1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 8 * Sun elects to license this software under the BSD license. 9 * See README for more details. 10 */ 11 12 #pragma ident "%Z%%M% %I% %E% SMI" 13 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <string.h> 17 #include <time.h> 18 #include <netinet/in.h> 19 #include <sys/ethernet.h> 20 #include <fcntl.h> 21 #include <unistd.h> 22 23 #include "wpa_impl.h" 24 #include "wpa_enc.h" 25 #include "driver.h" 26 #include "eloop.h" 27 #include "l2_packet.h" 28 29 static void pmksa_cache_set_expiration(struct wpa_supplicant *); 30 31 /* 32 * IEEE 802.11i/D3.0 33 */ 34 static const int WPA_SELECTOR_LEN = 4; 35 static const uint8_t WPA_OUI_AND_TYPE[] = { 0x00, 0x50, 0xf2, 1 }; 36 static const uint8_t 37 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 }; 38 static const uint8_t 39 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 }; 40 static const uint8_t WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 }; 41 static const uint8_t WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 }; 42 static const uint8_t WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 }; 43 static const uint8_t WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 }; 44 static const uint8_t WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 }; 45 46 /* 47 * WPA IE version 1 48 * 00-50-f2:1 (OUI:OUI type) 49 * 0x01 0x00 (version; little endian) 50 * (all following fields are optional:) 51 * Group Suite Selector (4 octets) (default: TKIP) 52 * Pairwise Suite Count (2 octets, little endian) (default: 1) 53 * Pairwise Suite List (4 * n octets) (default: TKIP) 54 * Authenticated Key Management Suite Count (2 octets, little endian) 55 * (default: 1) 56 * Authenticated Key Management Suite List (4 * n octets) 57 * (default: unspec 802.1x) 58 * WPA Capabilities (2 octets, little endian) (default: 0) 59 */ 60 #pragma pack(1) 61 struct wpa_ie_hdr { 62 uint8_t elem_id; 63 uint8_t len; 64 uint8_t oui[3]; 65 uint8_t oui_type; 66 uint16_t version; 67 }; 68 #pragma pack() 69 70 /* 71 * IEEE 802.11i/D9.0 72 */ 73 static const int RSN_SELECTOR_LEN = 4; 74 static const uint16_t RSN_VERSION = 1; 75 static const uint8_t 76 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 }; 77 static const uint8_t 78 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 }; 79 static const uint8_t RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 }; 80 static const uint8_t RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 }; 81 static const uint8_t RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 }; 82 static const uint8_t RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 }; 83 static const uint8_t RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 }; 84 85 /* 86 * EAPOL-Key Key Data Encapsulation 87 * GroupKey and STAKey require encryption, otherwise, encryption is optional. 88 */ 89 static const uint8_t RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 }; 90 static const uint8_t RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 }; 91 92 /* 93 * 1/4: PMKID 94 * 2/4: RSN IE 95 * 3/4: one or two RSN IEs + GTK IE (encrypted) 96 * 4/4: empty 97 * 1/2: GTK IE (encrypted) 98 * 2/2: empty 99 */ 100 101 /* 102 * RSN IE version 1 103 * 0x01 0x00 (version; little endian) 104 * (all following fields are optional:) 105 * Group Suite Selector (4 octets) (default: CCMP) 106 * Pairwise Suite Count (2 octets, little endian) (default: 1) 107 * Pairwise Suite List (4 * n octets) (default: CCMP) 108 * Authenticated Key Management Suite Count (2 octets, little endian) 109 * (default: 1) 110 * Authenticated Key Management Suite List (4 * n octets) 111 * (default: unspec 802.1x) 112 * RSN Capabilities (2 octets, little endian) (default: 0) 113 * PMKID Count (2 octets) (default: 0) 114 * PMKID List (16 * n octets) 115 */ 116 #pragma pack(1) 117 struct rsn_ie_hdr { 118 uint8_t elem_id; /* WLAN_EID_RSN */ 119 uint8_t len; 120 uint16_t version; 121 }; 122 #pragma pack() 123 124 static int 125 random_get_pseudo_bytes(uint8_t *ptr, size_t len) 126 { 127 int fd; 128 size_t resid = len; 129 size_t bytes; 130 131 fd = open("/dev/urandom", O_RDONLY); 132 if (fd == -1) { 133 wpa_printf(MSG_ERROR, "Could not open /dev/urandom.\n"); 134 return (-1); 135 } 136 137 while (resid != 0) { 138 bytes = read(fd, ptr, resid); 139 ptr += bytes; 140 resid -= bytes; 141 } 142 143 (void) close(fd); 144 145 return (0); 146 } 147 148 static void 149 inc_byte_array(uint8_t *counter, size_t len) 150 { 151 int pos = len - 1; 152 while (pos >= 0) { 153 counter[pos]++; 154 if (counter[pos] != 0) 155 break; 156 pos--; 157 } 158 } 159 160 static int 161 wpa_selector_to_bitfield(uint8_t *s) 162 { 163 if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0) 164 return (WPA_CIPHER_NONE); 165 if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0) 166 return (WPA_CIPHER_WEP40); 167 if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0) 168 return (WPA_CIPHER_TKIP); 169 if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0) 170 return (WPA_CIPHER_CCMP); 171 if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0) 172 return (WPA_CIPHER_WEP104); 173 return (0); 174 } 175 176 static int 177 wpa_key_mgmt_to_bitfield(uint8_t *s) 178 { 179 if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0) 180 return (WPA_KEY_MGMT_IEEE8021X); 181 if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) == 182 0) 183 return (WPA_KEY_MGMT_PSK); 184 return (0); 185 } 186 187 static int 188 rsn_selector_to_bitfield(uint8_t *s) 189 { 190 if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0) 191 return (WPA_CIPHER_NONE); 192 if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0) 193 return (WPA_CIPHER_WEP40); 194 if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0) 195 return (WPA_CIPHER_TKIP); 196 if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0) 197 return (WPA_CIPHER_CCMP); 198 if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0) 199 return (WPA_CIPHER_WEP104); 200 return (0); 201 } 202 203 static int 204 rsn_key_mgmt_to_bitfield(uint8_t *s) 205 { 206 if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0) 207 return (WPA_KEY_MGMT_IEEE8021X); 208 if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) == 209 0) 210 return (WPA_KEY_MGMT_PSK); 211 return (0); 212 } 213 214 static void 215 pmksa_cache_free_entry(struct wpa_supplicant *wpa_s, 216 struct rsn_pmksa_cache *entry) 217 { 218 wpa_s->pmksa_count--; 219 if (wpa_s->cur_pmksa == entry) { 220 wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry"); 221 wpa_s->cur_pmksa = NULL; 222 } 223 free(entry); 224 } 225 226 /* ARGSUSED */ 227 static void 228 pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx) 229 { 230 struct wpa_supplicant *wpa_s = eloop_ctx; 231 time_t now; 232 233 (void) time(&now); 234 while (wpa_s->pmksa && wpa_s->pmksa->expiration <= now) { 235 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 236 wpa_s->pmksa = entry->next; 237 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for " 238 MACSTR, MAC2STR(entry->aa)); 239 pmksa_cache_free_entry(wpa_s, entry); 240 } 241 242 pmksa_cache_set_expiration(wpa_s); 243 } 244 245 static void 246 pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s) 247 { 248 int sec; 249 eloop_cancel_timeout(pmksa_cache_expire, wpa_s, NULL); 250 if (wpa_s->pmksa == NULL) 251 return; 252 sec = wpa_s->pmksa->expiration - time(NULL); 253 if (sec < 0) 254 sec = 0; 255 (void) eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, 256 wpa_s, NULL); 257 } 258 259 void 260 pmksa_cache_free(struct wpa_supplicant *wpa_s) 261 { 262 struct rsn_pmksa_cache *entry, *prev; 263 264 entry = wpa_s->pmksa; 265 wpa_s->pmksa = NULL; 266 while (entry) { 267 prev = entry; 268 entry = entry->next; 269 free(prev); 270 } 271 pmksa_cache_set_expiration(wpa_s); 272 wpa_s->cur_pmksa = NULL; 273 } 274 275 struct rsn_pmksa_cache * 276 pmksa_cache_get(struct wpa_supplicant *wpa_s, 277 uint8_t *aa, uint8_t *pmkid) 278 { 279 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 280 while (entry) { 281 if ((aa == NULL || 282 memcmp(entry->aa, aa, IEEE80211_ADDR_LEN) == 0) && 283 (pmkid == NULL || 284 memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)) 285 return (entry); 286 entry = entry->next; 287 } 288 return (NULL); 289 } 290 291 int 292 pmksa_cache_list(struct wpa_supplicant *wpa_s, char *buf, size_t len) 293 { 294 int i, j; 295 char *pos = buf; 296 struct rsn_pmksa_cache *entry; 297 time_t now; 298 299 (void) time(&now); 300 pos += snprintf(pos, buf + len - pos, 301 "Index / AA / PMKID / expiration (in seconds)\n"); 302 i = 0; 303 entry = wpa_s->pmksa; 304 while (entry) { 305 i++; 306 pos += snprintf(pos, buf + len - pos, "%d " MACSTR " ", 307 i, MAC2STR(entry->aa)); 308 for (j = 0; j < PMKID_LEN; j++) 309 pos += snprintf(pos, buf + len - pos, "%02x", 310 entry->pmkid[j]); 311 pos += snprintf(pos, buf + len - pos, " %d\n", 312 (int)(entry->expiration - now)); 313 entry = entry->next; 314 } 315 return (pos - buf); 316 } 317 318 void 319 pmksa_candidate_free(struct wpa_supplicant *wpa_s) 320 { 321 struct rsn_pmksa_candidate *entry, *prev; 322 323 entry = wpa_s->pmksa_candidates; 324 wpa_s->pmksa_candidates = NULL; 325 while (entry) { 326 prev = entry; 327 entry = entry->next; 328 free(prev); 329 } 330 } 331 332 /* ARGSUSED */ 333 static int 334 wpa_parse_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 335 size_t wpa_ie_len, struct wpa_ie_data *data) 336 { 337 struct wpa_ie_hdr *hdr; 338 uint8_t *pos; 339 int left; 340 int i, count; 341 342 data->proto = WPA_PROTO_WPA; 343 data->pairwise_cipher = WPA_CIPHER_TKIP; 344 data->group_cipher = WPA_CIPHER_TKIP; 345 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 346 data->capabilities = 0; 347 348 if (wpa_ie_len == 0) { 349 /* No WPA IE - fail silently */ 350 return (-1); 351 } 352 353 if (wpa_ie_len < sizeof (struct wpa_ie_hdr)) { 354 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 355 "wpa_parse_wpa_ie_wpa", wpa_ie_len); 356 return (-1); 357 } 358 359 hdr = (struct wpa_ie_hdr *)wpa_ie; 360 361 if (hdr->elem_id != GENERIC_INFO_ELEM || 362 hdr->len != wpa_ie_len - 2 || 363 memcmp(&hdr->oui, WPA_OUI_AND_TYPE, WPA_SELECTOR_LEN) != 0 || 364 LE_16(hdr->version) != WPA_VERSION) { 365 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 366 "wpa_parse_wpa_ie_wpa"); 367 return (-1); 368 } 369 370 pos = (uint8_t *)(hdr + 1); 371 left = wpa_ie_len - sizeof (*hdr); 372 373 if (left >= WPA_SELECTOR_LEN) { 374 data->group_cipher = wpa_selector_to_bitfield(pos); 375 pos += WPA_SELECTOR_LEN; 376 left -= WPA_SELECTOR_LEN; 377 } else if (left > 0) { 378 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 379 "wpa_parse_wpa_ie_wpa", left); 380 return (-1); 381 } 382 383 if (left >= 2) { 384 data->pairwise_cipher = 0; 385 count = pos[0] | (pos[1] << 8); 386 pos += 2; 387 left -= 2; 388 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 389 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 390 "count %u left %u", 391 "wpa_parse_wpa_ie_wpa", count, left); 392 return (-1); 393 } 394 for (i = 0; i < count; i++) { 395 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 396 pos += WPA_SELECTOR_LEN; 397 left -= WPA_SELECTOR_LEN; 398 } 399 } else if (left == 1) { 400 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 401 "wpa_parse_wpa_ie_wpa"); 402 return (-1); 403 } 404 405 if (left >= 2) { 406 data->key_mgmt = 0; 407 count = pos[0] | (pos[1] << 8); 408 pos += 2; 409 left -= 2; 410 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 411 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 412 "count %u left %u", 413 "wpa_parse_wpa_ie_wpa", count, left); 414 return (-1); 415 } 416 for (i = 0; i < count; i++) { 417 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 418 pos += WPA_SELECTOR_LEN; 419 left -= WPA_SELECTOR_LEN; 420 } 421 } else if (left == 1) { 422 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 423 "wpa_parse_wpa_ie_wpa"); 424 return (-1); 425 } 426 427 if (left >= 2) { 428 data->capabilities = pos[0] | (pos[1] << 8); 429 pos += 2; 430 left -= 2; 431 } 432 433 if (left > 0) { 434 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes", 435 "wpa_parse_wpa_ie_wpa", left); 436 return (-1); 437 } 438 439 return (0); 440 } 441 442 /* ARGSUSED */ 443 static int 444 wpa_parse_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie, 445 size_t rsn_ie_len, struct wpa_ie_data *data) 446 { 447 struct rsn_ie_hdr *hdr; 448 uint8_t *pos; 449 int left; 450 int i, count; 451 452 data->proto = WPA_PROTO_RSN; 453 data->pairwise_cipher = WPA_CIPHER_CCMP; 454 data->group_cipher = WPA_CIPHER_CCMP; 455 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 456 data->capabilities = 0; 457 458 if (rsn_ie_len == 0) { 459 /* No RSN IE - fail silently */ 460 return (-1); 461 } 462 463 if (rsn_ie_len < sizeof (struct rsn_ie_hdr)) { 464 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 465 "wpa_parse_wpa_ie_rsn", rsn_ie_len); 466 return (-1); 467 } 468 469 hdr = (struct rsn_ie_hdr *)rsn_ie; 470 471 if (hdr->elem_id != RSN_INFO_ELEM || 472 hdr->len != rsn_ie_len - 2 || 473 LE_16(hdr->version) != RSN_VERSION) { 474 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 475 "wpa_parse_wpa_ie_rsn"); 476 return (-1); 477 } 478 479 pos = (uint8_t *)(hdr + 1); 480 left = rsn_ie_len - sizeof (*hdr); 481 482 if (left >= RSN_SELECTOR_LEN) { 483 data->group_cipher = rsn_selector_to_bitfield(pos); 484 pos += RSN_SELECTOR_LEN; 485 left -= RSN_SELECTOR_LEN; 486 } else if (left > 0) { 487 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 488 "wpa_parse_wpa_ie_rsn", left); 489 return (-1); 490 } 491 492 if (left >= 2) { 493 data->pairwise_cipher = 0; 494 count = pos[0] | (pos[1] << 8); 495 pos += 2; 496 left -= 2; 497 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 498 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 499 "count %u left %u", 500 "wpa_parse_wpa_ie_rsn", count, left); 501 return (-1); 502 } 503 for (i = 0; i < count; i++) { 504 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 505 pos += RSN_SELECTOR_LEN; 506 left -= RSN_SELECTOR_LEN; 507 } 508 } else if (left == 1) { 509 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 510 "wpa_parse_wpa_ie_rsn"); 511 return (-1); 512 } 513 514 if (left >= 2) { 515 data->key_mgmt = 0; 516 count = pos[0] | (pos[1] << 8); 517 pos += 2; 518 left -= 2; 519 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 520 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 521 "count %u left %u", 522 "wpa_parse_wpa_ie_rsn", count, left); 523 return (-1); 524 } 525 for (i = 0; i < count; i++) { 526 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 527 pos += RSN_SELECTOR_LEN; 528 left -= RSN_SELECTOR_LEN; 529 } 530 } else if (left == 1) { 531 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 532 "wpa_parse_wpa_ie_rsn"); 533 return (-1); 534 } 535 536 if (left >= 2) { 537 data->capabilities = pos[0] | (pos[1] << 8); 538 pos += 2; 539 left -= 2; 540 } 541 542 if (left > 0) { 543 /* 544 * RSN IE could include PMKID data, but Authenticator should 545 * never include it, so no need to parse it in the Supplicant. 546 */ 547 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored", 548 "wpa_parse_wpa_ie_rsn", left); 549 } 550 551 return (0); 552 } 553 554 int 555 wpa_parse_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 556 size_t wpa_ie_len, struct wpa_ie_data *data) 557 { 558 if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM) 559 return (wpa_parse_wpa_ie_rsn(wpa_s, wpa_ie, wpa_ie_len, data)); 560 else 561 return (wpa_parse_wpa_ie_wpa(wpa_s, wpa_ie, wpa_ie_len, data)); 562 } 563 564 static int 565 wpa_gen_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 566 { 567 uint8_t *pos; 568 struct wpa_ie_hdr *hdr; 569 570 hdr = (struct wpa_ie_hdr *)wpa_ie; 571 hdr->elem_id = GENERIC_INFO_ELEM; 572 (void) memcpy(&hdr->oui, WPA_OUI_AND_TYPE, WPA_SELECTOR_LEN); 573 hdr->version = LE_16(WPA_VERSION); 574 pos = (uint8_t *)(hdr + 1); 575 576 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 577 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 578 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 579 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 580 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 581 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN); 582 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 583 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN); 584 } else { 585 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 586 wpa_s->group_cipher); 587 return (-1); 588 } 589 pos += WPA_SELECTOR_LEN; 590 591 *pos++ = 1; 592 *pos++ = 0; 593 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 594 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 595 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 596 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 597 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 598 (void) memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN); 599 } else { 600 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 601 wpa_s->pairwise_cipher); 602 return (-1); 603 } 604 pos += WPA_SELECTOR_LEN; 605 606 *pos++ = 1; 607 *pos++ = 0; 608 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 609 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, 610 WPA_SELECTOR_LEN); 611 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 612 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, 613 WPA_SELECTOR_LEN); 614 } else { 615 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 616 wpa_s->key_mgmt); 617 return (-1); 618 } 619 pos += WPA_SELECTOR_LEN; 620 621 /* 622 * WPA Capabilities; use defaults, so no need to include it 623 */ 624 hdr->len = (pos - wpa_ie) - 2; 625 626 return (pos - wpa_ie); 627 } 628 629 static int 630 wpa_gen_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie) 631 { 632 uint8_t *pos; 633 struct rsn_ie_hdr *hdr; 634 635 hdr = (struct rsn_ie_hdr *)rsn_ie; 636 hdr->elem_id = RSN_INFO_ELEM; 637 hdr->version = LE_16(RSN_VERSION); 638 pos = (uint8_t *)(hdr + 1); 639 640 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 641 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 642 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 643 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 644 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 645 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN); 646 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 647 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN); 648 } else { 649 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 650 wpa_s->group_cipher); 651 return (-1); 652 } 653 pos += RSN_SELECTOR_LEN; 654 655 *pos++ = 1; 656 *pos++ = 0; 657 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 658 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 659 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 660 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 661 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 662 (void) memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN); 663 } else { 664 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 665 wpa_s->pairwise_cipher); 666 return (-1); 667 } 668 pos += RSN_SELECTOR_LEN; 669 670 *pos++ = 1; 671 *pos++ = 0; 672 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 673 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, 674 RSN_SELECTOR_LEN); 675 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 676 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, 677 RSN_SELECTOR_LEN); 678 } else { 679 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 680 wpa_s->key_mgmt); 681 return (-1); 682 } 683 pos += RSN_SELECTOR_LEN; 684 685 /* RSN Capabilities */ 686 *pos++ = 0; 687 *pos++ = 0; 688 689 if (wpa_s->cur_pmksa) { 690 /* PMKID Count (2 octets, little endian) */ 691 *pos++ = 1; 692 *pos++ = 0; 693 /* PMKID */ 694 (void) memcpy(pos, wpa_s->cur_pmksa->pmkid, PMKID_LEN); 695 pos += PMKID_LEN; 696 } 697 698 hdr->len = (pos - rsn_ie) - 2; 699 700 return (pos - rsn_ie); 701 } 702 703 int 704 wpa_gen_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 705 { 706 if (wpa_s->proto == WPA_PROTO_RSN) 707 return (wpa_gen_wpa_ie_rsn(wpa_s, wpa_ie)); 708 else 709 return (wpa_gen_wpa_ie_wpa(wpa_s, wpa_ie)); 710 } 711 712 static void 713 wpa_pmk_to_ptk(uint8_t *pmk, uint8_t *addr1, uint8_t *addr2, 714 uint8_t *nonce1, uint8_t *nonce2, uint8_t *ptk, size_t ptk_len) 715 { 716 uint8_t data[2 * IEEE80211_ADDR_LEN + 2 * WPA_PMK_LEN]; 717 718 /* 719 * PTK = PRF-X(PMK, "Pairwise key expansion", 720 * Min(AA, SA) || Max(AA, SA) || 721 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 722 */ 723 724 if (memcmp(addr1, addr2, IEEE80211_ADDR_LEN) < 0) { 725 (void) memcpy(data, addr1, IEEE80211_ADDR_LEN); 726 (void) memcpy(data + IEEE80211_ADDR_LEN, addr2, 727 IEEE80211_ADDR_LEN); 728 } else { 729 (void) memcpy(data, addr2, IEEE80211_ADDR_LEN); 730 (void) memcpy(data + IEEE80211_ADDR_LEN, addr1, 731 IEEE80211_ADDR_LEN); 732 } 733 734 if (memcmp(nonce1, nonce2, WPA_PMK_LEN) < 0) { 735 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce1, 736 WPA_PMK_LEN); 737 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 738 nonce2, WPA_PMK_LEN); 739 } else { 740 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce2, 741 WPA_PMK_LEN); 742 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 743 nonce1, WPA_PMK_LEN); 744 } 745 746 sha1_prf(pmk, WPA_PMK_LEN, "Pairwise key expansion", data, 747 sizeof (data), ptk, ptk_len); 748 749 wpa_hexdump(MSG_DEBUG, "WPA: PMK", pmk, WPA_PMK_LEN); 750 wpa_hexdump(MSG_DEBUG, "WPA: PTK", ptk, ptk_len); 751 } 752 753 struct wpa_ssid * 754 wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s) 755 { 756 struct wpa_ssid *entry; 757 uint8_t ssid[MAX_ESSID_LENGTH]; 758 int ssid_len; 759 uint8_t bssid[IEEE80211_ADDR_LEN]; 760 761 (void) memset(ssid, 0, MAX_ESSID_LENGTH); 762 ssid_len = wpa_s->driver->get_ssid(wpa_s->linkid, (char *)ssid); 763 if (ssid_len < 0) { 764 wpa_printf(MSG_WARNING, "Could not read SSID from driver."); 765 return (NULL); 766 } 767 768 if (wpa_s->driver->get_bssid(wpa_s->linkid, (char *)bssid) < 0) { 769 wpa_printf(MSG_WARNING, "Could not read BSSID from driver."); 770 return (NULL); 771 } 772 773 entry = wpa_s->conf->ssid; 774 wpa_printf(MSG_DEBUG, "entry len=%d ssid=%s," 775 " driver len=%d ssid=%s", 776 entry->ssid_len, entry->ssid, ssid_len, ssid); 777 778 if (ssid_len == entry->ssid_len && 779 memcmp(ssid, entry->ssid, ssid_len) == 0 && 780 (!entry->bssid_set || 781 memcmp(bssid, entry->bssid, IEEE80211_ADDR_LEN) == 0)) 782 return (entry); 783 784 return (NULL); 785 } 786 787 static void 788 wpa_eapol_key_mic(uint8_t *key, int ver, uint8_t *buf, size_t len, uint8_t *mic) 789 { 790 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 791 hmac_md5(key, 16, buf, len, mic); 792 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 793 uint8_t hash[SHA1_MAC_LEN]; 794 hmac_sha1(key, 16, buf, len, hash); 795 (void) memcpy(mic, hash, MD5_MAC_LEN); 796 } 797 } 798 799 void 800 wpa_supplicant_key_request(struct wpa_supplicant *wpa_s, 801 int error, int pairwise) 802 { 803 int rlen; 804 struct ieee802_1x_hdr *hdr; 805 struct wpa_eapol_key *reply; 806 unsigned char *rbuf; 807 struct l2_ethhdr *ethhdr; 808 int key_info, ver; 809 uint8_t bssid[IEEE80211_ADDR_LEN]; 810 811 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) 812 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 813 else 814 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 815 816 if (wpa_s->driver->get_bssid(wpa_s->linkid, (char *)bssid) < 0) { 817 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key " 818 "request"); 819 return; 820 } 821 822 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 823 rbuf = malloc(rlen); 824 if (rbuf == NULL) 825 return; 826 827 (void) memset(rbuf, 0, rlen); 828 ethhdr = (struct l2_ethhdr *)rbuf; 829 (void) memcpy(ethhdr->h_dest, bssid, IEEE80211_ADDR_LEN); 830 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 831 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 832 833 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 834 hdr->version = wpa_s->conf->eapol_version; 835 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 836 hdr->length = htons(sizeof (*reply)); 837 838 reply = (struct wpa_eapol_key *)(hdr + 1); 839 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 840 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 841 key_info = WPA_KEY_INFO_REQUEST | ver; 842 if (wpa_s->ptk_set) 843 key_info |= WPA_KEY_INFO_MIC; 844 if (error) 845 key_info |= WPA_KEY_INFO_ERROR; 846 if (pairwise) 847 key_info |= WPA_KEY_INFO_KEY_TYPE; 848 reply->key_info = BE_16(key_info); 849 reply->key_length = 0; 850 (void) memcpy(reply->replay_counter, wpa_s->request_counter, 851 WPA_REPLAY_COUNTER_LEN); 852 inc_byte_array(wpa_s->request_counter, WPA_REPLAY_COUNTER_LEN); 853 854 reply->key_data_length = BE_16(0); 855 856 if (key_info & WPA_KEY_INFO_MIC) { 857 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 858 rlen - sizeof (*ethhdr), reply->key_mic); 859 } 860 861 wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d " 862 "pairwise=%d ptk_set=%d len=%d)", 863 error, pairwise, wpa_s->ptk_set, rlen); 864 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key Request", rbuf, rlen); 865 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 866 free(rbuf); 867 } 868 869 static void 870 wpa_supplicant_process_1_of_4(struct wpa_supplicant *wpa_s, 871 unsigned char *src_addr, struct wpa_eapol_key *key, int ver) 872 { 873 int rlen; 874 struct ieee802_1x_hdr *hdr; 875 struct wpa_eapol_key *reply; 876 unsigned char *rbuf; 877 struct l2_ethhdr *ethhdr; 878 struct wpa_ssid *ssid; 879 struct wpa_ptk *ptk; 880 uint8_t buf[8], wpa_ie_buf[80], *wpa_ie, *pmkid = NULL; 881 int wpa_ie_len; 882 883 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 884 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from " 885 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 886 887 ssid = wpa_supplicant_get_ssid(wpa_s); 888 if (ssid == NULL) { 889 wpa_printf(MSG_WARNING, 890 "WPA: No SSID info found (msg 1 of 4)."); 891 return; 892 } 893 894 if (wpa_s->proto == WPA_PROTO_RSN) { 895 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 896 uint8_t *pos = (uint8_t *)(key + 1); 897 uint8_t *end = pos + BE_16(key->key_data_length); 898 899 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 900 pos, BE_16(key->key_data_length)); 901 902 while (pos + 1 < end) { 903 if (pos + 2 + pos[1] > end) { 904 wpa_printf(MSG_DEBUG, "RSN: key data " 905 "underflow (ie=%d len=%d)", 906 pos[0], pos[1]); 907 break; 908 } 909 if (pos[0] == GENERIC_INFO_ELEM && 910 pos + 1 + RSN_SELECTOR_LEN < end && 911 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN && 912 memcmp(pos + 2, RSN_KEY_DATA_PMKID, 913 RSN_SELECTOR_LEN) == 0) { 914 pmkid = pos + 2 + RSN_SELECTOR_LEN; 915 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 916 "Authenticator", pmkid, PMKID_LEN); 917 break; 918 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 919 break; 920 pos += 2 + pos[1]; 921 } 922 } 923 924 wpa_ie = wpa_ie_buf; 925 wpa_ie_len = wpa_gen_wpa_ie(wpa_s, wpa_ie); 926 if (wpa_ie_len < 0) { 927 wpa_printf(MSG_WARNING, "WPA: Failed to generate " 928 "WPA IE (for msg 2 of 4)."); 929 return; 930 } 931 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 932 933 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply) + wpa_ie_len; 934 rbuf = malloc(rlen); 935 if (rbuf == NULL) 936 return; 937 938 (void) memset(rbuf, 0, rlen); 939 ethhdr = (struct l2_ethhdr *)rbuf; 940 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 941 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 942 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 943 944 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 945 hdr->version = wpa_s->conf->eapol_version; 946 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 947 hdr->length = htons(sizeof (*reply) + wpa_ie_len); 948 949 reply = (struct wpa_eapol_key *)(hdr + 1); 950 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 951 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 952 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC); 953 reply->key_length = key->key_length; 954 (void) memcpy(reply->replay_counter, key->replay_counter, 955 WPA_REPLAY_COUNTER_LEN); 956 957 reply->key_data_length = BE_16(wpa_ie_len); 958 (void) memcpy(reply + 1, wpa_ie, wpa_ie_len); 959 960 if (wpa_s->renew_snonce) { 961 if (random_get_pseudo_bytes(wpa_s->snonce, WPA_NONCE_LEN)) { 962 wpa_printf(MSG_WARNING, "WPA: Failed to get " 963 "random data for SNonce"); 964 free(rbuf); 965 return; 966 } 967 968 wpa_s->renew_snonce = 0; 969 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 970 wpa_s->snonce, WPA_NONCE_LEN); 971 } 972 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 973 ptk = &wpa_s->tptk; 974 (void) memcpy(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN); 975 976 wpa_pmk_to_ptk(wpa_s->pmk, wpa_s->own_addr, src_addr, 977 wpa_s->snonce, key->key_nonce, (uint8_t *)ptk, sizeof (*ptk)); 978 979 /* 980 * Supplicant: swap tx/rx Mic keys 981 */ 982 (void) memcpy(buf, ptk->u.auth.tx_mic_key, 8); 983 (void) memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8); 984 (void) memcpy(ptk->u.auth.rx_mic_key, buf, 8); 985 wpa_s->tptk_set = 1; 986 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, (uint8_t *)hdr, 987 rlen - sizeof (*ethhdr), reply->key_mic); 988 wpa_hexdump(MSG_DEBUG, "WPA: EAPOL-Key MIC", reply->key_mic, 16); 989 990 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 991 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/4", rbuf, rlen); 992 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 993 994 free(rbuf); 995 } 996 997 static void 998 wpa_supplicant_process_3_of_4_gtk(struct wpa_supplicant *wpa_s, 999 unsigned char *src_addr, struct wpa_eapol_key *key, 1000 uint8_t *gtk, int gtk_len) 1001 { 1002 int keyidx, tx, key_rsc_len = 0, alg; 1003 1004 wpa_hexdump(MSG_DEBUG, 1005 "WPA: received GTK in pairwise handshake", gtk, gtk_len); 1006 1007 keyidx = gtk[0] & 0x3; 1008 tx = !!(gtk[0] & BIT(2)); 1009 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1010 /* 1011 * Ignore Tx bit in GTK IE if a pairwise key is used. 1012 * One AP seemed to set this bit (incorrectly, since Tx 1013 * is only when doing Group Key only APs) and without 1014 * this workaround, the data connection does not work 1015 * because wpa_supplicant configured non-zero keyidx to 1016 * be used for unicast. 1017 */ 1018 wpa_printf(MSG_INFO, "RSN: Tx bit set for GTK IE, but " 1019 "pairwise keys are used - ignore Tx bit"); 1020 tx = 0; 1021 } 1022 1023 gtk += 2; 1024 gtk_len -= 2; 1025 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, gtk_len); 1026 1027 switch (wpa_s->group_cipher) { 1028 case WPA_CIPHER_CCMP: 1029 if (gtk_len != 16) { 1030 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP" 1031 " Group Cipher key length %d.", gtk_len); 1032 return; 1033 } 1034 key_rsc_len = 6; 1035 alg = WPA_ALG_CCMP; 1036 break; 1037 case WPA_CIPHER_TKIP: 1038 if (gtk_len != 32) { 1039 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP" 1040 " Group Cipher key length %d.", gtk_len); 1041 return; 1042 } 1043 key_rsc_len = 6; 1044 alg = WPA_ALG_TKIP; 1045 break; 1046 case WPA_CIPHER_WEP104: 1047 if (gtk_len != 13) { 1048 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1049 "WEP104 Group Cipher key length " "%d.", gtk_len); 1050 return; 1051 } 1052 alg = WPA_ALG_WEP; 1053 break; 1054 case WPA_CIPHER_WEP40: 1055 if (gtk_len != 5) { 1056 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1057 "WEP40 Group Cipher key length %d.", gtk_len); 1058 return; 1059 } 1060 alg = WPA_ALG_WEP; 1061 break; 1062 default: 1063 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher " 1064 "%d", wpa_s->group_cipher); 1065 return; 1066 } 1067 1068 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver " 1069 "(keyidx=%d tx=%d).", keyidx, tx); 1070 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1071 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1072 uint8_t tmpbuf[8]; 1073 /* 1074 * Swap Tx/Rx keys for Michael MIC 1075 */ 1076 (void) memcpy(tmpbuf, gtk + 16, 8); 1077 (void) memcpy(gtk + 16, gtk + 24, 8); 1078 (void) memcpy(gtk + 24, tmpbuf, 8); 1079 } 1080 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1081 if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1082 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1083 keyidx, 1, key->key_rsc, 1084 key_rsc_len, gtk, gtk_len) < 0) 1085 wpa_printf(MSG_WARNING, "WPA: Failed to set " 1086 "GTK to the driver (Group only)."); 1087 } else if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1088 (uint8_t *)"\xff\xff\xff\xff\xff\xff", keyidx, tx, 1089 key->key_rsc, key_rsc_len, gtk, gtk_len) < 0) { 1090 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to " 1091 "the driver."); 1092 } 1093 1094 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " 1095 MACSTR, MAC2STR(src_addr)); 1096 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1097 wpa_supplicant_cancel_auth_timeout(wpa_s); 1098 wpa_s->wpa_state = WPA_COMPLETED; 1099 } 1100 1101 static void 1102 wpa_supplicant_process_3_of_4(struct wpa_supplicant *wpa_s, 1103 unsigned char *src_addr, struct wpa_eapol_key *key, 1104 int extra_len, int ver) 1105 { 1106 int rlen; 1107 struct ieee802_1x_hdr *hdr; 1108 struct wpa_eapol_key *reply; 1109 unsigned char *rbuf; 1110 struct l2_ethhdr *ethhdr; 1111 int key_info, ie_len = 0, keylen, gtk_len = 0; 1112 uint8_t *ie = NULL, *gtk = NULL, *key_rsc; 1113 uint8_t null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 1114 1115 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 1116 wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from " 1117 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1118 1119 key_info = BE_16(key->key_info); 1120 1121 if (wpa_s->proto == WPA_PROTO_RSN) { 1122 uint8_t *pos = (uint8_t *)(key + 1); 1123 uint8_t *end = pos + BE_16(key->key_data_length); 1124 while (pos + 1 < end) { 1125 if (pos + 2 + pos[1] > end) { 1126 wpa_printf(MSG_DEBUG, "RSN: key data " 1127 "underflow (ie=%d len=%d)", 1128 pos[0], pos[1]); 1129 break; 1130 } 1131 if (*pos == RSN_INFO_ELEM) { 1132 ie = pos; 1133 ie_len = pos[1] + 2; 1134 } else if (pos[0] == GENERIC_INFO_ELEM && 1135 pos + 1 + RSN_SELECTOR_LEN < end && 1136 pos[1] > RSN_SELECTOR_LEN + 2 && 1137 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1138 RSN_SELECTOR_LEN) == 0) { 1139 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1140 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1141 "in unencrypted key data"); 1142 return; 1143 } 1144 gtk = pos + 2 + RSN_SELECTOR_LEN; 1145 gtk_len = pos[1] - RSN_SELECTOR_LEN; 1146 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 1147 break; 1148 1149 pos += 2 + pos[1]; 1150 } 1151 } else { 1152 ie = (uint8_t *)(key + 1); 1153 ie_len = BE_16(key->key_data_length); 1154 if (ie_len > extra_len) { 1155 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1156 " ie_len=%d > extra_len=%d", 1157 ie_len, extra_len); 1158 return; 1159 } 1160 } 1161 1162 if (wpa_s->ap_wpa_ie && 1163 (wpa_s->ap_wpa_ie_len != ie_len || 1164 memcmp(wpa_s->ap_wpa_ie, ie, ie_len) != 0)) { 1165 wpa_printf(MSG_WARNING, "WPA: WPA IE in 3/4 msg does not match" 1166 " with WPA IE in Beacon/ProbeResp (src=" MACSTR ")", 1167 MAC2STR(src_addr)); 1168 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1169 wpa_s->ap_wpa_ie, wpa_s->ap_wpa_ie_len); 1170 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", ie, ie_len); 1171 wpa_supplicant_disassociate(wpa_s, REASON_IE_IN_4WAY_DIFFERS); 1172 wpa_supplicant_req_scan(wpa_s, 0, 0); 1173 return; 1174 } 1175 1176 if (memcmp(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1177 wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way " 1178 "Handshake differs from 3 of 4-Way Handshake - drop" 1179 " packet (src=" MACSTR ")", MAC2STR(src_addr)); 1180 return; 1181 } 1182 1183 keylen = BE_16(key->key_length); 1184 switch (wpa_s->pairwise_cipher) { 1185 case WPA_CIPHER_CCMP: 1186 if (keylen != 16) { 1187 wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length " 1188 "%d (src=" MACSTR ")", 1189 keylen, MAC2STR(src_addr)); 1190 return; 1191 } 1192 break; 1193 case WPA_CIPHER_TKIP: 1194 if (keylen != 32) { 1195 wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length " 1196 "%d (src=" MACSTR ")", 1197 keylen, MAC2STR(src_addr)); 1198 return; 1199 } 1200 break; 1201 } 1202 1203 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1204 rbuf = malloc(rlen); 1205 if (rbuf == NULL) 1206 return; 1207 1208 (void) memset(rbuf, 0, rlen); 1209 ethhdr = (struct l2_ethhdr *)rbuf; 1210 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1211 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1212 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1213 1214 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1215 hdr->version = wpa_s->conf->eapol_version; 1216 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1217 hdr->length = htons(sizeof (*reply)); 1218 1219 reply = (struct wpa_eapol_key *)(hdr + 1); 1220 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1221 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1222 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | 1223 WPA_KEY_INFO_MIC | (key_info & WPA_KEY_INFO_SECURE)); 1224 reply->key_length = key->key_length; 1225 (void) memcpy(reply->replay_counter, key->replay_counter, 1226 WPA_REPLAY_COUNTER_LEN); 1227 1228 reply->key_data_length = BE_16(0); 1229 1230 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 1231 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1232 rlen - sizeof (*ethhdr), reply->key_mic); 1233 1234 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1235 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 4/4", rbuf, rlen); 1236 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1237 1238 free(rbuf); 1239 1240 /* 1241 * SNonce was successfully used in msg 3/4, so mark it to be renewed 1242 * for the next 4-Way Handshake. If msg 3 is received again, the old 1243 * SNonce will still be used to avoid changing PTK. 1244 */ 1245 wpa_s->renew_snonce = 1; 1246 1247 if (key_info & WPA_KEY_INFO_INSTALL) { 1248 int alg, keylen, rsclen; 1249 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver."); 1250 switch (wpa_s->pairwise_cipher) { 1251 case WPA_CIPHER_CCMP: 1252 alg = WPA_ALG_CCMP; 1253 keylen = 16; 1254 rsclen = 6; 1255 break; 1256 case WPA_CIPHER_TKIP: 1257 alg = WPA_ALG_TKIP; 1258 keylen = 32; 1259 rsclen = 6; 1260 break; 1261 case WPA_CIPHER_NONE: 1262 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: " 1263 "NONE - do not use pairwise keys"); 1264 return; 1265 default: 1266 wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise " 1267 "cipher %d", wpa_s->pairwise_cipher); 1268 return; 1269 } 1270 if (wpa_s->proto == WPA_PROTO_RSN) { 1271 key_rsc = null_rsc; 1272 } else { 1273 key_rsc = key->key_rsc; 1274 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 1275 } 1276 1277 if (wpa_s->driver->set_key(wpa_s->linkid, alg, src_addr, 1278 0, 1, key_rsc, rsclen, 1279 (uint8_t *)&wpa_s->ptk.tk1, keylen) < 0) { 1280 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the" 1281 " driver."); 1282 } 1283 } 1284 1285 wpa_printf(MSG_DEBUG, "%s: key_info=%x gtk=%p\n", 1286 "wpa_supplicant_process_3_of_4", key_info, gtk); 1287 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1288 1289 if (gtk) 1290 wpa_supplicant_process_3_of_4_gtk(wpa_s, 1291 src_addr, key, gtk, gtk_len); 1292 } 1293 1294 static void 1295 wpa_supplicant_process_1_of_2(struct wpa_supplicant *wpa_s, 1296 unsigned char *src_addr, struct wpa_eapol_key *key, 1297 int extra_len, int ver) 1298 { 1299 int rlen; 1300 struct ieee802_1x_hdr *hdr; 1301 struct wpa_eapol_key *reply; 1302 unsigned char *rbuf; 1303 struct l2_ethhdr *ethhdr; 1304 int key_info, keylen, keydatalen, maxkeylen, keyidx, key_rsc_len = 0; 1305 int alg, tx; 1306 uint8_t ek[32], tmpbuf[8], gtk[32]; 1307 uint8_t *gtk_ie = NULL; 1308 size_t gtk_ie_len = 0; 1309 1310 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1311 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from " 1312 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1313 1314 key_info = BE_16(key->key_info); 1315 keydatalen = BE_16(key->key_data_length); 1316 1317 if (wpa_s->proto == WPA_PROTO_RSN) { 1318 uint8_t *pos = (uint8_t *)(key + 1); 1319 uint8_t *end = pos + keydatalen; 1320 while (pos + 1 < end) { 1321 if (pos + 2 + pos[1] > end) { 1322 wpa_printf(MSG_DEBUG, "RSN: key data " 1323 "underflow (ie=%d len=%d)", 1324 pos[0], pos[1]); 1325 break; 1326 } 1327 if (pos[0] == GENERIC_INFO_ELEM && 1328 pos + 1 + RSN_SELECTOR_LEN < end && 1329 pos[1] > RSN_SELECTOR_LEN + 2 && 1330 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1331 RSN_SELECTOR_LEN) == 0) { 1332 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1333 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1334 "in unencrypted key data"); 1335 return; 1336 } 1337 gtk_ie = pos + 2 + RSN_SELECTOR_LEN; 1338 gtk_ie_len = pos[1] - RSN_SELECTOR_LEN; 1339 break; 1340 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) { 1341 break; 1342 } 1343 1344 pos += 2 + pos[1]; 1345 } 1346 1347 if (gtk_ie == NULL) { 1348 wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key " 1349 "message 1/2"); 1350 return; 1351 } 1352 maxkeylen = keylen = gtk_ie_len - 2; 1353 } else { 1354 keylen = BE_16(key->key_length); 1355 maxkeylen = keydatalen; 1356 if (keydatalen > extra_len) { 1357 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1358 " key_data_length=%d > extra_len=%d", 1359 keydatalen, extra_len); 1360 return; 1361 } 1362 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) 1363 maxkeylen -= 8; 1364 } 1365 1366 switch (wpa_s->group_cipher) { 1367 case WPA_CIPHER_CCMP: 1368 if (keylen != 16 || maxkeylen < 16) { 1369 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP Group " 1370 "Cipher key length %d (%d).", keylen, maxkeylen); 1371 return; 1372 } 1373 key_rsc_len = 6; 1374 alg = WPA_ALG_CCMP; 1375 break; 1376 case WPA_CIPHER_TKIP: 1377 if (keylen != 32 || maxkeylen < 32) { 1378 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP Group " 1379 "Cipher key length %d (%d).", keylen, maxkeylen); 1380 return; 1381 } 1382 key_rsc_len = 6; /* key->key_data; */ 1383 alg = WPA_ALG_TKIP; 1384 break; 1385 case WPA_CIPHER_WEP104: 1386 if (keylen != 13 || maxkeylen < 13) { 1387 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP104 Group" 1388 " Cipher key length %d (%d).", keylen, maxkeylen); 1389 return; 1390 } 1391 alg = WPA_ALG_WEP; 1392 break; 1393 case WPA_CIPHER_WEP40: 1394 if (keylen != 5 || maxkeylen < 5) { 1395 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP40 Group " 1396 "Cipher key length %d (%d).", keylen, maxkeylen); 1397 return; 1398 } 1399 alg = WPA_ALG_WEP; 1400 break; 1401 default: 1402 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher %d", 1403 wpa_s->group_cipher); 1404 return; 1405 } 1406 1407 if (wpa_s->proto == WPA_PROTO_RSN) { 1408 wpa_hexdump(MSG_DEBUG, 1409 "WPA: received GTK in group key handshake", 1410 gtk_ie, gtk_ie_len); 1411 keyidx = gtk_ie[0] & 0x3; 1412 tx = !!(gtk_ie[0] & BIT(2)); 1413 if (gtk_ie_len - 2 > sizeof (gtk)) { 1414 wpa_printf(MSG_INFO, "WPA: Too long GTK in GTK IE " 1415 "(len=%d)", gtk_ie_len - 2); 1416 return; 1417 } 1418 (void) memcpy(gtk, gtk_ie + 2, gtk_ie_len - 2); 1419 } else { 1420 keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1421 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1422 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1423 (void) memcpy(ek, key->key_iv, 16); 1424 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1425 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1426 (void) memcpy(gtk, key + 1, keylen); 1427 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1428 if (keydatalen % 8) { 1429 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1430 "AES-WRAP len %d", keydatalen); 1431 return; 1432 } 1433 if (aes_unwrap(wpa_s->ptk.encr_key, maxkeylen / 8, 1434 (uint8_t *)(key + 1), gtk)) { 1435 wpa_printf(MSG_WARNING, "WPA: AES unwrap " 1436 "failed - could not decrypt GTK"); 1437 return; 1438 } 1439 } 1440 tx = !!(key_info & WPA_KEY_INFO_TXRX); 1441 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1442 /* 1443 * Ignore Tx bit in Group Key message if a pairwise key 1444 * is used. Some APs seem to setting this bit 1445 * (incorrectly, since Tx is only when doing Group Key 1446 * only APs) and without this workaround, the data 1447 * connection does not work because wpa_supplicant 1448 * configured non-zero keyidx to be used for unicast. 1449 */ 1450 wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but " 1451 "pairwise keys are used - ignore Tx bit"); 1452 tx = 0; 1453 } 1454 } 1455 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, keylen); 1456 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver (keyidx=%d " 1457 "tx=%d).", keyidx, tx); 1458 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1459 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1460 /* 1461 * Swap Tx/Rx keys for Michael MIC 1462 */ 1463 (void) memcpy(tmpbuf, gtk + 16, 8); 1464 (void) memcpy(gtk + 16, gtk + 24, 8); 1465 (void) memcpy(gtk + 24, tmpbuf, 8); 1466 } 1467 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1468 if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1469 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1470 keyidx, 1, key->key_rsc, 1471 key_rsc_len, gtk, keylen) < 0) 1472 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the" 1473 " driver (Group only)."); 1474 } else if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1475 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1476 keyidx, tx, 1477 key->key_rsc, key_rsc_len, 1478 gtk, keylen) < 0) { 1479 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " 1480 "driver."); 1481 } 1482 1483 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1484 rbuf = malloc(rlen); 1485 if (rbuf == NULL) 1486 return; 1487 1488 (void) memset(rbuf, 0, rlen); 1489 ethhdr = (struct l2_ethhdr *)rbuf; 1490 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1491 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1492 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1493 1494 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1495 hdr->version = wpa_s->conf->eapol_version; 1496 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1497 hdr->length = htons(sizeof (*reply)); 1498 1499 reply = (struct wpa_eapol_key *)(hdr + 1); 1500 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1501 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1502 reply->key_info = 1503 BE_16(ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE | 1504 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK)); 1505 reply->key_length = key->key_length; 1506 (void) memcpy(reply->replay_counter, key->replay_counter, 1507 WPA_REPLAY_COUNTER_LEN); 1508 1509 reply->key_data_length = BE_16(0); 1510 1511 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1512 rlen - sizeof (*ethhdr), reply->key_mic); 1513 1514 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 1515 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/2", rbuf, rlen); 1516 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1517 free(rbuf); 1518 1519 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " MACSTR, 1520 MAC2STR(src_addr)); 1521 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1522 wpa_supplicant_cancel_auth_timeout(wpa_s); 1523 wpa_s->wpa_state = WPA_COMPLETED; 1524 wpa_printf(MSG_INFO, "-----------------------------------\n"); 1525 } 1526 1527 static int 1528 wpa_supplicant_verify_eapol_key_mic(struct wpa_supplicant *wpa_s, 1529 struct wpa_eapol_key *key, int ver, uint8_t *buf, size_t len) 1530 { 1531 uint8_t mic[16]; 1532 int ok = 0; 1533 1534 (void) memcpy(mic, key->key_mic, 16); 1535 if (wpa_s->tptk_set) { 1536 (void) memset(key->key_mic, 0, 16); 1537 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, buf, len, 1538 key->key_mic); 1539 if (memcmp(mic, key->key_mic, 16) != 0) { 1540 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1541 "when using TPTK - ignoring TPTK"); 1542 } else { 1543 ok = 1; 1544 wpa_s->tptk_set = 0; 1545 wpa_s->ptk_set = 1; 1546 (void) memcpy(&wpa_s->ptk, &wpa_s->tptk, 1547 sizeof (wpa_s->ptk)); 1548 } 1549 } 1550 1551 if (!ok && wpa_s->ptk_set) { 1552 (void) memset(key->key_mic, 0, 16); 1553 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, buf, len, 1554 key->key_mic); 1555 if (memcmp(mic, key->key_mic, 16) != 0) { 1556 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1557 "- dropping packet"); 1558 return (-1); 1559 } 1560 ok = 1; 1561 } 1562 1563 if (!ok) { 1564 wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC " 1565 "- dropping packet"); 1566 return (-1); 1567 } 1568 1569 (void) memcpy(wpa_s->rx_replay_counter, key->replay_counter, 1570 WPA_REPLAY_COUNTER_LEN); 1571 wpa_s->rx_replay_counter_set = 1; 1572 1573 return (0); 1574 } 1575 1576 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 1577 static int 1578 wpa_supplicant_decrypt_key_data(struct wpa_supplicant *wpa_s, 1579 struct wpa_eapol_key *key, int ver) 1580 { 1581 int keydatalen = BE_16(key->key_data_length); 1582 1583 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 1584 (uint8_t *)(key + 1), keydatalen); 1585 if (!wpa_s->ptk_set) { 1586 wpa_printf(MSG_WARNING, "WPA: PTK not available, " 1587 "cannot decrypt EAPOL-Key key data."); 1588 return (-1); 1589 } 1590 1591 /* 1592 * Decrypt key data here so that this operation does not need 1593 * to be implemented separately for each message type. 1594 */ 1595 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1596 uint8_t ek[32]; 1597 (void) memcpy(ek, key->key_iv, 16); 1598 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1599 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1600 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1601 uint8_t *buf; 1602 if (keydatalen % 8) { 1603 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1604 "AES-WRAP len %d", keydatalen); 1605 return (-1); 1606 } 1607 keydatalen -= 8; /* AES-WRAP adds 8 bytes */ 1608 buf = malloc(keydatalen); 1609 if (buf == NULL) { 1610 wpa_printf(MSG_WARNING, "WPA: No memory for " 1611 "AES-UNWRAP buffer"); 1612 return (-1); 1613 } 1614 if (aes_unwrap(wpa_s->ptk.encr_key, keydatalen / 8, 1615 (uint8_t *)(key + 1), buf)) { 1616 free(buf); 1617 wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - " 1618 "could not decrypt EAPOL-Key key data"); 1619 return (-1); 1620 } 1621 (void) memcpy(key + 1, buf, keydatalen); 1622 free(buf); 1623 key->key_data_length = BE_16(keydatalen); 1624 } 1625 wpa_hexdump(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 1626 (uint8_t *)(key + 1), keydatalen); 1627 1628 return (0); 1629 } 1630 1631 static void 1632 wpa_sm_rx_eapol(struct wpa_supplicant *wpa_s, 1633 unsigned char *src_addr, unsigned char *buf, size_t len) 1634 { 1635 size_t plen, data_len, extra_len; 1636 struct ieee802_1x_hdr *hdr; 1637 struct wpa_eapol_key *key; 1638 int key_info, ver; 1639 1640 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame len %u\n ", len); 1641 1642 hdr = (struct ieee802_1x_hdr *)buf; 1643 key = (struct wpa_eapol_key *)(hdr + 1); 1644 wpa_printf(MSG_DEBUG, "hdr_len=%u, key_len=%u", 1645 sizeof (*hdr), sizeof (*key)); 1646 if (len < sizeof (*hdr) + sizeof (*key)) { 1647 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short, len %u, " 1648 "expecting at least %u", 1649 len, sizeof (*hdr) + sizeof (*key)); 1650 return; 1651 } 1652 plen = ntohs(hdr->length); 1653 data_len = plen + sizeof (*hdr); 1654 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%d", 1655 hdr->version, hdr->type, plen); 1656 1657 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 1658 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, " 1659 "not a Key frame", hdr->type); 1660 return; 1661 } 1662 if (plen > len - sizeof (*hdr) || plen < sizeof (*key)) { 1663 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %u " 1664 "invalid (frame size %u)", plen, len); 1665 return; 1666 } 1667 1668 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type); 1669 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != 1670 EAPOL_KEY_TYPE_RSN) { 1671 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, " 1672 "discarded", key->type); 1673 return; 1674 } 1675 1676 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 1677 if (data_len < len) { 1678 wpa_printf(MSG_DEBUG, "WPA: ignoring %d bytes after the IEEE " 1679 "802.1X data", len - data_len); 1680 } 1681 key_info = BE_16(key->key_info); 1682 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1683 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 1684 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1685 wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor " 1686 "version %d.", ver); 1687 return; 1688 } 1689 1690 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP && 1691 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1692 wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key " 1693 "descriptor version (%d) is not 2.", ver); 1694 if (wpa_s->group_cipher != WPA_CIPHER_CCMP && 1695 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1696 /* 1697 * Earlier versions of IEEE 802.11i did not explicitly 1698 * require version 2 descriptor for all EAPOL-Key 1699 * packets, so allow group keys to use version 1 if 1700 * CCMP is not used for them. 1701 */ 1702 wpa_printf(MSG_INFO, "WPA: Backwards compatibility: " 1703 "allow invalid version for non-CCMP group keys"); 1704 } else 1705 return; 1706 } 1707 1708 if (wpa_s->rx_replay_counter_set && 1709 memcmp(key->replay_counter, wpa_s->rx_replay_counter, 1710 WPA_REPLAY_COUNTER_LEN) <= 0) { 1711 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not" 1712 " increase - dropping packet"); 1713 return; 1714 } 1715 1716 if (!(key_info & WPA_KEY_INFO_ACK)) { 1717 wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info"); 1718 return; 1719 } 1720 1721 if (key_info & WPA_KEY_INFO_REQUEST) { 1722 wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - " 1723 "dropped"); 1724 return; 1725 } 1726 1727 if ((key_info & WPA_KEY_INFO_MIC) && 1728 wpa_supplicant_verify_eapol_key_mic(wpa_s, key, ver, buf, 1729 data_len)) { 1730 return; 1731 } 1732 1733 extra_len = data_len - sizeof (*hdr) - sizeof (*key); 1734 1735 if (wpa_s->proto == WPA_PROTO_RSN && 1736 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1737 wpa_supplicant_decrypt_key_data(wpa_s, key, ver)) 1738 return; 1739 1740 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1741 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 1742 wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key " 1743 "(Pairwise) with non-zero key index"); 1744 return; 1745 } 1746 if (key_info & WPA_KEY_INFO_MIC) { 1747 /* 3/4 4-Way Handshake */ 1748 wpa_supplicant_process_3_of_4(wpa_s, src_addr, key, 1749 extra_len, ver); 1750 } else { 1751 /* 1/4 4-Way Handshake */ 1752 wpa_supplicant_process_1_of_4(wpa_s, src_addr, key, 1753 ver); 1754 } 1755 } else { 1756 if (key_info & WPA_KEY_INFO_MIC) { 1757 /* 1/2 Group Key Handshake */ 1758 wpa_supplicant_process_1_of_2(wpa_s, src_addr, key, 1759 extra_len, ver); 1760 } else { 1761 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) " 1762 "without Mic bit - dropped"); 1763 } 1764 } 1765 } 1766 1767 void 1768 wpa_supplicant_rx_eapol(void *ctx, unsigned char *src_addr, 1769 unsigned char *buf, size_t len) 1770 { 1771 struct wpa_supplicant *wpa_s = ctx; 1772 1773 wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); 1774 wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); 1775 1776 if (wpa_s->eapol_received == 0) { 1777 /* Timeout for completing IEEE 802.1X and WPA authentication */ 1778 wpa_supplicant_req_auth_timeout( 1779 wpa_s, wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ? 1780 70 : 10, 0); 1781 } 1782 wpa_s->eapol_received++; 1783 1784 /* 1785 * Source address of the incoming EAPOL frame could be compared to the 1786 * current BSSID. However, it is possible that a centralized 1787 * Authenticator could be using another MAC address than the BSSID of 1788 * an AP, so just allow any address to be used for now. The replies are 1789 * still sent to the current BSSID (if available), though. 1790 */ 1791 wpa_sm_rx_eapol(wpa_s, src_addr, buf, len); 1792 } 1793