1 /* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "utils/state_machine.h" 14 #include "utils/bitfield.h" 15 #include "common/ieee802_11_defs.h" 16 #include "crypto/aes_wrap.h" 17 #include "crypto/crypto.h" 18 #include "crypto/sha1.h" 19 #include "crypto/sha256.h" 20 #include "crypto/random.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "ap_config.h" 23 #include "ieee802_11.h" 24 #include "wpa_auth.h" 25 #include "pmksa_cache_auth.h" 26 #include "wpa_auth_i.h" 27 #include "wpa_auth_ie.h" 28 29 #define STATE_MACHINE_DATA struct wpa_state_machine 30 #define STATE_MACHINE_DEBUG_PREFIX "WPA" 31 #define STATE_MACHINE_ADDR sm->addr 32 33 34 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 35 static int wpa_sm_step(struct wpa_state_machine *sm); 36 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 37 size_t data_len); 38 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 39 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 40 struct wpa_group *group); 41 static void wpa_request_new_ptk(struct wpa_state_machine *sm); 42 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 43 struct wpa_group *group); 44 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 45 struct wpa_group *group); 46 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 47 const u8 *pmk, unsigned int pmk_len, 48 struct wpa_ptk *ptk); 49 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 50 struct wpa_group *group); 51 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 52 struct wpa_group *group); 53 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 54 struct wpa_group *group); 55 56 static const u32 dot11RSNAConfigGroupUpdateCount = 4; 57 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; 58 static const u32 eapol_key_timeout_first = 100; /* ms */ 59 static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 60 static const u32 eapol_key_timeout_first_group = 500; /* ms */ 61 62 /* TODO: make these configurable */ 63 static const int dot11RSNAConfigPMKLifetime = 43200; 64 static const int dot11RSNAConfigPMKReauthThreshold = 70; 65 static const int dot11RSNAConfigSATimeout = 60; 66 67 68 static inline int wpa_auth_mic_failure_report( 69 struct wpa_authenticator *wpa_auth, const u8 *addr) 70 { 71 if (wpa_auth->cb.mic_failure_report) 72 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr); 73 return 0; 74 } 75 76 77 static inline void wpa_auth_psk_failure_report( 78 struct wpa_authenticator *wpa_auth, const u8 *addr) 79 { 80 if (wpa_auth->cb.psk_failure_report) 81 wpa_auth->cb.psk_failure_report(wpa_auth->cb.ctx, addr); 82 } 83 84 85 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 86 const u8 *addr, wpa_eapol_variable var, 87 int value) 88 { 89 if (wpa_auth->cb.set_eapol) 90 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value); 91 } 92 93 94 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 95 const u8 *addr, wpa_eapol_variable var) 96 { 97 if (wpa_auth->cb.get_eapol == NULL) 98 return -1; 99 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var); 100 } 101 102 103 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 104 const u8 *addr, 105 const u8 *p2p_dev_addr, 106 const u8 *prev_psk) 107 { 108 if (wpa_auth->cb.get_psk == NULL) 109 return NULL; 110 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr, 111 prev_psk); 112 } 113 114 115 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 116 const u8 *addr, u8 *msk, size_t *len) 117 { 118 if (wpa_auth->cb.get_msk == NULL) 119 return -1; 120 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len); 121 } 122 123 124 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 125 int vlan_id, 126 enum wpa_alg alg, const u8 *addr, int idx, 127 u8 *key, size_t key_len) 128 { 129 if (wpa_auth->cb.set_key == NULL) 130 return -1; 131 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx, 132 key, key_len); 133 } 134 135 136 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 137 const u8 *addr, int idx, u8 *seq) 138 { 139 if (wpa_auth->cb.get_seqnum == NULL) 140 return -1; 141 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq); 142 } 143 144 145 static inline int 146 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 147 const u8 *data, size_t data_len, int encrypt) 148 { 149 if (wpa_auth->cb.send_eapol == NULL) 150 return -1; 151 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len, 152 encrypt); 153 } 154 155 156 #ifdef CONFIG_MESH 157 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 158 const u8 *addr) 159 { 160 if (wpa_auth->cb.start_ampe == NULL) 161 return -1; 162 return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr); 163 } 164 #endif /* CONFIG_MESH */ 165 166 167 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 168 int (*cb)(struct wpa_state_machine *sm, void *ctx), 169 void *cb_ctx) 170 { 171 if (wpa_auth->cb.for_each_sta == NULL) 172 return 0; 173 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx); 174 } 175 176 177 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 178 int (*cb)(struct wpa_authenticator *a, void *ctx), 179 void *cb_ctx) 180 { 181 if (wpa_auth->cb.for_each_auth == NULL) 182 return 0; 183 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx); 184 } 185 186 187 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 188 logger_level level, const char *txt) 189 { 190 if (wpa_auth->cb.logger == NULL) 191 return; 192 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt); 193 } 194 195 196 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 197 logger_level level, const char *fmt, ...) 198 { 199 char *format; 200 int maxlen; 201 va_list ap; 202 203 if (wpa_auth->cb.logger == NULL) 204 return; 205 206 maxlen = os_strlen(fmt) + 100; 207 format = os_malloc(maxlen); 208 if (!format) 209 return; 210 211 va_start(ap, fmt); 212 vsnprintf(format, maxlen, fmt, ap); 213 va_end(ap); 214 215 wpa_auth_logger(wpa_auth, addr, level, format); 216 217 os_free(format); 218 } 219 220 221 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 222 const u8 *addr) 223 { 224 if (wpa_auth->cb.disconnect == NULL) 225 return; 226 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 227 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr, 228 WLAN_REASON_PREV_AUTH_NOT_VALID); 229 } 230 231 232 static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 233 { 234 int ret = 0; 235 #ifdef CONFIG_IEEE80211R 236 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 237 ret = 1; 238 #endif /* CONFIG_IEEE80211R */ 239 #ifdef CONFIG_IEEE80211W 240 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 241 ret = 1; 242 #endif /* CONFIG_IEEE80211W */ 243 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) 244 ret = 1; 245 return ret; 246 } 247 248 249 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 250 { 251 struct wpa_authenticator *wpa_auth = eloop_ctx; 252 253 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 254 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 255 "initialization."); 256 } else { 257 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 258 wpa_hexdump_key(MSG_DEBUG, "GMK", 259 wpa_auth->group->GMK, WPA_GMK_LEN); 260 } 261 262 if (wpa_auth->conf.wpa_gmk_rekey) { 263 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 264 wpa_rekey_gmk, wpa_auth, NULL); 265 } 266 } 267 268 269 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 270 { 271 struct wpa_authenticator *wpa_auth = eloop_ctx; 272 struct wpa_group *group, *next; 273 274 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 275 group = wpa_auth->group; 276 while (group) { 277 wpa_group_get(wpa_auth, group); 278 279 group->GTKReKey = TRUE; 280 do { 281 group->changed = FALSE; 282 wpa_group_sm_step(wpa_auth, group); 283 } while (group->changed); 284 285 next = group->next; 286 wpa_group_put(wpa_auth, group); 287 group = next; 288 } 289 290 if (wpa_auth->conf.wpa_group_rekey) { 291 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 292 0, wpa_rekey_gtk, wpa_auth, NULL); 293 } 294 } 295 296 297 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 298 { 299 struct wpa_authenticator *wpa_auth = eloop_ctx; 300 struct wpa_state_machine *sm = timeout_ctx; 301 302 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 303 wpa_request_new_ptk(sm); 304 wpa_sm_step(sm); 305 } 306 307 308 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 309 { 310 if (sm->pmksa == ctx) 311 sm->pmksa = NULL; 312 return 0; 313 } 314 315 316 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 317 void *ctx) 318 { 319 struct wpa_authenticator *wpa_auth = ctx; 320 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 321 } 322 323 324 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 325 struct wpa_group *group) 326 { 327 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 328 u8 rkey[32]; 329 unsigned long ptr; 330 331 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 332 return -1; 333 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 334 335 /* 336 * Counter = PRF-256(Random number, "Init Counter", 337 * Local MAC Address || Time) 338 */ 339 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 340 wpa_get_ntp_timestamp(buf + ETH_ALEN); 341 ptr = (unsigned long) group; 342 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 343 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 344 return -1; 345 346 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 347 group->Counter, WPA_NONCE_LEN) < 0) 348 return -1; 349 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 350 group->Counter, WPA_NONCE_LEN); 351 352 return 0; 353 } 354 355 356 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 357 int vlan_id, int delay_init) 358 { 359 struct wpa_group *group; 360 361 group = os_zalloc(sizeof(struct wpa_group)); 362 if (group == NULL) 363 return NULL; 364 365 group->GTKAuthenticator = TRUE; 366 group->vlan_id = vlan_id; 367 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 368 369 if (random_pool_ready() != 1) { 370 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 371 "for secure operations - update keys later when " 372 "the first station connects"); 373 } 374 375 /* 376 * Set initial GMK/Counter value here. The actual values that will be 377 * used in negotiations will be set once the first station tries to 378 * connect. This allows more time for collecting additional randomness 379 * on embedded devices. 380 */ 381 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 382 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 383 "initialization."); 384 os_free(group); 385 return NULL; 386 } 387 388 group->GInit = TRUE; 389 if (delay_init) { 390 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 391 "until Beacon frames have been configured"); 392 /* Initialization is completed in wpa_init_keys(). */ 393 } else { 394 wpa_group_sm_step(wpa_auth, group); 395 group->GInit = FALSE; 396 wpa_group_sm_step(wpa_auth, group); 397 } 398 399 return group; 400 } 401 402 403 /** 404 * wpa_init - Initialize WPA authenticator 405 * @addr: Authenticator address 406 * @conf: Configuration for WPA authenticator 407 * @cb: Callback functions for WPA authenticator 408 * Returns: Pointer to WPA authenticator data or %NULL on failure 409 */ 410 struct wpa_authenticator * wpa_init(const u8 *addr, 411 struct wpa_auth_config *conf, 412 struct wpa_auth_callbacks *cb) 413 { 414 struct wpa_authenticator *wpa_auth; 415 416 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 417 if (wpa_auth == NULL) 418 return NULL; 419 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 420 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 421 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb)); 422 423 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 424 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 425 os_free(wpa_auth); 426 return NULL; 427 } 428 429 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 430 if (wpa_auth->group == NULL) { 431 os_free(wpa_auth->wpa_ie); 432 os_free(wpa_auth); 433 return NULL; 434 } 435 436 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 437 wpa_auth); 438 if (wpa_auth->pmksa == NULL) { 439 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 440 os_free(wpa_auth->group); 441 os_free(wpa_auth->wpa_ie); 442 os_free(wpa_auth); 443 return NULL; 444 } 445 446 #ifdef CONFIG_IEEE80211R 447 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 448 if (wpa_auth->ft_pmk_cache == NULL) { 449 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 450 os_free(wpa_auth->group); 451 os_free(wpa_auth->wpa_ie); 452 pmksa_cache_auth_deinit(wpa_auth->pmksa); 453 os_free(wpa_auth); 454 return NULL; 455 } 456 #endif /* CONFIG_IEEE80211R */ 457 458 if (wpa_auth->conf.wpa_gmk_rekey) { 459 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 460 wpa_rekey_gmk, wpa_auth, NULL); 461 } 462 463 if (wpa_auth->conf.wpa_group_rekey) { 464 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 465 wpa_rekey_gtk, wpa_auth, NULL); 466 } 467 468 #ifdef CONFIG_P2P 469 if (WPA_GET_BE32(conf->ip_addr_start)) { 470 int count = WPA_GET_BE32(conf->ip_addr_end) - 471 WPA_GET_BE32(conf->ip_addr_start) + 1; 472 if (count > 1000) 473 count = 1000; 474 if (count > 0) 475 wpa_auth->ip_pool = bitfield_alloc(count); 476 } 477 #endif /* CONFIG_P2P */ 478 479 return wpa_auth; 480 } 481 482 483 int wpa_init_keys(struct wpa_authenticator *wpa_auth) 484 { 485 struct wpa_group *group = wpa_auth->group; 486 487 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 488 "keys"); 489 wpa_group_sm_step(wpa_auth, group); 490 group->GInit = FALSE; 491 wpa_group_sm_step(wpa_auth, group); 492 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 493 return -1; 494 return 0; 495 } 496 497 498 /** 499 * wpa_deinit - Deinitialize WPA authenticator 500 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 501 */ 502 void wpa_deinit(struct wpa_authenticator *wpa_auth) 503 { 504 struct wpa_group *group, *prev; 505 506 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 507 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 508 509 #ifdef CONFIG_PEERKEY 510 while (wpa_auth->stsl_negotiations) 511 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations); 512 #endif /* CONFIG_PEERKEY */ 513 514 pmksa_cache_auth_deinit(wpa_auth->pmksa); 515 516 #ifdef CONFIG_IEEE80211R 517 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 518 wpa_auth->ft_pmk_cache = NULL; 519 #endif /* CONFIG_IEEE80211R */ 520 521 #ifdef CONFIG_P2P 522 bitfield_free(wpa_auth->ip_pool); 523 #endif /* CONFIG_P2P */ 524 525 526 os_free(wpa_auth->wpa_ie); 527 528 group = wpa_auth->group; 529 while (group) { 530 prev = group; 531 group = group->next; 532 os_free(prev); 533 } 534 535 os_free(wpa_auth); 536 } 537 538 539 /** 540 * wpa_reconfig - Update WPA authenticator configuration 541 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 542 * @conf: Configuration for WPA authenticator 543 */ 544 int wpa_reconfig(struct wpa_authenticator *wpa_auth, 545 struct wpa_auth_config *conf) 546 { 547 struct wpa_group *group; 548 if (wpa_auth == NULL) 549 return 0; 550 551 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 552 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 553 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 554 return -1; 555 } 556 557 /* 558 * Reinitialize GTK to make sure it is suitable for the new 559 * configuration. 560 */ 561 group = wpa_auth->group; 562 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 563 group->GInit = TRUE; 564 wpa_group_sm_step(wpa_auth, group); 565 group->GInit = FALSE; 566 wpa_group_sm_step(wpa_auth, group); 567 568 return 0; 569 } 570 571 572 struct wpa_state_machine * 573 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 574 const u8 *p2p_dev_addr) 575 { 576 struct wpa_state_machine *sm; 577 578 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 579 return NULL; 580 581 sm = os_zalloc(sizeof(struct wpa_state_machine)); 582 if (sm == NULL) 583 return NULL; 584 os_memcpy(sm->addr, addr, ETH_ALEN); 585 if (p2p_dev_addr) 586 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 587 588 sm->wpa_auth = wpa_auth; 589 sm->group = wpa_auth->group; 590 wpa_group_get(sm->wpa_auth, sm->group); 591 592 return sm; 593 } 594 595 596 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 597 struct wpa_state_machine *sm) 598 { 599 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 600 return -1; 601 602 #ifdef CONFIG_IEEE80211R 603 if (sm->ft_completed) { 604 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 605 "FT authentication already completed - do not " 606 "start 4-way handshake"); 607 /* Go to PTKINITDONE state to allow GTK rekeying */ 608 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 609 return 0; 610 } 611 #endif /* CONFIG_IEEE80211R */ 612 613 if (sm->started) { 614 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 615 sm->ReAuthenticationRequest = TRUE; 616 return wpa_sm_step(sm); 617 } 618 619 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 620 "start authentication"); 621 sm->started = 1; 622 623 sm->Init = TRUE; 624 if (wpa_sm_step(sm) == 1) 625 return 1; /* should not really happen */ 626 sm->Init = FALSE; 627 sm->AuthenticationRequest = TRUE; 628 return wpa_sm_step(sm); 629 } 630 631 632 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 633 { 634 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 635 * reassociates back to the same AP while the previous entry for the 636 * STA has not yet been removed. */ 637 if (sm == NULL) 638 return; 639 640 sm->wpa_key_mgmt = 0; 641 } 642 643 644 static void wpa_free_sta_sm(struct wpa_state_machine *sm) 645 { 646 #ifdef CONFIG_P2P 647 if (WPA_GET_BE32(sm->ip_addr)) { 648 u32 start; 649 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 650 "address %u.%u.%u.%u from " MACSTR, 651 sm->ip_addr[0], sm->ip_addr[1], 652 sm->ip_addr[2], sm->ip_addr[3], 653 MAC2STR(sm->addr)); 654 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 655 bitfield_clear(sm->wpa_auth->ip_pool, 656 WPA_GET_BE32(sm->ip_addr) - start); 657 } 658 #endif /* CONFIG_P2P */ 659 if (sm->GUpdateStationKeys) { 660 sm->group->GKeyDoneStations--; 661 sm->GUpdateStationKeys = FALSE; 662 } 663 #ifdef CONFIG_IEEE80211R 664 os_free(sm->assoc_resp_ftie); 665 wpabuf_free(sm->ft_pending_req_ies); 666 #endif /* CONFIG_IEEE80211R */ 667 os_free(sm->last_rx_eapol_key); 668 os_free(sm->wpa_ie); 669 wpa_group_put(sm->wpa_auth, sm->group); 670 os_free(sm); 671 } 672 673 674 void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 675 { 676 if (sm == NULL) 677 return; 678 679 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 680 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 681 "strict rekeying - force GTK rekey since STA " 682 "is leaving"); 683 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 684 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 685 NULL); 686 } 687 688 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 689 sm->pending_1_of_4_timeout = 0; 690 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 691 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 692 if (sm->in_step_loop) { 693 /* Must not free state machine while wpa_sm_step() is running. 694 * Freeing will be completed in the end of wpa_sm_step(). */ 695 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 696 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 697 sm->pending_deinit = 1; 698 } else 699 wpa_free_sta_sm(sm); 700 } 701 702 703 static void wpa_request_new_ptk(struct wpa_state_machine *sm) 704 { 705 if (sm == NULL) 706 return; 707 708 sm->PTKRequest = TRUE; 709 sm->PTK_valid = 0; 710 } 711 712 713 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 714 const u8 *replay_counter) 715 { 716 int i; 717 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 718 if (!ctr[i].valid) 719 break; 720 if (os_memcmp(replay_counter, ctr[i].counter, 721 WPA_REPLAY_COUNTER_LEN) == 0) 722 return 1; 723 } 724 return 0; 725 } 726 727 728 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 729 const u8 *replay_counter) 730 { 731 int i; 732 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 733 if (ctr[i].valid && 734 (replay_counter == NULL || 735 os_memcmp(replay_counter, ctr[i].counter, 736 WPA_REPLAY_COUNTER_LEN) == 0)) 737 ctr[i].valid = FALSE; 738 } 739 } 740 741 742 #ifdef CONFIG_IEEE80211R 743 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 744 struct wpa_state_machine *sm, 745 struct wpa_eapol_ie_parse *kde) 746 { 747 struct wpa_ie_data ie; 748 struct rsn_mdie *mdie; 749 750 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 751 ie.num_pmkid != 1 || ie.pmkid == NULL) { 752 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 753 "FT 4-way handshake message 2/4"); 754 return -1; 755 } 756 757 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 758 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 759 sm->sup_pmk_r1_name, PMKID_LEN); 760 761 if (!kde->mdie || !kde->ftie) { 762 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 763 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 764 return -1; 765 } 766 767 mdie = (struct rsn_mdie *) (kde->mdie + 2); 768 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 769 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 770 MOBILITY_DOMAIN_ID_LEN) != 0) { 771 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 772 return -1; 773 } 774 775 if (sm->assoc_resp_ftie && 776 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 777 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 778 2 + sm->assoc_resp_ftie[1]) != 0)) { 779 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 780 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 781 kde->ftie, kde->ftie_len); 782 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 783 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 784 return -1; 785 } 786 787 return 0; 788 } 789 #endif /* CONFIG_IEEE80211R */ 790 791 792 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 793 struct wpa_state_machine *sm, int group) 794 { 795 /* Supplicant reported a Michael MIC error */ 796 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 797 "received EAPOL-Key Error Request " 798 "(STA detected Michael MIC failure (group=%d))", 799 group); 800 801 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 802 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 803 "ignore Michael MIC failure report since " 804 "group cipher is not TKIP"); 805 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 806 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 807 "ignore Michael MIC failure report since " 808 "pairwise cipher is not TKIP"); 809 } else { 810 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 811 return 1; /* STA entry was removed */ 812 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 813 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 814 } 815 816 /* 817 * Error report is not a request for a new key handshake, but since 818 * Authenticator may do it, let's change the keys now anyway. 819 */ 820 wpa_request_new_ptk(sm); 821 return 0; 822 } 823 824 825 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 826 size_t data_len) 827 { 828 struct wpa_ptk PTK; 829 int ok = 0; 830 const u8 *pmk = NULL; 831 unsigned int pmk_len; 832 833 for (;;) { 834 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 835 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 836 sm->p2p_dev_addr, pmk); 837 if (pmk == NULL) 838 break; 839 pmk_len = PMK_LEN; 840 } else { 841 pmk = sm->PMK; 842 pmk_len = sm->pmk_len; 843 } 844 845 wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK); 846 847 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len) 848 == 0) { 849 ok = 1; 850 break; 851 } 852 853 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 854 break; 855 } 856 857 if (!ok) { 858 wpa_printf(MSG_DEBUG, 859 "WPA: Earlier SNonce did not result in matching MIC"); 860 return -1; 861 } 862 863 wpa_printf(MSG_DEBUG, 864 "WPA: Earlier SNonce resulted in matching MIC"); 865 sm->alt_snonce_valid = 0; 866 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 867 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 868 sm->PTK_valid = TRUE; 869 870 return 0; 871 } 872 873 874 void wpa_receive(struct wpa_authenticator *wpa_auth, 875 struct wpa_state_machine *sm, 876 u8 *data, size_t data_len) 877 { 878 struct ieee802_1x_hdr *hdr; 879 struct wpa_eapol_key *key; 880 struct wpa_eapol_key_192 *key192; 881 u16 key_info, key_data_length; 882 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 883 SMK_M1, SMK_M3, SMK_ERROR } msg; 884 char *msgtxt; 885 struct wpa_eapol_ie_parse kde; 886 int ft; 887 const u8 *eapol_key_ie, *key_data; 888 size_t eapol_key_ie_len, keyhdrlen, mic_len; 889 890 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 891 return; 892 893 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 894 keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key); 895 896 if (data_len < sizeof(*hdr) + keyhdrlen) 897 return; 898 899 hdr = (struct ieee802_1x_hdr *) data; 900 key = (struct wpa_eapol_key *) (hdr + 1); 901 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 902 key_info = WPA_GET_BE16(key->key_info); 903 if (mic_len == 24) { 904 key_data = (const u8 *) (key192 + 1); 905 key_data_length = WPA_GET_BE16(key192->key_data_length); 906 } else { 907 key_data = (const u8 *) (key + 1); 908 key_data_length = WPA_GET_BE16(key->key_data_length); 909 } 910 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 911 " key_info=0x%x type=%u key_data_length=%u", 912 MAC2STR(sm->addr), key_info, key->type, key_data_length); 913 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 914 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 915 "key_data overflow (%d > %lu)", 916 key_data_length, 917 (unsigned long) (data_len - sizeof(*hdr) - 918 keyhdrlen)); 919 return; 920 } 921 922 if (sm->wpa == WPA_VERSION_WPA2) { 923 if (key->type == EAPOL_KEY_TYPE_WPA) { 924 /* 925 * Some deployed station implementations seem to send 926 * msg 4/4 with incorrect type value in WPA2 mode. 927 */ 928 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 929 "with unexpected WPA type in RSN mode"); 930 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 931 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 932 "unexpected type %d in RSN mode", 933 key->type); 934 return; 935 } 936 } else { 937 if (key->type != EAPOL_KEY_TYPE_WPA) { 938 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 939 "unexpected type %d in WPA mode", 940 key->type); 941 return; 942 } 943 } 944 945 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 946 WPA_NONCE_LEN); 947 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 948 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 949 950 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 951 * are set */ 952 953 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 954 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 955 if (key_info & WPA_KEY_INFO_ERROR) { 956 msg = SMK_ERROR; 957 msgtxt = "SMK Error"; 958 } else { 959 msg = SMK_M1; 960 msgtxt = "SMK M1"; 961 } 962 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 963 msg = SMK_M3; 964 msgtxt = "SMK M3"; 965 } else if (key_info & WPA_KEY_INFO_REQUEST) { 966 msg = REQUEST; 967 msgtxt = "Request"; 968 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 969 msg = GROUP_2; 970 msgtxt = "2/2 Group"; 971 } else if (key_data_length == 0) { 972 msg = PAIRWISE_4; 973 msgtxt = "4/4 Pairwise"; 974 } else { 975 msg = PAIRWISE_2; 976 msgtxt = "2/4 Pairwise"; 977 } 978 979 /* TODO: key_info type validation for PeerKey */ 980 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 981 msg == GROUP_2) { 982 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 983 if (sm->pairwise == WPA_CIPHER_CCMP || 984 sm->pairwise == WPA_CIPHER_GCMP) { 985 if (wpa_use_aes_cmac(sm) && 986 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN && 987 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 988 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 989 wpa_auth_logger(wpa_auth, sm->addr, 990 LOGGER_WARNING, 991 "advertised support for " 992 "AES-128-CMAC, but did not " 993 "use it"); 994 return; 995 } 996 997 if (!wpa_use_aes_cmac(sm) && 998 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 999 wpa_auth_logger(wpa_auth, sm->addr, 1000 LOGGER_WARNING, 1001 "did not use HMAC-SHA1-AES " 1002 "with CCMP/GCMP"); 1003 return; 1004 } 1005 } 1006 1007 if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 1008 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1009 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1010 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1011 return; 1012 } 1013 } 1014 1015 if (key_info & WPA_KEY_INFO_REQUEST) { 1016 if (sm->req_replay_counter_used && 1017 os_memcmp(key->replay_counter, sm->req_replay_counter, 1018 WPA_REPLAY_COUNTER_LEN) <= 0) { 1019 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1020 "received EAPOL-Key request with " 1021 "replayed counter"); 1022 return; 1023 } 1024 } 1025 1026 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1027 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1028 int i; 1029 1030 if (msg == PAIRWISE_2 && 1031 wpa_replay_counter_valid(sm->prev_key_replay, 1032 key->replay_counter) && 1033 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1034 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1035 { 1036 /* 1037 * Some supplicant implementations (e.g., Windows XP 1038 * WZC) update SNonce for each EAPOL-Key 2/4. This 1039 * breaks the workaround on accepting any of the 1040 * pending requests, so allow the SNonce to be updated 1041 * even if we have already sent out EAPOL-Key 3/4. 1042 */ 1043 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1044 "Process SNonce update from STA " 1045 "based on retransmitted EAPOL-Key " 1046 "1/4"); 1047 sm->update_snonce = 1; 1048 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1049 sm->alt_snonce_valid = TRUE; 1050 os_memcpy(sm->alt_replay_counter, 1051 sm->key_replay[0].counter, 1052 WPA_REPLAY_COUNTER_LEN); 1053 goto continue_processing; 1054 } 1055 1056 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1057 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1058 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1059 WPA_REPLAY_COUNTER_LEN) == 0) { 1060 /* 1061 * Supplicant may still be using the old SNonce since 1062 * there was two EAPOL-Key 2/4 messages and they had 1063 * different SNonce values. 1064 */ 1065 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1066 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1067 goto continue_processing; 1068 } 1069 1070 if (msg == PAIRWISE_2 && 1071 wpa_replay_counter_valid(sm->prev_key_replay, 1072 key->replay_counter) && 1073 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1074 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1075 "ignore retransmitted EAPOL-Key %s - " 1076 "SNonce did not change", msgtxt); 1077 } else { 1078 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1079 "received EAPOL-Key %s with " 1080 "unexpected replay counter", msgtxt); 1081 } 1082 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1083 if (!sm->key_replay[i].valid) 1084 break; 1085 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1086 sm->key_replay[i].counter, 1087 WPA_REPLAY_COUNTER_LEN); 1088 } 1089 wpa_hexdump(MSG_DEBUG, "received replay counter", 1090 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1091 return; 1092 } 1093 1094 continue_processing: 1095 switch (msg) { 1096 case PAIRWISE_2: 1097 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1098 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1099 (!sm->update_snonce || 1100 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1101 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1102 "received EAPOL-Key msg 2/4 in " 1103 "invalid state (%d) - dropped", 1104 sm->wpa_ptk_state); 1105 return; 1106 } 1107 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1108 if (sm->group->reject_4way_hs_for_entropy) { 1109 /* 1110 * The system did not have enough entropy to generate 1111 * strong random numbers. Reject the first 4-way 1112 * handshake(s) and collect some entropy based on the 1113 * information from it. Once enough entropy is 1114 * available, the next atempt will trigger GMK/Key 1115 * Counter update and the station will be allowed to 1116 * continue. 1117 */ 1118 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1119 "collect more entropy for random number " 1120 "generation"); 1121 random_mark_pool_ready(); 1122 wpa_sta_disconnect(wpa_auth, sm->addr); 1123 return; 1124 } 1125 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 1126 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1127 "received EAPOL-Key msg 2/4 with " 1128 "invalid Key Data contents"); 1129 return; 1130 } 1131 if (kde.rsn_ie) { 1132 eapol_key_ie = kde.rsn_ie; 1133 eapol_key_ie_len = kde.rsn_ie_len; 1134 } else if (kde.osen) { 1135 eapol_key_ie = kde.osen; 1136 eapol_key_ie_len = kde.osen_len; 1137 } else { 1138 eapol_key_ie = kde.wpa_ie; 1139 eapol_key_ie_len = kde.wpa_ie_len; 1140 } 1141 ft = sm->wpa == WPA_VERSION_WPA2 && 1142 wpa_key_mgmt_ft(sm->wpa_key_mgmt); 1143 if (sm->wpa_ie == NULL || 1144 wpa_compare_rsn_ie(ft, 1145 sm->wpa_ie, sm->wpa_ie_len, 1146 eapol_key_ie, eapol_key_ie_len)) { 1147 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1148 "WPA IE from (Re)AssocReq did not " 1149 "match with msg 2/4"); 1150 if (sm->wpa_ie) { 1151 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 1152 sm->wpa_ie, sm->wpa_ie_len); 1153 } 1154 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 1155 eapol_key_ie, eapol_key_ie_len); 1156 /* MLME-DEAUTHENTICATE.request */ 1157 wpa_sta_disconnect(wpa_auth, sm->addr); 1158 return; 1159 } 1160 #ifdef CONFIG_IEEE80211R 1161 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 1162 wpa_sta_disconnect(wpa_auth, sm->addr); 1163 return; 1164 } 1165 #endif /* CONFIG_IEEE80211R */ 1166 #ifdef CONFIG_P2P 1167 if (kde.ip_addr_req && kde.ip_addr_req[0] && 1168 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 1169 int idx; 1170 wpa_printf(MSG_DEBUG, "P2P: IP address requested in " 1171 "EAPOL-Key exchange"); 1172 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 1173 if (idx >= 0) { 1174 u32 start = WPA_GET_BE32(wpa_auth->conf. 1175 ip_addr_start); 1176 bitfield_set(wpa_auth->ip_pool, idx); 1177 WPA_PUT_BE32(sm->ip_addr, start + idx); 1178 wpa_printf(MSG_DEBUG, "P2P: Assigned IP " 1179 "address %u.%u.%u.%u to " MACSTR, 1180 sm->ip_addr[0], sm->ip_addr[1], 1181 sm->ip_addr[2], sm->ip_addr[3], 1182 MAC2STR(sm->addr)); 1183 } 1184 } 1185 #endif /* CONFIG_P2P */ 1186 break; 1187 case PAIRWISE_4: 1188 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1189 !sm->PTK_valid) { 1190 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1191 "received EAPOL-Key msg 4/4 in " 1192 "invalid state (%d) - dropped", 1193 sm->wpa_ptk_state); 1194 return; 1195 } 1196 break; 1197 case GROUP_2: 1198 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1199 || !sm->PTK_valid) { 1200 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1201 "received EAPOL-Key msg 2/2 in " 1202 "invalid state (%d) - dropped", 1203 sm->wpa_ptk_group_state); 1204 return; 1205 } 1206 break; 1207 #ifdef CONFIG_PEERKEY 1208 case SMK_M1: 1209 case SMK_M3: 1210 case SMK_ERROR: 1211 if (!wpa_auth->conf.peerkey) { 1212 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1213 "PeerKey use disabled - ignoring message"); 1214 return; 1215 } 1216 if (!sm->PTK_valid) { 1217 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1218 "received EAPOL-Key msg SMK in " 1219 "invalid state - dropped"); 1220 return; 1221 } 1222 break; 1223 #else /* CONFIG_PEERKEY */ 1224 case SMK_M1: 1225 case SMK_M3: 1226 case SMK_ERROR: 1227 return; /* STSL disabled - ignore SMK messages */ 1228 #endif /* CONFIG_PEERKEY */ 1229 case REQUEST: 1230 break; 1231 } 1232 1233 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1234 "received EAPOL-Key frame (%s)", msgtxt); 1235 1236 if (key_info & WPA_KEY_INFO_ACK) { 1237 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1238 "received invalid EAPOL-Key: Key Ack set"); 1239 return; 1240 } 1241 1242 if (!(key_info & WPA_KEY_INFO_MIC)) { 1243 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1244 "received invalid EAPOL-Key: Key MIC not set"); 1245 return; 1246 } 1247 1248 sm->MICVerified = FALSE; 1249 if (sm->PTK_valid && !sm->update_snonce) { 1250 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data, 1251 data_len) && 1252 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1253 wpa_try_alt_snonce(sm, data, data_len))) { 1254 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1255 "received EAPOL-Key with invalid MIC"); 1256 return; 1257 } 1258 sm->MICVerified = TRUE; 1259 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1260 sm->pending_1_of_4_timeout = 0; 1261 } 1262 1263 if (key_info & WPA_KEY_INFO_REQUEST) { 1264 if (sm->MICVerified) { 1265 sm->req_replay_counter_used = 1; 1266 os_memcpy(sm->req_replay_counter, key->replay_counter, 1267 WPA_REPLAY_COUNTER_LEN); 1268 } else { 1269 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1270 "received EAPOL-Key request with " 1271 "invalid MIC"); 1272 return; 1273 } 1274 1275 /* 1276 * TODO: should decrypt key data field if encryption was used; 1277 * even though MAC address KDE is not normally encrypted, 1278 * supplicant is allowed to encrypt it. 1279 */ 1280 if (msg == SMK_ERROR) { 1281 #ifdef CONFIG_PEERKEY 1282 wpa_smk_error(wpa_auth, sm, key_data, key_data_length); 1283 #endif /* CONFIG_PEERKEY */ 1284 return; 1285 } else if (key_info & WPA_KEY_INFO_ERROR) { 1286 if (wpa_receive_error_report( 1287 wpa_auth, sm, 1288 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1289 return; /* STA entry was removed */ 1290 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1291 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1292 "received EAPOL-Key Request for new " 1293 "4-Way Handshake"); 1294 wpa_request_new_ptk(sm); 1295 #ifdef CONFIG_PEERKEY 1296 } else if (msg == SMK_M1) { 1297 wpa_smk_m1(wpa_auth, sm, key, key_data, 1298 key_data_length); 1299 #endif /* CONFIG_PEERKEY */ 1300 } else if (key_data_length > 0 && 1301 wpa_parse_kde_ies(key_data, key_data_length, 1302 &kde) == 0 && 1303 kde.mac_addr) { 1304 } else { 1305 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1306 "received EAPOL-Key Request for GTK " 1307 "rekeying"); 1308 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1309 wpa_rekey_gtk(wpa_auth, NULL); 1310 } 1311 } else { 1312 /* Do not allow the same key replay counter to be reused. */ 1313 wpa_replay_counter_mark_invalid(sm->key_replay, 1314 key->replay_counter); 1315 1316 if (msg == PAIRWISE_2) { 1317 /* 1318 * Maintain a copy of the pending EAPOL-Key frames in 1319 * case the EAPOL-Key frame was retransmitted. This is 1320 * needed to allow EAPOL-Key msg 2/4 reply to another 1321 * pending msg 1/4 to update the SNonce to work around 1322 * unexpected supplicant behavior. 1323 */ 1324 os_memcpy(sm->prev_key_replay, sm->key_replay, 1325 sizeof(sm->key_replay)); 1326 } else { 1327 os_memset(sm->prev_key_replay, 0, 1328 sizeof(sm->prev_key_replay)); 1329 } 1330 1331 /* 1332 * Make sure old valid counters are not accepted anymore and 1333 * do not get copied again. 1334 */ 1335 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1336 } 1337 1338 #ifdef CONFIG_PEERKEY 1339 if (msg == SMK_M3) { 1340 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length); 1341 return; 1342 } 1343 #endif /* CONFIG_PEERKEY */ 1344 1345 os_free(sm->last_rx_eapol_key); 1346 sm->last_rx_eapol_key = os_malloc(data_len); 1347 if (sm->last_rx_eapol_key == NULL) 1348 return; 1349 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1350 sm->last_rx_eapol_key_len = data_len; 1351 1352 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1353 sm->EAPOLKeyReceived = TRUE; 1354 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1355 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1356 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1357 wpa_sm_step(sm); 1358 } 1359 1360 1361 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1362 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1363 { 1364 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1365 u8 *pos; 1366 int ret = 0; 1367 1368 /* GTK = PRF-X(GMK, "Group key expansion", 1369 * AA || GNonce || Time || random data) 1370 * The example described in the IEEE 802.11 standard uses only AA and 1371 * GNonce as inputs here. Add some more entropy since this derivation 1372 * is done only at the Authenticator and as such, does not need to be 1373 * exactly same. 1374 */ 1375 os_memcpy(data, addr, ETH_ALEN); 1376 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1377 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1378 wpa_get_ntp_timestamp(pos); 1379 pos += 8; 1380 if (random_get_bytes(pos, 16) < 0) 1381 ret = -1; 1382 1383 #ifdef CONFIG_IEEE80211W 1384 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1385 #else /* CONFIG_IEEE80211W */ 1386 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1387 < 0) 1388 ret = -1; 1389 #endif /* CONFIG_IEEE80211W */ 1390 1391 return ret; 1392 } 1393 1394 1395 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1396 { 1397 struct wpa_authenticator *wpa_auth = eloop_ctx; 1398 struct wpa_state_machine *sm = timeout_ctx; 1399 1400 sm->pending_1_of_4_timeout = 0; 1401 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1402 sm->TimeoutEvt = TRUE; 1403 wpa_sm_step(sm); 1404 } 1405 1406 1407 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1408 struct wpa_state_machine *sm, int key_info, 1409 const u8 *key_rsc, const u8 *nonce, 1410 const u8 *kde, size_t kde_len, 1411 int keyidx, int encr, int force_version) 1412 { 1413 struct ieee802_1x_hdr *hdr; 1414 struct wpa_eapol_key *key; 1415 struct wpa_eapol_key_192 *key192; 1416 size_t len, mic_len, keyhdrlen; 1417 int alg; 1418 int key_data_len, pad_len = 0; 1419 u8 *buf, *pos; 1420 int version, pairwise; 1421 int i; 1422 u8 *key_data; 1423 1424 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 1425 keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key); 1426 1427 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1428 1429 if (force_version) 1430 version = force_version; 1431 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1432 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) 1433 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1434 else if (wpa_use_aes_cmac(sm)) 1435 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1436 else if (sm->pairwise != WPA_CIPHER_TKIP) 1437 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1438 else 1439 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1440 1441 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1442 1443 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1444 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1445 "encr=%d)", 1446 version, 1447 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1448 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1449 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1450 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1451 pairwise, (unsigned long) kde_len, keyidx, encr); 1452 1453 key_data_len = kde_len; 1454 1455 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1456 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1457 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1458 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1459 pad_len = key_data_len % 8; 1460 if (pad_len) 1461 pad_len = 8 - pad_len; 1462 key_data_len += pad_len + 8; 1463 } 1464 1465 len += key_data_len; 1466 1467 hdr = os_zalloc(len); 1468 if (hdr == NULL) 1469 return; 1470 hdr->version = wpa_auth->conf.eapol_version; 1471 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1472 hdr->length = host_to_be16(len - sizeof(*hdr)); 1473 key = (struct wpa_eapol_key *) (hdr + 1); 1474 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 1475 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1476 1477 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1478 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1479 key_info |= version; 1480 if (encr && sm->wpa == WPA_VERSION_WPA2) 1481 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1482 if (sm->wpa != WPA_VERSION_WPA2) 1483 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1484 WPA_PUT_BE16(key->key_info, key_info); 1485 1486 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1487 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1488 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) 1489 WPA_PUT_BE16(key->key_length, 0); 1490 1491 /* FIX: STSL: what to use as key_replay_counter? */ 1492 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1493 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1494 os_memcpy(sm->key_replay[i].counter, 1495 sm->key_replay[i - 1].counter, 1496 WPA_REPLAY_COUNTER_LEN); 1497 } 1498 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1499 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1500 WPA_REPLAY_COUNTER_LEN); 1501 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1502 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1503 sm->key_replay[0].valid = TRUE; 1504 1505 if (nonce) 1506 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1507 1508 if (key_rsc) 1509 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1510 1511 if (kde && !encr) { 1512 os_memcpy(key_data, kde, kde_len); 1513 if (mic_len == 24) 1514 WPA_PUT_BE16(key192->key_data_length, kde_len); 1515 else 1516 WPA_PUT_BE16(key->key_data_length, kde_len); 1517 } else if (encr && kde) { 1518 buf = os_zalloc(key_data_len); 1519 if (buf == NULL) { 1520 os_free(hdr); 1521 return; 1522 } 1523 pos = buf; 1524 os_memcpy(pos, kde, kde_len); 1525 pos += kde_len; 1526 1527 if (pad_len) 1528 *pos++ = 0xdd; 1529 1530 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1531 buf, key_data_len); 1532 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1533 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1534 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1535 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1536 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1537 (key_data_len - 8) / 8, buf, key_data)) { 1538 os_free(hdr); 1539 os_free(buf); 1540 return; 1541 } 1542 if (mic_len == 24) 1543 WPA_PUT_BE16(key192->key_data_length, 1544 key_data_len); 1545 else 1546 WPA_PUT_BE16(key->key_data_length, 1547 key_data_len); 1548 #ifndef CONFIG_NO_RC4 1549 } else if (sm->PTK.kek_len == 16) { 1550 u8 ek[32]; 1551 os_memcpy(key->key_iv, 1552 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1553 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1554 os_memcpy(ek, key->key_iv, 16); 1555 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1556 os_memcpy(key_data, buf, key_data_len); 1557 rc4_skip(ek, 32, 256, key_data, key_data_len); 1558 if (mic_len == 24) 1559 WPA_PUT_BE16(key192->key_data_length, 1560 key_data_len); 1561 else 1562 WPA_PUT_BE16(key->key_data_length, 1563 key_data_len); 1564 #endif /* CONFIG_NO_RC4 */ 1565 } else { 1566 os_free(hdr); 1567 os_free(buf); 1568 return; 1569 } 1570 os_free(buf); 1571 } 1572 1573 if (key_info & WPA_KEY_INFO_MIC) { 1574 u8 *key_mic; 1575 1576 if (!sm->PTK_valid) { 1577 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1578 "PTK not valid when sending EAPOL-Key " 1579 "frame"); 1580 os_free(hdr); 1581 return; 1582 } 1583 1584 key_mic = key192->key_mic; /* same offset for key and key192 */ 1585 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1586 sm->wpa_key_mgmt, version, 1587 (u8 *) hdr, len, key_mic); 1588 #ifdef CONFIG_TESTING_OPTIONS 1589 if (!pairwise && 1590 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1591 drand48() < 1592 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1593 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1594 "Corrupting group EAPOL-Key Key MIC"); 1595 key_mic[0]++; 1596 } 1597 #endif /* CONFIG_TESTING_OPTIONS */ 1598 } 1599 1600 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1601 1); 1602 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1603 sm->pairwise_set); 1604 os_free(hdr); 1605 } 1606 1607 1608 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1609 struct wpa_state_machine *sm, int key_info, 1610 const u8 *key_rsc, const u8 *nonce, 1611 const u8 *kde, size_t kde_len, 1612 int keyidx, int encr) 1613 { 1614 int timeout_ms; 1615 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1616 int ctr; 1617 1618 if (sm == NULL) 1619 return; 1620 1621 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1622 keyidx, encr, 0); 1623 1624 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1625 if (ctr == 1 && wpa_auth->conf.tx_status) 1626 timeout_ms = pairwise ? eapol_key_timeout_first : 1627 eapol_key_timeout_first_group; 1628 else 1629 timeout_ms = eapol_key_timeout_subseq; 1630 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1631 sm->pending_1_of_4_timeout = 1; 1632 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1633 "counter %d)", timeout_ms, ctr); 1634 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1635 wpa_send_eapol_timeout, wpa_auth, sm); 1636 } 1637 1638 1639 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 1640 size_t data_len) 1641 { 1642 struct ieee802_1x_hdr *hdr; 1643 struct wpa_eapol_key *key; 1644 struct wpa_eapol_key_192 *key192; 1645 u16 key_info; 1646 int ret = 0; 1647 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 1648 size_t mic_len = wpa_mic_len(akmp); 1649 1650 if (data_len < sizeof(*hdr) + sizeof(*key)) 1651 return -1; 1652 1653 hdr = (struct ieee802_1x_hdr *) data; 1654 key = (struct wpa_eapol_key *) (hdr + 1); 1655 key192 = (struct wpa_eapol_key_192 *) (hdr + 1); 1656 key_info = WPA_GET_BE16(key->key_info); 1657 os_memcpy(mic, key192->key_mic, mic_len); 1658 os_memset(key192->key_mic, 0, mic_len); 1659 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1660 key_info & WPA_KEY_INFO_TYPE_MASK, 1661 data, data_len, key192->key_mic) || 1662 os_memcmp_const(mic, key192->key_mic, mic_len) != 0) 1663 ret = -1; 1664 os_memcpy(key192->key_mic, mic, mic_len); 1665 return ret; 1666 } 1667 1668 1669 void wpa_remove_ptk(struct wpa_state_machine *sm) 1670 { 1671 sm->PTK_valid = FALSE; 1672 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1673 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0); 1674 sm->pairwise_set = FALSE; 1675 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1676 } 1677 1678 1679 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1680 { 1681 int remove_ptk = 1; 1682 1683 if (sm == NULL) 1684 return -1; 1685 1686 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1687 "event %d notification", event); 1688 1689 switch (event) { 1690 case WPA_AUTH: 1691 #ifdef CONFIG_MESH 1692 /* PTKs are derived through AMPE */ 1693 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1694 /* not mesh */ 1695 break; 1696 } 1697 return 0; 1698 #endif /* CONFIG_MESH */ 1699 case WPA_ASSOC: 1700 break; 1701 case WPA_DEAUTH: 1702 case WPA_DISASSOC: 1703 sm->DeauthenticationRequest = TRUE; 1704 break; 1705 case WPA_REAUTH: 1706 case WPA_REAUTH_EAPOL: 1707 if (!sm->started) { 1708 /* 1709 * When using WPS, we may end up here if the STA 1710 * manages to re-associate without the previous STA 1711 * entry getting removed. Consequently, we need to make 1712 * sure that the WPA state machines gets initialized 1713 * properly at this point. 1714 */ 1715 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1716 "started - initialize now"); 1717 sm->started = 1; 1718 sm->Init = TRUE; 1719 if (wpa_sm_step(sm) == 1) 1720 return 1; /* should not really happen */ 1721 sm->Init = FALSE; 1722 sm->AuthenticationRequest = TRUE; 1723 break; 1724 } 1725 if (sm->GUpdateStationKeys) { 1726 /* 1727 * Reauthentication cancels the pending group key 1728 * update for this STA. 1729 */ 1730 sm->group->GKeyDoneStations--; 1731 sm->GUpdateStationKeys = FALSE; 1732 sm->PtkGroupInit = TRUE; 1733 } 1734 sm->ReAuthenticationRequest = TRUE; 1735 break; 1736 case WPA_ASSOC_FT: 1737 #ifdef CONFIG_IEEE80211R 1738 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1739 "after association"); 1740 wpa_ft_install_ptk(sm); 1741 1742 /* Using FT protocol, not WPA auth state machine */ 1743 sm->ft_completed = 1; 1744 return 0; 1745 #else /* CONFIG_IEEE80211R */ 1746 break; 1747 #endif /* CONFIG_IEEE80211R */ 1748 case WPA_DRV_STA_REMOVED: 1749 sm->tk_already_set = FALSE; 1750 return 0; 1751 } 1752 1753 #ifdef CONFIG_IEEE80211R 1754 sm->ft_completed = 0; 1755 #endif /* CONFIG_IEEE80211R */ 1756 1757 #ifdef CONFIG_IEEE80211W 1758 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1759 remove_ptk = 0; 1760 #endif /* CONFIG_IEEE80211W */ 1761 1762 if (remove_ptk) { 1763 sm->PTK_valid = FALSE; 1764 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1765 1766 if (event != WPA_REAUTH_EAPOL) 1767 wpa_remove_ptk(sm); 1768 } 1769 1770 if (sm->in_step_loop) { 1771 /* 1772 * wpa_sm_step() is already running - avoid recursive call to 1773 * it by making the existing loop process the new update. 1774 */ 1775 sm->changed = TRUE; 1776 return 0; 1777 } 1778 return wpa_sm_step(sm); 1779 } 1780 1781 1782 SM_STATE(WPA_PTK, INITIALIZE) 1783 { 1784 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1785 if (sm->Init) { 1786 /* Init flag is not cleared here, so avoid busy 1787 * loop by claiming nothing changed. */ 1788 sm->changed = FALSE; 1789 } 1790 1791 sm->keycount = 0; 1792 if (sm->GUpdateStationKeys) 1793 sm->group->GKeyDoneStations--; 1794 sm->GUpdateStationKeys = FALSE; 1795 if (sm->wpa == WPA_VERSION_WPA) 1796 sm->PInitAKeys = FALSE; 1797 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1798 * Local AA > Remote AA)) */) { 1799 sm->Pair = TRUE; 1800 } 1801 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1802 wpa_remove_ptk(sm); 1803 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1804 sm->TimeoutCtr = 0; 1805 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1806 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1807 WPA_EAPOL_authorized, 0); 1808 } 1809 } 1810 1811 1812 SM_STATE(WPA_PTK, DISCONNECT) 1813 { 1814 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1815 sm->Disconnect = FALSE; 1816 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1817 } 1818 1819 1820 SM_STATE(WPA_PTK, DISCONNECTED) 1821 { 1822 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1823 sm->DeauthenticationRequest = FALSE; 1824 } 1825 1826 1827 SM_STATE(WPA_PTK, AUTHENTICATION) 1828 { 1829 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1830 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1831 sm->PTK_valid = FALSE; 1832 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1833 1); 1834 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1835 sm->AuthenticationRequest = FALSE; 1836 } 1837 1838 1839 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1840 struct wpa_group *group) 1841 { 1842 if (group->first_sta_seen) 1843 return; 1844 /* 1845 * System has run bit further than at the time hostapd was started 1846 * potentially very early during boot up. This provides better chances 1847 * of collecting more randomness on embedded systems. Re-initialize the 1848 * GMK and Counter here to improve their strength if there was not 1849 * enough entropy available immediately after system startup. 1850 */ 1851 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1852 "station"); 1853 if (random_pool_ready() != 1) { 1854 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1855 "to proceed - reject first 4-way handshake"); 1856 group->reject_4way_hs_for_entropy = TRUE; 1857 } else { 1858 group->first_sta_seen = TRUE; 1859 group->reject_4way_hs_for_entropy = FALSE; 1860 } 1861 1862 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1863 wpa_gtk_update(wpa_auth, group) < 0 || 1864 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1865 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1866 group->first_sta_seen = FALSE; 1867 group->reject_4way_hs_for_entropy = TRUE; 1868 } 1869 } 1870 1871 1872 SM_STATE(WPA_PTK, AUTHENTICATION2) 1873 { 1874 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1875 1876 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1877 sm->ReAuthenticationRequest = FALSE; 1878 1879 /* 1880 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1881 * ambiguous. The Authenticator state machine uses a counter that is 1882 * incremented by one for each 4-way handshake. However, the security 1883 * analysis of 4-way handshake points out that unpredictable nonces 1884 * help in preventing precomputation attacks. Instead of the state 1885 * machine definition, use an unpredictable nonce value here to provide 1886 * stronger protection against potential precomputation attacks. 1887 */ 1888 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1889 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1890 "ANonce."); 1891 sm->Disconnect = TRUE; 1892 return; 1893 } 1894 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1895 WPA_NONCE_LEN); 1896 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1897 * logical place than INITIALIZE since AUTHENTICATION2 can be 1898 * re-entered on ReAuthenticationRequest without going through 1899 * INITIALIZE. */ 1900 sm->TimeoutCtr = 0; 1901 } 1902 1903 1904 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1905 { 1906 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1907 wpa_printf(MSG_ERROR, 1908 "WPA: Failed to get random data for ANonce"); 1909 sm->Disconnect = TRUE; 1910 return -1; 1911 } 1912 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1913 WPA_NONCE_LEN); 1914 sm->TimeoutCtr = 0; 1915 return 0; 1916 } 1917 1918 1919 SM_STATE(WPA_PTK, INITPMK) 1920 { 1921 u8 msk[2 * PMK_LEN]; 1922 size_t len = 2 * PMK_LEN; 1923 1924 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1925 #ifdef CONFIG_IEEE80211R 1926 sm->xxkey_len = 0; 1927 #endif /* CONFIG_IEEE80211R */ 1928 if (sm->pmksa) { 1929 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1930 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1931 sm->pmk_len = sm->pmksa->pmk_len; 1932 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1933 unsigned int pmk_len; 1934 1935 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) 1936 pmk_len = PMK_LEN_SUITE_B_192; 1937 else 1938 pmk_len = PMK_LEN; 1939 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1940 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 1941 pmk_len); 1942 if (len < pmk_len) { 1943 wpa_printf(MSG_DEBUG, 1944 "WPA: MSK not long enough (%u) to create PMK (%u)", 1945 (unsigned int) len, (unsigned int) pmk_len); 1946 sm->Disconnect = TRUE; 1947 return; 1948 } 1949 os_memcpy(sm->PMK, msk, pmk_len); 1950 sm->pmk_len = pmk_len; 1951 #ifdef CONFIG_IEEE80211R 1952 if (len >= 2 * PMK_LEN) { 1953 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1954 sm->xxkey_len = PMK_LEN; 1955 } 1956 #endif /* CONFIG_IEEE80211R */ 1957 } else { 1958 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 1959 sm->wpa_auth->cb.get_msk); 1960 sm->Disconnect = TRUE; 1961 return; 1962 } 1963 os_memset(msk, 0, sizeof(msk)); 1964 1965 sm->req_replay_counter_used = 0; 1966 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1967 * will break reauthentication since EAPOL state machines may not be 1968 * get into AUTHENTICATING state that clears keyRun before WPA state 1969 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1970 * state and takes PMK from the previously used AAA Key. This will 1971 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1972 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1973 * be good workaround for this issue. */ 1974 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1975 } 1976 1977 1978 SM_STATE(WPA_PTK, INITPSK) 1979 { 1980 const u8 *psk; 1981 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1982 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1983 if (psk) { 1984 os_memcpy(sm->PMK, psk, PMK_LEN); 1985 sm->pmk_len = PMK_LEN; 1986 #ifdef CONFIG_IEEE80211R 1987 os_memcpy(sm->xxkey, psk, PMK_LEN); 1988 sm->xxkey_len = PMK_LEN; 1989 #endif /* CONFIG_IEEE80211R */ 1990 } 1991 sm->req_replay_counter_used = 0; 1992 } 1993 1994 1995 SM_STATE(WPA_PTK, PTKSTART) 1996 { 1997 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1998 size_t pmkid_len = 0; 1999 2000 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2001 sm->PTKRequest = FALSE; 2002 sm->TimeoutEvt = FALSE; 2003 sm->alt_snonce_valid = FALSE; 2004 2005 sm->TimeoutCtr++; 2006 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 2007 /* No point in sending the EAPOL-Key - we will disconnect 2008 * immediately following this. */ 2009 return; 2010 } 2011 2012 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2013 "sending 1/4 msg of 4-Way Handshake"); 2014 /* 2015 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 2016 * one possible PSK for this STA. 2017 */ 2018 if (sm->wpa == WPA_VERSION_WPA2 && 2019 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2020 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2021 pmkid = buf; 2022 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2023 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2024 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2025 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2026 if (sm->pmksa) { 2027 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2028 sm->pmksa->pmkid, PMKID_LEN); 2029 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2030 /* No KCK available to derive PMKID */ 2031 pmkid = NULL; 2032 } else { 2033 /* 2034 * Calculate PMKID since no PMKSA cache entry was 2035 * available with pre-calculated PMKID. 2036 */ 2037 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2038 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2039 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 2040 } 2041 } 2042 wpa_send_eapol(sm->wpa_auth, sm, 2043 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2044 sm->ANonce, pmkid, pmkid_len, 0, 0); 2045 } 2046 2047 2048 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2049 const u8 *pmk, unsigned int pmk_len, 2050 struct wpa_ptk *ptk) 2051 { 2052 #ifdef CONFIG_IEEE80211R 2053 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2054 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2055 #endif /* CONFIG_IEEE80211R */ 2056 2057 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2058 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2059 ptk, sm->wpa_key_mgmt, sm->pairwise); 2060 } 2061 2062 2063 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2064 { 2065 struct wpa_ptk PTK; 2066 int ok = 0, psk_found = 0; 2067 const u8 *pmk = NULL; 2068 unsigned int pmk_len; 2069 2070 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2071 sm->EAPOLKeyReceived = FALSE; 2072 sm->update_snonce = FALSE; 2073 2074 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2075 * WPA-PSK: iterate through possible PSKs and select the one matching 2076 * the packet */ 2077 for (;;) { 2078 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2079 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2080 sm->p2p_dev_addr, pmk); 2081 if (pmk == NULL) 2082 break; 2083 psk_found = 1; 2084 pmk_len = PMK_LEN; 2085 } else { 2086 pmk = sm->PMK; 2087 pmk_len = sm->pmk_len; 2088 } 2089 2090 wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK); 2091 2092 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, 2093 sm->last_rx_eapol_key, 2094 sm->last_rx_eapol_key_len) == 0) { 2095 ok = 1; 2096 break; 2097 } 2098 2099 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 2100 break; 2101 } 2102 2103 if (!ok) { 2104 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2105 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2106 if (psk_found) 2107 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2108 return; 2109 } 2110 2111 #ifdef CONFIG_IEEE80211R 2112 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2113 /* 2114 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2115 * with the value we derived. 2116 */ 2117 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2118 WPA_PMK_NAME_LEN) != 0) { 2119 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2120 "PMKR1Name mismatch in FT 4-way " 2121 "handshake"); 2122 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2123 "Supplicant", 2124 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2125 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2126 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2127 return; 2128 } 2129 } 2130 #endif /* CONFIG_IEEE80211R */ 2131 2132 sm->pending_1_of_4_timeout = 0; 2133 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2134 2135 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2136 /* PSK may have changed from the previous choice, so update 2137 * state machine data based on whatever PSK was selected here. 2138 */ 2139 os_memcpy(sm->PMK, pmk, PMK_LEN); 2140 sm->pmk_len = PMK_LEN; 2141 } 2142 2143 sm->MICVerified = TRUE; 2144 2145 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2146 sm->PTK_valid = TRUE; 2147 } 2148 2149 2150 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2151 { 2152 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2153 sm->TimeoutCtr = 0; 2154 } 2155 2156 2157 #ifdef CONFIG_IEEE80211W 2158 2159 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2160 { 2161 if (sm->mgmt_frame_prot) { 2162 size_t len; 2163 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2164 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2165 } 2166 2167 return 0; 2168 } 2169 2170 2171 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2172 { 2173 struct wpa_igtk_kde igtk; 2174 struct wpa_group *gsm = sm->group; 2175 u8 rsc[WPA_KEY_RSC_LEN]; 2176 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2177 2178 if (!sm->mgmt_frame_prot) 2179 return pos; 2180 2181 igtk.keyid[0] = gsm->GN_igtk; 2182 igtk.keyid[1] = 0; 2183 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2184 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2185 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2186 else 2187 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2188 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2189 if (sm->wpa_auth->conf.disable_gtk) { 2190 /* 2191 * Provide unique random IGTK to each STA to prevent use of 2192 * IGTK in the BSS. 2193 */ 2194 if (random_get_bytes(igtk.igtk, len) < 0) 2195 return pos; 2196 } 2197 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2198 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2199 NULL, 0); 2200 2201 return pos; 2202 } 2203 2204 #else /* CONFIG_IEEE80211W */ 2205 2206 static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2207 { 2208 return 0; 2209 } 2210 2211 2212 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2213 { 2214 return pos; 2215 } 2216 2217 #endif /* CONFIG_IEEE80211W */ 2218 2219 2220 SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2221 { 2222 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2223 size_t gtk_len, kde_len; 2224 struct wpa_group *gsm = sm->group; 2225 u8 *wpa_ie; 2226 int wpa_ie_len, secure, keyidx, encr = 0; 2227 2228 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2229 sm->TimeoutEvt = FALSE; 2230 2231 sm->TimeoutCtr++; 2232 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) { 2233 /* No point in sending the EAPOL-Key - we will disconnect 2234 * immediately following this. */ 2235 return; 2236 } 2237 2238 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2239 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2240 */ 2241 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2242 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2243 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2244 wpa_ie = sm->wpa_auth->wpa_ie; 2245 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2246 if (sm->wpa == WPA_VERSION_WPA && 2247 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2248 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2249 /* WPA-only STA, remove RSN IE and possible MDIE */ 2250 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2251 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2252 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2253 wpa_ie_len = wpa_ie[1] + 2; 2254 } 2255 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2256 "sending 3/4 msg of 4-Way Handshake"); 2257 if (sm->wpa == WPA_VERSION_WPA2) { 2258 /* WPA2 send GTK in the 4-way handshake */ 2259 secure = 1; 2260 gtk = gsm->GTK[gsm->GN - 1]; 2261 gtk_len = gsm->GTK_len; 2262 if (sm->wpa_auth->conf.disable_gtk) { 2263 /* 2264 * Provide unique random GTK to each STA to prevent use 2265 * of GTK in the BSS. 2266 */ 2267 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2268 return; 2269 gtk = dummy_gtk; 2270 } 2271 keyidx = gsm->GN; 2272 _rsc = rsc; 2273 encr = 1; 2274 } else { 2275 /* WPA does not include GTK in msg 3/4 */ 2276 secure = 0; 2277 gtk = NULL; 2278 gtk_len = 0; 2279 keyidx = 0; 2280 _rsc = NULL; 2281 if (sm->rx_eapol_key_secure) { 2282 /* 2283 * It looks like Windows 7 supplicant tries to use 2284 * Secure bit in msg 2/4 after having reported Michael 2285 * MIC failure and it then rejects the 4-way handshake 2286 * if msg 3/4 does not set Secure bit. Work around this 2287 * by setting the Secure bit here even in the case of 2288 * WPA if the supplicant used it first. 2289 */ 2290 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2291 "STA used Secure bit in WPA msg 2/4 - " 2292 "set Secure for 3/4 as workaround"); 2293 secure = 1; 2294 } 2295 } 2296 2297 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2298 if (gtk) 2299 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2300 #ifdef CONFIG_IEEE80211R 2301 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2302 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2303 kde_len += 300; /* FTIE + 2 * TIE */ 2304 } 2305 #endif /* CONFIG_IEEE80211R */ 2306 #ifdef CONFIG_P2P 2307 if (WPA_GET_BE32(sm->ip_addr) > 0) 2308 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2309 #endif /* CONFIG_P2P */ 2310 kde = os_malloc(kde_len); 2311 if (kde == NULL) 2312 return; 2313 2314 pos = kde; 2315 os_memcpy(pos, wpa_ie, wpa_ie_len); 2316 pos += wpa_ie_len; 2317 #ifdef CONFIG_IEEE80211R 2318 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2319 int res; 2320 size_t elen; 2321 2322 elen = pos - kde; 2323 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 2324 if (res < 0) { 2325 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2326 "PMKR1Name into RSN IE in EAPOL-Key data"); 2327 os_free(kde); 2328 return; 2329 } 2330 pos -= wpa_ie_len; 2331 pos += elen; 2332 } 2333 #endif /* CONFIG_IEEE80211R */ 2334 if (gtk) { 2335 u8 hdr[2]; 2336 hdr[0] = keyidx & 0x03; 2337 hdr[1] = 0; 2338 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2339 gtk, gtk_len); 2340 } 2341 pos = ieee80211w_kde_add(sm, pos); 2342 2343 #ifdef CONFIG_IEEE80211R 2344 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2345 int res; 2346 struct wpa_auth_config *conf; 2347 2348 conf = &sm->wpa_auth->conf; 2349 if (sm->assoc_resp_ftie && 2350 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 2351 os_memcpy(pos, sm->assoc_resp_ftie, 2352 2 + sm->assoc_resp_ftie[1]); 2353 res = 2 + sm->assoc_resp_ftie[1]; 2354 } else { 2355 res = wpa_write_ftie(conf, conf->r0_key_holder, 2356 conf->r0_key_holder_len, 2357 NULL, NULL, pos, 2358 kde + kde_len - pos, 2359 NULL, 0); 2360 } 2361 if (res < 0) { 2362 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2363 "into EAPOL-Key Key Data"); 2364 os_free(kde); 2365 return; 2366 } 2367 pos += res; 2368 2369 /* TIE[ReassociationDeadline] (TU) */ 2370 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2371 *pos++ = 5; 2372 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2373 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2374 pos += 4; 2375 2376 /* TIE[KeyLifetime] (seconds) */ 2377 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2378 *pos++ = 5; 2379 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2380 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2381 pos += 4; 2382 } 2383 #endif /* CONFIG_IEEE80211R */ 2384 #ifdef CONFIG_P2P 2385 if (WPA_GET_BE32(sm->ip_addr) > 0) { 2386 u8 addr[3 * 4]; 2387 os_memcpy(addr, sm->ip_addr, 4); 2388 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 2389 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 2390 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 2391 addr, sizeof(addr), NULL, 0); 2392 } 2393 #endif /* CONFIG_P2P */ 2394 2395 wpa_send_eapol(sm->wpa_auth, sm, 2396 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC | 2397 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2398 WPA_KEY_INFO_KEY_TYPE, 2399 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2400 os_free(kde); 2401 } 2402 2403 2404 SM_STATE(WPA_PTK, PTKINITDONE) 2405 { 2406 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2407 sm->EAPOLKeyReceived = FALSE; 2408 if (sm->Pair) { 2409 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2410 int klen = wpa_cipher_key_len(sm->pairwise); 2411 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2412 sm->PTK.tk, klen)) { 2413 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2414 return; 2415 } 2416 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2417 sm->pairwise_set = TRUE; 2418 2419 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2420 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2421 eloop_register_timeout(sm->wpa_auth->conf. 2422 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2423 sm->wpa_auth, sm); 2424 } 2425 2426 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2427 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2428 WPA_EAPOL_authorized, 1); 2429 } 2430 } 2431 2432 if (0 /* IBSS == TRUE */) { 2433 sm->keycount++; 2434 if (sm->keycount == 2) { 2435 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2436 WPA_EAPOL_portValid, 1); 2437 } 2438 } else { 2439 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2440 1); 2441 } 2442 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2443 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2444 if (sm->wpa == WPA_VERSION_WPA) 2445 sm->PInitAKeys = TRUE; 2446 else 2447 sm->has_GTK = TRUE; 2448 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2449 "pairwise key handshake completed (%s)", 2450 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2451 2452 #ifdef CONFIG_IEEE80211R 2453 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2454 #endif /* CONFIG_IEEE80211R */ 2455 } 2456 2457 2458 SM_STEP(WPA_PTK) 2459 { 2460 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2461 2462 if (sm->Init) 2463 SM_ENTER(WPA_PTK, INITIALIZE); 2464 else if (sm->Disconnect 2465 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2466 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2467 "WPA_PTK: sm->Disconnect"); 2468 SM_ENTER(WPA_PTK, DISCONNECT); 2469 } 2470 else if (sm->DeauthenticationRequest) 2471 SM_ENTER(WPA_PTK, DISCONNECTED); 2472 else if (sm->AuthenticationRequest) 2473 SM_ENTER(WPA_PTK, AUTHENTICATION); 2474 else if (sm->ReAuthenticationRequest) 2475 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2476 else if (sm->PTKRequest) { 2477 if (wpa_auth_sm_ptk_update(sm) < 0) 2478 SM_ENTER(WPA_PTK, DISCONNECTED); 2479 else 2480 SM_ENTER(WPA_PTK, PTKSTART); 2481 } else switch (sm->wpa_ptk_state) { 2482 case WPA_PTK_INITIALIZE: 2483 break; 2484 case WPA_PTK_DISCONNECT: 2485 SM_ENTER(WPA_PTK, DISCONNECTED); 2486 break; 2487 case WPA_PTK_DISCONNECTED: 2488 SM_ENTER(WPA_PTK, INITIALIZE); 2489 break; 2490 case WPA_PTK_AUTHENTICATION: 2491 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2492 break; 2493 case WPA_PTK_AUTHENTICATION2: 2494 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2495 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2496 WPA_EAPOL_keyRun) > 0) 2497 SM_ENTER(WPA_PTK, INITPMK); 2498 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2499 /* FIX: && 802.1X::keyRun */) 2500 SM_ENTER(WPA_PTK, INITPSK); 2501 break; 2502 case WPA_PTK_INITPMK: 2503 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2504 WPA_EAPOL_keyAvailable) > 0) 2505 SM_ENTER(WPA_PTK, PTKSTART); 2506 else { 2507 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2508 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2509 "INITPMK - keyAvailable = false"); 2510 SM_ENTER(WPA_PTK, DISCONNECT); 2511 } 2512 break; 2513 case WPA_PTK_INITPSK: 2514 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2515 NULL)) 2516 SM_ENTER(WPA_PTK, PTKSTART); 2517 else { 2518 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2519 "no PSK configured for the STA"); 2520 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2521 SM_ENTER(WPA_PTK, DISCONNECT); 2522 } 2523 break; 2524 case WPA_PTK_PTKSTART: 2525 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2526 sm->EAPOLKeyPairwise) 2527 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2528 else if (sm->TimeoutCtr > 2529 (int) dot11RSNAConfigPairwiseUpdateCount) { 2530 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2531 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2532 "PTKSTART: Retry limit %d reached", 2533 dot11RSNAConfigPairwiseUpdateCount); 2534 SM_ENTER(WPA_PTK, DISCONNECT); 2535 } else if (sm->TimeoutEvt) 2536 SM_ENTER(WPA_PTK, PTKSTART); 2537 break; 2538 case WPA_PTK_PTKCALCNEGOTIATING: 2539 if (sm->MICVerified) 2540 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2541 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2542 sm->EAPOLKeyPairwise) 2543 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2544 else if (sm->TimeoutEvt) 2545 SM_ENTER(WPA_PTK, PTKSTART); 2546 break; 2547 case WPA_PTK_PTKCALCNEGOTIATING2: 2548 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2549 break; 2550 case WPA_PTK_PTKINITNEGOTIATING: 2551 if (sm->update_snonce) 2552 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2553 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2554 sm->EAPOLKeyPairwise && sm->MICVerified) 2555 SM_ENTER(WPA_PTK, PTKINITDONE); 2556 else if (sm->TimeoutCtr > 2557 (int) dot11RSNAConfigPairwiseUpdateCount) { 2558 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2559 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2560 "PTKINITNEGOTIATING: Retry limit %d " 2561 "reached", 2562 dot11RSNAConfigPairwiseUpdateCount); 2563 SM_ENTER(WPA_PTK, DISCONNECT); 2564 } else if (sm->TimeoutEvt) 2565 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 2566 break; 2567 case WPA_PTK_PTKINITDONE: 2568 break; 2569 } 2570 } 2571 2572 2573 SM_STATE(WPA_PTK_GROUP, IDLE) 2574 { 2575 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 2576 if (sm->Init) { 2577 /* Init flag is not cleared here, so avoid busy 2578 * loop by claiming nothing changed. */ 2579 sm->changed = FALSE; 2580 } 2581 sm->GTimeoutCtr = 0; 2582 } 2583 2584 2585 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 2586 { 2587 u8 rsc[WPA_KEY_RSC_LEN]; 2588 struct wpa_group *gsm = sm->group; 2589 const u8 *kde; 2590 u8 *kde_buf = NULL, *pos, hdr[2]; 2591 size_t kde_len; 2592 u8 *gtk, dummy_gtk[32]; 2593 2594 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 2595 2596 sm->GTimeoutCtr++; 2597 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) { 2598 /* No point in sending the EAPOL-Key - we will disconnect 2599 * immediately following this. */ 2600 return; 2601 } 2602 2603 if (sm->wpa == WPA_VERSION_WPA) 2604 sm->PInitAKeys = FALSE; 2605 sm->TimeoutEvt = FALSE; 2606 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 2607 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2608 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 2609 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2610 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2611 "sending 1/2 msg of Group Key Handshake"); 2612 2613 gtk = gsm->GTK[gsm->GN - 1]; 2614 if (sm->wpa_auth->conf.disable_gtk) { 2615 /* 2616 * Provide unique random GTK to each STA to prevent use 2617 * of GTK in the BSS. 2618 */ 2619 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 2620 return; 2621 gtk = dummy_gtk; 2622 } 2623 if (sm->wpa == WPA_VERSION_WPA2) { 2624 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 2625 ieee80211w_kde_len(sm); 2626 kde_buf = os_malloc(kde_len); 2627 if (kde_buf == NULL) 2628 return; 2629 2630 kde = pos = kde_buf; 2631 hdr[0] = gsm->GN & 0x03; 2632 hdr[1] = 0; 2633 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2634 gtk, gsm->GTK_len); 2635 pos = ieee80211w_kde_add(sm, pos); 2636 kde_len = pos - kde; 2637 } else { 2638 kde = gtk; 2639 kde_len = gsm->GTK_len; 2640 } 2641 2642 wpa_send_eapol(sm->wpa_auth, sm, 2643 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC | 2644 WPA_KEY_INFO_ACK | 2645 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 2646 rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1); 2647 2648 os_free(kde_buf); 2649 } 2650 2651 2652 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 2653 { 2654 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 2655 sm->EAPOLKeyReceived = FALSE; 2656 if (sm->GUpdateStationKeys) 2657 sm->group->GKeyDoneStations--; 2658 sm->GUpdateStationKeys = FALSE; 2659 sm->GTimeoutCtr = 0; 2660 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 2661 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2662 "group key handshake completed (%s)", 2663 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2664 sm->has_GTK = TRUE; 2665 } 2666 2667 2668 SM_STATE(WPA_PTK_GROUP, KEYERROR) 2669 { 2670 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 2671 if (sm->GUpdateStationKeys) 2672 sm->group->GKeyDoneStations--; 2673 sm->GUpdateStationKeys = FALSE; 2674 sm->Disconnect = TRUE; 2675 } 2676 2677 2678 SM_STEP(WPA_PTK_GROUP) 2679 { 2680 if (sm->Init || sm->PtkGroupInit) { 2681 SM_ENTER(WPA_PTK_GROUP, IDLE); 2682 sm->PtkGroupInit = FALSE; 2683 } else switch (sm->wpa_ptk_group_state) { 2684 case WPA_PTK_GROUP_IDLE: 2685 if (sm->GUpdateStationKeys || 2686 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 2687 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2688 break; 2689 case WPA_PTK_GROUP_REKEYNEGOTIATING: 2690 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2691 !sm->EAPOLKeyPairwise && sm->MICVerified) 2692 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 2693 else if (sm->GTimeoutCtr > 2694 (int) dot11RSNAConfigGroupUpdateCount) 2695 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 2696 else if (sm->TimeoutEvt) 2697 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 2698 break; 2699 case WPA_PTK_GROUP_KEYERROR: 2700 SM_ENTER(WPA_PTK_GROUP, IDLE); 2701 break; 2702 case WPA_PTK_GROUP_REKEYESTABLISHED: 2703 SM_ENTER(WPA_PTK_GROUP, IDLE); 2704 break; 2705 } 2706 } 2707 2708 2709 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 2710 struct wpa_group *group) 2711 { 2712 int ret = 0; 2713 2714 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2715 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2716 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 2717 wpa_auth->addr, group->GNonce, 2718 group->GTK[group->GN - 1], group->GTK_len) < 0) 2719 ret = -1; 2720 wpa_hexdump_key(MSG_DEBUG, "GTK", 2721 group->GTK[group->GN - 1], group->GTK_len); 2722 2723 #ifdef CONFIG_IEEE80211W 2724 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2725 size_t len; 2726 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2727 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 2728 inc_byte_array(group->Counter, WPA_NONCE_LEN); 2729 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 2730 wpa_auth->addr, group->GNonce, 2731 group->IGTK[group->GN_igtk - 4], len) < 0) 2732 ret = -1; 2733 wpa_hexdump_key(MSG_DEBUG, "IGTK", 2734 group->IGTK[group->GN_igtk - 4], len); 2735 } 2736 #endif /* CONFIG_IEEE80211W */ 2737 2738 return ret; 2739 } 2740 2741 2742 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 2743 struct wpa_group *group) 2744 { 2745 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2746 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 2747 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 2748 group->wpa_group_state = WPA_GROUP_GTK_INIT; 2749 2750 /* GTK[0..N] = 0 */ 2751 os_memset(group->GTK, 0, sizeof(group->GTK)); 2752 group->GN = 1; 2753 group->GM = 2; 2754 #ifdef CONFIG_IEEE80211W 2755 group->GN_igtk = 4; 2756 group->GM_igtk = 5; 2757 #endif /* CONFIG_IEEE80211W */ 2758 /* GTK[GN] = CalcGTK() */ 2759 wpa_gtk_update(wpa_auth, group); 2760 } 2761 2762 2763 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 2764 { 2765 if (ctx != NULL && ctx != sm->group) 2766 return 0; 2767 2768 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 2769 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2770 "Not in PTKINITDONE; skip Group Key update"); 2771 sm->GUpdateStationKeys = FALSE; 2772 return 0; 2773 } 2774 if (sm->GUpdateStationKeys) { 2775 /* 2776 * This should not really happen, so add a debug log entry. 2777 * Since we clear the GKeyDoneStations before the loop, the 2778 * station needs to be counted here anyway. 2779 */ 2780 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2781 "GUpdateStationKeys was already set when " 2782 "marking station for GTK rekeying"); 2783 } 2784 2785 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 2786 if (sm->is_wnmsleep) 2787 return 0; 2788 2789 sm->group->GKeyDoneStations++; 2790 sm->GUpdateStationKeys = TRUE; 2791 2792 wpa_sm_step(sm); 2793 return 0; 2794 } 2795 2796 2797 #ifdef CONFIG_WNM 2798 /* update GTK when exiting WNM-Sleep Mode */ 2799 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 2800 { 2801 if (sm == NULL || sm->is_wnmsleep) 2802 return; 2803 2804 wpa_group_update_sta(sm, NULL); 2805 } 2806 2807 2808 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 2809 { 2810 if (sm) 2811 sm->is_wnmsleep = !!flag; 2812 } 2813 2814 2815 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2816 { 2817 struct wpa_group *gsm = sm->group; 2818 u8 *start = pos; 2819 2820 /* 2821 * GTK subelement: 2822 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 2823 * Key[5..32] 2824 */ 2825 *pos++ = WNM_SLEEP_SUBELEM_GTK; 2826 *pos++ = 11 + gsm->GTK_len; 2827 /* Key ID in B0-B1 of Key Info */ 2828 WPA_PUT_LE16(pos, gsm->GN & 0x03); 2829 pos += 2; 2830 *pos++ = gsm->GTK_len; 2831 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 2832 return 0; 2833 pos += 8; 2834 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2835 pos += gsm->GTK_len; 2836 2837 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 2838 gsm->GN); 2839 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 2840 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 2841 2842 return pos - start; 2843 } 2844 2845 2846 #ifdef CONFIG_IEEE80211W 2847 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 2848 { 2849 struct wpa_group *gsm = sm->group; 2850 u8 *start = pos; 2851 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2852 2853 /* 2854 * IGTK subelement: 2855 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 2856 */ 2857 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 2858 *pos++ = 2 + 6 + len; 2859 WPA_PUT_LE16(pos, gsm->GN_igtk); 2860 pos += 2; 2861 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 2862 return 0; 2863 pos += 6; 2864 2865 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 2866 pos += len; 2867 2868 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 2869 gsm->GN_igtk); 2870 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 2871 gsm->IGTK[gsm->GN_igtk - 4], len); 2872 2873 return pos - start; 2874 } 2875 #endif /* CONFIG_IEEE80211W */ 2876 #endif /* CONFIG_WNM */ 2877 2878 2879 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 2880 struct wpa_group *group) 2881 { 2882 int tmp; 2883 2884 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2885 "SETKEYS (VLAN-ID %d)", group->vlan_id); 2886 group->changed = TRUE; 2887 group->wpa_group_state = WPA_GROUP_SETKEYS; 2888 group->GTKReKey = FALSE; 2889 tmp = group->GM; 2890 group->GM = group->GN; 2891 group->GN = tmp; 2892 #ifdef CONFIG_IEEE80211W 2893 tmp = group->GM_igtk; 2894 group->GM_igtk = group->GN_igtk; 2895 group->GN_igtk = tmp; 2896 #endif /* CONFIG_IEEE80211W */ 2897 /* "GKeyDoneStations = GNoStations" is done in more robust way by 2898 * counting the STAs that are marked with GUpdateStationKeys instead of 2899 * including all STAs that could be in not-yet-completed state. */ 2900 wpa_gtk_update(wpa_auth, group); 2901 2902 if (group->GKeyDoneStations) { 2903 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 2904 "GKeyDoneStations=%d when starting new GTK rekey", 2905 group->GKeyDoneStations); 2906 group->GKeyDoneStations = 0; 2907 } 2908 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 2909 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 2910 group->GKeyDoneStations); 2911 } 2912 2913 2914 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 2915 struct wpa_group *group) 2916 { 2917 int ret = 0; 2918 2919 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 2920 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 2921 broadcast_ether_addr, group->GN, 2922 group->GTK[group->GN - 1], group->GTK_len) < 0) 2923 ret = -1; 2924 2925 #ifdef CONFIG_IEEE80211W 2926 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2927 enum wpa_alg alg; 2928 size_t len; 2929 2930 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 2931 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 2932 2933 if (ret == 0 && 2934 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 2935 broadcast_ether_addr, group->GN_igtk, 2936 group->IGTK[group->GN_igtk - 4], len) < 0) 2937 ret = -1; 2938 } 2939 #endif /* CONFIG_IEEE80211W */ 2940 2941 return ret; 2942 } 2943 2944 2945 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 2946 { 2947 if (sm->group == ctx) { 2948 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 2949 " for discconnection due to fatal failure", 2950 MAC2STR(sm->addr)); 2951 sm->Disconnect = TRUE; 2952 } 2953 2954 return 0; 2955 } 2956 2957 2958 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 2959 struct wpa_group *group) 2960 { 2961 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 2962 group->changed = TRUE; 2963 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 2964 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 2965 } 2966 2967 2968 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 2969 struct wpa_group *group) 2970 { 2971 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 2972 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 2973 group->changed = TRUE; 2974 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 2975 2976 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 2977 wpa_group_fatal_failure(wpa_auth, group); 2978 return -1; 2979 } 2980 2981 return 0; 2982 } 2983 2984 2985 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 2986 struct wpa_group *group) 2987 { 2988 if (group->GInit) { 2989 wpa_group_gtk_init(wpa_auth, group); 2990 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 2991 /* Do not allow group operations */ 2992 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 2993 group->GTKAuthenticator) { 2994 wpa_group_setkeysdone(wpa_auth, group); 2995 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 2996 group->GTKReKey) { 2997 wpa_group_setkeys(wpa_auth, group); 2998 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 2999 if (group->GKeyDoneStations == 0) 3000 wpa_group_setkeysdone(wpa_auth, group); 3001 else if (group->GTKReKey) 3002 wpa_group_setkeys(wpa_auth, group); 3003 } 3004 } 3005 3006 3007 static int wpa_sm_step(struct wpa_state_machine *sm) 3008 { 3009 if (sm == NULL) 3010 return 0; 3011 3012 if (sm->in_step_loop) { 3013 /* This should not happen, but if it does, make sure we do not 3014 * end up freeing the state machine too early by exiting the 3015 * recursive call. */ 3016 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 3017 return 0; 3018 } 3019 3020 sm->in_step_loop = 1; 3021 do { 3022 if (sm->pending_deinit) 3023 break; 3024 3025 sm->changed = FALSE; 3026 sm->wpa_auth->group->changed = FALSE; 3027 3028 SM_STEP_RUN(WPA_PTK); 3029 if (sm->pending_deinit) 3030 break; 3031 SM_STEP_RUN(WPA_PTK_GROUP); 3032 if (sm->pending_deinit) 3033 break; 3034 wpa_group_sm_step(sm->wpa_auth, sm->group); 3035 } while (sm->changed || sm->wpa_auth->group->changed); 3036 sm->in_step_loop = 0; 3037 3038 if (sm->pending_deinit) { 3039 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 3040 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 3041 wpa_free_sta_sm(sm); 3042 return 1; 3043 } 3044 return 0; 3045 } 3046 3047 3048 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 3049 { 3050 struct wpa_state_machine *sm = eloop_ctx; 3051 wpa_sm_step(sm); 3052 } 3053 3054 3055 void wpa_auth_sm_notify(struct wpa_state_machine *sm) 3056 { 3057 if (sm == NULL) 3058 return; 3059 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 3060 } 3061 3062 3063 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 3064 { 3065 int tmp, i; 3066 struct wpa_group *group; 3067 3068 if (wpa_auth == NULL) 3069 return; 3070 3071 group = wpa_auth->group; 3072 3073 for (i = 0; i < 2; i++) { 3074 tmp = group->GM; 3075 group->GM = group->GN; 3076 group->GN = tmp; 3077 #ifdef CONFIG_IEEE80211W 3078 tmp = group->GM_igtk; 3079 group->GM_igtk = group->GN_igtk; 3080 group->GN_igtk = tmp; 3081 #endif /* CONFIG_IEEE80211W */ 3082 wpa_gtk_update(wpa_auth, group); 3083 wpa_group_config_group_keys(wpa_auth, group); 3084 } 3085 } 3086 3087 3088 static const char * wpa_bool_txt(int val) 3089 { 3090 return val ? "TRUE" : "FALSE"; 3091 } 3092 3093 3094 #define RSN_SUITE "%02x-%02x-%02x-%d" 3095 #define RSN_SUITE_ARG(s) \ 3096 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3097 3098 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 3099 { 3100 int len = 0, ret; 3101 char pmkid_txt[PMKID_LEN * 2 + 1]; 3102 #ifdef CONFIG_RSN_PREAUTH 3103 const int preauth = 1; 3104 #else /* CONFIG_RSN_PREAUTH */ 3105 const int preauth = 0; 3106 #endif /* CONFIG_RSN_PREAUTH */ 3107 3108 if (wpa_auth == NULL) 3109 return len; 3110 3111 ret = os_snprintf(buf + len, buflen - len, 3112 "dot11RSNAOptionImplemented=TRUE\n" 3113 "dot11RSNAPreauthenticationImplemented=%s\n" 3114 "dot11RSNAEnabled=%s\n" 3115 "dot11RSNAPreauthenticationEnabled=%s\n", 3116 wpa_bool_txt(preauth), 3117 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 3118 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 3119 if (os_snprintf_error(buflen - len, ret)) 3120 return len; 3121 len += ret; 3122 3123 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3124 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 3125 3126 ret = os_snprintf( 3127 buf + len, buflen - len, 3128 "dot11RSNAConfigVersion=%u\n" 3129 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 3130 /* FIX: dot11RSNAConfigGroupCipher */ 3131 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 3132 /* FIX: dot11RSNAConfigGroupRekeyTime */ 3133 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 3134 "dot11RSNAConfigGroupRekeyStrict=%u\n" 3135 "dot11RSNAConfigGroupUpdateCount=%u\n" 3136 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 3137 "dot11RSNAConfigGroupCipherSize=%u\n" 3138 "dot11RSNAConfigPMKLifetime=%u\n" 3139 "dot11RSNAConfigPMKReauthThreshold=%u\n" 3140 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 3141 "dot11RSNAConfigSATimeout=%u\n" 3142 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3143 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3144 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3145 "dot11RSNAPMKIDUsed=%s\n" 3146 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3147 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3148 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3149 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3150 "dot11RSNA4WayHandshakeFailures=%u\n" 3151 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3152 RSN_VERSION, 3153 !!wpa_auth->conf.wpa_strict_rekey, 3154 dot11RSNAConfigGroupUpdateCount, 3155 dot11RSNAConfigPairwiseUpdateCount, 3156 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3157 dot11RSNAConfigPMKLifetime, 3158 dot11RSNAConfigPMKReauthThreshold, 3159 dot11RSNAConfigSATimeout, 3160 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3161 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3162 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3163 pmkid_txt, 3164 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3165 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3166 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3167 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3168 wpa_auth->dot11RSNA4WayHandshakeFailures); 3169 if (os_snprintf_error(buflen - len, ret)) 3170 return len; 3171 len += ret; 3172 3173 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3174 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3175 3176 /* Private MIB */ 3177 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3178 wpa_auth->group->wpa_group_state); 3179 if (os_snprintf_error(buflen - len, ret)) 3180 return len; 3181 len += ret; 3182 3183 return len; 3184 } 3185 3186 3187 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3188 { 3189 int len = 0, ret; 3190 u32 pairwise = 0; 3191 3192 if (sm == NULL) 3193 return 0; 3194 3195 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3196 3197 /* dot11RSNAStatsEntry */ 3198 3199 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3200 WPA_PROTO_RSN : WPA_PROTO_WPA, 3201 sm->pairwise); 3202 if (pairwise == 0) 3203 return 0; 3204 3205 ret = os_snprintf( 3206 buf + len, buflen - len, 3207 /* TODO: dot11RSNAStatsIndex */ 3208 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3209 "dot11RSNAStatsVersion=1\n" 3210 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3211 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3212 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3213 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3214 /* TODO: dot11RSNAStatsCCMPReplays */ 3215 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3216 /* TODO: dot11RSNAStatsTKIPReplays */, 3217 MAC2STR(sm->addr), 3218 RSN_SUITE_ARG(pairwise), 3219 sm->dot11RSNAStatsTKIPLocalMICFailures, 3220 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3221 if (os_snprintf_error(buflen - len, ret)) 3222 return len; 3223 len += ret; 3224 3225 /* Private MIB */ 3226 ret = os_snprintf(buf + len, buflen - len, 3227 "hostapdWPAPTKState=%d\n" 3228 "hostapdWPAPTKGroupState=%d\n", 3229 sm->wpa_ptk_state, 3230 sm->wpa_ptk_group_state); 3231 if (os_snprintf_error(buflen - len, ret)) 3232 return len; 3233 len += ret; 3234 3235 return len; 3236 } 3237 3238 3239 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3240 { 3241 if (wpa_auth) 3242 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3243 } 3244 3245 3246 int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3247 { 3248 return sm && sm->pairwise_set; 3249 } 3250 3251 3252 int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3253 { 3254 return sm->pairwise; 3255 } 3256 3257 3258 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3259 { 3260 if (sm == NULL) 3261 return -1; 3262 return sm->wpa_key_mgmt; 3263 } 3264 3265 3266 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3267 { 3268 if (sm == NULL) 3269 return 0; 3270 return sm->wpa; 3271 } 3272 3273 3274 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 3275 { 3276 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 3277 return 0; 3278 return sm->tk_already_set; 3279 } 3280 3281 3282 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3283 struct rsn_pmksa_cache_entry *entry) 3284 { 3285 if (sm == NULL || sm->pmksa != entry) 3286 return -1; 3287 sm->pmksa = NULL; 3288 return 0; 3289 } 3290 3291 3292 struct rsn_pmksa_cache_entry * 3293 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3294 { 3295 return sm ? sm->pmksa : NULL; 3296 } 3297 3298 3299 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3300 { 3301 if (sm) 3302 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3303 } 3304 3305 3306 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3307 { 3308 if (wpa_auth == NULL) 3309 return NULL; 3310 *len = wpa_auth->wpa_ie_len; 3311 return wpa_auth->wpa_ie; 3312 } 3313 3314 3315 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3316 unsigned int pmk_len, 3317 int session_timeout, struct eapol_state_machine *eapol) 3318 { 3319 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3320 sm->wpa_auth->conf.disable_pmksa_caching) 3321 return -1; 3322 3323 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { 3324 if (pmk_len > PMK_LEN_SUITE_B_192) 3325 pmk_len = PMK_LEN_SUITE_B_192; 3326 } else if (pmk_len > PMK_LEN) { 3327 pmk_len = PMK_LEN; 3328 } 3329 3330 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 3331 sm->PTK.kck, sm->PTK.kck_len, 3332 sm->wpa_auth->addr, sm->addr, session_timeout, 3333 eapol, sm->wpa_key_mgmt)) 3334 return 0; 3335 3336 return -1; 3337 } 3338 3339 3340 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 3341 const u8 *pmk, size_t len, const u8 *sta_addr, 3342 int session_timeout, 3343 struct eapol_state_machine *eapol) 3344 { 3345 if (wpa_auth == NULL) 3346 return -1; 3347 3348 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 3349 NULL, 0, 3350 wpa_auth->addr, 3351 sta_addr, session_timeout, eapol, 3352 WPA_KEY_MGMT_IEEE8021X)) 3353 return 0; 3354 3355 return -1; 3356 } 3357 3358 3359 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 3360 const u8 *pmk, const u8 *pmkid) 3361 { 3362 if (wpa_auth->conf.disable_pmksa_caching) 3363 return -1; 3364 3365 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 3366 NULL, 0, 3367 wpa_auth->addr, addr, 0, NULL, 3368 WPA_KEY_MGMT_SAE)) 3369 return 0; 3370 3371 return -1; 3372 } 3373 3374 3375 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 3376 const u8 *sta_addr) 3377 { 3378 struct rsn_pmksa_cache_entry *pmksa; 3379 3380 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 3381 return; 3382 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3383 if (pmksa) { 3384 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 3385 MACSTR " based on request", MAC2STR(sta_addr)); 3386 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 3387 } 3388 } 3389 3390 3391 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 3392 size_t len) 3393 { 3394 if (!wpa_auth || !wpa_auth->pmksa) 3395 return 0; 3396 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 3397 } 3398 3399 3400 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 3401 { 3402 if (wpa_auth && wpa_auth->pmksa) 3403 pmksa_cache_auth_flush(wpa_auth->pmksa); 3404 } 3405 3406 3407 struct rsn_pmksa_cache_entry * 3408 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr) 3409 { 3410 if (!wpa_auth || !wpa_auth->pmksa) 3411 return NULL; 3412 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3413 } 3414 3415 3416 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 3417 struct wpa_state_machine *sm, 3418 struct wpa_authenticator *wpa_auth, 3419 u8 *pmkid, u8 *pmk) 3420 { 3421 if (!sm) 3422 return; 3423 3424 sm->pmksa = pmksa; 3425 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 3426 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 3427 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 3428 } 3429 3430 3431 /* 3432 * Remove and free the group from wpa_authenticator. This is triggered by a 3433 * callback to make sure nobody is currently iterating the group list while it 3434 * gets modified. 3435 */ 3436 static void wpa_group_free(struct wpa_authenticator *wpa_auth, 3437 struct wpa_group *group) 3438 { 3439 struct wpa_group *prev = wpa_auth->group; 3440 3441 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 3442 group->vlan_id); 3443 3444 while (prev) { 3445 if (prev->next == group) { 3446 /* This never frees the special first group as needed */ 3447 prev->next = group->next; 3448 os_free(group); 3449 break; 3450 } 3451 prev = prev->next; 3452 } 3453 3454 } 3455 3456 3457 /* Increase the reference counter for group */ 3458 static void wpa_group_get(struct wpa_authenticator *wpa_auth, 3459 struct wpa_group *group) 3460 { 3461 /* Skip the special first group */ 3462 if (wpa_auth->group == group) 3463 return; 3464 3465 group->references++; 3466 } 3467 3468 3469 /* Decrease the reference counter and maybe free the group */ 3470 static void wpa_group_put(struct wpa_authenticator *wpa_auth, 3471 struct wpa_group *group) 3472 { 3473 /* Skip the special first group */ 3474 if (wpa_auth->group == group) 3475 return; 3476 3477 group->references--; 3478 if (group->references) 3479 return; 3480 wpa_group_free(wpa_auth, group); 3481 } 3482 3483 3484 /* 3485 * Add a group that has its references counter set to zero. Caller needs to 3486 * call wpa_group_get() on the return value to mark the entry in use. 3487 */ 3488 static struct wpa_group * 3489 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3490 { 3491 struct wpa_group *group; 3492 3493 if (wpa_auth == NULL || wpa_auth->group == NULL) 3494 return NULL; 3495 3496 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 3497 vlan_id); 3498 group = wpa_group_init(wpa_auth, vlan_id, 0); 3499 if (group == NULL) 3500 return NULL; 3501 3502 group->next = wpa_auth->group->next; 3503 wpa_auth->group->next = group; 3504 3505 return group; 3506 } 3507 3508 3509 /* 3510 * Enforce that the group state machine for the VLAN is running, increase 3511 * reference counter as interface is up. References might have been increased 3512 * even if a negative value is returned. 3513 * Returns: -1 on error (group missing, group already failed); otherwise, 0 3514 */ 3515 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3516 { 3517 struct wpa_group *group; 3518 3519 if (wpa_auth == NULL) 3520 return 0; 3521 3522 group = wpa_auth->group; 3523 while (group) { 3524 if (group->vlan_id == vlan_id) 3525 break; 3526 group = group->next; 3527 } 3528 3529 if (group == NULL) { 3530 group = wpa_auth_add_group(wpa_auth, vlan_id); 3531 if (group == NULL) 3532 return -1; 3533 } 3534 3535 wpa_printf(MSG_DEBUG, 3536 "WPA: Ensure group state machine running for VLAN ID %d", 3537 vlan_id); 3538 3539 wpa_group_get(wpa_auth, group); 3540 group->num_setup_iface++; 3541 3542 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3543 return -1; 3544 3545 return 0; 3546 } 3547 3548 3549 /* 3550 * Decrease reference counter, expected to be zero afterwards. 3551 * returns: -1 on error (group not found, group in fail state) 3552 * -2 if wpa_group is still referenced 3553 * 0 else 3554 */ 3555 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3556 { 3557 struct wpa_group *group; 3558 int ret = 0; 3559 3560 if (wpa_auth == NULL) 3561 return 0; 3562 3563 group = wpa_auth->group; 3564 while (group) { 3565 if (group->vlan_id == vlan_id) 3566 break; 3567 group = group->next; 3568 } 3569 3570 if (group == NULL) 3571 return -1; 3572 3573 wpa_printf(MSG_DEBUG, 3574 "WPA: Try stopping group state machine for VLAN ID %d", 3575 vlan_id); 3576 3577 if (group->num_setup_iface <= 0) { 3578 wpa_printf(MSG_ERROR, 3579 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 3580 vlan_id); 3581 return -1; 3582 } 3583 group->num_setup_iface--; 3584 3585 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3586 ret = -1; 3587 3588 if (group->references > 1) { 3589 wpa_printf(MSG_DEBUG, 3590 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 3591 vlan_id); 3592 ret = -2; 3593 } 3594 3595 wpa_group_put(wpa_auth, group); 3596 3597 return ret; 3598 } 3599 3600 3601 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 3602 { 3603 struct wpa_group *group; 3604 3605 if (sm == NULL || sm->wpa_auth == NULL) 3606 return 0; 3607 3608 group = sm->wpa_auth->group; 3609 while (group) { 3610 if (group->vlan_id == vlan_id) 3611 break; 3612 group = group->next; 3613 } 3614 3615 if (group == NULL) { 3616 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 3617 if (group == NULL) 3618 return -1; 3619 } 3620 3621 if (sm->group == group) 3622 return 0; 3623 3624 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 3625 return -1; 3626 3627 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 3628 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 3629 3630 wpa_group_get(sm->wpa_auth, group); 3631 wpa_group_put(sm->wpa_auth, sm->group); 3632 sm->group = group; 3633 3634 return 0; 3635 } 3636 3637 3638 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 3639 struct wpa_state_machine *sm, int ack) 3640 { 3641 if (wpa_auth == NULL || sm == NULL) 3642 return; 3643 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 3644 " ack=%d", MAC2STR(sm->addr), ack); 3645 if (sm->pending_1_of_4_timeout && ack) { 3646 /* 3647 * Some deployed supplicant implementations update their SNonce 3648 * for each EAPOL-Key 2/4 message even within the same 4-way 3649 * handshake and then fail to use the first SNonce when 3650 * deriving the PTK. This results in unsuccessful 4-way 3651 * handshake whenever the relatively short initial timeout is 3652 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 3653 * around this by increasing the timeout now that we know that 3654 * the station has received the frame. 3655 */ 3656 int timeout_ms = eapol_key_timeout_subseq; 3657 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 3658 "timeout by %u ms because of acknowledged frame", 3659 timeout_ms); 3660 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 3661 eloop_register_timeout(timeout_ms / 1000, 3662 (timeout_ms % 1000) * 1000, 3663 wpa_send_eapol_timeout, wpa_auth, sm); 3664 } 3665 } 3666 3667 3668 int wpa_auth_uses_sae(struct wpa_state_machine *sm) 3669 { 3670 if (sm == NULL) 3671 return 0; 3672 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 3673 } 3674 3675 3676 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 3677 { 3678 if (sm == NULL) 3679 return 0; 3680 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 3681 } 3682 3683 3684 #ifdef CONFIG_P2P 3685 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 3686 { 3687 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 3688 return -1; 3689 os_memcpy(addr, sm->ip_addr, 4); 3690 return 0; 3691 } 3692 #endif /* CONFIG_P2P */ 3693 3694 3695 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 3696 struct radius_das_attrs *attr) 3697 { 3698 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 3699 } 3700 3701 3702 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 3703 { 3704 struct wpa_group *group; 3705 3706 if (!wpa_auth) 3707 return; 3708 for (group = wpa_auth->group; group; group = group->next) 3709 wpa_group_config_group_keys(wpa_auth, group); 3710 } 3711