1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "common/ieee802_11_defs.h"
15 #include "crypto/aes_wrap.h"
16 #include "crypto/crypto.h"
17 #include "crypto/sha1.h"
18 #include "crypto/sha256.h"
19 #include "crypto/random.h"
20 #include "eapol_auth/eapol_auth_sm.h"
21 #include "ap_config.h"
22 #include "ieee802_11.h"
23 #include "wpa_auth.h"
24 #include "pmksa_cache_auth.h"
25 #include "wpa_auth_i.h"
26 #include "wpa_auth_ie.h"
27
28 #define STATE_MACHINE_DATA struct wpa_state_machine
29 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
30 #define STATE_MACHINE_ADDR sm->addr
31
32
33 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
34 static int wpa_sm_step(struct wpa_state_machine *sm);
35 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
36 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
37 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
38 struct wpa_group *group);
39 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
40 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
41 struct wpa_group *group);
42 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
43 struct wpa_group *group);
44
45 static const u32 dot11RSNAConfigGroupUpdateCount = 4;
46 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
47 static const u32 eapol_key_timeout_first = 100; /* ms */
48 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
49 static const u32 eapol_key_timeout_first_group = 500; /* ms */
50
51 /* TODO: make these configurable */
52 static const int dot11RSNAConfigPMKLifetime = 43200;
53 static const int dot11RSNAConfigPMKReauthThreshold = 70;
54 static const int dot11RSNAConfigSATimeout = 60;
55
56
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)57 static inline int wpa_auth_mic_failure_report(
58 struct wpa_authenticator *wpa_auth, const u8 *addr)
59 {
60 if (wpa_auth->cb.mic_failure_report)
61 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
62 return 0;
63 }
64
65
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)66 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
67 const u8 *addr, wpa_eapol_variable var,
68 int value)
69 {
70 if (wpa_auth->cb.set_eapol)
71 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
72 }
73
74
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)75 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
76 const u8 *addr, wpa_eapol_variable var)
77 {
78 if (wpa_auth->cb.get_eapol == NULL)
79 return -1;
80 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
81 }
82
83
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk)84 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
85 const u8 *addr,
86 const u8 *p2p_dev_addr,
87 const u8 *prev_psk)
88 {
89 if (wpa_auth->cb.get_psk == NULL)
90 return NULL;
91 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
92 prev_psk);
93 }
94
95
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)96 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
97 const u8 *addr, u8 *msk, size_t *len)
98 {
99 if (wpa_auth->cb.get_msk == NULL)
100 return -1;
101 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
102 }
103
104
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len)105 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
106 int vlan_id,
107 enum wpa_alg alg, const u8 *addr, int idx,
108 u8 *key, size_t key_len)
109 {
110 if (wpa_auth->cb.set_key == NULL)
111 return -1;
112 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
113 key, key_len);
114 }
115
116
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)117 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
118 const u8 *addr, int idx, u8 *seq)
119 {
120 if (wpa_auth->cb.get_seqnum == NULL)
121 return -1;
122 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
123 }
124
125
126 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)127 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
128 const u8 *data, size_t data_len, int encrypt)
129 {
130 if (wpa_auth->cb.send_eapol == NULL)
131 return -1;
132 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
133 encrypt);
134 }
135
136
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)137 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
138 int (*cb)(struct wpa_state_machine *sm, void *ctx),
139 void *cb_ctx)
140 {
141 if (wpa_auth->cb.for_each_sta == NULL)
142 return 0;
143 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
144 }
145
146
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)147 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
148 int (*cb)(struct wpa_authenticator *a, void *ctx),
149 void *cb_ctx)
150 {
151 if (wpa_auth->cb.for_each_auth == NULL)
152 return 0;
153 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
154 }
155
156
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)157 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
158 logger_level level, const char *txt)
159 {
160 if (wpa_auth->cb.logger == NULL)
161 return;
162 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
163 }
164
165
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)166 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
167 logger_level level, const char *fmt, ...)
168 {
169 char *format;
170 int maxlen;
171 va_list ap;
172
173 if (wpa_auth->cb.logger == NULL)
174 return;
175
176 maxlen = os_strlen(fmt) + 100;
177 format = os_malloc(maxlen);
178 if (!format)
179 return;
180
181 va_start(ap, fmt);
182 vsnprintf(format, maxlen, fmt, ap);
183 va_end(ap);
184
185 wpa_auth_logger(wpa_auth, addr, level, format);
186
187 os_free(format);
188 }
189
190
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr)191 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
192 const u8 *addr)
193 {
194 if (wpa_auth->cb.disconnect == NULL)
195 return;
196 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
197 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
198 WLAN_REASON_PREV_AUTH_NOT_VALID);
199 }
200
201
wpa_use_aes_cmac(struct wpa_state_machine * sm)202 static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
203 {
204 int ret = 0;
205 #ifdef CONFIG_IEEE80211R
206 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
207 ret = 1;
208 #endif /* CONFIG_IEEE80211R */
209 #ifdef CONFIG_IEEE80211W
210 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
211 ret = 1;
212 #endif /* CONFIG_IEEE80211W */
213 return ret;
214 }
215
216
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)217 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
218 {
219 struct wpa_authenticator *wpa_auth = eloop_ctx;
220
221 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
222 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
223 "initialization.");
224 } else {
225 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
226 wpa_hexdump_key(MSG_DEBUG, "GMK",
227 wpa_auth->group->GMK, WPA_GMK_LEN);
228 }
229
230 if (wpa_auth->conf.wpa_gmk_rekey) {
231 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
232 wpa_rekey_gmk, wpa_auth, NULL);
233 }
234 }
235
236
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)237 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
238 {
239 struct wpa_authenticator *wpa_auth = eloop_ctx;
240 struct wpa_group *group;
241
242 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
243 for (group = wpa_auth->group; group; group = group->next) {
244 group->GTKReKey = TRUE;
245 do {
246 group->changed = FALSE;
247 wpa_group_sm_step(wpa_auth, group);
248 } while (group->changed);
249 }
250
251 if (wpa_auth->conf.wpa_group_rekey) {
252 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
253 0, wpa_rekey_gtk, wpa_auth, NULL);
254 }
255 }
256
257
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)258 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
259 {
260 struct wpa_authenticator *wpa_auth = eloop_ctx;
261 struct wpa_state_machine *sm = timeout_ctx;
262
263 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
264 wpa_request_new_ptk(sm);
265 wpa_sm_step(sm);
266 }
267
268
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)269 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
270 {
271 if (sm->pmksa == ctx)
272 sm->pmksa = NULL;
273 return 0;
274 }
275
276
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)277 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
278 void *ctx)
279 {
280 struct wpa_authenticator *wpa_auth = ctx;
281 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
282 }
283
284
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)285 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
286 struct wpa_group *group)
287 {
288 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
289 u8 rkey[32];
290 unsigned long ptr;
291
292 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
293 return -1;
294 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
295
296 /*
297 * Counter = PRF-256(Random number, "Init Counter",
298 * Local MAC Address || Time)
299 */
300 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
301 wpa_get_ntp_timestamp(buf + ETH_ALEN);
302 ptr = (unsigned long) group;
303 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
304 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
305 return -1;
306
307 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
308 group->Counter, WPA_NONCE_LEN) < 0)
309 return -1;
310 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
311 group->Counter, WPA_NONCE_LEN);
312
313 return 0;
314 }
315
316
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)317 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
318 int vlan_id, int delay_init)
319 {
320 struct wpa_group *group;
321
322 group = os_zalloc(sizeof(struct wpa_group));
323 if (group == NULL)
324 return NULL;
325
326 group->GTKAuthenticator = TRUE;
327 group->vlan_id = vlan_id;
328 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
329
330 if (random_pool_ready() != 1) {
331 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
332 "for secure operations - update keys later when "
333 "the first station connects");
334 }
335
336 /*
337 * Set initial GMK/Counter value here. The actual values that will be
338 * used in negotiations will be set once the first station tries to
339 * connect. This allows more time for collecting additional randomness
340 * on embedded devices.
341 */
342 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
343 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
344 "initialization.");
345 os_free(group);
346 return NULL;
347 }
348
349 group->GInit = TRUE;
350 if (delay_init) {
351 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
352 "until Beacon frames have been configured");
353 /* Initialization is completed in wpa_init_keys(). */
354 } else {
355 wpa_group_sm_step(wpa_auth, group);
356 group->GInit = FALSE;
357 wpa_group_sm_step(wpa_auth, group);
358 }
359
360 return group;
361 }
362
363
364 /**
365 * wpa_init - Initialize WPA authenticator
366 * @addr: Authenticator address
367 * @conf: Configuration for WPA authenticator
368 * @cb: Callback functions for WPA authenticator
369 * Returns: Pointer to WPA authenticator data or %NULL on failure
370 */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,struct wpa_auth_callbacks * cb)371 struct wpa_authenticator * wpa_init(const u8 *addr,
372 struct wpa_auth_config *conf,
373 struct wpa_auth_callbacks *cb)
374 {
375 struct wpa_authenticator *wpa_auth;
376
377 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
378 if (wpa_auth == NULL)
379 return NULL;
380 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
381 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
382 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
383
384 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
385 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
386 os_free(wpa_auth);
387 return NULL;
388 }
389
390 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
391 if (wpa_auth->group == NULL) {
392 os_free(wpa_auth->wpa_ie);
393 os_free(wpa_auth);
394 return NULL;
395 }
396
397 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
398 wpa_auth);
399 if (wpa_auth->pmksa == NULL) {
400 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
401 os_free(wpa_auth->wpa_ie);
402 os_free(wpa_auth);
403 return NULL;
404 }
405
406 #ifdef CONFIG_IEEE80211R
407 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
408 if (wpa_auth->ft_pmk_cache == NULL) {
409 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
410 os_free(wpa_auth->wpa_ie);
411 pmksa_cache_auth_deinit(wpa_auth->pmksa);
412 os_free(wpa_auth);
413 return NULL;
414 }
415 #endif /* CONFIG_IEEE80211R */
416
417 if (wpa_auth->conf.wpa_gmk_rekey) {
418 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
419 wpa_rekey_gmk, wpa_auth, NULL);
420 }
421
422 if (wpa_auth->conf.wpa_group_rekey) {
423 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
424 wpa_rekey_gtk, wpa_auth, NULL);
425 }
426
427 return wpa_auth;
428 }
429
430
wpa_init_keys(struct wpa_authenticator * wpa_auth)431 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
432 {
433 struct wpa_group *group = wpa_auth->group;
434
435 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
436 "keys");
437 wpa_group_sm_step(wpa_auth, group);
438 group->GInit = FALSE;
439 wpa_group_sm_step(wpa_auth, group);
440 return 0;
441 }
442
443
444 /**
445 * wpa_deinit - Deinitialize WPA authenticator
446 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
447 */
wpa_deinit(struct wpa_authenticator * wpa_auth)448 void wpa_deinit(struct wpa_authenticator *wpa_auth)
449 {
450 struct wpa_group *group, *prev;
451
452 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
453 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
454
455 #ifdef CONFIG_PEERKEY
456 while (wpa_auth->stsl_negotiations)
457 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
458 #endif /* CONFIG_PEERKEY */
459
460 pmksa_cache_auth_deinit(wpa_auth->pmksa);
461
462 #ifdef CONFIG_IEEE80211R
463 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
464 wpa_auth->ft_pmk_cache = NULL;
465 #endif /* CONFIG_IEEE80211R */
466
467 os_free(wpa_auth->wpa_ie);
468
469 group = wpa_auth->group;
470 while (group) {
471 prev = group;
472 group = group->next;
473 os_free(prev);
474 }
475
476 os_free(wpa_auth);
477 }
478
479
480 /**
481 * wpa_reconfig - Update WPA authenticator configuration
482 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
483 * @conf: Configuration for WPA authenticator
484 */
wpa_reconfig(struct wpa_authenticator * wpa_auth,struct wpa_auth_config * conf)485 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
486 struct wpa_auth_config *conf)
487 {
488 struct wpa_group *group;
489 if (wpa_auth == NULL)
490 return 0;
491
492 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
493 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
494 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
495 return -1;
496 }
497
498 /*
499 * Reinitialize GTK to make sure it is suitable for the new
500 * configuration.
501 */
502 group = wpa_auth->group;
503 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
504 group->GInit = TRUE;
505 wpa_group_sm_step(wpa_auth, group);
506 group->GInit = FALSE;
507 wpa_group_sm_step(wpa_auth, group);
508
509 return 0;
510 }
511
512
513 struct wpa_state_machine *
wpa_auth_sta_init(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr)514 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
515 const u8 *p2p_dev_addr)
516 {
517 struct wpa_state_machine *sm;
518
519 sm = os_zalloc(sizeof(struct wpa_state_machine));
520 if (sm == NULL)
521 return NULL;
522 os_memcpy(sm->addr, addr, ETH_ALEN);
523 if (p2p_dev_addr)
524 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
525
526 sm->wpa_auth = wpa_auth;
527 sm->group = wpa_auth->group;
528
529 return sm;
530 }
531
532
wpa_auth_sta_associated(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm)533 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
534 struct wpa_state_machine *sm)
535 {
536 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
537 return -1;
538
539 #ifdef CONFIG_IEEE80211R
540 if (sm->ft_completed) {
541 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
542 "FT authentication already completed - do not "
543 "start 4-way handshake");
544 return 0;
545 }
546 #endif /* CONFIG_IEEE80211R */
547
548 if (sm->started) {
549 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
550 sm->ReAuthenticationRequest = TRUE;
551 return wpa_sm_step(sm);
552 }
553
554 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
555 "start authentication");
556 sm->started = 1;
557
558 sm->Init = TRUE;
559 if (wpa_sm_step(sm) == 1)
560 return 1; /* should not really happen */
561 sm->Init = FALSE;
562 sm->AuthenticationRequest = TRUE;
563 return wpa_sm_step(sm);
564 }
565
566
wpa_auth_sta_no_wpa(struct wpa_state_machine * sm)567 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
568 {
569 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
570 * reassociates back to the same AP while the previous entry for the
571 * STA has not yet been removed. */
572 if (sm == NULL)
573 return;
574
575 sm->wpa_key_mgmt = 0;
576 }
577
578
wpa_free_sta_sm(struct wpa_state_machine * sm)579 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
580 {
581 if (sm->GUpdateStationKeys) {
582 sm->group->GKeyDoneStations--;
583 sm->GUpdateStationKeys = FALSE;
584 }
585 #ifdef CONFIG_IEEE80211R
586 os_free(sm->assoc_resp_ftie);
587 #endif /* CONFIG_IEEE80211R */
588 os_free(sm->last_rx_eapol_key);
589 os_free(sm->wpa_ie);
590 os_free(sm);
591 }
592
593
wpa_auth_sta_deinit(struct wpa_state_machine * sm)594 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
595 {
596 if (sm == NULL)
597 return;
598
599 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
600 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
601 "strict rekeying - force GTK rekey since STA "
602 "is leaving");
603 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
604 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
605 NULL);
606 }
607
608 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
609 sm->pending_1_of_4_timeout = 0;
610 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
611 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
612 if (sm->in_step_loop) {
613 /* Must not free state machine while wpa_sm_step() is running.
614 * Freeing will be completed in the end of wpa_sm_step(). */
615 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
616 "machine deinit for " MACSTR, MAC2STR(sm->addr));
617 sm->pending_deinit = 1;
618 } else
619 wpa_free_sta_sm(sm);
620 }
621
622
wpa_request_new_ptk(struct wpa_state_machine * sm)623 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
624 {
625 if (sm == NULL)
626 return;
627
628 sm->PTKRequest = TRUE;
629 sm->PTK_valid = 0;
630 }
631
632
wpa_replay_counter_valid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)633 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
634 const u8 *replay_counter)
635 {
636 int i;
637 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
638 if (!ctr[i].valid)
639 break;
640 if (os_memcmp(replay_counter, ctr[i].counter,
641 WPA_REPLAY_COUNTER_LEN) == 0)
642 return 1;
643 }
644 return 0;
645 }
646
647
wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)648 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
649 const u8 *replay_counter)
650 {
651 int i;
652 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
653 if (ctr[i].valid &&
654 (replay_counter == NULL ||
655 os_memcmp(replay_counter, ctr[i].counter,
656 WPA_REPLAY_COUNTER_LEN) == 0))
657 ctr[i].valid = FALSE;
658 }
659 }
660
661
662 #ifdef CONFIG_IEEE80211R
ft_check_msg_2_of_4(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,struct wpa_eapol_ie_parse * kde)663 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
664 struct wpa_state_machine *sm,
665 struct wpa_eapol_ie_parse *kde)
666 {
667 struct wpa_ie_data ie;
668 struct rsn_mdie *mdie;
669
670 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
671 ie.num_pmkid != 1 || ie.pmkid == NULL) {
672 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
673 "FT 4-way handshake message 2/4");
674 return -1;
675 }
676
677 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
678 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
679 sm->sup_pmk_r1_name, PMKID_LEN);
680
681 if (!kde->mdie || !kde->ftie) {
682 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
683 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
684 return -1;
685 }
686
687 mdie = (struct rsn_mdie *) (kde->mdie + 2);
688 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
689 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
690 MOBILITY_DOMAIN_ID_LEN) != 0) {
691 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
692 return -1;
693 }
694
695 if (sm->assoc_resp_ftie &&
696 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
697 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
698 2 + sm->assoc_resp_ftie[1]) != 0)) {
699 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
700 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
701 kde->ftie, kde->ftie_len);
702 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
703 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
704 return -1;
705 }
706
707 return 0;
708 }
709 #endif /* CONFIG_IEEE80211R */
710
711
wpa_receive_error_report(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int group)712 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
713 struct wpa_state_machine *sm, int group)
714 {
715 /* Supplicant reported a Michael MIC error */
716 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
717 "received EAPOL-Key Error Request "
718 "(STA detected Michael MIC failure (group=%d))",
719 group);
720
721 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
722 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
723 "ignore Michael MIC failure report since "
724 "group cipher is not TKIP");
725 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
726 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
727 "ignore Michael MIC failure report since "
728 "pairwise cipher is not TKIP");
729 } else {
730 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
731 return 1; /* STA entry was removed */
732 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
733 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
734 }
735
736 /*
737 * Error report is not a request for a new key handshake, but since
738 * Authenticator may do it, let's change the keys now anyway.
739 */
740 wpa_request_new_ptk(sm);
741 return 0;
742 }
743
744
wpa_receive(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,u8 * data,size_t data_len)745 void wpa_receive(struct wpa_authenticator *wpa_auth,
746 struct wpa_state_machine *sm,
747 u8 *data, size_t data_len)
748 {
749 struct ieee802_1x_hdr *hdr;
750 struct wpa_eapol_key *key;
751 u16 key_info, key_data_length;
752 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
753 SMK_M1, SMK_M3, SMK_ERROR } msg;
754 char *msgtxt;
755 struct wpa_eapol_ie_parse kde;
756 int ft;
757 const u8 *eapol_key_ie;
758 size_t eapol_key_ie_len;
759
760 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
761 return;
762
763 if (data_len < sizeof(*hdr) + sizeof(*key))
764 return;
765
766 hdr = (struct ieee802_1x_hdr *) data;
767 key = (struct wpa_eapol_key *) (hdr + 1);
768 key_info = WPA_GET_BE16(key->key_info);
769 key_data_length = WPA_GET_BE16(key->key_data_length);
770 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
771 " key_info=0x%x type=%u key_data_length=%u",
772 MAC2STR(sm->addr), key_info, key->type, key_data_length);
773 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
774 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
775 "key_data overflow (%d > %lu)",
776 key_data_length,
777 (unsigned long) (data_len - sizeof(*hdr) -
778 sizeof(*key)));
779 return;
780 }
781
782 if (sm->wpa == WPA_VERSION_WPA2) {
783 if (key->type == EAPOL_KEY_TYPE_WPA) {
784 /*
785 * Some deployed station implementations seem to send
786 * msg 4/4 with incorrect type value in WPA2 mode.
787 */
788 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
789 "with unexpected WPA type in RSN mode");
790 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
791 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
792 "unexpected type %d in RSN mode",
793 key->type);
794 return;
795 }
796 } else {
797 if (key->type != EAPOL_KEY_TYPE_WPA) {
798 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
799 "unexpected type %d in WPA mode",
800 key->type);
801 return;
802 }
803 }
804
805 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
806 WPA_NONCE_LEN);
807 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
808 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
809
810 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
811 * are set */
812
813 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
814 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
815 if (key_info & WPA_KEY_INFO_ERROR) {
816 msg = SMK_ERROR;
817 msgtxt = "SMK Error";
818 } else {
819 msg = SMK_M1;
820 msgtxt = "SMK M1";
821 }
822 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
823 msg = SMK_M3;
824 msgtxt = "SMK M3";
825 } else if (key_info & WPA_KEY_INFO_REQUEST) {
826 msg = REQUEST;
827 msgtxt = "Request";
828 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
829 msg = GROUP_2;
830 msgtxt = "2/2 Group";
831 } else if (key_data_length == 0) {
832 msg = PAIRWISE_4;
833 msgtxt = "4/4 Pairwise";
834 } else {
835 msg = PAIRWISE_2;
836 msgtxt = "2/4 Pairwise";
837 }
838
839 /* TODO: key_info type validation for PeerKey */
840 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
841 msg == GROUP_2) {
842 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
843 if (sm->pairwise == WPA_CIPHER_CCMP ||
844 sm->pairwise == WPA_CIPHER_GCMP) {
845 if (wpa_use_aes_cmac(sm) &&
846 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
847 wpa_auth_logger(wpa_auth, sm->addr,
848 LOGGER_WARNING,
849 "advertised support for "
850 "AES-128-CMAC, but did not "
851 "use it");
852 return;
853 }
854
855 if (!wpa_use_aes_cmac(sm) &&
856 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
857 wpa_auth_logger(wpa_auth, sm->addr,
858 LOGGER_WARNING,
859 "did not use HMAC-SHA1-AES "
860 "with CCMP/GCMP");
861 return;
862 }
863 }
864 }
865
866 if (key_info & WPA_KEY_INFO_REQUEST) {
867 if (sm->req_replay_counter_used &&
868 os_memcmp(key->replay_counter, sm->req_replay_counter,
869 WPA_REPLAY_COUNTER_LEN) <= 0) {
870 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
871 "received EAPOL-Key request with "
872 "replayed counter");
873 return;
874 }
875 }
876
877 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
878 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
879 int i;
880
881 if (msg == PAIRWISE_2 &&
882 wpa_replay_counter_valid(sm->prev_key_replay,
883 key->replay_counter) &&
884 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
885 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
886 {
887 /*
888 * Some supplicant implementations (e.g., Windows XP
889 * WZC) update SNonce for each EAPOL-Key 2/4. This
890 * breaks the workaround on accepting any of the
891 * pending requests, so allow the SNonce to be updated
892 * even if we have already sent out EAPOL-Key 3/4.
893 */
894 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
895 "Process SNonce update from STA "
896 "based on retransmitted EAPOL-Key "
897 "1/4");
898 sm->update_snonce = 1;
899 wpa_replay_counter_mark_invalid(sm->prev_key_replay,
900 key->replay_counter);
901 goto continue_processing;
902 }
903
904 if (msg == PAIRWISE_2 &&
905 wpa_replay_counter_valid(sm->prev_key_replay,
906 key->replay_counter) &&
907 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
908 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
909 "ignore retransmitted EAPOL-Key %s - "
910 "SNonce did not change", msgtxt);
911 } else {
912 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
913 "received EAPOL-Key %s with "
914 "unexpected replay counter", msgtxt);
915 }
916 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
917 if (!sm->key_replay[i].valid)
918 break;
919 wpa_hexdump(MSG_DEBUG, "pending replay counter",
920 sm->key_replay[i].counter,
921 WPA_REPLAY_COUNTER_LEN);
922 }
923 wpa_hexdump(MSG_DEBUG, "received replay counter",
924 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
925 return;
926 }
927
928 continue_processing:
929 switch (msg) {
930 case PAIRWISE_2:
931 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
932 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
933 (!sm->update_snonce ||
934 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
935 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
936 "received EAPOL-Key msg 2/4 in "
937 "invalid state (%d) - dropped",
938 sm->wpa_ptk_state);
939 return;
940 }
941 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
942 if (sm->group->reject_4way_hs_for_entropy) {
943 /*
944 * The system did not have enough entropy to generate
945 * strong random numbers. Reject the first 4-way
946 * handshake(s) and collect some entropy based on the
947 * information from it. Once enough entropy is
948 * available, the next atempt will trigger GMK/Key
949 * Counter update and the station will be allowed to
950 * continue.
951 */
952 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
953 "collect more entropy for random number "
954 "generation");
955 random_mark_pool_ready();
956 wpa_sta_disconnect(wpa_auth, sm->addr);
957 return;
958 }
959 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
960 &kde) < 0) {
961 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
962 "received EAPOL-Key msg 2/4 with "
963 "invalid Key Data contents");
964 return;
965 }
966 if (kde.rsn_ie) {
967 eapol_key_ie = kde.rsn_ie;
968 eapol_key_ie_len = kde.rsn_ie_len;
969 } else {
970 eapol_key_ie = kde.wpa_ie;
971 eapol_key_ie_len = kde.wpa_ie_len;
972 }
973 ft = sm->wpa == WPA_VERSION_WPA2 &&
974 wpa_key_mgmt_ft(sm->wpa_key_mgmt);
975 if (sm->wpa_ie == NULL ||
976 wpa_compare_rsn_ie(ft,
977 sm->wpa_ie, sm->wpa_ie_len,
978 eapol_key_ie, eapol_key_ie_len)) {
979 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
980 "WPA IE from (Re)AssocReq did not "
981 "match with msg 2/4");
982 if (sm->wpa_ie) {
983 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
984 sm->wpa_ie, sm->wpa_ie_len);
985 }
986 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
987 eapol_key_ie, eapol_key_ie_len);
988 /* MLME-DEAUTHENTICATE.request */
989 wpa_sta_disconnect(wpa_auth, sm->addr);
990 return;
991 }
992 #ifdef CONFIG_IEEE80211R
993 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
994 wpa_sta_disconnect(wpa_auth, sm->addr);
995 return;
996 }
997 #endif /* CONFIG_IEEE80211R */
998 break;
999 case PAIRWISE_4:
1000 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1001 !sm->PTK_valid) {
1002 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1003 "received EAPOL-Key msg 4/4 in "
1004 "invalid state (%d) - dropped",
1005 sm->wpa_ptk_state);
1006 return;
1007 }
1008 break;
1009 case GROUP_2:
1010 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1011 || !sm->PTK_valid) {
1012 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1013 "received EAPOL-Key msg 2/2 in "
1014 "invalid state (%d) - dropped",
1015 sm->wpa_ptk_group_state);
1016 return;
1017 }
1018 break;
1019 #ifdef CONFIG_PEERKEY
1020 case SMK_M1:
1021 case SMK_M3:
1022 case SMK_ERROR:
1023 if (!wpa_auth->conf.peerkey) {
1024 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1025 "PeerKey use disabled - ignoring message");
1026 return;
1027 }
1028 if (!sm->PTK_valid) {
1029 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1030 "received EAPOL-Key msg SMK in "
1031 "invalid state - dropped");
1032 return;
1033 }
1034 break;
1035 #else /* CONFIG_PEERKEY */
1036 case SMK_M1:
1037 case SMK_M3:
1038 case SMK_ERROR:
1039 return; /* STSL disabled - ignore SMK messages */
1040 #endif /* CONFIG_PEERKEY */
1041 case REQUEST:
1042 break;
1043 }
1044
1045 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1046 "received EAPOL-Key frame (%s)", msgtxt);
1047
1048 if (key_info & WPA_KEY_INFO_ACK) {
1049 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1050 "received invalid EAPOL-Key: Key Ack set");
1051 return;
1052 }
1053
1054 if (!(key_info & WPA_KEY_INFO_MIC)) {
1055 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1056 "received invalid EAPOL-Key: Key MIC not set");
1057 return;
1058 }
1059
1060 sm->MICVerified = FALSE;
1061 if (sm->PTK_valid && !sm->update_snonce) {
1062 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
1063 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1064 "received EAPOL-Key with invalid MIC");
1065 return;
1066 }
1067 sm->MICVerified = TRUE;
1068 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1069 sm->pending_1_of_4_timeout = 0;
1070 }
1071
1072 if (key_info & WPA_KEY_INFO_REQUEST) {
1073 if (sm->MICVerified) {
1074 sm->req_replay_counter_used = 1;
1075 os_memcpy(sm->req_replay_counter, key->replay_counter,
1076 WPA_REPLAY_COUNTER_LEN);
1077 } else {
1078 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1079 "received EAPOL-Key request with "
1080 "invalid MIC");
1081 return;
1082 }
1083
1084 /*
1085 * TODO: should decrypt key data field if encryption was used;
1086 * even though MAC address KDE is not normally encrypted,
1087 * supplicant is allowed to encrypt it.
1088 */
1089 if (msg == SMK_ERROR) {
1090 #ifdef CONFIG_PEERKEY
1091 wpa_smk_error(wpa_auth, sm, key);
1092 #endif /* CONFIG_PEERKEY */
1093 return;
1094 } else if (key_info & WPA_KEY_INFO_ERROR) {
1095 if (wpa_receive_error_report(
1096 wpa_auth, sm,
1097 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1098 return; /* STA entry was removed */
1099 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1100 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1101 "received EAPOL-Key Request for new "
1102 "4-Way Handshake");
1103 wpa_request_new_ptk(sm);
1104 #ifdef CONFIG_PEERKEY
1105 } else if (msg == SMK_M1) {
1106 wpa_smk_m1(wpa_auth, sm, key);
1107 #endif /* CONFIG_PEERKEY */
1108 } else if (key_data_length > 0 &&
1109 wpa_parse_kde_ies((const u8 *) (key + 1),
1110 key_data_length, &kde) == 0 &&
1111 kde.mac_addr) {
1112 } else {
1113 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1114 "received EAPOL-Key Request for GTK "
1115 "rekeying");
1116 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1117 wpa_rekey_gtk(wpa_auth, NULL);
1118 }
1119 } else {
1120 /* Do not allow the same key replay counter to be reused. */
1121 wpa_replay_counter_mark_invalid(sm->key_replay,
1122 key->replay_counter);
1123
1124 if (msg == PAIRWISE_2) {
1125 /*
1126 * Maintain a copy of the pending EAPOL-Key frames in
1127 * case the EAPOL-Key frame was retransmitted. This is
1128 * needed to allow EAPOL-Key msg 2/4 reply to another
1129 * pending msg 1/4 to update the SNonce to work around
1130 * unexpected supplicant behavior.
1131 */
1132 os_memcpy(sm->prev_key_replay, sm->key_replay,
1133 sizeof(sm->key_replay));
1134 } else {
1135 os_memset(sm->prev_key_replay, 0,
1136 sizeof(sm->prev_key_replay));
1137 }
1138
1139 /*
1140 * Make sure old valid counters are not accepted anymore and
1141 * do not get copied again.
1142 */
1143 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1144 }
1145
1146 #ifdef CONFIG_PEERKEY
1147 if (msg == SMK_M3) {
1148 wpa_smk_m3(wpa_auth, sm, key);
1149 return;
1150 }
1151 #endif /* CONFIG_PEERKEY */
1152
1153 os_free(sm->last_rx_eapol_key);
1154 sm->last_rx_eapol_key = os_malloc(data_len);
1155 if (sm->last_rx_eapol_key == NULL)
1156 return;
1157 os_memcpy(sm->last_rx_eapol_key, data, data_len);
1158 sm->last_rx_eapol_key_len = data_len;
1159
1160 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1161 sm->EAPOLKeyReceived = TRUE;
1162 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1163 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1164 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1165 wpa_sm_step(sm);
1166 }
1167
1168
wpa_gmk_to_gtk(const u8 * gmk,const char * label,const u8 * addr,const u8 * gnonce,u8 * gtk,size_t gtk_len)1169 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1170 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1171 {
1172 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1173 u8 *pos;
1174 int ret = 0;
1175
1176 /* GTK = PRF-X(GMK, "Group key expansion",
1177 * AA || GNonce || Time || random data)
1178 * The example described in the IEEE 802.11 standard uses only AA and
1179 * GNonce as inputs here. Add some more entropy since this derivation
1180 * is done only at the Authenticator and as such, does not need to be
1181 * exactly same.
1182 */
1183 os_memcpy(data, addr, ETH_ALEN);
1184 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1185 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1186 wpa_get_ntp_timestamp(pos);
1187 pos += 8;
1188 if (random_get_bytes(pos, 16) < 0)
1189 ret = -1;
1190
1191 #ifdef CONFIG_IEEE80211W
1192 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1193 #else /* CONFIG_IEEE80211W */
1194 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1195 < 0)
1196 ret = -1;
1197 #endif /* CONFIG_IEEE80211W */
1198
1199 return ret;
1200 }
1201
1202
wpa_send_eapol_timeout(void * eloop_ctx,void * timeout_ctx)1203 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1204 {
1205 struct wpa_authenticator *wpa_auth = eloop_ctx;
1206 struct wpa_state_machine *sm = timeout_ctx;
1207
1208 sm->pending_1_of_4_timeout = 0;
1209 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1210 sm->TimeoutEvt = TRUE;
1211 wpa_sm_step(sm);
1212 }
1213
1214
__wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr,int force_version)1215 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1216 struct wpa_state_machine *sm, int key_info,
1217 const u8 *key_rsc, const u8 *nonce,
1218 const u8 *kde, size_t kde_len,
1219 int keyidx, int encr, int force_version)
1220 {
1221 struct ieee802_1x_hdr *hdr;
1222 struct wpa_eapol_key *key;
1223 size_t len;
1224 int alg;
1225 int key_data_len, pad_len = 0;
1226 u8 *buf, *pos;
1227 int version, pairwise;
1228 int i;
1229
1230 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
1231
1232 if (force_version)
1233 version = force_version;
1234 else if (wpa_use_aes_cmac(sm))
1235 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1236 else if (sm->pairwise != WPA_CIPHER_TKIP)
1237 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1238 else
1239 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1240
1241 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1242
1243 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1244 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1245 "encr=%d)",
1246 version,
1247 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1248 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1249 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1250 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1251 pairwise, (unsigned long) kde_len, keyidx, encr);
1252
1253 key_data_len = kde_len;
1254
1255 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1256 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1257 pad_len = key_data_len % 8;
1258 if (pad_len)
1259 pad_len = 8 - pad_len;
1260 key_data_len += pad_len + 8;
1261 }
1262
1263 len += key_data_len;
1264
1265 hdr = os_zalloc(len);
1266 if (hdr == NULL)
1267 return;
1268 hdr->version = wpa_auth->conf.eapol_version;
1269 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1270 hdr->length = host_to_be16(len - sizeof(*hdr));
1271 key = (struct wpa_eapol_key *) (hdr + 1);
1272
1273 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1274 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1275 key_info |= version;
1276 if (encr && sm->wpa == WPA_VERSION_WPA2)
1277 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1278 if (sm->wpa != WPA_VERSION_WPA2)
1279 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1280 WPA_PUT_BE16(key->key_info, key_info);
1281
1282 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1283 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1284 if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1285 WPA_PUT_BE16(key->key_length, 0);
1286
1287 /* FIX: STSL: what to use as key_replay_counter? */
1288 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1289 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1290 os_memcpy(sm->key_replay[i].counter,
1291 sm->key_replay[i - 1].counter,
1292 WPA_REPLAY_COUNTER_LEN);
1293 }
1294 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1295 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1296 WPA_REPLAY_COUNTER_LEN);
1297 sm->key_replay[0].valid = TRUE;
1298
1299 if (nonce)
1300 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1301
1302 if (key_rsc)
1303 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1304
1305 if (kde && !encr) {
1306 os_memcpy(key + 1, kde, kde_len);
1307 WPA_PUT_BE16(key->key_data_length, kde_len);
1308 } else if (encr && kde) {
1309 buf = os_zalloc(key_data_len);
1310 if (buf == NULL) {
1311 os_free(hdr);
1312 return;
1313 }
1314 pos = buf;
1315 os_memcpy(pos, kde, kde_len);
1316 pos += kde_len;
1317
1318 if (pad_len)
1319 *pos++ = 0xdd;
1320
1321 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1322 buf, key_data_len);
1323 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1324 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1325 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
1326 (u8 *) (key + 1))) {
1327 os_free(hdr);
1328 os_free(buf);
1329 return;
1330 }
1331 WPA_PUT_BE16(key->key_data_length, key_data_len);
1332 } else {
1333 u8 ek[32];
1334 os_memcpy(key->key_iv,
1335 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1336 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1337 os_memcpy(ek, key->key_iv, 16);
1338 os_memcpy(ek + 16, sm->PTK.kek, 16);
1339 os_memcpy(key + 1, buf, key_data_len);
1340 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
1341 WPA_PUT_BE16(key->key_data_length, key_data_len);
1342 }
1343 os_free(buf);
1344 }
1345
1346 if (key_info & WPA_KEY_INFO_MIC) {
1347 if (!sm->PTK_valid) {
1348 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1349 "PTK not valid when sending EAPOL-Key "
1350 "frame");
1351 os_free(hdr);
1352 return;
1353 }
1354 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
1355 key->key_mic);
1356 #ifdef CONFIG_TESTING_OPTIONS
1357 if (!pairwise &&
1358 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d &&
1359 drand48() <
1360 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1361 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1362 "Corrupting group EAPOL-Key Key MIC");
1363 key->key_mic[0]++;
1364 }
1365 #endif /* CONFIG_TESTING_OPTIONS */
1366 }
1367
1368 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1369 1);
1370 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1371 sm->pairwise_set);
1372 os_free(hdr);
1373 }
1374
1375
wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr)1376 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1377 struct wpa_state_machine *sm, int key_info,
1378 const u8 *key_rsc, const u8 *nonce,
1379 const u8 *kde, size_t kde_len,
1380 int keyidx, int encr)
1381 {
1382 int timeout_ms;
1383 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1384 int ctr;
1385
1386 if (sm == NULL)
1387 return;
1388
1389 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1390 keyidx, encr, 0);
1391
1392 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1393 if (ctr == 1 && wpa_auth->conf.tx_status)
1394 timeout_ms = pairwise ? eapol_key_timeout_first :
1395 eapol_key_timeout_first_group;
1396 else
1397 timeout_ms = eapol_key_timeout_subseq;
1398 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1399 sm->pending_1_of_4_timeout = 1;
1400 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1401 "counter %d)", timeout_ms, ctr);
1402 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1403 wpa_send_eapol_timeout, wpa_auth, sm);
1404 }
1405
1406
wpa_verify_key_mic(struct wpa_ptk * PTK,u8 * data,size_t data_len)1407 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
1408 {
1409 struct ieee802_1x_hdr *hdr;
1410 struct wpa_eapol_key *key;
1411 u16 key_info;
1412 int ret = 0;
1413 u8 mic[16];
1414
1415 if (data_len < sizeof(*hdr) + sizeof(*key))
1416 return -1;
1417
1418 hdr = (struct ieee802_1x_hdr *) data;
1419 key = (struct wpa_eapol_key *) (hdr + 1);
1420 key_info = WPA_GET_BE16(key->key_info);
1421 os_memcpy(mic, key->key_mic, 16);
1422 os_memset(key->key_mic, 0, 16);
1423 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
1424 data, data_len, key->key_mic) ||
1425 os_memcmp(mic, key->key_mic, 16) != 0)
1426 ret = -1;
1427 os_memcpy(key->key_mic, mic, 16);
1428 return ret;
1429 }
1430
1431
wpa_remove_ptk(struct wpa_state_machine * sm)1432 void wpa_remove_ptk(struct wpa_state_machine *sm)
1433 {
1434 sm->PTK_valid = FALSE;
1435 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1436 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
1437 sm->pairwise_set = FALSE;
1438 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1439 }
1440
1441
wpa_auth_sm_event(struct wpa_state_machine * sm,wpa_event event)1442 int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
1443 {
1444 int remove_ptk = 1;
1445
1446 if (sm == NULL)
1447 return -1;
1448
1449 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1450 "event %d notification", event);
1451
1452 switch (event) {
1453 case WPA_AUTH:
1454 case WPA_ASSOC:
1455 break;
1456 case WPA_DEAUTH:
1457 case WPA_DISASSOC:
1458 sm->DeauthenticationRequest = TRUE;
1459 break;
1460 case WPA_REAUTH:
1461 case WPA_REAUTH_EAPOL:
1462 if (!sm->started) {
1463 /*
1464 * When using WPS, we may end up here if the STA
1465 * manages to re-associate without the previous STA
1466 * entry getting removed. Consequently, we need to make
1467 * sure that the WPA state machines gets initialized
1468 * properly at this point.
1469 */
1470 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1471 "started - initialize now");
1472 sm->started = 1;
1473 sm->Init = TRUE;
1474 if (wpa_sm_step(sm) == 1)
1475 return 1; /* should not really happen */
1476 sm->Init = FALSE;
1477 sm->AuthenticationRequest = TRUE;
1478 break;
1479 }
1480 if (sm->GUpdateStationKeys) {
1481 /*
1482 * Reauthentication cancels the pending group key
1483 * update for this STA.
1484 */
1485 sm->group->GKeyDoneStations--;
1486 sm->GUpdateStationKeys = FALSE;
1487 sm->PtkGroupInit = TRUE;
1488 }
1489 sm->ReAuthenticationRequest = TRUE;
1490 break;
1491 case WPA_ASSOC_FT:
1492 #ifdef CONFIG_IEEE80211R
1493 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1494 "after association");
1495 wpa_ft_install_ptk(sm);
1496
1497 /* Using FT protocol, not WPA auth state machine */
1498 sm->ft_completed = 1;
1499 return 0;
1500 #else /* CONFIG_IEEE80211R */
1501 break;
1502 #endif /* CONFIG_IEEE80211R */
1503 }
1504
1505 #ifdef CONFIG_IEEE80211R
1506 sm->ft_completed = 0;
1507 #endif /* CONFIG_IEEE80211R */
1508
1509 #ifdef CONFIG_IEEE80211W
1510 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1511 remove_ptk = 0;
1512 #endif /* CONFIG_IEEE80211W */
1513
1514 if (remove_ptk) {
1515 sm->PTK_valid = FALSE;
1516 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1517
1518 if (event != WPA_REAUTH_EAPOL)
1519 wpa_remove_ptk(sm);
1520 }
1521
1522 return wpa_sm_step(sm);
1523 }
1524
1525
SM_STATE(WPA_PTK,INITIALIZE)1526 SM_STATE(WPA_PTK, INITIALIZE)
1527 {
1528 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1529 if (sm->Init) {
1530 /* Init flag is not cleared here, so avoid busy
1531 * loop by claiming nothing changed. */
1532 sm->changed = FALSE;
1533 }
1534
1535 sm->keycount = 0;
1536 if (sm->GUpdateStationKeys)
1537 sm->group->GKeyDoneStations--;
1538 sm->GUpdateStationKeys = FALSE;
1539 if (sm->wpa == WPA_VERSION_WPA)
1540 sm->PInitAKeys = FALSE;
1541 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1542 * Local AA > Remote AA)) */) {
1543 sm->Pair = TRUE;
1544 }
1545 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1546 wpa_remove_ptk(sm);
1547 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1548 sm->TimeoutCtr = 0;
1549 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1550 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1551 WPA_EAPOL_authorized, 0);
1552 }
1553 }
1554
1555
SM_STATE(WPA_PTK,DISCONNECT)1556 SM_STATE(WPA_PTK, DISCONNECT)
1557 {
1558 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1559 sm->Disconnect = FALSE;
1560 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1561 }
1562
1563
SM_STATE(WPA_PTK,DISCONNECTED)1564 SM_STATE(WPA_PTK, DISCONNECTED)
1565 {
1566 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1567 sm->DeauthenticationRequest = FALSE;
1568 }
1569
1570
SM_STATE(WPA_PTK,AUTHENTICATION)1571 SM_STATE(WPA_PTK, AUTHENTICATION)
1572 {
1573 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1574 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1575 sm->PTK_valid = FALSE;
1576 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1577 1);
1578 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1579 sm->AuthenticationRequest = FALSE;
1580 }
1581
1582
wpa_group_ensure_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)1583 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1584 struct wpa_group *group)
1585 {
1586 if (group->first_sta_seen)
1587 return;
1588 /*
1589 * System has run bit further than at the time hostapd was started
1590 * potentially very early during boot up. This provides better chances
1591 * of collecting more randomness on embedded systems. Re-initialize the
1592 * GMK and Counter here to improve their strength if there was not
1593 * enough entropy available immediately after system startup.
1594 */
1595 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1596 "station");
1597 if (random_pool_ready() != 1) {
1598 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1599 "to proceed - reject first 4-way handshake");
1600 group->reject_4way_hs_for_entropy = TRUE;
1601 } else {
1602 group->first_sta_seen = TRUE;
1603 group->reject_4way_hs_for_entropy = FALSE;
1604 }
1605
1606 wpa_group_init_gmk_and_counter(wpa_auth, group);
1607 wpa_gtk_update(wpa_auth, group);
1608 wpa_group_config_group_keys(wpa_auth, group);
1609 }
1610
1611
SM_STATE(WPA_PTK,AUTHENTICATION2)1612 SM_STATE(WPA_PTK, AUTHENTICATION2)
1613 {
1614 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1615
1616 wpa_group_ensure_init(sm->wpa_auth, sm->group);
1617 sm->ReAuthenticationRequest = FALSE;
1618
1619 /*
1620 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1621 * ambiguous. The Authenticator state machine uses a counter that is
1622 * incremented by one for each 4-way handshake. However, the security
1623 * analysis of 4-way handshake points out that unpredictable nonces
1624 * help in preventing precomputation attacks. Instead of the state
1625 * machine definition, use an unpredictable nonce value here to provide
1626 * stronger protection against potential precomputation attacks.
1627 */
1628 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1629 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1630 "ANonce.");
1631 sm->Disconnect = TRUE;
1632 return;
1633 }
1634 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1635 WPA_NONCE_LEN);
1636 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1637 * logical place than INITIALIZE since AUTHENTICATION2 can be
1638 * re-entered on ReAuthenticationRequest without going through
1639 * INITIALIZE. */
1640 sm->TimeoutCtr = 0;
1641 }
1642
1643
SM_STATE(WPA_PTK,INITPMK)1644 SM_STATE(WPA_PTK, INITPMK)
1645 {
1646 u8 msk[2 * PMK_LEN];
1647 size_t len = 2 * PMK_LEN;
1648
1649 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1650 #ifdef CONFIG_IEEE80211R
1651 sm->xxkey_len = 0;
1652 #endif /* CONFIG_IEEE80211R */
1653 if (sm->pmksa) {
1654 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1655 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
1656 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1657 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1658 "(len=%lu)", (unsigned long) len);
1659 os_memcpy(sm->PMK, msk, PMK_LEN);
1660 #ifdef CONFIG_IEEE80211R
1661 if (len >= 2 * PMK_LEN) {
1662 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1663 sm->xxkey_len = PMK_LEN;
1664 }
1665 #endif /* CONFIG_IEEE80211R */
1666 } else {
1667 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
1668 }
1669
1670 sm->req_replay_counter_used = 0;
1671 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1672 * will break reauthentication since EAPOL state machines may not be
1673 * get into AUTHENTICATING state that clears keyRun before WPA state
1674 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1675 * state and takes PMK from the previously used AAA Key. This will
1676 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1677 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1678 * be good workaround for this issue. */
1679 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1680 }
1681
1682
SM_STATE(WPA_PTK,INITPSK)1683 SM_STATE(WPA_PTK, INITPSK)
1684 {
1685 const u8 *psk;
1686 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1687 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
1688 if (psk) {
1689 os_memcpy(sm->PMK, psk, PMK_LEN);
1690 #ifdef CONFIG_IEEE80211R
1691 os_memcpy(sm->xxkey, psk, PMK_LEN);
1692 sm->xxkey_len = PMK_LEN;
1693 #endif /* CONFIG_IEEE80211R */
1694 }
1695 sm->req_replay_counter_used = 0;
1696 }
1697
1698
SM_STATE(WPA_PTK,PTKSTART)1699 SM_STATE(WPA_PTK, PTKSTART)
1700 {
1701 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1702 size_t pmkid_len = 0;
1703
1704 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1705 sm->PTKRequest = FALSE;
1706 sm->TimeoutEvt = FALSE;
1707
1708 sm->TimeoutCtr++;
1709 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1710 /* No point in sending the EAPOL-Key - we will disconnect
1711 * immediately following this. */
1712 return;
1713 }
1714
1715 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1716 "sending 1/4 msg of 4-Way Handshake");
1717 /*
1718 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1719 * one possible PSK for this STA.
1720 */
1721 if (sm->wpa == WPA_VERSION_WPA2 &&
1722 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) {
1723 pmkid = buf;
1724 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
1725 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
1726 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
1727 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
1728 if (sm->pmksa)
1729 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
1730 sm->pmksa->pmkid, PMKID_LEN);
1731 else {
1732 /*
1733 * Calculate PMKID since no PMKSA cache entry was
1734 * available with pre-calculated PMKID.
1735 */
1736 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
1737 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
1738 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1739 }
1740 }
1741 wpa_send_eapol(sm->wpa_auth, sm,
1742 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
1743 sm->ANonce, pmkid, pmkid_len, 0, 0);
1744 }
1745
1746
wpa_derive_ptk(struct wpa_state_machine * sm,const u8 * pmk,struct wpa_ptk * ptk)1747 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
1748 struct wpa_ptk *ptk)
1749 {
1750 size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64;
1751 #ifdef CONFIG_IEEE80211R
1752 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
1753 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
1754 #endif /* CONFIG_IEEE80211R */
1755
1756 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
1757 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
1758 (u8 *) ptk, ptk_len,
1759 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1760
1761 return 0;
1762 }
1763
1764
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING)1765 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
1766 {
1767 struct wpa_ptk PTK;
1768 int ok = 0;
1769 const u8 *pmk = NULL;
1770
1771 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
1772 sm->EAPOLKeyReceived = FALSE;
1773 sm->update_snonce = FALSE;
1774
1775 /* WPA with IEEE 802.1X: use the derived PMK from EAP
1776 * WPA-PSK: iterate through possible PSKs and select the one matching
1777 * the packet */
1778 for (;;) {
1779 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1780 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
1781 sm->p2p_dev_addr, pmk);
1782 if (pmk == NULL)
1783 break;
1784 } else
1785 pmk = sm->PMK;
1786
1787 wpa_derive_ptk(sm, pmk, &PTK);
1788
1789 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
1790 sm->last_rx_eapol_key_len) == 0) {
1791 ok = 1;
1792 break;
1793 }
1794
1795 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
1796 break;
1797 }
1798
1799 if (!ok) {
1800 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1801 "invalid MIC in msg 2/4 of 4-Way Handshake");
1802 return;
1803 }
1804
1805 #ifdef CONFIG_IEEE80211R
1806 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1807 /*
1808 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
1809 * with the value we derived.
1810 */
1811 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name,
1812 WPA_PMK_NAME_LEN) != 0) {
1813 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1814 "PMKR1Name mismatch in FT 4-way "
1815 "handshake");
1816 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
1817 "Supplicant",
1818 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
1819 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1820 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1821 return;
1822 }
1823 }
1824 #endif /* CONFIG_IEEE80211R */
1825
1826 sm->pending_1_of_4_timeout = 0;
1827 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
1828
1829 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1830 /* PSK may have changed from the previous choice, so update
1831 * state machine data based on whatever PSK was selected here.
1832 */
1833 os_memcpy(sm->PMK, pmk, PMK_LEN);
1834 }
1835
1836 sm->MICVerified = TRUE;
1837
1838 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1839 sm->PTK_valid = TRUE;
1840 }
1841
1842
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING2)1843 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
1844 {
1845 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
1846 sm->TimeoutCtr = 0;
1847 }
1848
1849
1850 #ifdef CONFIG_IEEE80211W
1851
ieee80211w_kde_len(struct wpa_state_machine * sm)1852 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1853 {
1854 if (sm->mgmt_frame_prot) {
1855 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde);
1856 }
1857
1858 return 0;
1859 }
1860
1861
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)1862 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1863 {
1864 struct wpa_igtk_kde igtk;
1865 struct wpa_group *gsm = sm->group;
1866
1867 if (!sm->mgmt_frame_prot)
1868 return pos;
1869
1870 igtk.keyid[0] = gsm->GN_igtk;
1871 igtk.keyid[1] = 0;
1872 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
1873 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
1874 os_memset(igtk.pn, 0, sizeof(igtk.pn));
1875 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
1876 if (sm->wpa_auth->conf.disable_gtk) {
1877 /*
1878 * Provide unique random IGTK to each STA to prevent use of
1879 * IGTK in the BSS.
1880 */
1881 if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0)
1882 return pos;
1883 }
1884 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
1885 (const u8 *) &igtk, sizeof(igtk), NULL, 0);
1886
1887 return pos;
1888 }
1889
1890 #else /* CONFIG_IEEE80211W */
1891
ieee80211w_kde_len(struct wpa_state_machine * sm)1892 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1893 {
1894 return 0;
1895 }
1896
1897
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)1898 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1899 {
1900 return pos;
1901 }
1902
1903 #endif /* CONFIG_IEEE80211W */
1904
1905
SM_STATE(WPA_PTK,PTKINITNEGOTIATING)1906 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
1907 {
1908 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
1909 size_t gtk_len, kde_len;
1910 struct wpa_group *gsm = sm->group;
1911 u8 *wpa_ie;
1912 int wpa_ie_len, secure, keyidx, encr = 0;
1913
1914 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
1915 sm->TimeoutEvt = FALSE;
1916
1917 sm->TimeoutCtr++;
1918 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1919 /* No point in sending the EAPOL-Key - we will disconnect
1920 * immediately following this. */
1921 return;
1922 }
1923
1924 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
1925 GTK[GN], IGTK, [FTIE], [TIE * 2])
1926 */
1927 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
1928 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
1929 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
1930 wpa_ie = sm->wpa_auth->wpa_ie;
1931 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
1932 if (sm->wpa == WPA_VERSION_WPA &&
1933 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
1934 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
1935 /* WPA-only STA, remove RSN IE */
1936 wpa_ie = wpa_ie + wpa_ie[1] + 2;
1937 wpa_ie_len = wpa_ie[1] + 2;
1938 }
1939 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1940 "sending 3/4 msg of 4-Way Handshake");
1941 if (sm->wpa == WPA_VERSION_WPA2) {
1942 /* WPA2 send GTK in the 4-way handshake */
1943 secure = 1;
1944 gtk = gsm->GTK[gsm->GN - 1];
1945 gtk_len = gsm->GTK_len;
1946 if (sm->wpa_auth->conf.disable_gtk) {
1947 /*
1948 * Provide unique random GTK to each STA to prevent use
1949 * of GTK in the BSS.
1950 */
1951 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
1952 return;
1953 gtk = dummy_gtk;
1954 }
1955 keyidx = gsm->GN;
1956 _rsc = rsc;
1957 encr = 1;
1958 } else {
1959 /* WPA does not include GTK in msg 3/4 */
1960 secure = 0;
1961 gtk = NULL;
1962 gtk_len = 0;
1963 keyidx = 0;
1964 _rsc = NULL;
1965 if (sm->rx_eapol_key_secure) {
1966 /*
1967 * It looks like Windows 7 supplicant tries to use
1968 * Secure bit in msg 2/4 after having reported Michael
1969 * MIC failure and it then rejects the 4-way handshake
1970 * if msg 3/4 does not set Secure bit. Work around this
1971 * by setting the Secure bit here even in the case of
1972 * WPA if the supplicant used it first.
1973 */
1974 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1975 "STA used Secure bit in WPA msg 2/4 - "
1976 "set Secure for 3/4 as workaround");
1977 secure = 1;
1978 }
1979 }
1980
1981 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
1982 if (gtk)
1983 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
1984 #ifdef CONFIG_IEEE80211R
1985 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1986 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
1987 kde_len += 300; /* FTIE + 2 * TIE */
1988 }
1989 #endif /* CONFIG_IEEE80211R */
1990 kde = os_malloc(kde_len);
1991 if (kde == NULL)
1992 return;
1993
1994 pos = kde;
1995 os_memcpy(pos, wpa_ie, wpa_ie_len);
1996 pos += wpa_ie_len;
1997 #ifdef CONFIG_IEEE80211R
1998 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1999 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
2000 if (res < 0) {
2001 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2002 "PMKR1Name into RSN IE in EAPOL-Key data");
2003 os_free(kde);
2004 return;
2005 }
2006 pos += res;
2007 }
2008 #endif /* CONFIG_IEEE80211R */
2009 if (gtk) {
2010 u8 hdr[2];
2011 hdr[0] = keyidx & 0x03;
2012 hdr[1] = 0;
2013 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2014 gtk, gtk_len);
2015 }
2016 pos = ieee80211w_kde_add(sm, pos);
2017
2018 #ifdef CONFIG_IEEE80211R
2019 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2020 int res;
2021 struct wpa_auth_config *conf;
2022
2023 conf = &sm->wpa_auth->conf;
2024 res = wpa_write_ftie(conf, conf->r0_key_holder,
2025 conf->r0_key_holder_len,
2026 NULL, NULL, pos, kde + kde_len - pos,
2027 NULL, 0);
2028 if (res < 0) {
2029 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2030 "into EAPOL-Key Key Data");
2031 os_free(kde);
2032 return;
2033 }
2034 pos += res;
2035
2036 /* TIE[ReassociationDeadline] (TU) */
2037 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2038 *pos++ = 5;
2039 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2040 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2041 pos += 4;
2042
2043 /* TIE[KeyLifetime] (seconds) */
2044 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2045 *pos++ = 5;
2046 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2047 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2048 pos += 4;
2049 }
2050 #endif /* CONFIG_IEEE80211R */
2051
2052 wpa_send_eapol(sm->wpa_auth, sm,
2053 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
2054 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2055 WPA_KEY_INFO_KEY_TYPE,
2056 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2057 os_free(kde);
2058 }
2059
2060
SM_STATE(WPA_PTK,PTKINITDONE)2061 SM_STATE(WPA_PTK, PTKINITDONE)
2062 {
2063 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2064 sm->EAPOLKeyReceived = FALSE;
2065 if (sm->Pair) {
2066 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2067 int klen = wpa_cipher_key_len(sm->pairwise);
2068 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2069 sm->PTK.tk1, klen)) {
2070 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2071 return;
2072 }
2073 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2074 sm->pairwise_set = TRUE;
2075
2076 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2077 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2078 eloop_register_timeout(sm->wpa_auth->conf.
2079 wpa_ptk_rekey, 0, wpa_rekey_ptk,
2080 sm->wpa_auth, sm);
2081 }
2082
2083 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2084 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2085 WPA_EAPOL_authorized, 1);
2086 }
2087 }
2088
2089 if (0 /* IBSS == TRUE */) {
2090 sm->keycount++;
2091 if (sm->keycount == 2) {
2092 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2093 WPA_EAPOL_portValid, 1);
2094 }
2095 } else {
2096 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2097 1);
2098 }
2099 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2100 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2101 if (sm->wpa == WPA_VERSION_WPA)
2102 sm->PInitAKeys = TRUE;
2103 else
2104 sm->has_GTK = TRUE;
2105 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2106 "pairwise key handshake completed (%s)",
2107 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2108
2109 #ifdef CONFIG_IEEE80211R
2110 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2111 #endif /* CONFIG_IEEE80211R */
2112 }
2113
2114
SM_STEP(WPA_PTK)2115 SM_STEP(WPA_PTK)
2116 {
2117 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2118
2119 if (sm->Init)
2120 SM_ENTER(WPA_PTK, INITIALIZE);
2121 else if (sm->Disconnect
2122 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2123 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2124 "WPA_PTK: sm->Disconnect");
2125 SM_ENTER(WPA_PTK, DISCONNECT);
2126 }
2127 else if (sm->DeauthenticationRequest)
2128 SM_ENTER(WPA_PTK, DISCONNECTED);
2129 else if (sm->AuthenticationRequest)
2130 SM_ENTER(WPA_PTK, AUTHENTICATION);
2131 else if (sm->ReAuthenticationRequest)
2132 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2133 else if (sm->PTKRequest)
2134 SM_ENTER(WPA_PTK, PTKSTART);
2135 else switch (sm->wpa_ptk_state) {
2136 case WPA_PTK_INITIALIZE:
2137 break;
2138 case WPA_PTK_DISCONNECT:
2139 SM_ENTER(WPA_PTK, DISCONNECTED);
2140 break;
2141 case WPA_PTK_DISCONNECTED:
2142 SM_ENTER(WPA_PTK, INITIALIZE);
2143 break;
2144 case WPA_PTK_AUTHENTICATION:
2145 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2146 break;
2147 case WPA_PTK_AUTHENTICATION2:
2148 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2149 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2150 WPA_EAPOL_keyRun) > 0)
2151 SM_ENTER(WPA_PTK, INITPMK);
2152 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
2153 /* FIX: && 802.1X::keyRun */)
2154 SM_ENTER(WPA_PTK, INITPSK);
2155 break;
2156 case WPA_PTK_INITPMK:
2157 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2158 WPA_EAPOL_keyAvailable) > 0)
2159 SM_ENTER(WPA_PTK, PTKSTART);
2160 else {
2161 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2162 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2163 "INITPMK - keyAvailable = false");
2164 SM_ENTER(WPA_PTK, DISCONNECT);
2165 }
2166 break;
2167 case WPA_PTK_INITPSK:
2168 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2169 NULL))
2170 SM_ENTER(WPA_PTK, PTKSTART);
2171 else {
2172 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2173 "no PSK configured for the STA");
2174 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2175 SM_ENTER(WPA_PTK, DISCONNECT);
2176 }
2177 break;
2178 case WPA_PTK_PTKSTART:
2179 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2180 sm->EAPOLKeyPairwise)
2181 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2182 else if (sm->TimeoutCtr >
2183 (int) dot11RSNAConfigPairwiseUpdateCount) {
2184 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2185 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2186 "PTKSTART: Retry limit %d reached",
2187 dot11RSNAConfigPairwiseUpdateCount);
2188 SM_ENTER(WPA_PTK, DISCONNECT);
2189 } else if (sm->TimeoutEvt)
2190 SM_ENTER(WPA_PTK, PTKSTART);
2191 break;
2192 case WPA_PTK_PTKCALCNEGOTIATING:
2193 if (sm->MICVerified)
2194 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2195 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2196 sm->EAPOLKeyPairwise)
2197 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2198 else if (sm->TimeoutEvt)
2199 SM_ENTER(WPA_PTK, PTKSTART);
2200 break;
2201 case WPA_PTK_PTKCALCNEGOTIATING2:
2202 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2203 break;
2204 case WPA_PTK_PTKINITNEGOTIATING:
2205 if (sm->update_snonce)
2206 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2207 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2208 sm->EAPOLKeyPairwise && sm->MICVerified)
2209 SM_ENTER(WPA_PTK, PTKINITDONE);
2210 else if (sm->TimeoutCtr >
2211 (int) dot11RSNAConfigPairwiseUpdateCount) {
2212 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2213 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2214 "PTKINITNEGOTIATING: Retry limit %d "
2215 "reached",
2216 dot11RSNAConfigPairwiseUpdateCount);
2217 SM_ENTER(WPA_PTK, DISCONNECT);
2218 } else if (sm->TimeoutEvt)
2219 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2220 break;
2221 case WPA_PTK_PTKINITDONE:
2222 break;
2223 }
2224 }
2225
2226
SM_STATE(WPA_PTK_GROUP,IDLE)2227 SM_STATE(WPA_PTK_GROUP, IDLE)
2228 {
2229 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2230 if (sm->Init) {
2231 /* Init flag is not cleared here, so avoid busy
2232 * loop by claiming nothing changed. */
2233 sm->changed = FALSE;
2234 }
2235 sm->GTimeoutCtr = 0;
2236 }
2237
2238
SM_STATE(WPA_PTK_GROUP,REKEYNEGOTIATING)2239 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2240 {
2241 u8 rsc[WPA_KEY_RSC_LEN];
2242 struct wpa_group *gsm = sm->group;
2243 u8 *kde, *pos, hdr[2];
2244 size_t kde_len;
2245 u8 *gtk, dummy_gtk[32];
2246
2247 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
2248
2249 sm->GTimeoutCtr++;
2250 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2251 /* No point in sending the EAPOL-Key - we will disconnect
2252 * immediately following this. */
2253 return;
2254 }
2255
2256 if (sm->wpa == WPA_VERSION_WPA)
2257 sm->PInitAKeys = FALSE;
2258 sm->TimeoutEvt = FALSE;
2259 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2260 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2261 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2262 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2263 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2264 "sending 1/2 msg of Group Key Handshake");
2265
2266 gtk = gsm->GTK[gsm->GN - 1];
2267 if (sm->wpa_auth->conf.disable_gtk) {
2268 /*
2269 * Provide unique random GTK to each STA to prevent use
2270 * of GTK in the BSS.
2271 */
2272 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2273 return;
2274 gtk = dummy_gtk;
2275 }
2276 if (sm->wpa == WPA_VERSION_WPA2) {
2277 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2278 ieee80211w_kde_len(sm);
2279 kde = os_malloc(kde_len);
2280 if (kde == NULL)
2281 return;
2282
2283 pos = kde;
2284 hdr[0] = gsm->GN & 0x03;
2285 hdr[1] = 0;
2286 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2287 gtk, gsm->GTK_len);
2288 pos = ieee80211w_kde_add(sm, pos);
2289 } else {
2290 kde = gtk;
2291 pos = kde + gsm->GTK_len;
2292 }
2293
2294 wpa_send_eapol(sm->wpa_auth, sm,
2295 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
2296 WPA_KEY_INFO_ACK |
2297 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2298 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
2299 if (sm->wpa == WPA_VERSION_WPA2)
2300 os_free(kde);
2301 }
2302
2303
SM_STATE(WPA_PTK_GROUP,REKEYESTABLISHED)2304 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2305 {
2306 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2307 sm->EAPOLKeyReceived = FALSE;
2308 if (sm->GUpdateStationKeys)
2309 sm->group->GKeyDoneStations--;
2310 sm->GUpdateStationKeys = FALSE;
2311 sm->GTimeoutCtr = 0;
2312 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2313 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2314 "group key handshake completed (%s)",
2315 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2316 sm->has_GTK = TRUE;
2317 }
2318
2319
SM_STATE(WPA_PTK_GROUP,KEYERROR)2320 SM_STATE(WPA_PTK_GROUP, KEYERROR)
2321 {
2322 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2323 if (sm->GUpdateStationKeys)
2324 sm->group->GKeyDoneStations--;
2325 sm->GUpdateStationKeys = FALSE;
2326 sm->Disconnect = TRUE;
2327 }
2328
2329
SM_STEP(WPA_PTK_GROUP)2330 SM_STEP(WPA_PTK_GROUP)
2331 {
2332 if (sm->Init || sm->PtkGroupInit) {
2333 SM_ENTER(WPA_PTK_GROUP, IDLE);
2334 sm->PtkGroupInit = FALSE;
2335 } else switch (sm->wpa_ptk_group_state) {
2336 case WPA_PTK_GROUP_IDLE:
2337 if (sm->GUpdateStationKeys ||
2338 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2339 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2340 break;
2341 case WPA_PTK_GROUP_REKEYNEGOTIATING:
2342 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2343 !sm->EAPOLKeyPairwise && sm->MICVerified)
2344 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2345 else if (sm->GTimeoutCtr >
2346 (int) dot11RSNAConfigGroupUpdateCount)
2347 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2348 else if (sm->TimeoutEvt)
2349 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2350 break;
2351 case WPA_PTK_GROUP_KEYERROR:
2352 SM_ENTER(WPA_PTK_GROUP, IDLE);
2353 break;
2354 case WPA_PTK_GROUP_REKEYESTABLISHED:
2355 SM_ENTER(WPA_PTK_GROUP, IDLE);
2356 break;
2357 }
2358 }
2359
2360
wpa_gtk_update(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2361 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2362 struct wpa_group *group)
2363 {
2364 int ret = 0;
2365
2366 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2367 inc_byte_array(group->Counter, WPA_NONCE_LEN);
2368 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2369 wpa_auth->addr, group->GNonce,
2370 group->GTK[group->GN - 1], group->GTK_len) < 0)
2371 ret = -1;
2372 wpa_hexdump_key(MSG_DEBUG, "GTK",
2373 group->GTK[group->GN - 1], group->GTK_len);
2374
2375 #ifdef CONFIG_IEEE80211W
2376 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2377 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2378 inc_byte_array(group->Counter, WPA_NONCE_LEN);
2379 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2380 wpa_auth->addr, group->GNonce,
2381 group->IGTK[group->GN_igtk - 4],
2382 WPA_IGTK_LEN) < 0)
2383 ret = -1;
2384 wpa_hexdump_key(MSG_DEBUG, "IGTK",
2385 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN);
2386 }
2387 #endif /* CONFIG_IEEE80211W */
2388
2389 return ret;
2390 }
2391
2392
wpa_group_gtk_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2393 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2394 struct wpa_group *group)
2395 {
2396 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2397 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2398 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2399 group->wpa_group_state = WPA_GROUP_GTK_INIT;
2400
2401 /* GTK[0..N] = 0 */
2402 os_memset(group->GTK, 0, sizeof(group->GTK));
2403 group->GN = 1;
2404 group->GM = 2;
2405 #ifdef CONFIG_IEEE80211W
2406 group->GN_igtk = 4;
2407 group->GM_igtk = 5;
2408 #endif /* CONFIG_IEEE80211W */
2409 /* GTK[GN] = CalcGTK() */
2410 wpa_gtk_update(wpa_auth, group);
2411 }
2412
2413
wpa_group_update_sta(struct wpa_state_machine * sm,void * ctx)2414 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2415 {
2416 if (ctx != NULL && ctx != sm->group)
2417 return 0;
2418
2419 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2420 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2421 "Not in PTKINITDONE; skip Group Key update");
2422 sm->GUpdateStationKeys = FALSE;
2423 return 0;
2424 }
2425 if (sm->GUpdateStationKeys) {
2426 /*
2427 * This should not really happen, so add a debug log entry.
2428 * Since we clear the GKeyDoneStations before the loop, the
2429 * station needs to be counted here anyway.
2430 */
2431 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2432 "GUpdateStationKeys was already set when "
2433 "marking station for GTK rekeying");
2434 }
2435
2436 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
2437 if (sm->is_wnmsleep)
2438 return 0;
2439
2440 sm->group->GKeyDoneStations++;
2441 sm->GUpdateStationKeys = TRUE;
2442
2443 wpa_sm_step(sm);
2444 return 0;
2445 }
2446
2447
2448 #ifdef CONFIG_WNM
2449 /* update GTK when exiting WNM-Sleep Mode */
wpa_wnmsleep_rekey_gtk(struct wpa_state_machine * sm)2450 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2451 {
2452 if (sm->is_wnmsleep)
2453 return;
2454
2455 wpa_group_update_sta(sm, NULL);
2456 }
2457
2458
wpa_set_wnmsleep(struct wpa_state_machine * sm,int flag)2459 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2460 {
2461 sm->is_wnmsleep = !!flag;
2462 }
2463
2464
wpa_wnmsleep_gtk_subelem(struct wpa_state_machine * sm,u8 * pos)2465 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2466 {
2467 struct wpa_group *gsm = sm->group;
2468 u8 *start = pos;
2469
2470 /*
2471 * GTK subelement:
2472 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
2473 * Key[5..32]
2474 */
2475 *pos++ = WNM_SLEEP_SUBELEM_GTK;
2476 *pos++ = 11 + gsm->GTK_len;
2477 /* Key ID in B0-B1 of Key Info */
2478 WPA_PUT_LE16(pos, gsm->GN & 0x03);
2479 pos += 2;
2480 *pos++ = gsm->GTK_len;
2481 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
2482 return 0;
2483 pos += 8;
2484 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2485 pos += gsm->GTK_len;
2486
2487 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
2488 gsm->GN);
2489 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
2490 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2491
2492 return pos - start;
2493 }
2494
2495
2496 #ifdef CONFIG_IEEE80211W
wpa_wnmsleep_igtk_subelem(struct wpa_state_machine * sm,u8 * pos)2497 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2498 {
2499 struct wpa_group *gsm = sm->group;
2500 u8 *start = pos;
2501
2502 /*
2503 * IGTK subelement:
2504 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
2505 */
2506 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
2507 *pos++ = 2 + 6 + WPA_IGTK_LEN;
2508 WPA_PUT_LE16(pos, gsm->GN_igtk);
2509 pos += 2;
2510 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
2511 return 0;
2512 pos += 6;
2513
2514 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
2515 pos += WPA_IGTK_LEN;
2516
2517 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
2518 gsm->GN_igtk);
2519 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
2520 gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
2521
2522 return pos - start;
2523 }
2524 #endif /* CONFIG_IEEE80211W */
2525 #endif /* CONFIG_WNM */
2526
2527
wpa_group_setkeys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2528 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2529 struct wpa_group *group)
2530 {
2531 int tmp;
2532
2533 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2534 "SETKEYS (VLAN-ID %d)", group->vlan_id);
2535 group->changed = TRUE;
2536 group->wpa_group_state = WPA_GROUP_SETKEYS;
2537 group->GTKReKey = FALSE;
2538 tmp = group->GM;
2539 group->GM = group->GN;
2540 group->GN = tmp;
2541 #ifdef CONFIG_IEEE80211W
2542 tmp = group->GM_igtk;
2543 group->GM_igtk = group->GN_igtk;
2544 group->GN_igtk = tmp;
2545 #endif /* CONFIG_IEEE80211W */
2546 /* "GKeyDoneStations = GNoStations" is done in more robust way by
2547 * counting the STAs that are marked with GUpdateStationKeys instead of
2548 * including all STAs that could be in not-yet-completed state. */
2549 wpa_gtk_update(wpa_auth, group);
2550
2551 if (group->GKeyDoneStations) {
2552 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
2553 "GKeyDoneStations=%d when starting new GTK rekey",
2554 group->GKeyDoneStations);
2555 group->GKeyDoneStations = 0;
2556 }
2557 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
2558 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
2559 group->GKeyDoneStations);
2560 }
2561
2562
wpa_group_config_group_keys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2563 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
2564 struct wpa_group *group)
2565 {
2566 int ret = 0;
2567
2568 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
2569 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
2570 broadcast_ether_addr, group->GN,
2571 group->GTK[group->GN - 1], group->GTK_len) < 0)
2572 ret = -1;
2573
2574 #ifdef CONFIG_IEEE80211W
2575 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
2576 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK,
2577 broadcast_ether_addr, group->GN_igtk,
2578 group->IGTK[group->GN_igtk - 4],
2579 WPA_IGTK_LEN) < 0)
2580 ret = -1;
2581 #endif /* CONFIG_IEEE80211W */
2582
2583 return ret;
2584 }
2585
2586
wpa_group_setkeysdone(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2587 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
2588 struct wpa_group *group)
2589 {
2590 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2591 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
2592 group->changed = TRUE;
2593 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
2594
2595 if (wpa_group_config_group_keys(wpa_auth, group) < 0)
2596 return -1;
2597
2598 return 0;
2599 }
2600
2601
wpa_group_sm_step(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2602 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
2603 struct wpa_group *group)
2604 {
2605 if (group->GInit) {
2606 wpa_group_gtk_init(wpa_auth, group);
2607 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
2608 group->GTKAuthenticator) {
2609 wpa_group_setkeysdone(wpa_auth, group);
2610 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
2611 group->GTKReKey) {
2612 wpa_group_setkeys(wpa_auth, group);
2613 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
2614 if (group->GKeyDoneStations == 0)
2615 wpa_group_setkeysdone(wpa_auth, group);
2616 else if (group->GTKReKey)
2617 wpa_group_setkeys(wpa_auth, group);
2618 }
2619 }
2620
2621
wpa_sm_step(struct wpa_state_machine * sm)2622 static int wpa_sm_step(struct wpa_state_machine *sm)
2623 {
2624 if (sm == NULL)
2625 return 0;
2626
2627 if (sm->in_step_loop) {
2628 /* This should not happen, but if it does, make sure we do not
2629 * end up freeing the state machine too early by exiting the
2630 * recursive call. */
2631 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
2632 return 0;
2633 }
2634
2635 sm->in_step_loop = 1;
2636 do {
2637 if (sm->pending_deinit)
2638 break;
2639
2640 sm->changed = FALSE;
2641 sm->wpa_auth->group->changed = FALSE;
2642
2643 SM_STEP_RUN(WPA_PTK);
2644 if (sm->pending_deinit)
2645 break;
2646 SM_STEP_RUN(WPA_PTK_GROUP);
2647 if (sm->pending_deinit)
2648 break;
2649 wpa_group_sm_step(sm->wpa_auth, sm->group);
2650 } while (sm->changed || sm->wpa_auth->group->changed);
2651 sm->in_step_loop = 0;
2652
2653 if (sm->pending_deinit) {
2654 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
2655 "machine deinit for " MACSTR, MAC2STR(sm->addr));
2656 wpa_free_sta_sm(sm);
2657 return 1;
2658 }
2659 return 0;
2660 }
2661
2662
wpa_sm_call_step(void * eloop_ctx,void * timeout_ctx)2663 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
2664 {
2665 struct wpa_state_machine *sm = eloop_ctx;
2666 wpa_sm_step(sm);
2667 }
2668
2669
wpa_auth_sm_notify(struct wpa_state_machine * sm)2670 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
2671 {
2672 if (sm == NULL)
2673 return;
2674 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
2675 }
2676
2677
wpa_gtk_rekey(struct wpa_authenticator * wpa_auth)2678 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
2679 {
2680 int tmp, i;
2681 struct wpa_group *group;
2682
2683 if (wpa_auth == NULL)
2684 return;
2685
2686 group = wpa_auth->group;
2687
2688 for (i = 0; i < 2; i++) {
2689 tmp = group->GM;
2690 group->GM = group->GN;
2691 group->GN = tmp;
2692 #ifdef CONFIG_IEEE80211W
2693 tmp = group->GM_igtk;
2694 group->GM_igtk = group->GN_igtk;
2695 group->GN_igtk = tmp;
2696 #endif /* CONFIG_IEEE80211W */
2697 wpa_gtk_update(wpa_auth, group);
2698 wpa_group_config_group_keys(wpa_auth, group);
2699 }
2700 }
2701
2702
wpa_bool_txt(int bool)2703 static const char * wpa_bool_txt(int bool)
2704 {
2705 return bool ? "TRUE" : "FALSE";
2706 }
2707
2708
2709 #define RSN_SUITE "%02x-%02x-%02x-%d"
2710 #define RSN_SUITE_ARG(s) \
2711 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2712
wpa_get_mib(struct wpa_authenticator * wpa_auth,char * buf,size_t buflen)2713 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
2714 {
2715 int len = 0, ret;
2716 char pmkid_txt[PMKID_LEN * 2 + 1];
2717 #ifdef CONFIG_RSN_PREAUTH
2718 const int preauth = 1;
2719 #else /* CONFIG_RSN_PREAUTH */
2720 const int preauth = 0;
2721 #endif /* CONFIG_RSN_PREAUTH */
2722
2723 if (wpa_auth == NULL)
2724 return len;
2725
2726 ret = os_snprintf(buf + len, buflen - len,
2727 "dot11RSNAOptionImplemented=TRUE\n"
2728 "dot11RSNAPreauthenticationImplemented=%s\n"
2729 "dot11RSNAEnabled=%s\n"
2730 "dot11RSNAPreauthenticationEnabled=%s\n",
2731 wpa_bool_txt(preauth),
2732 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
2733 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
2734 if (ret < 0 || (size_t) ret >= buflen - len)
2735 return len;
2736 len += ret;
2737
2738 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2739 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
2740
2741 ret = os_snprintf(
2742 buf + len, buflen - len,
2743 "dot11RSNAConfigVersion=%u\n"
2744 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
2745 /* FIX: dot11RSNAConfigGroupCipher */
2746 /* FIX: dot11RSNAConfigGroupRekeyMethod */
2747 /* FIX: dot11RSNAConfigGroupRekeyTime */
2748 /* FIX: dot11RSNAConfigGroupRekeyPackets */
2749 "dot11RSNAConfigGroupRekeyStrict=%u\n"
2750 "dot11RSNAConfigGroupUpdateCount=%u\n"
2751 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
2752 "dot11RSNAConfigGroupCipherSize=%u\n"
2753 "dot11RSNAConfigPMKLifetime=%u\n"
2754 "dot11RSNAConfigPMKReauthThreshold=%u\n"
2755 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
2756 "dot11RSNAConfigSATimeout=%u\n"
2757 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2758 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2759 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2760 "dot11RSNAPMKIDUsed=%s\n"
2761 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2762 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2763 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2764 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
2765 "dot11RSNA4WayHandshakeFailures=%u\n"
2766 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
2767 RSN_VERSION,
2768 !!wpa_auth->conf.wpa_strict_rekey,
2769 dot11RSNAConfigGroupUpdateCount,
2770 dot11RSNAConfigPairwiseUpdateCount,
2771 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
2772 dot11RSNAConfigPMKLifetime,
2773 dot11RSNAConfigPMKReauthThreshold,
2774 dot11RSNAConfigSATimeout,
2775 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
2776 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
2777 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
2778 pmkid_txt,
2779 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
2780 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
2781 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
2782 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
2783 wpa_auth->dot11RSNA4WayHandshakeFailures);
2784 if (ret < 0 || (size_t) ret >= buflen - len)
2785 return len;
2786 len += ret;
2787
2788 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
2789 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
2790
2791 /* Private MIB */
2792 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
2793 wpa_auth->group->wpa_group_state);
2794 if (ret < 0 || (size_t) ret >= buflen - len)
2795 return len;
2796 len += ret;
2797
2798 return len;
2799 }
2800
2801
wpa_get_mib_sta(struct wpa_state_machine * sm,char * buf,size_t buflen)2802 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
2803 {
2804 int len = 0, ret;
2805 u32 pairwise = 0;
2806
2807 if (sm == NULL)
2808 return 0;
2809
2810 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
2811
2812 /* dot11RSNAStatsEntry */
2813
2814 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
2815 WPA_PROTO_RSN : WPA_PROTO_WPA,
2816 sm->pairwise);
2817 if (pairwise == 0)
2818 return 0;
2819
2820 ret = os_snprintf(
2821 buf + len, buflen - len,
2822 /* TODO: dot11RSNAStatsIndex */
2823 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
2824 "dot11RSNAStatsVersion=1\n"
2825 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
2826 /* TODO: dot11RSNAStatsTKIPICVErrors */
2827 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
2828 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
2829 /* TODO: dot11RSNAStatsCCMPReplays */
2830 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
2831 /* TODO: dot11RSNAStatsTKIPReplays */,
2832 MAC2STR(sm->addr),
2833 RSN_SUITE_ARG(pairwise),
2834 sm->dot11RSNAStatsTKIPLocalMICFailures,
2835 sm->dot11RSNAStatsTKIPRemoteMICFailures);
2836 if (ret < 0 || (size_t) ret >= buflen - len)
2837 return len;
2838 len += ret;
2839
2840 /* Private MIB */
2841 ret = os_snprintf(buf + len, buflen - len,
2842 "hostapdWPAPTKState=%d\n"
2843 "hostapdWPAPTKGroupState=%d\n",
2844 sm->wpa_ptk_state,
2845 sm->wpa_ptk_group_state);
2846 if (ret < 0 || (size_t) ret >= buflen - len)
2847 return len;
2848 len += ret;
2849
2850 return len;
2851 }
2852
2853
wpa_auth_countermeasures_start(struct wpa_authenticator * wpa_auth)2854 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
2855 {
2856 if (wpa_auth)
2857 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
2858 }
2859
2860
wpa_auth_pairwise_set(struct wpa_state_machine * sm)2861 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
2862 {
2863 return sm && sm->pairwise_set;
2864 }
2865
2866
wpa_auth_get_pairwise(struct wpa_state_machine * sm)2867 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
2868 {
2869 return sm->pairwise;
2870 }
2871
2872
wpa_auth_sta_key_mgmt(struct wpa_state_machine * sm)2873 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
2874 {
2875 if (sm == NULL)
2876 return -1;
2877 return sm->wpa_key_mgmt;
2878 }
2879
2880
wpa_auth_sta_wpa_version(struct wpa_state_machine * sm)2881 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
2882 {
2883 if (sm == NULL)
2884 return 0;
2885 return sm->wpa;
2886 }
2887
2888
wpa_auth_sta_clear_pmksa(struct wpa_state_machine * sm,struct rsn_pmksa_cache_entry * entry)2889 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
2890 struct rsn_pmksa_cache_entry *entry)
2891 {
2892 if (sm == NULL || sm->pmksa != entry)
2893 return -1;
2894 sm->pmksa = NULL;
2895 return 0;
2896 }
2897
2898
2899 struct rsn_pmksa_cache_entry *
wpa_auth_sta_get_pmksa(struct wpa_state_machine * sm)2900 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
2901 {
2902 return sm ? sm->pmksa : NULL;
2903 }
2904
2905
wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine * sm)2906 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
2907 {
2908 if (sm)
2909 sm->dot11RSNAStatsTKIPLocalMICFailures++;
2910 }
2911
2912
wpa_auth_get_wpa_ie(struct wpa_authenticator * wpa_auth,size_t * len)2913 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
2914 {
2915 if (wpa_auth == NULL)
2916 return NULL;
2917 *len = wpa_auth->wpa_ie_len;
2918 return wpa_auth->wpa_ie;
2919 }
2920
2921
wpa_auth_pmksa_add(struct wpa_state_machine * sm,const u8 * pmk,int session_timeout,struct eapol_state_machine * eapol)2922 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
2923 int session_timeout, struct eapol_state_machine *eapol)
2924 {
2925 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
2926 sm->wpa_auth->conf.disable_pmksa_caching)
2927 return -1;
2928
2929 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
2930 sm->wpa_auth->addr, sm->addr, session_timeout,
2931 eapol, sm->wpa_key_mgmt))
2932 return 0;
2933
2934 return -1;
2935 }
2936
2937
wpa_auth_pmksa_add_preauth(struct wpa_authenticator * wpa_auth,const u8 * pmk,size_t len,const u8 * sta_addr,int session_timeout,struct eapol_state_machine * eapol)2938 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
2939 const u8 *pmk, size_t len, const u8 *sta_addr,
2940 int session_timeout,
2941 struct eapol_state_machine *eapol)
2942 {
2943 if (wpa_auth == NULL)
2944 return -1;
2945
2946 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
2947 sta_addr, session_timeout, eapol,
2948 WPA_KEY_MGMT_IEEE8021X))
2949 return 0;
2950
2951 return -1;
2952 }
2953
2954
wpa_auth_pmksa_remove(struct wpa_authenticator * wpa_auth,const u8 * sta_addr)2955 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
2956 const u8 *sta_addr)
2957 {
2958 struct rsn_pmksa_cache_entry *pmksa;
2959
2960 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
2961 return;
2962 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
2963 if (pmksa) {
2964 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
2965 MACSTR " based on request", MAC2STR(sta_addr));
2966 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
2967 }
2968 }
2969
2970
2971 static struct wpa_group *
wpa_auth_add_group(struct wpa_authenticator * wpa_auth,int vlan_id)2972 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
2973 {
2974 struct wpa_group *group;
2975
2976 if (wpa_auth == NULL || wpa_auth->group == NULL)
2977 return NULL;
2978
2979 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
2980 vlan_id);
2981 group = wpa_group_init(wpa_auth, vlan_id, 0);
2982 if (group == NULL)
2983 return NULL;
2984
2985 group->next = wpa_auth->group->next;
2986 wpa_auth->group->next = group;
2987
2988 return group;
2989 }
2990
2991
wpa_auth_sta_set_vlan(struct wpa_state_machine * sm,int vlan_id)2992 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
2993 {
2994 struct wpa_group *group;
2995
2996 if (sm == NULL || sm->wpa_auth == NULL)
2997 return 0;
2998
2999 group = sm->wpa_auth->group;
3000 while (group) {
3001 if (group->vlan_id == vlan_id)
3002 break;
3003 group = group->next;
3004 }
3005
3006 if (group == NULL) {
3007 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3008 if (group == NULL)
3009 return -1;
3010 }
3011
3012 if (sm->group == group)
3013 return 0;
3014
3015 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3016 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3017
3018 sm->group = group;
3019 return 0;
3020 }
3021
3022
wpa_auth_eapol_key_tx_status(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int ack)3023 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3024 struct wpa_state_machine *sm, int ack)
3025 {
3026 if (wpa_auth == NULL || sm == NULL)
3027 return;
3028 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3029 " ack=%d", MAC2STR(sm->addr), ack);
3030 if (sm->pending_1_of_4_timeout && ack) {
3031 /*
3032 * Some deployed supplicant implementations update their SNonce
3033 * for each EAPOL-Key 2/4 message even within the same 4-way
3034 * handshake and then fail to use the first SNonce when
3035 * deriving the PTK. This results in unsuccessful 4-way
3036 * handshake whenever the relatively short initial timeout is
3037 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3038 * around this by increasing the timeout now that we know that
3039 * the station has received the frame.
3040 */
3041 int timeout_ms = eapol_key_timeout_subseq;
3042 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3043 "timeout by %u ms because of acknowledged frame",
3044 timeout_ms);
3045 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3046 eloop_register_timeout(timeout_ms / 1000,
3047 (timeout_ms % 1000) * 1000,
3048 wpa_send_eapol_timeout, wpa_auth, sm);
3049 }
3050 }
3051
3052
wpa_auth_uses_sae(struct wpa_state_machine * sm)3053 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
3054 {
3055 if (sm == NULL)
3056 return 0;
3057 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
3058 }
3059