wpa_auth.c 82 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061
  1. /*
  2. * IEEE 802.11 RSN / WPA Authenticator
  3. * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
  4. *
  5. * This software may be distributed under the terms of the BSD license.
  6. * See README for more details.
  7. */
  8. #include "utils/includes.h"
  9. #include "utils/common.h"
  10. #include "utils/eloop.h"
  11. #include "utils/state_machine.h"
  12. #include "common/ieee802_11_defs.h"
  13. #include "crypto/aes_wrap.h"
  14. #include "crypto/crypto.h"
  15. #include "crypto/sha1.h"
  16. #include "crypto/sha256.h"
  17. #include "crypto/random.h"
  18. #include "eapol_auth/eapol_auth_sm.h"
  19. #include "ap_config.h"
  20. #include "ieee802_11.h"
  21. #include "wpa_auth.h"
  22. #include "pmksa_cache_auth.h"
  23. #include "wpa_auth_i.h"
  24. #include "wpa_auth_ie.h"
  25. #define STATE_MACHINE_DATA struct wpa_state_machine
  26. #define STATE_MACHINE_DEBUG_PREFIX "WPA"
  27. #define STATE_MACHINE_ADDR sm->addr
  28. static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
  29. static int wpa_sm_step(struct wpa_state_machine *sm);
  30. static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
  31. static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
  32. static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
  33. struct wpa_group *group);
  34. static void wpa_request_new_ptk(struct wpa_state_machine *sm);
  35. static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
  36. struct wpa_group *group);
  37. static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
  38. struct wpa_group *group);
  39. static const u32 dot11RSNAConfigGroupUpdateCount = 4;
  40. static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
  41. static const u32 eapol_key_timeout_first = 100; /* ms */
  42. static const u32 eapol_key_timeout_subseq = 1000; /* ms */
  43. static const u32 eapol_key_timeout_first_group = 500; /* ms */
  44. /* TODO: make these configurable */
  45. static const int dot11RSNAConfigPMKLifetime = 43200;
  46. static const int dot11RSNAConfigPMKReauthThreshold = 70;
  47. static const int dot11RSNAConfigSATimeout = 60;
  48. static inline int wpa_auth_mic_failure_report(
  49. struct wpa_authenticator *wpa_auth, const u8 *addr)
  50. {
  51. if (wpa_auth->cb.mic_failure_report)
  52. return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
  53. return 0;
  54. }
  55. static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
  56. const u8 *addr, wpa_eapol_variable var,
  57. int value)
  58. {
  59. if (wpa_auth->cb.set_eapol)
  60. wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
  61. }
  62. static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
  63. const u8 *addr, wpa_eapol_variable var)
  64. {
  65. if (wpa_auth->cb.get_eapol == NULL)
  66. return -1;
  67. return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
  68. }
  69. static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
  70. const u8 *addr,
  71. const u8 *p2p_dev_addr,
  72. const u8 *prev_psk)
  73. {
  74. if (wpa_auth->cb.get_psk == NULL)
  75. return NULL;
  76. return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
  77. prev_psk);
  78. }
  79. static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
  80. const u8 *addr, u8 *msk, size_t *len)
  81. {
  82. if (wpa_auth->cb.get_msk == NULL)
  83. return -1;
  84. return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
  85. }
  86. static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
  87. int vlan_id,
  88. enum wpa_alg alg, const u8 *addr, int idx,
  89. u8 *key, size_t key_len)
  90. {
  91. if (wpa_auth->cb.set_key == NULL)
  92. return -1;
  93. return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
  94. key, key_len);
  95. }
  96. static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
  97. const u8 *addr, int idx, u8 *seq)
  98. {
  99. if (wpa_auth->cb.get_seqnum == NULL)
  100. return -1;
  101. return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
  102. }
  103. static inline int
  104. wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
  105. const u8 *data, size_t data_len, int encrypt)
  106. {
  107. if (wpa_auth->cb.send_eapol == NULL)
  108. return -1;
  109. return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
  110. encrypt);
  111. }
  112. int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
  113. int (*cb)(struct wpa_state_machine *sm, void *ctx),
  114. void *cb_ctx)
  115. {
  116. if (wpa_auth->cb.for_each_sta == NULL)
  117. return 0;
  118. return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
  119. }
  120. int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
  121. int (*cb)(struct wpa_authenticator *a, void *ctx),
  122. void *cb_ctx)
  123. {
  124. if (wpa_auth->cb.for_each_auth == NULL)
  125. return 0;
  126. return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
  127. }
  128. void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
  129. logger_level level, const char *txt)
  130. {
  131. if (wpa_auth->cb.logger == NULL)
  132. return;
  133. wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
  134. }
  135. void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
  136. logger_level level, const char *fmt, ...)
  137. {
  138. char *format;
  139. int maxlen;
  140. va_list ap;
  141. if (wpa_auth->cb.logger == NULL)
  142. return;
  143. maxlen = os_strlen(fmt) + 100;
  144. format = os_malloc(maxlen);
  145. if (!format)
  146. return;
  147. va_start(ap, fmt);
  148. vsnprintf(format, maxlen, fmt, ap);
  149. va_end(ap);
  150. wpa_auth_logger(wpa_auth, addr, level, format);
  151. os_free(format);
  152. }
  153. static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
  154. const u8 *addr)
  155. {
  156. if (wpa_auth->cb.disconnect == NULL)
  157. return;
  158. wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
  159. wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
  160. WLAN_REASON_PREV_AUTH_NOT_VALID);
  161. }
  162. static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
  163. {
  164. int ret = 0;
  165. #ifdef CONFIG_IEEE80211R
  166. if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
  167. ret = 1;
  168. #endif /* CONFIG_IEEE80211R */
  169. #ifdef CONFIG_IEEE80211W
  170. if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
  171. ret = 1;
  172. #endif /* CONFIG_IEEE80211W */
  173. return ret;
  174. }
  175. static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
  176. {
  177. struct wpa_authenticator *wpa_auth = eloop_ctx;
  178. if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
  179. wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
  180. "initialization.");
  181. } else {
  182. wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
  183. wpa_hexdump_key(MSG_DEBUG, "GMK",
  184. wpa_auth->group->GMK, WPA_GMK_LEN);
  185. }
  186. if (wpa_auth->conf.wpa_gmk_rekey) {
  187. eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
  188. wpa_rekey_gmk, wpa_auth, NULL);
  189. }
  190. }
  191. static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
  192. {
  193. struct wpa_authenticator *wpa_auth = eloop_ctx;
  194. struct wpa_group *group;
  195. wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
  196. for (group = wpa_auth->group; group; group = group->next) {
  197. group->GTKReKey = TRUE;
  198. do {
  199. group->changed = FALSE;
  200. wpa_group_sm_step(wpa_auth, group);
  201. } while (group->changed);
  202. }
  203. if (wpa_auth->conf.wpa_group_rekey) {
  204. eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
  205. 0, wpa_rekey_gtk, wpa_auth, NULL);
  206. }
  207. }
  208. static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
  209. {
  210. struct wpa_authenticator *wpa_auth = eloop_ctx;
  211. struct wpa_state_machine *sm = timeout_ctx;
  212. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
  213. wpa_request_new_ptk(sm);
  214. wpa_sm_step(sm);
  215. }
  216. static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
  217. {
  218. if (sm->pmksa == ctx)
  219. sm->pmksa = NULL;
  220. return 0;
  221. }
  222. static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
  223. void *ctx)
  224. {
  225. struct wpa_authenticator *wpa_auth = ctx;
  226. wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
  227. }
  228. static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
  229. struct wpa_group *group)
  230. {
  231. u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
  232. u8 rkey[32];
  233. unsigned long ptr;
  234. if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
  235. return -1;
  236. wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
  237. /*
  238. * Counter = PRF-256(Random number, "Init Counter",
  239. * Local MAC Address || Time)
  240. */
  241. os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
  242. wpa_get_ntp_timestamp(buf + ETH_ALEN);
  243. ptr = (unsigned long) group;
  244. os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
  245. if (random_get_bytes(rkey, sizeof(rkey)) < 0)
  246. return -1;
  247. if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
  248. group->Counter, WPA_NONCE_LEN) < 0)
  249. return -1;
  250. wpa_hexdump_key(MSG_DEBUG, "Key Counter",
  251. group->Counter, WPA_NONCE_LEN);
  252. return 0;
  253. }
  254. static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
  255. int vlan_id, int delay_init)
  256. {
  257. struct wpa_group *group;
  258. group = os_zalloc(sizeof(struct wpa_group));
  259. if (group == NULL)
  260. return NULL;
  261. group->GTKAuthenticator = TRUE;
  262. group->vlan_id = vlan_id;
  263. group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
  264. if (random_pool_ready() != 1) {
  265. wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
  266. "for secure operations - update keys later when "
  267. "the first station connects");
  268. }
  269. /*
  270. * Set initial GMK/Counter value here. The actual values that will be
  271. * used in negotiations will be set once the first station tries to
  272. * connect. This allows more time for collecting additional randomness
  273. * on embedded devices.
  274. */
  275. if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
  276. wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
  277. "initialization.");
  278. os_free(group);
  279. return NULL;
  280. }
  281. group->GInit = TRUE;
  282. if (delay_init) {
  283. wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
  284. "until Beacon frames have been configured");
  285. /* Initialization is completed in wpa_init_keys(). */
  286. } else {
  287. wpa_group_sm_step(wpa_auth, group);
  288. group->GInit = FALSE;
  289. wpa_group_sm_step(wpa_auth, group);
  290. }
  291. return group;
  292. }
  293. /**
  294. * wpa_init - Initialize WPA authenticator
  295. * @addr: Authenticator address
  296. * @conf: Configuration for WPA authenticator
  297. * @cb: Callback functions for WPA authenticator
  298. * Returns: Pointer to WPA authenticator data or %NULL on failure
  299. */
  300. struct wpa_authenticator * wpa_init(const u8 *addr,
  301. struct wpa_auth_config *conf,
  302. struct wpa_auth_callbacks *cb)
  303. {
  304. struct wpa_authenticator *wpa_auth;
  305. wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
  306. if (wpa_auth == NULL)
  307. return NULL;
  308. os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
  309. os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
  310. os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
  311. if (wpa_auth_gen_wpa_ie(wpa_auth)) {
  312. wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
  313. os_free(wpa_auth);
  314. return NULL;
  315. }
  316. wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
  317. if (wpa_auth->group == NULL) {
  318. os_free(wpa_auth->wpa_ie);
  319. os_free(wpa_auth);
  320. return NULL;
  321. }
  322. wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
  323. wpa_auth);
  324. if (wpa_auth->pmksa == NULL) {
  325. wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
  326. os_free(wpa_auth->wpa_ie);
  327. os_free(wpa_auth);
  328. return NULL;
  329. }
  330. #ifdef CONFIG_IEEE80211R
  331. wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
  332. if (wpa_auth->ft_pmk_cache == NULL) {
  333. wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
  334. os_free(wpa_auth->wpa_ie);
  335. pmksa_cache_auth_deinit(wpa_auth->pmksa);
  336. os_free(wpa_auth);
  337. return NULL;
  338. }
  339. #endif /* CONFIG_IEEE80211R */
  340. if (wpa_auth->conf.wpa_gmk_rekey) {
  341. eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
  342. wpa_rekey_gmk, wpa_auth, NULL);
  343. }
  344. if (wpa_auth->conf.wpa_group_rekey) {
  345. eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
  346. wpa_rekey_gtk, wpa_auth, NULL);
  347. }
  348. return wpa_auth;
  349. }
  350. int wpa_init_keys(struct wpa_authenticator *wpa_auth)
  351. {
  352. struct wpa_group *group = wpa_auth->group;
  353. wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
  354. "keys");
  355. wpa_group_sm_step(wpa_auth, group);
  356. group->GInit = FALSE;
  357. wpa_group_sm_step(wpa_auth, group);
  358. return 0;
  359. }
  360. /**
  361. * wpa_deinit - Deinitialize WPA authenticator
  362. * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
  363. */
  364. void wpa_deinit(struct wpa_authenticator *wpa_auth)
  365. {
  366. struct wpa_group *group, *prev;
  367. eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
  368. eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
  369. #ifdef CONFIG_PEERKEY
  370. while (wpa_auth->stsl_negotiations)
  371. wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
  372. #endif /* CONFIG_PEERKEY */
  373. pmksa_cache_auth_deinit(wpa_auth->pmksa);
  374. #ifdef CONFIG_IEEE80211R
  375. wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
  376. wpa_auth->ft_pmk_cache = NULL;
  377. #endif /* CONFIG_IEEE80211R */
  378. os_free(wpa_auth->wpa_ie);
  379. group = wpa_auth->group;
  380. while (group) {
  381. prev = group;
  382. group = group->next;
  383. os_free(prev);
  384. }
  385. os_free(wpa_auth);
  386. }
  387. /**
  388. * wpa_reconfig - Update WPA authenticator configuration
  389. * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
  390. * @conf: Configuration for WPA authenticator
  391. */
  392. int wpa_reconfig(struct wpa_authenticator *wpa_auth,
  393. struct wpa_auth_config *conf)
  394. {
  395. struct wpa_group *group;
  396. if (wpa_auth == NULL)
  397. return 0;
  398. os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
  399. if (wpa_auth_gen_wpa_ie(wpa_auth)) {
  400. wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
  401. return -1;
  402. }
  403. /*
  404. * Reinitialize GTK to make sure it is suitable for the new
  405. * configuration.
  406. */
  407. group = wpa_auth->group;
  408. group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
  409. group->GInit = TRUE;
  410. wpa_group_sm_step(wpa_auth, group);
  411. group->GInit = FALSE;
  412. wpa_group_sm_step(wpa_auth, group);
  413. return 0;
  414. }
  415. struct wpa_state_machine *
  416. wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
  417. const u8 *p2p_dev_addr)
  418. {
  419. struct wpa_state_machine *sm;
  420. sm = os_zalloc(sizeof(struct wpa_state_machine));
  421. if (sm == NULL)
  422. return NULL;
  423. os_memcpy(sm->addr, addr, ETH_ALEN);
  424. if (p2p_dev_addr)
  425. os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
  426. sm->wpa_auth = wpa_auth;
  427. sm->group = wpa_auth->group;
  428. return sm;
  429. }
  430. int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
  431. struct wpa_state_machine *sm)
  432. {
  433. if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
  434. return -1;
  435. #ifdef CONFIG_IEEE80211R
  436. if (sm->ft_completed) {
  437. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
  438. "FT authentication already completed - do not "
  439. "start 4-way handshake");
  440. return 0;
  441. }
  442. #endif /* CONFIG_IEEE80211R */
  443. if (sm->started) {
  444. os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
  445. sm->ReAuthenticationRequest = TRUE;
  446. return wpa_sm_step(sm);
  447. }
  448. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
  449. "start authentication");
  450. sm->started = 1;
  451. sm->Init = TRUE;
  452. if (wpa_sm_step(sm) == 1)
  453. return 1; /* should not really happen */
  454. sm->Init = FALSE;
  455. sm->AuthenticationRequest = TRUE;
  456. return wpa_sm_step(sm);
  457. }
  458. void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
  459. {
  460. /* WPA/RSN was not used - clear WPA state. This is needed if the STA
  461. * reassociates back to the same AP while the previous entry for the
  462. * STA has not yet been removed. */
  463. if (sm == NULL)
  464. return;
  465. sm->wpa_key_mgmt = 0;
  466. }
  467. static void wpa_free_sta_sm(struct wpa_state_machine *sm)
  468. {
  469. if (sm->GUpdateStationKeys) {
  470. sm->group->GKeyDoneStations--;
  471. sm->GUpdateStationKeys = FALSE;
  472. }
  473. #ifdef CONFIG_IEEE80211R
  474. os_free(sm->assoc_resp_ftie);
  475. #endif /* CONFIG_IEEE80211R */
  476. os_free(sm->last_rx_eapol_key);
  477. os_free(sm->wpa_ie);
  478. os_free(sm);
  479. }
  480. void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
  481. {
  482. if (sm == NULL)
  483. return;
  484. if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
  485. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  486. "strict rekeying - force GTK rekey since STA "
  487. "is leaving");
  488. eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
  489. eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
  490. NULL);
  491. }
  492. eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
  493. sm->pending_1_of_4_timeout = 0;
  494. eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
  495. eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
  496. if (sm->in_step_loop) {
  497. /* Must not free state machine while wpa_sm_step() is running.
  498. * Freeing will be completed in the end of wpa_sm_step(). */
  499. wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
  500. "machine deinit for " MACSTR, MAC2STR(sm->addr));
  501. sm->pending_deinit = 1;
  502. } else
  503. wpa_free_sta_sm(sm);
  504. }
  505. static void wpa_request_new_ptk(struct wpa_state_machine *sm)
  506. {
  507. if (sm == NULL)
  508. return;
  509. sm->PTKRequest = TRUE;
  510. sm->PTK_valid = 0;
  511. }
  512. static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
  513. const u8 *replay_counter)
  514. {
  515. int i;
  516. for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
  517. if (!ctr[i].valid)
  518. break;
  519. if (os_memcmp(replay_counter, ctr[i].counter,
  520. WPA_REPLAY_COUNTER_LEN) == 0)
  521. return 1;
  522. }
  523. return 0;
  524. }
  525. static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
  526. const u8 *replay_counter)
  527. {
  528. int i;
  529. for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
  530. if (ctr[i].valid &&
  531. (replay_counter == NULL ||
  532. os_memcmp(replay_counter, ctr[i].counter,
  533. WPA_REPLAY_COUNTER_LEN) == 0))
  534. ctr[i].valid = FALSE;
  535. }
  536. }
  537. #ifdef CONFIG_IEEE80211R
  538. static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
  539. struct wpa_state_machine *sm,
  540. struct wpa_eapol_ie_parse *kde)
  541. {
  542. struct wpa_ie_data ie;
  543. struct rsn_mdie *mdie;
  544. if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
  545. ie.num_pmkid != 1 || ie.pmkid == NULL) {
  546. wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
  547. "FT 4-way handshake message 2/4");
  548. return -1;
  549. }
  550. os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
  551. wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
  552. sm->sup_pmk_r1_name, PMKID_LEN);
  553. if (!kde->mdie || !kde->ftie) {
  554. wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
  555. "message 2/4", kde->mdie ? "FTIE" : "MDIE");
  556. return -1;
  557. }
  558. mdie = (struct rsn_mdie *) (kde->mdie + 2);
  559. if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
  560. os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
  561. MOBILITY_DOMAIN_ID_LEN) != 0) {
  562. wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
  563. return -1;
  564. }
  565. if (sm->assoc_resp_ftie &&
  566. (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
  567. os_memcmp(kde->ftie, sm->assoc_resp_ftie,
  568. 2 + sm->assoc_resp_ftie[1]) != 0)) {
  569. wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
  570. wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
  571. kde->ftie, kde->ftie_len);
  572. wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
  573. sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
  574. return -1;
  575. }
  576. return 0;
  577. }
  578. #endif /* CONFIG_IEEE80211R */
  579. static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
  580. struct wpa_state_machine *sm, int group)
  581. {
  582. /* Supplicant reported a Michael MIC error */
  583. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
  584. "received EAPOL-Key Error Request "
  585. "(STA detected Michael MIC failure (group=%d))",
  586. group);
  587. if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
  588. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  589. "ignore Michael MIC failure report since "
  590. "group cipher is not TKIP");
  591. } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
  592. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  593. "ignore Michael MIC failure report since "
  594. "pairwise cipher is not TKIP");
  595. } else {
  596. if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
  597. return 1; /* STA entry was removed */
  598. sm->dot11RSNAStatsTKIPRemoteMICFailures++;
  599. wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
  600. }
  601. /*
  602. * Error report is not a request for a new key handshake, but since
  603. * Authenticator may do it, let's change the keys now anyway.
  604. */
  605. wpa_request_new_ptk(sm);
  606. return 0;
  607. }
  608. void wpa_receive(struct wpa_authenticator *wpa_auth,
  609. struct wpa_state_machine *sm,
  610. u8 *data, size_t data_len)
  611. {
  612. struct ieee802_1x_hdr *hdr;
  613. struct wpa_eapol_key *key;
  614. u16 key_info, key_data_length;
  615. enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
  616. SMK_M1, SMK_M3, SMK_ERROR } msg;
  617. char *msgtxt;
  618. struct wpa_eapol_ie_parse kde;
  619. int ft;
  620. const u8 *eapol_key_ie;
  621. size_t eapol_key_ie_len;
  622. if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
  623. return;
  624. if (data_len < sizeof(*hdr) + sizeof(*key))
  625. return;
  626. hdr = (struct ieee802_1x_hdr *) data;
  627. key = (struct wpa_eapol_key *) (hdr + 1);
  628. key_info = WPA_GET_BE16(key->key_info);
  629. key_data_length = WPA_GET_BE16(key->key_data_length);
  630. wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
  631. " key_info=0x%x type=%u key_data_length=%u",
  632. MAC2STR(sm->addr), key_info, key->type, key_data_length);
  633. if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
  634. wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
  635. "key_data overflow (%d > %lu)",
  636. key_data_length,
  637. (unsigned long) (data_len - sizeof(*hdr) -
  638. sizeof(*key)));
  639. return;
  640. }
  641. if (sm->wpa == WPA_VERSION_WPA2) {
  642. if (key->type == EAPOL_KEY_TYPE_WPA) {
  643. /*
  644. * Some deployed station implementations seem to send
  645. * msg 4/4 with incorrect type value in WPA2 mode.
  646. */
  647. wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
  648. "with unexpected WPA type in RSN mode");
  649. } else if (key->type != EAPOL_KEY_TYPE_RSN) {
  650. wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
  651. "unexpected type %d in RSN mode",
  652. key->type);
  653. return;
  654. }
  655. } else {
  656. if (key->type != EAPOL_KEY_TYPE_WPA) {
  657. wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
  658. "unexpected type %d in WPA mode",
  659. key->type);
  660. return;
  661. }
  662. }
  663. wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
  664. WPA_NONCE_LEN);
  665. wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
  666. key->replay_counter, WPA_REPLAY_COUNTER_LEN);
  667. /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
  668. * are set */
  669. if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
  670. (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
  671. if (key_info & WPA_KEY_INFO_ERROR) {
  672. msg = SMK_ERROR;
  673. msgtxt = "SMK Error";
  674. } else {
  675. msg = SMK_M1;
  676. msgtxt = "SMK M1";
  677. }
  678. } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
  679. msg = SMK_M3;
  680. msgtxt = "SMK M3";
  681. } else if (key_info & WPA_KEY_INFO_REQUEST) {
  682. msg = REQUEST;
  683. msgtxt = "Request";
  684. } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
  685. msg = GROUP_2;
  686. msgtxt = "2/2 Group";
  687. } else if (key_data_length == 0) {
  688. msg = PAIRWISE_4;
  689. msgtxt = "4/4 Pairwise";
  690. } else {
  691. msg = PAIRWISE_2;
  692. msgtxt = "2/4 Pairwise";
  693. }
  694. /* TODO: key_info type validation for PeerKey */
  695. if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
  696. msg == GROUP_2) {
  697. u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
  698. if (sm->pairwise == WPA_CIPHER_CCMP ||
  699. sm->pairwise == WPA_CIPHER_GCMP) {
  700. if (wpa_use_aes_cmac(sm) &&
  701. ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
  702. wpa_auth_logger(wpa_auth, sm->addr,
  703. LOGGER_WARNING,
  704. "advertised support for "
  705. "AES-128-CMAC, but did not "
  706. "use it");
  707. return;
  708. }
  709. if (!wpa_use_aes_cmac(sm) &&
  710. ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
  711. wpa_auth_logger(wpa_auth, sm->addr,
  712. LOGGER_WARNING,
  713. "did not use HMAC-SHA1-AES "
  714. "with CCMP/GCMP");
  715. return;
  716. }
  717. }
  718. }
  719. if (key_info & WPA_KEY_INFO_REQUEST) {
  720. if (sm->req_replay_counter_used &&
  721. os_memcmp(key->replay_counter, sm->req_replay_counter,
  722. WPA_REPLAY_COUNTER_LEN) <= 0) {
  723. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
  724. "received EAPOL-Key request with "
  725. "replayed counter");
  726. return;
  727. }
  728. }
  729. if (!(key_info & WPA_KEY_INFO_REQUEST) &&
  730. !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
  731. int i;
  732. if (msg == PAIRWISE_2 &&
  733. wpa_replay_counter_valid(sm->prev_key_replay,
  734. key->replay_counter) &&
  735. sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
  736. os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
  737. {
  738. /*
  739. * Some supplicant implementations (e.g., Windows XP
  740. * WZC) update SNonce for each EAPOL-Key 2/4. This
  741. * breaks the workaround on accepting any of the
  742. * pending requests, so allow the SNonce to be updated
  743. * even if we have already sent out EAPOL-Key 3/4.
  744. */
  745. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
  746. "Process SNonce update from STA "
  747. "based on retransmitted EAPOL-Key "
  748. "1/4");
  749. sm->update_snonce = 1;
  750. wpa_replay_counter_mark_invalid(sm->prev_key_replay,
  751. key->replay_counter);
  752. goto continue_processing;
  753. }
  754. if (msg == PAIRWISE_2 &&
  755. wpa_replay_counter_valid(sm->prev_key_replay,
  756. key->replay_counter) &&
  757. sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
  758. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
  759. "ignore retransmitted EAPOL-Key %s - "
  760. "SNonce did not change", msgtxt);
  761. } else {
  762. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
  763. "received EAPOL-Key %s with "
  764. "unexpected replay counter", msgtxt);
  765. }
  766. for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
  767. if (!sm->key_replay[i].valid)
  768. break;
  769. wpa_hexdump(MSG_DEBUG, "pending replay counter",
  770. sm->key_replay[i].counter,
  771. WPA_REPLAY_COUNTER_LEN);
  772. }
  773. wpa_hexdump(MSG_DEBUG, "received replay counter",
  774. key->replay_counter, WPA_REPLAY_COUNTER_LEN);
  775. return;
  776. }
  777. continue_processing:
  778. switch (msg) {
  779. case PAIRWISE_2:
  780. if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
  781. sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
  782. (!sm->update_snonce ||
  783. sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
  784. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
  785. "received EAPOL-Key msg 2/4 in "
  786. "invalid state (%d) - dropped",
  787. sm->wpa_ptk_state);
  788. return;
  789. }
  790. random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
  791. if (sm->group->reject_4way_hs_for_entropy) {
  792. /*
  793. * The system did not have enough entropy to generate
  794. * strong random numbers. Reject the first 4-way
  795. * handshake(s) and collect some entropy based on the
  796. * information from it. Once enough entropy is
  797. * available, the next atempt will trigger GMK/Key
  798. * Counter update and the station will be allowed to
  799. * continue.
  800. */
  801. wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
  802. "collect more entropy for random number "
  803. "generation");
  804. random_mark_pool_ready();
  805. wpa_sta_disconnect(wpa_auth, sm->addr);
  806. return;
  807. }
  808. if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
  809. &kde) < 0) {
  810. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
  811. "received EAPOL-Key msg 2/4 with "
  812. "invalid Key Data contents");
  813. return;
  814. }
  815. if (kde.rsn_ie) {
  816. eapol_key_ie = kde.rsn_ie;
  817. eapol_key_ie_len = kde.rsn_ie_len;
  818. } else {
  819. eapol_key_ie = kde.wpa_ie;
  820. eapol_key_ie_len = kde.wpa_ie_len;
  821. }
  822. ft = sm->wpa == WPA_VERSION_WPA2 &&
  823. wpa_key_mgmt_ft(sm->wpa_key_mgmt);
  824. if (sm->wpa_ie == NULL ||
  825. wpa_compare_rsn_ie(ft,
  826. sm->wpa_ie, sm->wpa_ie_len,
  827. eapol_key_ie, eapol_key_ie_len)) {
  828. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  829. "WPA IE from (Re)AssocReq did not "
  830. "match with msg 2/4");
  831. if (sm->wpa_ie) {
  832. wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
  833. sm->wpa_ie, sm->wpa_ie_len);
  834. }
  835. wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
  836. eapol_key_ie, eapol_key_ie_len);
  837. /* MLME-DEAUTHENTICATE.request */
  838. wpa_sta_disconnect(wpa_auth, sm->addr);
  839. return;
  840. }
  841. #ifdef CONFIG_IEEE80211R
  842. if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
  843. wpa_sta_disconnect(wpa_auth, sm->addr);
  844. return;
  845. }
  846. #endif /* CONFIG_IEEE80211R */
  847. break;
  848. case PAIRWISE_4:
  849. if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
  850. !sm->PTK_valid) {
  851. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
  852. "received EAPOL-Key msg 4/4 in "
  853. "invalid state (%d) - dropped",
  854. sm->wpa_ptk_state);
  855. return;
  856. }
  857. break;
  858. case GROUP_2:
  859. if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
  860. || !sm->PTK_valid) {
  861. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
  862. "received EAPOL-Key msg 2/2 in "
  863. "invalid state (%d) - dropped",
  864. sm->wpa_ptk_group_state);
  865. return;
  866. }
  867. break;
  868. #ifdef CONFIG_PEERKEY
  869. case SMK_M1:
  870. case SMK_M3:
  871. case SMK_ERROR:
  872. if (!wpa_auth->conf.peerkey) {
  873. wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
  874. "PeerKey use disabled - ignoring message");
  875. return;
  876. }
  877. if (!sm->PTK_valid) {
  878. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  879. "received EAPOL-Key msg SMK in "
  880. "invalid state - dropped");
  881. return;
  882. }
  883. break;
  884. #else /* CONFIG_PEERKEY */
  885. case SMK_M1:
  886. case SMK_M3:
  887. case SMK_ERROR:
  888. return; /* STSL disabled - ignore SMK messages */
  889. #endif /* CONFIG_PEERKEY */
  890. case REQUEST:
  891. break;
  892. }
  893. wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
  894. "received EAPOL-Key frame (%s)", msgtxt);
  895. if (key_info & WPA_KEY_INFO_ACK) {
  896. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  897. "received invalid EAPOL-Key: Key Ack set");
  898. return;
  899. }
  900. if (!(key_info & WPA_KEY_INFO_MIC)) {
  901. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  902. "received invalid EAPOL-Key: Key MIC not set");
  903. return;
  904. }
  905. sm->MICVerified = FALSE;
  906. if (sm->PTK_valid && !sm->update_snonce) {
  907. if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
  908. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  909. "received EAPOL-Key with invalid MIC");
  910. return;
  911. }
  912. sm->MICVerified = TRUE;
  913. eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
  914. sm->pending_1_of_4_timeout = 0;
  915. }
  916. if (key_info & WPA_KEY_INFO_REQUEST) {
  917. if (sm->MICVerified) {
  918. sm->req_replay_counter_used = 1;
  919. os_memcpy(sm->req_replay_counter, key->replay_counter,
  920. WPA_REPLAY_COUNTER_LEN);
  921. } else {
  922. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  923. "received EAPOL-Key request with "
  924. "invalid MIC");
  925. return;
  926. }
  927. /*
  928. * TODO: should decrypt key data field if encryption was used;
  929. * even though MAC address KDE is not normally encrypted,
  930. * supplicant is allowed to encrypt it.
  931. */
  932. if (msg == SMK_ERROR) {
  933. #ifdef CONFIG_PEERKEY
  934. wpa_smk_error(wpa_auth, sm, key);
  935. #endif /* CONFIG_PEERKEY */
  936. return;
  937. } else if (key_info & WPA_KEY_INFO_ERROR) {
  938. if (wpa_receive_error_report(
  939. wpa_auth, sm,
  940. !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
  941. return; /* STA entry was removed */
  942. } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
  943. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  944. "received EAPOL-Key Request for new "
  945. "4-Way Handshake");
  946. wpa_request_new_ptk(sm);
  947. #ifdef CONFIG_PEERKEY
  948. } else if (msg == SMK_M1) {
  949. wpa_smk_m1(wpa_auth, sm, key);
  950. #endif /* CONFIG_PEERKEY */
  951. } else if (key_data_length > 0 &&
  952. wpa_parse_kde_ies((const u8 *) (key + 1),
  953. key_data_length, &kde) == 0 &&
  954. kde.mac_addr) {
  955. } else {
  956. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  957. "received EAPOL-Key Request for GTK "
  958. "rekeying");
  959. eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
  960. wpa_rekey_gtk(wpa_auth, NULL);
  961. }
  962. } else {
  963. /* Do not allow the same key replay counter to be reused. */
  964. wpa_replay_counter_mark_invalid(sm->key_replay,
  965. key->replay_counter);
  966. if (msg == PAIRWISE_2) {
  967. /*
  968. * Maintain a copy of the pending EAPOL-Key frames in
  969. * case the EAPOL-Key frame was retransmitted. This is
  970. * needed to allow EAPOL-Key msg 2/4 reply to another
  971. * pending msg 1/4 to update the SNonce to work around
  972. * unexpected supplicant behavior.
  973. */
  974. os_memcpy(sm->prev_key_replay, sm->key_replay,
  975. sizeof(sm->key_replay));
  976. } else {
  977. os_memset(sm->prev_key_replay, 0,
  978. sizeof(sm->prev_key_replay));
  979. }
  980. /*
  981. * Make sure old valid counters are not accepted anymore and
  982. * do not get copied again.
  983. */
  984. wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
  985. }
  986. #ifdef CONFIG_PEERKEY
  987. if (msg == SMK_M3) {
  988. wpa_smk_m3(wpa_auth, sm, key);
  989. return;
  990. }
  991. #endif /* CONFIG_PEERKEY */
  992. os_free(sm->last_rx_eapol_key);
  993. sm->last_rx_eapol_key = os_malloc(data_len);
  994. if (sm->last_rx_eapol_key == NULL)
  995. return;
  996. os_memcpy(sm->last_rx_eapol_key, data, data_len);
  997. sm->last_rx_eapol_key_len = data_len;
  998. sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
  999. sm->EAPOLKeyReceived = TRUE;
  1000. sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
  1001. sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
  1002. os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
  1003. wpa_sm_step(sm);
  1004. }
  1005. static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
  1006. const u8 *gnonce, u8 *gtk, size_t gtk_len)
  1007. {
  1008. u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
  1009. u8 *pos;
  1010. int ret = 0;
  1011. /* GTK = PRF-X(GMK, "Group key expansion",
  1012. * AA || GNonce || Time || random data)
  1013. * The example described in the IEEE 802.11 standard uses only AA and
  1014. * GNonce as inputs here. Add some more entropy since this derivation
  1015. * is done only at the Authenticator and as such, does not need to be
  1016. * exactly same.
  1017. */
  1018. os_memcpy(data, addr, ETH_ALEN);
  1019. os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
  1020. pos = data + ETH_ALEN + WPA_NONCE_LEN;
  1021. wpa_get_ntp_timestamp(pos);
  1022. pos += 8;
  1023. if (random_get_bytes(pos, 16) < 0)
  1024. ret = -1;
  1025. #ifdef CONFIG_IEEE80211W
  1026. sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
  1027. #else /* CONFIG_IEEE80211W */
  1028. if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
  1029. < 0)
  1030. ret = -1;
  1031. #endif /* CONFIG_IEEE80211W */
  1032. return ret;
  1033. }
  1034. static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
  1035. {
  1036. struct wpa_authenticator *wpa_auth = eloop_ctx;
  1037. struct wpa_state_machine *sm = timeout_ctx;
  1038. sm->pending_1_of_4_timeout = 0;
  1039. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
  1040. sm->TimeoutEvt = TRUE;
  1041. wpa_sm_step(sm);
  1042. }
  1043. void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
  1044. struct wpa_state_machine *sm, int key_info,
  1045. const u8 *key_rsc, const u8 *nonce,
  1046. const u8 *kde, size_t kde_len,
  1047. int keyidx, int encr, int force_version)
  1048. {
  1049. struct ieee802_1x_hdr *hdr;
  1050. struct wpa_eapol_key *key;
  1051. size_t len;
  1052. int alg;
  1053. int key_data_len, pad_len = 0;
  1054. u8 *buf, *pos;
  1055. int version, pairwise;
  1056. int i;
  1057. len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
  1058. if (force_version)
  1059. version = force_version;
  1060. else if (wpa_use_aes_cmac(sm))
  1061. version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
  1062. else if (sm->pairwise != WPA_CIPHER_TKIP)
  1063. version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
  1064. else
  1065. version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
  1066. pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
  1067. wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
  1068. "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
  1069. "encr=%d)",
  1070. version,
  1071. (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
  1072. (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
  1073. (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
  1074. (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
  1075. pairwise, (unsigned long) kde_len, keyidx, encr);
  1076. key_data_len = kde_len;
  1077. if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
  1078. version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
  1079. pad_len = key_data_len % 8;
  1080. if (pad_len)
  1081. pad_len = 8 - pad_len;
  1082. key_data_len += pad_len + 8;
  1083. }
  1084. len += key_data_len;
  1085. hdr = os_zalloc(len);
  1086. if (hdr == NULL)
  1087. return;
  1088. hdr->version = wpa_auth->conf.eapol_version;
  1089. hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
  1090. hdr->length = host_to_be16(len - sizeof(*hdr));
  1091. key = (struct wpa_eapol_key *) (hdr + 1);
  1092. key->type = sm->wpa == WPA_VERSION_WPA2 ?
  1093. EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
  1094. key_info |= version;
  1095. if (encr && sm->wpa == WPA_VERSION_WPA2)
  1096. key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
  1097. if (sm->wpa != WPA_VERSION_WPA2)
  1098. key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
  1099. WPA_PUT_BE16(key->key_info, key_info);
  1100. alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
  1101. WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
  1102. if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
  1103. WPA_PUT_BE16(key->key_length, 0);
  1104. /* FIX: STSL: what to use as key_replay_counter? */
  1105. for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
  1106. sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
  1107. os_memcpy(sm->key_replay[i].counter,
  1108. sm->key_replay[i - 1].counter,
  1109. WPA_REPLAY_COUNTER_LEN);
  1110. }
  1111. inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
  1112. os_memcpy(key->replay_counter, sm->key_replay[0].counter,
  1113. WPA_REPLAY_COUNTER_LEN);
  1114. sm->key_replay[0].valid = TRUE;
  1115. if (nonce)
  1116. os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
  1117. if (key_rsc)
  1118. os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
  1119. if (kde && !encr) {
  1120. os_memcpy(key + 1, kde, kde_len);
  1121. WPA_PUT_BE16(key->key_data_length, kde_len);
  1122. } else if (encr && kde) {
  1123. buf = os_zalloc(key_data_len);
  1124. if (buf == NULL) {
  1125. os_free(hdr);
  1126. return;
  1127. }
  1128. pos = buf;
  1129. os_memcpy(pos, kde, kde_len);
  1130. pos += kde_len;
  1131. if (pad_len)
  1132. *pos++ = 0xdd;
  1133. wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
  1134. buf, key_data_len);
  1135. if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
  1136. version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
  1137. if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
  1138. (u8 *) (key + 1))) {
  1139. os_free(hdr);
  1140. os_free(buf);
  1141. return;
  1142. }
  1143. WPA_PUT_BE16(key->key_data_length, key_data_len);
  1144. } else {
  1145. u8 ek[32];
  1146. os_memcpy(key->key_iv,
  1147. sm->group->Counter + WPA_NONCE_LEN - 16, 16);
  1148. inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
  1149. os_memcpy(ek, key->key_iv, 16);
  1150. os_memcpy(ek + 16, sm->PTK.kek, 16);
  1151. os_memcpy(key + 1, buf, key_data_len);
  1152. rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
  1153. WPA_PUT_BE16(key->key_data_length, key_data_len);
  1154. }
  1155. os_free(buf);
  1156. }
  1157. if (key_info & WPA_KEY_INFO_MIC) {
  1158. if (!sm->PTK_valid) {
  1159. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
  1160. "PTK not valid when sending EAPOL-Key "
  1161. "frame");
  1162. os_free(hdr);
  1163. return;
  1164. }
  1165. wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
  1166. key->key_mic);
  1167. #ifdef CONFIG_TESTING_OPTIONS
  1168. if (!pairwise &&
  1169. wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d &&
  1170. drand48() <
  1171. wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
  1172. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
  1173. "Corrupting group EAPOL-Key Key MIC");
  1174. key->key_mic[0]++;
  1175. }
  1176. #endif /* CONFIG_TESTING_OPTIONS */
  1177. }
  1178. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
  1179. 1);
  1180. wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
  1181. sm->pairwise_set);
  1182. os_free(hdr);
  1183. }
  1184. static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
  1185. struct wpa_state_machine *sm, int key_info,
  1186. const u8 *key_rsc, const u8 *nonce,
  1187. const u8 *kde, size_t kde_len,
  1188. int keyidx, int encr)
  1189. {
  1190. int timeout_ms;
  1191. int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
  1192. int ctr;
  1193. if (sm == NULL)
  1194. return;
  1195. __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
  1196. keyidx, encr, 0);
  1197. ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
  1198. if (ctr == 1 && wpa_auth->conf.tx_status)
  1199. timeout_ms = pairwise ? eapol_key_timeout_first :
  1200. eapol_key_timeout_first_group;
  1201. else
  1202. timeout_ms = eapol_key_timeout_subseq;
  1203. if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
  1204. sm->pending_1_of_4_timeout = 1;
  1205. wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
  1206. "counter %d)", timeout_ms, ctr);
  1207. eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
  1208. wpa_send_eapol_timeout, wpa_auth, sm);
  1209. }
  1210. static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
  1211. {
  1212. struct ieee802_1x_hdr *hdr;
  1213. struct wpa_eapol_key *key;
  1214. u16 key_info;
  1215. int ret = 0;
  1216. u8 mic[16];
  1217. if (data_len < sizeof(*hdr) + sizeof(*key))
  1218. return -1;
  1219. hdr = (struct ieee802_1x_hdr *) data;
  1220. key = (struct wpa_eapol_key *) (hdr + 1);
  1221. key_info = WPA_GET_BE16(key->key_info);
  1222. os_memcpy(mic, key->key_mic, 16);
  1223. os_memset(key->key_mic, 0, 16);
  1224. if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
  1225. data, data_len, key->key_mic) ||
  1226. os_memcmp(mic, key->key_mic, 16) != 0)
  1227. ret = -1;
  1228. os_memcpy(key->key_mic, mic, 16);
  1229. return ret;
  1230. }
  1231. void wpa_remove_ptk(struct wpa_state_machine *sm)
  1232. {
  1233. sm->PTK_valid = FALSE;
  1234. os_memset(&sm->PTK, 0, sizeof(sm->PTK));
  1235. wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
  1236. sm->pairwise_set = FALSE;
  1237. eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
  1238. }
  1239. int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
  1240. {
  1241. int remove_ptk = 1;
  1242. if (sm == NULL)
  1243. return -1;
  1244. wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1245. "event %d notification", event);
  1246. switch (event) {
  1247. case WPA_AUTH:
  1248. case WPA_ASSOC:
  1249. break;
  1250. case WPA_DEAUTH:
  1251. case WPA_DISASSOC:
  1252. sm->DeauthenticationRequest = TRUE;
  1253. break;
  1254. case WPA_REAUTH:
  1255. case WPA_REAUTH_EAPOL:
  1256. if (!sm->started) {
  1257. /*
  1258. * When using WPS, we may end up here if the STA
  1259. * manages to re-associate without the previous STA
  1260. * entry getting removed. Consequently, we need to make
  1261. * sure that the WPA state machines gets initialized
  1262. * properly at this point.
  1263. */
  1264. wpa_printf(MSG_DEBUG, "WPA state machine had not been "
  1265. "started - initialize now");
  1266. sm->started = 1;
  1267. sm->Init = TRUE;
  1268. if (wpa_sm_step(sm) == 1)
  1269. return 1; /* should not really happen */
  1270. sm->Init = FALSE;
  1271. sm->AuthenticationRequest = TRUE;
  1272. break;
  1273. }
  1274. if (sm->GUpdateStationKeys) {
  1275. /*
  1276. * Reauthentication cancels the pending group key
  1277. * update for this STA.
  1278. */
  1279. sm->group->GKeyDoneStations--;
  1280. sm->GUpdateStationKeys = FALSE;
  1281. sm->PtkGroupInit = TRUE;
  1282. }
  1283. sm->ReAuthenticationRequest = TRUE;
  1284. break;
  1285. case WPA_ASSOC_FT:
  1286. #ifdef CONFIG_IEEE80211R
  1287. wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
  1288. "after association");
  1289. wpa_ft_install_ptk(sm);
  1290. /* Using FT protocol, not WPA auth state machine */
  1291. sm->ft_completed = 1;
  1292. return 0;
  1293. #else /* CONFIG_IEEE80211R */
  1294. break;
  1295. #endif /* CONFIG_IEEE80211R */
  1296. }
  1297. #ifdef CONFIG_IEEE80211R
  1298. sm->ft_completed = 0;
  1299. #endif /* CONFIG_IEEE80211R */
  1300. #ifdef CONFIG_IEEE80211W
  1301. if (sm->mgmt_frame_prot && event == WPA_AUTH)
  1302. remove_ptk = 0;
  1303. #endif /* CONFIG_IEEE80211W */
  1304. if (remove_ptk) {
  1305. sm->PTK_valid = FALSE;
  1306. os_memset(&sm->PTK, 0, sizeof(sm->PTK));
  1307. if (event != WPA_REAUTH_EAPOL)
  1308. wpa_remove_ptk(sm);
  1309. }
  1310. return wpa_sm_step(sm);
  1311. }
  1312. SM_STATE(WPA_PTK, INITIALIZE)
  1313. {
  1314. SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
  1315. if (sm->Init) {
  1316. /* Init flag is not cleared here, so avoid busy
  1317. * loop by claiming nothing changed. */
  1318. sm->changed = FALSE;
  1319. }
  1320. sm->keycount = 0;
  1321. if (sm->GUpdateStationKeys)
  1322. sm->group->GKeyDoneStations--;
  1323. sm->GUpdateStationKeys = FALSE;
  1324. if (sm->wpa == WPA_VERSION_WPA)
  1325. sm->PInitAKeys = FALSE;
  1326. if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
  1327. * Local AA > Remote AA)) */) {
  1328. sm->Pair = TRUE;
  1329. }
  1330. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
  1331. wpa_remove_ptk(sm);
  1332. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
  1333. sm->TimeoutCtr = 0;
  1334. if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
  1335. wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
  1336. WPA_EAPOL_authorized, 0);
  1337. }
  1338. }
  1339. SM_STATE(WPA_PTK, DISCONNECT)
  1340. {
  1341. SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
  1342. sm->Disconnect = FALSE;
  1343. wpa_sta_disconnect(sm->wpa_auth, sm->addr);
  1344. }
  1345. SM_STATE(WPA_PTK, DISCONNECTED)
  1346. {
  1347. SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
  1348. sm->DeauthenticationRequest = FALSE;
  1349. }
  1350. SM_STATE(WPA_PTK, AUTHENTICATION)
  1351. {
  1352. SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
  1353. os_memset(&sm->PTK, 0, sizeof(sm->PTK));
  1354. sm->PTK_valid = FALSE;
  1355. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
  1356. 1);
  1357. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
  1358. sm->AuthenticationRequest = FALSE;
  1359. }
  1360. static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
  1361. struct wpa_group *group)
  1362. {
  1363. if (group->first_sta_seen)
  1364. return;
  1365. /*
  1366. * System has run bit further than at the time hostapd was started
  1367. * potentially very early during boot up. This provides better chances
  1368. * of collecting more randomness on embedded systems. Re-initialize the
  1369. * GMK and Counter here to improve their strength if there was not
  1370. * enough entropy available immediately after system startup.
  1371. */
  1372. wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
  1373. "station");
  1374. if (random_pool_ready() != 1) {
  1375. wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
  1376. "to proceed - reject first 4-way handshake");
  1377. group->reject_4way_hs_for_entropy = TRUE;
  1378. } else {
  1379. group->first_sta_seen = TRUE;
  1380. group->reject_4way_hs_for_entropy = FALSE;
  1381. }
  1382. wpa_group_init_gmk_and_counter(wpa_auth, group);
  1383. wpa_gtk_update(wpa_auth, group);
  1384. wpa_group_config_group_keys(wpa_auth, group);
  1385. }
  1386. SM_STATE(WPA_PTK, AUTHENTICATION2)
  1387. {
  1388. SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
  1389. wpa_group_ensure_init(sm->wpa_auth, sm->group);
  1390. sm->ReAuthenticationRequest = FALSE;
  1391. /*
  1392. * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
  1393. * ambiguous. The Authenticator state machine uses a counter that is
  1394. * incremented by one for each 4-way handshake. However, the security
  1395. * analysis of 4-way handshake points out that unpredictable nonces
  1396. * help in preventing precomputation attacks. Instead of the state
  1397. * machine definition, use an unpredictable nonce value here to provide
  1398. * stronger protection against potential precomputation attacks.
  1399. */
  1400. if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
  1401. wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
  1402. "ANonce.");
  1403. sm->Disconnect = TRUE;
  1404. return;
  1405. }
  1406. wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
  1407. WPA_NONCE_LEN);
  1408. /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
  1409. * logical place than INITIALIZE since AUTHENTICATION2 can be
  1410. * re-entered on ReAuthenticationRequest without going through
  1411. * INITIALIZE. */
  1412. sm->TimeoutCtr = 0;
  1413. }
  1414. SM_STATE(WPA_PTK, INITPMK)
  1415. {
  1416. u8 msk[2 * PMK_LEN];
  1417. size_t len = 2 * PMK_LEN;
  1418. SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
  1419. #ifdef CONFIG_IEEE80211R
  1420. sm->xxkey_len = 0;
  1421. #endif /* CONFIG_IEEE80211R */
  1422. if (sm->pmksa) {
  1423. wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
  1424. os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
  1425. } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
  1426. wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
  1427. "(len=%lu)", (unsigned long) len);
  1428. os_memcpy(sm->PMK, msk, PMK_LEN);
  1429. #ifdef CONFIG_IEEE80211R
  1430. if (len >= 2 * PMK_LEN) {
  1431. os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
  1432. sm->xxkey_len = PMK_LEN;
  1433. }
  1434. #endif /* CONFIG_IEEE80211R */
  1435. } else {
  1436. wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
  1437. }
  1438. sm->req_replay_counter_used = 0;
  1439. /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
  1440. * will break reauthentication since EAPOL state machines may not be
  1441. * get into AUTHENTICATING state that clears keyRun before WPA state
  1442. * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
  1443. * state and takes PMK from the previously used AAA Key. This will
  1444. * eventually fail in 4-Way Handshake because Supplicant uses PMK
  1445. * derived from the new AAA Key. Setting keyRun = FALSE here seems to
  1446. * be good workaround for this issue. */
  1447. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
  1448. }
  1449. SM_STATE(WPA_PTK, INITPSK)
  1450. {
  1451. const u8 *psk;
  1452. SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
  1453. psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
  1454. if (psk) {
  1455. os_memcpy(sm->PMK, psk, PMK_LEN);
  1456. #ifdef CONFIG_IEEE80211R
  1457. os_memcpy(sm->xxkey, psk, PMK_LEN);
  1458. sm->xxkey_len = PMK_LEN;
  1459. #endif /* CONFIG_IEEE80211R */
  1460. }
  1461. sm->req_replay_counter_used = 0;
  1462. }
  1463. SM_STATE(WPA_PTK, PTKSTART)
  1464. {
  1465. u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
  1466. size_t pmkid_len = 0;
  1467. SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
  1468. sm->PTKRequest = FALSE;
  1469. sm->TimeoutEvt = FALSE;
  1470. sm->TimeoutCtr++;
  1471. if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
  1472. /* No point in sending the EAPOL-Key - we will disconnect
  1473. * immediately following this. */
  1474. return;
  1475. }
  1476. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1477. "sending 1/4 msg of 4-Way Handshake");
  1478. /*
  1479. * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
  1480. * one possible PSK for this STA.
  1481. */
  1482. if (sm->wpa == WPA_VERSION_WPA2 &&
  1483. wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) {
  1484. pmkid = buf;
  1485. pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
  1486. pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
  1487. pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
  1488. RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
  1489. if (sm->pmksa)
  1490. os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
  1491. sm->pmksa->pmkid, PMKID_LEN);
  1492. else {
  1493. /*
  1494. * Calculate PMKID since no PMKSA cache entry was
  1495. * available with pre-calculated PMKID.
  1496. */
  1497. rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
  1498. sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
  1499. wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
  1500. }
  1501. }
  1502. wpa_send_eapol(sm->wpa_auth, sm,
  1503. WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
  1504. sm->ANonce, pmkid, pmkid_len, 0, 0);
  1505. }
  1506. static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
  1507. struct wpa_ptk *ptk)
  1508. {
  1509. size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64;
  1510. #ifdef CONFIG_IEEE80211R
  1511. if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
  1512. return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
  1513. #endif /* CONFIG_IEEE80211R */
  1514. wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
  1515. sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
  1516. (u8 *) ptk, ptk_len,
  1517. wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
  1518. return 0;
  1519. }
  1520. SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
  1521. {
  1522. struct wpa_ptk PTK;
  1523. int ok = 0;
  1524. const u8 *pmk = NULL;
  1525. SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
  1526. sm->EAPOLKeyReceived = FALSE;
  1527. sm->update_snonce = FALSE;
  1528. /* WPA with IEEE 802.1X: use the derived PMK from EAP
  1529. * WPA-PSK: iterate through possible PSKs and select the one matching
  1530. * the packet */
  1531. for (;;) {
  1532. if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
  1533. pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
  1534. sm->p2p_dev_addr, pmk);
  1535. if (pmk == NULL)
  1536. break;
  1537. } else
  1538. pmk = sm->PMK;
  1539. wpa_derive_ptk(sm, pmk, &PTK);
  1540. if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
  1541. sm->last_rx_eapol_key_len) == 0) {
  1542. ok = 1;
  1543. break;
  1544. }
  1545. if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
  1546. break;
  1547. }
  1548. if (!ok) {
  1549. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1550. "invalid MIC in msg 2/4 of 4-Way Handshake");
  1551. return;
  1552. }
  1553. #ifdef CONFIG_IEEE80211R
  1554. if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
  1555. /*
  1556. * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
  1557. * with the value we derived.
  1558. */
  1559. if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name,
  1560. WPA_PMK_NAME_LEN) != 0) {
  1561. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1562. "PMKR1Name mismatch in FT 4-way "
  1563. "handshake");
  1564. wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
  1565. "Supplicant",
  1566. sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
  1567. wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
  1568. sm->pmk_r1_name, WPA_PMK_NAME_LEN);
  1569. return;
  1570. }
  1571. }
  1572. #endif /* CONFIG_IEEE80211R */
  1573. sm->pending_1_of_4_timeout = 0;
  1574. eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
  1575. if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
  1576. /* PSK may have changed from the previous choice, so update
  1577. * state machine data based on whatever PSK was selected here.
  1578. */
  1579. os_memcpy(sm->PMK, pmk, PMK_LEN);
  1580. }
  1581. sm->MICVerified = TRUE;
  1582. os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
  1583. sm->PTK_valid = TRUE;
  1584. }
  1585. SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
  1586. {
  1587. SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
  1588. sm->TimeoutCtr = 0;
  1589. }
  1590. #ifdef CONFIG_IEEE80211W
  1591. static int ieee80211w_kde_len(struct wpa_state_machine *sm)
  1592. {
  1593. if (sm->mgmt_frame_prot) {
  1594. return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde);
  1595. }
  1596. return 0;
  1597. }
  1598. static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
  1599. {
  1600. struct wpa_igtk_kde igtk;
  1601. struct wpa_group *gsm = sm->group;
  1602. u8 rsc[WPA_KEY_RSC_LEN];
  1603. if (!sm->mgmt_frame_prot)
  1604. return pos;
  1605. igtk.keyid[0] = gsm->GN_igtk;
  1606. igtk.keyid[1] = 0;
  1607. if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
  1608. wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
  1609. os_memset(igtk.pn, 0, sizeof(igtk.pn));
  1610. else
  1611. os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
  1612. os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
  1613. if (sm->wpa_auth->conf.disable_gtk) {
  1614. /*
  1615. * Provide unique random IGTK to each STA to prevent use of
  1616. * IGTK in the BSS.
  1617. */
  1618. if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0)
  1619. return pos;
  1620. }
  1621. pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
  1622. (const u8 *) &igtk, sizeof(igtk), NULL, 0);
  1623. return pos;
  1624. }
  1625. #else /* CONFIG_IEEE80211W */
  1626. static int ieee80211w_kde_len(struct wpa_state_machine *sm)
  1627. {
  1628. return 0;
  1629. }
  1630. static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
  1631. {
  1632. return pos;
  1633. }
  1634. #endif /* CONFIG_IEEE80211W */
  1635. SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
  1636. {
  1637. u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
  1638. size_t gtk_len, kde_len;
  1639. struct wpa_group *gsm = sm->group;
  1640. u8 *wpa_ie;
  1641. int wpa_ie_len, secure, keyidx, encr = 0;
  1642. SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
  1643. sm->TimeoutEvt = FALSE;
  1644. sm->TimeoutCtr++;
  1645. if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
  1646. /* No point in sending the EAPOL-Key - we will disconnect
  1647. * immediately following this. */
  1648. return;
  1649. }
  1650. /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
  1651. GTK[GN], IGTK, [FTIE], [TIE * 2])
  1652. */
  1653. os_memset(rsc, 0, WPA_KEY_RSC_LEN);
  1654. wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
  1655. /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
  1656. wpa_ie = sm->wpa_auth->wpa_ie;
  1657. wpa_ie_len = sm->wpa_auth->wpa_ie_len;
  1658. if (sm->wpa == WPA_VERSION_WPA &&
  1659. (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
  1660. wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
  1661. /* WPA-only STA, remove RSN IE */
  1662. wpa_ie = wpa_ie + wpa_ie[1] + 2;
  1663. wpa_ie_len = wpa_ie[1] + 2;
  1664. }
  1665. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1666. "sending 3/4 msg of 4-Way Handshake");
  1667. if (sm->wpa == WPA_VERSION_WPA2) {
  1668. /* WPA2 send GTK in the 4-way handshake */
  1669. secure = 1;
  1670. gtk = gsm->GTK[gsm->GN - 1];
  1671. gtk_len = gsm->GTK_len;
  1672. if (sm->wpa_auth->conf.disable_gtk) {
  1673. /*
  1674. * Provide unique random GTK to each STA to prevent use
  1675. * of GTK in the BSS.
  1676. */
  1677. if (random_get_bytes(dummy_gtk, gtk_len) < 0)
  1678. return;
  1679. gtk = dummy_gtk;
  1680. }
  1681. keyidx = gsm->GN;
  1682. _rsc = rsc;
  1683. encr = 1;
  1684. } else {
  1685. /* WPA does not include GTK in msg 3/4 */
  1686. secure = 0;
  1687. gtk = NULL;
  1688. gtk_len = 0;
  1689. keyidx = 0;
  1690. _rsc = NULL;
  1691. if (sm->rx_eapol_key_secure) {
  1692. /*
  1693. * It looks like Windows 7 supplicant tries to use
  1694. * Secure bit in msg 2/4 after having reported Michael
  1695. * MIC failure and it then rejects the 4-way handshake
  1696. * if msg 3/4 does not set Secure bit. Work around this
  1697. * by setting the Secure bit here even in the case of
  1698. * WPA if the supplicant used it first.
  1699. */
  1700. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1701. "STA used Secure bit in WPA msg 2/4 - "
  1702. "set Secure for 3/4 as workaround");
  1703. secure = 1;
  1704. }
  1705. }
  1706. kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
  1707. if (gtk)
  1708. kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
  1709. #ifdef CONFIG_IEEE80211R
  1710. if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
  1711. kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
  1712. kde_len += 300; /* FTIE + 2 * TIE */
  1713. }
  1714. #endif /* CONFIG_IEEE80211R */
  1715. kde = os_malloc(kde_len);
  1716. if (kde == NULL)
  1717. return;
  1718. pos = kde;
  1719. os_memcpy(pos, wpa_ie, wpa_ie_len);
  1720. pos += wpa_ie_len;
  1721. #ifdef CONFIG_IEEE80211R
  1722. if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
  1723. int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
  1724. if (res < 0) {
  1725. wpa_printf(MSG_ERROR, "FT: Failed to insert "
  1726. "PMKR1Name into RSN IE in EAPOL-Key data");
  1727. os_free(kde);
  1728. return;
  1729. }
  1730. pos += res;
  1731. }
  1732. #endif /* CONFIG_IEEE80211R */
  1733. if (gtk) {
  1734. u8 hdr[2];
  1735. hdr[0] = keyidx & 0x03;
  1736. hdr[1] = 0;
  1737. pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
  1738. gtk, gtk_len);
  1739. }
  1740. pos = ieee80211w_kde_add(sm, pos);
  1741. #ifdef CONFIG_IEEE80211R
  1742. if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
  1743. int res;
  1744. struct wpa_auth_config *conf;
  1745. conf = &sm->wpa_auth->conf;
  1746. res = wpa_write_ftie(conf, conf->r0_key_holder,
  1747. conf->r0_key_holder_len,
  1748. NULL, NULL, pos, kde + kde_len - pos,
  1749. NULL, 0);
  1750. if (res < 0) {
  1751. wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
  1752. "into EAPOL-Key Key Data");
  1753. os_free(kde);
  1754. return;
  1755. }
  1756. pos += res;
  1757. /* TIE[ReassociationDeadline] (TU) */
  1758. *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
  1759. *pos++ = 5;
  1760. *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
  1761. WPA_PUT_LE32(pos, conf->reassociation_deadline);
  1762. pos += 4;
  1763. /* TIE[KeyLifetime] (seconds) */
  1764. *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
  1765. *pos++ = 5;
  1766. *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
  1767. WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
  1768. pos += 4;
  1769. }
  1770. #endif /* CONFIG_IEEE80211R */
  1771. wpa_send_eapol(sm->wpa_auth, sm,
  1772. (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
  1773. WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
  1774. WPA_KEY_INFO_KEY_TYPE,
  1775. _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
  1776. os_free(kde);
  1777. }
  1778. SM_STATE(WPA_PTK, PTKINITDONE)
  1779. {
  1780. SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
  1781. sm->EAPOLKeyReceived = FALSE;
  1782. if (sm->Pair) {
  1783. enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
  1784. int klen = wpa_cipher_key_len(sm->pairwise);
  1785. if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
  1786. sm->PTK.tk1, klen)) {
  1787. wpa_sta_disconnect(sm->wpa_auth, sm->addr);
  1788. return;
  1789. }
  1790. /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
  1791. sm->pairwise_set = TRUE;
  1792. if (sm->wpa_auth->conf.wpa_ptk_rekey) {
  1793. eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
  1794. eloop_register_timeout(sm->wpa_auth->conf.
  1795. wpa_ptk_rekey, 0, wpa_rekey_ptk,
  1796. sm->wpa_auth, sm);
  1797. }
  1798. if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
  1799. wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
  1800. WPA_EAPOL_authorized, 1);
  1801. }
  1802. }
  1803. if (0 /* IBSS == TRUE */) {
  1804. sm->keycount++;
  1805. if (sm->keycount == 2) {
  1806. wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
  1807. WPA_EAPOL_portValid, 1);
  1808. }
  1809. } else {
  1810. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
  1811. 1);
  1812. }
  1813. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
  1814. wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
  1815. if (sm->wpa == WPA_VERSION_WPA)
  1816. sm->PInitAKeys = TRUE;
  1817. else
  1818. sm->has_GTK = TRUE;
  1819. wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
  1820. "pairwise key handshake completed (%s)",
  1821. sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
  1822. #ifdef CONFIG_IEEE80211R
  1823. wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
  1824. #endif /* CONFIG_IEEE80211R */
  1825. }
  1826. SM_STEP(WPA_PTK)
  1827. {
  1828. struct wpa_authenticator *wpa_auth = sm->wpa_auth;
  1829. if (sm->Init)
  1830. SM_ENTER(WPA_PTK, INITIALIZE);
  1831. else if (sm->Disconnect
  1832. /* || FIX: dot11RSNAConfigSALifetime timeout */) {
  1833. wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
  1834. "WPA_PTK: sm->Disconnect");
  1835. SM_ENTER(WPA_PTK, DISCONNECT);
  1836. }
  1837. else if (sm->DeauthenticationRequest)
  1838. SM_ENTER(WPA_PTK, DISCONNECTED);
  1839. else if (sm->AuthenticationRequest)
  1840. SM_ENTER(WPA_PTK, AUTHENTICATION);
  1841. else if (sm->ReAuthenticationRequest)
  1842. SM_ENTER(WPA_PTK, AUTHENTICATION2);
  1843. else if (sm->PTKRequest)
  1844. SM_ENTER(WPA_PTK, PTKSTART);
  1845. else switch (sm->wpa_ptk_state) {
  1846. case WPA_PTK_INITIALIZE:
  1847. break;
  1848. case WPA_PTK_DISCONNECT:
  1849. SM_ENTER(WPA_PTK, DISCONNECTED);
  1850. break;
  1851. case WPA_PTK_DISCONNECTED:
  1852. SM_ENTER(WPA_PTK, INITIALIZE);
  1853. break;
  1854. case WPA_PTK_AUTHENTICATION:
  1855. SM_ENTER(WPA_PTK, AUTHENTICATION2);
  1856. break;
  1857. case WPA_PTK_AUTHENTICATION2:
  1858. if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
  1859. wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
  1860. WPA_EAPOL_keyRun) > 0)
  1861. SM_ENTER(WPA_PTK, INITPMK);
  1862. else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
  1863. /* FIX: && 802.1X::keyRun */)
  1864. SM_ENTER(WPA_PTK, INITPSK);
  1865. break;
  1866. case WPA_PTK_INITPMK:
  1867. if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
  1868. WPA_EAPOL_keyAvailable) > 0)
  1869. SM_ENTER(WPA_PTK, PTKSTART);
  1870. else {
  1871. wpa_auth->dot11RSNA4WayHandshakeFailures++;
  1872. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
  1873. "INITPMK - keyAvailable = false");
  1874. SM_ENTER(WPA_PTK, DISCONNECT);
  1875. }
  1876. break;
  1877. case WPA_PTK_INITPSK:
  1878. if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
  1879. NULL))
  1880. SM_ENTER(WPA_PTK, PTKSTART);
  1881. else {
  1882. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
  1883. "no PSK configured for the STA");
  1884. wpa_auth->dot11RSNA4WayHandshakeFailures++;
  1885. SM_ENTER(WPA_PTK, DISCONNECT);
  1886. }
  1887. break;
  1888. case WPA_PTK_PTKSTART:
  1889. if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
  1890. sm->EAPOLKeyPairwise)
  1891. SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
  1892. else if (sm->TimeoutCtr >
  1893. (int) dot11RSNAConfigPairwiseUpdateCount) {
  1894. wpa_auth->dot11RSNA4WayHandshakeFailures++;
  1895. wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1896. "PTKSTART: Retry limit %d reached",
  1897. dot11RSNAConfigPairwiseUpdateCount);
  1898. SM_ENTER(WPA_PTK, DISCONNECT);
  1899. } else if (sm->TimeoutEvt)
  1900. SM_ENTER(WPA_PTK, PTKSTART);
  1901. break;
  1902. case WPA_PTK_PTKCALCNEGOTIATING:
  1903. if (sm->MICVerified)
  1904. SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
  1905. else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
  1906. sm->EAPOLKeyPairwise)
  1907. SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
  1908. else if (sm->TimeoutEvt)
  1909. SM_ENTER(WPA_PTK, PTKSTART);
  1910. break;
  1911. case WPA_PTK_PTKCALCNEGOTIATING2:
  1912. SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
  1913. break;
  1914. case WPA_PTK_PTKINITNEGOTIATING:
  1915. if (sm->update_snonce)
  1916. SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
  1917. else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
  1918. sm->EAPOLKeyPairwise && sm->MICVerified)
  1919. SM_ENTER(WPA_PTK, PTKINITDONE);
  1920. else if (sm->TimeoutCtr >
  1921. (int) dot11RSNAConfigPairwiseUpdateCount) {
  1922. wpa_auth->dot11RSNA4WayHandshakeFailures++;
  1923. wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1924. "PTKINITNEGOTIATING: Retry limit %d "
  1925. "reached",
  1926. dot11RSNAConfigPairwiseUpdateCount);
  1927. SM_ENTER(WPA_PTK, DISCONNECT);
  1928. } else if (sm->TimeoutEvt)
  1929. SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
  1930. break;
  1931. case WPA_PTK_PTKINITDONE:
  1932. break;
  1933. }
  1934. }
  1935. SM_STATE(WPA_PTK_GROUP, IDLE)
  1936. {
  1937. SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
  1938. if (sm->Init) {
  1939. /* Init flag is not cleared here, so avoid busy
  1940. * loop by claiming nothing changed. */
  1941. sm->changed = FALSE;
  1942. }
  1943. sm->GTimeoutCtr = 0;
  1944. }
  1945. SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
  1946. {
  1947. u8 rsc[WPA_KEY_RSC_LEN];
  1948. struct wpa_group *gsm = sm->group;
  1949. u8 *kde, *pos, hdr[2];
  1950. size_t kde_len;
  1951. u8 *gtk, dummy_gtk[32];
  1952. SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
  1953. sm->GTimeoutCtr++;
  1954. if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
  1955. /* No point in sending the EAPOL-Key - we will disconnect
  1956. * immediately following this. */
  1957. return;
  1958. }
  1959. if (sm->wpa == WPA_VERSION_WPA)
  1960. sm->PInitAKeys = FALSE;
  1961. sm->TimeoutEvt = FALSE;
  1962. /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
  1963. os_memset(rsc, 0, WPA_KEY_RSC_LEN);
  1964. if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
  1965. wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
  1966. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  1967. "sending 1/2 msg of Group Key Handshake");
  1968. gtk = gsm->GTK[gsm->GN - 1];
  1969. if (sm->wpa_auth->conf.disable_gtk) {
  1970. /*
  1971. * Provide unique random GTK to each STA to prevent use
  1972. * of GTK in the BSS.
  1973. */
  1974. if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
  1975. return;
  1976. gtk = dummy_gtk;
  1977. }
  1978. if (sm->wpa == WPA_VERSION_WPA2) {
  1979. kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
  1980. ieee80211w_kde_len(sm);
  1981. kde = os_malloc(kde_len);
  1982. if (kde == NULL)
  1983. return;
  1984. pos = kde;
  1985. hdr[0] = gsm->GN & 0x03;
  1986. hdr[1] = 0;
  1987. pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
  1988. gtk, gsm->GTK_len);
  1989. pos = ieee80211w_kde_add(sm, pos);
  1990. } else {
  1991. kde = gtk;
  1992. pos = kde + gsm->GTK_len;
  1993. }
  1994. wpa_send_eapol(sm->wpa_auth, sm,
  1995. WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
  1996. WPA_KEY_INFO_ACK |
  1997. (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
  1998. rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
  1999. if (sm->wpa == WPA_VERSION_WPA2)
  2000. os_free(kde);
  2001. }
  2002. SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
  2003. {
  2004. SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
  2005. sm->EAPOLKeyReceived = FALSE;
  2006. if (sm->GUpdateStationKeys)
  2007. sm->group->GKeyDoneStations--;
  2008. sm->GUpdateStationKeys = FALSE;
  2009. sm->GTimeoutCtr = 0;
  2010. /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
  2011. wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
  2012. "group key handshake completed (%s)",
  2013. sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
  2014. sm->has_GTK = TRUE;
  2015. }
  2016. SM_STATE(WPA_PTK_GROUP, KEYERROR)
  2017. {
  2018. SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
  2019. if (sm->GUpdateStationKeys)
  2020. sm->group->GKeyDoneStations--;
  2021. sm->GUpdateStationKeys = FALSE;
  2022. sm->Disconnect = TRUE;
  2023. }
  2024. SM_STEP(WPA_PTK_GROUP)
  2025. {
  2026. if (sm->Init || sm->PtkGroupInit) {
  2027. SM_ENTER(WPA_PTK_GROUP, IDLE);
  2028. sm->PtkGroupInit = FALSE;
  2029. } else switch (sm->wpa_ptk_group_state) {
  2030. case WPA_PTK_GROUP_IDLE:
  2031. if (sm->GUpdateStationKeys ||
  2032. (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
  2033. SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
  2034. break;
  2035. case WPA_PTK_GROUP_REKEYNEGOTIATING:
  2036. if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
  2037. !sm->EAPOLKeyPairwise && sm->MICVerified)
  2038. SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
  2039. else if (sm->GTimeoutCtr >
  2040. (int) dot11RSNAConfigGroupUpdateCount)
  2041. SM_ENTER(WPA_PTK_GROUP, KEYERROR);
  2042. else if (sm->TimeoutEvt)
  2043. SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
  2044. break;
  2045. case WPA_PTK_GROUP_KEYERROR:
  2046. SM_ENTER(WPA_PTK_GROUP, IDLE);
  2047. break;
  2048. case WPA_PTK_GROUP_REKEYESTABLISHED:
  2049. SM_ENTER(WPA_PTK_GROUP, IDLE);
  2050. break;
  2051. }
  2052. }
  2053. static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
  2054. struct wpa_group *group)
  2055. {
  2056. int ret = 0;
  2057. os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
  2058. inc_byte_array(group->Counter, WPA_NONCE_LEN);
  2059. if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
  2060. wpa_auth->addr, group->GNonce,
  2061. group->GTK[group->GN - 1], group->GTK_len) < 0)
  2062. ret = -1;
  2063. wpa_hexdump_key(MSG_DEBUG, "GTK",
  2064. group->GTK[group->GN - 1], group->GTK_len);
  2065. #ifdef CONFIG_IEEE80211W
  2066. if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
  2067. os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
  2068. inc_byte_array(group->Counter, WPA_NONCE_LEN);
  2069. if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
  2070. wpa_auth->addr, group->GNonce,
  2071. group->IGTK[group->GN_igtk - 4],
  2072. WPA_IGTK_LEN) < 0)
  2073. ret = -1;
  2074. wpa_hexdump_key(MSG_DEBUG, "IGTK",
  2075. group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN);
  2076. }
  2077. #endif /* CONFIG_IEEE80211W */
  2078. return ret;
  2079. }
  2080. static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
  2081. struct wpa_group *group)
  2082. {
  2083. wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
  2084. "GTK_INIT (VLAN-ID %d)", group->vlan_id);
  2085. group->changed = FALSE; /* GInit is not cleared here; avoid loop */
  2086. group->wpa_group_state = WPA_GROUP_GTK_INIT;
  2087. /* GTK[0..N] = 0 */
  2088. os_memset(group->GTK, 0, sizeof(group->GTK));
  2089. group->GN = 1;
  2090. group->GM = 2;
  2091. #ifdef CONFIG_IEEE80211W
  2092. group->GN_igtk = 4;
  2093. group->GM_igtk = 5;
  2094. #endif /* CONFIG_IEEE80211W */
  2095. /* GTK[GN] = CalcGTK() */
  2096. wpa_gtk_update(wpa_auth, group);
  2097. }
  2098. static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
  2099. {
  2100. if (ctx != NULL && ctx != sm->group)
  2101. return 0;
  2102. if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
  2103. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  2104. "Not in PTKINITDONE; skip Group Key update");
  2105. sm->GUpdateStationKeys = FALSE;
  2106. return 0;
  2107. }
  2108. if (sm->GUpdateStationKeys) {
  2109. /*
  2110. * This should not really happen, so add a debug log entry.
  2111. * Since we clear the GKeyDoneStations before the loop, the
  2112. * station needs to be counted here anyway.
  2113. */
  2114. wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
  2115. "GUpdateStationKeys was already set when "
  2116. "marking station for GTK rekeying");
  2117. }
  2118. /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
  2119. if (sm->is_wnmsleep)
  2120. return 0;
  2121. sm->group->GKeyDoneStations++;
  2122. sm->GUpdateStationKeys = TRUE;
  2123. wpa_sm_step(sm);
  2124. return 0;
  2125. }
  2126. #ifdef CONFIG_WNM
  2127. /* update GTK when exiting WNM-Sleep Mode */
  2128. void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
  2129. {
  2130. if (sm->is_wnmsleep)
  2131. return;
  2132. wpa_group_update_sta(sm, NULL);
  2133. }
  2134. void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
  2135. {
  2136. sm->is_wnmsleep = !!flag;
  2137. }
  2138. int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
  2139. {
  2140. struct wpa_group *gsm = sm->group;
  2141. u8 *start = pos;
  2142. /*
  2143. * GTK subelement:
  2144. * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
  2145. * Key[5..32]
  2146. */
  2147. *pos++ = WNM_SLEEP_SUBELEM_GTK;
  2148. *pos++ = 11 + gsm->GTK_len;
  2149. /* Key ID in B0-B1 of Key Info */
  2150. WPA_PUT_LE16(pos, gsm->GN & 0x03);
  2151. pos += 2;
  2152. *pos++ = gsm->GTK_len;
  2153. if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
  2154. return 0;
  2155. pos += 8;
  2156. os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
  2157. pos += gsm->GTK_len;
  2158. wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
  2159. gsm->GN);
  2160. wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
  2161. gsm->GTK[gsm->GN - 1], gsm->GTK_len);
  2162. return pos - start;
  2163. }
  2164. #ifdef CONFIG_IEEE80211W
  2165. int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
  2166. {
  2167. struct wpa_group *gsm = sm->group;
  2168. u8 *start = pos;
  2169. /*
  2170. * IGTK subelement:
  2171. * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
  2172. */
  2173. *pos++ = WNM_SLEEP_SUBELEM_IGTK;
  2174. *pos++ = 2 + 6 + WPA_IGTK_LEN;
  2175. WPA_PUT_LE16(pos, gsm->GN_igtk);
  2176. pos += 2;
  2177. if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
  2178. return 0;
  2179. pos += 6;
  2180. os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
  2181. pos += WPA_IGTK_LEN;
  2182. wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
  2183. gsm->GN_igtk);
  2184. wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
  2185. gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
  2186. return pos - start;
  2187. }
  2188. #endif /* CONFIG_IEEE80211W */
  2189. #endif /* CONFIG_WNM */
  2190. static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
  2191. struct wpa_group *group)
  2192. {
  2193. int tmp;
  2194. wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
  2195. "SETKEYS (VLAN-ID %d)", group->vlan_id);
  2196. group->changed = TRUE;
  2197. group->wpa_group_state = WPA_GROUP_SETKEYS;
  2198. group->GTKReKey = FALSE;
  2199. tmp = group->GM;
  2200. group->GM = group->GN;
  2201. group->GN = tmp;
  2202. #ifdef CONFIG_IEEE80211W
  2203. tmp = group->GM_igtk;
  2204. group->GM_igtk = group->GN_igtk;
  2205. group->GN_igtk = tmp;
  2206. #endif /* CONFIG_IEEE80211W */
  2207. /* "GKeyDoneStations = GNoStations" is done in more robust way by
  2208. * counting the STAs that are marked with GUpdateStationKeys instead of
  2209. * including all STAs that could be in not-yet-completed state. */
  2210. wpa_gtk_update(wpa_auth, group);
  2211. if (group->GKeyDoneStations) {
  2212. wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
  2213. "GKeyDoneStations=%d when starting new GTK rekey",
  2214. group->GKeyDoneStations);
  2215. group->GKeyDoneStations = 0;
  2216. }
  2217. wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
  2218. wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
  2219. group->GKeyDoneStations);
  2220. }
  2221. static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
  2222. struct wpa_group *group)
  2223. {
  2224. int ret = 0;
  2225. if (wpa_auth_set_key(wpa_auth, group->vlan_id,
  2226. wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
  2227. broadcast_ether_addr, group->GN,
  2228. group->GTK[group->GN - 1], group->GTK_len) < 0)
  2229. ret = -1;
  2230. #ifdef CONFIG_IEEE80211W
  2231. if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
  2232. wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK,
  2233. broadcast_ether_addr, group->GN_igtk,
  2234. group->IGTK[group->GN_igtk - 4],
  2235. WPA_IGTK_LEN) < 0)
  2236. ret = -1;
  2237. #endif /* CONFIG_IEEE80211W */
  2238. return ret;
  2239. }
  2240. static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
  2241. struct wpa_group *group)
  2242. {
  2243. wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
  2244. "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
  2245. group->changed = TRUE;
  2246. group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
  2247. if (wpa_group_config_group_keys(wpa_auth, group) < 0)
  2248. return -1;
  2249. return 0;
  2250. }
  2251. static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
  2252. struct wpa_group *group)
  2253. {
  2254. if (group->GInit) {
  2255. wpa_group_gtk_init(wpa_auth, group);
  2256. } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
  2257. group->GTKAuthenticator) {
  2258. wpa_group_setkeysdone(wpa_auth, group);
  2259. } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
  2260. group->GTKReKey) {
  2261. wpa_group_setkeys(wpa_auth, group);
  2262. } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
  2263. if (group->GKeyDoneStations == 0)
  2264. wpa_group_setkeysdone(wpa_auth, group);
  2265. else if (group->GTKReKey)
  2266. wpa_group_setkeys(wpa_auth, group);
  2267. }
  2268. }
  2269. static int wpa_sm_step(struct wpa_state_machine *sm)
  2270. {
  2271. if (sm == NULL)
  2272. return 0;
  2273. if (sm->in_step_loop) {
  2274. /* This should not happen, but if it does, make sure we do not
  2275. * end up freeing the state machine too early by exiting the
  2276. * recursive call. */
  2277. wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
  2278. return 0;
  2279. }
  2280. sm->in_step_loop = 1;
  2281. do {
  2282. if (sm->pending_deinit)
  2283. break;
  2284. sm->changed = FALSE;
  2285. sm->wpa_auth->group->changed = FALSE;
  2286. SM_STEP_RUN(WPA_PTK);
  2287. if (sm->pending_deinit)
  2288. break;
  2289. SM_STEP_RUN(WPA_PTK_GROUP);
  2290. if (sm->pending_deinit)
  2291. break;
  2292. wpa_group_sm_step(sm->wpa_auth, sm->group);
  2293. } while (sm->changed || sm->wpa_auth->group->changed);
  2294. sm->in_step_loop = 0;
  2295. if (sm->pending_deinit) {
  2296. wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
  2297. "machine deinit for " MACSTR, MAC2STR(sm->addr));
  2298. wpa_free_sta_sm(sm);
  2299. return 1;
  2300. }
  2301. return 0;
  2302. }
  2303. static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
  2304. {
  2305. struct wpa_state_machine *sm = eloop_ctx;
  2306. wpa_sm_step(sm);
  2307. }
  2308. void wpa_auth_sm_notify(struct wpa_state_machine *sm)
  2309. {
  2310. if (sm == NULL)
  2311. return;
  2312. eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
  2313. }
  2314. void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
  2315. {
  2316. int tmp, i;
  2317. struct wpa_group *group;
  2318. if (wpa_auth == NULL)
  2319. return;
  2320. group = wpa_auth->group;
  2321. for (i = 0; i < 2; i++) {
  2322. tmp = group->GM;
  2323. group->GM = group->GN;
  2324. group->GN = tmp;
  2325. #ifdef CONFIG_IEEE80211W
  2326. tmp = group->GM_igtk;
  2327. group->GM_igtk = group->GN_igtk;
  2328. group->GN_igtk = tmp;
  2329. #endif /* CONFIG_IEEE80211W */
  2330. wpa_gtk_update(wpa_auth, group);
  2331. wpa_group_config_group_keys(wpa_auth, group);
  2332. }
  2333. }
  2334. static const char * wpa_bool_txt(int bool)
  2335. {
  2336. return bool ? "TRUE" : "FALSE";
  2337. }
  2338. #define RSN_SUITE "%02x-%02x-%02x-%d"
  2339. #define RSN_SUITE_ARG(s) \
  2340. ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
  2341. int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
  2342. {
  2343. int len = 0, ret;
  2344. char pmkid_txt[PMKID_LEN * 2 + 1];
  2345. #ifdef CONFIG_RSN_PREAUTH
  2346. const int preauth = 1;
  2347. #else /* CONFIG_RSN_PREAUTH */
  2348. const int preauth = 0;
  2349. #endif /* CONFIG_RSN_PREAUTH */
  2350. if (wpa_auth == NULL)
  2351. return len;
  2352. ret = os_snprintf(buf + len, buflen - len,
  2353. "dot11RSNAOptionImplemented=TRUE\n"
  2354. "dot11RSNAPreauthenticationImplemented=%s\n"
  2355. "dot11RSNAEnabled=%s\n"
  2356. "dot11RSNAPreauthenticationEnabled=%s\n",
  2357. wpa_bool_txt(preauth),
  2358. wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
  2359. wpa_bool_txt(wpa_auth->conf.rsn_preauth));
  2360. if (ret < 0 || (size_t) ret >= buflen - len)
  2361. return len;
  2362. len += ret;
  2363. wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
  2364. wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
  2365. ret = os_snprintf(
  2366. buf + len, buflen - len,
  2367. "dot11RSNAConfigVersion=%u\n"
  2368. "dot11RSNAConfigPairwiseKeysSupported=9999\n"
  2369. /* FIX: dot11RSNAConfigGroupCipher */
  2370. /* FIX: dot11RSNAConfigGroupRekeyMethod */
  2371. /* FIX: dot11RSNAConfigGroupRekeyTime */
  2372. /* FIX: dot11RSNAConfigGroupRekeyPackets */
  2373. "dot11RSNAConfigGroupRekeyStrict=%u\n"
  2374. "dot11RSNAConfigGroupUpdateCount=%u\n"
  2375. "dot11RSNAConfigPairwiseUpdateCount=%u\n"
  2376. "dot11RSNAConfigGroupCipherSize=%u\n"
  2377. "dot11RSNAConfigPMKLifetime=%u\n"
  2378. "dot11RSNAConfigPMKReauthThreshold=%u\n"
  2379. "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
  2380. "dot11RSNAConfigSATimeout=%u\n"
  2381. "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
  2382. "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
  2383. "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
  2384. "dot11RSNAPMKIDUsed=%s\n"
  2385. "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
  2386. "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
  2387. "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
  2388. "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
  2389. "dot11RSNA4WayHandshakeFailures=%u\n"
  2390. "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
  2391. RSN_VERSION,
  2392. !!wpa_auth->conf.wpa_strict_rekey,
  2393. dot11RSNAConfigGroupUpdateCount,
  2394. dot11RSNAConfigPairwiseUpdateCount,
  2395. wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
  2396. dot11RSNAConfigPMKLifetime,
  2397. dot11RSNAConfigPMKReauthThreshold,
  2398. dot11RSNAConfigSATimeout,
  2399. RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
  2400. RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
  2401. RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
  2402. pmkid_txt,
  2403. RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
  2404. RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
  2405. RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
  2406. wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
  2407. wpa_auth->dot11RSNA4WayHandshakeFailures);
  2408. if (ret < 0 || (size_t) ret >= buflen - len)
  2409. return len;
  2410. len += ret;
  2411. /* TODO: dot11RSNAConfigPairwiseCiphersTable */
  2412. /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
  2413. /* Private MIB */
  2414. ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
  2415. wpa_auth->group->wpa_group_state);
  2416. if (ret < 0 || (size_t) ret >= buflen - len)
  2417. return len;
  2418. len += ret;
  2419. return len;
  2420. }
  2421. int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
  2422. {
  2423. int len = 0, ret;
  2424. u32 pairwise = 0;
  2425. if (sm == NULL)
  2426. return 0;
  2427. /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
  2428. /* dot11RSNAStatsEntry */
  2429. pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
  2430. WPA_PROTO_RSN : WPA_PROTO_WPA,
  2431. sm->pairwise);
  2432. if (pairwise == 0)
  2433. return 0;
  2434. ret = os_snprintf(
  2435. buf + len, buflen - len,
  2436. /* TODO: dot11RSNAStatsIndex */
  2437. "dot11RSNAStatsSTAAddress=" MACSTR "\n"
  2438. "dot11RSNAStatsVersion=1\n"
  2439. "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
  2440. /* TODO: dot11RSNAStatsTKIPICVErrors */
  2441. "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
  2442. "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
  2443. /* TODO: dot11RSNAStatsCCMPReplays */
  2444. /* TODO: dot11RSNAStatsCCMPDecryptErrors */
  2445. /* TODO: dot11RSNAStatsTKIPReplays */,
  2446. MAC2STR(sm->addr),
  2447. RSN_SUITE_ARG(pairwise),
  2448. sm->dot11RSNAStatsTKIPLocalMICFailures,
  2449. sm->dot11RSNAStatsTKIPRemoteMICFailures);
  2450. if (ret < 0 || (size_t) ret >= buflen - len)
  2451. return len;
  2452. len += ret;
  2453. /* Private MIB */
  2454. ret = os_snprintf(buf + len, buflen - len,
  2455. "hostapdWPAPTKState=%d\n"
  2456. "hostapdWPAPTKGroupState=%d\n",
  2457. sm->wpa_ptk_state,
  2458. sm->wpa_ptk_group_state);
  2459. if (ret < 0 || (size_t) ret >= buflen - len)
  2460. return len;
  2461. len += ret;
  2462. return len;
  2463. }
  2464. void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
  2465. {
  2466. if (wpa_auth)
  2467. wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
  2468. }
  2469. int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
  2470. {
  2471. return sm && sm->pairwise_set;
  2472. }
  2473. int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
  2474. {
  2475. return sm->pairwise;
  2476. }
  2477. int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
  2478. {
  2479. if (sm == NULL)
  2480. return -1;
  2481. return sm->wpa_key_mgmt;
  2482. }
  2483. int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
  2484. {
  2485. if (sm == NULL)
  2486. return 0;
  2487. return sm->wpa;
  2488. }
  2489. int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
  2490. struct rsn_pmksa_cache_entry *entry)
  2491. {
  2492. if (sm == NULL || sm->pmksa != entry)
  2493. return -1;
  2494. sm->pmksa = NULL;
  2495. return 0;
  2496. }
  2497. struct rsn_pmksa_cache_entry *
  2498. wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
  2499. {
  2500. return sm ? sm->pmksa : NULL;
  2501. }
  2502. void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
  2503. {
  2504. if (sm)
  2505. sm->dot11RSNAStatsTKIPLocalMICFailures++;
  2506. }
  2507. const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
  2508. {
  2509. if (wpa_auth == NULL)
  2510. return NULL;
  2511. *len = wpa_auth->wpa_ie_len;
  2512. return wpa_auth->wpa_ie;
  2513. }
  2514. int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
  2515. int session_timeout, struct eapol_state_machine *eapol)
  2516. {
  2517. if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
  2518. sm->wpa_auth->conf.disable_pmksa_caching)
  2519. return -1;
  2520. if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
  2521. sm->wpa_auth->addr, sm->addr, session_timeout,
  2522. eapol, sm->wpa_key_mgmt))
  2523. return 0;
  2524. return -1;
  2525. }
  2526. int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
  2527. const u8 *pmk, size_t len, const u8 *sta_addr,
  2528. int session_timeout,
  2529. struct eapol_state_machine *eapol)
  2530. {
  2531. if (wpa_auth == NULL)
  2532. return -1;
  2533. if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
  2534. sta_addr, session_timeout, eapol,
  2535. WPA_KEY_MGMT_IEEE8021X))
  2536. return 0;
  2537. return -1;
  2538. }
  2539. void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
  2540. const u8 *sta_addr)
  2541. {
  2542. struct rsn_pmksa_cache_entry *pmksa;
  2543. if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
  2544. return;
  2545. pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
  2546. if (pmksa) {
  2547. wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
  2548. MACSTR " based on request", MAC2STR(sta_addr));
  2549. pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
  2550. }
  2551. }
  2552. static struct wpa_group *
  2553. wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
  2554. {
  2555. struct wpa_group *group;
  2556. if (wpa_auth == NULL || wpa_auth->group == NULL)
  2557. return NULL;
  2558. wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
  2559. vlan_id);
  2560. group = wpa_group_init(wpa_auth, vlan_id, 0);
  2561. if (group == NULL)
  2562. return NULL;
  2563. group->next = wpa_auth->group->next;
  2564. wpa_auth->group->next = group;
  2565. return group;
  2566. }
  2567. int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
  2568. {
  2569. struct wpa_group *group;
  2570. if (sm == NULL || sm->wpa_auth == NULL)
  2571. return 0;
  2572. group = sm->wpa_auth->group;
  2573. while (group) {
  2574. if (group->vlan_id == vlan_id)
  2575. break;
  2576. group = group->next;
  2577. }
  2578. if (group == NULL) {
  2579. group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
  2580. if (group == NULL)
  2581. return -1;
  2582. }
  2583. if (sm->group == group)
  2584. return 0;
  2585. wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
  2586. "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
  2587. sm->group = group;
  2588. return 0;
  2589. }
  2590. void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
  2591. struct wpa_state_machine *sm, int ack)
  2592. {
  2593. if (wpa_auth == NULL || sm == NULL)
  2594. return;
  2595. wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
  2596. " ack=%d", MAC2STR(sm->addr), ack);
  2597. if (sm->pending_1_of_4_timeout && ack) {
  2598. /*
  2599. * Some deployed supplicant implementations update their SNonce
  2600. * for each EAPOL-Key 2/4 message even within the same 4-way
  2601. * handshake and then fail to use the first SNonce when
  2602. * deriving the PTK. This results in unsuccessful 4-way
  2603. * handshake whenever the relatively short initial timeout is
  2604. * reached and EAPOL-Key 1/4 is retransmitted. Try to work
  2605. * around this by increasing the timeout now that we know that
  2606. * the station has received the frame.
  2607. */
  2608. int timeout_ms = eapol_key_timeout_subseq;
  2609. wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
  2610. "timeout by %u ms because of acknowledged frame",
  2611. timeout_ms);
  2612. eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
  2613. eloop_register_timeout(timeout_ms / 1000,
  2614. (timeout_ms % 1000) * 1000,
  2615. wpa_send_eapol_timeout, wpa_auth, sm);
  2616. }
  2617. }
  2618. int wpa_auth_uses_sae(struct wpa_state_machine *sm)
  2619. {
  2620. if (sm == NULL)
  2621. return 0;
  2622. return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
  2623. }