1 /* 2 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 8 * Sun elects to license this software under the BSD license. 9 * See README for more details. 10 */ 11 12 #pragma ident "%Z%%M% %I% %E% SMI" 13 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <string.h> 17 #include <time.h> 18 #include <netinet/in.h> 19 #include <sys/ethernet.h> 20 #include <fcntl.h> 21 #include <unistd.h> 22 23 #include "wpa_impl.h" 24 #include "wpa_enc.h" 25 #include "driver.h" 26 #include "eloop.h" 27 #include "l2_packet.h" 28 29 static void pmksa_cache_set_expiration(struct wpa_supplicant *); 30 31 /* 32 * IEEE 802.11i/D3.0 33 */ 34 static const int WPA_SELECTOR_LEN = 4; 35 static const uint8_t WPA_OUI_TYPE[] = { 0x00, 0x50, 0xf2, 1 }; 36 static const uint16_t WPA_VERSION = 1; 37 static const uint8_t 38 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 }; 39 static const uint8_t 40 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 }; 41 static const uint8_t WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 }; 42 static const uint8_t WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 }; 43 static const uint8_t WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 }; 44 static const uint8_t WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 }; 45 static const uint8_t WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 }; 46 47 /* 48 * WPA IE version 1 49 * 00-50-f2:1 (OUI:OUI type) 50 * 0x01 0x00 (version; little endian) 51 * (all following fields are optional:) 52 * Group Suite Selector (4 octets) (default: TKIP) 53 * Pairwise Suite Count (2 octets, little endian) (default: 1) 54 * Pairwise Suite List (4 * n octets) (default: TKIP) 55 * Authenticated Key Management Suite Count (2 octets, little endian) 56 * (default: 1) 57 * Authenticated Key Management Suite List (4 * n octets) 58 * (default: unspec 802.1x) 59 * WPA Capabilities (2 octets, little endian) (default: 0) 60 */ 61 #pragma pack(1) 62 struct wpa_ie_hdr { 63 uint8_t elem_id; 64 uint8_t len; 65 uint8_t oui[3]; 66 uint8_t oui_type; 67 uint16_t version; 68 }; 69 #pragma pack() 70 71 /* 72 * IEEE 802.11i/D9.0 73 */ 74 static const int RSN_SELECTOR_LEN = 4; 75 static const uint16_t RSN_VERSION = 1; 76 static const uint8_t 77 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 }; 78 static const uint8_t 79 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 }; 80 static const uint8_t RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 }; 81 static const uint8_t RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 }; 82 static const uint8_t RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 }; 83 static const uint8_t RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 }; 84 static const uint8_t RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 }; 85 86 /* 87 * EAPOL-Key Key Data Encapsulation 88 * GroupKey and STAKey require encryption, otherwise, encryption is optional. 89 */ 90 static const uint8_t RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 }; 91 static const uint8_t RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 }; 92 93 /* 94 * 1/4: PMKID 95 * 2/4: RSN IE 96 * 3/4: one or two RSN IEs + GTK IE (encrypted) 97 * 4/4: empty 98 * 1/2: GTK IE (encrypted) 99 * 2/2: empty 100 */ 101 102 /* 103 * RSN IE version 1 104 * 0x01 0x00 (version; little endian) 105 * (all following fields are optional:) 106 * Group Suite Selector (4 octets) (default: CCMP) 107 * Pairwise Suite Count (2 octets, little endian) (default: 1) 108 * Pairwise Suite List (4 * n octets) (default: CCMP) 109 * Authenticated Key Management Suite Count (2 octets, little endian) 110 * (default: 1) 111 * Authenticated Key Management Suite List (4 * n octets) 112 * (default: unspec 802.1x) 113 * RSN Capabilities (2 octets, little endian) (default: 0) 114 * PMKID Count (2 octets) (default: 0) 115 * PMKID List (16 * n octets) 116 */ 117 #pragma pack(1) 118 struct rsn_ie_hdr { 119 uint8_t elem_id; /* WLAN_EID_RSN */ 120 uint8_t len; 121 uint16_t version; 122 }; 123 #pragma pack() 124 125 static int 126 random_get_pseudo_bytes(uint8_t *ptr, size_t len) 127 { 128 int fd; 129 size_t resid = len; 130 size_t bytes; 131 132 fd = open("/dev/urandom", O_RDONLY); 133 if (fd == -1) { 134 wpa_printf(MSG_ERROR, "Could not open /dev/urandom.\n"); 135 return (-1); 136 } 137 138 while (resid != 0) { 139 bytes = read(fd, ptr, resid); 140 ptr += bytes; 141 resid -= bytes; 142 } 143 144 (void) close(fd); 145 146 return (0); 147 } 148 149 static void 150 inc_byte_array(uint8_t *counter, size_t len) 151 { 152 int pos = len - 1; 153 while (pos >= 0) { 154 counter[pos]++; 155 if (counter[pos] != 0) 156 break; 157 pos--; 158 } 159 } 160 161 static int 162 wpa_selector_to_bitfield(uint8_t *s) 163 { 164 if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0) 165 return (WPA_CIPHER_NONE); 166 if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0) 167 return (WPA_CIPHER_WEP40); 168 if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0) 169 return (WPA_CIPHER_TKIP); 170 if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0) 171 return (WPA_CIPHER_CCMP); 172 if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0) 173 return (WPA_CIPHER_WEP104); 174 return (0); 175 } 176 177 static int 178 wpa_key_mgmt_to_bitfield(uint8_t *s) 179 { 180 if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0) 181 return (WPA_KEY_MGMT_IEEE8021X); 182 if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) == 183 0) 184 return (WPA_KEY_MGMT_PSK); 185 return (0); 186 } 187 188 static int 189 rsn_selector_to_bitfield(uint8_t *s) 190 { 191 if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0) 192 return (WPA_CIPHER_NONE); 193 if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0) 194 return (WPA_CIPHER_WEP40); 195 if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0) 196 return (WPA_CIPHER_TKIP); 197 if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0) 198 return (WPA_CIPHER_CCMP); 199 if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0) 200 return (WPA_CIPHER_WEP104); 201 return (0); 202 } 203 204 static int 205 rsn_key_mgmt_to_bitfield(uint8_t *s) 206 { 207 if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0) 208 return (WPA_KEY_MGMT_IEEE8021X); 209 if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) == 210 0) 211 return (WPA_KEY_MGMT_PSK); 212 return (0); 213 } 214 215 static void 216 pmksa_cache_free_entry(struct wpa_supplicant *wpa_s, 217 struct rsn_pmksa_cache *entry) 218 { 219 wpa_s->pmksa_count--; 220 if (wpa_s->cur_pmksa == entry) { 221 wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry"); 222 wpa_s->cur_pmksa = NULL; 223 } 224 free(entry); 225 } 226 227 /* ARGSUSED */ 228 static void 229 pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx) 230 { 231 struct wpa_supplicant *wpa_s = eloop_ctx; 232 time_t now; 233 234 (void) time(&now); 235 while (wpa_s->pmksa && wpa_s->pmksa->expiration <= now) { 236 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 237 wpa_s->pmksa = entry->next; 238 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for " 239 MACSTR, MAC2STR(entry->aa)); 240 pmksa_cache_free_entry(wpa_s, entry); 241 } 242 243 pmksa_cache_set_expiration(wpa_s); 244 } 245 246 static void 247 pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s) 248 { 249 int sec; 250 eloop_cancel_timeout(pmksa_cache_expire, wpa_s, NULL); 251 if (wpa_s->pmksa == NULL) 252 return; 253 sec = wpa_s->pmksa->expiration - time(NULL); 254 if (sec < 0) 255 sec = 0; 256 (void) eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, 257 wpa_s, NULL); 258 } 259 260 void 261 pmksa_cache_free(struct wpa_supplicant *wpa_s) 262 { 263 struct rsn_pmksa_cache *entry, *prev; 264 265 entry = wpa_s->pmksa; 266 wpa_s->pmksa = NULL; 267 while (entry) { 268 prev = entry; 269 entry = entry->next; 270 free(prev); 271 } 272 pmksa_cache_set_expiration(wpa_s); 273 wpa_s->cur_pmksa = NULL; 274 } 275 276 struct rsn_pmksa_cache * 277 pmksa_cache_get(struct wpa_supplicant *wpa_s, 278 uint8_t *aa, uint8_t *pmkid) 279 { 280 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 281 while (entry) { 282 if ((aa == NULL || 283 memcmp(entry->aa, aa, IEEE80211_ADDR_LEN) == 0) && 284 (pmkid == NULL || 285 memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)) 286 return (entry); 287 entry = entry->next; 288 } 289 return (NULL); 290 } 291 292 int 293 pmksa_cache_list(struct wpa_supplicant *wpa_s, char *buf, size_t len) 294 { 295 int i, j; 296 char *pos = buf; 297 struct rsn_pmksa_cache *entry; 298 time_t now; 299 300 (void) time(&now); 301 pos += snprintf(pos, buf + len - pos, 302 "Index / AA / PMKID / expiration (in seconds)\n"); 303 i = 0; 304 entry = wpa_s->pmksa; 305 while (entry) { 306 i++; 307 pos += snprintf(pos, buf + len - pos, "%d " MACSTR " ", 308 i, MAC2STR(entry->aa)); 309 for (j = 0; j < PMKID_LEN; j++) 310 pos += snprintf(pos, buf + len - pos, "%02x", 311 entry->pmkid[j]); 312 pos += snprintf(pos, buf + len - pos, " %d\n", 313 (int)(entry->expiration - now)); 314 entry = entry->next; 315 } 316 return (pos - buf); 317 } 318 319 void 320 pmksa_candidate_free(struct wpa_supplicant *wpa_s) 321 { 322 struct rsn_pmksa_candidate *entry, *prev; 323 324 entry = wpa_s->pmksa_candidates; 325 wpa_s->pmksa_candidates = NULL; 326 while (entry) { 327 prev = entry; 328 entry = entry->next; 329 free(prev); 330 } 331 } 332 333 /* ARGSUSED */ 334 static int 335 wpa_parse_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 336 size_t wpa_ie_len, struct wpa_ie_data *data) 337 { 338 struct wpa_ie_hdr *hdr; 339 uint8_t *pos; 340 int left; 341 int i, count; 342 343 data->proto = WPA_PROTO_WPA; 344 data->pairwise_cipher = WPA_CIPHER_TKIP; 345 data->group_cipher = WPA_CIPHER_TKIP; 346 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 347 data->capabilities = 0; 348 349 if (wpa_ie_len == 0) { 350 /* No WPA IE - fail silently */ 351 return (-1); 352 } 353 354 if (wpa_ie_len < sizeof (struct wpa_ie_hdr)) { 355 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 356 "wpa_parse_wpa_ie_wpa", wpa_ie_len); 357 return (-1); 358 } 359 360 hdr = (struct wpa_ie_hdr *)wpa_ie; 361 362 if (hdr->elem_id != GENERIC_INFO_ELEM || 363 hdr->len != wpa_ie_len - 2 || 364 memcmp(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN) != 0 || 365 LE_16(hdr->version) != WPA_VERSION) { 366 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 367 "wpa_parse_wpa_ie_wpa"); 368 return (-1); 369 } 370 371 pos = (uint8_t *)(hdr + 1); 372 left = wpa_ie_len - sizeof (*hdr); 373 374 if (left >= WPA_SELECTOR_LEN) { 375 data->group_cipher = wpa_selector_to_bitfield(pos); 376 pos += WPA_SELECTOR_LEN; 377 left -= WPA_SELECTOR_LEN; 378 } else if (left > 0) { 379 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 380 "wpa_parse_wpa_ie_wpa", left); 381 return (-1); 382 } 383 384 if (left >= 2) { 385 data->pairwise_cipher = 0; 386 count = pos[0] | (pos[1] << 8); 387 pos += 2; 388 left -= 2; 389 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 390 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 391 "count %u left %u", 392 "wpa_parse_wpa_ie_wpa", count, left); 393 return (-1); 394 } 395 for (i = 0; i < count; i++) { 396 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 397 pos += WPA_SELECTOR_LEN; 398 left -= WPA_SELECTOR_LEN; 399 } 400 } else if (left == 1) { 401 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 402 "wpa_parse_wpa_ie_wpa"); 403 return (-1); 404 } 405 406 if (left >= 2) { 407 data->key_mgmt = 0; 408 count = pos[0] | (pos[1] << 8); 409 pos += 2; 410 left -= 2; 411 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 412 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 413 "count %u left %u", 414 "wpa_parse_wpa_ie_wpa", count, left); 415 return (-1); 416 } 417 for (i = 0; i < count; i++) { 418 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 419 pos += WPA_SELECTOR_LEN; 420 left -= WPA_SELECTOR_LEN; 421 } 422 } else if (left == 1) { 423 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 424 "wpa_parse_wpa_ie_wpa"); 425 return (-1); 426 } 427 428 if (left >= 2) { 429 data->capabilities = pos[0] | (pos[1] << 8); 430 pos += 2; 431 left -= 2; 432 } 433 434 if (left > 0) { 435 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes", 436 "wpa_parse_wpa_ie_wpa", left); 437 return (-1); 438 } 439 440 return (0); 441 } 442 443 /* ARGSUSED */ 444 static int 445 wpa_parse_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie, 446 size_t rsn_ie_len, struct wpa_ie_data *data) 447 { 448 struct rsn_ie_hdr *hdr; 449 uint8_t *pos; 450 int left; 451 int i, count; 452 453 data->proto = WPA_PROTO_RSN; 454 data->pairwise_cipher = WPA_CIPHER_CCMP; 455 data->group_cipher = WPA_CIPHER_CCMP; 456 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 457 data->capabilities = 0; 458 459 if (rsn_ie_len == 0) { 460 /* No RSN IE - fail silently */ 461 return (-1); 462 } 463 464 if (rsn_ie_len < sizeof (struct rsn_ie_hdr)) { 465 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 466 "wpa_parse_wpa_ie_rsn", rsn_ie_len); 467 return (-1); 468 } 469 470 hdr = (struct rsn_ie_hdr *)rsn_ie; 471 472 if (hdr->elem_id != RSN_INFO_ELEM || 473 hdr->len != rsn_ie_len - 2 || 474 LE_16(hdr->version) != RSN_VERSION) { 475 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 476 "wpa_parse_wpa_ie_rsn"); 477 return (-1); 478 } 479 480 pos = (uint8_t *)(hdr + 1); 481 left = rsn_ie_len - sizeof (*hdr); 482 483 if (left >= RSN_SELECTOR_LEN) { 484 data->group_cipher = rsn_selector_to_bitfield(pos); 485 pos += RSN_SELECTOR_LEN; 486 left -= RSN_SELECTOR_LEN; 487 } else if (left > 0) { 488 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 489 "wpa_parse_wpa_ie_rsn", left); 490 return (-1); 491 } 492 493 if (left >= 2) { 494 data->pairwise_cipher = 0; 495 count = pos[0] | (pos[1] << 8); 496 pos += 2; 497 left -= 2; 498 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 499 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 500 "count %u left %u", 501 "wpa_parse_wpa_ie_rsn", count, left); 502 return (-1); 503 } 504 for (i = 0; i < count; i++) { 505 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 506 pos += RSN_SELECTOR_LEN; 507 left -= RSN_SELECTOR_LEN; 508 } 509 } else if (left == 1) { 510 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 511 "wpa_parse_wpa_ie_rsn"); 512 return (-1); 513 } 514 515 if (left >= 2) { 516 data->key_mgmt = 0; 517 count = pos[0] | (pos[1] << 8); 518 pos += 2; 519 left -= 2; 520 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 521 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 522 "count %u left %u", 523 "wpa_parse_wpa_ie_rsn", count, left); 524 return (-1); 525 } 526 for (i = 0; i < count; i++) { 527 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 528 pos += RSN_SELECTOR_LEN; 529 left -= RSN_SELECTOR_LEN; 530 } 531 } else if (left == 1) { 532 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 533 "wpa_parse_wpa_ie_rsn"); 534 return (-1); 535 } 536 537 if (left >= 2) { 538 data->capabilities = pos[0] | (pos[1] << 8); 539 pos += 2; 540 left -= 2; 541 } 542 543 if (left > 0) { 544 /* 545 * RSN IE could include PMKID data, but Authenticator should 546 * never include it, so no need to parse it in the Supplicant. 547 */ 548 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored", 549 "wpa_parse_wpa_ie_rsn", left); 550 } 551 552 return (0); 553 } 554 555 int 556 wpa_parse_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 557 size_t wpa_ie_len, struct wpa_ie_data *data) 558 { 559 if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM) 560 return (wpa_parse_wpa_ie_rsn(wpa_s, wpa_ie, wpa_ie_len, data)); 561 else 562 return (wpa_parse_wpa_ie_wpa(wpa_s, wpa_ie, wpa_ie_len, data)); 563 } 564 565 static int 566 wpa_gen_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 567 { 568 uint8_t *pos; 569 struct wpa_ie_hdr *hdr; 570 571 hdr = (struct wpa_ie_hdr *)wpa_ie; 572 hdr->elem_id = GENERIC_INFO_ELEM; 573 (void) memcpy(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN); 574 hdr->version = LE_16(WPA_VERSION); 575 pos = (uint8_t *)(hdr + 1); 576 577 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 578 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 579 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 580 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 581 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 582 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN); 583 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 584 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN); 585 } else { 586 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 587 wpa_s->group_cipher); 588 return (-1); 589 } 590 pos += WPA_SELECTOR_LEN; 591 592 *pos++ = 1; 593 *pos++ = 0; 594 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 595 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 596 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 597 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 598 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 599 (void) memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN); 600 } else { 601 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 602 wpa_s->pairwise_cipher); 603 return (-1); 604 } 605 pos += WPA_SELECTOR_LEN; 606 607 *pos++ = 1; 608 *pos++ = 0; 609 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 610 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, 611 WPA_SELECTOR_LEN); 612 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 613 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, 614 WPA_SELECTOR_LEN); 615 } else { 616 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 617 wpa_s->key_mgmt); 618 return (-1); 619 } 620 pos += WPA_SELECTOR_LEN; 621 622 /* 623 * WPA Capabilities; use defaults, so no need to include it 624 */ 625 hdr->len = (pos - wpa_ie) - 2; 626 627 return (pos - wpa_ie); 628 } 629 630 static int 631 wpa_gen_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie) 632 { 633 uint8_t *pos; 634 struct rsn_ie_hdr *hdr; 635 636 hdr = (struct rsn_ie_hdr *)rsn_ie; 637 hdr->elem_id = RSN_INFO_ELEM; 638 hdr->version = LE_16(RSN_VERSION); 639 pos = (uint8_t *)(hdr + 1); 640 641 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 642 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 643 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 644 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 645 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 646 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN); 647 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 648 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN); 649 } else { 650 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 651 wpa_s->group_cipher); 652 return (-1); 653 } 654 pos += RSN_SELECTOR_LEN; 655 656 *pos++ = 1; 657 *pos++ = 0; 658 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 659 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 660 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 661 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 662 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 663 (void) memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN); 664 } else { 665 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 666 wpa_s->pairwise_cipher); 667 return (-1); 668 } 669 pos += RSN_SELECTOR_LEN; 670 671 *pos++ = 1; 672 *pos++ = 0; 673 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 674 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, 675 RSN_SELECTOR_LEN); 676 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 677 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, 678 RSN_SELECTOR_LEN); 679 } else { 680 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 681 wpa_s->key_mgmt); 682 return (-1); 683 } 684 pos += RSN_SELECTOR_LEN; 685 686 /* RSN Capabilities */ 687 *pos++ = 0; 688 *pos++ = 0; 689 690 if (wpa_s->cur_pmksa) { 691 /* PMKID Count (2 octets, little endian) */ 692 *pos++ = 1; 693 *pos++ = 0; 694 /* PMKID */ 695 (void) memcpy(pos, wpa_s->cur_pmksa->pmkid, PMKID_LEN); 696 pos += PMKID_LEN; 697 } 698 699 hdr->len = (pos - rsn_ie) - 2; 700 701 return (pos - rsn_ie); 702 } 703 704 int 705 wpa_gen_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 706 { 707 if (wpa_s->proto == WPA_PROTO_RSN) 708 return (wpa_gen_wpa_ie_rsn(wpa_s, wpa_ie)); 709 else 710 return (wpa_gen_wpa_ie_wpa(wpa_s, wpa_ie)); 711 } 712 713 static void 714 wpa_pmk_to_ptk(uint8_t *pmk, uint8_t *addr1, uint8_t *addr2, 715 uint8_t *nonce1, uint8_t *nonce2, uint8_t *ptk, size_t ptk_len) 716 { 717 uint8_t data[2 * IEEE80211_ADDR_LEN + 2 * WPA_PMK_LEN]; 718 719 /* 720 * PTK = PRF-X(PMK, "Pairwise key expansion", 721 * Min(AA, SA) || Max(AA, SA) || 722 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 723 */ 724 725 if (memcmp(addr1, addr2, IEEE80211_ADDR_LEN) < 0) { 726 (void) memcpy(data, addr1, IEEE80211_ADDR_LEN); 727 (void) memcpy(data + IEEE80211_ADDR_LEN, addr2, 728 IEEE80211_ADDR_LEN); 729 } else { 730 (void) memcpy(data, addr2, IEEE80211_ADDR_LEN); 731 (void) memcpy(data + IEEE80211_ADDR_LEN, addr1, 732 IEEE80211_ADDR_LEN); 733 } 734 735 if (memcmp(nonce1, nonce2, WPA_PMK_LEN) < 0) { 736 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce1, 737 WPA_PMK_LEN); 738 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 739 nonce2, WPA_PMK_LEN); 740 } else { 741 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce2, 742 WPA_PMK_LEN); 743 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 744 nonce1, WPA_PMK_LEN); 745 } 746 747 sha1_prf(pmk, WPA_PMK_LEN, "Pairwise key expansion", data, 748 sizeof (data), ptk, ptk_len); 749 750 wpa_hexdump(MSG_DEBUG, "WPA: PMK", pmk, WPA_PMK_LEN); 751 wpa_hexdump(MSG_DEBUG, "WPA: PTK", ptk, ptk_len); 752 } 753 754 struct wpa_ssid * 755 wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s) 756 { 757 struct wpa_ssid *entry; 758 uint8_t ssid[MAX_ESSID_LENGTH]; 759 int ssid_len; 760 uint8_t bssid[IEEE80211_ADDR_LEN]; 761 762 (void) memset(ssid, 0, MAX_ESSID_LENGTH); 763 ssid_len = wpa_s->driver->get_ssid(wpa_s->ifname, (char *)ssid); 764 if (ssid_len < 0) { 765 wpa_printf(MSG_WARNING, "Could not read SSID from driver."); 766 return (NULL); 767 } 768 769 if (wpa_s->driver->get_bssid(wpa_s->ifname, (char *)bssid) < 0) { 770 wpa_printf(MSG_WARNING, "Could not read BSSID from driver."); 771 return (NULL); 772 } 773 774 entry = wpa_s->conf->ssid; 775 wpa_printf(MSG_DEBUG, "entry len=%d ssid=%s," 776 " driver len=%d ssid=%s", 777 entry->ssid_len, entry->ssid, ssid_len, ssid); 778 779 if (ssid_len == entry->ssid_len && 780 memcmp(ssid, entry->ssid, ssid_len) == 0 && 781 (!entry->bssid_set || 782 memcmp(bssid, entry->bssid, IEEE80211_ADDR_LEN) == 0)) 783 return (entry); 784 785 return (NULL); 786 } 787 788 static void 789 wpa_eapol_key_mic(uint8_t *key, int ver, uint8_t *buf, size_t len, uint8_t *mic) 790 { 791 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 792 hmac_md5(key, 16, buf, len, mic); 793 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 794 uint8_t hash[SHA1_MAC_LEN]; 795 hmac_sha1(key, 16, buf, len, hash); 796 (void) memcpy(mic, hash, MD5_MAC_LEN); 797 } 798 } 799 800 void 801 wpa_supplicant_key_request(struct wpa_supplicant *wpa_s, 802 int error, int pairwise) 803 { 804 int rlen; 805 struct ieee802_1x_hdr *hdr; 806 struct wpa_eapol_key *reply; 807 unsigned char *rbuf; 808 struct l2_ethhdr *ethhdr; 809 int key_info, ver; 810 uint8_t bssid[IEEE80211_ADDR_LEN]; 811 812 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) 813 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 814 else 815 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 816 817 if (wpa_s->driver->get_bssid(wpa_s->ifname, (char *)bssid) < 0) { 818 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key " 819 "request"); 820 return; 821 } 822 823 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 824 rbuf = malloc(rlen); 825 if (rbuf == NULL) 826 return; 827 828 (void) memset(rbuf, 0, rlen); 829 ethhdr = (struct l2_ethhdr *)rbuf; 830 (void) memcpy(ethhdr->h_dest, bssid, IEEE80211_ADDR_LEN); 831 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 832 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 833 834 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 835 hdr->version = wpa_s->conf->eapol_version; 836 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 837 hdr->length = htons(sizeof (*reply)); 838 839 reply = (struct wpa_eapol_key *)(hdr + 1); 840 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 841 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 842 key_info = WPA_KEY_INFO_REQUEST | ver; 843 if (wpa_s->ptk_set) 844 key_info |= WPA_KEY_INFO_MIC; 845 if (error) 846 key_info |= WPA_KEY_INFO_ERROR; 847 if (pairwise) 848 key_info |= WPA_KEY_INFO_KEY_TYPE; 849 reply->key_info = BE_16(key_info); 850 reply->key_length = 0; 851 (void) memcpy(reply->replay_counter, wpa_s->request_counter, 852 WPA_REPLAY_COUNTER_LEN); 853 inc_byte_array(wpa_s->request_counter, WPA_REPLAY_COUNTER_LEN); 854 855 reply->key_data_length = BE_16(0); 856 857 if (key_info & WPA_KEY_INFO_MIC) { 858 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 859 rlen - sizeof (*ethhdr), reply->key_mic); 860 } 861 862 wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d " 863 "pairwise=%d ptk_set=%d len=%d)", 864 error, pairwise, wpa_s->ptk_set, rlen); 865 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key Request", rbuf, rlen); 866 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 867 free(rbuf); 868 } 869 870 static void 871 wpa_supplicant_process_1_of_4(struct wpa_supplicant *wpa_s, 872 unsigned char *src_addr, struct wpa_eapol_key *key, int ver) 873 { 874 int rlen; 875 struct ieee802_1x_hdr *hdr; 876 struct wpa_eapol_key *reply; 877 unsigned char *rbuf; 878 struct l2_ethhdr *ethhdr; 879 struct wpa_ssid *ssid; 880 struct wpa_ptk *ptk; 881 uint8_t buf[8], wpa_ie_buf[80], *wpa_ie, *pmkid = NULL; 882 int wpa_ie_len; 883 884 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 885 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from " 886 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 887 888 ssid = wpa_supplicant_get_ssid(wpa_s); 889 if (ssid == NULL) { 890 wpa_printf(MSG_WARNING, 891 "WPA: No SSID info found (msg 1 of 4)."); 892 return; 893 } 894 895 if (wpa_s->proto == WPA_PROTO_RSN) { 896 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 897 uint8_t *pos = (uint8_t *)(key + 1); 898 uint8_t *end = pos + BE_16(key->key_data_length); 899 900 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 901 pos, BE_16(key->key_data_length)); 902 903 while (pos + 1 < end) { 904 if (pos + 2 + pos[1] > end) { 905 wpa_printf(MSG_DEBUG, "RSN: key data " 906 "underflow (ie=%d len=%d)", 907 pos[0], pos[1]); 908 break; 909 } 910 if (pos[0] == GENERIC_INFO_ELEM && 911 pos + 1 + RSN_SELECTOR_LEN < end && 912 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN && 913 memcmp(pos + 2, RSN_KEY_DATA_PMKID, 914 RSN_SELECTOR_LEN) == 0) { 915 pmkid = pos + 2 + RSN_SELECTOR_LEN; 916 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 917 "Authenticator", pmkid, PMKID_LEN); 918 break; 919 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 920 break; 921 pos += 2 + pos[1]; 922 } 923 } 924 925 wpa_ie = wpa_ie_buf; 926 wpa_ie_len = wpa_gen_wpa_ie(wpa_s, wpa_ie); 927 if (wpa_ie_len < 0) { 928 wpa_printf(MSG_WARNING, "WPA: Failed to generate " 929 "WPA IE (for msg 2 of 4)."); 930 return; 931 } 932 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 933 934 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply) + wpa_ie_len; 935 rbuf = malloc(rlen); 936 if (rbuf == NULL) 937 return; 938 939 (void) memset(rbuf, 0, rlen); 940 ethhdr = (struct l2_ethhdr *)rbuf; 941 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 942 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 943 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 944 945 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 946 hdr->version = wpa_s->conf->eapol_version; 947 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 948 hdr->length = htons(sizeof (*reply) + wpa_ie_len); 949 950 reply = (struct wpa_eapol_key *)(hdr + 1); 951 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 952 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 953 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | 954 WPA_KEY_INFO_MIC); 955 reply->key_length = key->key_length; 956 (void) memcpy(reply->replay_counter, key->replay_counter, 957 WPA_REPLAY_COUNTER_LEN); 958 959 reply->key_data_length = BE_16(wpa_ie_len); 960 (void) memcpy(reply + 1, wpa_ie, wpa_ie_len); 961 962 if (wpa_s->renew_snonce) { 963 if (random_get_pseudo_bytes(wpa_s->snonce, WPA_NONCE_LEN)) { 964 wpa_printf(MSG_WARNING, "WPA: Failed to get " 965 "random data for SNonce"); 966 free(rbuf); 967 return; 968 } 969 970 wpa_s->renew_snonce = 0; 971 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 972 wpa_s->snonce, WPA_NONCE_LEN); 973 } 974 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 975 ptk = &wpa_s->tptk; 976 (void) memcpy(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN); 977 978 wpa_pmk_to_ptk(wpa_s->pmk, wpa_s->own_addr, src_addr, 979 wpa_s->snonce, key->key_nonce, (uint8_t *)ptk, sizeof (*ptk)); 980 981 /* 982 * Supplicant: swap tx/rx Mic keys 983 */ 984 (void) memcpy(buf, ptk->u.auth.tx_mic_key, 8); 985 (void) memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8); 986 (void) memcpy(ptk->u.auth.rx_mic_key, buf, 8); 987 wpa_s->tptk_set = 1; 988 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, (uint8_t *)hdr, 989 rlen - sizeof (*ethhdr), reply->key_mic); 990 wpa_hexdump(MSG_DEBUG, "WPA: EAPOL-Key MIC", reply->key_mic, 16); 991 992 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 993 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/4", rbuf, rlen); 994 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 995 996 free(rbuf); 997 } 998 999 static void 1000 wpa_supplicant_process_3_of_4_gtk(struct wpa_supplicant *wpa_s, 1001 unsigned char *src_addr, struct wpa_eapol_key *key, 1002 uint8_t *gtk, int gtk_len) 1003 { 1004 int keyidx, tx, key_rsc_len = 0, alg; 1005 1006 wpa_hexdump(MSG_DEBUG, 1007 "WPA: received GTK in pairwise handshake", gtk, gtk_len); 1008 1009 keyidx = gtk[0] & 0x3; 1010 tx = !!(gtk[0] & BIT(2)); 1011 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1012 /* 1013 * Ignore Tx bit in GTK IE if a pairwise key is used. 1014 * One AP seemed to set this bit (incorrectly, since Tx 1015 * is only when doing Group Key only APs) and without 1016 * this workaround, the data connection does not work 1017 * because wpa_supplicant configured non-zero keyidx to 1018 * be used for unicast. 1019 */ 1020 wpa_printf(MSG_INFO, "RSN: Tx bit set for GTK IE, but " 1021 "pairwise keys are used - ignore Tx bit"); 1022 tx = 0; 1023 } 1024 1025 gtk += 2; 1026 gtk_len -= 2; 1027 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, gtk_len); 1028 1029 switch (wpa_s->group_cipher) { 1030 case WPA_CIPHER_CCMP: 1031 if (gtk_len != 16) { 1032 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP" 1033 " Group Cipher key length %d.", gtk_len); 1034 return; 1035 } 1036 key_rsc_len = 6; 1037 alg = WPA_ALG_CCMP; 1038 break; 1039 case WPA_CIPHER_TKIP: 1040 if (gtk_len != 32) { 1041 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP" 1042 " Group Cipher key length %d.", gtk_len); 1043 return; 1044 } 1045 key_rsc_len = 6; 1046 alg = WPA_ALG_TKIP; 1047 break; 1048 case WPA_CIPHER_WEP104: 1049 if (gtk_len != 13) { 1050 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1051 "WEP104 Group Cipher key length " "%d.", gtk_len); 1052 return; 1053 } 1054 alg = WPA_ALG_WEP; 1055 break; 1056 case WPA_CIPHER_WEP40: 1057 if (gtk_len != 5) { 1058 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1059 "WEP40 Group Cipher key length %d.", gtk_len); 1060 return; 1061 } 1062 alg = WPA_ALG_WEP; 1063 break; 1064 default: 1065 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher " 1066 "%d", wpa_s->group_cipher); 1067 return; 1068 } 1069 1070 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver " 1071 "(keyidx=%d tx=%d).", keyidx, tx); 1072 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1073 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1074 uint8_t tmpbuf[8]; 1075 /* 1076 * Swap Tx/Rx keys for Michael MIC 1077 */ 1078 (void) memcpy(tmpbuf, gtk + 16, 8); 1079 (void) memcpy(gtk + 16, gtk + 24, 8); 1080 (void) memcpy(gtk + 24, tmpbuf, 8); 1081 } 1082 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1083 if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1084 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1085 keyidx, 1, key->key_rsc, 1086 key_rsc_len, gtk, gtk_len) < 0) 1087 wpa_printf(MSG_WARNING, "WPA: Failed to set " 1088 "GTK to the driver (Group only)."); 1089 } else if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1090 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1091 keyidx, tx, 1092 key->key_rsc, key_rsc_len, 1093 gtk, gtk_len) < 0) { 1094 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to " 1095 "the driver."); 1096 } 1097 1098 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " 1099 MACSTR, MAC2STR(src_addr)); 1100 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1101 wpa_supplicant_cancel_auth_timeout(wpa_s); 1102 wpa_s->wpa_state = WPA_COMPLETED; 1103 } 1104 1105 static void 1106 wpa_supplicant_process_3_of_4(struct wpa_supplicant *wpa_s, 1107 unsigned char *src_addr, struct wpa_eapol_key *key, 1108 int extra_len, int ver) 1109 { 1110 int rlen; 1111 struct ieee802_1x_hdr *hdr; 1112 struct wpa_eapol_key *reply; 1113 unsigned char *rbuf; 1114 struct l2_ethhdr *ethhdr; 1115 int key_info, ie_len = 0, keylen, gtk_len = 0; 1116 uint8_t *ie = NULL, *gtk = NULL, *key_rsc; 1117 uint8_t null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 1118 1119 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 1120 wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from " 1121 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1122 1123 key_info = BE_16(key->key_info); 1124 1125 if (wpa_s->proto == WPA_PROTO_RSN) { 1126 uint8_t *pos = (uint8_t *)(key + 1); 1127 uint8_t *end = pos + BE_16(key->key_data_length); 1128 while (pos + 1 < end) { 1129 if (pos + 2 + pos[1] > end) { 1130 wpa_printf(MSG_DEBUG, "RSN: key data " 1131 "underflow (ie=%d len=%d)", 1132 pos[0], pos[1]); 1133 break; 1134 } 1135 if (*pos == RSN_INFO_ELEM) { 1136 ie = pos; 1137 ie_len = pos[1] + 2; 1138 } else if (pos[0] == GENERIC_INFO_ELEM && 1139 pos + 1 + RSN_SELECTOR_LEN < end && 1140 pos[1] > RSN_SELECTOR_LEN + 2 && 1141 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1142 RSN_SELECTOR_LEN) == 0) { 1143 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1144 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1145 "in unencrypted key data"); 1146 return; 1147 } 1148 gtk = pos + 2 + RSN_SELECTOR_LEN; 1149 gtk_len = pos[1] - RSN_SELECTOR_LEN; 1150 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 1151 break; 1152 1153 pos += 2 + pos[1]; 1154 } 1155 } else { 1156 ie = (uint8_t *)(key + 1); 1157 ie_len = BE_16(key->key_data_length); 1158 if (ie_len > extra_len) { 1159 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1160 " ie_len=%d > extra_len=%d", 1161 ie_len, extra_len); 1162 return; 1163 } 1164 } 1165 1166 if (wpa_s->ap_wpa_ie && 1167 (wpa_s->ap_wpa_ie_len != ie_len || 1168 memcmp(wpa_s->ap_wpa_ie, ie, ie_len) != 0)) { 1169 wpa_printf(MSG_WARNING, "WPA: WPA IE in 3/4 msg does not match" 1170 " with WPA IE in Beacon/ProbeResp (src=" MACSTR ")", 1171 MAC2STR(src_addr)); 1172 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1173 wpa_s->ap_wpa_ie, wpa_s->ap_wpa_ie_len); 1174 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", ie, ie_len); 1175 wpa_supplicant_disassociate(wpa_s, REASON_IE_IN_4WAY_DIFFERS); 1176 wpa_supplicant_req_scan(wpa_s, 0, 0); 1177 return; 1178 } 1179 1180 if (memcmp(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1181 wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way " 1182 "Handshake differs from 3 of 4-Way Handshake - drop" 1183 " packet (src=" MACSTR ")", MAC2STR(src_addr)); 1184 return; 1185 } 1186 1187 keylen = BE_16(key->key_length); 1188 switch (wpa_s->pairwise_cipher) { 1189 case WPA_CIPHER_CCMP: 1190 if (keylen != 16) { 1191 wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length " 1192 "%d (src=" MACSTR ")", 1193 keylen, MAC2STR(src_addr)); 1194 return; 1195 } 1196 break; 1197 case WPA_CIPHER_TKIP: 1198 if (keylen != 32) { 1199 wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length " 1200 "%d (src=" MACSTR ")", 1201 keylen, MAC2STR(src_addr)); 1202 return; 1203 } 1204 break; 1205 } 1206 1207 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1208 rbuf = malloc(rlen); 1209 if (rbuf == NULL) 1210 return; 1211 1212 (void) memset(rbuf, 0, rlen); 1213 ethhdr = (struct l2_ethhdr *)rbuf; 1214 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1215 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1216 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1217 1218 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1219 hdr->version = wpa_s->conf->eapol_version; 1220 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1221 hdr->length = htons(sizeof (*reply)); 1222 1223 reply = (struct wpa_eapol_key *)(hdr + 1); 1224 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1225 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1226 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | 1227 WPA_KEY_INFO_MIC | 1228 (key_info & WPA_KEY_INFO_SECURE)); 1229 reply->key_length = key->key_length; 1230 (void) memcpy(reply->replay_counter, key->replay_counter, 1231 WPA_REPLAY_COUNTER_LEN); 1232 1233 reply->key_data_length = BE_16(0); 1234 1235 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 1236 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1237 rlen - sizeof (*ethhdr), reply->key_mic); 1238 1239 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1240 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 4/4", rbuf, rlen); 1241 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1242 1243 free(rbuf); 1244 1245 /* 1246 * SNonce was successfully used in msg 3/4, so mark it to be renewed 1247 * for the next 4-Way Handshake. If msg 3 is received again, the old 1248 * SNonce will still be used to avoid changing PTK. 1249 */ 1250 wpa_s->renew_snonce = 1; 1251 1252 if (key_info & WPA_KEY_INFO_INSTALL) { 1253 int alg, keylen, rsclen; 1254 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver."); 1255 switch (wpa_s->pairwise_cipher) { 1256 case WPA_CIPHER_CCMP: 1257 alg = WPA_ALG_CCMP; 1258 keylen = 16; 1259 rsclen = 6; 1260 break; 1261 case WPA_CIPHER_TKIP: 1262 alg = WPA_ALG_TKIP; 1263 keylen = 32; 1264 rsclen = 6; 1265 break; 1266 case WPA_CIPHER_NONE: 1267 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: " 1268 "NONE - do not use pairwise keys"); 1269 return; 1270 default: 1271 wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise " 1272 "cipher %d", wpa_s->pairwise_cipher); 1273 return; 1274 } 1275 if (wpa_s->proto == WPA_PROTO_RSN) { 1276 key_rsc = null_rsc; 1277 } else { 1278 key_rsc = key->key_rsc; 1279 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 1280 } 1281 1282 if (wpa_s->driver->set_key(wpa_s->ifname, alg, src_addr, 1283 0, 1, key_rsc, rsclen, 1284 (uint8_t *)&wpa_s->ptk.tk1, keylen) < 0) { 1285 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the" 1286 " driver."); 1287 } 1288 } 1289 1290 wpa_printf(MSG_DEBUG, "%s: key_info=%x gtk=%p\n", 1291 "wpa_supplicant_process_3_of_4", key_info, gtk); 1292 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1293 1294 if (gtk) 1295 wpa_supplicant_process_3_of_4_gtk(wpa_s, 1296 src_addr, key, gtk, gtk_len); 1297 } 1298 1299 static void 1300 wpa_supplicant_process_1_of_2(struct wpa_supplicant *wpa_s, 1301 unsigned char *src_addr, struct wpa_eapol_key *key, 1302 int extra_len, int ver) 1303 { 1304 int rlen; 1305 struct ieee802_1x_hdr *hdr; 1306 struct wpa_eapol_key *reply; 1307 unsigned char *rbuf; 1308 struct l2_ethhdr *ethhdr; 1309 int key_info, keylen, keydatalen, maxkeylen, keyidx, key_rsc_len = 0; 1310 int alg, tx; 1311 uint8_t ek[32], tmpbuf[8], gtk[32]; 1312 uint8_t *gtk_ie = NULL; 1313 size_t gtk_ie_len = 0; 1314 1315 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1316 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from " 1317 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1318 1319 key_info = BE_16(key->key_info); 1320 keydatalen = BE_16(key->key_data_length); 1321 1322 if (wpa_s->proto == WPA_PROTO_RSN) { 1323 uint8_t *pos = (uint8_t *)(key + 1); 1324 uint8_t *end = pos + keydatalen; 1325 while (pos + 1 < end) { 1326 if (pos + 2 + pos[1] > end) { 1327 wpa_printf(MSG_DEBUG, "RSN: key data " 1328 "underflow (ie=%d len=%d)", 1329 pos[0], pos[1]); 1330 break; 1331 } 1332 if (pos[0] == GENERIC_INFO_ELEM && 1333 pos + 1 + RSN_SELECTOR_LEN < end && 1334 pos[1] > RSN_SELECTOR_LEN + 2 && 1335 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1336 RSN_SELECTOR_LEN) == 0) { 1337 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1338 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1339 "in unencrypted key data"); 1340 return; 1341 } 1342 gtk_ie = pos + 2 + RSN_SELECTOR_LEN; 1343 gtk_ie_len = pos[1] - RSN_SELECTOR_LEN; 1344 break; 1345 } else if (pos[0] == GENERIC_INFO_ELEM && 1346 pos[1] == 0) 1347 break; 1348 1349 pos += 2 + pos[1]; 1350 } 1351 1352 if (gtk_ie == NULL) { 1353 wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key " 1354 "message 1/2"); 1355 return; 1356 } 1357 maxkeylen = keylen = gtk_ie_len - 2; 1358 } else { 1359 keylen = BE_16(key->key_length); 1360 maxkeylen = keydatalen; 1361 if (keydatalen > extra_len) { 1362 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1363 " key_data_length=%d > extra_len=%d", 1364 keydatalen, extra_len); 1365 return; 1366 } 1367 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) 1368 maxkeylen -= 8; 1369 } 1370 1371 switch (wpa_s->group_cipher) { 1372 case WPA_CIPHER_CCMP: 1373 if (keylen != 16 || maxkeylen < 16) { 1374 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP Group " 1375 "Cipher key length %d (%d).", keylen, maxkeylen); 1376 return; 1377 } 1378 key_rsc_len = 6; 1379 alg = WPA_ALG_CCMP; 1380 break; 1381 case WPA_CIPHER_TKIP: 1382 if (keylen != 32 || maxkeylen < 32) { 1383 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP Group " 1384 "Cipher key length %d (%d).", keylen, maxkeylen); 1385 return; 1386 } 1387 key_rsc_len = 6; /* key->key_data; */ 1388 alg = WPA_ALG_TKIP; 1389 break; 1390 case WPA_CIPHER_WEP104: 1391 if (keylen != 13 || maxkeylen < 13) { 1392 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP104 Group" 1393 " Cipher key length %d (%d).", keylen, maxkeylen); 1394 return; 1395 } 1396 alg = WPA_ALG_WEP; 1397 break; 1398 case WPA_CIPHER_WEP40: 1399 if (keylen != 5 || maxkeylen < 5) { 1400 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP40 Group " 1401 "Cipher key length %d (%d).", keylen, maxkeylen); 1402 return; 1403 } 1404 alg = WPA_ALG_WEP; 1405 break; 1406 default: 1407 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher %d", 1408 wpa_s->group_cipher); 1409 return; 1410 } 1411 1412 if (wpa_s->proto == WPA_PROTO_RSN) { 1413 wpa_hexdump(MSG_DEBUG, 1414 "WPA: received GTK in group key handshake", 1415 gtk_ie, gtk_ie_len); 1416 keyidx = gtk_ie[0] & 0x3; 1417 tx = !!(gtk_ie[0] & BIT(2)); 1418 if (gtk_ie_len - 2 > sizeof (gtk)) { 1419 wpa_printf(MSG_INFO, "WPA: Too long GTK in GTK IE " 1420 "(len=%d)", gtk_ie_len - 2); 1421 return; 1422 } 1423 (void) memcpy(gtk, gtk_ie + 2, gtk_ie_len - 2); 1424 } else { 1425 keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1426 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1427 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1428 (void) memcpy(ek, key->key_iv, 16); 1429 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1430 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1431 (void) memcpy(gtk, key + 1, keylen); 1432 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1433 if (keydatalen % 8) { 1434 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1435 "AES-WRAP len %d", keydatalen); 1436 return; 1437 } 1438 if (aes_unwrap(wpa_s->ptk.encr_key, maxkeylen / 8, 1439 (uint8_t *)(key + 1), gtk)) { 1440 wpa_printf(MSG_WARNING, "WPA: AES unwrap " 1441 "failed - could not decrypt GTK"); 1442 return; 1443 } 1444 } 1445 tx = !!(key_info & WPA_KEY_INFO_TXRX); 1446 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1447 /* 1448 * Ignore Tx bit in Group Key message if a pairwise key 1449 * is used. Some APs seem to setting this bit 1450 * (incorrectly, since Tx is only when doing Group Key 1451 * only APs) and without this workaround, the data 1452 * connection does not work because wpa_supplicant 1453 * configured non-zero keyidx to be used for unicast. 1454 */ 1455 wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but " 1456 "pairwise keys are used - ignore Tx bit"); 1457 tx = 0; 1458 } 1459 } 1460 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, keylen); 1461 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver (keyidx=%d " 1462 "tx=%d).", keyidx, tx); 1463 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1464 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1465 /* 1466 * Swap Tx/Rx keys for Michael MIC 1467 */ 1468 (void) memcpy(tmpbuf, gtk + 16, 8); 1469 (void) memcpy(gtk + 16, gtk + 24, 8); 1470 (void) memcpy(gtk + 24, tmpbuf, 8); 1471 } 1472 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1473 if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1474 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1475 keyidx, 1, key->key_rsc, 1476 key_rsc_len, gtk, keylen) < 0) 1477 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the" 1478 " driver (Group only)."); 1479 } else if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1480 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1481 keyidx, tx, 1482 key->key_rsc, key_rsc_len, 1483 gtk, keylen) < 0) { 1484 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " 1485 "driver."); 1486 } 1487 1488 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1489 rbuf = malloc(rlen); 1490 if (rbuf == NULL) 1491 return; 1492 1493 (void) memset(rbuf, 0, rlen); 1494 ethhdr = (struct l2_ethhdr *)rbuf; 1495 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1496 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1497 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1498 1499 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1500 hdr->version = wpa_s->conf->eapol_version; 1501 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1502 hdr->length = htons(sizeof (*reply)); 1503 1504 reply = (struct wpa_eapol_key *)(hdr + 1); 1505 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1506 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1507 reply->key_info = 1508 BE_16(ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE | 1509 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK)); 1510 reply->key_length = key->key_length; 1511 (void) memcpy(reply->replay_counter, key->replay_counter, 1512 WPA_REPLAY_COUNTER_LEN); 1513 1514 reply->key_data_length = BE_16(0); 1515 1516 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1517 rlen - sizeof (*ethhdr), reply->key_mic); 1518 1519 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 1520 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/2", rbuf, rlen); 1521 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1522 free(rbuf); 1523 1524 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " MACSTR, 1525 MAC2STR(src_addr)); 1526 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1527 wpa_supplicant_cancel_auth_timeout(wpa_s); 1528 wpa_s->wpa_state = WPA_COMPLETED; 1529 wpa_printf(MSG_INFO, "-----------------------------------\n"); 1530 } 1531 1532 static int 1533 wpa_supplicant_verify_eapol_key_mic(struct wpa_supplicant *wpa_s, 1534 struct wpa_eapol_key *key, int ver, uint8_t *buf, size_t len) 1535 { 1536 uint8_t mic[16]; 1537 int ok = 0; 1538 1539 (void) memcpy(mic, key->key_mic, 16); 1540 if (wpa_s->tptk_set) { 1541 (void) memset(key->key_mic, 0, 16); 1542 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, buf, len, 1543 key->key_mic); 1544 if (memcmp(mic, key->key_mic, 16) != 0) { 1545 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1546 "when using TPTK - ignoring TPTK"); 1547 } else { 1548 ok = 1; 1549 wpa_s->tptk_set = 0; 1550 wpa_s->ptk_set = 1; 1551 (void) memcpy(&wpa_s->ptk, &wpa_s->tptk, 1552 sizeof (wpa_s->ptk)); 1553 } 1554 } 1555 1556 if (!ok && wpa_s->ptk_set) { 1557 (void) memset(key->key_mic, 0, 16); 1558 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, buf, len, 1559 key->key_mic); 1560 if (memcmp(mic, key->key_mic, 16) != 0) { 1561 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1562 "- dropping packet"); 1563 return (-1); 1564 } 1565 ok = 1; 1566 } 1567 1568 if (!ok) { 1569 wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC " 1570 "- dropping packet"); 1571 return (-1); 1572 } 1573 1574 (void) memcpy(wpa_s->rx_replay_counter, key->replay_counter, 1575 WPA_REPLAY_COUNTER_LEN); 1576 wpa_s->rx_replay_counter_set = 1; 1577 1578 return (0); 1579 } 1580 1581 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 1582 static int 1583 wpa_supplicant_decrypt_key_data(struct wpa_supplicant *wpa_s, 1584 struct wpa_eapol_key *key, int ver) 1585 { 1586 int keydatalen = BE_16(key->key_data_length); 1587 1588 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 1589 (uint8_t *)(key + 1), keydatalen); 1590 if (!wpa_s->ptk_set) { 1591 wpa_printf(MSG_WARNING, "WPA: PTK not available, " 1592 "cannot decrypt EAPOL-Key key data."); 1593 return (-1); 1594 } 1595 1596 /* 1597 * Decrypt key data here so that this operation does not need 1598 * to be implemented separately for each message type. 1599 */ 1600 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1601 uint8_t ek[32]; 1602 (void) memcpy(ek, key->key_iv, 16); 1603 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1604 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1605 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1606 uint8_t *buf; 1607 if (keydatalen % 8) { 1608 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1609 "AES-WRAP len %d", keydatalen); 1610 return (-1); 1611 } 1612 keydatalen -= 8; /* AES-WRAP adds 8 bytes */ 1613 buf = malloc(keydatalen); 1614 if (buf == NULL) { 1615 wpa_printf(MSG_WARNING, "WPA: No memory for " 1616 "AES-UNWRAP buffer"); 1617 return (-1); 1618 } 1619 if (aes_unwrap(wpa_s->ptk.encr_key, keydatalen / 8, 1620 (uint8_t *)(key + 1), buf)) { 1621 free(buf); 1622 wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - " 1623 "could not decrypt EAPOL-Key key data"); 1624 return (-1); 1625 } 1626 (void) memcpy(key + 1, buf, keydatalen); 1627 free(buf); 1628 key->key_data_length = BE_16(keydatalen); 1629 } 1630 wpa_hexdump(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 1631 (uint8_t *)(key + 1), keydatalen); 1632 1633 return (0); 1634 } 1635 1636 static void 1637 wpa_sm_rx_eapol(struct wpa_supplicant *wpa_s, 1638 unsigned char *src_addr, unsigned char *buf, size_t len) 1639 { 1640 size_t plen, data_len, extra_len; 1641 struct ieee802_1x_hdr *hdr; 1642 struct wpa_eapol_key *key; 1643 int key_info, ver; 1644 1645 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame len %u\n ", len); 1646 1647 hdr = (struct ieee802_1x_hdr *)buf; 1648 key = (struct wpa_eapol_key *)(hdr + 1); 1649 wpa_printf(MSG_DEBUG, "hdr_len=%u, key_len=%u", 1650 sizeof (*hdr), sizeof (*key)); 1651 if (len < sizeof (*hdr) + sizeof (*key)) { 1652 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short, len %u, " 1653 "expecting at least %u", 1654 len, sizeof (*hdr) + sizeof (*key)); 1655 return; 1656 } 1657 plen = ntohs(hdr->length); 1658 data_len = plen + sizeof (*hdr); 1659 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%d", 1660 hdr->version, hdr->type, plen); 1661 1662 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 1663 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, " 1664 "not a Key frame", hdr->type); 1665 return; 1666 } 1667 if (plen > len - sizeof (*hdr) || plen < sizeof (*key)) { 1668 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %u " 1669 "invalid (frame size %u)", plen, len); 1670 return; 1671 } 1672 1673 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type); 1674 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != 1675 EAPOL_KEY_TYPE_RSN) { 1676 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, " 1677 "discarded", key->type); 1678 return; 1679 } 1680 1681 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 1682 if (data_len < len) { 1683 wpa_printf(MSG_DEBUG, "WPA: ignoring %d bytes after the IEEE " 1684 "802.1X data", len - data_len); 1685 } 1686 key_info = BE_16(key->key_info); 1687 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1688 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 1689 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1690 wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor " 1691 "version %d.", ver); 1692 return; 1693 } 1694 1695 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP && 1696 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1697 wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key " 1698 "descriptor version (%d) is not 2.", ver); 1699 if (wpa_s->group_cipher != WPA_CIPHER_CCMP && 1700 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1701 /* 1702 * Earlier versions of IEEE 802.11i did not explicitly 1703 * require version 2 descriptor for all EAPOL-Key 1704 * packets, so allow group keys to use version 1 if 1705 * CCMP is not used for them. 1706 */ 1707 wpa_printf(MSG_INFO, "WPA: Backwards compatibility: " 1708 "allow invalid version for non-CCMP group keys"); 1709 } else 1710 return; 1711 } 1712 1713 if (wpa_s->rx_replay_counter_set && 1714 memcmp(key->replay_counter, wpa_s->rx_replay_counter, 1715 WPA_REPLAY_COUNTER_LEN) <= 0) { 1716 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not" 1717 " increase - dropping packet"); 1718 return; 1719 } 1720 1721 if (!(key_info & WPA_KEY_INFO_ACK)) { 1722 wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info"); 1723 return; 1724 } 1725 1726 if (key_info & WPA_KEY_INFO_REQUEST) { 1727 wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - " 1728 "dropped"); 1729 return; 1730 } 1731 1732 if ((key_info & WPA_KEY_INFO_MIC) && 1733 wpa_supplicant_verify_eapol_key_mic(wpa_s, key, ver, buf, 1734 data_len)) 1735 return; 1736 1737 extra_len = data_len - sizeof (*hdr) - sizeof (*key); 1738 1739 if (wpa_s->proto == WPA_PROTO_RSN && 1740 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1741 wpa_supplicant_decrypt_key_data(wpa_s, key, ver)) 1742 return; 1743 1744 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1745 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 1746 wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key " 1747 "(Pairwise) with non-zero key index"); 1748 return; 1749 } 1750 if (key_info & WPA_KEY_INFO_MIC) { 1751 /* 3/4 4-Way Handshake */ 1752 wpa_supplicant_process_3_of_4(wpa_s, src_addr, key, 1753 extra_len, ver); 1754 } else { 1755 /* 1/4 4-Way Handshake */ 1756 wpa_supplicant_process_1_of_4(wpa_s, src_addr, key, 1757 ver); 1758 } 1759 } else { 1760 if (key_info & WPA_KEY_INFO_MIC) { 1761 /* 1/2 Group Key Handshake */ 1762 wpa_supplicant_process_1_of_2(wpa_s, src_addr, key, 1763 extra_len, ver); 1764 } else { 1765 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) " 1766 "without Mic bit - dropped"); 1767 } 1768 } 1769 } 1770 1771 void 1772 wpa_supplicant_rx_eapol(void *ctx, unsigned char *src_addr, 1773 unsigned char *buf, size_t len) 1774 { 1775 struct wpa_supplicant *wpa_s = ctx; 1776 1777 wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); 1778 wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); 1779 1780 if (wpa_s->eapol_received == 0) { 1781 /* Timeout for completing IEEE 802.1X and WPA authentication */ 1782 wpa_supplicant_req_auth_timeout( 1783 wpa_s, wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ? 1784 70 : 10, 0); 1785 } 1786 wpa_s->eapol_received++; 1787 1788 /* 1789 * Source address of the incoming EAPOL frame could be compared to the 1790 * current BSSID. However, it is possible that a centralized 1791 * Authenticator could be using another MAC address than the BSSID of 1792 * an AP, so just allow any address to be used for now. The replies are 1793 * still sent to the current BSSID (if available), though. 1794 */ 1795 wpa_sm_rx_eapol(wpa_s, src_addr, buf, len); 1796 } 1797