failure_report) 81 wpa_auth->cb.psk_failure_report(wpa_auth->cb.ctx, addr); 82 } 83 84 85 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 86 const u8 *addr, wpa_eapol_variable var, 87 int value) 88 { 89 if (wpa_auth->cb.set_eapol) 90 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 91 } 92 93 94 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 95 const u8 *addr, wpa_eapol_variable var) 96 { 97 if (wpa_auth->cb.get_eapol == NULL) 98 return -1; 99 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 100 } 101 102 103 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 104 const u8 *addr, 105 const u8 *p2p_dev_addr, 106 const u8 *prev_psk) 107 { 108 if (wpa_auth->cb.get_psk == NULL) 109 return NULL; 110 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr, 111 prev_psk); 112 } 113 114 115 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 116 const u8 *addr, u8 *msk, size_t *len) 117 { 118 if (wpa_auth->cb.get_msk == NULL) 119 return -1; 120 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 121 } 122 123 124 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 125 int vlan_id, 126 enum wpa_alg alg, const u8 *addr, int idx, 127 u8 *key, size_t key_len) 128 { 129 if (wpa_auth->cb.set_key == NULL) 130 return -1; 131 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 132 key, key_len); 133 } 134 135 136 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 137 const u8 *addr, int idx, u8 *seq) 138 { 139 if (wpa_auth->cb.get_seqnum == NULL) 140 return -1; 141 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 142 } 143 144 145 static inline int 146 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 147 const u8 *data, size_t data_len, int encrypt) 148 { 149 if (wpa_auth->cb.send_eapol == NULL) 150 return -1; 151 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 152 encrypt); 153 } 154 155 156 #ifdef CONFIG_MESH 157 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 158 const u8 *addr) 159 { 160 if (wpa_auth->cb.start_ampe == NULL) 161 return -1; 162 return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr); 163 } 164 #endif /* CONFIG_MESH */ 165 166 167 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 168 int (*cb)(struct wpa_state_machine *sm, void *ctx), 169 void *cb_ctx) 170 { 171 if (wpa_auth->cb.for_each_sta == NULL) 172 return 0; 173 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 174 } 175 176 177 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 178 int (*cb)(struct wpa_authenticator *a, void *ctx), 179 void *cb_ctx) 180 { 181 if (wpa_auth->cb.for_each_auth == NULL) 182 return 0; 183 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 184 } 185 186 187 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 188 logger_level level, const char *txt) 189 { 190 if (wpa_auth->cb.logger == NULL) 191 return; 192 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 193 } 194 195 196 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 197 logger_level level, const char *fmt, ...) 198 { 199 char *format; 200 int maxlen; 201 va_list ap; 202 203 if (wpa_auth->cb.logger == NULL) 204 return; 205 206 maxlen = os_strlen(fmt) + 100; 207 format = os_malloc(maxlen); 208 if (!format) 209 return; 210 211 va_start(ap, fmt); 212 vsnprintf(format, maxlen, fmt, ap); 213 va_end(ap); 214 215 wpa_auth_logger(wpa_auth, addr, level, format); 216 217 os_free(format); 218 } 219 220 221 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 222 const u8 *addr) 223 { 224 if (wpa_auth->cb.disconnect == NULL) 225 return; 226 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 227 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 228 WLAN_REASON_PREV_AUTH_NOT_VALID); 229 } 230 231 232 static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 233 { 234 int ret = 0; 235 #ifdef CONFIG_IEEE80211R 236 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 237 ret = 1; 238 #endif /* CONFIG_IEEE80211R */ 239 #ifdef CONFIG_IEEE80211W 240 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 241 ret = 1; 242 #endif /* CONFIG_IEEE80211W */ 243 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) 244 ret = 1; 245 return ret; 246 } 247 248 249 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 250 { 251 struct wpa_authenticator *wpa_auth = eloop_ctx; 252 253 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 254 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 255 "initialization."); 256 } else { 257 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 258 wpa_hexdump_key(MSG_DEBUG, "GMK", 259 wpa_auth->group->GMK, WPA_GMK_LEN); 260 } 261 262 if (wpa_auth->conf.wpa_gmk_rekey) { 263 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 264 wpa_rekey_gmk, wpa_auth, NULL); 265 } 266 } 267 268 269 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 270 { 271 struct wpa_authenticator *wpa_auth = eloop_ctx; 272 struct wpa_group *group, *next; 273 274 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 275 group = wpa_auth->group; 276 while (group) { 277 wpa_group_get(wpa_auth, group); 278 279 group->GTKReKey = TRUE; 280 do { 281 group->changed = FALSE; 282 wpa_group_sm_step(wpa_auth, group); 283 } while (group->changed); 284 285 next = group->next; 286 wpa_group_put(wpa_auth, group); 287 group = next; 288 } 289 290 if (wpa_auth->conf.wpa_group_rekey) { 291 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 292 0, wpa_rekey_gtk, wpa_auth, NULL); 293 } 294 } 295 296 297 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 298 { 299 struct wpa_authenticator *wpa_auth = eloop_ctx; 300 struct wpa_state_machine *sm = timeout_ctx; 301 302 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 303 wpa_request_new_ptk(sm); 304 wpa_sm_step(sm); 305 } 306 307 308 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 309 { 310 if (sm->pmksa == ctx) 311 sm->pmksa = NULL; 312 return 0; 313 } 314 315 316 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 317 void *ctx) 318 { 319 struct wpa_authenticator *wpa_auth = ctx; 320 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 321 } 322 323 324 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 325 struct wpa_group *group) 326 { 327 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 328 u8 rkey[32]; 329 unsigned long ptr; 330 331 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 332 return -1; 333 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 334 335 /* 336 * Counter = PRF-256(Random number, "Init Counter", 337 * Local MAC Address || Time) 338 */ 339 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 340 wpa_get_ntp_timestamp(buf + ETH_ALEN); 341 ptr = (unsigned long) group; 342 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 343 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 344 return -1; 345 346 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 347 group->Counter, WPA_NONCE_LEN) < 0) 348 return -1; 349 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 350 group->Counter, WPA_NONCE_LEN); 351 352 return 0; 353 } 354 355 356 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 357 int vlan_id, int delay_init) 358 { 359 struct wpa_group *group; 360 361 group = os_zalloc(sizeof(struct wpa_group)); 362 if (group == NULL) 363 return NULL; 364 365 group->GTKAuthenticator = TRUE; 366 group->vlan_id = vlan_id; 367 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 368 369 if (random_pool_ready() != 1) { 370 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 371 "for secure operations - update keys later when " 372 "the first station connects"); 373 } 374 375 /* 376 * Set initial GMK/Counter value here. The actual values that will be 377 * used in negotiations will be set once the first station tries to 378 * connect. This allows more time for collecting additional randomness 379 * on embedded devices. 380 */ 381 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 382 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 383 "initialization."); 384 os_free(group); 385 return NULL; 386 } 387 388 group->GInit = TRUE; 389 if (delay_init) { 390 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 391 "until Beacon frames have been configured"); 392 /* Initialization is completed in wpa_init_keys(). */ 393 } else { 394 wpa_group_sm_step(wpa_auth, group); 395 group->GInit = FALSE; 396 wpa_group_sm_step(wpa_auth, group); 397 } 398 399 return group; 400 } 401 402 403 /** 404 * wpa_init - Initialize WPA authenticator 405 * @addr: Authenticator address 406 * @conf: Configuration for WPA authenticator 407 * @cb: Callback functions for WPA authenticator 408 * Returns: Pointer to WPA authenticator data or %NULL on failure 409 */ 410 struct wpa_authenticator * wpa_init(const u8 *addr, 411 struct wpa_auth_config *conf, 412 struct wpa_auth_callbacks *cb) 413 { 414 struct wpa_authenticator *wpa_auth; 415 416 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 417 if (wpa_auth == NULL) 418 return NULL; 419 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 420 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 421 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 422 423 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 424 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 425 os_free(wpa_auth); 426 return NULL; 427 } 428 429 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 430 if (wpa_auth->group == NULL) { 431 os_free(wpa_auth->wpa_ie); 432 os_free(wpa_auth); 433 return NULL; 434 } 435 436 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 437 wpa_auth); 438 if (wpa_auth->pmksa == NULL) { 439 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 440 os_free(wpa_auth->group); 441 os_free(wpa_auth->wpa_ie); 442 os_free(wpa_auth); 443 return NULL; 444 } 445 446 #ifdef CONFIG_IEEE80211R 447 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 448 if (wpa_auth->ft_pmk_cache == NULL) { 449 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 450 os_free(wpa_auth->group); 451 os_free(wpa_auth->wpa_ie); 452 pmksa_cache_auth_deinit(wpa_auth->pmksa); 453 os_free(wpa_auth); 454 return NULL; 455 } 456 #endif /* CONFIG_IEEE80211R */ 457 458 if (wpa_auth->conf.wpa_gmk_rekey) { 459 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 460 wpa_rekey_gmk, wpa_auth, NULL); 461 } 462 463 if (wpa_auth->conf.wpa_group_rekey) { 464 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 465 wpa_rekey_gtk, wpa_auth, NULL); 466 } 467 468 #ifdef CONFIG_P2P 469 if (WPA_GET_BE32(conf->ip_addr_start)) { 470 int count = WPA_GET_BE32(conf->ip_addr_end) - 471 WPA_GET_BE32(conf->ip_addr_start) + 1; 472 if (count > 1000) 473 count = 1000; 474 if (count > 0) 475 wpa_auth->ip_pool = bitfield_alloc(count); 476 } 477 #endif /* CONFIG_P2P */ 478 479 return wpa_auth; 480 } 481 482 483 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 484 { 485 struct wpa_group *group = wpa_auth->group; 486 487 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 488 "keys"); 489 wpa_group_sm_step(wpa_auth, group); 490 group->GInit = FALSE; 491 wpa_group_sm_step(wpa_auth, group); 492 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 493 return -1; 494 return 0; 495 } 496 497 498 /** 499 * wpa_deinit - Deinitialize WPA authenticator 500 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 501 */ 502 void wpa_deinit(struct wpa_authenticator *wpa_auth) 503 { 504 struct wpa_group *group, *prev; 505 506 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 507 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 508 509 #ifdef CONFIG_PEERKEY 510 while (wpa_auth->stsl_negotiations) 511 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 512 #endif /* CONFIG_PEERKEY */ 513 514 pmksa_cache_auth_deinit(wpa_auth->pmksa); 515 516 #ifdef CONFIG_IEEE80211R 517 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 518 wpa_auth->ft_pmk_cache = NULL; 519 #endif /* CONFIG_IEEE80211R */ 520 521 #ifdef CONFIG_P2P 522 bitfield_free(wpa_auth->ip_pool); 523 #endif /* CONFIG_P2P */ 524 525 526 os_free(wpa_auth->wpa_ie); 527 528 group = wpa_auth->group; 529 while (group) { 530 prev = group; 531 group = group->next; 532 os_free(prev); 533 } 534 535 os_free(wpa_auth); 536 } 537 538 539 /** 540 * wpa_reconfig - Update WPA authenticator configuration 541 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 542 * @conf: Configuration for WPA authenticator 543 */ 544 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 545 struct wpa_auth_config *conf) 546 { 547 struct wpa_group *group; 548 if (wpa_auth == NULL) 549 return 0; 550 551 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 552 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 553 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 554 return -1; 555 } 556 557 /* 558 * Reinitialize GTK to make sure it is suitable for the new 559 * configuration. 560 */ 561 group = wpa_auth->group; 562 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 563 group->GInit = TRUE; 564 wpa_group_sm_step(wpa_auth, group); 565 group->GInit = FALSE; 566 wpa_group_sm_step(wpa_auth, group); 567 568 return 0; 569 } 570 571 572 struct wpa_state_machine * 573 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 574 const u8 *p2p_dev_addr) 575 { 576 struct wpa_state_machine *sm; 577 578 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 579 return NULL; 580 581 sm = os_zalloc(sizeof(struct wpa_state_machine)); 582 if (sm == NULL) 583 return NULL; 584 os_memcpy(sm->addr, addr, ETH_ALEN); 585 if (p2p_dev_addr) 586 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 587 588 sm->wpa_auth = wpa_auth; 589 sm->group = wpa_auth->group; 590 wpa_group_get(sm->wpa_auth, sm->group); 591 592 return sm; 593 } 594 595 596 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 597 struct wpa_state_machine *sm) 598 { 599 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 600 return -1; 601 602 #ifdef CONFIG_IEEE80211R 603 if (sm->ft_completed) { 604 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 605 "FT authentication already completed - do not " 606 "start 4-way handshake"); 607 /* Go to PTKINITDONE state to allow GTK rekeying */ 608 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 609 return 0; 610 } 611 #endif /* CONFIG_IEEE80211R */ 612 613 if (sm->started) { 614 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 615 sm->ReAuthenticationRequest = TRUE; 616 return wpa_sm_step(sm); 617 } 618 619 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 620 "start authentication"); 621 sm->started = 1; 622 623 sm->Init = TRUE; 624 if (wpa_sm_step(sm) == 1) 625 return 1; /* should not really happen */ 626 sm->Init = FALSE; 627 sm->AuthenticationRequest = TRUE; 628 return wpa_sm_step(sm); 629 } 630 631 632 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 633 { 634 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 635 * reassociates back to the same AP while the previous entry for the 636 * STA has not yet been removed. */ 637 if (sm == NULL) 638 return; 639 640 sm->wpa_key_mgmt = 0; 641 } 642 643 644 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 645 { 646 #ifdef CONFIG_P2P 647 if (WPA_GET_BE32(sm->ip_addr)) { 648 u32 start; 649 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 650 "address %u.%u.%u.%u from " MACSTR, 651 sm->ip_addr[0], sm->ip_addr[1], 652 sm->ip_addr[2], sm->ip_addr[3], 653 MAC2STR(sm->addr)); 654 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 655 bitfield_clear(sm->wpa_auth->ip_pool, 656 WPA_GET_BE32(sm->ip_addr) - start); 657 } 658 #endif /* CONFIG_P2P */ 659 if (sm->GUpdateStationKeys) { 660 sm->group->GKeyDoneStations--; 661 sm->GUpdateStationKeys = FALSE; 662 } 663 #ifdef CONFIG_IEEE80211R 664 os_free(sm->assoc_resp_ftie); 665 wpabuf_free(sm->ft_pending_req_ies); 666 #endif /* CONFIG_IEEE80211R */ 667 os_free(sm->last_rx_eapol_key); 668 os_free(sm->wpa_ie); 669 wpa_group_put(sm->wpa_auth, sm->group); 670 os_free(sm); 671 } 672 673 674 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 675 { 676 if (sm == NULL) 677 return; 678 679 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 680 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 681 "strict rekeying - force GTK rekey since STA " 682 "is leaving"); 683 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 684 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 685 NULL); 686 } 687 688 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 689 sm->pending_1_of_4_timeout = 0; 690 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 691 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 692 if (sm->in_step_loop) { 693 /* Must not free state machine while wpa_sm_step() is running. 694 * Freeing will be completed in the end of wpa_sm_step(). */ 695 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 696 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 697 sm->pending_deinit = 1; 698 } else 699 wpa_free_sta_sm(sm); 700 } 701 702 703 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 704 { 705 if (sm == NULL) 706 return; 707 708 sm->PTKRequest = TRUE; 709 sm->PTK_valid = 0; 710 } 711 712 713 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 714 const u8 *replay_counter) 715 { 716 int i; 717 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 718 if (!ctr[i].valid) 719 break; 720 if (os_memcmp(replay_counter, ctr[i].counter, 721 WPA_REPLAY_COUNTER_LEN) == 0) 722 return 1; 723 } 724 return 0; 725 } 726 727 728 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 729 const u8 *replay_counter) 730 { 731 int i; 732 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 733 if (ctr[i].valid && 734 (replay_counter == NULL || 735 os_memcmp(replay_counter, ctr[i].counter, 736 WPA_REPLAY_COUNTER_LEN) == 0)) 737 ctr[i].valid = FALSE; 738 } 739 } 740 741 742 #ifdef CONFIG_IEEE80211R 743 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 744 struct wpa_state_machine *sm, 745 struct wpa_eapol_ie_parse *kde) 746 { 747 struct wpa_ie_data ie; 748 struct rsn_mdie *mdie; 749 750 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 751 ie.num_pmkid != 1 || ie.pmkid == NULL) { 752 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 753 "FT 4-way handshake message 2/4"); 754 return -1; 755 } 756 757 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 758 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 759 sm->sup_pmk_r1_name, PMKID_LEN); 760 761 if (!kde->mdie || !kde->ftie) { 762 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 763 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 764 return -1; 765 } 766 767 mdie = (struct rsn_mdie *) (kde->mdie + 2); 768 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 769 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 770 MOBILITY_DOMAIN_ID_LEN) != 0) { 771 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 772 return -1; 773 } 774 775 if (sm->assoc_resp_ftie && 776 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 777 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 778 2 + sm->assoc_resp_ftie[1]) != 0)) { 779 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 780 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 781 kde->ftie, kde->ftie_len); 782 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 783 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 784 return -1; 785 } 786 787 return 0; 788 } 789 #endif /* CONFIG_IEEE80211R */ 790 791 792 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 793 struct wpa_state_machine *sm, int group) 794 { 795 /* Supplicant reported a Michael MIC error */ 796 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 797 "received EAPOL-Key Error Request " 798 "(STA detected Michael MIC failure (group=%d))", 799 group); 800 801 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 802 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 803 "ignore Michael MIC failure report since " 804 "group cipher is not TKIP"); 805 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 806 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 807 "ignore Michael MIC failure report since " 808 "pairwise cipher is not TKIP"); 809 } else { 810 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 811 return 1; /* STA entry was removed */ 812 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 813 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 814 } 815 816 /* 817 * Error report is not a request for a new key handshake, but since 818 * Authenticator may do it, let's change the keys now anyway. 819 */ 820 wpa_request_new_ptk(sm); 821 return 0; 822 } 823 824 825 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 826 size_t data_len) 827 { 828 struct wpa_ptk PTK; 829 int ok = 0; 830 const u8 *pmk = NULL; 831 unsigned int pmk_len; 832 833 for (;;) { 834 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 835 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 836 sm->p2p_dev_addr, pmk); 837 if (pmk == NULL) 838 break; 839 pmk_len = PMK_LEN; 840 } else { 841 pmk = sm->PMK; 842 pmk_len = sm->pmk_len; 843 } 844 845 wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK); 846 847 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len) 848 == 0) { 849 ok = 1; 850 break; 851 } 852 853 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 854 break; 855 } 856 857 if (!ok) { 858 wpa_printf(MSG_DEBUG, 859 "WPA: Earlier SNonce did not result in matching MIC"); 860 return -1; 861 } 862 863 wpa_printf(MSG_DEBUG, 864 "WPA: Earlier SNonce resulted in matching MIC"); 865 sm->alt_snonce_valid = 0; 866 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 867 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 868 sm->PTK_valid = TRUE; 869 870 return 0; 871 } 872 873 874 void wpa_receive(struct wpa_authenticator *wpa_auth, 875 struct wpa_state_machine *sm, 876 u8 *data, size_t data_len) 877 { 878 struct ieee802_1x_hdr *hdr; 879 struct wpa_eapol_key *key; 880 struct wpa_eapol_key_192 *key192; 881 u16 key_info, key_data_length; 882 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 883 SMK_M1, SMK_M3, SMK_ERROR } msg; 884 char *msgtxt; 885 struct wpa_eapol_ie_parse kde; 886 int ft; 887 const u8 *eapol_key_ie, *key_data; 888 size_t eapol_key_ie_len, keyhdrlen, mic_len; 889 890 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 891 return; 892 893 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 894 keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key); 895 896 if (data_len < sizeof(*hdr) + keyhdrlen) 897 return; 898 899 hdr = (struct ieee802_1x_hdr *) data; 900 key = (struct wpa_eapol_key *) (hdr + 1); 901 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 902 key_info = WPA_GET_BE16(key->key_info); 903 if (mic_len == 24) { 904 key_data = (const u8 *) (key192 + 1); 905 key_data_length = WPA_GET_BE16(key192->key_data_length); 906 } else { 907 key_data = (const u8 *) (key + 1); 908 key_data_length = WPA_GET_BE16(key->key_data_length); 909 } 910 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 911 " key_info=0x%x type=%u key_data_length=%u", 912 MAC2STR(sm->addr), key_info, key->type, key_data_length); 913 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 914 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 915 "key_data overflow (%d > %lu)", 916 key_data_length, 917 (unsigned long) (data_len - sizeof(*hdr) - 918 keyhdrlen)); 919 return; 920 } 921 922 if (sm->wpa == WPA_VERSION_WPA2) { 923 if (key->type == EAPOL_KEY_TYPE_WPA) { 924 /* 925 * Some deployed station implementations seem to send 926 * msg 4/4 with incorrect type value in WPA2 mode. 927 */ 928 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 929 "with unexpected WPA type in RSN mode"); 930 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 931 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 932 "unexpected type %d in RSN mode", 933 key->type); 934 return; 935 } 936 } else { 937 if (key->type != EAPOL_KEY_TYPE_WPA) { 938 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 939 "unexpected type %d in WPA mode", 940 key->type); 941 return; 942 } 943 } 944 945 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 946 WPA_NONCE_LEN); 947 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 948 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 949 950 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 951 * are set */ 952 953 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 954 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 955 if (key_info & WPA_KEY_INFO_ERROR) { 956 msg = SMK_ERROR; 957 msgtxt = "SMK Error"; 958 } else { 959 msg = SMK_M1; 960 msgtxt = "SMK M1"; 961 } 962 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 963 msg = SMK_M3; 964 msgtxt = "SMK M3"; 965 } else if (key_info & WPA_KEY_INFO_REQUEST) { 966 msg = REQUEST; 967 msgtxt = "Request"; 968 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 969 msg = GROUP_2; 970 msgtxt = "2/2 Group"; 971 } else if (key_data_length == 0) { 972 msg = PAIRWISE_4; 973 msgtxt = "4/4 Pairwise"; 974 } else { 975 msg = PAIRWISE_2; 976 msgtxt = "2/4 Pairwise"; 977 } 978 979 /* TODO: key_info type validation for PeerKey */ 980 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 981 msg == GROUP_2) { 982 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 983 if (sm->pairwise == WPA_CIPHER_CCMP || 984 sm->pairwise == WPA_CIPHER_GCMP) { 985 if (wpa_use_aes_cmac(sm) && 986 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN && 987 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 988 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 989 wpa_auth_logger(wpa_auth, sm->addr, 990 LOGGER_WARNING, 991 "advertised support for " 992 "AES-128-CMAC, but did not " 993 "use it"); 994 return; 995 } 996 997 if (!wpa_use_aes_cmac(sm) && 998 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 999 wpa_auth_logger(wpa_auth, sm->addr, 1000 LOGGER_WARNING, 1001 "did not use HMAC-SHA1-AES " 1002 "with CCMP/GCMP"); 1003 return; 1004 } 1005 } 1006 1007 if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 1008 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1009 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1010 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1011 return; 1012 } 1013 } 1014 1015 if (key_info & WPA_KEY_INFO_REQUEST) { 1016 if (sm->req_replay_counter_used && 1017 os_memcmp(key->replay_counter, sm->req_replay_counter, 1018 WPA_REPLAY_COUNTER_LEN) <= 0) { 1019 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1020 "received EAPOL-Key request with " 1021 "replayed counter"); 1022 return; 1023 } 1024 } 1025 1026 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1027 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1028 int i; 1029 1030 if (msg == PAIRWISE_2 && 1031 wpa_replay_counter_valid(sm->prev_key_replay, 1032 key->replay_counter) && 1033 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1034 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1035 { 1036 /* 1037 * Some supplicant implementations (e.g., Windows XP 1038 * WZC) update SNonce for each EAPOL-Key 2/4. This 1039 * breaks the workaround on accepting any of the 1040 * pending requests, so allow the SNonce to be updated 1041 * even if we have already sent out EAPOL-Key 3/4. 1042 */ 1043 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1044 "Process SNonce update from STA " 1045 "based on retransmitted EAPOL-Key " 1046 "1/4"); 1047 sm->update_snonce = 1; 1048 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1049 sm->alt_snonce_valid = TRUE; 1050 os_memcpy(sm->alt_replay_counter, 1051 sm->key_replay[0].counter, 1052 WPA_REPLAY_COUNTER_LEN); 1053 goto continue_processing; 1054 } 1055 1056 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1057 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1058 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1059 WPA_REPLAY_COUNTER_LEN) == 0) { 1060 /* 1061 * Supplicant may still be using the old SNonce since 1062 * there was two EAPOL-Key 2/4 messages and they had 1063 * different SNonce values. 1064 */ 1065 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1066 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1067 goto continue_processing; 1068 } 1069 1070 if (msg == PAIRWISE_2 && 1071 wpa_replay_counter_valid(sm->prev_key_replay, 1072 key->replay_counter) && 1073 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1074 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1075 "ignore retransmitted EAPOL-Key %s - " 1076 "SNonce did not change", msgtxt); 1077 } else { 1078 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1079 "received EAPOL-Key %s with " 1080 "unexpected replay counter", msgtxt); 1081 } 1082 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1083 if (!sm->key_replay[i].valid) 1084 break; 1085 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1086 sm->key_replay[i].counter, 1087 WPA_REPLAY_COUNTER_LEN); 1088 } 1089 wpa_hexdump(MSG_DEBUG, "received replay counter", 1090 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1091 return; 1092 } 1093 1094 continue_processing: 1095 switch (msg) { 1096 case PAIRWISE_2: 1097 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1098 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1099 (!sm->update_snonce || 1100 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1101 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1102 "received EAPOL-Key msg 2/4 in " 1103 "invalid state (%d) - dropped", 1104 sm->wpa_ptk_state); 1105 return; 1106 } 1107 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1108 if (sm->group->reject_4way_hs_for_entropy) { 1109 /* 1110 * The system did not have enough entropy to generate 1111 * strong random numbers. Reject the first 4-way 1112 * handshake(s) and collect some entropy based on the 1113 * information from it. Once enough entropy is 1114 * available, the next atempt will trigger GMK/Key 1115 * Counter update and the station will be allowed to 1116 * continue. 1117 */ 1118 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1119 "collect more entropy for random number " 1120 "generation"); 1121 random_mark_pool_ready(); 1122 wpa_sta_disconnect(wpa_auth, sm->addr); 1123 return; 1124 } 1125 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 1126 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1127 "received EAPOL-Key msg 2/4 with " 1128 "invalid Key Data contents"); 1129 return; 1130 } 1131 if (kde.rsn_ie) { 1132 eapol_key_ie = kde.rsn_ie; 1133 eapol_key_ie_len = kde.rsn_ie_len; 1134 } else if (kde.osen) { 1135 eapol_key_ie = kde.osen; 1136 eapol_key_ie_len = kde.osen_len; 1137 } else { 1138 eapol_key_ie = kde.wpa_ie; 1139 eapol_key_ie_len = kde.wpa_ie_len; 1140 } 1141 ft = sm->wpa == WPA_VERSION_WPA2 && 1142 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 1143 if (sm->wpa_ie == NULL || 1144 wpa_compare_rsn_ie(ft, 1145 sm->wpa_ie, sm->wpa_ie_len, 1146 eapol_key_ie, eapol_key_ie_len)) { 1147 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1148 "WPA IE from (Re)AssocReq did not " 1149 "match with msg 2/4"); 1150 if (sm->wpa_ie) { 1151 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 1152 sm->wpa_ie, sm->wpa_ie_len); 1153 } 1154 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 1155 eapol_key_ie, eapol_key_ie_len); 1156 /* MLME-DEAUTHENTICATE.request */ 1157 wpa_sta_disconnect(wpa_auth, sm->addr); 1158 return; 1159 } 1160 #ifdef CONFIG_IEEE80211R 1161 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 1162 wpa_sta_disconnect(wpa_auth, sm->addr); 1163 return; 1164 } 1165 #endif /* CONFIG_IEEE80211R */ 1166 #ifdef CONFIG_P2P 1167 if (kde.ip_addr_req && kde.ip_addr_req[0] && 1168 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 1169 int idx; 1170 wpa_printf(MSG_DEBUG, "P2P: IP address requested in " 1171 "EAPOL-Key exchange"); 1172 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 1173 if (idx >= 0) { 1174 u32 start = WPA_GET_BE32(wpa_auth->conf. 1175 ip_addr_start); 1176 bitfield_set(wpa_auth->ip_pool, idx); 1177 WPA_PUT_BE32(sm->ip_addr, start + idx); 1178 wpa_printf(MSG_DEBUG, "P2P: Assigned IP " 1179 "address %u.%u.%u.%u to " MACSTR, 1180 sm->ip_addr[0], sm->ip_addr[1], 1181 sm->ip_addr[2], sm->ip_addr[3], 1182 MAC2STR(sm->addr)); 1183 } 1184 } 1185 #endif /* CONFIG_P2P */ 1186 break; 1187 case PAIRWISE_4: 1188 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1189 !sm->PTK_valid) { 1190 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1191 "received EAPOL-Key msg 4/4 in " 1192 "invalid state (%d) - dropped", 1193 sm->wpa_ptk_state); 1194 return; 1195 } 1196 break; 1197 case GROUP_2: 1198 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1199 || !sm->PTK_valid) { 1200 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1201 "received EAPOL-Key msg 2/2 in " 1202 "invalid state (%d) - dropped", 1203 sm->wpa_ptk_group_state); 1204 return; 1205 } 1206 break; 1207 #ifdef CONFIG_PEERKEY 1208 case SMK_M1: 1209 case SMK_M3: 1210 case SMK_ERROR: 1211 if (!wpa_auth->conf.peerkey) { 1212 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1213 "PeerKey use disabled - ignoring message"); 1214 return; 1215 } 1216 if (!sm->PTK_valid) { 1217 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1218 "received EAPOL-Key msg SMK in " 1219 "invalid state - dropped"); 1220 return; 1221 } 1222 break; 1223 #else /* CONFIG_PEERKEY */ 1224 case SMK_M1: 1225 case SMK_M3: 1226 case SMK_ERROR: 1227 return; /* STSL disabled - ignore SMK messages */ 1228 #endif /* CONFIG_PEERKEY */ 1229 case REQUEST: 1230 break; 1231 } 1232 1233 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1234 "received EAPOL-Key frame (%s)", msgtxt); 1235 1236 if (key_info & WPA_KEY_INFO_ACK) { 1237 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1238 "received invalid EAPOL-Key: Key Ack set"); 1239 return; 1240 } 1241 1242 if (!(key_info & WPA_KEY_INFO_MIC)) { 1243 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1244 "received invalid EAPOL-Key: Key MIC not set"); 1245 return; 1246 } 1247 1248 sm->MICVerified = FALSE; 1249 if (sm->PTK_valid && !sm->update_snonce) { 1250 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data, 1251 data_len) && 1252 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1253 wpa_try_alt_snonce(sm, data, data_len))) { 1254 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1255 "received EAPOL-Key with invalid MIC"); 1256 return; 1257 } 1258 sm->MICVerified = TRUE; 1259 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1260 sm->pending_1_of_4_timeout = 0; 1261 } 1262 1263 if (key_info & WPA_KEY_INFO_REQUEST) { 1264 if (sm->MICVerified) { 1265 sm->req_replay_counter_used = 1; 1266 os_memcpy(sm->req_replay_counter, key->replay_counter, 1267 WPA_REPLAY_COUNTER_LEN); 1268 } else { 1269 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1270 "received EAPOL-Key request with " 1271 "invalid MIC"); 1272 return; 1273 } 1274 1275 /* 1276 * TODO: should decrypt key data field if encryption was used; 1277 * even though MAC address KDE is not normally encrypted, 1278 * supplicant is allowed to encrypt it. 1279 */ 1280 if (msg == SMK_ERROR) { 1281 #ifdef CONFIG_PEERKEY 1282 wpa_smk_error(wpa_auth, sm, key_data, key_data_length); 1283 #endif /* CONFIG_PEERKEY */ 1284 return; 1285 } else if (key_info & WPA_KEY_INFO_ERROR) { 1286 if (wpa_receive_error_report( 1287 wpa_auth, sm, 1288 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1289 return; /* STA entry was removed */ 1290 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1291 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1292 "received EAPOL-Key Request for new " 1293 "4-Way Handshake"); 1294 wpa_request_new_ptk(sm); 1295 #ifdef CONFIG_PEERKEY 1296 } else if (msg == SMK_M1) { 1297 wpa_smk_m1(wpa_auth, sm, key, key_data, 1298 key_data_length); 1299 #endif /* CONFIG_PEERKEY */ 1300 } else if (key_data_length > 0 && 1301 wpa_parse_kde_ies(key_data, key_data_length, 1302 &kde) == 0 && 1303 kde.mac_addr) { 1304 } else { 1305 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1306 "received EAPOL-Key Request for GTK " 1307 "rekeying"); 1308 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1309 wpa_rekey_gtk(wpa_auth, NULL); 1310 } 1311 } else { 1312 /* Do not allow the same key replay counter to be reused. */ 1313 wpa_replay_counter_mark_invalid(sm->key_replay, 1314 key->replay_counter); 1315 1316 if (msg == PAIRWISE_2) { 1317 /* 1318 * Maintain a copy of the pending EAPOL-Key frames in 1319 * case the EAPOL-Key frame was retransmitted. This is 1320 * needed to allow EAPOL-Key msg 2/4 reply to another 1321 * pending msg 1/4 to update the SNonce to work around 1322 * unexpected supplicant behavior. 1323 */ 1324 os_memcpy(sm->prev_key_replay, sm->key_replay, 1325 sizeof(sm->key_replay)); 1326 } else { 1327 os_memset(sm->prev_key_replay, 0, 1328 sizeof(sm->prev_key_replay)); 1329 } 1330 1331 /* 1332 * Make sure old valid counters are not accepted anymore and 1333 * do not get copied again. 1334 */ 1335 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1336 } 1337 1338 #ifdef CONFIG_PEERKEY 1339 if (msg == SMK_M3) { 1340 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length); 1341 return; 1342 } 1343 #endif /* CONFIG_PEERKEY */ 1344 1345 os_free(sm->last_rx_eapol_key); 1346 sm->last_rx_eapol_key = os_malloc(data_len); 1347 if (sm->last_rx_eapol_key == NULL) 1348 return; 1349 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1350 sm->last_rx_eapol_key_len = data_len; 1351 1352 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1353 sm->EAPOLKeyReceived = TRUE; 1354 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1355 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1356 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1357 wpa_sm_step(sm); 1358 } 1359 1360 1361 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1362 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1363 { 1364 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1365 u8 *pos; 1366 int ret = 0; 1367 1368 /* GTK = PRF-X(GMK, "Group key expansion", 1369 * AA || GNonce || Time || random data) 1370 * The example described in the IEEE 802.11 standard uses only AA and 1371 * GNonce as inputs here. Add some more entropy since this derivation 1372 * is done only at the Authenticator and as such, does not need to be 1373 * exactly same. 1374 */ 1375 os_memcpy(data, addr, ETH_ALEN); 1376 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1377 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1378 wpa_get_ntp_timestamp(pos); 1379 pos += 8; 1380 if (random_get_bytes(pos, 16) < 0) 1381 ret = -1; 1382 1383 #ifdef CONFIG_IEEE80211W 1384 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1385 #else /* CONFIG_IEEE80211W */ 1386 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1387 < 0) 1388 ret = -1; 1389 #endif /* CONFIG_IEEE80211W */ 1390 1391 return ret; 1392 } 1393 1394 1395 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1396 { 1397 struct wpa_authenticator *wpa_auth = eloop_ctx; 1398 struct wpa_state_machine *sm = timeout_ctx; 1399 1400 sm->pending_1_of_4_timeout = 0; 1401 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1402 sm->TimeoutEvt = TRUE; 1403 wpa_sm_step(sm); 1404 } 1405 1406 1407 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1408 struct wpa_state_machine *sm, int key_info, 1409 const u8 *key_rsc, const u8 *nonce, 1410 const u8 *kde, size_t kde_len, 1411 int keyidx, int encr, int force_version) 1412 { 1413 struct ieee802_1x_hdr *hdr; 1414 struct wpa_eapol_key *key; 1415 struct wpa_eapol_key_192 *key192; 1416 size_t len, mic_len, keyhdrlen; 1417 int alg; 1418 int key_data_len, pad_len = 0; 1419 u8 *buf, *pos; 1420 int version, pairwise; 1421 int i; 1422 u8 *key_data; 1423 1424 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 1425 keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key); 1426 1427 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1428 1429 if (force_version) 1430 version = force_version; 1431 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1432 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) 1433 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1434 else if (wpa_use_aes_cmac(sm)) 1435 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1436 else if (sm->pairwise != WPA_CIPHER_TKIP) 1437 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1438 else 1439 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1440 1441 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1442 1443 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1444 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1445 "encr=%d)", 1446 version, 1447 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1448 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1449 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1450 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1451 pairwise, (unsigned long) kde_len, keyidx, encr); 1452 1453 key_data_len = kde_len; 1454 1455 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1456 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1457 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1458 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1459 pad_len = key_data_len % 8; 1460 if (pad_len) 1461 pad_len = 8 - pad_len; 1462 key_data_len += pad_len + 8; 1463 } 1464 1465 len += key_data_len; 1466 1467 hdr = os_zalloc(len); 1468 if (hdr == NULL) 1469 return; 1470 hdr->version = wpa_auth->conf.eapol_version; 1471 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1472 hdr->length = host_to_be16(len - sizeof(*hdr)); 1473 key = (struct wpa_eapol_key *) (hdr + 1); 1474 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 1475 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1476 1477 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1478 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1479 key_info |= version; 1480 if (encr && sm->wpa == WPA_VERSION_WPA2) 1481 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1482 if (sm->wpa != WPA_VERSION_WPA2) 1483 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1484 WPA_PUT_BE16(key->key_info, key_info); 1485 1486 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1487 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1488 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1489 WPA_PUT_BE16(key->key_length, 0); 1490 1491 /* FIX: STSL: what to use as key_replay_counter? */ 1492 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1493 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1494 os_memcpy(sm->key_replay[i].counter, 1495 sm->key_replay[i - 1].counter, 1496 WPA_REPLAY_COUNTER_LEN); 1497 } 1498 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1499 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1500 WPA_REPLAY_COUNTER_LEN); 1501 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1502 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1503 sm->key_replay[0].valid = TRUE; 1504 1505 if (nonce) 1506 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1507 1508 if (key_rsc) 1509 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1510 1511 if (kde && !encr) { 1512 os_memcpy(key_data, kde, kde_len); 1513 if (mic_len == 24) 1514 WPA_PUT_BE16(key192->key_data_length, kde_len); 1515 else 1516 WPA_PUT_BE16(key->key_data_length, kde_len); 1517 } else if (encr && kde) { 1518 buf = os_zalloc(key_data_len); 1519 if (buf == NULL) { 1520 os_free(hdr); 1521 return; 1522 } 1523 pos = buf; 1524 os_memcpy(pos, kde, kde_len); 1525 pos += kde_len; 1526 1527 if (pad_len) 1528 *pos++ = 0xdd; 1529 1530 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1531 buf, key_data_len); 1532 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1533 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1534 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1535 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1536 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1537 (key_data_len - 8) / 8, buf, key_data)) { 1538 os_free(hdr); 1539 os_free(buf); 1540 return; 1541 } 1542 if (mic_len == 24) 1543 WPA_PUT_BE16(key192->key_data_length, 1544 key_data_len); 1545 else 1546 WPA_PUT_BE16(key->key_data_length, 1547 key_data_len); 1548 #ifndef CONFIG_NO_RC4 1549 } else if (sm->PTK.kek_len == 16) { 1550 u8 ek[32]; 1551 os_memcpy(key->key_iv, 1552 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1553 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1554 os_memcpy(ek, key->key_iv, 16); 1555 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1556 os_memcpy(key_data, buf, key_data_len); 1557 rc4_skip(ek, 32, 256, key_data, key_data_len); 1558 if (mic_len == 24) 1559 WPA_PUT_BE16(key192->key_data_length, 1560 key_data_len); 1561 else 1562 WPA_PUT_BE16(key->key_data_length, 1563 key_data_len); 1564 #endif /* CONFIG_NO_RC4 */ 1565 } else { 1566 os_free(hdr); 1567 os_free(buf); 1568 return; 1569 } 1570 os_free(buf); 1571 } 1572 1573 if (key_info & WPA_KEY_INFO_MIC) { 1574 u8 *key_mic; 1575 1576 if (!sm->PTK_valid) { 1577 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1578 "PTK not valid when sending EAPOL-Key " 1579 "frame"); 1580 os_free(hdr); 1581 return; 1582 } 1583 1584 key_mic = key192->key_mic; /* same offset for key and key192 */ 1585 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1586 sm->wpa_key_mgmt, version, 1587 (u8 *) hdr, len, key_mic); 1588 #ifdef CONFIG_TESTING_OPTIONS 1589 if (!pairwise && 1590 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1591 drand48() < 1592 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1593 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1594 "Corrupting group EAPOL-Key Key MIC"); 1595 key_mic[0]++; 1596 } 1597 #endif /* CONFIG_TESTING_OPTIONS */ 1598 } 1599 1600 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1601 1); 1602 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1603 sm->pairwise_set); 1604 os_free(hdr); 1605 } 1606 1607 1608 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1609 struct wpa_state_machine *sm, int key_info, 1610 const u8 *key_rsc, const u8 *nonce, 1611 const u8 *kde, size_t kde_len, 1612 int keyidx, int encr) 1613 { 1614 int timeout_ms; 1615 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1616 int ctr; 1617 1618 if (sm == NULL) 1619 return; 1620 1621 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1622 keyidx, encr, 0); 1623 1624 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1625 if (ctr == 1 && wpa_auth->conf.tx_status) 1626 timeout_ms = pairwise ? eapol_key_timeout_first : 1627 eapol_key_timeout_first_group; 1628 else 1629 timeout_ms = eapol_key_timeout_subseq; 1630 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1631 sm->pending_1_of_4_timeout = 1; 1632 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1633 "counter %d)", timeout_ms, ctr); 1634 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1635 wpa_send_eapol_timeout, wpa_auth, sm); 1636 } 1637 1638 1639 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 1640 size_t data_len) 1641 { 1642 struct ieee802_1x_hdr *hdr; 1643 struct wpa_eapol_key *key; 1644 struct wpa_eapol_key_192 *key192; 1645 u16 key_info; 1646 int ret = 0; 1647 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 1648 size_t mic_len = wpa_mic_len(akmp); 1649 1650 if (data_len < sizeof(*hdr) + sizeof(*key)) 1651 return -1; 1652 1653 hdr = (struct ieee802_1x_hdr *) data; 1654 key = (struct wpa_eapol_key *) (hdr + 1); 1655 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 1656 key_info = WPA_GET_BE16(key->key_info); 1657 os_memcpy(mic, key192->key_mic, mic_len); 1658 os_memset(key192->key_mic, 0, mic_len); 1659 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1660 key_info & WPA_KEY_INFO_TYPE_MASK, 1661 data, data_len, key192->key_mic) || 1662 os_memcmp_const(mic, key192->key_mic, mic_len) != 0) 1663 ret = -1; 1664 os_memcpy(key192->key_mic, mic, mic_len); 1665 return ret; 1666 } 1667 1668 1669 void wpa_remove_ptk(struct wpa_state_machine *sm) 1670 { 1671 sm->PTK_valid = FALSE; 1672 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1673 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1674 sm->pairwise_set = FALSE; 1675 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1676 } 1677 1678 1679 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1680 { 1681 int remove_ptk = 1; 1682 1683 if (sm == NULL) 1684 return -1; 1685 1686 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1687 "event %d notification", event); 1688 1689 switch (event) { 1690 case WPA_AUTH: 1691 #ifdef CONFIG_MESH 1692 /* PTKs are derived through AMPE */ 1693 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1694 /* not mesh */ 1695 break; 1696 } 1697 return 0; 1698 #endif /* CONFIG_MESH */ 1699 case WPA_ASSOC: 1700 break; 1701 case WPA_DEAUTH: 1702 case WPA_DISASSOC: 1703 sm->DeauthenticationRequest = TRUE; 1704 break; 1705 case WPA_REAUTH: 1706 case WPA_REAUTH_EAPOL: 1707 if (!sm->started) { 1708 /* 1709 * When using WPS, we may end up here if the STA 1710 * manages to re-associate without the previous STA 1711 * entry getting removed. Consequently, we need to make 1712 * sure that the WPA state machines gets initialized 1713 * properly at this point. 1714 */ 1715 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1716 "started - initialize now"); 1717 sm->started = 1; 1718 sm->Init = TRUE; 1719 if (wpa_sm_step(sm) == 1) 1720 return 1; /* should not really happen */ 1721 sm->Init = FALSE; 1722 sm->AuthenticationRequest = TRUE; 1723 break; 1724 } 1725 if (sm->GUpdateStationKeys) { 1726 /* 1727 * Reauthentication cancels the pending group key 1728 * update for this STA. 1729 */ 1730 sm->group->GKeyDoneStations--; 1731 sm->GUpdateStationKeys = FALSE; 1732 sm->PtkGroupInit = TRUE; 1733 } 1734 sm->ReAuthenticationRequest = TRUE; 1735 break; 1736 case WPA_ASSOC_FT: 1737 #ifdef CONFIG_IEEE80211R 1738 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1739 "after association"); 1740 wpa_ft_install_ptk(sm); 1741 1742 /* Using FT protocol, not WPA auth state machine */ 1743 sm->ft_completed = 1; 1744 return 0; 1745 #else /* CONFIG_IEEE80211R */ 1746 break; 1747 #endif /* CONFIG_IEEE80211R */ 1748 } 1749 1750 #ifdef CONFIG_IEEE80211R 1751 sm->ft_completed = 0; 1752 #endif /* CONFIG_IEEE80211R */ 1753 1754 #ifdef CONFIG_IEEE80211W 1755 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1756 remove_ptk = 0; 1757 #endif /* CONFIG_IEEE80211W */ 1758 1759 if (remove_ptk) { 1760 sm->PTK_valid = FALSE; 1761 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1762 1763 if (event != WPA_REAUTH_EAPOL) 1764 wpa_remove_ptk(sm); 1765 } 1766 1767 if (sm->in_step_loop) { 1768 /* 1769 * wpa_sm_step() is already running - avoid recursive call to 1770 * it by making the existing loop process the new update. 1771 */ 1772 sm->changed = TRUE; 1773 return 0; 1774 } 1775 return wpa_sm_step(sm); 1776 } 1777 1778 1779 SM_STATE(WPA_PTK, INITIALIZE) 1780 { 1781 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1782 if (sm->Init) { 1783 /* Init flag is not cleared here, so avoid busy 1784 * loop by claiming nothing changed. */ 1785 sm->changed = FALSE; 1786 } 1787 1788 sm->keycount = 0; 1789 if (sm->GUpdateStationKeys) 1790 sm->group->GKeyDoneStations--; 1791 sm->GUpdateStationKeys = FALSE; 1792 if (sm->wpa == WPA_VERSION_WPA) 1793 sm->PInitAKeys = FALSE; 1794 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1795 * Local AA > Remote AA)) */) { 1796 sm->Pair = TRUE; 1797 } 1798 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1799 wpa_remove_ptk(sm); 1800 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1801 sm->TimeoutCtr = 0; 1802 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1803 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1804 WPA_EAPOL_authorized, 0); 1805 } 1806 } 1807 1808 1809 SM_STATE(WPA_PTK, DISCONNECT) 1810 { 1811 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1812 sm->Disconnect = FALSE; 1813 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1814 } 1815 1816 1817 SM_STATE(WPA_PTK, DISCONNECTED) 1818 { 1819 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1820 sm->DeauthenticationRequest = FALSE; 1821 } 1822 1823 1824 SM_STATE(WPA_PTK, AUTHENTICATION) 1825 { 1826 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1827 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1828 sm->PTK_valid = FALSE; 1829 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1830 1); 1831 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1832 sm->AuthenticationRequest = FALSE; 1833 } 1834 1835 1836 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1837 struct wpa_group *group) 1838 { 1839 if (group->first_sta_seen) 1840 return; 1841 /* 1842 * System has run bit further than at the time hostapd was started 1843 * potentially very early during boot up. This provides better chances 1844 * of collecting more randomness on embedded systems. Re-initialize the 1845 * GMK and Counter here to improve their strength if there was not 1846 * enough entropy available immediately after system startup. 1847 */ 1848 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1849 "station"); 1850 if (random_pool_ready() != 1) { 1851 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1852 "to proceed - reject first 4-way handshake"); 1853 group->reject_4way_hs_for_entropy = TRUE; 1854 } else { 1855 group->first_sta_seen = TRUE; 1856 group->reject_4way_hs_for_entropy = FALSE; 1857 } 1858 1859 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1860 wpa_gtk_update(wpa_auth, group) < 0 || 1861 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1862 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1863 group->first_sta_seen = FALSE; 1864 group->reject_4way_hs_for_entropy = TRUE; 1865 } 1866 } 1867 1868 1869 SM_STATE(WPA_PTK, AUTHENTICATION2) 1870 { 1871 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1872 1873 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1874 sm->ReAuthenticationRequest = FALSE; 1875 1876 /* 1877 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1878 * ambiguous. The Authenticator state machine uses a counter that is 1879 * incremented by one for each 4-way handshake. However, the security 1880 * analysis of 4-way handshake points out that unpredictable nonces 1881 * help in preventing precomputation attacks. Instead of the state 1882 * machine definition, use an unpredictable nonce value here to provide 1883 * stronger protection against potential precomputation attacks. 1884 */ 1885 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1886 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1887 "ANonce."); 1888 sm->Disconnect = TRUE; 1889 return; 1890 } 1891 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1892 WPA_NONCE_LEN); 1893 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1894 * logical place than INITIALIZE since AUTHENTICATION2 can be 1895 * re-entered on ReAuthenticationRequest without going through 1896 * INITIALIZE. */ 1897 sm->TimeoutCtr = 0; 1898 } 1899 1900 1901 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1902 { 1903 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1904 wpa_printf(MSG_ERROR, 1905 "WPA: Failed to get random data for ANonce"); 1906 sm->Disconnect = TRUE; 1907 return -1; 1908 } 1909 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1910 WPA_NONCE_LEN); 1911 sm->TimeoutCtr = 0; 1912 return 0; 1913 } 1914 1915 1916 SM_STATE(WPA_PTK, INITPMK) 1917 { 1918 u8 msk[2 * PMK_LEN]; 1919 size_t len = 2 * PMK_LEN; 1920 1921 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1922 #ifdef CONFIG_IEEE80211R 1923 sm->xxkey_len = 0; 1924 #endif /* CONFIG_IEEE80211R */ 1925 if (sm->pmksa) { 1926 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1927 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1928 sm->pmk_len = sm->pmksa->pmk_len; 1929 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1930 unsigned int pmk_len; 1931 1932 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 1933 pmk_len = PMK_LEN_SUITE_B_192; 1934 else 1935 pmk_len = PMK_LEN; 1936 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1937 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 1938 pmk_len); 1939 if (len < pmk_len) { 1940 wpa_printf(MSG_DEBUG, 1941 "WPA: MSK not long enough (%u) to create PMK (%u)", 1942 (unsigned int) len, (unsigned int) pmk_len); 1943 sm->Disconnect = TRUE; 1944 return; 1945 } 1946 os_memcpy(sm->PMK, msk, pmk_len); 1947 sm->pmk_len = pmk_len; 1948 #ifdef CONFIG_IEEE80211R 1949 if (len >= 2 * PMK_LEN) { 1950 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1951 sm->xxkey_len = PMK_LEN; 1952 } 1953 #endif /* CONFIG_IEEE80211R */ 1954 } else { 1955 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 1956 sm->wpa_auth->cb.get_msk); 1957 sm->Disconnect = TRUE; 1958 return; 1959 } 1960 os_memset(msk, 0, sizeof(msk)); 1961 1962 sm->req_replay_counter_used = 0; 1963 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1964 * will break reauthentication since EAPOL state machines may not be 1965 * get into AUTHENTICATING state that clears keyRun before WPA state 1966 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1967 * state and takes PMK from the previously used AAA Key. This will 1968 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1969 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1970 * be good workaround for this issue. */ 1971 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1972 } 1973 1974 1975 SM_STATE(WPA_PTK, INITPSK) 1976 { 1977 const u8 *psk; 1978 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1979 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1980 if (psk) { 1981 os_memcpy(sm->PMK, psk, PMK_LEN); 1982 sm->pmk_len = PMK_LEN; 1983 #ifdef CONFIG_IEEE80211R 1984 os_memcpy(sm->xxkey, psk, PMK_LEN); 1985 sm->xxkey_len = PMK_LEN; 1986 #endif /* CONFIG_IEEE80211R */ 1987 } 1988 sm->req_replay_counter_used = 0; 1989 } 1990 1991 1992 SM_STATE(WPA_PTK, PTKSTART) 1993 { 1994 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1995 size_t pmkid_len = 0; 1996 1997 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1998 sm->PTKRequest = FALSE; 1999 sm->TimeoutEvt = FALSE; 2000 sm->alt_snonce_valid = FALSE; 2001 2002 sm->TimeoutCtr++; 2003 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 2004 /* No point in sending the EAPOL-Key - we will disconnect 2005 * immediately following this. */ 2006 return; 2007 } 2008 2009 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2010 "sending 1/4 msg of 4-Way Handshake"); 2011 /* 2012 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 2013 * one possible PSK for this STA. 2014 */ 2015 if (sm->wpa == WPA_VERSION_WPA2 && 2016 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2017 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2018 pmkid = buf; 2019 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2020 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2021 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2022 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2023 if (sm->pmksa) { 2024 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2025 sm->pmksa->pmkid, PMKID_LEN); 2026 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2027 /* No KCK available to derive PMKID */ 2028 pmkid = NULL; 2029 } else { 2030 /* 2031 * Calculate PMKID since no PMKSA cache entry was 2032 * available with pre-calculated PMKID. 2033 */ 2034 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2035 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2036 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 2037 } 2038 } 2039 wpa_send_eapol(sm->wpa_auth, sm, 2040 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2041 sm->ANonce, pmkid, pmkid_len, 0, 0); 2042 } 2043 2044 2045 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2046 const u8 *pmk, unsigned int pmk_len, 2047 struct wpa_ptk *ptk) 2048 { 2049 #ifdef CONFIG_IEEE80211R 2050 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2051 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2052 #endif /* CONFIG_IEEE80211R */ 2053 2054 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2055 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2056 ptk, sm->wpa_key_mgmt, sm->pairwise); 2057 } 2058 2059 2060 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2061 { 2062 struct wpa_ptk PTK; 2063 int ok = 0, psk_found = 0; 2064 const u8 *pmk = NULL; 2065 unsigned int pmk_len; 2066 2067 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2068 sm->EAPOLKeyReceived = FALSE; 2069 sm->update_snonce = FALSE; 2070 2071 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2072 * WPA-PSK: iterate through possible PSKs and select the one matching 2073 * the packet */ 2074 for (;;) { 2075 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2076 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2077 sm->p2p_dev_addr, pmk); 2078 if (pmk == NULL) 2079 break; 2080 psk_found = 1; 2081 pmk_len = PMK_LEN; 2082 } else { 2083 pmk = sm->PMK; 2084 pmk_len = sm->pmk_len; 2085 } 2086 2087 wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK); 2088 2089 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, 2090 sm->last_rx_eapol_key, 2091 sm->last_rx_eapol_key_len) == 0) { 2092 ok = 1; 2093 break; 2094 } 2095 2096 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 2097 break; 2098 } 2099 2100 if (!ok) { 2101 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2102 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2103 if (psk_found) 2104 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2105 return; 2106 } 2107 2108 #ifdef CONFIG_IEEE80211R 2109 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2110 /* 2111 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2112 * with the value we derived. 2113 */ 2114 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2115 WPA_PMK_NAME_LEN) != 0) { 2116 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2117 "PMKR1Name mismatch in FT 4-way " 2118 "handshake"); 2119 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2120 "Supplicant", 2121 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2122 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2123 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2124 return; 2125 } 2126 } 2127 #endif /* CONFIG_IEEE80211R */ 2128 2129 sm->pending_1_of_4_timeout = 0; 2130 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2131 2132 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2133 /* PSK may have changed from the previous choice, so update 2134 * state machine data based on whatever PSK was selected here. 2135 */ 2136 os_memcpy(sm->PMK, pmk, PMK_LEN); 2137 sm->pmk_len = PMK_LEN; 2138 } 2139 2140 sm->MICVerified = TRUE; 2141 2142 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2143 sm->PTK_valid = TRUE; 2144 } 2145 2146 2147 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2148 { 2149 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2150 sm->TimeoutCtr = 0; 2151 } 2152 2153 2154 #ifdef CONFIG_IEEE80211W 2155 2156 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2157 { 2158 if (sm->mgmt_frame_prot) { 2159 size_t len; 2160 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2161 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2162 } 2163 2164 return 0; 2165 } 2166 2167 2168 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2169 { 2170 struct wpa_igtk_kde igtk; 2171 struct wpa_group *gsm = sm->group; 2172 u8 rsc[WPA_KEY_RSC_LEN]; 2173 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2174 2175 if (!sm->mgmt_frame_prot) 2176 return pos; 2177 2178 igtk.keyid[0] = gsm->GN_igtk; 2179 igtk.keyid[1] = 0; 2180 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2181 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2182 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2183 else 2184 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2185 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2186 if (sm->wpa_auth->conf.disable_gtk) { 2187 /* 2188 * Provide unique random IGTK to each STA to prevent use of 2189 * IGTK in the BSS. 2190 */ 2191 if (random_get_bytes(igtk.igtk, len) < 0) 2192 return pos; 2193 } 2194 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2195 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2196 NULL, 0); 2197 2198 return pos; 2199 } 2200 2201 #else /* CONFIG_IEEE80211W */ 2202 2203 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2204 { 2205 return 0; 2206 } 2207 2208 2209 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2210 { 2211 return pos; 2212 } 2213 2214 #endif /* CONFIG_IEEE80211W */ 2215 2216 2217 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2218 { 2219 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2220 size_t gtk_len, kde_len; 2221 struct wpa_group *gsm = sm->group; 2222 u8 *wpa_ie; 2223 int wpa_ie_len, secure, keyidx, encr = 0; 2224 2225 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2226 sm->TimeoutEvt = FALSE; 2227 2228 sm->TimeoutCtr++; 2229 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 2230 /* No point in sending the EAPOL-Key - we will disconnect 2231 * immediately following this. */ 2232 return; 2233 } 2234 2235 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2236 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2237 */ 2238 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2239 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2240 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2241 wpa_ie = sm->wpa_auth->wpa_ie; 2242 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2243 if (sm->wpa == WPA_VERSION_WPA && 2244 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2245 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2246 /* WPA-only STA, remove RSN IE and possible MDIE */ 2247 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2248 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2249 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2250 wpa_ie_len = wpa_ie[1] + 2; 2251 } 2252 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2253 "sending 3/4 msg of 4-Way Handshake"); 2254 if (sm->wpa == WPA_VERSION_WPA2) { 2255 /* WPA2 send GTK in the 4-way handshake */ 2256 secure = 1; 2257 gtk = gsm->GTK[gsm->GN - 1]; 2258 gtk_len = gsm->GTK_len; 2259 if (sm->wpa_auth->conf.disable_gtk) { 2260 /* 2261 * Provide unique random GTK to each STA to prevent use 2262 * of GTK in the BSS. 2263 */ 2264 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2265 return; 2266 gtk = dummy_gtk; 2267 } 2268 keyidx = gsm->GN; 2269 _rsc = rsc; 2270 encr = 1; 2271 } else { 2272 /* WPA does not include GTK in msg 3/4 */ 2273 secure = 0; 2274 gtk = NULL; 2275 gtk_len = 0; 2276 keyidx = 0; 2277 _rsc = NULL; 2278 if (sm->rx_eapol_key_secure) { 2279 /* 2280 * It looks like Windows 7 supplicant tries to use 2281 * Secure bit in msg 2/4 after having reported Michael 2282 * MIC failure and it then rejects the 4-way handshake 2283 * if msg 3/4 does not set Secure bit. Work around this 2284 * by setting the Secure bit here even in the case of 2285 * WPA if the supplicant used it first. 2286 */ 2287 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2288 "STA used Secure bit in WPA msg 2/4 - " 2289 "set Secure for 3/4 as workaround"); 2290 secure = 1; 2291 } 2292 } 2293 2294 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2295 if (gtk) 2296 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2297 #ifdef CONFIG_IEEE80211R 2298 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2299 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2300 kde_len += 300; /* FTIE + 2 * TIE */ 2301 } 2302 #endif /* CONFIG_IEEE80211R */ 2303 #ifdef CONFIG_P2P 2304 if (WPA_GET_BE32(sm->ip_addr) > 0) 2305 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2306 #endif /* CONFIG_P2P */ 2307 kde = os_malloc(kde_len); 2308 if (kde == NULL) 2309 return; 2310 2311 pos = kde; 2312 os_memcpy(pos, wpa_ie, wpa_ie_len); 2313 pos += wpa_ie_len; 2314 #ifdef CONFIG_IEEE80211R 2315 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2316 int res; 2317 size_t elen; 2318 2319 elen = pos - kde; 2320 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 2321 if (res < 0) { 2322 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2323 "PMKR1Name into RSN IE in EAPOL-Key data"); 2324 os_free(kde); 2325 return; 2326 } 2327 pos -= wpa_ie_len; 2328 pos += elen; 2329 } 2330 #endif /* CONFIG_IEEE80211R */ 2331 if (gtk) { 2332 u8 hdr[2]; 2333 hdr[0] = keyidx & 0x03; 2334 hdr[1] = 0; 2335 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2336 gtk, gtk_len); 2337 } 2338 pos = ieee80211w_kde_add(sm, pos); 2339 2340 #ifdef CONFIG_IEEE80211R 2341 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2342 int res; 2343 struct wpa_auth_config *conf; 2344 2345 conf = &sm->wpa_auth->conf; 2346 if (sm->assoc_resp_ftie && 2347 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 2348 os_memcpy(pos, sm->assoc_resp_ftie, 2349 2 + sm->assoc_resp_ftie[1]); 2350 res = 2 + sm->assoc_resp_ftie[1]; 2351 } else { 2352 res = wpa_write_ftie(conf, conf->r0_key_holder, 2353 conf->r0_key_holder_len, 2354 NULL, NULL, pos, 2355 kde + kde_len - pos, 2356 NULL, 0); 2357 } 2358 if (res < 0) { 2359 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2360 "into EAPOL-Key Key Data"); 2361 os_free(kde); 2362 return; 2363 } 2364 pos += res; 2365 2366 /* TIE[ReassociationDeadline] (TU) */ 2367 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2368 *pos++ = 5; 2369 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2370 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2371 pos += 4; 2372 2373 /* TIE[KeyLifetime] (seconds) */ 2374 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2375 *pos++ = 5; 2376 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2377 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2378 pos += 4; 2379 } 2380 #endif /* CONFIG_IEEE80211R */ 2381 #ifdef CONFIG_P2P 2382 if (WPA_GET_BE32(sm->ip_addr) > 0) { 2383 u8 addr[3 * 4]; 2384 os_memcpy(addr, sm->ip_addr, 4); 2385 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 2386 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 2387 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 2388 addr, sizeof(addr), NULL, 0); 2389 } 2390 #endif /* CONFIG_P2P */ 2391 2392 wpa_send_eapol(sm->wpa_auth, sm, 2393 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2394 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2395 WPA_KEY_INFO_KEY_TYPE, 2396 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2397 os_free(kde); 2398 } 2399 2400 2401 SM_STATE(WPA_PTK, PTKINITDONE) 2402 { 2403 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2404 sm->EAPOLKeyReceived = FALSE; 2405 if (sm->Pair) { 2406 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2407 int klen = wpa_cipher_key_len(sm->pairwise); 2408 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2409 sm->PTK.tk, klen)) { 2410 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2411 return; 2412 } 2413 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2414 sm->pairwise_set = TRUE; 2415 2416 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2417 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2418 eloop_register_timeout(sm->wpa_auth->conf. 2419 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2420 sm->wpa_auth, sm); 2421 } 2422 2423 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2424 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2425 WPA_EAPOL_authorized, 1); 2426 } 2427 } 2428 2429 if (0 /* IBSS == TRUE */) { 2430 sm->keycount++; 2431 if (sm->keycount == 2) { 2432 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2433 WPA_EAPOL_portValid, 1); 2434 } 2435 } else { 2436 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2437 1); 2438 } 2439 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2440 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2441 if (sm->wpa == WPA_VERSION_WPA) 2442 sm->PInitAKeys = TRUE; 2443 else 2444 sm->has_GTK = TRUE; 2445 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2446 "pairwise key handshake completed (%s)", 2447 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2448 2449 #ifdef CONFIG_IEEE80211R 2450 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2451 #endif /* CONFIG_IEEE80211R */ 2452 } 2453 2454 2455 SM_STEP(WPA_PTK) 2456 { 2457 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2458 2459 if (sm->Init) 2460 SM_ENTER(WPA_PTK, INITIALIZE); 2461 else if (sm->Disconnect 2462 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2463 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2464 "WPA_PTK: sm->Disconnect"); 2465 SM_ENTER(WPA_PTK, DISCONNECT); 2466 } 2467 else if (sm->DeauthenticationRequest) 2468 SM_ENTER(WPA_PTK, DISCONNECTED); 2469 else if (sm->AuthenticationRequest) 2470 SM_ENTER(WPA_PTK, AUTHENTICATION); 2471 else if (sm->ReAuthenticationRequest) 2472 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2473 else if (sm->PTKRequest) { 2474 if (wpa_auth_sm_ptk_update(sm) < 0) 2475 SM_ENTER(WPA_PTK, DISCONNECTED); 2476 else 2477 SM_ENTER(WPA_PTK, PTKSTART); 2478 } else switch (sm->wpa_ptk_state) { 2479 case WPA_PTK_INITIALIZE: 2480 break; 2481 case WPA_PTK_DISCONNECT: 2482 SM_ENTER(WPA_PTK, DISCONNECTED); 2483 break; 2484 case WPA_PTK_DISCONNECTED: 2485 SM_ENTER(WPA_PTK, INITIALIZE); 2486 break; 2487 case WPA_PTK_AUTHENTICATION: 2488 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2489 break; 2490 case WPA_PTK_AUTHENTICATION2: 2491 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2492 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2493 WPA_EAPOL_keyRun) > 0) 2494 SM_ENTER(WPA_PTK, INITPMK); 2495 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2496 /* FIX: && 802.1X::keyRun */) 2497 SM_ENTER(WPA_PTK, INITPSK); 2498 break; 2499 case WPA_PTK_INITPMK: 2500 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2501 WPA_EAPOL_keyAvailable) > 0) 2502 SM_ENTER(WPA_PTK, PTKSTART); 2503 else { 2504 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2505 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2506 "INITPMK - keyAvailable = false"); 2507 SM_ENTER(WPA_PTK, DISCONNECT); 2508 } 2509 break; 2510 case WPA_PTK_INITPSK: 2511 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2512 NULL)) 2513 SM_ENTER(WPA_PTK, PTKSTART); 2514 else { 2515 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2516 "no PSK configured for the STA"); 2517 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2518 SM_ENTER(WPA_PTK, DISCONNECT); 2519 } 2520 break; 2521 case WPA_PTK_PTKSTART: 2522 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2523 sm->EAPOLKeyPairwise) 2524 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2525 else if (sm->TimeoutCtr > 2526 (int) dot11RSNAConfigPairwiseUpdateCount) { 2527 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2528 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2529 "PTKSTART: Retry limit %d reached", 2530 dot11RSNAConfigPairwiseUpdateCount); 2531 SM_ENTER(WPA_PTK, DISCONNECT); 2532 } else if (sm->TimeoutEvt) 2533 SM_ENTER(WPA_PTK, PTKSTART); 2534 break; 2535 case WPA_PTK_PTKCALCNEGOTIATING: 2536 if (sm->MICVerified) 2537 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2538 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2539 sm->EAPOLKeyPairwise) 2540 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2541 else if (sm->TimeoutEvt) 2542 SM_ENTER(WPA_PTK, PTKSTART); 2543 break; 2544 case WPA_PTK_PTKCALCNEGOTIATING2: 2545 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2546 break; 2547 case WPA_PTK_PTKINITNEGOTIATING: 2548 if (sm->update_snonce) 2549 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2550 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2551 sm->EAPOLKeyPairwise && sm->MICVerified) 2552 SM_ENTER(WPA_PTK, PTKINITDONE); 2553 else if (sm->TimeoutCtr > 2554 (int) dot11RSNAConfigPairwiseUpdateCount) { 2555 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2556 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2557 "PTKINITNEGOTIATING: Retry limit %d " 2558 "reached", 2559 dot11RSNAConfigPairwiseUpdateCount); 2560 SM_ENTER(WPA_PTK, DISCONNECT); 2561 } else if (sm->TimeoutEvt) 2562 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2563 break; 2564 case WPA_PTK_PTKINITDONE: 2565 break; 2566 } 2567 } 2568 2569 2570 SM_STATE(WPA_PTK_GROUP, IDLE) 2571 { 2572 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2573 if (sm->Init) { 2574 /* Init flag is not cleared here, so avoid busy 2575 * loop by claiming nothing changed. */ 2576 sm->changed = FALSE; 2577 } 2578 sm->GTimeoutCtr = 0; 2579 } 2580 2581 2582 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2583 { 2584 u8 rsc[WPA_KEY_RSC_LEN]; 2585 struct wpa_group *gsm = sm->group; 2586 const u8 *kde; 2587 u8 *kde_buf = NULL, *pos, hdr[2]; 2588 size_t kde_len; 2589 u8 *gtk, dummy_gtk[32]; 2590 2591 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2592 2593 sm->GTimeoutCtr++; 2594 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2595 /* No point in sending the EAPOL-Key - we will disconnect 2596 * immediately following this. */ 2597 return; 2598 } 2599 2600 if (sm->wpa == WPA_VERSION_WPA) 2601 sm->PInitAKeys = FALSE; 2602 sm->TimeoutEvt = FALSE; 2603 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2604 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2605 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2606 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2607 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2608 "sending 1/2 msg of Group Key Handshake"); 2609 2610 gtk = gsm->GTK[gsm->GN - 1]; 2611 if (sm->wpa_auth->conf.disable_gtk) { 2612 /* 2613 * Provide unique random GTK to each STA to prevent use 2614 * of GTK in the BSS. 2615 */ 2616 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2617 return; 2618 gtk = dummy_gtk; 2619 } 2620 if (sm->wpa == WPA_VERSION_WPA2) { 2621 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2622 ieee80211w_kde_len(sm); 2623 kde_buf = os_malloc(kde_len); 2624 if (kde_buf == NULL) 2625 return; 2626 2627 kde = pos = kde_buf; 2628 hdr[0] = gsm->GN & 0x03; 2629 hdr[1] = 0; 2630 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2631 gtk, gsm->GTK_len); 2632 pos = ieee80211w_kde_add(sm, pos); 2633 kde_len = pos - kde; 2634 } else { 2635 kde = gtk; 2636 kde_len = gsm->GTK_len; 2637 } 2638 2639 wpa_send_eapol(sm->wpa_auth, sm, 2640 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2641 WPA_KEY_INFO_ACK | 2642 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2643 rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1); 2644 2645 os_free(kde_buf); 2646 } 2647 2648 2649 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2650 { 2651 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2652 sm->EAPOLKeyReceived = FALSE; 2653 if (sm->GUpdateStationKeys) 2654 sm->group->GKeyDoneStations--; 2655 sm->GUpdateStationKeys = FALSE; 2656 sm->GTimeoutCtr = 0; 2657 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2658 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2659 "group key handshake completed (%s)", 2660 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2661 sm->has_GTK = TRUE; 2662 } 2663 2664 2665 SM_STATE(WPA_PTK_GROUP, KEYERROR) 2666 { 2667 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2668 if (sm->GUpdateStationKeys) 2669 sm->group->GKeyDoneStations--; 2670 sm->GUpdateStationKeys = FALSE; 2671 sm->Disconnect = TRUE; 2672 } 2673 2674 2675 SM_STEP(WPA_PTK_GROUP) 2676 { 2677 if (sm->Init || sm->PtkGroupInit) { 2678 SM_ENTER(WPA_PTK_GROUP, IDLE); 2679 sm->PtkGroupInit = FALSE; 2680 } else switch (sm->wpa_ptk_group_state) { 2681 case WPA_PTK_GROUP_IDLE: 2682 if (sm->GUpdateStationKeys || 2683 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2684 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2685 break; 2686 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2687 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2688 !sm->EAPOLKeyPairwise && sm->MICVerified) 2689 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2690 else if (sm->GTimeoutCtr > 2691 (int) dot11RSNAConfigGroupUpdateCount) 2692 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2693 else if (sm->TimeoutEvt) 2694 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2695 break; 2696 case WPA_PTK_GROUP_KEYERROR: 2697 SM_ENTER(WPA_PTK_GROUP, IDLE); 2698 break; 2699 case WPA_PTK_GROUP_REKEYESTABLISHED: 2700 SM_ENTER(WPA_PTK_GROUP, IDLE); 2701 break; 2702 } 2703 } 2704 2705 2706 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2707 struct wpa_group *group) 2708 { 2709 int ret = 0; 2710 2711 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2712 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2713 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2714 wpa_auth->addr, group->GNonce, 2715 group->GTK[group->GN - 1], group->GTK_len) < 0) 2716 ret = -1; 2717 wpa_hexdump_key(MSG_DEBUG, "GTK", 2718 group->GTK[group->GN - 1], group->GTK_len); 2719 2720 #ifdef CONFIG_IEEE80211W 2721 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2722 size_t len; 2723 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2724 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2725 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2726 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2727 wpa_auth->addr, group->GNonce, 2728 group->IGTK[group->GN_igtk - 4], len) < 0) 2729 ret = -1; 2730 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2731 group->IGTK[group->GN_igtk - 4], len); 2732 } 2733 #endif /* CONFIG_IEEE80211W */ 2734 2735 return ret; 2736 } 2737 2738 2739 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2740 struct wpa_group *group) 2741 { 2742 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2743 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2744 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2745 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2746 2747 /* GTK[0..N] = 0 */ 2748 os_memset(group->GTK, 0, sizeof(group->GTK)); 2749 group->GN = 1; 2750 group->GM = 2; 2751 #ifdef CONFIG_IEEE80211W 2752 group->GN_igtk = 4; 2753 group->GM_igtk = 5; 2754 #endif /* CONFIG_IEEE80211W */ 2755 /* GTK[GN] = CalcGTK() */ 2756 wpa_gtk_update(wpa_auth, group); 2757 } 2758 2759 2760 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2761 { 2762 if (ctx != NULL && ctx != sm->group) 2763 return 0; 2764 2765 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2766 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2767 "Not in PTKINITDONE; skip Group Key update"); 2768 sm->GUpdateStationKeys = FALSE; 2769 return 0; 2770 } 2771 if (sm->GUpdateStationKeys) { 2772 /* 2773 * This should not really happen, so add a debug log entry. 2774 * Since we clear the GKeyDoneStations before the loop, the 2775 * station needs to be counted here anyway. 2776 */ 2777 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2778 "GUpdateStationKeys was already set when " 2779 "marking station for GTK rekeying"); 2780 } 2781 2782 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2783 if (sm->is_wnmsleep) 2784 return 0; 2785 2786 sm->group->GKeyDoneStations++; 2787 sm->GUpdateStationKeys = TRUE; 2788 2789 wpa_sm_step(sm); 2790 return 0; 2791 } 2792 2793 2794 #ifdef CONFIG_WNM 2795 /* update GTK when exiting WNM-Sleep Mode */ 2796 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2797 { 2798 if (sm == NULL || sm->is_wnmsleep) 2799 return; 2800 2801 wpa_group_update_sta(sm, NULL); 2802 } 2803 2804 2805 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2806 { 2807 if (sm) 2808 sm->is_wnmsleep = !!flag; 2809 } 2810 2811 2812 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2813 { 2814 struct wpa_group *gsm = sm->group; 2815 u8 *start = pos; 2816 2817 /* 2818 * GTK subelement: 2819 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2820 * Key[5..32] 2821 */ 2822 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2823 *pos++ = 11 + gsm->GTK_len; 2824 /* Key ID in B0-B1 of Key Info */ 2825 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2826 pos += 2; 2827 *pos++ = gsm->GTK_len; 2828 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2829 return 0; 2830 pos += 8; 2831 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2832 pos += gsm->GTK_len; 2833 2834 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2835 gsm->GN); 2836 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2837 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2838 2839 return pos - start; 2840 } 2841 2842 2843 #ifdef CONFIG_IEEE80211W 2844 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2845 { 2846 struct wpa_group *gsm = sm->group; 2847 u8 *start = pos; 2848 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2849 2850 /* 2851 * IGTK subelement: 2852 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2853 */ 2854 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2855 *pos++ = 2 + 6 + len; 2856 WPA_PUT_LE16(pos, gsm->GN_igtk); 2857 pos += 2; 2858 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2859 return 0; 2860 pos += 6; 2861 2862 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 2863 pos += len; 2864 2865 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2866 gsm->GN_igtk); 2867 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2868 gsm->IGTK[gsm->GN_igtk - 4], len); 2869 2870 return pos - start; 2871 } 2872 #endif /* CONFIG_IEEE80211W */ 2873 #endif /* CONFIG_WNM */ 2874 2875 2876 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2877 struct wpa_group *group) 2878 { 2879 int tmp; 2880 2881 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2882 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2883 group->changed = TRUE; 2884 group->wpa_group_state = WPA_GROUP_SETKEYS; 2885 group->GTKReKey = FALSE; 2886 tmp = group->GM; 2887 group->GM = group->GN; 2888 group->GN = tmp; 2889 #ifdef CONFIG_IEEE80211W 2890 tmp = group->GM_igtk; 2891 group->GM_igtk = group->GN_igtk; 2892 group->GN_igtk = tmp; 2893 #endif /* CONFIG_IEEE80211W */ 2894 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2895 * counting the STAs that are marked with GUpdateStationKeys instead of 2896 * including all STAs that could be in not-yet-completed state. */ 2897 wpa_gtk_update(wpa_auth, group); 2898 2899 if (group->GKeyDoneStations) { 2900 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2901 "GKeyDoneStations=%d when starting new GTK rekey", 2902 group->GKeyDoneStations); 2903 group->GKeyDoneStations = 0; 2904 } 2905 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2906 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2907 group->GKeyDoneStations); 2908 } 2909 2910 2911 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2912 struct wpa_group *group) 2913 { 2914 int ret = 0; 2915 2916 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2917 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2918 broadcast_ether_addr, group->GN, 2919 group->GTK[group->GN - 1], group->GTK_len) < 0) 2920 ret = -1; 2921 2922 #ifdef CONFIG_IEEE80211W 2923 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2924 enum wpa_alg alg; 2925 size_t len; 2926 2927 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 2928 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2929 2930 if (ret == 0 && 2931 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 2932 broadcast_ether_addr, group->GN_igtk, 2933 group->IGTK[group->GN_igtk - 4], len) < 0) 2934 ret = -1; 2935 } 2936 #endif /* CONFIG_IEEE80211W */ 2937 2938 return ret; 2939 } 2940 2941 2942 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 2943 { 2944 if (sm->group == ctx) { 2945 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 2946 " for discconnection due to fatal failure", 2947 MAC2STR(sm->addr)); 2948 sm->Disconnect = TRUE; 2949 } 2950 2951 return 0; 2952 } 2953 2954 2955 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 2956 struct wpa_group *group) 2957 { 2958 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 2959 group->changed = TRUE; 2960 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 2961 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 2962 } 2963 2964 2965 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2966 struct wpa_group *group) 2967 { 2968 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2969 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2970 group->changed = TRUE; 2971 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2972 2973 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 2974 wpa_group_fatal_failure(wpa_auth, group); 2975 return -1; 2976 } 2977 2978 return 0; 2979 } 2980 2981 2982 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2983 struct wpa_group *group) 2984 { 2985 if (group->GInit) { 2986 wpa_group_gtk_init(wpa_auth, group); 2987 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 2988 /* Do not allow group operations */ 2989 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2990 group->GTKAuthenticator) { 2991 wpa_group_setkeysdone(wpa_auth, group); 2992 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2993 group->GTKReKey) { 2994 wpa_group_setkeys(wpa_auth, group); 2995 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2996 if (group->GKeyDoneStations == 0) 2997 wpa_group_setkeysdone(wpa_auth, group); 2998 else if (group->GTKReKey) 2999 wpa_group_setkeys(wpa_auth, group); 3000 } 3001 } 3002 3003 3004 static int wpa_sm_step(struct wpa_state_machine *sm) 3005 { 3006 if (sm == NULL) 3007 return 0; 3008 3009 if (sm->in_step_loop) { 3010 /* This should not happen, but if it does, make sure we do not 3011 * end up freeing the state machine too early by exiting the 3012 * recursive call. */ 3013 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 3014 return 0; 3015 } 3016 3017 sm->in_step_loop = 1; 3018 do { 3019 if (sm->pending_deinit) 3020 break; 3021 3022 sm->changed = FALSE; 3023 sm->wpa_auth->group->changed = FALSE; 3024 3025 SM_STEP_RUN(WPA_PTK); 3026 if (sm->pending_deinit) 3027 break; 3028 SM_STEP_RUN(WPA_PTK_GROUP); 3029 if (sm->pending_deinit) 3030 break; 3031 wpa_group_sm_step(sm->wpa_auth, sm->group); 3032 } while (sm->changed || sm->wpa_auth->group->changed); 3033 sm->in_step_loop = 0; 3034 3035 if (sm->pending_deinit) { 3036 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 3037 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 3038 wpa_free_sta_sm(sm); 3039 return 1; 3040 } 3041 return 0; 3042 } 3043 3044 3045 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 3046 { 3047 struct wpa_state_machine *sm = eloop_ctx; 3048 wpa_sm_step(sm); 3049 } 3050 3051 3052 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 3053 { 3054 if (sm == NULL) 3055 return; 3056 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 3057 } 3058 3059 3060 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 3061 { 3062 int tmp, i; 3063 struct wpa_group *group; 3064 3065 if (wpa_auth == NULL) 3066 return; 3067 3068 group = wpa_auth->group; 3069 3070 for (i = 0; i < 2; i++) { 3071 tmp = group->GM; 3072 group->GM = group->GN; 3073 group->GN = tmp; 3074 #ifdef CONFIG_IEEE80211W 3075 tmp = group->GM_igtk; 3076 group->GM_igtk = group->GN_igtk; 3077 group->GN_igtk = tmp; 3078 #endif /* CONFIG_IEEE80211W */ 3079 wpa_gtk_update(wpa_auth, group); 3080 wpa_group_config_group_keys(wpa_auth, group); 3081 } 3082 } 3083 3084 3085 static const char * wpa_bool_txt(int val) 3086 { 3087 return val ? "TRUE" : "FALSE"; 3088 } 3089 3090 3091 #define RSN_SUITE "%02x-%02x-%02x-%d" 3092 #define RSN_SUITE_ARG(s) \ 3093 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3094 3095 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 3096 { 3097 int len = 0, ret; 3098 char pmkid_txt[PMKID_LEN * 2 + 1]; 3099 #ifdef CONFIG_RSN_PREAUTH 3100 const int preauth = 1; 3101 #else /* CONFIG_RSN_PREAUTH */ 3102 const int preauth = 0; 3103 #endif /* CONFIG_RSN_PREAUTH */ 3104 3105 if (wpa_auth == NULL) 3106 return len; 3107 3108 ret = os_snprintf(buf + len, buflen - len, 3109 "dot11RSNAOptionImplemented=TRUE\n" 3110 "dot11RSNAPreauthenticationImplemented=%s\n" 3111 "dot11RSNAEnabled=%s\n" 3112 "dot11RSNAPreauthenticationEnabled=%s\n", 3113 wpa_bool_txt(preauth), 3114 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 3115 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 3116 if (os_snprintf_error(buflen - len, ret)) 3117 return len; 3118 len += ret; 3119 3120 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3121 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 3122 3123 ret = os_snprintf( 3124 buf + len, buflen - len, 3125 "dot11RSNAConfigVersion=%u\n" 3126 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 3127 /* FIX: dot11RSNAConfigGroupCipher */ 3128 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 3129 /* FIX: dot11RSNAConfigGroupRekeyTime */ 3130 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 3131 "dot11RSNAConfigGroupRekeyStrict=%u\n" 3132 "dot11RSNAConfigGroupUpdateCount=%u\n" 3133 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 3134 "dot11RSNAConfigGroupCipherSize=%u\n" 3135 "dot11RSNAConfigPMKLifetime=%u\n" 3136 "dot11RSNAConfigPMKReauthThreshold=%u\n" 3137 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 3138 "dot11RSNAConfigSATimeout=%u\n" 3139 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3140 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3141 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3142 "dot11RSNAPMKIDUsed=%s\n" 3143 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3144 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3145 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3146 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3147 "dot11RSNA4WayHandshakeFailures=%u\n" 3148 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3149 RSN_VERSION, 3150 !!wpa_auth->conf.wpa_strict_rekey, 3151 dot11RSNAConfigGroupUpdateCount, 3152 dot11RSNAConfigPairwiseUpdateCount, 3153 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3154 dot11RSNAConfigPMKLifetime, 3155 dot11RSNAConfigPMKReauthThreshold, 3156 dot11RSNAConfigSATimeout, 3157 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3158 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3159 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3160 pmkid_txt, 3161 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3162 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3163 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3164 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3165 wpa_auth->dot11RSNA4WayHandshakeFailures); 3166 if (os_snprintf_error(buflen - len, ret)) 3167 return len; 3168 len += ret; 3169 3170 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3171 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3172 3173 /* Private MIB */ 3174 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3175 wpa_auth->group->wpa_group_state); 3176 if (os_snprintf_error(buflen - len, ret)) 3177 return len; 3178 len += ret; 3179 3180 return len; 3181 } 3182 3183 3184 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3185 { 3186 int len = 0, ret; 3187 u32 pairwise = 0; 3188 3189 if (sm == NULL) 3190 return 0; 3191 3192 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3193 3194 /* dot11RSNAStatsEntry */ 3195 3196 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3197 WPA_PROTO_RSN : WPA_PROTO_WPA, 3198 sm->pairwise); 3199 if (pairwise == 0) 3200 return 0; 3201 3202 ret = os_snprintf( 3203 buf + len, buflen - len, 3204 /* TODO: dot11RSNAStatsIndex */ 3205 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3206 "dot11RSNAStatsVersion=1\n" 3207 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3208 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3209 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3210 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3211 /* TODO: dot11RSNAStatsCCMPReplays */ 3212 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3213 /* TODO: dot11RSNAStatsTKIPReplays */, 3214 MAC2STR(sm->addr), 3215 RSN_SUITE_ARG(pairwise), 3216 sm->dot11RSNAStatsTKIPLocalMICFailures, 3217 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3218 if (os_snprintf_error(buflen - len, ret)) 3219 return len; 3220 len += ret; 3221 3222 /* Private MIB */ 3223 ret = os_snprintf(buf + len, buflen - len, 3224 "hostapdWPAPTKState=%d\n" 3225 "hostapdWPAPTKGroupState=%d\n", 3226 sm->wpa_ptk_state, 3227 sm->wpa_ptk_group_state); 3228 if (os_snprintf_error(buflen - len, ret)) 3229 return len; 3230 len += ret; 3231 3232 return len; 3233 } 3234 3235 3236 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3237 { 3238 if (wpa_auth) 3239 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3240 } 3241 3242 3243 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3244 { 3245 return sm && sm->pairwise_set; 3246 } 3247 3248 3249 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3250 { 3251 return sm->pairwise; 3252 } 3253 3254 3255 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3256 { 3257 if (sm == NULL) 3258 return -1; 3259 return sm->wpa_key_mgmt; 3260 } 3261 3262 3263 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3264 { 3265 if (sm == NULL) 3266 return 0; 3267 return sm->wpa; 3268 } 3269 3270 3271 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 3272 { 3273 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 3274 return 0; 3275 return sm->tk_already_set; 3276 } 3277 3278 3279 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3280 struct rsn_pmksa_cache_entry *entry) 3281 { 3282 if (sm == NULL || sm->pmksa != entry) 3283 return -1; 3284 sm->pmksa = NULL; 3285 return 0; 3286 } 3287 3288 3289 struct rsn_pmksa_cache_entry * 3290 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3291 { 3292 return sm ? sm->pmksa : NULL; 3293 } 3294 3295 3296 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3297 { 3298 if (sm) 3299 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3300 } 3301 3302 3303 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3304 { 3305 if (wpa_auth == NULL) 3306 return NULL; 3307 *len = wpa_auth->wpa_ie_len; 3308 return wpa_auth->wpa_ie; 3309 } 3310 3311 3312 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3313 unsigned int pmk_len, 3314 int session_timeout, struct eapol_state_machine *eapol) 3315 { 3316 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3317 sm->wpa_auth->conf.disable_pmksa_caching) 3318 return -1; 3319 3320 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { 3321 if (pmk_len > PMK_LEN_SUITE_B_192) 3322 pmk_len = PMK_LEN_SUITE_B_192; 3323 } else if (pmk_len > PMK_LEN) { 3324 pmk_len = PMK_LEN; 3325 } 3326 3327 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 3328 sm->PTK.kck, sm->PTK.kck_len, 3329 sm->wpa_auth->addr, sm->addr, session_timeout, 3330 eapol, sm->wpa_key_mgmt)) 3331 return 0; 3332 3333 return -1; 3334 } 3335 3336 3337 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 3338 const u8 *pmk, size_t len, const u8 *sta_addr, 3339 int session_timeout, 3340 struct eapol_state_machine *eapol) 3341 { 3342 if (wpa_auth == NULL) 3343 return -1; 3344 3345 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 3346 NULL, 0, 3347 wpa_auth->addr, 3348 sta_addr, session_timeout, eapol, 3349 WPA_KEY_MGMT_IEEE8021X)) 3350 return 0; 3351 3352 return -1; 3353 } 3354 3355 3356 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 3357 const u8 *pmk, const u8 *pmkid) 3358 { 3359 if (wpa_auth->conf.disable_pmksa_caching) 3360 return -1; 3361 3362 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 3363 NULL, 0, 3364 wpa_auth->addr, addr, 0, NULL, 3365 WPA_KEY_MGMT_SAE)) 3366 return 0; 3367 3368 return -1; 3369 } 3370 3371 3372 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 3373 const u8 *sta_addr) 3374 { 3375 struct rsn_pmksa_cache_entry *pmksa; 3376 3377 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 3378 return; 3379 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3380 if (pmksa) { 3381 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 3382 MACSTR " based on request", MAC2STR(sta_addr)); 3383 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 3384 } 3385 } 3386 3387 3388 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 3389 size_t len) 3390 { 3391 if (!wpa_auth || !wpa_auth->pmksa) 3392 return 0; 3393 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 3394 } 3395 3396 3397 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 3398 { 3399 if (wpa_auth && wpa_auth->pmksa) 3400 pmksa_cache_auth_flush(wpa_auth->pmksa); 3401 } 3402 3403 3404 struct rsn_pmksa_cache_entry * 3405 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr) 3406 { 3407 if (!wpa_auth || !wpa_auth->pmksa) 3408 return NULL; 3409 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3410 } 3411 3412 3413 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 3414 struct wpa_state_machine *sm, 3415 struct wpa_authenticator *wpa_auth, 3416 u8 *pmkid, u8 *pmk) 3417 { 3418 if (!sm) 3419 return; 3420 3421 sm->pmksa = pmksa; 3422 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 3423 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 3424 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 3425 } 3426 3427 3428 /* 3429 * Remove and free the group from wpa_authenticator. This is triggered by a 3430 * callback to make sure nobody is currently iterating the group list while it 3431 * gets modified. 3432 */ 3433 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 3434 struct wpa_group *group) 3435 { 3436 struct wpa_group *prev = wpa_auth->group; 3437 3438 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 3439 group->vlan_id); 3440 3441 while (prev) { 3442 if (prev->next == group) { 3443 /* This never frees the special first group as needed */ 3444 prev->next = group->next; 3445 os_free(group); 3446 break; 3447 } 3448 prev = prev->next; 3449 } 3450 3451 } 3452 3453 3454 /* Increase the reference counter for group */ 3455 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 3456 struct wpa_group *group) 3457 { 3458 /* Skip the special first group */ 3459 if (wpa_auth->group == group) 3460 return; 3461 3462 group->references++; 3463 } 3464 3465 3466 /* Decrease the reference counter and maybe free the group */ 3467 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 3468 struct wpa_group *group) 3469 { 3470 /* Skip the special first group */ 3471 if (wpa_auth->group == group) 3472 return; 3473 3474 group->references--; 3475 if (group->references) 3476 return; 3477 wpa_group_free(wpa_auth, group); 3478 } 3479 3480 3481 /* 3482 * Add a group that has its references counter set to zero. Caller needs to 3483 * call wpa_group_get() on the return value to mark the entry in use. 3484 */ 3485 static struct wpa_group * 3486 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3487 { 3488 struct wpa_group *group; 3489 3490 if (wpa_auth == NULL || wpa_auth->group == NULL) 3491 return NULL; 3492 3493 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 3494 vlan_id); 3495 group = wpa_group_init(wpa_auth, vlan_id, 0); 3496 if (group == NULL) 3497 return NULL; 3498 3499 group->next = wpa_auth->group->next; 3500 wpa_auth->group->next = group; 3501 3502 return group; 3503 } 3504 3505 3506 /* 3507 * Enforce that the group state machine for the VLAN is running, increase 3508 * reference counter as interface is up. References might have been increased 3509 * even if a negative value is returned. 3510 * Returns: -1 on error (group missing, group already failed); otherwise, 0 3511 */ 3512 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3513 { 3514 struct wpa_group *group; 3515 3516 if (wpa_auth == NULL) 3517 return 0; 3518 3519 group = wpa_auth->group; 3520 while (group) { 3521 if (group->vlan_id == vlan_id) 3522 break; 3523 group = group->next; 3524 } 3525 3526 if (group == NULL) { 3527 group = wpa_auth_add_group(wpa_auth, vlan_id); 3528 if (group == NULL) 3529 return -1; 3530 } 3531 3532 wpa_printf(MSG_DEBUG, 3533 "WPA: Ensure group state machine running for VLAN ID %d", 3534 vlan_id); 3535 3536 wpa_group_get(wpa_auth, group); 3537 group->num_setup_iface++; 3538 3539 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3540 return -1; 3541 3542 return 0; 3543 } 3544 3545 3546 /* 3547 * Decrease reference counter, expected to be zero afterwards. 3548 * returns: -1 on error (group not found, group in fail state) 3549 * -2 if wpa_group is still referenced 3550 * 0 else 3551 */ 3552 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3553 { 3554 struct wpa_group *group; 3555 int ret = 0; 3556 3557 if (wpa_auth == NULL) 3558 return 0; 3559 3560 group = wpa_auth->group; 3561 while (group) { 3562 if (group->vlan_id == vlan_id) 3563 break; 3564 group = group->next; 3565 } 3566 3567 if (group == NULL) 3568 return -1; 3569 3570 wpa_printf(MSG_DEBUG, 3571 "WPA: Try stopping group state machine for VLAN ID %d", 3572 vlan_id); 3573 3574 if (group->num_setup_iface <= 0) { 3575 wpa_printf(MSG_ERROR, 3576 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 3577 vlan_id); 3578 return -1; 3579 } 3580 group->num_setup_iface--; 3581 3582 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3583 ret = -1; 3584 3585 if (group->references > 1) { 3586 wpa_printf(MSG_DEBUG, 3587 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 3588 vlan_id); 3589 ret = -2; 3590 } 3591 3592 wpa_group_put(wpa_auth, group); 3593 3594 return ret; 3595 } 3596 3597 3598 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 3599 { 3600 struct wpa_group *group; 3601 3602 if (sm == NULL || sm->wpa_auth == NULL) 3603 return 0; 3604 3605 group = sm->wpa_auth->group; 3606 while (group) { 3607 if (group->vlan_id == vlan_id) 3608 break; 3609 group = group->next; 3610 } 3611 3612 if (group == NULL) { 3613 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3614 if (group == NULL) 3615 return -1; 3616 } 3617 3618 if (sm->group == group) 3619 return 0; 3620 3621 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3622 return -1; 3623 3624 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3625 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3626 3627 wpa_group_get(sm->wpa_auth, group); 3628 wpa_group_put(sm->wpa_auth, sm->group); 3629 sm->group = group; 3630 3631 return 0; 3632 } 3633 3634 3635 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3636 struct wpa_state_machine *sm, int ack) 3637 { 3638 if (wpa_auth == NULL || sm == NULL) 3639 return; 3640 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3641 " ack=%d", MAC2STR(sm->addr), ack); 3642 if (sm->pending_1_of_4_timeout && ack) { 3643 /* 3644 * Some deployed supplicant implementations update their SNonce 3645 * for each EAPOL-Key 2/4 message even within the same 4-way 3646 * handshake and then fail to use the first SNonce when 3647 * deriving the PTK. This results in unsuccessful 4-way 3648 * handshake whenever the relatively short initial timeout is 3649 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3650 * around this by increasing the timeout now that we know that 3651 * the station has received the frame. 3652 */ 3653 int timeout_ms = eapol_key_timeout_subseq; 3654 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3655 "timeout by %u ms because of acknowledged frame", 3656 timeout_ms); 3657 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3658 eloop_register_timeout(timeout_ms / 1000, 3659 (timeout_ms % 1000) * 1000, 3660 wpa_send_eapol_timeout, wpa_auth, sm); 3661 } 3662 } 3663 3664 3665 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3666 { 3667 if (sm == NULL) 3668 return 0; 3669 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3670 } 3671 3672 3673 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 3674 { 3675 if (sm == NULL) 3676 return 0; 3677 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 3678 } 3679 3680 3681 #ifdef CONFIG_P2P 3682 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 3683 { 3684 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 3685 return -1; 3686 os_memcpy(addr, sm->ip_addr, 4); 3687 return 0; 3688 } 3689 #endif /* CONFIG_P2P */ 3690 3691 3692 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 3693 struct radius_das_attrs *attr) 3694 { 3695 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 3696 } 3697 3698 3699 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 3700 { 3701 struct wpa_group *group; 3702 3703 if (!wpa_auth) 3704 return; 3705 for (group = wpa_auth->group; group; group = group->next) 3706 wpa_group_config_group_keys(wpa_auth, group); 3707 } 3708