2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2006, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
25 #include "l2_packet.h"
28 #include "pmksa_cache.h"
32 static const int WPA_SELECTOR_LEN = 4;
33 static const u8 WPA_OUI_TYPE[] = { 0x00, 0x50, 0xf2, 1 };
34 static const u16 WPA_VERSION = 1;
35 static const u8 WPA_AUTH_KEY_MGMT_NONE[] = { 0x00, 0x50, 0xf2, 0 };
36 static const u8 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 };
37 static const u8 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 };
38 static const u8 WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 };
39 static const u8 WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 };
40 static const u8 WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 };
42 static const u8 WPA_CIPHER_SUITE_WRAP[] = { 0x00, 0x50, 0xf2, 3 };
44 static const u8 WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 };
45 static const u8 WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 };
48 * 00-50-f2:1 (OUI:OUI type)
49 * 0x01 0x00 (version; little endian)
50 * (all following fields are optional:)
51 * Group Suite Selector (4 octets) (default: TKIP)
52 * Pairwise Suite Count (2 octets, little endian) (default: 1)
53 * Pairwise Suite List (4 * n octets) (default: TKIP)
54 * Authenticated Key Management Suite Count (2 octets, little endian)
56 * Authenticated Key Management Suite List (4 * n octets)
57 * (default: unspec 802.1X)
58 * WPA Capabilities (2 octets, little endian) (default: 0)
78 static const int RSN_SELECTOR_LEN = 4;
79 static const u16 RSN_VERSION = 1;
80 static const u8 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 };
81 static const u8 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 };
82 static const u8 RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 };
83 static const u8 RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 };
84 static const u8 RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 };
86 static const u8 RSN_CIPHER_SUITE_WRAP[] = { 0x00, 0x0f, 0xac, 3 };
88 static const u8 RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 };
89 static const u8 RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 };
90 #ifdef CONFIG_IEEE80211W
91 static const u8 RSN_CIPHER_SUITE_AES_128_CMAC[] = { 0x00, 0x0f, 0xac, 6 };
92 #endif /* CONFIG_IEEE80211W */
94 /* EAPOL-Key Key Data Encapsulation
95 * GroupKey and PeerKey require encryption, otherwise, encryption is optional.
97 static const u8 RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 };
99 static const u8 RSN_KEY_DATA_STAKEY[] = { 0x00, 0x0f, 0xac, 2 };
101 static const u8 RSN_KEY_DATA_MAC_ADDR[] = { 0x00, 0x0f, 0xac, 3 };
102 static const u8 RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 };
103 #ifdef CONFIG_PEERKEY
104 static const u8 RSN_KEY_DATA_SMK[] = { 0x00, 0x0f, 0xac, 5 };
105 static const u8 RSN_KEY_DATA_NONCE[] = { 0x00, 0x0f, 0xac, 6 };
106 static const u8 RSN_KEY_DATA_LIFETIME[] = { 0x00, 0x0f, 0xac, 7 };
107 static const u8 RSN_KEY_DATA_ERROR[] = { 0x00, 0x0f, 0xac, 8 };
108 #endif /* CONFIG_PEERKEY */
109 #ifdef CONFIG_IEEE80211W
110 /* FIX: IEEE 802.11w/D1.0 is using subtypes 5 and 6 for these, but they were
111 * already taken by 802.11ma (PeerKey). Need to update the values here once
112 * IEEE 802.11w fixes these. */
113 static const u8 RSN_KEY_DATA_DHV[] = { 0x00, 0x0f, 0xac, 9 };
114 static const u8 RSN_KEY_DATA_IGTK[] = { 0x00, 0x0f, 0xac, 10 };
115 #endif /* CONFIG_IEEE80211W */
117 #ifdef CONFIG_PEERKEY
119 STK_MUI_4WAY_STA_AP = 1,
120 STK_MUI_4WAY_STAT_STA = 2,
127 STK_ERR_STA_NRSN = 2,
131 #endif /* CONFIG_PEERKEY */
135 * 3/4: one or two RSN IEs + GTK IE (encrypted)
137 * 1/2: GTK IE (encrypted)
142 * 0x01 0x00 (version; little endian)
143 * (all following fields are optional:)
144 * Group Suite Selector (4 octets) (default: CCMP)
145 * Pairwise Suite Count (2 octets, little endian) (default: 1)
146 * Pairwise Suite List (4 * n octets) (default: CCMP)
147 * Authenticated Key Management Suite Count (2 octets, little endian)
149 * Authenticated Key Management Suite List (4 * n octets)
150 * (default: unspec 802.1X)
151 * RSN Capabilities (2 octets, little endian) (default: 0)
152 * PMKID Count (2 octets) (default: 0)
153 * PMKID List (16 * n octets)
154 * Management Group Cipher Suite (4 octets) (default: AES-128-CMAC)
158 #pragma pack(push, 1)
159 #endif /* _MSC_VER */
162 u8 elem_id; /* WLAN_EID_RSN */
168 struct wpa_eapol_key {
170 /* Note: key_info, key_length, and key_data_length are unaligned */
173 u8 replay_counter[WPA_REPLAY_COUNTER_LEN];
174 u8 key_nonce[WPA_NONCE_LEN];
177 u8 key_id[8]; /* Reserved in IEEE 802.11i/RSN */
179 u8 key_data_length[2];
180 /* followed by key_data_length bytes of key_data */
184 struct rsn_error_kde {
189 #ifdef CONFIG_IEEE80211W
194 struct wpa_igtk_kde {
197 u8 igtk[WPA_IGTK_LEN];
199 #endif /* CONFIG_IEEE80211W */
203 #endif /* _MSC_VER */
205 #define WPA_KEY_INFO_TYPE_MASK ((u16) (BIT(0) | BIT(1) | BIT(2)))
206 #define WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 BIT(0)
207 #define WPA_KEY_INFO_TYPE_HMAC_SHA1_AES BIT(1)
208 #define WPA_KEY_INFO_KEY_TYPE BIT(3) /* 1 = Pairwise, 0 = Group key */
209 /* bit4..5 is used in WPA, but is reserved in IEEE 802.11i/RSN */
210 #define WPA_KEY_INFO_KEY_INDEX_MASK (BIT(4) | BIT(5))
211 #define WPA_KEY_INFO_KEY_INDEX_SHIFT 4
212 #define WPA_KEY_INFO_INSTALL BIT(6) /* pairwise */
213 #define WPA_KEY_INFO_TXRX BIT(6) /* group */
214 #define WPA_KEY_INFO_ACK BIT(7)
215 #define WPA_KEY_INFO_MIC BIT(8)
216 #define WPA_KEY_INFO_SECURE BIT(9)
217 #define WPA_KEY_INFO_ERROR BIT(10)
218 #define WPA_KEY_INFO_REQUEST BIT(11)
219 #define WPA_KEY_INFO_ENCR_KEY_DATA BIT(12) /* IEEE 802.11i/RSN only */
220 #define WPA_KEY_INFO_SMK_MESSAGE BIT(13)
223 #ifdef CONFIG_PEERKEY
224 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm,
225 struct wpa_peerkey *peerkey);
226 #endif /* CONFIG_PEERKEY */
230 * wpa_cipher_txt - Convert cipher suite to a text string
231 * @cipher: Cipher suite (WPA_CIPHER_* enum)
232 * Returns: Pointer to a text string of the cipher suite name
234 static const char * wpa_cipher_txt(int cipher)
237 case WPA_CIPHER_NONE:
239 case WPA_CIPHER_WEP40:
241 case WPA_CIPHER_WEP104:
243 case WPA_CIPHER_TKIP:
245 case WPA_CIPHER_CCMP:
254 * wpa_key_mgmt_txt - Convert key management suite to a text string
255 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
256 * @proto: WPA/WPA2 version (WPA_PROTO_*)
257 * Returns: Pointer to a text string of the key management suite name
259 static const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
262 case WPA_KEY_MGMT_IEEE8021X:
263 return proto == WPA_PROTO_RSN ?
264 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
265 case WPA_KEY_MGMT_PSK:
266 return proto == WPA_PROTO_RSN ?
267 "WPA2-PSK" : "WPA-PSK";
268 case WPA_KEY_MGMT_NONE:
270 case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
271 return "IEEE 802.1X (no WPA)";
278 static int wpa_selector_to_bitfield(const u8 *s)
280 if (os_memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0)
281 return WPA_CIPHER_NONE;
282 if (os_memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0)
283 return WPA_CIPHER_WEP40;
284 if (os_memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0)
285 return WPA_CIPHER_TKIP;
286 if (os_memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0)
287 return WPA_CIPHER_CCMP;
288 if (os_memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0)
289 return WPA_CIPHER_WEP104;
294 static int wpa_key_mgmt_to_bitfield(const u8 *s)
296 if (os_memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) ==
298 return WPA_KEY_MGMT_IEEE8021X;
299 if (os_memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN)
301 return WPA_KEY_MGMT_PSK;
302 if (os_memcmp(s, WPA_AUTH_KEY_MGMT_NONE, WPA_SELECTOR_LEN) == 0)
303 return WPA_KEY_MGMT_WPA_NONE;
308 #ifndef CONFIG_NO_WPA2
309 static int rsn_selector_to_bitfield(const u8 *s)
311 if (os_memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0)
312 return WPA_CIPHER_NONE;
313 if (os_memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0)
314 return WPA_CIPHER_WEP40;
315 if (os_memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0)
316 return WPA_CIPHER_TKIP;
317 if (os_memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0)
318 return WPA_CIPHER_CCMP;
319 if (os_memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0)
320 return WPA_CIPHER_WEP104;
321 #ifdef CONFIG_IEEE80211W
322 if (os_memcmp(s, RSN_CIPHER_SUITE_AES_128_CMAC, RSN_SELECTOR_LEN) == 0)
323 return WPA_CIPHER_AES_128_CMAC;
324 #endif /* CONFIG_IEEE80211W */
329 static int rsn_key_mgmt_to_bitfield(const u8 *s)
331 if (os_memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) ==
333 return WPA_KEY_MGMT_IEEE8021X;
334 if (os_memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN)
336 return WPA_KEY_MGMT_PSK;
339 #endif /* CONFIG_NO_WPA2 */
342 #ifdef CONFIG_PEERKEY
343 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
345 os_memcpy(pos, ie, ie_len);
350 static u8 * wpa_add_kde(u8 *pos, const u8 *kde, const u8 *data,
353 *pos++ = GENERIC_INFO_ELEM;
354 *pos++ = RSN_SELECTOR_LEN + data_len;
355 os_memcpy(pos, kde, RSN_SELECTOR_LEN);
356 pos += RSN_SELECTOR_LEN;
357 os_memcpy(pos, data, data_len);
361 #endif /* CONFIG_PEERKEY */
364 static int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
365 struct wpa_ie_data *data)
367 const struct wpa_ie_hdr *hdr;
372 data->proto = WPA_PROTO_WPA;
373 data->pairwise_cipher = WPA_CIPHER_TKIP;
374 data->group_cipher = WPA_CIPHER_TKIP;
375 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
376 data->capabilities = 0;
379 data->mgmt_group_cipher = 0;
381 if (wpa_ie_len == 0) {
382 /* No WPA IE - fail silently */
386 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
387 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
388 __func__, (unsigned long) wpa_ie_len);
392 hdr = (const struct wpa_ie_hdr *) wpa_ie;
394 if (hdr->elem_id != GENERIC_INFO_ELEM ||
395 hdr->len != wpa_ie_len - 2 ||
396 os_memcmp(hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN) != 0 ||
397 WPA_GET_LE16(hdr->version) != WPA_VERSION) {
398 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
403 pos = (const u8 *) (hdr + 1);
404 left = wpa_ie_len - sizeof(*hdr);
406 if (left >= WPA_SELECTOR_LEN) {
407 data->group_cipher = wpa_selector_to_bitfield(pos);
408 pos += WPA_SELECTOR_LEN;
409 left -= WPA_SELECTOR_LEN;
410 } else if (left > 0) {
411 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
417 data->pairwise_cipher = 0;
418 count = WPA_GET_LE16(pos);
421 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
422 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
423 "count %u left %u", __func__, count, left);
426 for (i = 0; i < count; i++) {
427 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
428 pos += WPA_SELECTOR_LEN;
429 left -= WPA_SELECTOR_LEN;
431 } else if (left == 1) {
432 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
439 count = WPA_GET_LE16(pos);
442 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
443 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
444 "count %u left %u", __func__, count, left);
447 for (i = 0; i < count; i++) {
448 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
449 pos += WPA_SELECTOR_LEN;
450 left -= WPA_SELECTOR_LEN;
452 } else if (left == 1) {
453 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
459 data->capabilities = WPA_GET_LE16(pos);
465 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
473 static int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
474 struct wpa_ie_data *data)
476 #ifndef CONFIG_NO_WPA2
477 const struct rsn_ie_hdr *hdr;
482 data->proto = WPA_PROTO_RSN;
483 data->pairwise_cipher = WPA_CIPHER_CCMP;
484 data->group_cipher = WPA_CIPHER_CCMP;
485 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
486 data->capabilities = 0;
489 #ifdef CONFIG_IEEE80211W
490 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
491 #else /* CONFIG_IEEE80211W */
492 data->mgmt_group_cipher = 0;
493 #endif /* CONFIG_IEEE80211W */
496 if (rsn_ie_len == 0) {
497 /* No RSN IE - fail silently */
501 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
502 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
503 __func__, (unsigned long) rsn_ie_len);
507 hdr = (const struct rsn_ie_hdr *) rsn_ie;
509 if (hdr->elem_id != RSN_INFO_ELEM ||
510 hdr->len != rsn_ie_len - 2 ||
511 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
512 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
517 pos = (const u8 *) (hdr + 1);
518 left = rsn_ie_len - sizeof(*hdr);
520 if (left >= RSN_SELECTOR_LEN) {
521 data->group_cipher = rsn_selector_to_bitfield(pos);
522 #ifdef CONFIG_IEEE80211W
523 if (data->group_cipher == WPA_CIPHER_AES_128_CMAC) {
524 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as group "
528 #endif /* CONFIG_IEEE80211W */
529 pos += RSN_SELECTOR_LEN;
530 left -= RSN_SELECTOR_LEN;
531 } else if (left > 0) {
532 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
538 data->pairwise_cipher = 0;
539 count = WPA_GET_LE16(pos);
542 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
543 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
544 "count %u left %u", __func__, count, left);
547 for (i = 0; i < count; i++) {
548 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
549 pos += RSN_SELECTOR_LEN;
550 left -= RSN_SELECTOR_LEN;
552 #ifdef CONFIG_IEEE80211W
553 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
554 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
555 "pairwise cipher", __func__);
558 #endif /* CONFIG_IEEE80211W */
559 } else if (left == 1) {
560 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
567 count = WPA_GET_LE16(pos);
570 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
571 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
572 "count %u left %u", __func__, count, left);
575 for (i = 0; i < count; i++) {
576 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
577 pos += RSN_SELECTOR_LEN;
578 left -= RSN_SELECTOR_LEN;
580 } else if (left == 1) {
581 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
587 data->capabilities = WPA_GET_LE16(pos);
593 data->num_pmkid = WPA_GET_LE16(pos);
596 if (left < data->num_pmkid * PMKID_LEN) {
597 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
598 "(num_pmkid=%d left=%d)",
599 __func__, data->num_pmkid, left);
603 pos += data->num_pmkid * PMKID_LEN;
604 left -= data->num_pmkid * PMKID_LEN;
608 #ifdef CONFIG_IEEE80211W
610 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
611 if (data->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC) {
612 wpa_printf(MSG_DEBUG, "%s: Unsupported management "
613 "group cipher 0x%x", __func__,
614 data->mgmt_group_cipher);
617 pos += RSN_SELECTOR_LEN;
618 left -= RSN_SELECTOR_LEN;
620 #endif /* CONFIG_IEEE80211W */
623 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
628 #else /* CONFIG_NO_WPA2 */
630 #endif /* CONFIG_NO_WPA2 */
635 * wpa_parse_wpa_ie - Parse WPA/RSN IE
636 * @wpa_ie: Pointer to WPA or RSN IE
637 * @wpa_ie_len: Length of the WPA/RSN IE
638 * @data: Pointer to data area for parsing results
639 * Returns: 0 on success, -1 on failure
641 * Parse the contents of WPA or RSN IE and write the parsed data into data.
643 int wpa_parse_wpa_ie(const u8 *wpa_ie, size_t wpa_ie_len,
644 struct wpa_ie_data *data)
646 if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM)
647 return wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, data);
649 return wpa_parse_wpa_ie_wpa(wpa_ie, wpa_ie_len, data);
653 static int wpa_gen_wpa_ie_wpa(u8 *wpa_ie, size_t wpa_ie_len,
654 int pairwise_cipher, int group_cipher,
658 struct wpa_ie_hdr *hdr;
660 if (wpa_ie_len < sizeof(*hdr) + WPA_SELECTOR_LEN +
661 2 + WPA_SELECTOR_LEN + 2 + WPA_SELECTOR_LEN)
664 hdr = (struct wpa_ie_hdr *) wpa_ie;
665 hdr->elem_id = GENERIC_INFO_ELEM;
666 os_memcpy(hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN);
667 WPA_PUT_LE16(hdr->version, WPA_VERSION);
668 pos = (u8 *) (hdr + 1);
670 if (group_cipher == WPA_CIPHER_CCMP) {
671 os_memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
672 } else if (group_cipher == WPA_CIPHER_TKIP) {
673 os_memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
674 } else if (group_cipher == WPA_CIPHER_WEP104) {
675 os_memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN);
676 } else if (group_cipher == WPA_CIPHER_WEP40) {
677 os_memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN);
679 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
683 pos += WPA_SELECTOR_LEN;
687 if (pairwise_cipher == WPA_CIPHER_CCMP) {
688 os_memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
689 } else if (pairwise_cipher == WPA_CIPHER_TKIP) {
690 os_memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
691 } else if (pairwise_cipher == WPA_CIPHER_NONE) {
692 os_memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN);
694 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
698 pos += WPA_SELECTOR_LEN;
702 if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
703 os_memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X,
705 } else if (key_mgmt == WPA_KEY_MGMT_PSK) {
706 os_memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X,
708 } else if (key_mgmt == WPA_KEY_MGMT_WPA_NONE) {
709 os_memcpy(pos, WPA_AUTH_KEY_MGMT_NONE, WPA_SELECTOR_LEN);
711 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
715 pos += WPA_SELECTOR_LEN;
717 /* WPA Capabilities; use defaults, so no need to include it */
719 hdr->len = (pos - wpa_ie) - 2;
721 WPA_ASSERT((size_t) (pos - wpa_ie) <= wpa_ie_len);
727 static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
728 int pairwise_cipher, int group_cipher,
729 int key_mgmt, int mgmt_group_cipher,
732 #ifndef CONFIG_NO_WPA2
734 struct rsn_ie_hdr *hdr;
737 if (rsn_ie_len < sizeof(*hdr) + RSN_SELECTOR_LEN +
738 2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN + 2 +
739 (sm->cur_pmksa ? 2 + PMKID_LEN : 0))
742 hdr = (struct rsn_ie_hdr *) rsn_ie;
743 hdr->elem_id = RSN_INFO_ELEM;
744 WPA_PUT_LE16(hdr->version, RSN_VERSION);
745 pos = (u8 *) (hdr + 1);
747 if (group_cipher == WPA_CIPHER_CCMP) {
748 os_memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
749 } else if (group_cipher == WPA_CIPHER_TKIP) {
750 os_memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
751 } else if (group_cipher == WPA_CIPHER_WEP104) {
752 os_memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN);
753 } else if (group_cipher == WPA_CIPHER_WEP40) {
754 os_memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN);
756 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
760 pos += RSN_SELECTOR_LEN;
764 if (pairwise_cipher == WPA_CIPHER_CCMP) {
765 os_memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
766 } else if (pairwise_cipher == WPA_CIPHER_TKIP) {
767 os_memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
768 } else if (pairwise_cipher == WPA_CIPHER_NONE) {
769 os_memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN);
771 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
775 pos += RSN_SELECTOR_LEN;
779 if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
780 os_memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X,
782 } else if (key_mgmt == WPA_KEY_MGMT_PSK) {
783 os_memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X,
786 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
790 pos += RSN_SELECTOR_LEN;
792 /* RSN Capabilities */
794 #ifdef CONFIG_IEEE80211W
795 if (mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
796 capab |= WPA_CAPABILITY_MGMT_FRAME_PROTECTION;
797 #endif /* CONFIG_IEEE80211W */
798 WPA_PUT_LE16(pos, capab);
802 /* PMKID Count (2 octets, little endian) */
806 os_memcpy(pos, sm->cur_pmksa->pmkid, PMKID_LEN);
810 #ifdef CONFIG_IEEE80211W
811 if (mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
812 if (!sm->cur_pmksa) {
814 WPA_PUT_LE16(pos, 0);
817 /* Management Group Cipher Suite */
818 memcpy(pos, RSN_CIPHER_SUITE_AES_128_CMAC,
820 pos += RSN_SELECTOR_LEN;
823 #endif /* CONFIG_IEEE80211W */
825 hdr->len = (pos - rsn_ie) - 2;
827 WPA_ASSERT((size_t) (pos - rsn_ie) <= rsn_ie_len);
830 #else /* CONFIG_NO_WPA2 */
832 #endif /* CONFIG_NO_WPA2 */
837 * wpa_gen_wpa_ie - Generate WPA/RSN IE based on current security policy
838 * @sm: Pointer to WPA state machine data from wpa_sm_init()
839 * @wpa_ie: Pointer to memory area for the generated WPA/RSN IE
840 * @wpa_ie_len: Maximum length of the generated WPA/RSN IE
841 * Returns: Length of the generated WPA/RSN IE or -1 on failure
843 static int wpa_gen_wpa_ie(struct wpa_sm *sm, u8 *wpa_ie, size_t wpa_ie_len)
845 if (sm->proto == WPA_PROTO_RSN)
846 return wpa_gen_wpa_ie_rsn(wpa_ie, wpa_ie_len,
849 sm->key_mgmt, sm->mgmt_group_cipher,
852 return wpa_gen_wpa_ie_wpa(wpa_ie, wpa_ie_len,
860 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
861 * @pmk: Pairwise master key
862 * @pmk_len: Length of PMK
863 * @label: Label to use in derivation
866 * @nonce1: ANonce or SNonce
867 * @nonce2: SNonce or ANonce
868 * @ptk: Buffer for pairwise transient key
869 * @ptk_len: Length of PTK
871 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
872 * PTK = PRF-X(PMK, "Pairwise key expansion",
873 * Min(AA, SA) || Max(AA, SA) ||
874 * Min(ANonce, SNonce) || Max(ANonce, SNonce))
876 * STK = PRF-X(SMK, "Peer key expansion",
877 * Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) ||
878 * Min(INonce, PNonce) || Max(INonce, PNonce))
880 static void wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
882 const u8 *addr1, const u8 *addr2,
883 const u8 *nonce1, const u8 *nonce2,
884 u8 *ptk, size_t ptk_len)
886 u8 data[2 * ETH_ALEN + 2 * 32];
888 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
889 os_memcpy(data, addr1, ETH_ALEN);
890 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
892 os_memcpy(data, addr2, ETH_ALEN);
893 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
896 if (os_memcmp(nonce1, nonce2, 32) < 0) {
897 os_memcpy(data + 2 * ETH_ALEN, nonce1, 32);
898 os_memcpy(data + 2 * ETH_ALEN + 32, nonce2, 32);
900 os_memcpy(data + 2 * ETH_ALEN, nonce2, 32);
901 os_memcpy(data + 2 * ETH_ALEN + 32, nonce1, 32);
904 sha1_prf(pmk, pmk_len, label, data, sizeof(data), ptk, ptk_len);
906 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
907 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", ptk, ptk_len);
912 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
913 * @key: EAPOL-Key Key Confirmation Key (KCK)
914 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
915 * @buf: Pointer to the beginning of the EAPOL header (version field)
916 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
917 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
919 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
920 * to be cleared (all zeroes) when calling this function.
922 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
923 * description of the Key MIC calculation. It includes packet data from the
924 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
925 * happened during final editing of the standard and the correct behavior is
926 * defined in the last draft (IEEE 802.11i/D10).
928 static void wpa_eapol_key_mic(const u8 *key, int ver,
929 const u8 *buf, size_t len, u8 *mic)
931 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
932 hmac_md5(key, 16, buf, len, mic);
933 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
934 u8 hash[SHA1_MAC_LEN];
935 hmac_sha1(key, 16, buf, len, hash);
936 os_memcpy(mic, hash, MD5_MAC_LEN);
941 static void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck,
942 int ver, const u8 *dest, u16 proto,
943 u8 *msg, size_t msg_len, u8 *key_mic)
945 if (os_memcmp(dest, "\x00\x00\x00\x00\x00\x00", ETH_ALEN) == 0 &&
946 os_memcmp(sm->bssid, "\x00\x00\x00\x00\x00\x00", ETH_ALEN) == 0) {
948 * Association event was not yet received; try to fetch
949 * BSSID from the driver.
951 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
952 wpa_printf(MSG_DEBUG, "WPA: Failed to read BSSID for "
953 "EAPOL-Key destination address");
956 wpa_printf(MSG_DEBUG, "WPA: Use BSSID (" MACSTR
957 ") as the destination for EAPOL-Key",
962 wpa_eapol_key_mic(kck, ver, msg, msg_len, key_mic);
964 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
965 wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
966 eapol_sm_notify_tx_eapol_key(sm->eapol);
972 * wpa_sm_key_request - Send EAPOL-Key Request
973 * @sm: Pointer to WPA state machine data from wpa_sm_init()
974 * @error: Indicate whether this is an Michael MIC error report
975 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
976 * Returns: Pointer to the current network structure or %NULL on failure
978 * Send an EAPOL-Key Request to the current authenticator. This function is
979 * used to request rekeying and it is usually called when a local Michael MIC
980 * failure is detected.
982 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
985 struct wpa_eapol_key *reply;
987 u8 bssid[ETH_ALEN], *rbuf;
989 if (sm->pairwise_cipher == WPA_CIPHER_CCMP)
990 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
992 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
994 if (wpa_sm_get_bssid(sm, bssid) < 0) {
995 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
1000 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1001 sizeof(*reply), &rlen, (void *) &reply);
1005 reply->type = sm->proto == WPA_PROTO_RSN ?
1006 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1007 key_info = WPA_KEY_INFO_REQUEST | ver;
1009 key_info |= WPA_KEY_INFO_MIC;
1011 key_info |= WPA_KEY_INFO_ERROR;
1013 key_info |= WPA_KEY_INFO_KEY_TYPE;
1014 WPA_PUT_BE16(reply->key_info, key_info);
1015 WPA_PUT_BE16(reply->key_length, 0);
1016 os_memcpy(reply->replay_counter, sm->request_counter,
1017 WPA_REPLAY_COUNTER_LEN);
1018 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
1020 WPA_PUT_BE16(reply->key_data_length, 0);
1022 wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d "
1023 "pairwise=%d ptk_set=%d len=%lu)",
1024 error, pairwise, sm->ptk_set, (unsigned long) rlen);
1025 wpa_eapol_key_send(sm, sm->ptk.kck, ver, bssid, ETH_P_EAPOL,
1026 rbuf, rlen, key_info & WPA_KEY_INFO_MIC ?
1027 reply->key_mic : NULL);
1032 * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1)
1033 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1034 * @peer: MAC address of the peer STA
1035 * Returns: 0 on success, or -1 on failure
1037 * Send an EAPOL-Key Request to the current authenticator to start STK
1038 * handshake with the peer.
1040 int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer)
1042 #ifdef CONFIG_PEERKEY
1043 size_t rlen, kde_len;
1044 struct wpa_eapol_key *req;
1046 u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos;
1048 struct wpa_ssid *ssid = sm->cur_ssid;
1049 struct rsn_ie_hdr *hdr;
1050 struct wpa_peerkey *peerkey;
1051 struct wpa_ie_data ie;
1053 if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set ||
1054 ssid == NULL || !ssid->peerkey)
1057 if (sm->ap_rsn_ie &&
1058 wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 &&
1059 !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) {
1060 wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK");
1064 if (sm->pairwise_cipher == WPA_CIPHER_CCMP)
1065 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1067 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1069 if (wpa_sm_get_bssid(sm, bssid) < 0) {
1070 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
1075 /* TODO: find existing entry and if found, use that instead of adding
1077 peerkey = os_malloc(sizeof(*peerkey));
1078 if (peerkey == NULL)
1080 os_memset(peerkey, 0, sizeof(*peerkey));
1081 peerkey->initiator = 1;
1082 os_memcpy(peerkey->addr, peer, ETH_ALEN);
1085 * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
1086 * MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE))
1089 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i;
1090 hdr->elem_id = RSN_INFO_ELEM;
1091 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1092 pos = (u8 *) (hdr + 1);
1093 /* Group Suite can be anything for SMK RSN IE; receiver will just
1095 os_memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
1096 pos += RSN_SELECTOR_LEN;
1101 if (ssid->pairwise_cipher & WPA_CIPHER_CCMP) {
1102 os_memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
1103 pos += RSN_SELECTOR_LEN;
1106 if (ssid->pairwise_cipher & WPA_CIPHER_TKIP) {
1107 os_memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
1108 pos += RSN_SELECTOR_LEN;
1111 WPA_PUT_LE16(count_pos, count);
1113 hdr->len = (pos - peerkey->rsnie_i) - 2;
1114 peerkey->rsnie_i_len = pos - peerkey->rsnie_i;
1115 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
1116 peerkey->rsnie_i, peerkey->rsnie_i_len);
1118 kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN;
1120 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1121 sizeof(*req) + kde_len, &rlen,
1124 wpa_supplicant_peerkey_free(sm, peerkey);
1128 req->type = EAPOL_KEY_TYPE_RSN;
1129 key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
1130 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver;
1131 WPA_PUT_BE16(req->key_info, key_info);
1132 WPA_PUT_BE16(req->key_length, 0);
1133 os_memcpy(req->replay_counter, sm->request_counter,
1134 WPA_REPLAY_COUNTER_LEN);
1135 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
1137 if (hostapd_get_rand(peerkey->inonce, WPA_NONCE_LEN)) {
1138 wpa_msg(sm->ctx->ctx, MSG_WARNING,
1139 "WPA: Failed to get random data for INonce");
1141 wpa_supplicant_peerkey_free(sm, peerkey);
1144 os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
1145 wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake",
1146 req->key_nonce, WPA_NONCE_LEN);
1148 WPA_PUT_BE16(req->key_data_length, (u16) kde_len);
1149 pos = (u8 *) (req + 1);
1151 /* Initiator RSN IE */
1152 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
1153 /* Peer MAC address KDE */
1154 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
1156 wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer "
1157 MACSTR ")", MAC2STR(peer));
1158 wpa_eapol_key_send(sm, sm->ptk.kck, ver, bssid, ETH_P_EAPOL,
1159 rbuf, rlen, req->key_mic);
1161 peerkey->next = sm->peerkey;
1162 sm->peerkey = peerkey;
1166 #else /* CONFIG_PEERKEY */
1170 #endif /* CONFIG_PEERKEY */
1174 struct wpa_eapol_ie_parse {
1183 size_t mac_addr_len;
1184 #ifdef CONFIG_PEERKEY
1190 size_t lifetime_len;
1193 #endif /* CONFIG_PEERKEY */
1194 #ifdef CONFIG_IEEE80211W
1199 #endif /* CONFIG_IEEE80211W */
1204 * wpa_supplicant_parse_generic - Parse EAPOL-Key Key Data Generic IEs
1205 * @pos: Pointer to the IE header
1206 * @end: Pointer to the end of the Key Data buffer
1207 * @ie: Pointer to parsed IE data
1208 * Returns: 0 on success, 1 if end mark is found, -1 on failure
1210 static int wpa_supplicant_parse_generic(const u8 *pos, const u8 *end,
1211 struct wpa_eapol_ie_parse *ie)
1217 os_memcmp(pos + 2, WPA_OUI_TYPE, WPA_SELECTOR_LEN) == 0 &&
1218 pos[2 + WPA_SELECTOR_LEN] == 1 &&
1219 pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
1221 ie->wpa_ie_len = pos[1] + 2;
1225 if (pos + 1 + RSN_SELECTOR_LEN < end &&
1226 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
1227 os_memcmp(pos + 2, RSN_KEY_DATA_PMKID, RSN_SELECTOR_LEN) == 0) {
1228 ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
1232 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1233 os_memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, RSN_SELECTOR_LEN) == 0) {
1234 ie->gtk = pos + 2 + RSN_SELECTOR_LEN;
1235 ie->gtk_len = pos[1] - RSN_SELECTOR_LEN;
1239 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1240 os_memcmp(pos + 2, RSN_KEY_DATA_MAC_ADDR, RSN_SELECTOR_LEN) == 0) {
1241 ie->mac_addr = pos + 2 + RSN_SELECTOR_LEN;
1242 ie->mac_addr_len = pos[1] - RSN_SELECTOR_LEN;
1246 #ifdef CONFIG_PEERKEY
1247 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1248 os_memcmp(pos + 2, RSN_KEY_DATA_SMK, RSN_SELECTOR_LEN) == 0) {
1249 ie->smk = pos + 2 + RSN_SELECTOR_LEN;
1250 ie->smk_len = pos[1] - RSN_SELECTOR_LEN;
1254 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1255 os_memcmp(pos + 2, RSN_KEY_DATA_NONCE, RSN_SELECTOR_LEN) == 0) {
1256 ie->nonce = pos + 2 + RSN_SELECTOR_LEN;
1257 ie->nonce_len = pos[1] - RSN_SELECTOR_LEN;
1261 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1262 os_memcmp(pos + 2, RSN_KEY_DATA_LIFETIME, RSN_SELECTOR_LEN) == 0) {
1263 ie->lifetime = pos + 2 + RSN_SELECTOR_LEN;
1264 ie->lifetime_len = pos[1] - RSN_SELECTOR_LEN;
1268 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1269 os_memcmp(pos + 2, RSN_KEY_DATA_ERROR, RSN_SELECTOR_LEN) == 0) {
1270 ie->error = pos + 2 + RSN_SELECTOR_LEN;
1271 ie->error_len = pos[1] - RSN_SELECTOR_LEN;
1274 #endif /* CONFIG_PEERKEY */
1276 #ifdef CONFIG_IEEE80211W
1277 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1278 os_memcmp(pos + 2, RSN_KEY_DATA_DHV, RSN_SELECTOR_LEN) == 0) {
1279 ie->dhv = pos + 2 + RSN_SELECTOR_LEN;
1280 ie->dhv_len = pos[1] - RSN_SELECTOR_LEN;
1284 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
1285 os_memcmp(pos + 2, RSN_KEY_DATA_IGTK, RSN_SELECTOR_LEN) == 0) {
1286 ie->igtk = pos + 2 + RSN_SELECTOR_LEN;
1287 ie->igtk_len = pos[1] - RSN_SELECTOR_LEN;
1290 #endif /* CONFIG_IEEE80211W */
1297 * wpa_supplicant_parse_ies - Parse EAPOL-Key Key Data IEs
1298 * @buf: Pointer to the Key Data buffer
1299 * @len: Key Data Length
1300 * @ie: Pointer to parsed IE data
1301 * Returns: 0 on success, -1 on failure
1303 static int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
1304 struct wpa_eapol_ie_parse *ie)
1306 const u8 *pos, *end;
1309 os_memset(ie, 0, sizeof(*ie));
1310 for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) {
1311 if (pos[0] == 0xdd &&
1312 ((pos == buf + len - 1) || pos[1] == 0)) {
1313 /* Ignore padding */
1316 if (pos + 2 + pos[1] > end) {
1317 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data "
1318 "underflow (ie=%d len=%d pos=%d)",
1319 pos[0], pos[1], (int) (pos - buf));
1320 wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data",
1325 if (*pos == RSN_INFO_ELEM) {
1327 ie->rsn_ie_len = pos[1] + 2;
1328 } else if (*pos == GENERIC_INFO_ELEM) {
1329 ret = wpa_supplicant_parse_generic(pos, end, ie);
1337 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized EAPOL-Key "
1338 "Key Data IE", pos, 2 + pos[1]);
1346 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
1347 const unsigned char *src_addr,
1350 int abort_cached = 0;
1352 if (pmkid && !sm->cur_pmksa) {
1353 /* When using drivers that generate RSN IE, wpa_supplicant may
1354 * not have enough time to get the association information
1355 * event before receiving this 1/4 message, so try to find a
1356 * matching PMKSA cache entry here. */
1357 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid);
1358 if (sm->cur_pmksa) {
1359 wpa_printf(MSG_DEBUG, "RSN: found matching PMKID from "
1362 wpa_printf(MSG_DEBUG, "RSN: no matching PMKID found");
1367 if (pmkid && sm->cur_pmksa &&
1368 os_memcmp(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
1369 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
1370 wpa_sm_set_pmk_from_pmksa(sm);
1371 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
1372 sm->pmk, sm->pmk_len);
1373 eapol_sm_notify_cached(sm->eapol);
1374 } else if (sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X && sm->eapol) {
1377 res = eapol_sm_get_key(sm->eapol, sm->pmk, PMK_LEN);
1380 * EAP-LEAP is an exception from other EAP methods: it
1381 * uses only 16-byte PMK.
1383 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
1387 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
1388 "machines", sm->pmk, pmk_len);
1389 sm->pmk_len = pmk_len;
1390 pmksa_cache_add(sm->pmksa, sm->pmk, pmk_len, src_addr,
1391 sm->own_addr, sm->cur_ssid);
1392 if (!sm->cur_pmksa && pmkid &&
1393 pmksa_cache_get(sm->pmksa, src_addr, pmkid)) {
1394 wpa_printf(MSG_DEBUG, "RSN: the new PMK "
1395 "matches with the PMKID");
1399 wpa_msg(sm->ctx->ctx, MSG_WARNING,
1400 "WPA: Failed to get master session key from "
1401 "EAPOL state machines");
1402 wpa_msg(sm->ctx->ctx, MSG_WARNING,
1403 "WPA: Key handshake aborted");
1404 if (sm->cur_pmksa) {
1405 wpa_printf(MSG_DEBUG, "RSN: Cancelled PMKSA "
1407 sm->cur_pmksa = NULL;
1415 if (abort_cached && sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
1416 /* Send EAPOL-Start to trigger full EAP authentication. */
1420 wpa_printf(MSG_DEBUG, "RSN: no PMKSA entry found - trigger "
1421 "full EAP authentication");
1422 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
1423 NULL, 0, &buflen, NULL);
1425 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
1437 static int wpa_supplicant_send_2_of_4(struct wpa_sm *sm,
1438 const unsigned char *dst,
1439 const struct wpa_eapol_key *key,
1440 int ver, const u8 *nonce,
1441 const u8 *wpa_ie, size_t wpa_ie_len,
1442 struct wpa_ptk *ptk)
1445 struct wpa_eapol_key *reply;
1448 if (wpa_ie == NULL) {
1449 wpa_printf(MSG_WARNING, "WPA: No wpa_ie set - cannot "
1450 "generate msg 2/4");
1454 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
1456 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
1457 NULL, sizeof(*reply) + wpa_ie_len,
1458 &rlen, (void *) &reply);
1462 reply->type = sm->proto == WPA_PROTO_RSN ?
1463 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1464 WPA_PUT_BE16(reply->key_info,
1465 ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC);
1466 if (sm->proto == WPA_PROTO_RSN)
1467 WPA_PUT_BE16(reply->key_length, 0);
1469 os_memcpy(reply->key_length, key->key_length, 2);
1470 os_memcpy(reply->replay_counter, key->replay_counter,
1471 WPA_REPLAY_COUNTER_LEN);
1473 WPA_PUT_BE16(reply->key_data_length, wpa_ie_len);
1474 os_memcpy(reply + 1, wpa_ie, wpa_ie_len);
1476 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
1478 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
1479 wpa_eapol_key_send(sm, ptk->kck, ver, dst, ETH_P_EAPOL,
1480 rbuf, rlen, reply->key_mic);
1486 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
1487 const unsigned char *src_addr,
1488 const struct wpa_eapol_key *key,
1491 struct wpa_eapol_ie_parse ie;
1492 struct wpa_ptk *ptk;
1495 if (wpa_sm_get_ssid(sm) == NULL) {
1496 wpa_printf(MSG_WARNING, "WPA: No SSID info found (msg 1 of "
1501 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1502 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from "
1503 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1505 os_memset(&ie, 0, sizeof(ie));
1507 #ifndef CONFIG_NO_WPA2
1508 if (sm->proto == WPA_PROTO_RSN) {
1509 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
1510 const u8 *_buf = (const u8 *) (key + 1);
1511 size_t len = WPA_GET_BE16(key->key_data_length);
1512 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", _buf, len);
1513 wpa_supplicant_parse_ies(_buf, len, &ie);
1515 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
1516 "Authenticator", ie.pmkid, PMKID_LEN);
1519 #endif /* CONFIG_NO_WPA2 */
1521 if (wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid))
1524 if (sm->renew_snonce) {
1525 if (hostapd_get_rand(sm->snonce, WPA_NONCE_LEN)) {
1526 wpa_msg(sm->ctx->ctx, MSG_WARNING,
1527 "WPA: Failed to get random data for SNonce");
1530 sm->renew_snonce = 0;
1531 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
1532 sm->snonce, WPA_NONCE_LEN);
1535 /* Calculate PTK which will be stored as a temporary PTK until it has
1536 * been verified when processing message 3/4. */
1538 wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
1539 sm->own_addr, sm->bssid, sm->snonce, key->key_nonce,
1540 (u8 *) ptk, sizeof(*ptk));
1541 /* Supplicant: swap tx/rx Mic keys */
1542 os_memcpy(buf, ptk->u.auth.tx_mic_key, 8);
1543 os_memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8);
1544 os_memcpy(ptk->u.auth.rx_mic_key, buf, 8);
1547 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
1548 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len,
1552 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1556 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
1558 struct wpa_sm *sm = eloop_ctx;
1559 rsn_preauth_candidate_process(sm);
1563 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
1564 const u8 *addr, int secure)
1566 wpa_msg(sm->ctx->ctx, MSG_INFO, "WPA: Key negotiation completed with "
1567 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1568 wpa_cipher_txt(sm->pairwise_cipher),
1569 wpa_cipher_txt(sm->group_cipher));
1570 eloop_cancel_timeout(sm->ctx->scan, sm->ctx->ctx, NULL);
1571 wpa_sm_cancel_auth_timeout(sm);
1572 wpa_sm_set_state(sm, WPA_COMPLETED);
1575 wpa_sm_mlme_setprotection(
1576 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
1577 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1578 eapol_sm_notify_portValid(sm->eapol, TRUE);
1579 if (sm->key_mgmt == WPA_KEY_MGMT_PSK)
1580 eapol_sm_notify_eap_success(sm->eapol, TRUE);
1582 * Start preauthentication after a short wait to avoid a
1583 * possible race condition between the data receive and key
1584 * configuration after the 4-Way Handshake. This increases the
1585 * likelyhood of the first preauth EAPOL-Start frame getting to
1588 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL);
1591 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1592 wpa_printf(MSG_DEBUG, "RSN: Authenticator accepted "
1593 "opportunistic PMKSA entry - marking it valid");
1594 sm->cur_pmksa->opportunistic = 0;
1599 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
1600 const struct wpa_eapol_key *key)
1605 u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
1607 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver.");
1609 switch (sm->pairwise_cipher) {
1610 case WPA_CIPHER_CCMP:
1615 case WPA_CIPHER_TKIP:
1620 case WPA_CIPHER_NONE:
1621 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: "
1622 "NONE - do not use pairwise keys");
1625 wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise cipher %d",
1626 sm->pairwise_cipher);
1630 if (sm->proto == WPA_PROTO_RSN) {
1633 key_rsc = key->key_rsc;
1634 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1637 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
1638 (u8 *) sm->ptk.tk1, keylen) < 0) {
1639 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the "
1647 static int wpa_supplicant_check_group_cipher(int group_cipher,
1648 int keylen, int maxkeylen,
1649 int *key_rsc_len, wpa_alg *alg)
1653 switch (group_cipher) {
1654 case WPA_CIPHER_CCMP:
1655 if (keylen != 16 || maxkeylen < 16) {
1660 *alg = WPA_ALG_CCMP;
1662 case WPA_CIPHER_TKIP:
1663 if (keylen != 32 || maxkeylen < 32) {
1668 *alg = WPA_ALG_TKIP;
1670 case WPA_CIPHER_WEP104:
1671 if (keylen != 13 || maxkeylen < 13) {
1678 case WPA_CIPHER_WEP40:
1679 if (keylen != 5 || maxkeylen < 5) {
1687 wpa_printf(MSG_WARNING, "WPA: Unsupported Group Cipher %d",
1693 wpa_printf(MSG_WARNING, "WPA: Unsupported %s Group Cipher key "
1695 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1702 struct wpa_gtk_data {
1704 int tx, key_rsc_len, keyidx;
1710 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1711 const struct wpa_gtk_data *gd,
1714 const u8 *_gtk = gd->gtk;
1717 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1718 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver "
1719 "(keyidx=%d tx=%d).", gd->keyidx, gd->tx);
1720 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1721 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1722 /* Swap Tx/Rx keys for Michael MIC */
1723 os_memcpy(gtk_buf, gd->gtk, 16);
1724 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1725 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1728 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1729 if (wpa_sm_set_key(sm, gd->alg,
1730 (u8 *) "\xff\xff\xff\xff\xff\xff",
1731 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1732 _gtk, gd->gtk_len) < 0) {
1733 wpa_printf(MSG_WARNING, "WPA: Failed to set "
1734 "GTK to the driver (Group only).");
1737 } else if (wpa_sm_set_key(sm, gd->alg,
1738 (u8 *) "\xff\xff\xff\xff\xff\xff",
1739 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1740 _gtk, gd->gtk_len) < 0) {
1741 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to "
1750 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1753 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1754 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1755 * seemed to set this bit (incorrectly, since Tx is only when
1756 * doing Group Key only APs) and without this workaround, the
1757 * data connection does not work because wpa_supplicant
1758 * configured non-zero keyidx to be used for unicast. */
1759 wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but pairwise "
1760 "keys are used - ignore Tx bit");
1767 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1768 const struct wpa_eapol_key *key,
1769 const u8 *gtk, size_t gtk_len,
1772 #ifndef CONFIG_NO_WPA2
1773 struct wpa_gtk_data gd;
1776 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1778 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1779 * Reserved [bits 0-7]
1783 os_memset(&gd, 0, sizeof(gd));
1784 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1787 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1790 gd.keyidx = gtk[0] & 0x3;
1791 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1792 !!(gtk[0] & BIT(2)));
1796 os_memcpy(gd.gtk, gtk, gtk_len);
1797 gd.gtk_len = gtk_len;
1799 if (wpa_supplicant_check_group_cipher(sm->group_cipher,
1801 &gd.key_rsc_len, &gd.alg) ||
1802 wpa_supplicant_install_gtk(sm, &gd, key->key_rsc)) {
1803 wpa_printf(MSG_DEBUG, "RSN: Failed to install GTK");
1807 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1808 key_info & WPA_KEY_INFO_SECURE);
1810 #else /* CONFIG_NO_WPA2 */
1812 #endif /* CONFIG_NO_WPA2 */
1816 static int ieee80211w_set_keys(struct wpa_sm *sm,
1817 struct wpa_eapol_ie_parse *ie)
1819 #ifdef CONFIG_IEEE80211W
1820 if (sm->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC)
1824 const struct wpa_igtk_kde *igtk;
1826 if (ie->igtk_len != sizeof(*igtk))
1828 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1829 keyidx = WPA_GET_LE16(igtk->keyid);
1830 wpa_printf(MSG_DEBUG, "WPA: IGTK keyid %d "
1831 "pn %02x%02x%02x%02x%02x%02x",
1832 keyidx, MAC2STR(igtk->pn));
1833 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
1834 igtk->igtk, WPA_IGTK_LEN);
1835 if (keyidx > 4095) {
1836 wpa_printf(MSG_WARNING, "WPA: Invalid IGTK KeyID %d",
1840 if (wpa_sm_set_key(sm, WPA_ALG_IGTK,
1841 (u8 *) "\xff\xff\xff\xff\xff\xff",
1842 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1843 igtk->igtk, WPA_IGTK_LEN) < 0) {
1844 wpa_printf(MSG_WARNING, "WPA: Failed to configure IGTK"
1851 const struct wpa_dhv_kde *dhv;
1852 if (ie->dhv_len != sizeof(*dhv))
1854 dhv = (const struct wpa_dhv_kde *) ie->dhv;
1855 wpa_hexdump_key(MSG_DEBUG, "WPA: DHV", dhv->dhv, WPA_DHV_LEN);
1856 if (wpa_sm_set_key(sm, WPA_ALG_DHV,
1857 (u8 *) "\xff\xff\xff\xff\xff\xff", 0, 0,
1858 NULL, 0, dhv->dhv, WPA_DHV_LEN) < 0) {
1859 wpa_printf(MSG_WARNING, "WPA: Failed to configure DHV "
1866 #else /* CONFIG_IEEE80211W */
1868 #endif /* CONFIG_IEEE80211W */
1872 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1873 const char *reason, const u8 *src_addr,
1874 const u8 *wpa_ie, size_t wpa_ie_len,
1875 const u8 *rsn_ie, size_t rsn_ie_len)
1877 wpa_msg(sm->ctx->ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1878 reason, MAC2STR(src_addr));
1880 if (sm->ap_wpa_ie) {
1881 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1882 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1885 if (!sm->ap_wpa_ie) {
1886 wpa_printf(MSG_INFO, "WPA: No WPA IE in "
1887 "Beacon/ProbeResp");
1889 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1890 wpa_ie, wpa_ie_len);
1893 if (sm->ap_rsn_ie) {
1894 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1895 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1898 if (!sm->ap_rsn_ie) {
1899 wpa_printf(MSG_INFO, "WPA: No RSN IE in "
1900 "Beacon/ProbeResp");
1902 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1903 rsn_ie, rsn_ie_len);
1906 wpa_sm_disassociate(sm, REASON_IE_IN_4WAY_DIFFERS);
1907 wpa_sm_req_scan(sm, 0, 0);
1911 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1912 const unsigned char *src_addr,
1913 struct wpa_eapol_ie_parse *ie)
1915 struct wpa_ssid *ssid = sm->cur_ssid;
1917 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1918 wpa_printf(MSG_DEBUG, "WPA: No WPA/RSN IE for this AP known. "
1919 "Trying to get from scan results");
1920 if (wpa_sm_get_beacon_ie(sm) < 0) {
1921 wpa_printf(MSG_WARNING, "WPA: Could not find AP from "
1922 "the scan results");
1924 wpa_printf(MSG_DEBUG, "WPA: Found the current AP from "
1925 "updated scan results");
1929 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1930 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1931 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1932 "with IE in Beacon/ProbeResp (no IE?)",
1933 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1934 ie->rsn_ie, ie->rsn_ie_len);
1938 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1939 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1940 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1941 (ie->rsn_ie && sm->ap_rsn_ie &&
1942 (ie->rsn_ie_len != sm->ap_rsn_ie_len ||
1943 os_memcmp(ie->rsn_ie, sm->ap_rsn_ie, ie->rsn_ie_len) != 0))) {
1944 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1945 "with IE in Beacon/ProbeResp",
1946 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1947 ie->rsn_ie, ie->rsn_ie_len);
1951 if (sm->proto == WPA_PROTO_WPA &&
1952 ie->rsn_ie && sm->ap_rsn_ie == NULL &&
1953 ssid && (ssid->proto & WPA_PROTO_RSN)) {
1954 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1955 "detected - RSN was enabled and RSN IE "
1956 "was in msg 3/4, but not in "
1958 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1959 ie->rsn_ie, ie->rsn_ie_len);
1967 static int wpa_supplicant_send_4_of_4(struct wpa_sm *sm,
1968 const unsigned char *dst,
1969 const struct wpa_eapol_key *key,
1970 u16 ver, u16 key_info,
1971 const u8 *kde, size_t kde_len,
1972 struct wpa_ptk *ptk)
1975 struct wpa_eapol_key *reply;
1979 wpa_hexdump(MSG_DEBUG, "WPA: KDE for msg 4/4", kde, kde_len);
1981 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1982 sizeof(*reply) + kde_len,
1983 &rlen, (void *) &reply);
1987 reply->type = sm->proto == WPA_PROTO_RSN ?
1988 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1989 key_info &= WPA_KEY_INFO_SECURE;
1990 key_info |= ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC;
1991 WPA_PUT_BE16(reply->key_info, key_info);
1992 if (sm->proto == WPA_PROTO_RSN)
1993 WPA_PUT_BE16(reply->key_length, 0);
1995 os_memcpy(reply->key_length, key->key_length, 2);
1996 os_memcpy(reply->replay_counter, key->replay_counter,
1997 WPA_REPLAY_COUNTER_LEN);
1999 WPA_PUT_BE16(reply->key_data_length, kde_len);
2001 os_memcpy(reply + 1, kde, kde_len);
2003 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
2004 wpa_eapol_key_send(sm, ptk->kck, ver, dst, ETH_P_EAPOL,
2005 rbuf, rlen, reply->key_mic);
2011 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
2012 const struct wpa_eapol_key *key,
2015 u16 key_info, keylen, len;
2017 struct wpa_eapol_ie_parse ie;
2019 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2020 wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from "
2021 MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
2023 key_info = WPA_GET_BE16(key->key_info);
2025 pos = (const u8 *) (key + 1);
2026 len = WPA_GET_BE16(key->key_data_length);
2027 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", pos, len);
2028 wpa_supplicant_parse_ies(pos, len, &ie);
2029 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2030 wpa_printf(MSG_WARNING, "WPA: GTK IE in unencrypted key data");
2033 #ifdef CONFIG_IEEE80211W
2034 if ((ie.dhv || ie.igtk) && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2035 wpa_printf(MSG_WARNING, "WPA: DHV/IGTK KDE in unencrypted key "
2040 if (ie.dhv && ie.dhv_len != sizeof(struct wpa_dhv_kde)) {
2041 wpa_printf(MSG_WARNING, "WPA: Invalid DHV KDE length %lu",
2042 (unsigned long) ie.dhv_len);
2046 if (ie.igtk && ie.igtk_len != sizeof(struct wpa_igtk_kde)) {
2047 wpa_printf(MSG_WARNING, "WPA: Invalid IGTK KDE length %lu",
2048 (unsigned long) ie.igtk_len);
2051 #endif /* CONFIG_IEEE80211W */
2053 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2056 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2057 wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way "
2058 "Handshake differs from 3 of 4-Way Handshake - drop"
2059 " packet (src=" MACSTR ")", MAC2STR(sm->bssid));
2063 keylen = WPA_GET_BE16(key->key_length);
2064 switch (sm->pairwise_cipher) {
2065 case WPA_CIPHER_CCMP:
2067 wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length "
2068 "%d (src=" MACSTR ")",
2069 keylen, MAC2STR(sm->bssid));
2073 case WPA_CIPHER_TKIP:
2075 wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length "
2076 "%d (src=" MACSTR ")",
2077 keylen, MAC2STR(sm->bssid));
2083 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
2087 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2088 * for the next 4-Way Handshake. If msg 3 is received again, the old
2089 * SNonce will still be used to avoid changing PTK. */
2090 sm->renew_snonce = 1;
2092 if (key_info & WPA_KEY_INFO_INSTALL) {
2093 wpa_supplicant_install_ptk(sm, key);
2096 if (key_info & WPA_KEY_INFO_SECURE) {
2097 wpa_sm_mlme_setprotection(
2098 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2099 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2100 eapol_sm_notify_portValid(sm->eapol, TRUE);
2102 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2105 wpa_supplicant_pairwise_gtk(sm, key,
2106 ie.gtk, ie.gtk_len, key_info) < 0) {
2107 wpa_printf(MSG_INFO, "RSN: Failed to configure GTK");
2110 if (ieee80211w_set_keys(sm, &ie) < 0)
2111 wpa_printf(MSG_INFO, "RSN: Failed to configure DHV/IGTK");
2115 #ifdef CONFIG_PEERKEY
2116 static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx)
2119 struct wpa_sm *sm = eloop_ctx;
2120 struct wpa_peerkey *peerkey = timeout_ctx;
2122 /* TODO: time out SMK and any STK that was generated using this SMK */
2126 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm,
2127 struct wpa_peerkey *peerkey)
2129 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
2134 static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst,
2136 u16 mui, u16 error_type, int ver)
2138 #ifndef CONFIG_NO_WPA2
2140 struct wpa_eapol_key *err;
2141 struct rsn_error_kde error;
2146 kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error);
2148 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
2150 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
2151 NULL, sizeof(*err) + kde_len, &rlen,
2156 err->type = EAPOL_KEY_TYPE_RSN;
2157 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
2158 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR |
2159 WPA_KEY_INFO_REQUEST;
2160 WPA_PUT_BE16(err->key_info, key_info);
2161 WPA_PUT_BE16(err->key_length, 0);
2162 os_memcpy(err->replay_counter, sm->request_counter,
2163 WPA_REPLAY_COUNTER_LEN);
2164 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
2166 WPA_PUT_BE16(err->key_data_length, (u16) kde_len);
2167 pos = (u8 *) (err + 1);
2170 /* Peer MAC Address KDE */
2171 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
2175 error.mui = host_to_be16(mui);
2176 error.error_type = host_to_be16(error_type);
2177 pos = wpa_add_kde(pos, RSN_KEY_DATA_ERROR,
2178 (u8 *) &error, sizeof(error));
2181 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer "
2182 MACSTR " mui %d error_type %d)",
2183 MAC2STR(peer), mui, error_type);
2185 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error "
2186 "(mui %d error_type %d)", mui, error_type);
2189 wpa_eapol_key_send(sm, sm->ptk.kck, ver, dst, ETH_P_EAPOL,
2190 rbuf, rlen, err->key_mic);
2193 #else /* CONFIG_NO_WPA2 */
2195 #endif /* CONFIG_NO_WPA2 */
2199 static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm,
2200 const unsigned char *src_addr,
2201 const struct wpa_eapol_key *key,
2202 int ver, struct wpa_peerkey *peerkey)
2205 struct wpa_eapol_key *reply;
2210 /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */
2211 kde_len = peerkey->rsnie_p_len +
2212 2 + RSN_SELECTOR_LEN + ETH_ALEN +
2213 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN;
2215 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
2216 NULL, sizeof(*reply) + kde_len, &rlen,
2221 reply->type = EAPOL_KEY_TYPE_RSN;
2222 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
2223 WPA_KEY_INFO_SECURE;
2224 WPA_PUT_BE16(reply->key_info, key_info);
2225 WPA_PUT_BE16(reply->key_length, 0);
2226 os_memcpy(reply->replay_counter, key->replay_counter,
2227 WPA_REPLAY_COUNTER_LEN);
2229 os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN);
2231 WPA_PUT_BE16(reply->key_data_length, (u16) kde_len);
2232 pos = (u8 *) (reply + 1);
2235 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
2237 /* Initiator MAC Address KDE */
2238 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN);
2240 /* Initiator Nonce */
2241 pos = wpa_add_kde(pos, RSN_KEY_DATA_NONCE,
2242 peerkey->inonce, WPA_NONCE_LEN);
2244 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3");
2245 wpa_eapol_key_send(sm, sm->ptk.kck, ver, src_addr, ETH_P_EAPOL,
2246 rbuf, rlen, reply->key_mic);
2252 static int wpa_supplicant_process_smk_m2(
2253 struct wpa_sm *sm, const unsigned char *src_addr,
2254 const struct wpa_eapol_key *key, size_t extra_len, int ver)
2256 struct wpa_ssid *ssid = sm->cur_ssid;
2257 struct wpa_peerkey *peerkey;
2258 struct wpa_eapol_ie_parse kde;
2259 struct wpa_ie_data ie;
2261 struct rsn_ie_hdr *hdr;
2264 wpa_printf(MSG_DEBUG, "RSN: Received SMK M2");
2266 if (ssid == NULL || !ssid->peerkey || sm->proto != WPA_PROTO_RSN) {
2267 wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for "
2268 "the current network");
2272 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
2274 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2");
2278 if (kde.rsn_ie == NULL || kde.mac_addr == NULL ||
2279 kde.mac_addr_len < ETH_ALEN) {
2280 wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in "
2285 wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR,
2286 MAC2STR(kde.mac_addr));
2288 if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) {
2289 wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK "
2294 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
2295 wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2");
2299 cipher = ie.pairwise_cipher & ssid->pairwise_cipher;
2300 if (cipher & WPA_CIPHER_CCMP) {
2301 wpa_printf(MSG_DEBUG, "RSN: Using CCMP for PeerKey");
2302 cipher = WPA_CIPHER_CCMP;
2303 } else if (cipher & WPA_CIPHER_TKIP) {
2304 wpa_printf(MSG_DEBUG, "RSN: Using TKIP for PeerKey");
2305 cipher = WPA_CIPHER_TKIP;
2307 wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2");
2308 wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr,
2309 STK_MUI_SMK, STK_ERR_CPHR_NS,
2314 /* TODO: find existing entry and if found, use that instead of adding
2315 * a new one; how to handle the case where both ends initiate at the
2317 peerkey = os_malloc(sizeof(*peerkey));
2318 if (peerkey == NULL)
2320 os_memset(peerkey, 0, sizeof(*peerkey));
2321 os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN);
2322 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
2323 os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
2324 peerkey->rsnie_i_len = kde.rsn_ie_len;
2325 peerkey->cipher = cipher;
2327 if (hostapd_get_rand(peerkey->pnonce, WPA_NONCE_LEN)) {
2328 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2329 "WPA: Failed to get random data for PNonce");
2330 wpa_supplicant_peerkey_free(sm, peerkey);
2334 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p;
2335 hdr->elem_id = RSN_INFO_ELEM;
2336 WPA_PUT_LE16(hdr->version, RSN_VERSION);
2337 pos = (u8 *) (hdr + 1);
2338 /* Group Suite can be anything for SMK RSN IE; receiver will just
2340 os_memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
2341 pos += RSN_SELECTOR_LEN;
2342 /* Include only the selected cipher in pairwise cipher suite */
2343 WPA_PUT_LE16(pos, 1);
2345 if (cipher == WPA_CIPHER_CCMP)
2346 os_memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
2347 else if (cipher == WPA_CIPHER_TKIP)
2348 os_memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
2349 pos += RSN_SELECTOR_LEN;
2351 hdr->len = (pos - peerkey->rsnie_p) - 2;
2352 peerkey->rsnie_p_len = pos - peerkey->rsnie_p;
2353 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
2354 peerkey->rsnie_p, peerkey->rsnie_p_len);
2356 wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey);
2358 peerkey->next = sm->peerkey;
2359 sm->peerkey = peerkey;
2366 * rsn_smkid - Derive SMK identifier
2367 * @smk: Station master key (32 bytes)
2368 * @pnonce: Peer Nonce
2369 * @mac_p: Peer MAC address
2370 * @inonce: Initiator Nonce
2371 * @mac_i: Initiator MAC address
2373 * 8.5.1.4 Station to station (STK) key hierarchy
2374 * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I)
2376 static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p,
2377 const u8 *inonce, const u8 *mac_i, u8 *smkid)
2379 char *title = "SMK Name";
2381 const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN,
2383 unsigned char hash[SHA1_MAC_LEN];
2385 addr[0] = (u8 *) title;
2391 hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash);
2392 os_memcpy(smkid, hash, PMKID_LEN);
2396 static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm,
2397 struct wpa_peerkey *peerkey)
2400 struct wpa_eapol_key *msg;
2405 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2407 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2408 sizeof(*msg) + kde_len, &mlen,
2413 msg->type = EAPOL_KEY_TYPE_RSN;
2415 if (peerkey->cipher == WPA_CIPHER_CCMP)
2416 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
2418 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
2420 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK;
2421 WPA_PUT_BE16(msg->key_info, key_info);
2423 if (peerkey->cipher == WPA_CIPHER_CCMP)
2424 WPA_PUT_BE16(msg->key_length, 16);
2426 WPA_PUT_BE16(msg->key_length, 32);
2428 os_memcpy(msg->replay_counter, peerkey->replay_counter,
2429 WPA_REPLAY_COUNTER_LEN);
2430 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
2432 WPA_PUT_BE16(msg->key_data_length, kde_len);
2433 wpa_add_kde((u8 *) (msg + 1), RSN_KEY_DATA_PMKID,
2434 peerkey->smkid, PMKID_LEN);
2436 if (hostapd_get_rand(peerkey->inonce, WPA_NONCE_LEN)) {
2437 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2438 "RSN: Failed to get random data for INonce (STK)");
2442 wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake",
2443 peerkey->inonce, WPA_NONCE_LEN);
2444 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
2446 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR,
2447 MAC2STR(peerkey->addr));
2448 wpa_eapol_key_send(sm, NULL, ver, peerkey->addr, ETH_P_EAPOL,
2453 static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm,
2454 struct wpa_peerkey *peerkey)
2457 struct wpa_eapol_key *msg;
2463 kde_len = peerkey->rsnie_i_len +
2464 2 + RSN_SELECTOR_LEN + sizeof(lifetime);
2466 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2467 sizeof(*msg) + kde_len, &mlen,
2472 msg->type = EAPOL_KEY_TYPE_RSN;
2474 if (peerkey->cipher == WPA_CIPHER_CCMP)
2475 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
2477 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
2479 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK |
2480 WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
2481 WPA_PUT_BE16(msg->key_info, key_info);
2483 if (peerkey->cipher == WPA_CIPHER_CCMP)
2484 WPA_PUT_BE16(msg->key_length, 16);
2486 WPA_PUT_BE16(msg->key_length, 32);
2488 os_memcpy(msg->replay_counter, peerkey->replay_counter,
2489 WPA_REPLAY_COUNTER_LEN);
2490 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
2492 WPA_PUT_BE16(msg->key_data_length, kde_len);
2493 pos = (u8 *) (msg + 1);
2494 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
2495 lifetime = host_to_be32(peerkey->lifetime);
2496 pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
2497 (u8 *) &lifetime, sizeof(lifetime));
2499 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
2501 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR,
2502 MAC2STR(peerkey->addr));
2503 wpa_eapol_key_send(sm, peerkey->stk.kck, ver, peerkey->addr,
2504 ETH_P_EAPOL, mbuf, mlen, msg->key_mic);
2508 static int wpa_supplicant_process_smk_m45(
2509 struct wpa_sm *sm, const unsigned char *src_addr,
2510 const struct wpa_eapol_key *key, size_t extra_len, int ver)
2512 struct wpa_ssid *ssid = sm->cur_ssid;
2513 struct wpa_peerkey *peerkey;
2514 struct wpa_eapol_ie_parse kde;
2517 struct wpa_ie_data ie;
2519 if (ssid == NULL || !ssid->peerkey || sm->proto != WPA_PROTO_RSN) {
2520 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
2521 "the current network");
2525 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
2527 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5");
2531 if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
2532 kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN ||
2533 kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN ||
2534 kde.lifetime == NULL || kde.lifetime_len < 4) {
2535 wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or "
2536 "Lifetime KDE in SMK M4/M5");
2540 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
2541 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 &&
2542 os_memcmp(peerkey->initiator ? peerkey->inonce :
2544 key->key_nonce, WPA_NONCE_LEN) == 0)
2547 if (peerkey == NULL) {
2548 wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found "
2549 "for SMK M4/M5: peer " MACSTR,
2550 MAC2STR(kde.mac_addr));
2554 if (peerkey->initiator) {
2556 wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")",
2557 MAC2STR(kde.mac_addr));
2558 if (kde.rsn_ie == NULL || kde.rsn_ie_len > PEERKEY_MAX_IE_LEN
2559 || wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) <
2561 wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5");
2562 /* TODO: abort negotiation */
2566 if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN)
2568 wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does "
2569 "not match with INonce used in SMK M1");
2573 if (os_memcmp(kde.smk + PMK_LEN, peerkey->inonce,
2574 WPA_NONCE_LEN) != 0) {
2575 wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not "
2576 "match with the one used in SMK M1");
2580 os_memcpy(peerkey->rsnie_p, kde.rsn_ie, kde.rsn_ie_len);
2581 peerkey->rsnie_p_len = kde.rsn_ie_len;
2582 os_memcpy(peerkey->pnonce, kde.nonce, WPA_NONCE_LEN);
2584 cipher = ie.pairwise_cipher & ssid->pairwise_cipher;
2585 if (cipher & WPA_CIPHER_CCMP) {
2586 wpa_printf(MSG_DEBUG, "RSN: Using CCMP for PeerKey");
2587 peerkey->cipher = WPA_CIPHER_CCMP;
2588 } else if (cipher & WPA_CIPHER_TKIP) {
2589 wpa_printf(MSG_DEBUG, "RSN: Using TKIP for PeerKey");
2590 peerkey->cipher = WPA_CIPHER_TKIP;
2592 wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR
2593 " selected unacceptable cipher",
2594 MAC2STR(kde.mac_addr));
2595 wpa_supplicant_send_smk_error(
2596 sm, src_addr, kde.mac_addr,
2597 STK_MUI_SMK, STK_ERR_CPHR_NS, ver);
2598 /* TODO: abort negotiation */
2602 wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator "
2603 MACSTR ")", MAC2STR(kde.mac_addr));
2605 if (os_memcmp(kde.smk + PMK_LEN, peerkey->pnonce,
2606 WPA_NONCE_LEN) != 0) {
2607 wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not "
2608 "match with the one used in SMK M3");
2612 if (os_memcmp(kde.nonce, peerkey->inonce, WPA_NONCE_LEN) != 0)
2614 wpa_printf(MSG_INFO, "RSN: INonce in SMK M5 did not "
2615 "match with the one received in SMK M2");
2620 os_memcpy(peerkey->smk, kde.smk, PMK_LEN);
2621 peerkey->smk_complete = 1;
2622 wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN);
2623 lifetime = WPA_GET_BE32(kde.lifetime);
2624 wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime);
2625 if (lifetime > 1000000000)
2626 lifetime = 1000000000; /* avoid overflowing expiration time */
2627 peerkey->lifetime = lifetime;
2629 peerkey->expiration = now.sec + lifetime;
2630 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
2633 if (peerkey->initiator) {
2634 rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr,
2635 peerkey->inonce, sm->own_addr, peerkey->smkid);
2636 wpa_supplicant_send_stk_1_of_4(sm, peerkey);
2638 rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr,
2639 peerkey->inonce, peerkey->addr, peerkey->smkid);
2641 wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN);
2647 static int wpa_supplicant_process_smk_error(
2648 struct wpa_sm *sm, const unsigned char *src_addr,
2649 const struct wpa_eapol_key *key, size_t extra_len)
2651 struct wpa_ssid *ssid = sm->cur_ssid;
2652 struct wpa_eapol_ie_parse kde;
2653 struct rsn_error_kde error;
2657 wpa_printf(MSG_DEBUG, "RSN: Received SMK Error");
2659 if (ssid == NULL || !ssid->peerkey || sm->proto != WPA_PROTO_RSN) {
2660 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
2661 "the current network");
2665 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
2667 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error");
2671 if (kde.error == NULL || kde.error_len < sizeof(error)) {
2672 wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error");
2676 if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN)
2677 os_memcpy(peer, kde.mac_addr, ETH_ALEN);
2678 os_memcpy(&error, kde.error, sizeof(error));
2679 error_type = be_to_host16(error.error_type);
2680 wpa_msg(sm->ctx->ctx, MSG_INFO,
2681 "RSN: SMK Error KDE received: MUI %d error_type %d peer "
2683 be_to_host16(error.mui), error_type,
2687 (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN ||
2688 error_type == STK_ERR_CPHR_NS)) {
2689 struct wpa_peerkey *peerkey;
2691 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
2692 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) ==
2696 if (peerkey == NULL) {
2697 wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake "
2698 "found for SMK Error");
2701 /* TODO: abort SMK/STK handshake and remove all related keys */
2708 static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm,
2709 struct wpa_peerkey *peerkey,
2710 const struct wpa_eapol_key *key,
2713 struct wpa_eapol_ie_parse ie;
2715 size_t len, kde_buf_len;
2716 struct wpa_ptk *stk;
2717 u8 buf[8], *kde_buf, *pos;
2720 wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from "
2721 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
2723 os_memset(&ie, 0, sizeof(ie));
2725 /* RSN: msg 1/4 should contain SMKID for the selected SMK */
2726 kde = (const u8 *) (key + 1);
2727 len = WPA_GET_BE16(key->key_data_length);
2728 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", kde, len);
2729 if (wpa_supplicant_parse_ies(kde, len, &ie) < 0 || ie.pmkid == NULL) {
2730 wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4");
2733 if (os_memcmp(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
2734 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4",
2735 ie.pmkid, PMKID_LEN);
2739 if (hostapd_get_rand(peerkey->pnonce, WPA_NONCE_LEN)) {
2740 wpa_msg(sm->ctx->ctx, MSG_WARNING,
2741 "RSN: Failed to get random data for PNonce");
2744 wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce",
2745 peerkey->pnonce, WPA_NONCE_LEN);
2747 /* Calculate STK which will be stored as a temporary STK until it has
2748 * been verified when processing message 3/4. */
2749 stk = &peerkey->tstk;
2750 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
2751 sm->own_addr, peerkey->addr,
2752 peerkey->pnonce, key->key_nonce,
2753 (u8 *) stk, sizeof(*stk));
2754 /* Supplicant: swap tx/rx Mic keys */
2755 os_memcpy(buf, stk->u.auth.tx_mic_key, 8);
2756 os_memcpy(stk->u.auth.tx_mic_key, stk->u.auth.rx_mic_key, 8);
2757 os_memcpy(stk->u.auth.rx_mic_key, buf, 8);
2758 peerkey->tstk_set = 1;
2760 kde_buf_len = peerkey->rsnie_p_len +
2761 2 + RSN_SELECTOR_LEN + sizeof(lifetime) +
2762 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2763 kde_buf = os_malloc(kde_buf_len);
2764 if (kde_buf == NULL)
2767 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
2768 lifetime = host_to_be32(peerkey->lifetime);
2769 pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
2770 (u8 *) &lifetime, sizeof(lifetime));
2771 pos = wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN);
2773 if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver,
2774 peerkey->pnonce, kde_buf, kde_buf_len,
2781 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
2785 static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm,
2786 struct wpa_peerkey *peerkey,
2787 struct wpa_eapol_ie_parse *kde)
2792 if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime))
2795 lifetime = WPA_GET_BE32(kde->lifetime);
2797 if (lifetime >= peerkey->lifetime) {
2798 wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds "
2799 "which is larger than or equal to own value %u "
2800 "seconds - ignored", lifetime, peerkey->lifetime);
2804 wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds "
2805 "(own was %u seconds) - updated",
2806 lifetime, peerkey->lifetime);
2807 peerkey->lifetime = lifetime;
2810 peerkey->expiration = now.sec + lifetime;
2811 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
2812 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
2817 static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm,
2818 struct wpa_peerkey *peerkey,
2819 const struct wpa_eapol_key *key,
2822 struct wpa_eapol_ie_parse kde;
2826 wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from "
2827 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
2829 os_memset(&kde, 0, sizeof(kde));
2831 /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE
2832 * from the peer. It may also include Lifetime KDE. */
2833 keydata = (const u8 *) (key + 1);
2834 len = WPA_GET_BE16(key->key_data_length);
2835 wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", keydata, len);
2836 if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0 ||
2837 kde.pmkid == NULL || kde.rsn_ie == NULL) {
2838 wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4");
2842 if (os_memcmp(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
2843 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4",
2844 kde.pmkid, PMKID_LEN);
2848 if (kde.rsn_ie_len != peerkey->rsnie_p_len ||
2849 os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) {
2850 wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK "
2851 "handshakes did not match");
2852 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake",
2853 peerkey->rsnie_p, peerkey->rsnie_p_len);
2854 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake",
2855 kde.rsn_ie, kde.rsn_ie_len);
2859 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
2861 wpa_supplicant_send_stk_3_of_4(sm, peerkey);
2862 os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN);
2866 static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm,
2867 struct wpa_peerkey *peerkey,
2868 const struct wpa_eapol_key *key,
2871 struct wpa_eapol_ie_parse kde;
2873 size_t len, key_len;
2875 u8 key_buf[32], rsc[6];
2877 wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from "
2878 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
2880 os_memset(&kde, 0, sizeof(kde));
2882 /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include
2884 keydata = (const u8 *) (key + 1);
2885 len = WPA_GET_BE16(key->key_data_length);
2886 wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", keydata, len);
2887 if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0) {
2888 wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in "
2893 if (kde.rsn_ie_len != peerkey->rsnie_i_len ||
2894 os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) {
2895 wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK "
2896 "handshakes did not match");
2897 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK "
2899 peerkey->rsnie_i, peerkey->rsnie_i_len);
2900 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK "
2902 kde.rsn_ie, kde.rsn_ie_len);
2906 if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2907 wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK "
2908 "4-Way Handshake differs from 3 of STK 4-Way "
2909 "Handshake - drop packet (src=" MACSTR ")",
2910 MAC2STR(peerkey->addr));
2914 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
2916 if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver,
2917 WPA_GET_BE16(key->key_info),
2918 NULL, 0, &peerkey->stk))
2921 _key = (u8 *) peerkey->stk.tk1;
2922 if (peerkey->cipher == WPA_CIPHER_TKIP) {
2923 /* Swap Tx/Rx keys for Michael MIC */
2924 os_memcpy(key_buf, _key, 16);
2925 os_memcpy(key_buf + 16, _key + 24, 8);
2926 os_memcpy(key_buf + 24, _key + 16, 8);
2932 os_memset(rsc, 0, 6);
2933 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
2934 rsc, sizeof(rsc), _key, key_len) < 0) {
2935 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
2942 static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm,
2943 struct wpa_peerkey *peerkey,
2944 const struct wpa_eapol_key *key,
2949 wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from "
2950 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
2952 os_memset(rsc, 0, 6);
2953 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
2954 rsc, sizeof(rsc), (u8 *) peerkey->stk.tk1,
2955 peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) {
2956 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
2961 #endif /* CONFIG_PEERKEY */
2964 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
2968 struct wpa_gtk_data *gd)
2971 struct wpa_eapol_ie_parse ie;
2973 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/2 key data", keydata, keydatalen);
2974 wpa_supplicant_parse_ies(keydata, keydatalen, &ie);
2975 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2976 wpa_printf(MSG_WARNING, "WPA: GTK IE in unencrypted key data");
2979 if (ie.gtk == NULL) {
2980 wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key msg 1/2");
2983 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
2985 if (wpa_supplicant_check_group_cipher(sm->group_cipher,
2986 gd->gtk_len, maxkeylen,
2987 &gd->key_rsc_len, &gd->alg))
2990 wpa_hexdump(MSG_DEBUG, "RSN: received GTK in group key handshake",
2991 ie.gtk, ie.gtk_len);
2992 gd->keyidx = ie.gtk[0] & 0x3;
2993 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
2994 !!(ie.gtk[0] & BIT(2)));
2995 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
2996 wpa_printf(MSG_INFO, "RSN: Too long GTK in GTK IE "
2997 "(len=%lu)", (unsigned long) ie.gtk_len - 2);
3000 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
3002 if (ieee80211w_set_keys(sm, &ie) < 0)
3003 wpa_printf(MSG_INFO, "RSN: Failed to configure DHV/IGTK");
3009 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
3010 const struct wpa_eapol_key *key,
3011 size_t keydatalen, int key_info,
3012 size_t extra_len, u16 ver,
3013 struct wpa_gtk_data *gd)
3018 gd->gtk_len = WPA_GET_BE16(key->key_length);
3019 maxkeylen = keydatalen;
3020 if (keydatalen > extra_len) {
3021 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:"
3022 " key_data_length=%lu > extra_len=%lu",
3023 (unsigned long) keydatalen,
3024 (unsigned long) extra_len);
3027 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3028 if (maxkeylen < 8) {
3029 wpa_printf(MSG_INFO, "WPA: Too short maxkeylen (%lu)",
3030 (unsigned long) maxkeylen);
3036 if (wpa_supplicant_check_group_cipher(sm->group_cipher,
3037 gd->gtk_len, maxkeylen,
3038 &gd->key_rsc_len, &gd->alg))
3041 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3042 WPA_KEY_INFO_KEY_INDEX_SHIFT;
3043 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
3044 os_memcpy(ek, key->key_iv, 16);
3045 os_memcpy(ek + 16, sm->ptk.kek, 16);
3046 if (keydatalen > sizeof(gd->gtk)) {
3047 wpa_printf(MSG_WARNING, "WPA: RC4 key data "
3049 (unsigned long) keydatalen);
3052 os_memcpy(gd->gtk, key + 1, keydatalen);
3053 rc4_skip(ek, 32, 256, gd->gtk, keydatalen);
3054 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3055 if (keydatalen % 8) {
3056 wpa_printf(MSG_WARNING, "WPA: Unsupported AES-WRAP "
3057 "len %lu", (unsigned long) keydatalen);
3060 if (maxkeylen > sizeof(gd->gtk)) {
3061 wpa_printf(MSG_WARNING, "WPA: AES-WRAP key data "
3062 "too long (keydatalen=%lu maxkeylen=%lu)",
3063 (unsigned long) keydatalen,
3064 (unsigned long) maxkeylen);
3067 if (aes_unwrap(sm->ptk.kek, maxkeylen / 8,
3068 (const u8 *) (key + 1), gd->gtk)) {
3069 wpa_printf(MSG_WARNING, "WPA: AES unwrap "
3070 "failed - could not decrypt GTK");
3074 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
3075 sm, !!(key_info & WPA_KEY_INFO_TXRX));
3080 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
3081 const struct wpa_eapol_key *key,
3082 int ver, u16 key_info)
3085 struct wpa_eapol_key *reply;
3088 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
3089 sizeof(*reply), &rlen, (void *) &reply);
3093 reply->type = sm->proto == WPA_PROTO_RSN ?
3094 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
3095 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
3096 key_info |= ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
3097 WPA_PUT_BE16(reply->key_info, key_info);
3098 if (sm->proto == WPA_PROTO_RSN)
3099 WPA_PUT_BE16(reply->key_length, 0);
3101 os_memcpy(reply->key_length, key->key_length, 2);
3102 os_memcpy(reply->replay_counter, key->replay_counter,
3103 WPA_REPLAY_COUNTER_LEN);
3105 WPA_PUT_BE16(reply->key_data_length, 0);
3107 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
3108 wpa_eapol_key_send(sm, sm->ptk.kck, ver, sm->bssid, ETH_P_EAPOL,
3109 rbuf, rlen, reply->key_mic);
3115 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
3116 const unsigned char *src_addr,
3117 const struct wpa_eapol_key *key,
3118 int extra_len, u16 ver)
3120 u16 key_info, keydatalen;
3122 struct wpa_gtk_data gd;
3124 os_memset(&gd, 0, sizeof(gd));
3126 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
3127 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from "
3128 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
3130 key_info = WPA_GET_BE16(key->key_info);
3131 keydatalen = WPA_GET_BE16(key->key_data_length);
3133 if (sm->proto == WPA_PROTO_RSN) {
3134 ret = wpa_supplicant_process_1_of_2_rsn(sm,
3135 (const u8 *) (key + 1),
3136 keydatalen, key_info,
3139 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, keydatalen,
3140 key_info, extra_len,
3144 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3149 if (wpa_supplicant_install_gtk(sm, &gd, key->key_rsc) ||
3150 wpa_supplicant_send_2_of_2(sm, key, ver, key_info))
3154 wpa_msg(sm->ctx->ctx, MSG_INFO, "WPA: Group rekeying "
3155 "completed with " MACSTR " [GTK=%s]",
3156 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3157 wpa_sm_set_state(sm, WPA_COMPLETED);
3159 wpa_supplicant_key_neg_complete(sm, sm->bssid,
3161 WPA_KEY_INFO_SECURE);
3166 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
3167 struct wpa_eapol_key *key,
3169 const u8 *buf, size_t len)
3174 os_memcpy(mic, key->key_mic, 16);
3176 os_memset(key->key_mic, 0, 16);
3177 wpa_eapol_key_mic(sm->tptk.kck, ver, buf, len,
3179 if (os_memcmp(mic, key->key_mic, 16) != 0) {
3180 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
3181 "when using TPTK - ignoring TPTK");
3186 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3190 if (!ok && sm->ptk_set) {
3191 os_memset(key->key_mic, 0, 16);
3192 wpa_eapol_key_mic(sm->ptk.kck, ver, buf, len,
3194 if (os_memcmp(mic, key->key_mic, 16) != 0) {
3195 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
3196 "- dropping packet");
3203 wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC "
3204 "- dropping packet");
3208 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3209 WPA_REPLAY_COUNTER_LEN);
3210 sm->rx_replay_counter_set = 1;
3215 #ifdef CONFIG_PEERKEY
3216 static int wpa_supplicant_verify_eapol_key_mic_peerkey(
3217 struct wpa_sm *sm, struct wpa_peerkey *peerkey,
3218 struct wpa_eapol_key *key, u16 ver, const u8 *buf, size_t len)
3223 if (peerkey->initiator && !peerkey->stk_set) {
3224 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
3225 sm->own_addr, peerkey->addr,
3226 peerkey->inonce, key->key_nonce,
3227 (u8 *) &peerkey->stk, sizeof(peerkey->stk));
3228 peerkey->stk_set = 1;
3231 os_memcpy(mic, key->key_mic, 16);
3232 if (peerkey->tstk_set) {
3233 os_memset(key->key_mic, 0, 16);
3234 wpa_eapol_key_mic(peerkey->tstk.kck, ver, buf, len,
3236 if (os_memcmp(mic, key->key_mic, 16) != 0) {
3237 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
3238 "when using TSTK - ignoring TSTK");
3241 peerkey->tstk_set = 0;
3242 peerkey->stk_set = 1;
3243 os_memcpy(&peerkey->stk, &peerkey->tstk,
3244 sizeof(peerkey->stk));
3248 if (!ok && peerkey->stk_set) {
3249 os_memset(key->key_mic, 0, 16);
3250 wpa_eapol_key_mic(peerkey->stk.kck, ver, buf, len,
3252 if (os_memcmp(mic, key->key_mic, 16) != 0) {
3253 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
3254 "- dropping packet");
3261 wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC "
3262 "- dropping packet");
3266 os_memcpy(peerkey->replay_counter, key->replay_counter,
3267 WPA_REPLAY_COUNTER_LEN);
3268 peerkey->replay_counter_set = 1;
3271 #endif /* CONFIG_PEERKEY */
3274 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
3275 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
3276 struct wpa_eapol_key *key, u16 ver)
3278 u16 keydatalen = WPA_GET_BE16(key->key_data_length);
3280 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
3281 (u8 *) (key + 1), keydatalen);
3283 wpa_printf(MSG_WARNING, "WPA: PTK not available, "
3284 "cannot decrypt EAPOL-Key key data.");
3288 /* Decrypt key data here so that this operation does not need
3289 * to be implemented separately for each message type. */
3290 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
3292 os_memcpy(ek, key->key_iv, 16);
3293 os_memcpy(ek + 16, sm->ptk.kek, 16);
3294 rc4_skip(ek, 32, 256, (u8 *) (key + 1), keydatalen);
3295 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3297 if (keydatalen % 8) {
3298 wpa_printf(MSG_WARNING, "WPA: Unsupported "
3299 "AES-WRAP len %d", keydatalen);
3302 keydatalen -= 8; /* AES-WRAP adds 8 bytes */
3303 buf = os_malloc(keydatalen);
3305 wpa_printf(MSG_WARNING, "WPA: No memory for "
3306 "AES-UNWRAP buffer");
3309 if (aes_unwrap(sm->ptk.kek, keydatalen / 8,
3310 (u8 *) (key + 1), buf)) {
3312 wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - "
3313 "could not decrypt EAPOL-Key key data");
3316 os_memcpy(key + 1, buf, keydatalen);
3318 WPA_PUT_BE16(key->key_data_length, keydatalen);
3320 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3321 (u8 *) (key + 1), keydatalen);
3327 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3328 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3330 void wpa_sm_aborted_cached(struct wpa_sm *sm)
3332 if (sm && sm->cur_pmksa) {
3333 wpa_printf(MSG_DEBUG, "RSN: Cancelling PMKSA caching attempt");
3334 sm->cur_pmksa = NULL;
3339 static void wpa_eapol_key_dump(const struct wpa_eapol_key *key)
3341 #ifndef CONFIG_NO_STDOUT_DEBUG
3342 u16 key_info = WPA_GET_BE16(key->key_info);
3344 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3345 wpa_printf(MSG_DEBUG, " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s"
3347 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
3348 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3349 WPA_KEY_INFO_KEY_INDEX_SHIFT,
3350 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
3351 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
3352 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
3353 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
3354 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3355 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
3356 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
3357 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
3358 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
3359 wpa_printf(MSG_DEBUG, " key_length=%u key_data_length=%u",
3360 WPA_GET_BE16(key->key_length),
3361 WPA_GET_BE16(key->key_data_length));
3362 wpa_hexdump(MSG_DEBUG, " replay_counter",
3363 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3364 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3365 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3366 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3367 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3368 wpa_hexdump(MSG_DEBUG, " key_mic", key->key_mic, 16);
3369 #endif /* CONFIG_NO_STDOUT_DEBUG */
3374 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3375 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3376 * @src_addr: Source MAC address of the EAPOL packet
3377 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
3378 * @len: Length of the EAPOL frame
3379 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
3381 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3382 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
3383 * only processing WPA and WPA2 EAPOL-Key frames.
3385 * The received EAPOL-Key packets are validated and valid packets are replied
3386 * to. In addition, key material (PTK, GTK) is configured at the end of a
3387 * successful key handshake.
3389 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
3390 const u8 *buf, size_t len)
3392 size_t plen, data_len, extra_len;
3393 struct ieee802_1x_hdr *hdr;
3394 struct wpa_eapol_key *key;
3398 struct wpa_peerkey *peerkey = NULL;
3400 if (len < sizeof(*hdr) + sizeof(*key)) {
3401 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short to be a WPA "
3402 "EAPOL-Key (len %lu, expecting at least %lu)",
3403 (unsigned long) len,
3404 (unsigned long) sizeof(*hdr) + sizeof(*key));
3408 tmp = os_malloc(len);
3411 os_memcpy(tmp, buf, len);
3413 hdr = (struct ieee802_1x_hdr *) tmp;
3414 key = (struct wpa_eapol_key *) (hdr + 1);
3415 plen = be_to_host16(hdr->length);
3416 data_len = plen + sizeof(*hdr);
3417 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%lu",
3418 hdr->version, hdr->type, (unsigned long) plen);
3420 if (hdr->version < EAPOL_VERSION) {
3421 /* TODO: backwards compatibility */
3423 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3424 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, "
3425 "not a Key frame", hdr->type);
3429 if (plen > len - sizeof(*hdr) || plen < sizeof(*key)) {
3430 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %lu "
3431 "invalid (frame size %lu)",
3432 (unsigned long) plen, (unsigned long) len);
3437 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3439 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, "
3440 "discarded", key->type);
3444 wpa_eapol_key_dump(key);
3446 eapol_sm_notify_lower_layer_success(sm->eapol);
3447 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", tmp, len);
3448 if (data_len < len) {
3449 wpa_printf(MSG_DEBUG, "WPA: ignoring %lu bytes after the IEEE "
3450 "802.1X data", (unsigned long) len - data_len);
3452 key_info = WPA_GET_BE16(key->key_info);
3453 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3454 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3455 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3456 wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor "
3457 "version %d.", ver);
3461 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3462 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3463 wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key "
3464 "descriptor version (%d) is not 2.", ver);
3465 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3466 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
3467 /* Earlier versions of IEEE 802.11i did not explicitly
3468 * require version 2 descriptor for all EAPOL-Key
3469 * packets, so allow group keys to use version 1 if
3470 * CCMP is not used for them. */
3471 wpa_printf(MSG_INFO, "WPA: Backwards compatibility: "
3472 "allow invalid version for non-CCMP group "
3478 #ifdef CONFIG_PEERKEY
3479 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
3480 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
3484 if (!(key_info & WPA_KEY_INFO_SMK_MESSAGE) && peerkey) {
3485 if (!peerkey->initiator && peerkey->replay_counter_set &&
3486 os_memcmp(key->replay_counter, peerkey->replay_counter,
3487 WPA_REPLAY_COUNTER_LEN) <= 0) {
3488 wpa_printf(MSG_WARNING, "RSN: EAPOL-Key Replay "
3489 "Counter did not increase (STK) - dropping "
3492 } else if (peerkey->initiator) {
3493 u8 _tmp[WPA_REPLAY_COUNTER_LEN];
3494 os_memcpy(_tmp, key->replay_counter,
3495 WPA_REPLAY_COUNTER_LEN);
3496 inc_byte_array(_tmp, WPA_REPLAY_COUNTER_LEN);
3497 if (os_memcmp(_tmp, peerkey->replay_counter,
3498 WPA_REPLAY_COUNTER_LEN) != 0) {
3499 wpa_printf(MSG_DEBUG, "RSN: EAPOL-Key Replay "
3500 "Counter did not match (STK) - "
3507 if (peerkey && peerkey->initiator && (key_info & WPA_KEY_INFO_ACK)) {
3508 wpa_printf(MSG_INFO, "RSN: Ack bit in key_info from STK peer");
3511 #endif /* CONFIG_PEERKEY */
3513 if (!peerkey && sm->rx_replay_counter_set &&
3514 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3515 WPA_REPLAY_COUNTER_LEN) <= 0) {
3516 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not"
3517 " increase - dropping packet");
3521 if (!(key_info & (WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE))
3522 #ifdef CONFIG_PEERKEY
3523 && (peerkey == NULL || !peerkey->initiator)
3524 #endif /* CONFIG_PEERKEY */
3526 wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info");
3530 if (key_info & WPA_KEY_INFO_REQUEST) {
3531 wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - "
3536 if ((key_info & WPA_KEY_INFO_MIC) && !peerkey &&
3537 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3540 #ifdef CONFIG_PEERKEY
3541 if ((key_info & WPA_KEY_INFO_MIC) && peerkey &&
3542 wpa_supplicant_verify_eapol_key_mic_peerkey(
3543 sm, peerkey, key, ver, tmp, data_len))
3545 #endif /* CONFIG_PEERKEY */
3547 extra_len = data_len - sizeof(*hdr) - sizeof(*key);
3549 if (WPA_GET_BE16(key->key_data_length) > extra_len) {
3550 wpa_msg(sm->ctx->ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3551 "frame - key_data overflow (%d > %lu)",
3552 WPA_GET_BE16(key->key_data_length),
3553 (unsigned long) extra_len);
3556 extra_len = WPA_GET_BE16(key->key_data_length);
3558 if (sm->proto == WPA_PROTO_RSN &&
3559 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3560 if (wpa_supplicant_decrypt_key_data(sm, key, ver))
3562 extra_len = WPA_GET_BE16(key->key_data_length);
3565 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3566 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3567 wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key "
3568 "(Pairwise) with non-zero key index");
3571 #ifdef CONFIG_PEERKEY
3573 if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK))
3574 == (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) {
3575 /* 3/4 STK 4-Way Handshake */
3576 wpa_supplicant_process_stk_3_of_4(sm, peerkey,
3578 } else if (key_info & WPA_KEY_INFO_ACK) {
3579 /* 1/4 STK 4-Way Handshake */
3580 wpa_supplicant_process_stk_1_of_4(sm, peerkey,
3582 } else if (key_info & WPA_KEY_INFO_SECURE) {
3583 /* 4/4 STK 4-Way Handshake */
3584 wpa_supplicant_process_stk_4_of_4(sm, peerkey,
3587 /* 2/4 STK 4-Way Handshake */
3588 wpa_supplicant_process_stk_2_of_4(sm, peerkey,
3592 #endif /* CONFIG_PEERKEY */
3593 if (key_info & WPA_KEY_INFO_MIC) {
3594 /* 3/4 4-Way Handshake */
3595 wpa_supplicant_process_3_of_4(sm, key, ver);
3597 /* 1/4 4-Way Handshake */
3598 wpa_supplicant_process_1_of_4(sm, src_addr, key,
3601 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
3602 #ifdef CONFIG_PEERKEY
3603 if (key_info & WPA_KEY_INFO_ERROR) {
3605 wpa_supplicant_process_smk_error(sm, src_addr, key,
3607 } else if (key_info & WPA_KEY_INFO_ACK) {
3609 wpa_supplicant_process_smk_m2(sm, src_addr, key,
3613 wpa_supplicant_process_smk_m45(sm, src_addr, key,
3616 #endif /* CONFIG_PEERKEY */
3618 if (key_info & WPA_KEY_INFO_MIC) {
3619 /* 1/2 Group Key Handshake */
3620 wpa_supplicant_process_1_of_2(sm, src_addr, key,
3623 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) "
3624 "without Mic bit - dropped");
3636 #ifdef CONFIG_CTRL_IFACE
3637 static int wpa_cipher_bits(int cipher)
3640 case WPA_CIPHER_CCMP:
3642 case WPA_CIPHER_TKIP:
3644 case WPA_CIPHER_WEP104:
3646 case WPA_CIPHER_WEP40:
3654 static const u8 * wpa_key_mgmt_suite(struct wpa_sm *sm)
3656 static const u8 *dummy = (u8 *) "\x00\x00\x00\x00";
3657 switch (sm->key_mgmt) {
3658 case WPA_KEY_MGMT_IEEE8021X:
3659 return (sm->proto == WPA_PROTO_RSN ?
3660 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
3661 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
3662 case WPA_KEY_MGMT_PSK:
3663 return (sm->proto == WPA_PROTO_RSN ?
3664 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
3665 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
3666 case WPA_KEY_MGMT_WPA_NONE:
3667 return WPA_AUTH_KEY_MGMT_NONE;
3674 static const u8 * wpa_cipher_suite(struct wpa_sm *sm, int cipher)
3676 static const u8 *dummy = (u8 *) "\x00\x00\x00\x00";
3678 case WPA_CIPHER_CCMP:
3679 return (sm->proto == WPA_PROTO_RSN ?
3680 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
3681 case WPA_CIPHER_TKIP:
3682 return (sm->proto == WPA_PROTO_RSN ?
3683 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
3684 case WPA_CIPHER_WEP104:
3685 return (sm->proto == WPA_PROTO_RSN ?
3686 RSN_CIPHER_SUITE_WEP104 : WPA_CIPHER_SUITE_WEP104);
3687 case WPA_CIPHER_WEP40:
3688 return (sm->proto == WPA_PROTO_RSN ?
3689 RSN_CIPHER_SUITE_WEP40 : WPA_CIPHER_SUITE_WEP40);
3690 case WPA_CIPHER_NONE:
3691 return (sm->proto == WPA_PROTO_RSN ?
3692 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
3699 #define RSN_SUITE "%02x-%02x-%02x-%d"
3700 #define RSN_SUITE_ARG(s) (s)[0], (s)[1], (s)[2], (s)[3]
3703 * wpa_sm_get_mib - Dump text list of MIB entries
3704 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3705 * @buf: Buffer for the list
3706 * @buflen: Length of the buffer
3707 * Returns: Number of bytes written to buffer
3709 * This function is used fetch dot11 MIB variables.
3711 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
3713 char pmkid_txt[PMKID_LEN * 2 + 1];
3717 if (sm->cur_pmksa) {
3718 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3719 sm->cur_pmksa->pmkid, PMKID_LEN);
3721 pmkid_txt[0] = '\0';
3723 if ((sm->key_mgmt == WPA_KEY_MGMT_PSK ||
3724 sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X) &&
3725 sm->proto == WPA_PROTO_RSN)
3730 ret = os_snprintf(buf, buflen,
3731 "dot11RSNAOptionImplemented=TRUE\n"
3732 "dot11RSNAPreauthenticationImplemented=TRUE\n"
3733 "dot11RSNAEnabled=%s\n"
3734 "dot11RSNAPreauthenticationEnabled=%s\n"
3735 "dot11RSNAConfigVersion=%d\n"
3736 "dot11RSNAConfigPairwiseKeysSupported=5\n"
3737 "dot11RSNAConfigGroupCipherSize=%d\n"
3738 "dot11RSNAConfigPMKLifetime=%d\n"
3739 "dot11RSNAConfigPMKReauthThreshold=%d\n"
3740 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
3741 "dot11RSNAConfigSATimeout=%d\n",
3742 rsna ? "TRUE" : "FALSE",
3743 rsna ? "TRUE" : "FALSE",
3745 wpa_cipher_bits(sm->group_cipher),
3746 sm->dot11RSNAConfigPMKLifetime,
3747 sm->dot11RSNAConfigPMKReauthThreshold,
3748 sm->dot11RSNAConfigSATimeout);
3749 if (ret < 0 || (size_t) ret >= buflen)
3754 buf + len, buflen - len,
3755 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3756 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3757 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3758 "dot11RSNAPMKIDUsed=%s\n"
3759 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3760 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3761 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3762 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
3763 "dot11RSNA4WayHandshakeFailures=%u\n",
3764 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
3765 RSN_SUITE_ARG(wpa_cipher_suite(sm, sm->pairwise_cipher)),
3766 RSN_SUITE_ARG(wpa_cipher_suite(sm, sm->group_cipher)),
3768 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
3769 RSN_SUITE_ARG(wpa_cipher_suite(sm, sm->pairwise_cipher)),
3770 RSN_SUITE_ARG(wpa_cipher_suite(sm, sm->group_cipher)),
3771 sm->dot11RSNA4WayHandshakeFailures);
3772 if (ret >= 0 && (size_t) ret < buflen)
3777 #endif /* CONFIG_CTRL_IFACE */
3780 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
3781 void *ctx, int replace)
3783 struct wpa_sm *sm = ctx;
3785 if (sm->cur_pmksa == entry ||
3786 (sm->pmk_len == entry->pmk_len &&
3787 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
3788 wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry");
3789 sm->cur_pmksa = NULL;
3792 /* A new entry is being added, so no need to
3793 * deauthenticate in this case. This happens when EAP
3794 * authentication is completed again (reauth or failed
3795 * PMKSA caching attempt). */
3799 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3800 wpa_sm_deauthenticate(sm, REASON_UNSPECIFIED);
3801 wpa_sm_req_scan(sm, 0, 0);
3807 * wpa_sm_init - Initialize WPA state machine
3808 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
3809 * Returns: Pointer to the allocated WPA state machine data
3811 * This function is used to allocate a new WPA state machine and the returned
3812 * value is passed to all WPA state machine calls.
3814 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
3818 sm = os_zalloc(sizeof(*sm));
3821 sm->renew_snonce = 1;
3824 sm->dot11RSNAConfigPMKLifetime = 43200;
3825 sm->dot11RSNAConfigPMKReauthThreshold = 70;
3826 sm->dot11RSNAConfigSATimeout = 60;
3828 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
3829 if (sm->pmksa == NULL) {
3830 wpa_printf(MSG_ERROR, "RSN: PMKSA cache initialization "
3841 * wpa_sm_deinit - Deinitialize WPA state machine
3842 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3844 void wpa_sm_deinit(struct wpa_sm *sm)
3848 pmksa_cache_deinit(sm->pmksa);
3849 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
3850 os_free(sm->assoc_wpa_ie);
3851 os_free(sm->ap_wpa_ie);
3852 os_free(sm->ap_rsn_ie);
3854 #ifdef CONFIG_PEERKEY
3856 struct wpa_peerkey *prev, *peerkey = sm->peerkey;
3859 peerkey = peerkey->next;
3863 #endif /* CONFIG_PEERKEY */
3869 * wpa_sm_notify_assoc - Notify WPA state machine about association
3870 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3871 * @bssid: The BSSID of the new association
3873 * This function is called to let WPA state machine know that the connection
3876 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
3881 wpa_printf(MSG_DEBUG, "WPA: Association event - clear replay counter");
3882 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3883 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
3884 sm->rx_replay_counter_set = 0;
3885 sm->renew_snonce = 1;
3886 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
3887 rsn_preauth_deinit(sm);
3892 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
3893 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3895 * This function is called to let WPA state machine know that the connection
3896 * was lost. This will abort any existing pre-authentication session.
3898 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
3900 rsn_preauth_deinit(sm);
3901 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
3902 sm->dot11RSNA4WayHandshakeFailures++;
3907 * wpa_sm_set_pmk - Set PMK
3908 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3910 * @pmk_len: The length of the new PMK in bytes
3912 * Configure the PMK for WPA state machine.
3914 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len)
3919 sm->pmk_len = pmk_len;
3920 os_memcpy(sm->pmk, pmk, pmk_len);
3925 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
3926 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3928 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
3931 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
3936 if (sm->cur_pmksa) {
3937 sm->pmk_len = sm->cur_pmksa->pmk_len;
3938 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
3940 sm->pmk_len = PMK_LEN;
3941 os_memset(sm->pmk, 0, PMK_LEN);
3947 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
3948 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3949 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
3951 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
3954 sm->fast_reauth = fast_reauth;
3959 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
3960 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3961 * @scard_ctx: Context pointer for smartcard related callback functions
3963 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
3967 sm->scard_ctx = scard_ctx;
3968 if (sm->preauth_eapol)
3969 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
3974 * wpa_sm_set_config - Notification of current configration change
3975 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3976 * @config: Pointer to current network configuration
3978 * Notify WPA state machine that configuration has changed. config will be
3979 * stored as a backpointer to network configuration. This can be %NULL to clear
3980 * the stored pointed.
3982 void wpa_sm_set_config(struct wpa_sm *sm, struct wpa_ssid *config)
3985 sm->cur_ssid = config;
3986 pmksa_cache_notify_reconfig(sm->pmksa);
3992 * wpa_sm_set_own_addr - Set own MAC address
3993 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3994 * @addr: Own MAC address
3996 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
3999 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4004 * wpa_sm_set_ifname - Set network interface name
4005 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4006 * @ifname: Interface name
4007 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4009 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
4010 const char *bridge_ifname)
4013 sm->ifname = ifname;
4014 sm->bridge_ifname = bridge_ifname;
4020 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4021 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4022 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
4024 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
4032 * wpa_sm_set_param - Set WPA state machine parameters
4033 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4034 * @param: Parameter field
4035 * @value: Parameter value
4036 * Returns: 0 on success, -1 on failure
4038 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
4047 case RSNA_PMK_LIFETIME:
4049 sm->dot11RSNAConfigPMKLifetime = value;
4053 case RSNA_PMK_REAUTH_THRESHOLD:
4054 if (value > 0 && value <= 100)
4055 sm->dot11RSNAConfigPMKReauthThreshold = value;
4059 case RSNA_SA_TIMEOUT:
4061 sm->dot11RSNAConfigSATimeout = value;
4065 case WPA_PARAM_PROTO:
4068 case WPA_PARAM_PAIRWISE:
4069 sm->pairwise_cipher = value;
4071 case WPA_PARAM_GROUP:
4072 sm->group_cipher = value;
4074 case WPA_PARAM_KEY_MGMT:
4075 sm->key_mgmt = value;
4077 #ifdef CONFIG_IEEE80211W
4078 case WPA_PARAM_MGMT_GROUP:
4079 sm->mgmt_group_cipher = value;
4081 #endif /* CONFIG_IEEE80211W */
4091 * wpa_sm_get_param - Get WPA state machine parameters
4092 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4093 * @param: Parameter field
4094 * Returns: Parameter value
4096 unsigned int wpa_sm_get_param(struct wpa_sm *sm, enum wpa_sm_conf_params param)
4102 case RSNA_PMK_LIFETIME:
4103 return sm->dot11RSNAConfigPMKLifetime;
4104 case RSNA_PMK_REAUTH_THRESHOLD:
4105 return sm->dot11RSNAConfigPMKReauthThreshold;
4106 case RSNA_SA_TIMEOUT:
4107 return sm->dot11RSNAConfigSATimeout;
4108 case WPA_PARAM_PROTO:
4110 case WPA_PARAM_PAIRWISE:
4111 return sm->pairwise_cipher;
4112 case WPA_PARAM_GROUP:
4113 return sm->group_cipher;
4114 case WPA_PARAM_KEY_MGMT:
4115 return sm->key_mgmt;
4116 #ifdef CONFIG_IEEE80211W
4117 case WPA_PARAM_MGMT_GROUP:
4118 return sm->mgmt_group_cipher;
4119 #endif /* CONFIG_IEEE80211W */
4127 * wpa_sm_get_status - Get WPA state machine
4128 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4129 * @buf: Buffer for status information
4130 * @buflen: Maximum buffer length
4131 * @verbose: Whether to include verbose status information
4132 * Returns: Number of bytes written to buf.
4134 * Query WPA state machine for status information. This function fills in
4135 * a text area with current status information. If the buffer (buf) is not
4136 * large enough, status information will be truncated to fit the buffer.
4138 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
4141 char *pos = buf, *end = buf + buflen;
4144 ret = os_snprintf(pos, end - pos,
4145 "pairwise_cipher=%s\n"
4148 wpa_cipher_txt(sm->pairwise_cipher),
4149 wpa_cipher_txt(sm->group_cipher),
4150 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
4151 if (ret < 0 || ret >= end - pos)
4159 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
4160 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4161 * @wpa_ie: Pointer to buffer for WPA/RSN IE
4162 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
4163 * Returns: 0 on success, -1 on failure
4165 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
4166 * Request frame. The IE will be used to override the default value generated
4167 * with wpa_sm_set_assoc_wpa_ie_default().
4169 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
4177 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
4182 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
4183 wpa_ie, *wpa_ie_len);
4185 if (sm->assoc_wpa_ie == NULL) {
4187 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
4188 * the correct version of the IE even if PMKSA caching is
4189 * aborted (which would remove PMKID from IE generation).
4191 sm->assoc_wpa_ie = os_malloc(*wpa_ie_len);
4192 if (sm->assoc_wpa_ie == NULL)
4195 os_memcpy(sm->assoc_wpa_ie, wpa_ie, *wpa_ie_len);
4196 sm->assoc_wpa_ie_len = *wpa_ie_len;
4204 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
4205 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4206 * @ie: Pointer to IE data (starting from id)
4208 * Returns: 0 on success, -1 on failure
4210 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
4211 * Request frame. The IE will be used to override the default value generated
4212 * with wpa_sm_set_assoc_wpa_ie_default().
4214 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4219 os_free(sm->assoc_wpa_ie);
4220 if (ie == NULL || len == 0) {
4221 wpa_printf(MSG_DEBUG, "WPA: clearing own WPA/RSN IE");
4222 sm->assoc_wpa_ie = NULL;
4223 sm->assoc_wpa_ie_len = 0;
4225 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
4226 sm->assoc_wpa_ie = os_malloc(len);
4227 if (sm->assoc_wpa_ie == NULL)
4230 os_memcpy(sm->assoc_wpa_ie, ie, len);
4231 sm->assoc_wpa_ie_len = len;
4239 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
4240 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4241 * @ie: Pointer to IE data (starting from id)
4243 * Returns: 0 on success, -1 on failure
4245 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
4248 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4253 os_free(sm->ap_wpa_ie);
4254 if (ie == NULL || len == 0) {
4255 wpa_printf(MSG_DEBUG, "WPA: clearing AP WPA IE");
4256 sm->ap_wpa_ie = NULL;
4257 sm->ap_wpa_ie_len = 0;
4259 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
4260 sm->ap_wpa_ie = os_malloc(len);
4261 if (sm->ap_wpa_ie == NULL)
4264 os_memcpy(sm->ap_wpa_ie, ie, len);
4265 sm->ap_wpa_ie_len = len;
4273 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
4274 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4275 * @ie: Pointer to IE data (starting from id)
4277 * Returns: 0 on success, -1 on failure
4279 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
4282 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
4287 os_free(sm->ap_rsn_ie);
4288 if (ie == NULL || len == 0) {
4289 wpa_printf(MSG_DEBUG, "WPA: clearing AP RSN IE");
4290 sm->ap_rsn_ie = NULL;
4291 sm->ap_rsn_ie_len = 0;
4293 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
4294 sm->ap_rsn_ie = os_malloc(len);
4295 if (sm->ap_rsn_ie == NULL)
4298 os_memcpy(sm->ap_rsn_ie, ie, len);
4299 sm->ap_rsn_ie_len = len;
4307 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
4308 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4309 * @data: Pointer to data area for parsing results
4310 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
4312 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
4313 * parsed data into data.
4315 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
4317 if (sm == NULL || sm->assoc_wpa_ie == NULL) {
4318 wpa_printf(MSG_DEBUG, "WPA: No WPA/RSN IE available from "
4319 "association info");
4322 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
lentferj's projects / dragonfly.git / blob