1 /*
2  * Internal WPA/RSN supplicant state machine definitions
3  * Copyright (c) 2004-2018, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef WPA_I_H
10 #define WPA_I_H
11 
12 #include "utils/list.h"
13 
/*
 * Forward declarations. This header only uses pointers to these types
 * (sm->tdls under CONFIG_TDLS, and the wpa_eapol_key parameters of the
 * prototypes near the end of the file), so the full definitions are not
 * needed here.
 */
struct wpa_tdls_peer;
struct wpa_eapol_key;
16 
/**
 * struct pasn_ft_r1kh - BSSID / R1KH-ID pair
 *
 * Element type of the sm->pasn_r1kh array (CONFIG_PASN inside
 * CONFIG_IEEE80211R). It stores an R1KH-ID next to a BSSID; no key
 * material is held in this record.
 */
struct pasn_ft_r1kh {
	u8 bssid[ETH_ALEN];
	u8 r1kh_id[FT_R1KH_ID_LEN];
};
21 
/**
 * struct wpa_sm - Internal WPA state machine data
 *
 * One instance holds the key material (PMK, PTK/TPTK, GTK/IGTK/BIGTK and,
 * with CONFIG_IEEE80211R, the FT key hierarchy), the handshake nonces and
 * replay counters, the selected configuration, copies of own and AP
 * information elements, and the callback table (ctx) used by the inline
 * wrappers below. Several groups of members exist only when the matching
 * CONFIG_* macro is defined, so the layout depends on the build options.
 *
 * NOTE(review): secrets are stored inline in this structure. How and when
 * they are cleared is not visible from this header - confirm in the code
 * that frees or resets the state machine.
 */
struct wpa_sm {
	u8 pmk[PMK_LEN_MAX]; /* PMK buffer, sized for the largest PMK */
	size_t pmk_len;
	struct wpa_ptk ptk, tptk;
	int ptk_set, tptk_set;
	unsigned int msg_3_of_4_ok:1;
	u8 snonce[WPA_NONCE_LEN];
	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
	int renew_snonce;
	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
	int rx_replay_counter_set;
	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
	/* Group keys; each has a second copy with a _wnm_sleep suffix */
	struct wpa_gtk gtk;
	struct wpa_gtk gtk_wnm_sleep;
	struct wpa_igtk igtk;
	struct wpa_igtk igtk_wnm_sleep;
	struct wpa_bigtk bigtk;
	struct wpa_bigtk bigtk_wnm_sleep;

	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */

	struct rsn_pmksa_cache *pmksa; /* PMKSA cache */
	struct rsn_pmksa_cache_entry *cur_pmksa; /* current PMKSA entry */
	struct dl_list pmksa_candidates;

	struct l2_packet_data *l2_preauth;
	struct l2_packet_data *l2_preauth_br;
	struct l2_packet_data *l2_tdls;
	u8 preauth_bssid[ETH_ALEN]; /* current RSN pre-auth peer or
				     * 00:00:00:00:00:00 if no pre-auth is
				     * in progress */
	struct eapol_sm *preauth_eapol;

	/* Callback table; every wpa_sm_*() inline wrapper in this header
	 * dereferences it without checking sm->ctx itself for NULL */
	struct wpa_sm_ctx *ctx;

	void *scard_ctx; /* context for smartcard callbacks */
	int fast_reauth; /* whether EAP fast re-authentication is enabled */

	void *network_ctx;
	int allowed_pairwise_cipher; /* bitfield of WPA_CIPHER_* */
	int proactive_key_caching;
	int eap_workaround;
	void *eap_conf_ctx;
	u8 ssid[32]; /* fixed 32-octet buffer; see ssid_len */
	size_t ssid_len;
	int wpa_ptk_rekey;
	/* NOTE(review): plain int one-bit bit-field. Its signedness is
	 * implementation-defined, so a set flag may read back as -1 rather
	 * than 1; the other flags in this struct use unsigned int. Safe
	 * only as long as users test it for zero/non-zero - confirm. */
	int wpa_deny_ptk0_rekey:1;
	int p2p;
	int wpa_rsc_relaxation;
	int owe_ptk_workaround;
	int beacon_prot;
	int ext_key_id; /* whether Extended Key ID is enabled */
	int use_ext_key_id; /* whether Extended Key ID has been detected
			     * to be used */
	int keyidx_active; /* Key ID for the active TK */

	/*
	 * If set Key Derivation Key should be derived as part of PMK to
	 * PTK derivation regardless of advertised capabilities.
	 */
	bool force_kdk_derivation;

	u8 own_addr[ETH_ALEN];
	const char *ifname;
	const char *bridge_ifname;
	u8 bssid[ETH_ALEN];

	unsigned int dot11RSNAConfigPMKLifetime;
	unsigned int dot11RSNAConfigPMKReauthThreshold;
	unsigned int dot11RSNAConfigSATimeout;

	unsigned int dot11RSNA4WayHandshakeFailures;

	/* Selected configuration (based on Beacon/ProbeResp WPA IE) */
	unsigned int proto;
	unsigned int pairwise_cipher;
	unsigned int group_cipher;
	unsigned int key_mgmt;
	unsigned int mgmt_group_cipher;

	int rsn_enabled; /* Whether RSN is enabled in configuration */
	int mfp; /* 0 = disabled, 1 = optional, 2 = mandatory */
	int ocv; /* Operating Channel Validation */
	int sae_pwe; /* SAE PWE generation options */

	unsigned int sae_pk:1; /* whether SAE-PK is used */
	unsigned int secure_ltf:1;
	unsigned int secure_rtt:1;
	unsigned int prot_range_neg:1;

	/* Heap-style pointer/length pairs for IEs; ownership and freeing
	 * are handled outside this header */
	u8 *assoc_wpa_ie; /* Own WPA/RSN IE from (Re)AssocReq */
	size_t assoc_wpa_ie_len;
	u8 *assoc_rsnxe; /* Own RSNXE from (Re)AssocReq */
	size_t assoc_rsnxe_len;
	u8 *ap_wpa_ie, *ap_rsn_ie, *ap_rsnxe;
	size_t ap_wpa_ie_len, ap_rsn_ie_len, ap_rsnxe_len;

#ifdef CONFIG_TDLS
	struct wpa_tdls_peer *tdls;
	int tdls_prohibited;
	int tdls_chan_switch_prohibited;
	int tdls_disabled;

	/* The driver supports TDLS */
	int tdls_supported;

	/*
	 * The driver requires explicit discovery/setup/teardown frames sent
	 * to it via tdls_mgmt.
	 */
	int tdls_external_setup;

	/* The driver supports TDLS channel switching */
	int tdls_chan_switch;
#endif /* CONFIG_TDLS */

#ifdef CONFIG_IEEE80211R
	/* FT key hierarchy; xxkey, pmk_r0 and pmk_r1 are key material */
	u8 xxkey[PMK_LEN_MAX]; /* PSK or the second 256 bits of MSK, or the
				* first 384 bits of MSK */
	size_t xxkey_len;
	u8 pmk_r0[PMK_LEN_MAX];
	size_t pmk_r0_len;
	u8 pmk_r0_name[WPA_PMK_NAME_LEN];
	u8 pmk_r1[PMK_LEN_MAX];
	size_t pmk_r1_len;
	u8 pmk_r1_name[WPA_PMK_NAME_LEN];
	u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
	u8 r0kh_id[FT_R0KH_ID_MAX_LEN];
	size_t r0kh_id_len;
	u8 r1kh_id[FT_R1KH_ID_LEN];
	unsigned int ft_completed:1;
	unsigned int ft_reassoc_completed:1;
	unsigned int ft_protocol:1;
	int over_the_ds_in_progress;
	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
	int set_ptk_after_assoc;
	u8 mdie_ft_capab; /* FT Capability and Policy from target AP MDIE */
	u8 *assoc_resp_ies; /* MDIE and FTIE from (Re)Association Response */
	size_t assoc_resp_ies_len;
#ifdef CONFIG_PASN
	/*
	 * Currently, the WPA state machine stores the PMK-R1, PMK-R1-Name and
	 * R1KH-ID only for the current association. As PMK-R1 is required to
	 * perform PASN authentication with FT, store the R1KH-ID for previous
	 * associations, which would later be used to derive the PMK-R1 as part
	 * of the PASN authentication flow.
	 */
	struct pasn_ft_r1kh *pasn_r1kh; /* array of n_pasn_r1kh entries -
					 * presumably; confirm against the
					 * code that grows it */
	unsigned int n_pasn_r1kh;
#endif /* CONFIG_PASN */
#endif /* CONFIG_IEEE80211R */

#ifdef CONFIG_P2P
	u8 p2p_ip_addr[3 * 4];
#endif /* CONFIG_P2P */

#ifdef CONFIG_TESTING_OPTIONS
	/*
	 * Present only in builds with CONFIG_TESTING_OPTIONS.
	 * NOTE(review): the names suggest these override IEs and OCI
	 * frequencies in transmitted frames; confirm that production builds
	 * leave CONFIG_TESTING_OPTIONS undefined.
	 */
	struct wpabuf *test_assoc_ie;
	int ft_rsnxe_used;
	unsigned int oci_freq_override_eapol;
	unsigned int oci_freq_override_eapol_g2;
	unsigned int oci_freq_override_ft_assoc;
	unsigned int oci_freq_override_fils_assoc;
#endif /* CONFIG_TESTING_OPTIONS */

#ifdef CONFIG_FILS
	u8 fils_nonce[FILS_NONCE_LEN];
	u8 fils_session[FILS_SESSION_LEN];
	u8 fils_anonce[FILS_NONCE_LEN];
	u8 fils_key_auth_ap[FILS_MAX_KEY_AUTH_LEN];
	u8 fils_key_auth_sta[FILS_MAX_KEY_AUTH_LEN];
	size_t fils_key_auth_len;
	unsigned int fils_completed:1;
	unsigned int fils_erp_pmkid_set:1;
	unsigned int fils_cache_id_set:1;
	u8 fils_erp_pmkid[PMKID_LEN];
	u8 fils_cache_id[FILS_CACHE_ID_LEN];
	struct crypto_ecdh *fils_ecdh;
	int fils_dh_group;
	size_t fils_dh_elem_len;
	struct wpabuf *fils_ft_ies;
	u8 fils_ft[FILS_FT_MAX_LEN];
	size_t fils_ft_len;
#endif /* CONFIG_FILS */

#ifdef CONFIG_OWE
	struct crypto_ecdh *owe_ecdh;
	u16 owe_group;
#endif /* CONFIG_OWE */

#ifdef CONFIG_DPP2
	struct wpabuf *dpp_z;
	int dpp_pfs;
#endif /* CONFIG_DPP2 */
};
220 
221 
/**
 * wpa_sm_set_state - Pass a new state to the set_state callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @state: State value handed to the callback unchanged
 *
 * set_state is a required callback: it is checked only with WPA_ASSERT()
 * and then called unconditionally.
 */
static inline void wpa_sm_set_state(struct wpa_sm *sm, enum wpa_states state)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->set_state);
	cb->set_state(cb->ctx, state);
}
227 
/**
 * wpa_sm_get_state - Query the current state through the get_state callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * Returns: Whatever the get_state callback returns
 *
 * get_state is a required callback: it is checked only with WPA_ASSERT()
 * and then called unconditionally.
 */
static inline enum wpa_states wpa_sm_get_state(struct wpa_sm *sm)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->get_state);
	return cb->get_state(cb->ctx);
}
233 
/**
 * wpa_sm_deauthenticate - Invoke the deauthenticate callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @reason_code: Reason code handed to the callback unchanged
 *
 * deauthenticate is a required callback: it is checked only with
 * WPA_ASSERT() and then called unconditionally.
 */
static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, u16 reason_code)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->deauthenticate);
	cb->deauthenticate(cb->ctx, reason_code);
}
239 
/**
 * wpa_sm_set_key - Hand a key to the set_key callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @alg: Key algorithm
 * @addr: Address argument for the callback
 * @key_idx: Key index
 * @set_tx: Passed through to the callback
 * @seq: Sequence counter buffer
 * @seq_len: Length of @seq in octets
 * @key: Key buffer (secret material)
 * @key_len: Length of @key in octets
 * @key_flag: Key flags
 * Returns: Whatever the set_key callback returns
 *
 * All arguments are forwarded as given; no length or pointer validation is
 * done at this layer. set_key is a required callback: it is checked only
 * with WPA_ASSERT() and then called unconditionally.
 */
static inline int wpa_sm_set_key(struct wpa_sm *sm, enum wpa_alg alg,
				 const u8 *addr, int key_idx, int set_tx,
				 const u8 *seq, size_t seq_len,
				 const u8 *key, size_t key_len,
				 enum key_flag key_flag)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->set_key);
	return cb->set_key(cb->ctx, alg, addr, key_idx, set_tx, seq, seq_len,
			   key, key_len, key_flag);
}
250 
/**
 * wpa_sm_reconnect - Invoke the reconnect callback
 * @sm: WPA state machine data; sm->ctx must be valid
 *
 * reconnect is a required callback: it is checked only with WPA_ASSERT()
 * and then called unconditionally.
 */
static inline void wpa_sm_reconnect(struct wpa_sm *sm)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->reconnect);
	cb->reconnect(cb->ctx);
}
256 
/**
 * wpa_sm_get_network_ctx - Fetch the network context through the callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * Returns: Pointer returned by the get_network_ctx callback
 *
 * get_network_ctx is a required callback: it is checked only with
 * WPA_ASSERT() and then called unconditionally.
 */
static inline void * wpa_sm_get_network_ctx(struct wpa_sm *sm)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->get_network_ctx);
	return cb->get_network_ctx(cb->ctx);
}
262 
/**
 * wpa_sm_get_bssid - Ask the get_bssid callback for the BSSID
 * @sm: WPA state machine data; sm->ctx must be valid
 * @bssid: Output buffer handed to the callback; its required size is not
 *	stated here (presumably ETH_ALEN octets - confirm against the
 *	callback implementation)
 * Returns: Whatever the get_bssid callback returns
 *
 * get_bssid is a required callback: it is checked only with WPA_ASSERT()
 * and then called unconditionally.
 */
static inline int wpa_sm_get_bssid(struct wpa_sm *sm, u8 *bssid)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->get_bssid);
	return cb->get_bssid(cb->ctx, bssid);
}
268 
/**
 * wpa_sm_ether_send - Send a frame through the ether_send callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @dest: Destination address
 * @proto: Protocol value passed to the callback
 * @buf: Frame payload
 * @len: Length of @buf in octets
 * Returns: Whatever the ether_send callback returns
 *
 * ether_send is a required callback: it is checked only with WPA_ASSERT()
 * and then called unconditionally.
 */
static inline int wpa_sm_ether_send(struct wpa_sm *sm, const u8 *dest,
				    u16 proto, const u8 *buf, size_t len)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->ether_send);
	return cb->ether_send(cb->ctx, dest, proto, buf, len);
}
275 
/**
 * wpa_sm_get_beacon_ie - Invoke the get_beacon_ie callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * Returns: Whatever the get_beacon_ie callback returns
 *
 * get_beacon_ie is a required callback: it is checked only with
 * WPA_ASSERT() and then called unconditionally.
 */
static inline int wpa_sm_get_beacon_ie(struct wpa_sm *sm)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->get_beacon_ie);
	return cb->get_beacon_ie(cb->ctx);
}
281 
/**
 * wpa_sm_cancel_auth_timeout - Invoke the cancel_auth_timeout callback
 * @sm: WPA state machine data; sm->ctx must be valid
 *
 * cancel_auth_timeout is a required callback: it is checked only with
 * WPA_ASSERT() and then called unconditionally.
 */
static inline void wpa_sm_cancel_auth_timeout(struct wpa_sm *sm)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->cancel_auth_timeout);
	cb->cancel_auth_timeout(cb->ctx);
}
287 
/**
 * wpa_sm_alloc_eapol - Obtain an EAPOL frame buffer from the callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @type: Type value passed to the callback
 * @data: Data passed to the callback
 * @data_len: Length of @data in octets
 * @msg_len: Output pointer forwarded to the callback
 * @data_pos: Output pointer forwarded to the callback
 * Returns: Pointer returned by the alloc_eapol callback; this wrapper does
 * not check it, so callers must handle whatever failure value the callback
 * uses (presumably NULL - confirm)
 *
 * alloc_eapol is a required callback: it is checked only with WPA_ASSERT()
 * and then called unconditionally.
 */
static inline u8 * wpa_sm_alloc_eapol(struct wpa_sm *sm, u8 type,
				      const void *data, u16 data_len,
				      size_t *msg_len, void **data_pos)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->alloc_eapol);
	return cb->alloc_eapol(cb->ctx, type, data, data_len, msg_len,
			       data_pos);
}
296 
/**
 * wpa_sm_add_pmkid - Forward a PMKID/PMK entry to the add_pmkid callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @network_ctx: Network context passed to the callback
 * @bssid: BSSID argument
 * @pmkid: PMKID argument
 * @cache_id: Cache identifier argument
 * @pmk: PMK buffer (secret material)
 * @pmk_len: Length of @pmk in octets
 * @pmk_lifetime: Lifetime value passed to the callback
 * @pmk_reauth_threshold: Reauthentication threshold passed to the callback
 * @akmp: AKM value passed to the callback
 * Returns: Whatever the add_pmkid callback returns
 *
 * The PMK leaves this module through the callback; nothing is validated or
 * copied here. add_pmkid is a required callback: it is checked only with
 * WPA_ASSERT() and then called unconditionally.
 */
static inline int wpa_sm_add_pmkid(struct wpa_sm *sm, void *network_ctx,
				   const u8 *bssid, const u8 *pmkid,
				   const u8 *cache_id, const u8 *pmk,
				   size_t pmk_len, u32 pmk_lifetime,
				   u8 pmk_reauth_threshold, int akmp)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->add_pmkid);
	return cb->add_pmkid(cb->ctx, network_ctx, bssid, pmkid, cache_id,
			     pmk, pmk_len, pmk_lifetime, pmk_reauth_threshold,
			     akmp);
}
308 
/**
 * wpa_sm_remove_pmkid - Forward a PMKID removal to the remove_pmkid callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @network_ctx: Network context passed to the callback
 * @bssid: BSSID argument
 * @pmkid: PMKID argument
 * @cache_id: Cache identifier argument
 * Returns: Whatever the remove_pmkid callback returns
 *
 * remove_pmkid is a required callback: it is checked only with
 * WPA_ASSERT() and then called unconditionally.
 */
static inline int wpa_sm_remove_pmkid(struct wpa_sm *sm, void *network_ctx,
				      const u8 *bssid, const u8 *pmkid,
				      const u8 *cache_id)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->remove_pmkid);
	return cb->remove_pmkid(cb->ctx, network_ctx, bssid, pmkid, cache_id);
}
317 
/**
 * wpa_sm_mlme_setprotection - Invoke the mlme_setprotection callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @addr: Address argument
 * @protect_type: Protection type passed to the callback
 * @key_type: Key type passed to the callback
 * Returns: Whatever the mlme_setprotection callback returns
 *
 * mlme_setprotection is a required callback: it is checked only with
 * WPA_ASSERT() and then called unconditionally.
 */
static inline int wpa_sm_mlme_setprotection(struct wpa_sm *sm, const u8 *addr,
					    int protect_type, int key_type)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	WPA_ASSERT(sm->ctx->mlme_setprotection);
	return cb->mlme_setprotection(cb->ctx, addr, protect_type, key_type);
}
325 
/**
 * wpa_sm_update_ft_ies - Forward FT IEs to the optional update_ft_ies callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @md: Mobility domain argument
 * @ies: IE buffer
 * @ies_len: Length of @ies in octets
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int wpa_sm_update_ft_ies(struct wpa_sm *sm, const u8 *md,
				       const u8 *ies, size_t ies_len)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	/* Optional callback: report failure instead of calling through NULL */
	if (!cb->update_ft_ies)
		return -1;

	return cb->update_ft_ies(cb->ctx, md, ies, ies_len);
}
333 
/**
 * wpa_sm_send_ft_action - Forward to the optional send_ft_action callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @action: Action value passed to the callback
 * @target_ap: Target AP address
 * @ies: IE buffer
 * @ies_len: Length of @ies in octets
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int wpa_sm_send_ft_action(struct wpa_sm *sm, u8 action,
					const u8 *target_ap,
					const u8 *ies, size_t ies_len)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	/* Optional callback: report failure instead of calling through NULL */
	if (!cb->send_ft_action)
		return -1;

	return cb->send_ft_action(cb->ctx, action, target_ap, ies, ies_len);
}
343 
/**
 * wpa_sm_mark_authenticated - Forward to the optional mark_authenticated
 *	callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @target_ap: Target AP address
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int wpa_sm_mark_authenticated(struct wpa_sm *sm,
					    const u8 *target_ap)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	/* Optional callback: report failure instead of calling through NULL */
	if (!cb->mark_authenticated)
		return -1;

	return cb->mark_authenticated(cb->ctx, target_ap);
}
351 
/**
 * wpa_sm_set_rekey_offload - Pass rekey material to the optional callback
 * @sm: WPA state machine data; sm->ctx must be valid
 *
 * Hands the current PTK's KEK and KCK (with their lengths) and the RX
 * replay counter from @sm to set_rekey_offload. These are secrets leaving
 * this module, so the callback target is part of the trust boundary.
 * Nothing happens when the callback is not registered.
 */
static inline void wpa_sm_set_rekey_offload(struct wpa_sm *sm)
{
	struct wpa_sm_ctx *cb = sm->ctx;
	struct wpa_ptk *ptk = &sm->ptk;

	if (cb->set_rekey_offload)
		cb->set_rekey_offload(cb->ctx, ptk->kek, ptk->kek_len,
				      ptk->kck, ptk->kck_len,
				      sm->rx_replay_counter);
}
360 
361 #ifdef CONFIG_TDLS
/**
 * wpa_sm_tdls_get_capa - Query TDLS capabilities via the optional callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @tdls_supported: Output pointer forwarded to the callback
 * @tdls_ext_setup: Output pointer forwarded to the callback
 * @tdls_chan_switch: Output pointer forwarded to the callback
 * Returns: Callback return value, or -1 if no callback is registered (the
 * output pointers are not written by this wrapper in that case)
 */
static inline int wpa_sm_tdls_get_capa(struct wpa_sm *sm,
				       int *tdls_supported,
				       int *tdls_ext_setup,
				       int *tdls_chan_switch)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->tdls_get_capa)
		return -1;

	return cb->tdls_get_capa(cb->ctx, tdls_supported, tdls_ext_setup,
				 tdls_chan_switch);
}
372 
/**
 * wpa_sm_send_tdls_mgmt - Send a TDLS management frame via the optional
 *	callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @dst: Destination address
 * @action_code: Action code passed to the callback
 * @dialog_token: Dialog token passed to the callback
 * @status_code: Status code passed to the callback
 * @peer_capab: Peer capability value passed to the callback
 * @initiator: Passed through to the callback
 * @buf: Frame data
 * @len: Length of @buf in octets
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int wpa_sm_send_tdls_mgmt(struct wpa_sm *sm, const u8 *dst,
					u8 action_code, u8 dialog_token,
					u16 status_code, u32 peer_capab,
					int initiator, const u8 *buf,
					size_t len)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->send_tdls_mgmt)
		return -1;

	return cb->send_tdls_mgmt(cb->ctx, dst, action_code, dialog_token,
				  status_code, peer_capab, initiator, buf,
				  len);
}
386 
/**
 * wpa_sm_tdls_oper - Request a TDLS operation via the optional callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @oper: Operation value passed to the callback
 * @peer: Peer address
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int wpa_sm_tdls_oper(struct wpa_sm *sm, int oper,
				   const u8 *peer)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->tdls_oper)
		return -1;

	return cb->tdls_oper(cb->ctx, oper, peer);
}
394 
/**
 * wpa_sm_tdls_peer_addset - Add or update a TDLS peer via the optional
 *	callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @addr: Peer address
 * @add: Passed through to the callback
 *
 * The remaining parameters (AID, capability, supported rates, HT/VHT/HE
 * and HE 6 GHz capabilities, QoS info, WMM flag, extended capabilities,
 * supported channels and operating classes, each buffer with its length)
 * are forwarded in the same order without inspection; buffer/length
 * consistency is the caller's responsibility.
 *
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int
wpa_sm_tdls_peer_addset(struct wpa_sm *sm, const u8 *addr, int add,
			u16 aid, u16 capability, const u8 *supp_rates,
			size_t supp_rates_len,
			const struct ieee80211_ht_capabilities *ht_capab,
			const struct ieee80211_vht_capabilities *vht_capab,
			const struct ieee80211_he_capabilities *he_capab,
			size_t he_capab_len,
			const struct ieee80211_he_6ghz_band_cap *he_6ghz_capab,
			u8 qosinfo, int wmm, const u8 *ext_capab,
			size_t ext_capab_len, const u8 *supp_channels,
			size_t supp_channels_len, const u8 *supp_oper_classes,
			size_t supp_oper_classes_len)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->tdls_peer_addset)
		return -1;

	return cb->tdls_peer_addset(cb->ctx, addr, add, aid, capability,
				    supp_rates, supp_rates_len,
				    ht_capab, vht_capab,
				    he_capab, he_capab_len, he_6ghz_capab,
				    qosinfo, wmm,
				    ext_capab, ext_capab_len,
				    supp_channels, supp_channels_len,
				    supp_oper_classes, supp_oper_classes_len);
}
423 
/**
 * wpa_sm_tdls_enable_channel_switch - Enable TDLS channel switching via the
 *	optional callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @addr: Peer address
 * @oper_class: Operating class passed to the callback
 * @freq_params: Frequency parameters passed to the callback
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int
wpa_sm_tdls_enable_channel_switch(struct wpa_sm *sm, const u8 *addr,
				  u8 oper_class,
				  const struct hostapd_freq_params *freq_params)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->tdls_enable_channel_switch)
		return -1;

	return cb->tdls_enable_channel_switch(cb->ctx, addr, oper_class,
					      freq_params);
}
435 
/**
 * wpa_sm_tdls_disable_channel_switch - Disable TDLS channel switching via
 *	the optional callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @addr: Peer address
 * Returns: Callback return value, or -1 if no callback is registered
 */
static inline int
wpa_sm_tdls_disable_channel_switch(struct wpa_sm *sm, const u8 *addr)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->tdls_disable_channel_switch)
		return -1;

	return cb->tdls_disable_channel_switch(cb->ctx, addr);
}
443 #endif /* CONFIG_TDLS */
444 
/**
 * wpa_sm_key_mgmt_set_pmk - Hand a PMK to the optional key_mgmt_set_pmk
 *	callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @pmk: PMK buffer (secret material)
 * @pmk_len: Length of @pmk in octets
 * Returns: Callback return value, or -1 if no callback is registered
 *
 * The PMK is forwarded as given; no length check is made here.
 */
static inline int wpa_sm_key_mgmt_set_pmk(struct wpa_sm *sm,
					  const u8 *pmk, size_t pmk_len)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (cb->key_mgmt_set_pmk)
		return cb->key_mgmt_set_pmk(cb->ctx, pmk, pmk_len);

	return -1;
}
452 
/**
 * wpa_sm_fils_hlp_rx - Deliver a received packet to the optional
 *	fils_hlp_rx callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @dst: Destination address
 * @src: Source address
 * @pkt: Packet data
 * @pkt_len: Length of @pkt in octets
 *
 * The packet is passed on without inspection; it is silently dropped when
 * no callback is registered.
 */
static inline void wpa_sm_fils_hlp_rx(struct wpa_sm *sm,
				      const u8 *dst, const u8 *src,
				      const u8 *pkt, size_t pkt_len)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->fils_hlp_rx)
		return;

	cb->fils_hlp_rx(cb->ctx, dst, src, pkt, pkt_len);
}
460 
/**
 * wpa_sm_channel_info - Fetch channel information via the optional callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @ci: Output structure forwarded to the callback
 * Returns: Callback return value, or -1 if no callback is registered (@ci
 * is not written by this wrapper in that case)
 */
static inline int wpa_sm_channel_info(struct wpa_sm *sm,
				      struct wpa_channel_info *ci)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (cb->channel_info)
		return cb->channel_info(cb->ctx, ci);

	return -1;
}
468 
/**
 * wpa_sm_transition_disable - Forward a bitmap to the optional
 *	transition_disable callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @bitmap: Bitmap value handed to the callback unchanged
 *
 * The bitmap is silently ignored when no callback is registered.
 */
static inline void wpa_sm_transition_disable(struct wpa_sm *sm, u8 bitmap)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->transition_disable)
		return;

	cb->transition_disable(cb->ctx, bitmap);
}
474 
/**
 * wpa_sm_store_ptk - Hand a PTK to the optional store_ptk callback
 * @sm: WPA state machine data; sm->ctx must be valid
 * @addr: Address argument
 * @cipher: Cipher value passed to the callback
 * @life_time: Lifetime value passed to the callback
 * @ptk: PTK structure (secret material) passed by pointer
 *
 * The PTK leaves this module through the callback. Nothing is stored when
 * no callback is registered.
 */
static inline void wpa_sm_store_ptk(struct wpa_sm *sm,
				    u8 *addr, int cipher,
				    u32 life_time, struct wpa_ptk *ptk)
{
	struct wpa_sm_ctx *cb = sm->ctx;

	if (!cb->store_ptk)
		return;

	cb->store_ptk(cb->ctx, addr, cipher, life_time, ptk);
}
483 
/*
 * Functions declared here and defined in other source files. The notes
 * below are derived from names and signatures only; see the definitions
 * for the actual contracts.
 */

/* Takes a message buffer with its length and a key_mic pointer together
 * with the PTK; presumably fills in the MIC before sending - confirm. */
int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
		       int ver, const u8 *dest, u16 proto,
		       u8 *msg, size_t msg_len, u8 *key_mic);
/* 4-way handshake message 2/4 and 4/4 senders, going by the names */
int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
			       const struct wpa_eapol_key *key,
			       int ver, const u8 *nonce,
			       const u8 *wpa_ie, size_t wpa_ie_len,
			       struct wpa_ptk *ptk);
int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
			       const struct wpa_eapol_key *key,
			       u16 ver, u16 key_info,
			       struct wpa_ptk *ptk);

/* Writes the derived PTK through @ptk - presumably; declared without a
 * CONFIG_IEEE80211R guard even though the FT members of struct wpa_sm are
 * guarded */
int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr,
		      const struct wpa_eapol_key *key, struct wpa_ptk *ptk);

/* TDLS association/disassociation hooks; declared without a CONFIG_TDLS
 * guard */
void wpa_tdls_assoc(struct wpa_sm *sm);
void wpa_tdls_disassoc(struct wpa_sm *sm);
502 
503 #endif /* WPA_I_H */
504