1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 8 * Sun elects to license this software under the BSD license. 9 * See README for more details. 10 */ 11 12 #include <stdio.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <time.h> 16 #include <netinet/in.h> 17 #include <sys/ethernet.h> 18 #include <fcntl.h> 19 #include <unistd.h> 20 21 #include "wpa_impl.h" 22 #include "wpa_enc.h" 23 #include "driver.h" 24 #include "eloop.h" 25 #include "l2_packet.h" 26 27 static void pmksa_cache_set_expiration(struct wpa_supplicant *); 28 29 /* 30 * IEEE 802.11i/D3.0 31 */ 32 static const int WPA_SELECTOR_LEN = 4; 33 static const uint8_t WPA_OUI_AND_TYPE[] = { 0x00, 0x50, 0xf2, 1 }; 34 static const uint8_t 35 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 }; 36 static const uint8_t 37 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 }; 38 static const uint8_t WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 }; 39 static const uint8_t WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 }; 40 static const uint8_t WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 }; 41 static const uint8_t WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 }; 42 static const uint8_t WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 }; 43 44 /* 45 * WPA IE version 1 46 * 00-50-f2:1 (OUI:OUI type) 47 * 0x01 0x00 (version; little endian) 48 * (all following fields are optional:) 49 * Group Suite Selector (4 octets) (default: TKIP) 50 * Pairwise Suite Count (2 octets, little endian) (default: 1) 51 * Pairwise Suite List (4 * n octets) (default: TKIP) 52 * Authenticated Key Management Suite Count (2 octets, little endian) 53 * (default: 1) 54 * Authenticated Key Management Suite List (4 * n octets) 55 * (default: unspec 802.1x) 56 * WPA Capabilities (2 octets, little endian) (default: 0) 57 */ 58 #pragma pack(1) 59 struct wpa_ie_hdr { 60 uint8_t elem_id; 61 uint8_t len; 62 uint8_t oui[3]; 63 uint8_t oui_type; 64 uint16_t version; 65 }; 66 #pragma pack() 67 68 /* 69 * IEEE 802.11i/D9.0 70 */ 71 static const int RSN_SELECTOR_LEN = 4; 72 static const uint16_t RSN_VERSION = 1; 73 static const uint8_t 74 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 }; 75 static const uint8_t 76 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 }; 77 static const uint8_t RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 }; 78 static const uint8_t RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 }; 79 static const uint8_t RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 }; 80 static const uint8_t RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 }; 81 static const uint8_t RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 }; 82 83 /* 84 * EAPOL-Key Key Data Encapsulation 85 * GroupKey and STAKey require encryption, otherwise, encryption is optional. 86 */ 87 static const uint8_t RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 }; 88 static const uint8_t RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 }; 89 90 /* 91 * 1/4: PMKID 92 * 2/4: RSN IE 93 * 3/4: one or two RSN IEs + GTK IE (encrypted) 94 * 4/4: empty 95 * 1/2: GTK IE (encrypted) 96 * 2/2: empty 97 */ 98 99 /* 100 * RSN IE version 1 101 * 0x01 0x00 (version; little endian) 102 * (all following fields are optional:) 103 * Group Suite Selector (4 octets) (default: CCMP) 104 * Pairwise Suite Count (2 octets, little endian) (default: 1) 105 * Pairwise Suite List (4 * n octets) (default: CCMP) 106 * Authenticated Key Management Suite Count (2 octets, little endian) 107 * (default: 1) 108 * Authenticated Key Management Suite List (4 * n octets) 109 * (default: unspec 802.1x) 110 * RSN Capabilities (2 octets, little endian) (default: 0) 111 * PMKID Count (2 octets) (default: 0) 112 * PMKID List (16 * n octets) 113 */ 114 #pragma pack(1) 115 struct rsn_ie_hdr { 116 uint8_t elem_id; /* WLAN_EID_RSN */ 117 uint8_t len; 118 uint16_t version; 119 }; 120 #pragma pack() 121 122 static int 123 random_get_pseudo_bytes(uint8_t *ptr, size_t len) 124 { 125 int fd; 126 size_t resid = len; 127 size_t bytes; 128 129 fd = open("/dev/urandom", O_RDONLY); 130 if (fd == -1) { 131 wpa_printf(MSG_ERROR, "Could not open /dev/urandom.\n"); 132 return (-1); 133 } 134 135 while (resid != 0) { 136 bytes = read(fd, ptr, resid); 137 ptr += bytes; 138 resid -= bytes; 139 } 140 141 (void) close(fd); 142 143 return (0); 144 } 145 146 static void 147 inc_byte_array(uint8_t *counter, size_t len) 148 { 149 int pos = len - 1; 150 while (pos >= 0) { 151 counter[pos]++; 152 if (counter[pos] != 0) 153 break; 154 pos--; 155 } 156 } 157 158 static int 159 wpa_selector_to_bitfield(uint8_t *s) 160 { 161 if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0) 162 return (WPA_CIPHER_NONE); 163 if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0) 164 return (WPA_CIPHER_WEP40); 165 if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0) 166 return (WPA_CIPHER_TKIP); 167 if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0) 168 return (WPA_CIPHER_CCMP); 169 if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0) 170 return (WPA_CIPHER_WEP104); 171 return (0); 172 } 173 174 static int 175 wpa_key_mgmt_to_bitfield(uint8_t *s) 176 { 177 if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0) 178 return (WPA_KEY_MGMT_IEEE8021X); 179 if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) == 180 0) 181 return (WPA_KEY_MGMT_PSK); 182 return (0); 183 } 184 185 static int 186 rsn_selector_to_bitfield(uint8_t *s) 187 { 188 if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0) 189 return (WPA_CIPHER_NONE); 190 if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0) 191 return (WPA_CIPHER_WEP40); 192 if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0) 193 return (WPA_CIPHER_TKIP); 194 if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0) 195 return (WPA_CIPHER_CCMP); 196 if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0) 197 return (WPA_CIPHER_WEP104); 198 return (0); 199 } 200 201 static int 202 rsn_key_mgmt_to_bitfield(uint8_t *s) 203 { 204 if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0) 205 return (WPA_KEY_MGMT_IEEE8021X); 206 if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) == 207 0) 208 return (WPA_KEY_MGMT_PSK); 209 return (0); 210 } 211 212 static void 213 pmksa_cache_free_entry(struct wpa_supplicant *wpa_s, 214 struct rsn_pmksa_cache *entry) 215 { 216 wpa_s->pmksa_count--; 217 if (wpa_s->cur_pmksa == entry) { 218 wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry"); 219 wpa_s->cur_pmksa = NULL; 220 } 221 free(entry); 222 } 223 224 /* ARGSUSED */ 225 static void 226 pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx) 227 { 228 struct wpa_supplicant *wpa_s = eloop_ctx; 229 time_t now; 230 231 (void) time(&now); 232 while (wpa_s->pmksa && wpa_s->pmksa->expiration <= now) { 233 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 234 wpa_s->pmksa = entry->next; 235 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for " 236 MACSTR, MAC2STR(entry->aa)); 237 pmksa_cache_free_entry(wpa_s, entry); 238 } 239 240 pmksa_cache_set_expiration(wpa_s); 241 } 242 243 static void 244 pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s) 245 { 246 int sec; 247 eloop_cancel_timeout(pmksa_cache_expire, wpa_s, NULL); 248 if (wpa_s->pmksa == NULL) 249 return; 250 sec = wpa_s->pmksa->expiration - time(NULL); 251 if (sec < 0) 252 sec = 0; 253 (void) eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, 254 wpa_s, NULL); 255 } 256 257 void 258 pmksa_cache_free(struct wpa_supplicant *wpa_s) 259 { 260 struct rsn_pmksa_cache *entry, *prev; 261 262 entry = wpa_s->pmksa; 263 wpa_s->pmksa = NULL; 264 while (entry) { 265 prev = entry; 266 entry = entry->next; 267 free(prev); 268 } 269 pmksa_cache_set_expiration(wpa_s); 270 wpa_s->cur_pmksa = NULL; 271 } 272 273 struct rsn_pmksa_cache * 274 pmksa_cache_get(struct wpa_supplicant *wpa_s, 275 uint8_t *aa, uint8_t *pmkid) 276 { 277 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 278 while (entry) { 279 if ((aa == NULL || 280 memcmp(entry->aa, aa, IEEE80211_ADDR_LEN) == 0) && 281 (pmkid == NULL || 282 memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)) 283 return (entry); 284 entry = entry->next; 285 } 286 return (NULL); 287 } 288 289 int 290 pmksa_cache_list(struct wpa_supplicant *wpa_s, char *buf, size_t len) 291 { 292 int i, j; 293 char *pos = buf; 294 struct rsn_pmksa_cache *entry; 295 time_t now; 296 297 (void) time(&now); 298 pos += snprintf(pos, buf + len - pos, 299 "Index / AA / PMKID / expiration (in seconds)\n"); 300 i = 0; 301 entry = wpa_s->pmksa; 302 while (entry) { 303 i++; 304 pos += snprintf(pos, buf + len - pos, "%d " MACSTR " ", 305 i, MAC2STR(entry->aa)); 306 for (j = 0; j < PMKID_LEN; j++) 307 pos += snprintf(pos, buf + len - pos, "%02x", 308 entry->pmkid[j]); 309 pos += snprintf(pos, buf + len - pos, " %d\n", 310 (int)(entry->expiration - now)); 311 entry = entry->next; 312 } 313 return (pos - buf); 314 } 315 316 void 317 pmksa_candidate_free(struct wpa_supplicant *wpa_s) 318 { 319 struct rsn_pmksa_candidate *entry, *prev; 320 321 entry = wpa_s->pmksa_candidates; 322 wpa_s->pmksa_candidates = NULL; 323 while (entry) { 324 prev = entry; 325 entry = entry->next; 326 free(prev); 327 } 328 } 329 330 /* ARGSUSED */ 331 static int 332 wpa_parse_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 333 size_t wpa_ie_len, struct wpa_ie_data *data) 334 { 335 struct wpa_ie_hdr *hdr; 336 uint8_t *pos; 337 int left; 338 int i, count; 339 340 data->proto = WPA_PROTO_WPA; 341 data->pairwise_cipher = WPA_CIPHER_TKIP; 342 data->group_cipher = WPA_CIPHER_TKIP; 343 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 344 data->capabilities = 0; 345 346 if (wpa_ie_len == 0) { 347 /* No WPA IE - fail silently */ 348 return (-1); 349 } 350 351 if (wpa_ie_len < sizeof (struct wpa_ie_hdr)) { 352 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 353 "wpa_parse_wpa_ie_wpa", wpa_ie_len); 354 return (-1); 355 } 356 357 hdr = (struct wpa_ie_hdr *)wpa_ie; 358 359 if (hdr->elem_id != GENERIC_INFO_ELEM || 360 hdr->len != wpa_ie_len - 2 || 361 memcmp(&hdr->oui, WPA_OUI_AND_TYPE, WPA_SELECTOR_LEN) != 0 || 362 LE_16(hdr->version) != WPA_VERSION) { 363 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 364 "wpa_parse_wpa_ie_wpa"); 365 return (-1); 366 } 367 368 pos = (uint8_t *)(hdr + 1); 369 left = wpa_ie_len - sizeof (*hdr); 370 371 if (left >= WPA_SELECTOR_LEN) { 372 data->group_cipher = wpa_selector_to_bitfield(pos); 373 pos += WPA_SELECTOR_LEN; 374 left -= WPA_SELECTOR_LEN; 375 } else if (left > 0) { 376 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 377 "wpa_parse_wpa_ie_wpa", left); 378 return (-1); 379 } 380 381 if (left >= 2) { 382 data->pairwise_cipher = 0; 383 count = pos[0] | (pos[1] << 8); 384 pos += 2; 385 left -= 2; 386 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 387 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 388 "count %u left %u", 389 "wpa_parse_wpa_ie_wpa", count, left); 390 return (-1); 391 } 392 for (i = 0; i < count; i++) { 393 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 394 pos += WPA_SELECTOR_LEN; 395 left -= WPA_SELECTOR_LEN; 396 } 397 } else if (left == 1) { 398 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 399 "wpa_parse_wpa_ie_wpa"); 400 return (-1); 401 } 402 403 if (left >= 2) { 404 data->key_mgmt = 0; 405 count = pos[0] | (pos[1] << 8); 406 pos += 2; 407 left -= 2; 408 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 409 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 410 "count %u left %u", 411 "wpa_parse_wpa_ie_wpa", count, left); 412 return (-1); 413 } 414 for (i = 0; i < count; i++) { 415 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 416 pos += WPA_SELECTOR_LEN; 417 left -= WPA_SELECTOR_LEN; 418 } 419 } else if (left == 1) { 420 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 421 "wpa_parse_wpa_ie_wpa"); 422 return (-1); 423 } 424 425 if (left >= 2) { 426 data->capabilities = pos[0] | (pos[1] << 8); 427 pos += 2; 428 left -= 2; 429 } 430 431 if (left > 0) { 432 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes", 433 "wpa_parse_wpa_ie_wpa", left); 434 return (-1); 435 } 436 437 return (0); 438 } 439 440 /* ARGSUSED */ 441 static int 442 wpa_parse_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie, 443 size_t rsn_ie_len, struct wpa_ie_data *data) 444 { 445 struct rsn_ie_hdr *hdr; 446 uint8_t *pos; 447 int left; 448 int i, count; 449 450 data->proto = WPA_PROTO_RSN; 451 data->pairwise_cipher = WPA_CIPHER_CCMP; 452 data->group_cipher = WPA_CIPHER_CCMP; 453 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 454 data->capabilities = 0; 455 456 if (rsn_ie_len == 0) { 457 /* No RSN IE - fail silently */ 458 return (-1); 459 } 460 461 if (rsn_ie_len < sizeof (struct rsn_ie_hdr)) { 462 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 463 "wpa_parse_wpa_ie_rsn", rsn_ie_len); 464 return (-1); 465 } 466 467 hdr = (struct rsn_ie_hdr *)rsn_ie; 468 469 if (hdr->elem_id != RSN_INFO_ELEM || 470 hdr->len != rsn_ie_len - 2 || 471 LE_16(hdr->version) != RSN_VERSION) { 472 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 473 "wpa_parse_wpa_ie_rsn"); 474 return (-1); 475 } 476 477 pos = (uint8_t *)(hdr + 1); 478 left = rsn_ie_len - sizeof (*hdr); 479 480 if (left >= RSN_SELECTOR_LEN) { 481 data->group_cipher = rsn_selector_to_bitfield(pos); 482 pos += RSN_SELECTOR_LEN; 483 left -= RSN_SELECTOR_LEN; 484 } else if (left > 0) { 485 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 486 "wpa_parse_wpa_ie_rsn", left); 487 return (-1); 488 } 489 490 if (left >= 2) { 491 data->pairwise_cipher = 0; 492 count = pos[0] | (pos[1] << 8); 493 pos += 2; 494 left -= 2; 495 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 496 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 497 "count %u left %u", 498 "wpa_parse_wpa_ie_rsn", count, left); 499 return (-1); 500 } 501 for (i = 0; i < count; i++) { 502 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 503 pos += RSN_SELECTOR_LEN; 504 left -= RSN_SELECTOR_LEN; 505 } 506 } else if (left == 1) { 507 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 508 "wpa_parse_wpa_ie_rsn"); 509 return (-1); 510 } 511 512 if (left >= 2) { 513 data->key_mgmt = 0; 514 count = pos[0] | (pos[1] << 8); 515 pos += 2; 516 left -= 2; 517 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 518 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 519 "count %u left %u", 520 "wpa_parse_wpa_ie_rsn", count, left); 521 return (-1); 522 } 523 for (i = 0; i < count; i++) { 524 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 525 pos += RSN_SELECTOR_LEN; 526 left -= RSN_SELECTOR_LEN; 527 } 528 } else if (left == 1) { 529 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 530 "wpa_parse_wpa_ie_rsn"); 531 return (-1); 532 } 533 534 if (left >= 2) { 535 data->capabilities = pos[0] | (pos[1] << 8); 536 pos += 2; 537 left -= 2; 538 } 539 540 if (left > 0) { 541 /* 542 * RSN IE could include PMKID data, but Authenticator should 543 * never include it, so no need to parse it in the Supplicant. 544 */ 545 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored", 546 "wpa_parse_wpa_ie_rsn", left); 547 } 548 549 return (0); 550 } 551 552 int 553 wpa_parse_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 554 size_t wpa_ie_len, struct wpa_ie_data *data) 555 { 556 if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM) 557 return (wpa_parse_wpa_ie_rsn(wpa_s, wpa_ie, wpa_ie_len, data)); 558 else 559 return (wpa_parse_wpa_ie_wpa(wpa_s, wpa_ie, wpa_ie_len, data)); 560 } 561 562 static int 563 wpa_gen_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 564 { 565 uint8_t *pos; 566 struct wpa_ie_hdr *hdr; 567 568 hdr = (struct wpa_ie_hdr *)wpa_ie; 569 hdr->elem_id = GENERIC_INFO_ELEM; 570 (void) memcpy(&hdr->oui, WPA_OUI_AND_TYPE, WPA_SELECTOR_LEN); 571 hdr->version = LE_16(WPA_VERSION); 572 pos = (uint8_t *)(hdr + 1); 573 574 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 575 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 576 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 577 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 578 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 579 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN); 580 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 581 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN); 582 } else { 583 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 584 wpa_s->group_cipher); 585 return (-1); 586 } 587 pos += WPA_SELECTOR_LEN; 588 589 *pos++ = 1; 590 *pos++ = 0; 591 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 592 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 593 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 594 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 595 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 596 (void) memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN); 597 } else { 598 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 599 wpa_s->pairwise_cipher); 600 return (-1); 601 } 602 pos += WPA_SELECTOR_LEN; 603 604 *pos++ = 1; 605 *pos++ = 0; 606 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 607 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, 608 WPA_SELECTOR_LEN); 609 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 610 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, 611 WPA_SELECTOR_LEN); 612 } else { 613 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 614 wpa_s->key_mgmt); 615 return (-1); 616 } 617 pos += WPA_SELECTOR_LEN; 618 619 /* 620 * WPA Capabilities; use defaults, so no need to include it 621 */ 622 hdr->len = (pos - wpa_ie) - 2; 623 624 return (pos - wpa_ie); 625 } 626 627 static int 628 wpa_gen_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie) 629 { 630 uint8_t *pos; 631 struct rsn_ie_hdr *hdr; 632 633 hdr = (struct rsn_ie_hdr *)rsn_ie; 634 hdr->elem_id = RSN_INFO_ELEM; 635 hdr->version = LE_16(RSN_VERSION); 636 pos = (uint8_t *)(hdr + 1); 637 638 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 639 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 640 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 641 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 642 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 643 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN); 644 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 645 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN); 646 } else { 647 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 648 wpa_s->group_cipher); 649 return (-1); 650 } 651 pos += RSN_SELECTOR_LEN; 652 653 *pos++ = 1; 654 *pos++ = 0; 655 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 656 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 657 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 658 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 659 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 660 (void) memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN); 661 } else { 662 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 663 wpa_s->pairwise_cipher); 664 return (-1); 665 } 666 pos += RSN_SELECTOR_LEN; 667 668 *pos++ = 1; 669 *pos++ = 0; 670 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 671 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, 672 RSN_SELECTOR_LEN); 673 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 674 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, 675 RSN_SELECTOR_LEN); 676 } else { 677 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 678 wpa_s->key_mgmt); 679 return (-1); 680 } 681 pos += RSN_SELECTOR_LEN; 682 683 /* RSN Capabilities */ 684 *pos++ = 0; 685 *pos++ = 0; 686 687 if (wpa_s->cur_pmksa) { 688 /* PMKID Count (2 octets, little endian) */ 689 *pos++ = 1; 690 *pos++ = 0; 691 /* PMKID */ 692 (void) memcpy(pos, wpa_s->cur_pmksa->pmkid, PMKID_LEN); 693 pos += PMKID_LEN; 694 } 695 696 hdr->len = (pos - rsn_ie) - 2; 697 698 return (pos - rsn_ie); 699 } 700 701 int 702 wpa_gen_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 703 { 704 if (wpa_s->proto == WPA_PROTO_RSN) 705 return (wpa_gen_wpa_ie_rsn(wpa_s, wpa_ie)); 706 else 707 return (wpa_gen_wpa_ie_wpa(wpa_s, wpa_ie)); 708 } 709 710 static void 711 wpa_pmk_to_ptk(uint8_t *pmk, uint8_t *addr1, uint8_t *addr2, 712 uint8_t *nonce1, uint8_t *nonce2, uint8_t *ptk, size_t ptk_len) 713 { 714 uint8_t data[2 * IEEE80211_ADDR_LEN + 2 * WPA_PMK_LEN]; 715 716 /* 717 * PTK = PRF-X(PMK, "Pairwise key expansion", 718 * Min(AA, SA) || Max(AA, SA) || 719 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 720 */ 721 722 if (memcmp(addr1, addr2, IEEE80211_ADDR_LEN) < 0) { 723 (void) memcpy(data, addr1, IEEE80211_ADDR_LEN); 724 (void) memcpy(data + IEEE80211_ADDR_LEN, addr2, 725 IEEE80211_ADDR_LEN); 726 } else { 727 (void) memcpy(data, addr2, IEEE80211_ADDR_LEN); 728 (void) memcpy(data + IEEE80211_ADDR_LEN, addr1, 729 IEEE80211_ADDR_LEN); 730 } 731 732 if (memcmp(nonce1, nonce2, WPA_PMK_LEN) < 0) { 733 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce1, 734 WPA_PMK_LEN); 735 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 736 nonce2, WPA_PMK_LEN); 737 } else { 738 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce2, 739 WPA_PMK_LEN); 740 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 741 nonce1, WPA_PMK_LEN); 742 } 743 744 sha1_prf(pmk, WPA_PMK_LEN, "Pairwise key expansion", data, 745 sizeof (data), ptk, ptk_len); 746 747 wpa_hexdump(MSG_DEBUG, "WPA: PMK", pmk, WPA_PMK_LEN); 748 wpa_hexdump(MSG_DEBUG, "WPA: PTK", ptk, ptk_len); 749 } 750 751 struct wpa_ssid * 752 wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s) 753 { 754 struct wpa_ssid *entry; 755 uint8_t ssid[MAX_ESSID_LENGTH]; 756 int ssid_len; 757 uint8_t bssid[IEEE80211_ADDR_LEN]; 758 759 (void) memset(ssid, 0, MAX_ESSID_LENGTH); 760 ssid_len = wpa_s->driver->get_ssid(wpa_s->handle, wpa_s->linkid, 761 (char *)ssid); 762 if (ssid_len < 0) { 763 wpa_printf(MSG_WARNING, "Could not read SSID from driver."); 764 return (NULL); 765 } 766 767 if (wpa_s->driver->get_bssid(wpa_s->handle, wpa_s->linkid, 768 (char *)bssid) < 0) { 769 wpa_printf(MSG_WARNING, "Could not read BSSID from driver."); 770 return (NULL); 771 } 772 773 entry = wpa_s->conf->ssid; 774 wpa_printf(MSG_DEBUG, "entry len=%d ssid=%s," 775 " driver len=%d ssid=%s", 776 entry->ssid_len, entry->ssid, ssid_len, ssid); 777 778 if (ssid_len == entry->ssid_len && 779 memcmp(ssid, entry->ssid, ssid_len) == 0 && 780 (!entry->bssid_set || 781 memcmp(bssid, entry->bssid, IEEE80211_ADDR_LEN) == 0)) 782 return (entry); 783 784 return (NULL); 785 } 786 787 static void 788 wpa_eapol_key_mic(uint8_t *key, int ver, uint8_t *buf, size_t len, uint8_t *mic) 789 { 790 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 791 hmac_md5(key, 16, buf, len, mic); 792 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 793 uint8_t hash[SHA1_MAC_LEN]; 794 hmac_sha1(key, 16, buf, len, hash); 795 (void) memcpy(mic, hash, MD5_MAC_LEN); 796 } 797 } 798 799 void 800 wpa_supplicant_key_request(struct wpa_supplicant *wpa_s, 801 int error, int pairwise) 802 { 803 int rlen; 804 struct ieee802_1x_hdr *hdr; 805 struct wpa_eapol_key *reply; 806 unsigned char *rbuf; 807 struct l2_ethhdr *ethhdr; 808 int key_info, ver; 809 uint8_t bssid[IEEE80211_ADDR_LEN]; 810 811 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) 812 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 813 else 814 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 815 816 if (wpa_s->driver->get_bssid(wpa_s->handle, wpa_s->linkid, 817 (char *)bssid) < 0) { 818 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key " 819 "request"); 820 return; 821 } 822 823 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 824 rbuf = malloc(rlen); 825 if (rbuf == NULL) 826 return; 827 828 (void) memset(rbuf, 0, rlen); 829 ethhdr = (struct l2_ethhdr *)rbuf; 830 (void) memcpy(ethhdr->h_dest, bssid, IEEE80211_ADDR_LEN); 831 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 832 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 833 834 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 835 hdr->version = wpa_s->conf->eapol_version; 836 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 837 hdr->length = htons(sizeof (*reply)); 838 839 reply = (struct wpa_eapol_key *)(hdr + 1); 840 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 841 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 842 key_info = WPA_KEY_INFO_REQUEST | ver; 843 if (wpa_s->ptk_set) 844 key_info |= WPA_KEY_INFO_MIC; 845 if (error) 846 key_info |= WPA_KEY_INFO_ERROR; 847 if (pairwise) 848 key_info |= WPA_KEY_INFO_KEY_TYPE; 849 reply->key_info = BE_16(key_info); 850 reply->key_length = 0; 851 (void) memcpy(reply->replay_counter, wpa_s->request_counter, 852 WPA_REPLAY_COUNTER_LEN); 853 inc_byte_array(wpa_s->request_counter, WPA_REPLAY_COUNTER_LEN); 854 855 reply->key_data_length = BE_16(0); 856 857 if (key_info & WPA_KEY_INFO_MIC) { 858 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 859 rlen - sizeof (*ethhdr), reply->key_mic); 860 } 861 862 wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d " 863 "pairwise=%d ptk_set=%d len=%d)", 864 error, pairwise, wpa_s->ptk_set, rlen); 865 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key Request", rbuf, rlen); 866 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 867 free(rbuf); 868 } 869 870 static void 871 wpa_supplicant_process_1_of_4(struct wpa_supplicant *wpa_s, 872 unsigned char *src_addr, struct wpa_eapol_key *key, int ver) 873 { 874 int rlen; 875 struct ieee802_1x_hdr *hdr; 876 struct wpa_eapol_key *reply; 877 unsigned char *rbuf; 878 struct l2_ethhdr *ethhdr; 879 struct wpa_ssid *ssid; 880 struct wpa_ptk *ptk; 881 uint8_t buf[8], wpa_ie_buf[80], *wpa_ie, *pmkid = NULL; 882 int wpa_ie_len; 883 884 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 885 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from " 886 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 887 888 ssid = wpa_supplicant_get_ssid(wpa_s); 889 if (ssid == NULL) { 890 wpa_printf(MSG_WARNING, 891 "WPA: No SSID info found (msg 1 of 4)."); 892 return; 893 } 894 895 if (wpa_s->proto == WPA_PROTO_RSN) { 896 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 897 uint8_t *pos = (uint8_t *)(key + 1); 898 uint8_t *end = pos + BE_16(key->key_data_length); 899 900 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 901 pos, BE_16(key->key_data_length)); 902 903 while (pos + 1 < end) { 904 if (pos + 2 + pos[1] > end) { 905 wpa_printf(MSG_DEBUG, "RSN: key data " 906 "underflow (ie=%d len=%d)", 907 pos[0], pos[1]); 908 break; 909 } 910 if (pos[0] == GENERIC_INFO_ELEM && 911 pos + 1 + RSN_SELECTOR_LEN < end && 912 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN && 913 memcmp(pos + 2, RSN_KEY_DATA_PMKID, 914 RSN_SELECTOR_LEN) == 0) { 915 pmkid = pos + 2 + RSN_SELECTOR_LEN; 916 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 917 "Authenticator", pmkid, PMKID_LEN); 918 break; 919 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 920 break; 921 pos += 2 + pos[1]; 922 } 923 } 924 925 wpa_ie = wpa_ie_buf; 926 wpa_ie_len = wpa_gen_wpa_ie(wpa_s, wpa_ie); 927 if (wpa_ie_len < 0) { 928 wpa_printf(MSG_WARNING, "WPA: Failed to generate " 929 "WPA IE (for msg 2 of 4)."); 930 return; 931 } 932 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 933 934 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply) + wpa_ie_len; 935 rbuf = malloc(rlen); 936 if (rbuf == NULL) 937 return; 938 939 (void) memset(rbuf, 0, rlen); 940 ethhdr = (struct l2_ethhdr *)rbuf; 941 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 942 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 943 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 944 945 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 946 hdr->version = wpa_s->conf->eapol_version; 947 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 948 hdr->length = htons(sizeof (*reply) + wpa_ie_len); 949 950 reply = (struct wpa_eapol_key *)(hdr + 1); 951 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 952 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 953 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC); 954 reply->key_length = key->key_length; 955 (void) memcpy(reply->replay_counter, key->replay_counter, 956 WPA_REPLAY_COUNTER_LEN); 957 958 reply->key_data_length = BE_16(wpa_ie_len); 959 (void) memcpy(reply + 1, wpa_ie, wpa_ie_len); 960 961 if (wpa_s->renew_snonce) { 962 if (random_get_pseudo_bytes(wpa_s->snonce, WPA_NONCE_LEN)) { 963 wpa_printf(MSG_WARNING, "WPA: Failed to get " 964 "random data for SNonce"); 965 free(rbuf); 966 return; 967 } 968 969 wpa_s->renew_snonce = 0; 970 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 971 wpa_s->snonce, WPA_NONCE_LEN); 972 } 973 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 974 ptk = &wpa_s->tptk; 975 (void) memcpy(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN); 976 977 wpa_pmk_to_ptk(wpa_s->pmk, wpa_s->own_addr, src_addr, 978 wpa_s->snonce, key->key_nonce, (uint8_t *)ptk, sizeof (*ptk)); 979 980 /* 981 * Supplicant: swap tx/rx Mic keys 982 */ 983 (void) memcpy(buf, ptk->u.auth.tx_mic_key, 8); 984 (void) memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8); 985 (void) memcpy(ptk->u.auth.rx_mic_key, buf, 8); 986 wpa_s->tptk_set = 1; 987 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, (uint8_t *)hdr, 988 rlen - sizeof (*ethhdr), reply->key_mic); 989 wpa_hexdump(MSG_DEBUG, "WPA: EAPOL-Key MIC", reply->key_mic, 16); 990 991 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 992 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/4", rbuf, rlen); 993 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 994 995 free(rbuf); 996 } 997 998 static void 999 wpa_supplicant_process_3_of_4_gtk(struct wpa_supplicant *wpa_s, 1000 unsigned char *src_addr, struct wpa_eapol_key *key, 1001 uint8_t *gtk, int gtk_len) 1002 { 1003 int keyidx, tx, key_rsc_len = 0, alg; 1004 1005 wpa_hexdump(MSG_DEBUG, 1006 "WPA: received GTK in pairwise handshake", gtk, gtk_len); 1007 1008 keyidx = gtk[0] & 0x3; 1009 tx = !!(gtk[0] & BIT(2)); 1010 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1011 /* 1012 * Ignore Tx bit in GTK IE if a pairwise key is used. 1013 * One AP seemed to set this bit (incorrectly, since Tx 1014 * is only when doing Group Key only APs) and without 1015 * this workaround, the data connection does not work 1016 * because wpa_supplicant configured non-zero keyidx to 1017 * be used for unicast. 1018 */ 1019 wpa_printf(MSG_INFO, "RSN: Tx bit set for GTK IE, but " 1020 "pairwise keys are used - ignore Tx bit"); 1021 tx = 0; 1022 } 1023 1024 gtk += 2; 1025 gtk_len -= 2; 1026 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, gtk_len); 1027 1028 switch (wpa_s->group_cipher) { 1029 case WPA_CIPHER_CCMP: 1030 if (gtk_len != 16) { 1031 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP" 1032 " Group Cipher key length %d.", gtk_len); 1033 return; 1034 } 1035 key_rsc_len = 6; 1036 alg = WPA_ALG_CCMP; 1037 break; 1038 case WPA_CIPHER_TKIP: 1039 if (gtk_len != 32) { 1040 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP" 1041 " Group Cipher key length %d.", gtk_len); 1042 return; 1043 } 1044 key_rsc_len = 6; 1045 alg = WPA_ALG_TKIP; 1046 break; 1047 case WPA_CIPHER_WEP104: 1048 if (gtk_len != 13) { 1049 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1050 "WEP104 Group Cipher key length " "%d.", gtk_len); 1051 return; 1052 } 1053 alg = WPA_ALG_WEP; 1054 break; 1055 case WPA_CIPHER_WEP40: 1056 if (gtk_len != 5) { 1057 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1058 "WEP40 Group Cipher key length %d.", gtk_len); 1059 return; 1060 } 1061 alg = WPA_ALG_WEP; 1062 break; 1063 default: 1064 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher " 1065 "%d", wpa_s->group_cipher); 1066 return; 1067 } 1068 1069 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver " 1070 "(keyidx=%d tx=%d).", keyidx, tx); 1071 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1072 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1073 uint8_t tmpbuf[8]; 1074 /* 1075 * Swap Tx/Rx keys for Michael MIC 1076 */ 1077 (void) memcpy(tmpbuf, gtk + 16, 8); 1078 (void) memcpy(gtk + 16, gtk + 24, 8); 1079 (void) memcpy(gtk + 24, tmpbuf, 8); 1080 } 1081 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1082 if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg, 1083 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1084 keyidx, 1, key->key_rsc, 1085 key_rsc_len, gtk, gtk_len) < 0) 1086 wpa_printf(MSG_WARNING, "WPA: Failed to set " 1087 "GTK to the driver (Group only)."); 1088 } else if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg, 1089 (uint8_t *)"\xff\xff\xff\xff\xff\xff", keyidx, tx, 1090 key->key_rsc, key_rsc_len, gtk, gtk_len) < 0) { 1091 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to " 1092 "the driver."); 1093 } 1094 1095 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " 1096 MACSTR, MAC2STR(src_addr)); 1097 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1098 wpa_supplicant_cancel_auth_timeout(wpa_s); 1099 wpa_s->wpa_state = WPA_COMPLETED; 1100 } 1101 1102 static void 1103 wpa_supplicant_process_3_of_4(struct wpa_supplicant *wpa_s, 1104 unsigned char *src_addr, struct wpa_eapol_key *key, 1105 int extra_len, int ver) 1106 { 1107 int rlen; 1108 struct ieee802_1x_hdr *hdr; 1109 struct wpa_eapol_key *reply; 1110 unsigned char *rbuf; 1111 struct l2_ethhdr *ethhdr; 1112 int key_info, ie_len = 0, keylen, gtk_len = 0; 1113 uint8_t *ie = NULL, *gtk = NULL, *key_rsc; 1114 uint8_t null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 1115 1116 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 1117 wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from " 1118 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1119 1120 key_info = BE_16(key->key_info); 1121 1122 if (wpa_s->proto == WPA_PROTO_RSN) { 1123 uint8_t *pos = (uint8_t *)(key + 1); 1124 uint8_t *end = pos + BE_16(key->key_data_length); 1125 while (pos + 1 < end) { 1126 if (pos + 2 + pos[1] > end) { 1127 wpa_printf(MSG_DEBUG, "RSN: key data " 1128 "underflow (ie=%d len=%d)", 1129 pos[0], pos[1]); 1130 break; 1131 } 1132 if (*pos == RSN_INFO_ELEM) { 1133 ie = pos; 1134 ie_len = pos[1] + 2; 1135 } else if (pos[0] == GENERIC_INFO_ELEM && 1136 pos + 1 + RSN_SELECTOR_LEN < end && 1137 pos[1] > RSN_SELECTOR_LEN + 2 && 1138 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1139 RSN_SELECTOR_LEN) == 0) { 1140 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1141 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1142 "in unencrypted key data"); 1143 return; 1144 } 1145 gtk = pos + 2 + RSN_SELECTOR_LEN; 1146 gtk_len = pos[1] - RSN_SELECTOR_LEN; 1147 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 1148 break; 1149 1150 pos += 2 + pos[1]; 1151 } 1152 } else { 1153 ie = (uint8_t *)(key + 1); 1154 ie_len = BE_16(key->key_data_length); 1155 if (ie_len > extra_len) { 1156 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1157 " ie_len=%d > extra_len=%d", 1158 ie_len, extra_len); 1159 return; 1160 } 1161 } 1162 1163 if (wpa_s->ap_wpa_ie && 1164 (wpa_s->ap_wpa_ie_len != ie_len || 1165 memcmp(wpa_s->ap_wpa_ie, ie, ie_len) != 0)) { 1166 wpa_printf(MSG_WARNING, "WPA: WPA IE in 3/4 msg does not match" 1167 " with WPA IE in Beacon/ProbeResp (src=" MACSTR ")", 1168 MAC2STR(src_addr)); 1169 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1170 wpa_s->ap_wpa_ie, wpa_s->ap_wpa_ie_len); 1171 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", ie, ie_len); 1172 wpa_supplicant_disassociate(wpa_s, REASON_IE_IN_4WAY_DIFFERS); 1173 wpa_supplicant_req_scan(wpa_s, 0, 0); 1174 return; 1175 } 1176 1177 if (memcmp(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1178 wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way " 1179 "Handshake differs from 3 of 4-Way Handshake - drop" 1180 " packet (src=" MACSTR ")", MAC2STR(src_addr)); 1181 return; 1182 } 1183 1184 keylen = BE_16(key->key_length); 1185 switch (wpa_s->pairwise_cipher) { 1186 case WPA_CIPHER_CCMP: 1187 if (keylen != 16) { 1188 wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length " 1189 "%d (src=" MACSTR ")", 1190 keylen, MAC2STR(src_addr)); 1191 return; 1192 } 1193 break; 1194 case WPA_CIPHER_TKIP: 1195 if (keylen != 32) { 1196 wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length " 1197 "%d (src=" MACSTR ")", 1198 keylen, MAC2STR(src_addr)); 1199 return; 1200 } 1201 break; 1202 } 1203 1204 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1205 rbuf = malloc(rlen); 1206 if (rbuf == NULL) 1207 return; 1208 1209 (void) memset(rbuf, 0, rlen); 1210 ethhdr = (struct l2_ethhdr *)rbuf; 1211 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1212 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1213 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1214 1215 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1216 hdr->version = wpa_s->conf->eapol_version; 1217 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1218 hdr->length = htons(sizeof (*reply)); 1219 1220 reply = (struct wpa_eapol_key *)(hdr + 1); 1221 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1222 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1223 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | 1224 WPA_KEY_INFO_MIC | (key_info & WPA_KEY_INFO_SECURE)); 1225 reply->key_length = key->key_length; 1226 (void) memcpy(reply->replay_counter, key->replay_counter, 1227 WPA_REPLAY_COUNTER_LEN); 1228 1229 reply->key_data_length = BE_16(0); 1230 1231 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 1232 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1233 rlen - sizeof (*ethhdr), reply->key_mic); 1234 1235 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1236 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 4/4", rbuf, rlen); 1237 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1238 1239 free(rbuf); 1240 1241 /* 1242 * SNonce was successfully used in msg 3/4, so mark it to be renewed 1243 * for the next 4-Way Handshake. If msg 3 is received again, the old 1244 * SNonce will still be used to avoid changing PTK. 1245 */ 1246 wpa_s->renew_snonce = 1; 1247 1248 if (key_info & WPA_KEY_INFO_INSTALL) { 1249 int alg, keylen, rsclen; 1250 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver."); 1251 switch (wpa_s->pairwise_cipher) { 1252 case WPA_CIPHER_CCMP: 1253 alg = WPA_ALG_CCMP; 1254 keylen = 16; 1255 rsclen = 6; 1256 break; 1257 case WPA_CIPHER_TKIP: 1258 alg = WPA_ALG_TKIP; 1259 keylen = 32; 1260 rsclen = 6; 1261 break; 1262 case WPA_CIPHER_NONE: 1263 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: " 1264 "NONE - do not use pairwise keys"); 1265 return; 1266 default: 1267 wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise " 1268 "cipher %d", wpa_s->pairwise_cipher); 1269 return; 1270 } 1271 if (wpa_s->proto == WPA_PROTO_RSN) { 1272 key_rsc = null_rsc; 1273 } else { 1274 key_rsc = key->key_rsc; 1275 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 1276 } 1277 1278 if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg, 1279 src_addr, 0, 1, key_rsc, rsclen, 1280 (uint8_t *)&wpa_s->ptk.tk1, keylen) < 0) { 1281 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the" 1282 " driver."); 1283 } 1284 } 1285 1286 wpa_printf(MSG_DEBUG, "%s: key_info=%x gtk=%p\n", 1287 "wpa_supplicant_process_3_of_4", key_info, gtk); 1288 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1289 1290 if (gtk) 1291 wpa_supplicant_process_3_of_4_gtk(wpa_s, 1292 src_addr, key, gtk, gtk_len); 1293 } 1294 1295 static void 1296 wpa_supplicant_process_1_of_2(struct wpa_supplicant *wpa_s, 1297 unsigned char *src_addr, struct wpa_eapol_key *key, 1298 int extra_len, int ver) 1299 { 1300 int rlen; 1301 struct ieee802_1x_hdr *hdr; 1302 struct wpa_eapol_key *reply; 1303 unsigned char *rbuf; 1304 struct l2_ethhdr *ethhdr; 1305 int key_info, keylen, keydatalen, maxkeylen, keyidx, key_rsc_len = 0; 1306 int alg, tx; 1307 uint8_t ek[32], tmpbuf[8], gtk[32]; 1308 uint8_t *gtk_ie = NULL; 1309 size_t gtk_ie_len = 0; 1310 1311 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1312 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from " 1313 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1314 1315 key_info = BE_16(key->key_info); 1316 keydatalen = BE_16(key->key_data_length); 1317 1318 if (wpa_s->proto == WPA_PROTO_RSN) { 1319 uint8_t *pos = (uint8_t *)(key + 1); 1320 uint8_t *end = pos + keydatalen; 1321 while (pos + 1 < end) { 1322 if (pos + 2 + pos[1] > end) { 1323 wpa_printf(MSG_DEBUG, "RSN: key data " 1324 "underflow (ie=%d len=%d)", 1325 pos[0], pos[1]); 1326 break; 1327 } 1328 if (pos[0] == GENERIC_INFO_ELEM && 1329 pos + 1 + RSN_SELECTOR_LEN < end && 1330 pos[1] > RSN_SELECTOR_LEN + 2 && 1331 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1332 RSN_SELECTOR_LEN) == 0) { 1333 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1334 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1335 "in unencrypted key data"); 1336 return; 1337 } 1338 gtk_ie = pos + 2 + RSN_SELECTOR_LEN; 1339 gtk_ie_len = pos[1] - RSN_SELECTOR_LEN; 1340 break; 1341 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) { 1342 break; 1343 } 1344 1345 pos += 2 + pos[1]; 1346 } 1347 1348 if (gtk_ie == NULL) { 1349 wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key " 1350 "message 1/2"); 1351 return; 1352 } 1353 maxkeylen = keylen = gtk_ie_len - 2; 1354 } else { 1355 keylen = BE_16(key->key_length); 1356 maxkeylen = keydatalen; 1357 if (keydatalen > extra_len) { 1358 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1359 " key_data_length=%d > extra_len=%d", 1360 keydatalen, extra_len); 1361 return; 1362 } 1363 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) 1364 maxkeylen -= 8; 1365 } 1366 1367 switch (wpa_s->group_cipher) { 1368 case WPA_CIPHER_CCMP: 1369 if (keylen != 16 || maxkeylen < 16) { 1370 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP Group " 1371 "Cipher key length %d (%d).", keylen, maxkeylen); 1372 return; 1373 } 1374 key_rsc_len = 6; 1375 alg = WPA_ALG_CCMP; 1376 break; 1377 case WPA_CIPHER_TKIP: 1378 if (keylen != 32 || maxkeylen < 32) { 1379 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP Group " 1380 "Cipher key length %d (%d).", keylen, maxkeylen); 1381 return; 1382 } 1383 key_rsc_len = 6; /* key->key_data; */ 1384 alg = WPA_ALG_TKIP; 1385 break; 1386 case WPA_CIPHER_WEP104: 1387 if (keylen != 13 || maxkeylen < 13) { 1388 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP104 Group" 1389 " Cipher key length %d (%d).", keylen, maxkeylen); 1390 return; 1391 } 1392 alg = WPA_ALG_WEP; 1393 break; 1394 case WPA_CIPHER_WEP40: 1395 if (keylen != 5 || maxkeylen < 5) { 1396 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP40 Group " 1397 "Cipher key length %d (%d).", keylen, maxkeylen); 1398 return; 1399 } 1400 alg = WPA_ALG_WEP; 1401 break; 1402 default: 1403 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher %d", 1404 wpa_s->group_cipher); 1405 return; 1406 } 1407 1408 if (wpa_s->proto == WPA_PROTO_RSN) { 1409 wpa_hexdump(MSG_DEBUG, 1410 "WPA: received GTK in group key handshake", 1411 gtk_ie, gtk_ie_len); 1412 keyidx = gtk_ie[0] & 0x3; 1413 tx = !!(gtk_ie[0] & BIT(2)); 1414 if (gtk_ie_len - 2 > sizeof (gtk)) { 1415 wpa_printf(MSG_INFO, "WPA: Too long GTK in GTK IE " 1416 "(len=%d)", gtk_ie_len - 2); 1417 return; 1418 } 1419 (void) memcpy(gtk, gtk_ie + 2, gtk_ie_len - 2); 1420 } else { 1421 keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1422 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1423 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1424 (void) memcpy(ek, key->key_iv, 16); 1425 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1426 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1427 (void) memcpy(gtk, key + 1, keylen); 1428 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1429 if (keydatalen % 8) { 1430 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1431 "AES-WRAP len %d", keydatalen); 1432 return; 1433 } 1434 if (aes_unwrap(wpa_s->ptk.encr_key, maxkeylen / 8, 1435 (uint8_t *)(key + 1), gtk)) { 1436 wpa_printf(MSG_WARNING, "WPA: AES unwrap " 1437 "failed - could not decrypt GTK"); 1438 return; 1439 } 1440 } 1441 tx = !!(key_info & WPA_KEY_INFO_TXRX); 1442 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1443 /* 1444 * Ignore Tx bit in Group Key message if a pairwise key 1445 * is used. Some APs seem to setting this bit 1446 * (incorrectly, since Tx is only when doing Group Key 1447 * only APs) and without this workaround, the data 1448 * connection does not work because wpa_supplicant 1449 * configured non-zero keyidx to be used for unicast. 1450 */ 1451 wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but " 1452 "pairwise keys are used - ignore Tx bit"); 1453 tx = 0; 1454 } 1455 } 1456 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, keylen); 1457 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver (keyidx=%d " 1458 "tx=%d).", keyidx, tx); 1459 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1460 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1461 /* 1462 * Swap Tx/Rx keys for Michael MIC 1463 */ 1464 (void) memcpy(tmpbuf, gtk + 16, 8); 1465 (void) memcpy(gtk + 16, gtk + 24, 8); 1466 (void) memcpy(gtk + 24, tmpbuf, 8); 1467 } 1468 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1469 if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg, 1470 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1471 keyidx, 1, key->key_rsc, 1472 key_rsc_len, gtk, keylen) < 0) 1473 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the" 1474 " driver (Group only)."); 1475 } else if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg, 1476 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1477 keyidx, tx, 1478 key->key_rsc, key_rsc_len, 1479 gtk, keylen) < 0) { 1480 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " 1481 "driver."); 1482 } 1483 1484 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1485 rbuf = malloc(rlen); 1486 if (rbuf == NULL) 1487 return; 1488 1489 (void) memset(rbuf, 0, rlen); 1490 ethhdr = (struct l2_ethhdr *)rbuf; 1491 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1492 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1493 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1494 1495 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1496 hdr->version = wpa_s->conf->eapol_version; 1497 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1498 hdr->length = htons(sizeof (*reply)); 1499 1500 reply = (struct wpa_eapol_key *)(hdr + 1); 1501 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1502 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1503 reply->key_info = 1504 BE_16(ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE | 1505 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK)); 1506 reply->key_length = key->key_length; 1507 (void) memcpy(reply->replay_counter, key->replay_counter, 1508 WPA_REPLAY_COUNTER_LEN); 1509 1510 reply->key_data_length = BE_16(0); 1511 1512 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1513 rlen - sizeof (*ethhdr), reply->key_mic); 1514 1515 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 1516 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/2", rbuf, rlen); 1517 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1518 free(rbuf); 1519 1520 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " MACSTR, 1521 MAC2STR(src_addr)); 1522 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1523 wpa_supplicant_cancel_auth_timeout(wpa_s); 1524 wpa_s->wpa_state = WPA_COMPLETED; 1525 wpa_printf(MSG_INFO, "-----------------------------------\n"); 1526 } 1527 1528 static int 1529 wpa_supplicant_verify_eapol_key_mic(struct wpa_supplicant *wpa_s, 1530 struct wpa_eapol_key *key, int ver, uint8_t *buf, size_t len) 1531 { 1532 uint8_t mic[16]; 1533 int ok = 0; 1534 1535 (void) memcpy(mic, key->key_mic, 16); 1536 if (wpa_s->tptk_set) { 1537 (void) memset(key->key_mic, 0, 16); 1538 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, buf, len, 1539 key->key_mic); 1540 if (memcmp(mic, key->key_mic, 16) != 0) { 1541 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1542 "when using TPTK - ignoring TPTK"); 1543 } else { 1544 ok = 1; 1545 wpa_s->tptk_set = 0; 1546 wpa_s->ptk_set = 1; 1547 (void) memcpy(&wpa_s->ptk, &wpa_s->tptk, 1548 sizeof (wpa_s->ptk)); 1549 } 1550 } 1551 1552 if (!ok && wpa_s->ptk_set) { 1553 (void) memset(key->key_mic, 0, 16); 1554 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, buf, len, 1555 key->key_mic); 1556 if (memcmp(mic, key->key_mic, 16) != 0) { 1557 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1558 "- dropping packet"); 1559 return (-1); 1560 } 1561 ok = 1; 1562 } 1563 1564 if (!ok) { 1565 wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC " 1566 "- dropping packet"); 1567 return (-1); 1568 } 1569 1570 (void) memcpy(wpa_s->rx_replay_counter, key->replay_counter, 1571 WPA_REPLAY_COUNTER_LEN); 1572 wpa_s->rx_replay_counter_set = 1; 1573 1574 return (0); 1575 } 1576 1577 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 1578 static int 1579 wpa_supplicant_decrypt_key_data(struct wpa_supplicant *wpa_s, 1580 struct wpa_eapol_key *key, int ver) 1581 { 1582 int keydatalen = BE_16(key->key_data_length); 1583 1584 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 1585 (uint8_t *)(key + 1), keydatalen); 1586 if (!wpa_s->ptk_set) { 1587 wpa_printf(MSG_WARNING, "WPA: PTK not available, " 1588 "cannot decrypt EAPOL-Key key data."); 1589 return (-1); 1590 } 1591 1592 /* 1593 * Decrypt key data here so that this operation does not need 1594 * to be implemented separately for each message type. 1595 */ 1596 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1597 uint8_t ek[32]; 1598 (void) memcpy(ek, key->key_iv, 16); 1599 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1600 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1601 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1602 uint8_t *buf; 1603 if (keydatalen % 8) { 1604 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1605 "AES-WRAP len %d", keydatalen); 1606 return (-1); 1607 } 1608 keydatalen -= 8; /* AES-WRAP adds 8 bytes */ 1609 buf = malloc(keydatalen); 1610 if (buf == NULL) { 1611 wpa_printf(MSG_WARNING, "WPA: No memory for " 1612 "AES-UNWRAP buffer"); 1613 return (-1); 1614 } 1615 if (aes_unwrap(wpa_s->ptk.encr_key, keydatalen / 8, 1616 (uint8_t *)(key + 1), buf)) { 1617 free(buf); 1618 wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - " 1619 "could not decrypt EAPOL-Key key data"); 1620 return (-1); 1621 } 1622 (void) memcpy(key + 1, buf, keydatalen); 1623 free(buf); 1624 key->key_data_length = BE_16(keydatalen); 1625 } 1626 wpa_hexdump(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 1627 (uint8_t *)(key + 1), keydatalen); 1628 1629 return (0); 1630 } 1631 1632 static void 1633 wpa_sm_rx_eapol(struct wpa_supplicant *wpa_s, 1634 unsigned char *src_addr, unsigned char *buf, size_t len) 1635 { 1636 size_t plen, data_len, extra_len; 1637 struct ieee802_1x_hdr *hdr; 1638 struct wpa_eapol_key *key; 1639 int key_info, ver; 1640 1641 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame len %u\n ", len); 1642 1643 hdr = (struct ieee802_1x_hdr *)buf; 1644 key = (struct wpa_eapol_key *)(hdr + 1); 1645 wpa_printf(MSG_DEBUG, "hdr_len=%u, key_len=%u", 1646 sizeof (*hdr), sizeof (*key)); 1647 if (len < sizeof (*hdr) + sizeof (*key)) { 1648 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short, len %u, " 1649 "expecting at least %u", 1650 len, sizeof (*hdr) + sizeof (*key)); 1651 return; 1652 } 1653 plen = ntohs(hdr->length); 1654 data_len = plen + sizeof (*hdr); 1655 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%d", 1656 hdr->version, hdr->type, plen); 1657 1658 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 1659 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, " 1660 "not a Key frame", hdr->type); 1661 return; 1662 } 1663 if (plen > len - sizeof (*hdr) || plen < sizeof (*key)) { 1664 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %u " 1665 "invalid (frame size %u)", plen, len); 1666 return; 1667 } 1668 1669 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type); 1670 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != 1671 EAPOL_KEY_TYPE_RSN) { 1672 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, " 1673 "discarded", key->type); 1674 return; 1675 } 1676 1677 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 1678 if (data_len < len) { 1679 wpa_printf(MSG_DEBUG, "WPA: ignoring %d bytes after the IEEE " 1680 "802.1X data", len - data_len); 1681 } 1682 key_info = BE_16(key->key_info); 1683 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1684 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 1685 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1686 wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor " 1687 "version %d.", ver); 1688 return; 1689 } 1690 1691 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP && 1692 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1693 wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key " 1694 "descriptor version (%d) is not 2.", ver); 1695 if (wpa_s->group_cipher != WPA_CIPHER_CCMP && 1696 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1697 /* 1698 * Earlier versions of IEEE 802.11i did not explicitly 1699 * require version 2 descriptor for all EAPOL-Key 1700 * packets, so allow group keys to use version 1 if 1701 * CCMP is not used for them. 1702 */ 1703 wpa_printf(MSG_INFO, "WPA: Backwards compatibility: " 1704 "allow invalid version for non-CCMP group keys"); 1705 } else 1706 return; 1707 } 1708 1709 if (wpa_s->rx_replay_counter_set && 1710 memcmp(key->replay_counter, wpa_s->rx_replay_counter, 1711 WPA_REPLAY_COUNTER_LEN) <= 0) { 1712 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not" 1713 " increase - dropping packet"); 1714 return; 1715 } 1716 1717 if (!(key_info & WPA_KEY_INFO_ACK)) { 1718 wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info"); 1719 return; 1720 } 1721 1722 if (key_info & WPA_KEY_INFO_REQUEST) { 1723 wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - " 1724 "dropped"); 1725 return; 1726 } 1727 1728 if ((key_info & WPA_KEY_INFO_MIC) && 1729 wpa_supplicant_verify_eapol_key_mic(wpa_s, key, ver, buf, 1730 data_len)) { 1731 return; 1732 } 1733 1734 extra_len = data_len - sizeof (*hdr) - sizeof (*key); 1735 1736 if (wpa_s->proto == WPA_PROTO_RSN && 1737 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1738 wpa_supplicant_decrypt_key_data(wpa_s, key, ver)) 1739 return; 1740 1741 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1742 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 1743 wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key " 1744 "(Pairwise) with non-zero key index"); 1745 return; 1746 } 1747 if (key_info & WPA_KEY_INFO_MIC) { 1748 /* 3/4 4-Way Handshake */ 1749 wpa_supplicant_process_3_of_4(wpa_s, src_addr, key, 1750 extra_len, ver); 1751 } else { 1752 /* 1/4 4-Way Handshake */ 1753 wpa_supplicant_process_1_of_4(wpa_s, src_addr, key, 1754 ver); 1755 } 1756 } else { 1757 if (key_info & WPA_KEY_INFO_MIC) { 1758 /* 1/2 Group Key Handshake */ 1759 wpa_supplicant_process_1_of_2(wpa_s, src_addr, key, 1760 extra_len, ver); 1761 } else { 1762 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) " 1763 "without Mic bit - dropped"); 1764 } 1765 } 1766 } 1767 1768 void 1769 wpa_supplicant_rx_eapol(void *ctx, unsigned char *src_addr, 1770 unsigned char *buf, size_t len) 1771 { 1772 struct wpa_supplicant *wpa_s = ctx; 1773 1774 wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); 1775 wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); 1776 1777 if (wpa_s->eapol_received == 0) { 1778 /* Timeout for completing IEEE 802.1X and WPA authentication */ 1779 wpa_supplicant_req_auth_timeout( 1780 wpa_s, wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ? 1781 70 : 10, 0); 1782 } 1783 wpa_s->eapol_received++; 1784 1785 /* 1786 * Source address of the incoming EAPOL frame could be compared to the 1787 * current BSSID. However, it is possible that a centralized 1788 * Authenticator could be using another MAC address than the BSSID of 1789 * an AP, so just allow any address to be used for now. The replies are 1790 * still sent to the current BSSID (if available), though. 1791 */ 1792 wpa_sm_rx_eapol(wpa_s, src_addr, buf, len); 1793 } 1794