1/*
2 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3 * Use is subject to license terms.
4 */
5
6/*
7 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
8 * Sun elects to license this software under the BSD license.
9 * See README for more details.
10 */
11
12#include <stdio.h>
13#include <stdlib.h>
14#include <string.h>
15#include <time.h>
16#include <netinet/in.h>
17#include <sys/ethernet.h>
18#include <fcntl.h>
19#include <unistd.h>
20
21#include "wpa_impl.h"
22#include "wpa_enc.h"
23#include "driver.h"
24#include "eloop.h"
25#include "l2_packet.h"
26
27static void pmksa_cache_set_expiration(struct wpa_supplicant *);
28
29/*
30 * IEEE 802.11i/D3.0
31 */
32static const int WPA_SELECTOR_LEN = 4;
33static const uint8_t WPA_OUI_AND_TYPE[] = { 0x00, 0x50, 0xf2, 1 };
34static const uint8_t
35WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] 		= { 0x00, 0x50, 0xf2, 1 };
36static const uint8_t
37WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] 		= { 0x00, 0x50, 0xf2, 2 };
38static const uint8_t WPA_CIPHER_SUITE_NONE[]	= { 0x00, 0x50, 0xf2, 0 };
39static const uint8_t WPA_CIPHER_SUITE_WEP40[]	= { 0x00, 0x50, 0xf2, 1 };
40static const uint8_t WPA_CIPHER_SUITE_TKIP[]	= { 0x00, 0x50, 0xf2, 2 };
41static const uint8_t WPA_CIPHER_SUITE_CCMP[]	= { 0x00, 0x50, 0xf2, 4 };
42static const uint8_t WPA_CIPHER_SUITE_WEP104[]	= { 0x00, 0x50, 0xf2, 5 };
43
44/*
45 * WPA IE version 1
46 * 00-50-f2:1 (OUI:OUI type)
47 * 0x01 0x00 (version; little endian)
48 * (all following fields are optional:)
49 * Group Suite Selector (4 octets) (default: TKIP)
50 * Pairwise Suite Count (2 octets, little endian) (default: 1)
51 * Pairwise Suite List (4 * n octets) (default: TKIP)
52 * Authenticated Key Management Suite Count (2 octets, little endian)
53 * (default: 1)
54 * Authenticated Key Management Suite List (4 * n octets)
55 * (default: unspec 802.1x)
56 * WPA Capabilities (2 octets, little endian) (default: 0)
57 */
58#pragma pack(1)
59struct wpa_ie_hdr {
60	uint8_t		elem_id;
61	uint8_t		len;
62	uint8_t		oui[3];
63	uint8_t		oui_type;
64	uint16_t	version;
65};
66#pragma pack()
67
68/*
69 * IEEE 802.11i/D9.0
70 */
71static const int RSN_SELECTOR_LEN = 4;
72static const uint16_t RSN_VERSION = 1;
73static const uint8_t
74RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[]		= { 0x00, 0x0f, 0xac, 1 };
75static const uint8_t
76RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[]		= { 0x00, 0x0f, 0xac, 2 };
77static const uint8_t RSN_CIPHER_SUITE_NONE[]	= { 0x00, 0x0f, 0xac, 0 };
78static const uint8_t RSN_CIPHER_SUITE_WEP40[]	= { 0x00, 0x0f, 0xac, 1 };
79static const uint8_t RSN_CIPHER_SUITE_TKIP[]	= { 0x00, 0x0f, 0xac, 2 };
80static const uint8_t RSN_CIPHER_SUITE_CCMP[]	= { 0x00, 0x0f, 0xac, 4 };
81static const uint8_t RSN_CIPHER_SUITE_WEP104[]	= { 0x00, 0x0f, 0xac, 5 };
82
83/*
84 * EAPOL-Key Key Data Encapsulation
85 * GroupKey and STAKey require encryption, otherwise, encryption is optional.
86 */
87static const uint8_t RSN_KEY_DATA_GROUPKEY[]	= { 0x00, 0x0f, 0xac, 1 };
88static const uint8_t RSN_KEY_DATA_PMKID[]	= { 0x00, 0x0f, 0xac, 4 };
89
90/*
91 * 1/4: PMKID
92 * 2/4: RSN IE
93 * 3/4: one or two RSN IEs + GTK IE (encrypted)
94 * 4/4: empty
95 * 1/2: GTK IE (encrypted)
96 * 2/2: empty
97 */
98
99/*
100 * RSN IE version 1
101 * 0x01 0x00 (version; little endian)
102 * (all following fields are optional:)
103 * Group Suite Selector (4 octets) (default: CCMP)
104 * Pairwise Suite Count (2 octets, little endian) (default: 1)
105 * Pairwise Suite List (4 * n octets) (default: CCMP)
106 * Authenticated Key Management Suite Count (2 octets, little endian)
107 *    (default: 1)
108 * Authenticated Key Management Suite List (4 * n octets)
109 *    (default: unspec 802.1x)
110 * RSN Capabilities (2 octets, little endian) (default: 0)
111 * PMKID Count (2 octets) (default: 0)
112 * PMKID List (16 * n octets)
113 */
114#pragma pack(1)
115struct rsn_ie_hdr {
116	uint8_t		elem_id; /* WLAN_EID_RSN */
117	uint8_t		len;
118	uint16_t	version;
119};
120#pragma pack()
121
122static int
123random_get_pseudo_bytes(uint8_t *ptr, size_t len)
124{
125	int fd;
126	size_t resid = len;
127	size_t bytes;
128
129	fd = open("/dev/urandom", O_RDONLY);
130	if (fd == -1) {
131		wpa_printf(MSG_ERROR, "Could not open /dev/urandom.\n");
132		return (-1);
133	}
134
135	while (resid != 0) {
136		bytes = read(fd, ptr, resid);
137		ptr += bytes;
138		resid -= bytes;
139	}
140
141	(void) close(fd);
142
143	return (0);
144}
145
146static void
147inc_byte_array(uint8_t *counter, size_t len)
148{
149	int pos = len - 1;
150	while (pos >= 0) {
151		counter[pos]++;
152		if (counter[pos] != 0)
153			break;
154		pos--;
155	}
156}
157
158static int
159wpa_selector_to_bitfield(uint8_t *s)
160{
161	if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0)
162		return (WPA_CIPHER_NONE);
163	if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0)
164		return (WPA_CIPHER_WEP40);
165	if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0)
166		return (WPA_CIPHER_TKIP);
167	if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0)
168		return (WPA_CIPHER_CCMP);
169	if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0)
170		return (WPA_CIPHER_WEP104);
171	return (0);
172}
173
174static int
175wpa_key_mgmt_to_bitfield(uint8_t *s)
176{
177	if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0)
178		return (WPA_KEY_MGMT_IEEE8021X);
179	if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) ==
180	    0)
181		return (WPA_KEY_MGMT_PSK);
182	return (0);
183}
184
185static int
186rsn_selector_to_bitfield(uint8_t *s)
187{
188	if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0)
189		return (WPA_CIPHER_NONE);
190	if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0)
191		return (WPA_CIPHER_WEP40);
192	if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0)
193		return (WPA_CIPHER_TKIP);
194	if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0)
195		return (WPA_CIPHER_CCMP);
196	if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0)
197		return (WPA_CIPHER_WEP104);
198	return (0);
199}
200
201static int
202rsn_key_mgmt_to_bitfield(uint8_t *s)
203{
204	if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0)
205		return (WPA_KEY_MGMT_IEEE8021X);
206	if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) ==
207	    0)
208		return (WPA_KEY_MGMT_PSK);
209	return (0);
210}
211
212static void
213pmksa_cache_free_entry(struct wpa_supplicant *wpa_s,
214	struct rsn_pmksa_cache *entry)
215{
216	wpa_s->pmksa_count--;
217	if (wpa_s->cur_pmksa == entry) {
218		wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry");
219		wpa_s->cur_pmksa = NULL;
220	}
221	free(entry);
222}
223
224/* ARGSUSED */
225static void
226pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
227{
228	struct wpa_supplicant *wpa_s = eloop_ctx;
229	time_t now;
230
231	(void) time(&now);
232	while (wpa_s->pmksa && wpa_s->pmksa->expiration <= now) {
233		struct rsn_pmksa_cache *entry = wpa_s->pmksa;
234		wpa_s->pmksa = entry->next;
235		wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
236		    MACSTR, MAC2STR(entry->aa));
237		pmksa_cache_free_entry(wpa_s, entry);
238	}
239
240	pmksa_cache_set_expiration(wpa_s);
241}
242
243static void
244pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s)
245{
246	int sec;
247	eloop_cancel_timeout(pmksa_cache_expire, wpa_s, NULL);
248	if (wpa_s->pmksa == NULL)
249		return;
250	sec = wpa_s->pmksa->expiration - time(NULL);
251	if (sec < 0)
252		sec = 0;
253	(void) eloop_register_timeout(sec + 1, 0, pmksa_cache_expire,
254	    wpa_s, NULL);
255}
256
257void
258pmksa_cache_free(struct wpa_supplicant *wpa_s)
259{
260	struct rsn_pmksa_cache *entry, *prev;
261
262	entry = wpa_s->pmksa;
263	wpa_s->pmksa = NULL;
264	while (entry) {
265		prev = entry;
266		entry = entry->next;
267		free(prev);
268	}
269	pmksa_cache_set_expiration(wpa_s);
270	wpa_s->cur_pmksa = NULL;
271}
272
273struct rsn_pmksa_cache *
274pmksa_cache_get(struct wpa_supplicant *wpa_s,
275		uint8_t *aa, uint8_t *pmkid)
276{
277	struct rsn_pmksa_cache *entry = wpa_s->pmksa;
278	while (entry) {
279		if ((aa == NULL ||
280		    memcmp(entry->aa, aa, IEEE80211_ADDR_LEN) == 0) &&
281		    (pmkid == NULL ||
282		    memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0))
283			return (entry);
284		entry = entry->next;
285	}
286	return (NULL);
287}
288
289int
290pmksa_cache_list(struct wpa_supplicant *wpa_s, char *buf, size_t len)
291{
292	int i, j;
293	char *pos = buf;
294	struct rsn_pmksa_cache *entry;
295	time_t now;
296
297	(void) time(&now);
298	pos += snprintf(pos, buf + len - pos,
299	    "Index / AA / PMKID / expiration (in seconds)\n");
300	i = 0;
301	entry = wpa_s->pmksa;
302	while (entry) {
303		i++;
304		pos += snprintf(pos, buf + len - pos, "%d " MACSTR " ",
305		    i, MAC2STR(entry->aa));
306		for (j = 0; j < PMKID_LEN; j++)
307			pos += snprintf(pos, buf + len - pos, "%02x",
308			    entry->pmkid[j]);
309		pos += snprintf(pos, buf + len - pos, " %d\n",
310		    (int)(entry->expiration - now));
311		entry = entry->next;
312	}
313	return (pos - buf);
314}
315
316void
317pmksa_candidate_free(struct wpa_supplicant *wpa_s)
318{
319	struct rsn_pmksa_candidate *entry, *prev;
320
321	entry = wpa_s->pmksa_candidates;
322	wpa_s->pmksa_candidates = NULL;
323	while (entry) {
324		prev = entry;
325		entry = entry->next;
326		free(prev);
327	}
328}
329
330/* ARGSUSED */
331static int
332wpa_parse_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie,
333    size_t wpa_ie_len, struct wpa_ie_data *data)
334{
335	struct wpa_ie_hdr *hdr;
336	uint8_t *pos;
337	int left;
338	int i, count;
339
340	data->proto = WPA_PROTO_WPA;
341	data->pairwise_cipher = WPA_CIPHER_TKIP;
342	data->group_cipher = WPA_CIPHER_TKIP;
343	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
344	data->capabilities = 0;
345
346	if (wpa_ie_len == 0) {
347		/* No WPA IE - fail silently */
348		return (-1);
349	}
350
351	if (wpa_ie_len < sizeof (struct wpa_ie_hdr)) {
352		wpa_printf(MSG_DEBUG, "%s: ie len too short %u",
353		    "wpa_parse_wpa_ie_wpa", wpa_ie_len);
354		return (-1);
355	}
356
357	hdr = (struct wpa_ie_hdr *)wpa_ie;
358
359	if (hdr->elem_id != GENERIC_INFO_ELEM ||
360	    hdr->len != wpa_ie_len - 2 ||
361	    memcmp(&hdr->oui, WPA_OUI_AND_TYPE, WPA_SELECTOR_LEN) != 0 ||
362	    LE_16(hdr->version) != WPA_VERSION) {
363		wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
364		    "wpa_parse_wpa_ie_wpa");
365		return (-1);
366	}
367
368	pos = (uint8_t *)(hdr + 1);
369	left = wpa_ie_len - sizeof (*hdr);
370
371	if (left >= WPA_SELECTOR_LEN) {
372		data->group_cipher = wpa_selector_to_bitfield(pos);
373		pos += WPA_SELECTOR_LEN;
374		left -= WPA_SELECTOR_LEN;
375	} else if (left > 0) {
376		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
377		    "wpa_parse_wpa_ie_wpa", left);
378		return (-1);
379	}
380
381	if (left >= 2) {
382		data->pairwise_cipher = 0;
383		count = pos[0] | (pos[1] << 8);
384		pos += 2;
385		left -= 2;
386		if (count == 0 || left < count * WPA_SELECTOR_LEN) {
387			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
388			    "count %u left %u",
389			    "wpa_parse_wpa_ie_wpa", count, left);
390			return (-1);
391		}
392		for (i = 0; i < count; i++) {
393			data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
394			pos += WPA_SELECTOR_LEN;
395			left -= WPA_SELECTOR_LEN;
396		}
397	} else if (left == 1) {
398		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
399		    "wpa_parse_wpa_ie_wpa");
400		return (-1);
401	}
402
403	if (left >= 2) {
404		data->key_mgmt = 0;
405		count = pos[0] | (pos[1] << 8);
406		pos += 2;
407		left -= 2;
408		if (count == 0 || left < count * WPA_SELECTOR_LEN) {
409			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
410			    "count %u left %u",
411			    "wpa_parse_wpa_ie_wpa", count, left);
412			return (-1);
413		}
414		for (i = 0; i < count; i++) {
415			data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
416			pos += WPA_SELECTOR_LEN;
417			left -= WPA_SELECTOR_LEN;
418		}
419	} else if (left == 1) {
420		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
421		    "wpa_parse_wpa_ie_wpa");
422		return (-1);
423	}
424
425	if (left >= 2) {
426		data->capabilities = pos[0] | (pos[1] << 8);
427		pos += 2;
428		left -= 2;
429	}
430
431	if (left > 0) {
432		wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes",
433		    "wpa_parse_wpa_ie_wpa", left);
434		return (-1);
435	}
436
437	return (0);
438}
439
440/* ARGSUSED */
441static int
442wpa_parse_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie,
443    size_t rsn_ie_len, struct wpa_ie_data *data)
444{
445	struct rsn_ie_hdr *hdr;
446	uint8_t *pos;
447	int left;
448	int i, count;
449
450	data->proto = WPA_PROTO_RSN;
451	data->pairwise_cipher = WPA_CIPHER_CCMP;
452	data->group_cipher = WPA_CIPHER_CCMP;
453	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
454	data->capabilities = 0;
455
456	if (rsn_ie_len == 0) {
457		/* No RSN IE - fail silently */
458		return (-1);
459	}
460
461	if (rsn_ie_len < sizeof (struct rsn_ie_hdr)) {
462		wpa_printf(MSG_DEBUG, "%s: ie len too short %u",
463		    "wpa_parse_wpa_ie_rsn", rsn_ie_len);
464		return (-1);
465	}
466
467	hdr = (struct rsn_ie_hdr *)rsn_ie;
468
469	if (hdr->elem_id != RSN_INFO_ELEM ||
470	    hdr->len != rsn_ie_len - 2 ||
471	    LE_16(hdr->version) != RSN_VERSION) {
472		wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
473		    "wpa_parse_wpa_ie_rsn");
474		return (-1);
475	}
476
477	pos = (uint8_t *)(hdr + 1);
478	left = rsn_ie_len - sizeof (*hdr);
479
480	if (left >= RSN_SELECTOR_LEN) {
481		data->group_cipher = rsn_selector_to_bitfield(pos);
482		pos += RSN_SELECTOR_LEN;
483		left -= RSN_SELECTOR_LEN;
484	} else if (left > 0) {
485		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
486		    "wpa_parse_wpa_ie_rsn", left);
487		return (-1);
488	}
489
490	if (left >= 2) {
491		data->pairwise_cipher = 0;
492		count = pos[0] | (pos[1] << 8);
493		pos += 2;
494		left -= 2;
495		if (count == 0 || left < count * RSN_SELECTOR_LEN) {
496			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
497			    "count %u left %u",
498			    "wpa_parse_wpa_ie_rsn", count, left);
499			return (-1);
500		}
501		for (i = 0; i < count; i++) {
502			data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
503			pos += RSN_SELECTOR_LEN;
504			left -= RSN_SELECTOR_LEN;
505		}
506	} else if (left == 1) {
507		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
508		    "wpa_parse_wpa_ie_rsn");
509		return (-1);
510	}
511
512	if (left >= 2) {
513		data->key_mgmt = 0;
514		count = pos[0] | (pos[1] << 8);
515		pos += 2;
516		left -= 2;
517		if (count == 0 || left < count * RSN_SELECTOR_LEN) {
518			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
519			    "count %u left %u",
520			    "wpa_parse_wpa_ie_rsn", count, left);
521			return (-1);
522		}
523		for (i = 0; i < count; i++) {
524			data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
525			pos += RSN_SELECTOR_LEN;
526			left -= RSN_SELECTOR_LEN;
527		}
528	} else if (left == 1) {
529		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
530		    "wpa_parse_wpa_ie_rsn");
531		return (-1);
532	}
533
534	if (left >= 2) {
535		data->capabilities = pos[0] | (pos[1] << 8);
536		pos += 2;
537		left -= 2;
538	}
539
540	if (left > 0) {
541		/*
542		 * RSN IE could include PMKID data, but Authenticator should
543		 * never include it, so no need to parse it in the Supplicant.
544		 */
545		wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
546		    "wpa_parse_wpa_ie_rsn", left);
547	}
548
549	return (0);
550}
551
552int
553wpa_parse_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie,
554    size_t wpa_ie_len, struct wpa_ie_data *data)
555{
556	if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM)
557		return (wpa_parse_wpa_ie_rsn(wpa_s, wpa_ie, wpa_ie_len, data));
558	else
559		return (wpa_parse_wpa_ie_wpa(wpa_s, wpa_ie, wpa_ie_len, data));
560}
561
562static int
563wpa_gen_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie)
564{
565	uint8_t *pos;
566	struct wpa_ie_hdr *hdr;
567
568	hdr = (struct wpa_ie_hdr *)wpa_ie;
569	hdr->elem_id = GENERIC_INFO_ELEM;
570	(void) memcpy(&hdr->oui, WPA_OUI_AND_TYPE, WPA_SELECTOR_LEN);
571	hdr->version = LE_16(WPA_VERSION);
572	pos = (uint8_t *)(hdr + 1);
573
574	if (wpa_s->group_cipher == WPA_CIPHER_CCMP) {
575		(void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
576	} else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) {
577		(void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
578	} else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) {
579		(void) memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN);
580	} else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) {
581		(void) memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN);
582	} else {
583		wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
584		    wpa_s->group_cipher);
585		return (-1);
586	}
587	pos += WPA_SELECTOR_LEN;
588
589	*pos++ = 1;
590	*pos++ = 0;
591	if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) {
592		(void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
593	} else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) {
594		(void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
595	} else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) {
596		(void) memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN);
597	} else {
598		wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
599		    wpa_s->pairwise_cipher);
600		return (-1);
601	}
602	pos += WPA_SELECTOR_LEN;
603
604	*pos++ = 1;
605	*pos++ = 0;
606	if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
607		(void) memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X,
608		    WPA_SELECTOR_LEN);
609	} else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) {
610		(void) memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X,
611		    WPA_SELECTOR_LEN);
612	} else {
613		wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
614		    wpa_s->key_mgmt);
615		return (-1);
616	}
617	pos += WPA_SELECTOR_LEN;
618
619	/*
620	 * WPA Capabilities; use defaults, so no need to include it
621	 */
622	hdr->len = (pos - wpa_ie) - 2;
623
624	return (pos - wpa_ie);
625}
626
627static int
628wpa_gen_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie)
629{
630	uint8_t *pos;
631	struct rsn_ie_hdr *hdr;
632
633	hdr = (struct rsn_ie_hdr *)rsn_ie;
634	hdr->elem_id = RSN_INFO_ELEM;
635	hdr->version = LE_16(RSN_VERSION);
636	pos = (uint8_t *)(hdr + 1);
637
638	if (wpa_s->group_cipher == WPA_CIPHER_CCMP) {
639		(void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
640	} else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) {
641		(void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
642	} else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) {
643		(void) memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN);
644	} else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) {
645		(void) memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN);
646	} else {
647		wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
648		    wpa_s->group_cipher);
649		return (-1);
650	}
651	pos += RSN_SELECTOR_LEN;
652
653	*pos++ = 1;
654	*pos++ = 0;
655	if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) {
656		(void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
657	} else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) {
658		(void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
659	} else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) {
660		(void) memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN);
661	} else {
662		wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
663		    wpa_s->pairwise_cipher);
664		return (-1);
665	}
666	pos += RSN_SELECTOR_LEN;
667
668	*pos++ = 1;
669	*pos++ = 0;
670	if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
671		(void) memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X,
672		    RSN_SELECTOR_LEN);
673	} else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) {
674		(void) memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X,
675		    RSN_SELECTOR_LEN);
676	} else {
677		wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
678		    wpa_s->key_mgmt);
679		return (-1);
680	}
681	pos += RSN_SELECTOR_LEN;
682
683	/* RSN Capabilities */
684	*pos++ = 0;
685	*pos++ = 0;
686
687	if (wpa_s->cur_pmksa) {
688		/* PMKID Count (2 octets, little endian) */
689		*pos++ = 1;
690		*pos++ = 0;
691		/* PMKID */
692		(void) memcpy(pos, wpa_s->cur_pmksa->pmkid, PMKID_LEN);
693		pos += PMKID_LEN;
694	}
695
696	hdr->len = (pos - rsn_ie) - 2;
697
698	return (pos - rsn_ie);
699}
700
701int
702wpa_gen_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie)
703{
704	if (wpa_s->proto == WPA_PROTO_RSN)
705		return (wpa_gen_wpa_ie_rsn(wpa_s, wpa_ie));
706	else
707		return (wpa_gen_wpa_ie_wpa(wpa_s, wpa_ie));
708}
709
710static void
711wpa_pmk_to_ptk(uint8_t *pmk, uint8_t *addr1, uint8_t *addr2,
712    uint8_t *nonce1, uint8_t *nonce2, uint8_t *ptk, size_t ptk_len)
713{
714	uint8_t data[2 * IEEE80211_ADDR_LEN + 2 * WPA_PMK_LEN];
715
716	/*
717	 * PTK = PRF-X(PMK, "Pairwise key expansion",
718	 * 	Min(AA, SA) || Max(AA, SA) ||
719	 * 	Min(ANonce, SNonce) || Max(ANonce, SNonce))
720	 */
721
722	if (memcmp(addr1, addr2, IEEE80211_ADDR_LEN) < 0) {
723		(void) memcpy(data, addr1, IEEE80211_ADDR_LEN);
724		(void) memcpy(data + IEEE80211_ADDR_LEN, addr2,
725		    IEEE80211_ADDR_LEN);
726	} else {
727		(void) memcpy(data, addr2, IEEE80211_ADDR_LEN);
728		(void) memcpy(data + IEEE80211_ADDR_LEN, addr1,
729		    IEEE80211_ADDR_LEN);
730	}
731
732	if (memcmp(nonce1, nonce2, WPA_PMK_LEN) < 0) {
733		(void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce1,
734		    WPA_PMK_LEN);
735		(void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN,
736		    nonce2, WPA_PMK_LEN);
737	} else {
738		(void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce2,
739		    WPA_PMK_LEN);
740		(void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN,
741		    nonce1, WPA_PMK_LEN);
742	}
743
744	sha1_prf(pmk, WPA_PMK_LEN, "Pairwise key expansion", data,
745	    sizeof (data), ptk, ptk_len);
746
747	wpa_hexdump(MSG_DEBUG, "WPA: PMK", pmk, WPA_PMK_LEN);
748	wpa_hexdump(MSG_DEBUG, "WPA: PTK", ptk, ptk_len);
749}
750
751struct wpa_ssid *
752wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s)
753{
754	struct wpa_ssid *entry;
755	uint8_t ssid[MAX_ESSID_LENGTH];
756	int ssid_len;
757	uint8_t bssid[IEEE80211_ADDR_LEN];
758
759	(void) memset(ssid, 0, MAX_ESSID_LENGTH);
760	ssid_len = wpa_s->driver->get_ssid(wpa_s->handle, wpa_s->linkid,
761	    (char *)ssid);
762	if (ssid_len < 0) {
763		wpa_printf(MSG_WARNING, "Could not read SSID from driver.");
764		return (NULL);
765	}
766
767	if (wpa_s->driver->get_bssid(wpa_s->handle, wpa_s->linkid,
768	    (char *)bssid) < 0) {
769		wpa_printf(MSG_WARNING, "Could not read BSSID from driver.");
770		return (NULL);
771	}
772
773	entry = wpa_s->conf->ssid;
774	wpa_printf(MSG_DEBUG, "entry len=%d ssid=%s,"
775	    " driver len=%d ssid=%s",
776	    entry->ssid_len, entry->ssid, ssid_len, ssid);
777
778	if (ssid_len == entry->ssid_len &&
779	    memcmp(ssid, entry->ssid, ssid_len) == 0 &&
780	    (!entry->bssid_set ||
781	    memcmp(bssid, entry->bssid, IEEE80211_ADDR_LEN) == 0))
782		return (entry);
783
784	return (NULL);
785}
786
787static void
788wpa_eapol_key_mic(uint8_t *key, int ver, uint8_t *buf, size_t len, uint8_t *mic)
789{
790	if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
791		hmac_md5(key, 16, buf, len, mic);
792	} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
793		uint8_t hash[SHA1_MAC_LEN];
794		hmac_sha1(key, 16, buf, len, hash);
795		(void) memcpy(mic, hash, MD5_MAC_LEN);
796	}
797}
798
799void
800wpa_supplicant_key_request(struct wpa_supplicant *wpa_s,
801	int error, int pairwise)
802{
803	int rlen;
804	struct ieee802_1x_hdr *hdr;
805	struct wpa_eapol_key *reply;
806	unsigned char *rbuf;
807	struct l2_ethhdr *ethhdr;
808	int key_info, ver;
809	uint8_t bssid[IEEE80211_ADDR_LEN];
810
811	if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP)
812		ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
813	else
814		ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
815
816	if (wpa_s->driver->get_bssid(wpa_s->handle, wpa_s->linkid,
817	    (char *)bssid) < 0) {
818		wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
819		    "request");
820		return;
821	}
822
823	rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply);
824	rbuf = malloc(rlen);
825	if (rbuf == NULL)
826		return;
827
828	(void) memset(rbuf, 0, rlen);
829	ethhdr = (struct l2_ethhdr *)rbuf;
830	(void) memcpy(ethhdr->h_dest, bssid, IEEE80211_ADDR_LEN);
831	(void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN);
832	ethhdr->h_proto = htons(ETHERTYPE_EAPOL);
833
834	hdr = (struct ieee802_1x_hdr *)(ethhdr + 1);
835	hdr->version = wpa_s->conf->eapol_version;
836	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
837	hdr->length = htons(sizeof (*reply));
838
839	reply = (struct wpa_eapol_key *)(hdr + 1);
840	reply->type = wpa_s->proto == WPA_PROTO_RSN ?
841	    EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
842	key_info = WPA_KEY_INFO_REQUEST | ver;
843	if (wpa_s->ptk_set)
844		key_info |= WPA_KEY_INFO_MIC;
845	if (error)
846		key_info |= WPA_KEY_INFO_ERROR;
847	if (pairwise)
848		key_info |= WPA_KEY_INFO_KEY_TYPE;
849	reply->key_info = BE_16(key_info);
850	reply->key_length = 0;
851	(void) memcpy(reply->replay_counter, wpa_s->request_counter,
852	    WPA_REPLAY_COUNTER_LEN);
853	inc_byte_array(wpa_s->request_counter, WPA_REPLAY_COUNTER_LEN);
854
855	reply->key_data_length = BE_16(0);
856
857	if (key_info & WPA_KEY_INFO_MIC) {
858		wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr,
859		    rlen - sizeof (*ethhdr), reply->key_mic);
860	}
861
862	wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d "
863	    "pairwise=%d ptk_set=%d len=%d)",
864	    error, pairwise, wpa_s->ptk_set, rlen);
865	wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key Request", rbuf, rlen);
866	(void) l2_packet_send(wpa_s->l2, rbuf, rlen);
867	free(rbuf);
868}
869
870static void
871wpa_supplicant_process_1_of_4(struct wpa_supplicant *wpa_s,
872    unsigned char *src_addr, struct wpa_eapol_key *key, int ver)
873{
874	int rlen;
875	struct ieee802_1x_hdr *hdr;
876	struct wpa_eapol_key *reply;
877	unsigned char *rbuf;
878	struct l2_ethhdr *ethhdr;
879	struct wpa_ssid *ssid;
880	struct wpa_ptk *ptk;
881	uint8_t buf[8], wpa_ie_buf[80], *wpa_ie, *pmkid = NULL;
882	int wpa_ie_len;
883
884	wpa_s->wpa_state = WPA_4WAY_HANDSHAKE;
885	wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from "
886	    MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
887
888	ssid = wpa_supplicant_get_ssid(wpa_s);
889	if (ssid == NULL) {
890		wpa_printf(MSG_WARNING,
891		    "WPA: No SSID info found (msg 1 of 4).");
892		return;
893	}
894
895	if (wpa_s->proto == WPA_PROTO_RSN) {
896		/* RSN: msg 1/4 should contain PMKID for the selected PMK */
897		uint8_t *pos = (uint8_t *)(key + 1);
898		uint8_t *end = pos + BE_16(key->key_data_length);
899
900		wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
901		    pos, BE_16(key->key_data_length));
902
903		while (pos + 1 < end) {
904			if (pos + 2 + pos[1] > end) {
905				wpa_printf(MSG_DEBUG, "RSN: key data "
906				    "underflow (ie=%d len=%d)",
907				    pos[0], pos[1]);
908				break;
909			}
910			if (pos[0] == GENERIC_INFO_ELEM &&
911			    pos + 1 + RSN_SELECTOR_LEN < end &&
912			    pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
913			    memcmp(pos + 2, RSN_KEY_DATA_PMKID,
914			    RSN_SELECTOR_LEN) == 0) {
915				pmkid = pos + 2 + RSN_SELECTOR_LEN;
916				wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
917				    "Authenticator", pmkid, PMKID_LEN);
918				break;
919			} else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0)
920				break;
921			pos += 2 + pos[1];
922		}
923	}
924
925	wpa_ie = wpa_ie_buf;
926	wpa_ie_len = wpa_gen_wpa_ie(wpa_s, wpa_ie);
927	if (wpa_ie_len < 0) {
928		wpa_printf(MSG_WARNING, "WPA: Failed to generate "
929		    "WPA IE (for msg 2 of 4).");
930		return;
931	}
932	wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
933
934	rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply) + wpa_ie_len;
935	rbuf = malloc(rlen);
936	if (rbuf == NULL)
937		return;
938
939	(void) memset(rbuf, 0, rlen);
940	ethhdr = (struct l2_ethhdr *)rbuf;
941	(void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN);
942	(void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN);
943	ethhdr->h_proto = htons(ETHERTYPE_EAPOL);
944
945	hdr = (struct ieee802_1x_hdr *)(ethhdr + 1);
946	hdr->version = wpa_s->conf->eapol_version;
947	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
948	hdr->length = htons(sizeof (*reply) + wpa_ie_len);
949
950	reply = (struct wpa_eapol_key *)(hdr + 1);
951	reply->type = wpa_s->proto == WPA_PROTO_RSN ?
952	    EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
953	reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC);
954	reply->key_length = key->key_length;
955	(void) memcpy(reply->replay_counter, key->replay_counter,
956	    WPA_REPLAY_COUNTER_LEN);
957
958	reply->key_data_length = BE_16(wpa_ie_len);
959	(void) memcpy(reply + 1, wpa_ie, wpa_ie_len);
960
961	if (wpa_s->renew_snonce) {
962		if (random_get_pseudo_bytes(wpa_s->snonce, WPA_NONCE_LEN)) {
963			wpa_printf(MSG_WARNING, "WPA: Failed to get "
964			    "random data for SNonce");
965			free(rbuf);
966			return;
967		}
968
969		wpa_s->renew_snonce = 0;
970		wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
971		    wpa_s->snonce, WPA_NONCE_LEN);
972	}
973	(void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN);
974	ptk = &wpa_s->tptk;
975	(void) memcpy(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN);
976
977	wpa_pmk_to_ptk(wpa_s->pmk, wpa_s->own_addr, src_addr,
978	    wpa_s->snonce, key->key_nonce, (uint8_t *)ptk, sizeof (*ptk));
979
980	/*
981	 * Supplicant: swap tx/rx Mic keys
982	 */
983	(void) memcpy(buf, ptk->u.auth.tx_mic_key, 8);
984	(void) memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8);
985	(void) memcpy(ptk->u.auth.rx_mic_key, buf, 8);
986	wpa_s->tptk_set = 1;
987	wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, (uint8_t *)hdr,
988	    rlen - sizeof (*ethhdr), reply->key_mic);
989	wpa_hexdump(MSG_DEBUG, "WPA: EAPOL-Key MIC", reply->key_mic, 16);
990
991	wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
992	wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/4", rbuf, rlen);
993	(void) l2_packet_send(wpa_s->l2, rbuf, rlen);
994
995	free(rbuf);
996}
997
998static void
999wpa_supplicant_process_3_of_4_gtk(struct wpa_supplicant *wpa_s,
1000    unsigned char *src_addr, struct wpa_eapol_key *key,
1001    uint8_t *gtk, int gtk_len)
1002{
1003	int keyidx, tx, key_rsc_len = 0, alg;
1004
1005	wpa_hexdump(MSG_DEBUG,
1006	    "WPA: received GTK in pairwise handshake", gtk, gtk_len);
1007
1008	keyidx = gtk[0] & 0x3;
1009	tx = !!(gtk[0] & BIT(2));
1010	if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) {
1011		/*
1012		 * Ignore Tx bit in GTK IE if a pairwise key is used.
1013		 * One AP seemed to set this bit (incorrectly, since Tx
1014		 * is only when doing Group Key only APs) and without
1015		 * this workaround, the data connection does not work
1016		 * because wpa_supplicant configured non-zero keyidx to
1017		 * be used for unicast.
1018		 */
1019		wpa_printf(MSG_INFO, "RSN: Tx bit set for GTK IE, but "
1020		    "pairwise keys are used - ignore Tx bit");
1021		tx = 0;
1022	}
1023
1024	gtk += 2;
1025	gtk_len -= 2;
1026	wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, gtk_len);
1027
1028	switch (wpa_s->group_cipher) {
1029	case WPA_CIPHER_CCMP:
1030		if (gtk_len != 16) {
1031			wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP"
1032			    " Group Cipher key length %d.", gtk_len);
1033			return;
1034		}
1035		key_rsc_len = 6;
1036		alg = WPA_ALG_CCMP;
1037		break;
1038	case WPA_CIPHER_TKIP:
1039		if (gtk_len != 32) {
1040			wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP"
1041			    " Group Cipher key length %d.", gtk_len);
1042			return;
1043		}
1044		key_rsc_len = 6;
1045		alg = WPA_ALG_TKIP;
1046		break;
1047	case WPA_CIPHER_WEP104:
1048		if (gtk_len != 13) {
1049			wpa_printf(MSG_WARNING, "WPA: Unsupported "
1050			    "WEP104 Group Cipher key length " "%d.", gtk_len);
1051			return;
1052		}
1053		alg = WPA_ALG_WEP;
1054		break;
1055	case WPA_CIPHER_WEP40:
1056		if (gtk_len != 5) {
1057			wpa_printf(MSG_WARNING, "WPA: Unsupported "
1058			    "WEP40 Group Cipher key length %d.", gtk_len);
1059			return;
1060		}
1061		alg = WPA_ALG_WEP;
1062		break;
1063	default:
1064		wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher "
1065		    "%d", wpa_s->group_cipher);
1066		return;
1067	}
1068
1069	wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver "
1070	    "(keyidx=%d tx=%d).", keyidx, tx);
1071	wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len);
1072	if (wpa_s->group_cipher == WPA_CIPHER_TKIP) {
1073		uint8_t tmpbuf[8];
1074		/*
1075		 * Swap Tx/Rx keys for Michael MIC
1076		 */
1077		(void) memcpy(tmpbuf, gtk + 16, 8);
1078		(void) memcpy(gtk + 16, gtk + 24, 8);
1079		(void) memcpy(gtk + 24, tmpbuf, 8);
1080	}
1081	if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) {
1082		if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg,
1083		    (uint8_t *)"\xff\xff\xff\xff\xff\xff",
1084		    keyidx, 1, key->key_rsc,
1085		    key_rsc_len, gtk, gtk_len) < 0)
1086			wpa_printf(MSG_WARNING, "WPA: Failed to set "
1087			    "GTK to the driver (Group only).");
1088	} else if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg,
1089	    (uint8_t *)"\xff\xff\xff\xff\xff\xff", keyidx, tx,
1090	    key->key_rsc, key_rsc_len, gtk, gtk_len) < 0) {
1091		wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to "
1092		    "the driver.");
1093	}
1094
1095	wpa_printf(MSG_INFO, "WPA: Key negotiation completed with "
1096	    MACSTR, MAC2STR(src_addr));
1097	eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL);
1098	wpa_supplicant_cancel_auth_timeout(wpa_s);
1099	wpa_s->wpa_state = WPA_COMPLETED;
1100}
1101
1102static void
1103wpa_supplicant_process_3_of_4(struct wpa_supplicant *wpa_s,
1104    unsigned char *src_addr, struct wpa_eapol_key *key,
1105    int extra_len, int ver)
1106{
1107	int rlen;
1108	struct ieee802_1x_hdr *hdr;
1109	struct wpa_eapol_key *reply;
1110	unsigned char *rbuf;
1111	struct l2_ethhdr *ethhdr;
1112	int key_info, ie_len = 0, keylen, gtk_len = 0;
1113	uint8_t *ie = NULL, *gtk = NULL, *key_rsc;
1114	uint8_t null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
1115
1116	wpa_s->wpa_state = WPA_4WAY_HANDSHAKE;
1117	wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from "
1118	    MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1119
1120	key_info = BE_16(key->key_info);
1121
1122	if (wpa_s->proto == WPA_PROTO_RSN) {
1123		uint8_t *pos = (uint8_t *)(key + 1);
1124		uint8_t *end = pos + BE_16(key->key_data_length);
1125		while (pos + 1 < end) {
1126			if (pos + 2 + pos[1] > end) {
1127				wpa_printf(MSG_DEBUG, "RSN: key data "
1128				    "underflow (ie=%d len=%d)",
1129				    pos[0], pos[1]);
1130				break;
1131			}
1132			if (*pos == RSN_INFO_ELEM) {
1133				ie = pos;
1134				ie_len = pos[1] + 2;
1135			} else if (pos[0] == GENERIC_INFO_ELEM &&
1136			    pos + 1 + RSN_SELECTOR_LEN < end &&
1137			    pos[1] > RSN_SELECTOR_LEN + 2 &&
1138			    memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY,
1139			    RSN_SELECTOR_LEN) == 0) {
1140				if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1141					wpa_printf(MSG_WARNING, "WPA: GTK IE "
1142					    "in unencrypted key data");
1143					return;
1144				}
1145				gtk = pos + 2 + RSN_SELECTOR_LEN;
1146				gtk_len = pos[1] - RSN_SELECTOR_LEN;
1147			} else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0)
1148				break;
1149
1150			pos += 2 + pos[1];
1151		}
1152	} else {
1153		ie = (uint8_t *)(key + 1);
1154		ie_len = BE_16(key->key_data_length);
1155		if (ie_len > extra_len) {
1156			wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:"
1157			    " ie_len=%d > extra_len=%d",
1158			    ie_len, extra_len);
1159			return;
1160		}
1161	}
1162
1163	if (wpa_s->ap_wpa_ie &&
1164	    (wpa_s->ap_wpa_ie_len != ie_len ||
1165	    memcmp(wpa_s->ap_wpa_ie, ie, ie_len) != 0)) {
1166		wpa_printf(MSG_WARNING, "WPA: WPA IE in 3/4 msg does not match"
1167		    " with WPA IE in Beacon/ProbeResp (src=" MACSTR ")",
1168		    MAC2STR(src_addr));
1169		wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1170		    wpa_s->ap_wpa_ie, wpa_s->ap_wpa_ie_len);
1171		wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", ie, ie_len);
1172		wpa_supplicant_disassociate(wpa_s, REASON_IE_IN_4WAY_DIFFERS);
1173		wpa_supplicant_req_scan(wpa_s, 0, 0);
1174		return;
1175	}
1176
1177	if (memcmp(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1178		wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way "
1179		    "Handshake differs from 3 of 4-Way Handshake - drop"
1180		    " packet (src=" MACSTR ")", MAC2STR(src_addr));
1181		return;
1182	}
1183
1184	keylen = BE_16(key->key_length);
1185	switch (wpa_s->pairwise_cipher) {
1186	case WPA_CIPHER_CCMP:
1187		if (keylen != 16) {
1188			wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length "
1189			    "%d (src=" MACSTR ")",
1190			    keylen, MAC2STR(src_addr));
1191			return;
1192		}
1193		break;
1194	case WPA_CIPHER_TKIP:
1195		if (keylen != 32) {
1196			wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length "
1197			    "%d (src=" MACSTR ")",
1198			    keylen, MAC2STR(src_addr));
1199			return;
1200		}
1201		break;
1202	}
1203
1204	rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply);
1205	rbuf = malloc(rlen);
1206	if (rbuf == NULL)
1207		return;
1208
1209	(void) memset(rbuf, 0, rlen);
1210	ethhdr = (struct l2_ethhdr *)rbuf;
1211	(void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN);
1212	(void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN);
1213	ethhdr->h_proto = htons(ETHERTYPE_EAPOL);
1214
1215	hdr = (struct ieee802_1x_hdr *)(ethhdr + 1);
1216	hdr->version = wpa_s->conf->eapol_version;
1217	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1218	hdr->length = htons(sizeof (*reply));
1219
1220	reply = (struct wpa_eapol_key *)(hdr + 1);
1221	reply->type = wpa_s->proto == WPA_PROTO_RSN ?
1222	    EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1223	reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE |
1224	    WPA_KEY_INFO_MIC | (key_info & WPA_KEY_INFO_SECURE));
1225	reply->key_length = key->key_length;
1226	(void) memcpy(reply->replay_counter, key->replay_counter,
1227	    WPA_REPLAY_COUNTER_LEN);
1228
1229	reply->key_data_length = BE_16(0);
1230
1231	(void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN);
1232	wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr,
1233	    rlen - sizeof (*ethhdr), reply->key_mic);
1234
1235	wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1236	wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 4/4", rbuf, rlen);
1237	(void) l2_packet_send(wpa_s->l2, rbuf, rlen);
1238
1239	free(rbuf);
1240
1241	/*
1242	 * SNonce was successfully used in msg 3/4, so mark it to be renewed
1243	 * for the next 4-Way Handshake. If msg 3 is received again, the old
1244	 * SNonce will still be used to avoid changing PTK.
1245	 */
1246	wpa_s->renew_snonce = 1;
1247
1248	if (key_info & WPA_KEY_INFO_INSTALL) {
1249		int alg, keylen, rsclen;
1250		wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver.");
1251		switch (wpa_s->pairwise_cipher) {
1252		case WPA_CIPHER_CCMP:
1253			alg = WPA_ALG_CCMP;
1254			keylen = 16;
1255			rsclen = 6;
1256			break;
1257		case WPA_CIPHER_TKIP:
1258			alg = WPA_ALG_TKIP;
1259			keylen = 32;
1260			rsclen = 6;
1261			break;
1262		case WPA_CIPHER_NONE:
1263			wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: "
1264			    "NONE - do not use pairwise keys");
1265			return;
1266		default:
1267			wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise "
1268			    "cipher %d", wpa_s->pairwise_cipher);
1269			return;
1270		}
1271		if (wpa_s->proto == WPA_PROTO_RSN) {
1272			key_rsc = null_rsc;
1273		} else {
1274			key_rsc = key->key_rsc;
1275			wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1276		}
1277
1278		if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg,
1279		    src_addr, 0, 1, key_rsc, rsclen,
1280		    (uint8_t *)&wpa_s->ptk.tk1, keylen) < 0) {
1281			wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the"
1282			    " driver.");
1283		}
1284	}
1285
1286	wpa_printf(MSG_DEBUG, "%s: key_info=%x gtk=%p\n",
1287	    "wpa_supplicant_process_3_of_4", key_info, gtk);
1288	wpa_s->wpa_state = WPA_GROUP_HANDSHAKE;
1289
1290	if (gtk)
1291		wpa_supplicant_process_3_of_4_gtk(wpa_s,
1292		    src_addr, key, gtk, gtk_len);
1293}
1294
1295static void
1296wpa_supplicant_process_1_of_2(struct wpa_supplicant *wpa_s,
1297    unsigned char *src_addr, struct wpa_eapol_key *key,
1298    int extra_len, int ver)
1299{
1300	int rlen;
1301	struct ieee802_1x_hdr *hdr;
1302	struct wpa_eapol_key *reply;
1303	unsigned char *rbuf;
1304	struct l2_ethhdr *ethhdr;
1305	int key_info, keylen, keydatalen, maxkeylen, keyidx, key_rsc_len = 0;
1306	int alg, tx;
1307	uint8_t ek[32], tmpbuf[8], gtk[32];
1308	uint8_t *gtk_ie = NULL;
1309	size_t gtk_ie_len = 0;
1310
1311	wpa_s->wpa_state = WPA_GROUP_HANDSHAKE;
1312	wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from "
1313	    MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1314
1315	key_info = BE_16(key->key_info);
1316	keydatalen = BE_16(key->key_data_length);
1317
1318	if (wpa_s->proto == WPA_PROTO_RSN) {
1319		uint8_t *pos = (uint8_t *)(key + 1);
1320		uint8_t *end = pos + keydatalen;
1321		while (pos + 1 < end) {
1322			if (pos + 2 + pos[1] > end) {
1323				wpa_printf(MSG_DEBUG, "RSN: key data "
1324				    "underflow (ie=%d len=%d)",
1325				    pos[0], pos[1]);
1326				break;
1327			}
1328			if (pos[0] == GENERIC_INFO_ELEM &&
1329			    pos + 1 + RSN_SELECTOR_LEN < end &&
1330			    pos[1] > RSN_SELECTOR_LEN + 2 &&
1331			    memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY,
1332			    RSN_SELECTOR_LEN) == 0) {
1333				if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1334					wpa_printf(MSG_WARNING, "WPA: GTK IE "
1335					    "in unencrypted key data");
1336					return;
1337				}
1338				gtk_ie = pos + 2 + RSN_SELECTOR_LEN;
1339				gtk_ie_len = pos[1] - RSN_SELECTOR_LEN;
1340				break;
1341			} else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) {
1342				break;
1343			}
1344
1345			pos += 2 + pos[1];
1346		}
1347
1348		if (gtk_ie == NULL) {
1349			wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key "
1350			    "message 1/2");
1351			return;
1352		}
1353		maxkeylen = keylen = gtk_ie_len - 2;
1354	} else {
1355		keylen = BE_16(key->key_length);
1356		maxkeylen = keydatalen;
1357		if (keydatalen > extra_len) {
1358			wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:"
1359			    " key_data_length=%d > extra_len=%d",
1360			    keydatalen, extra_len);
1361			return;
1362		}
1363		if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES)
1364			maxkeylen -= 8;
1365	}
1366
1367	switch (wpa_s->group_cipher) {
1368	case WPA_CIPHER_CCMP:
1369		if (keylen != 16 || maxkeylen < 16) {
1370			wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP Group "
1371			    "Cipher key length %d (%d).", keylen, maxkeylen);
1372			return;
1373		}
1374		key_rsc_len = 6;
1375		alg = WPA_ALG_CCMP;
1376		break;
1377	case WPA_CIPHER_TKIP:
1378		if (keylen != 32 || maxkeylen < 32) {
1379			wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP Group "
1380			    "Cipher key length %d (%d).", keylen, maxkeylen);
1381			return;
1382		}
1383		key_rsc_len = 6; /* key->key_data; */
1384		alg = WPA_ALG_TKIP;
1385		break;
1386	case WPA_CIPHER_WEP104:
1387		if (keylen != 13 || maxkeylen < 13) {
1388			wpa_printf(MSG_WARNING, "WPA: Unsupported WEP104 Group"
1389			    " Cipher key length %d (%d).", keylen, maxkeylen);
1390			return;
1391		}
1392		alg = WPA_ALG_WEP;
1393		break;
1394	case WPA_CIPHER_WEP40:
1395		if (keylen != 5 || maxkeylen < 5) {
1396			wpa_printf(MSG_WARNING, "WPA: Unsupported WEP40 Group "
1397			    "Cipher key length %d (%d).", keylen, maxkeylen);
1398			return;
1399		}
1400		alg = WPA_ALG_WEP;
1401		break;
1402	default:
1403		wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher %d",
1404		    wpa_s->group_cipher);
1405		return;
1406	}
1407
1408	if (wpa_s->proto == WPA_PROTO_RSN) {
1409		wpa_hexdump(MSG_DEBUG,
1410		    "WPA: received GTK in group key handshake",
1411		    gtk_ie, gtk_ie_len);
1412		keyidx = gtk_ie[0] & 0x3;
1413		tx = !!(gtk_ie[0] & BIT(2));
1414		if (gtk_ie_len - 2 > sizeof (gtk)) {
1415			wpa_printf(MSG_INFO, "WPA: Too long GTK in GTK IE "
1416			    "(len=%d)", gtk_ie_len - 2);
1417			return;
1418		}
1419		(void) memcpy(gtk, gtk_ie + 2, gtk_ie_len - 2);
1420	} else {
1421		keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1422		    WPA_KEY_INFO_KEY_INDEX_SHIFT;
1423		if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
1424			(void) memcpy(ek, key->key_iv, 16);
1425			(void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16);
1426			rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen);
1427			(void) memcpy(gtk, key + 1, keylen);
1428		} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1429			if (keydatalen % 8) {
1430				wpa_printf(MSG_WARNING, "WPA: Unsupported "
1431				    "AES-WRAP len %d", keydatalen);
1432				return;
1433			}
1434			if (aes_unwrap(wpa_s->ptk.encr_key, maxkeylen / 8,
1435			    (uint8_t *)(key + 1), gtk)) {
1436				wpa_printf(MSG_WARNING, "WPA: AES unwrap "
1437				    "failed - could not decrypt GTK");
1438				return;
1439			}
1440		}
1441		tx = !!(key_info & WPA_KEY_INFO_TXRX);
1442		if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) {
1443			/*
1444			 * Ignore Tx bit in Group Key message if a pairwise key
1445			 * is used. Some APs seem to setting this bit
1446			 * (incorrectly, since Tx is only when doing Group Key
1447			 * only APs) and without this workaround, the data
1448			 * connection does not work because wpa_supplicant
1449			 * configured non-zero keyidx to be used for unicast.
1450			 */
1451			wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but "
1452			    "pairwise keys are used - ignore Tx bit");
1453			tx = 0;
1454		}
1455	}
1456	wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, keylen);
1457	wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver (keyidx=%d "
1458	    "tx=%d).", keyidx, tx);
1459	wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len);
1460	if (wpa_s->group_cipher == WPA_CIPHER_TKIP) {
1461		/*
1462		 * Swap Tx/Rx keys for Michael MIC
1463		 */
1464		(void) memcpy(tmpbuf, gtk + 16, 8);
1465		(void) memcpy(gtk + 16, gtk + 24, 8);
1466		(void) memcpy(gtk + 24, tmpbuf, 8);
1467	}
1468	if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) {
1469		if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg,
1470		    (uint8_t *)"\xff\xff\xff\xff\xff\xff",
1471		    keyidx, 1, key->key_rsc,
1472		    key_rsc_len, gtk, keylen) < 0)
1473			wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the"
1474			    " driver (Group only).");
1475	} else if (wpa_s->driver->set_key(wpa_s->handle, wpa_s->linkid, alg,
1476	    (uint8_t *)"\xff\xff\xff\xff\xff\xff",
1477	    keyidx, tx,
1478	    key->key_rsc, key_rsc_len,
1479	    gtk, keylen) < 0) {
1480		wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the "
1481		    "driver.");
1482	}
1483
1484	rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply);
1485	rbuf = malloc(rlen);
1486	if (rbuf == NULL)
1487		return;
1488
1489	(void) memset(rbuf, 0, rlen);
1490	ethhdr = (struct l2_ethhdr *)rbuf;
1491	(void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN);
1492	(void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN);
1493	ethhdr->h_proto = htons(ETHERTYPE_EAPOL);
1494
1495	hdr = (struct ieee802_1x_hdr *)(ethhdr + 1);
1496	hdr->version = wpa_s->conf->eapol_version;
1497	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1498	hdr->length = htons(sizeof (*reply));
1499
1500	reply = (struct wpa_eapol_key *)(hdr + 1);
1501	reply->type = wpa_s->proto == WPA_PROTO_RSN ?
1502	    EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1503	reply->key_info =
1504	    BE_16(ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE |
1505	    (key_info & WPA_KEY_INFO_KEY_INDEX_MASK));
1506	reply->key_length = key->key_length;
1507	(void) memcpy(reply->replay_counter, key->replay_counter,
1508	    WPA_REPLAY_COUNTER_LEN);
1509
1510	reply->key_data_length = BE_16(0);
1511
1512	wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr,
1513	    rlen - sizeof (*ethhdr), reply->key_mic);
1514
1515	wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1516	wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/2", rbuf, rlen);
1517	(void) l2_packet_send(wpa_s->l2, rbuf, rlen);
1518	free(rbuf);
1519
1520	wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " MACSTR,
1521	    MAC2STR(src_addr));
1522	eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL);
1523	wpa_supplicant_cancel_auth_timeout(wpa_s);
1524	wpa_s->wpa_state = WPA_COMPLETED;
1525	wpa_printf(MSG_INFO, "-----------------------------------\n");
1526}
1527
1528static int
1529wpa_supplicant_verify_eapol_key_mic(struct wpa_supplicant *wpa_s,
1530    struct wpa_eapol_key *key, int ver, uint8_t *buf, size_t len)
1531{
1532	uint8_t mic[16];
1533	int ok = 0;
1534
1535	(void) memcpy(mic, key->key_mic, 16);
1536	if (wpa_s->tptk_set) {
1537		(void) memset(key->key_mic, 0, 16);
1538		wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, buf, len,
1539		    key->key_mic);
1540		if (memcmp(mic, key->key_mic, 16) != 0) {
1541			wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
1542			    "when using TPTK - ignoring TPTK");
1543		} else {
1544			ok = 1;
1545			wpa_s->tptk_set = 0;
1546			wpa_s->ptk_set = 1;
1547			(void) memcpy(&wpa_s->ptk, &wpa_s->tptk,
1548			    sizeof (wpa_s->ptk));
1549		}
1550	}
1551
1552	if (!ok && wpa_s->ptk_set) {
1553		(void) memset(key->key_mic, 0, 16);
1554		wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, buf, len,
1555		    key->key_mic);
1556		if (memcmp(mic, key->key_mic, 16) != 0) {
1557			wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
1558			    "- dropping packet");
1559			return (-1);
1560		}
1561		ok = 1;
1562	}
1563
1564	if (!ok) {
1565		wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC "
1566		    "- dropping packet");
1567		return (-1);
1568	}
1569
1570	(void) memcpy(wpa_s->rx_replay_counter, key->replay_counter,
1571	    WPA_REPLAY_COUNTER_LEN);
1572	wpa_s->rx_replay_counter_set = 1;
1573
1574	return (0);
1575}
1576
1577/* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1578static int
1579wpa_supplicant_decrypt_key_data(struct wpa_supplicant *wpa_s,
1580	struct wpa_eapol_key *key, int ver)
1581{
1582	int keydatalen = BE_16(key->key_data_length);
1583
1584	wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
1585	    (uint8_t *)(key + 1), keydatalen);
1586	if (!wpa_s->ptk_set) {
1587		wpa_printf(MSG_WARNING, "WPA: PTK not available, "
1588		    "cannot decrypt EAPOL-Key key data.");
1589		return (-1);
1590	}
1591
1592	/*
1593	 * Decrypt key data here so that this operation does not need
1594	 * to be implemented separately for each message type.
1595	 */
1596	if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
1597		uint8_t ek[32];
1598		(void) memcpy(ek, key->key_iv, 16);
1599		(void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16);
1600		rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen);
1601	} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1602		uint8_t *buf;
1603		if (keydatalen % 8) {
1604			wpa_printf(MSG_WARNING, "WPA: Unsupported "
1605			    "AES-WRAP len %d", keydatalen);
1606			return (-1);
1607		}
1608		keydatalen -= 8; /* AES-WRAP adds 8 bytes */
1609		buf = malloc(keydatalen);
1610		if (buf == NULL) {
1611			wpa_printf(MSG_WARNING, "WPA: No memory for "
1612			    "AES-UNWRAP buffer");
1613			return (-1);
1614		}
1615		if (aes_unwrap(wpa_s->ptk.encr_key, keydatalen / 8,
1616		    (uint8_t *)(key + 1), buf)) {
1617			free(buf);
1618			wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - "
1619			    "could not decrypt EAPOL-Key key data");
1620			return (-1);
1621		}
1622		(void) memcpy(key + 1, buf, keydatalen);
1623		free(buf);
1624		key->key_data_length = BE_16(keydatalen);
1625	}
1626	wpa_hexdump(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
1627	    (uint8_t *)(key + 1), keydatalen);
1628
1629	return (0);
1630}
1631
1632static void
1633wpa_sm_rx_eapol(struct wpa_supplicant *wpa_s,
1634    unsigned char *src_addr, unsigned char *buf, size_t len)
1635{
1636	size_t plen, data_len, extra_len;
1637	struct ieee802_1x_hdr *hdr;
1638	struct wpa_eapol_key *key;
1639	int key_info, ver;
1640
1641	wpa_printf(MSG_DEBUG, "WPA: EAPOL frame len %u\n ", len);
1642
1643	hdr = (struct ieee802_1x_hdr *)buf;
1644	key = (struct wpa_eapol_key *)(hdr + 1);
1645	wpa_printf(MSG_DEBUG, "hdr_len=%u, key_len=%u",
1646	    sizeof (*hdr), sizeof (*key));
1647	if (len < sizeof (*hdr) + sizeof (*key)) {
1648		wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short, len %u, "
1649		    "expecting at least %u",
1650		    len, sizeof (*hdr) + sizeof (*key));
1651		return;
1652	}
1653	plen = ntohs(hdr->length);
1654	data_len = plen + sizeof (*hdr);
1655	wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%d",
1656	    hdr->version, hdr->type, plen);
1657
1658	if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
1659		wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, "
1660		    "not a Key frame", hdr->type);
1661		return;
1662	}
1663	if (plen > len - sizeof (*hdr) || plen < sizeof (*key)) {
1664		wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %u "
1665		    "invalid (frame size %u)", plen, len);
1666		return;
1667	}
1668
1669	wpa_printf(MSG_DEBUG, "  EAPOL-Key type=%d", key->type);
1670	if (key->type != EAPOL_KEY_TYPE_WPA && key->type !=
1671	    EAPOL_KEY_TYPE_RSN) {
1672		wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, "
1673		    "discarded", key->type);
1674		return;
1675	}
1676
1677	wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
1678	if (data_len < len) {
1679		wpa_printf(MSG_DEBUG, "WPA: ignoring %d bytes after the IEEE "
1680		    "802.1X data", len - data_len);
1681	}
1682	key_info = BE_16(key->key_info);
1683	ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1684	if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
1685	    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1686		wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor "
1687		    "version %d.", ver);
1688		return;
1689	}
1690
1691	if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP &&
1692	    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1693		wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key "
1694		    "descriptor version (%d) is not 2.", ver);
1695		if (wpa_s->group_cipher != WPA_CIPHER_CCMP &&
1696		    !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1697			/*
1698			 * Earlier versions of IEEE 802.11i did not explicitly
1699			 * require version 2 descriptor for all EAPOL-Key
1700			 * packets, so allow group keys to use version 1 if
1701			 * CCMP is not used for them.
1702			 */
1703			wpa_printf(MSG_INFO, "WPA: Backwards compatibility: "
1704			    "allow invalid version for non-CCMP group keys");
1705		} else
1706			return;
1707	}
1708
1709	if (wpa_s->rx_replay_counter_set &&
1710	    memcmp(key->replay_counter, wpa_s->rx_replay_counter,
1711	    WPA_REPLAY_COUNTER_LEN) <= 0) {
1712		wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not"
1713		    " increase - dropping packet");
1714		return;
1715	}
1716
1717	if (!(key_info & WPA_KEY_INFO_ACK)) {
1718		wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info");
1719		return;
1720	}
1721
1722	if (key_info & WPA_KEY_INFO_REQUEST) {
1723		wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - "
1724		    "dropped");
1725		return;
1726	}
1727
1728	if ((key_info & WPA_KEY_INFO_MIC) &&
1729	    wpa_supplicant_verify_eapol_key_mic(wpa_s, key, ver, buf,
1730	    data_len)) {
1731		return;
1732	}
1733
1734	extra_len = data_len - sizeof (*hdr) - sizeof (*key);
1735
1736	if (wpa_s->proto == WPA_PROTO_RSN &&
1737	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1738	    wpa_supplicant_decrypt_key_data(wpa_s, key, ver))
1739		return;
1740
1741	if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1742		if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
1743			wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key "
1744			    "(Pairwise) with non-zero key index");
1745			return;
1746		}
1747		if (key_info & WPA_KEY_INFO_MIC) {
1748			/* 3/4 4-Way Handshake */
1749			wpa_supplicant_process_3_of_4(wpa_s, src_addr, key,
1750			    extra_len, ver);
1751		} else {
1752			/* 1/4 4-Way Handshake */
1753			wpa_supplicant_process_1_of_4(wpa_s, src_addr, key,
1754			    ver);
1755		}
1756	} else {
1757		if (key_info & WPA_KEY_INFO_MIC) {
1758			/* 1/2 Group Key Handshake */
1759			wpa_supplicant_process_1_of_2(wpa_s, src_addr, key,
1760			    extra_len, ver);
1761		} else {
1762			wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) "
1763			    "without Mic bit - dropped");
1764		}
1765	}
1766}
1767
1768void
1769wpa_supplicant_rx_eapol(void *ctx, unsigned char *src_addr,
1770    unsigned char *buf, size_t len)
1771{
1772	struct wpa_supplicant *wpa_s = ctx;
1773
1774	wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr));
1775	wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len);
1776
1777	if (wpa_s->eapol_received == 0) {
1778		/* Timeout for completing IEEE 802.1X and WPA authentication */
1779		wpa_supplicant_req_auth_timeout(
1780		    wpa_s, wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ?
1781		    70 : 10, 0);
1782	}
1783	wpa_s->eapol_received++;
1784
1785	/*
1786	 * Source address of the incoming EAPOL frame could be compared to the
1787	 * current BSSID. However, it is possible that a centralized
1788	 * Authenticator could be using another MAC address than the BSSID of
1789	 * an AP, so just allow any address to be used for now. The replies are
1790	 * still sent to the current BSSID (if available), though.
1791	 */
1792	wpa_sm_rx_eapol(wpa_s, src_addr, buf, len);
1793}
1794