1*a399b765Szf /* 2*a399b765Szf * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3*a399b765Szf * Use is subject to license terms. 4*a399b765Szf */ 5*a399b765Szf 6*a399b765Szf /* 7*a399b765Szf * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 8*a399b765Szf * Sun elects to license this software under the BSD license. 9*a399b765Szf * See README for more details. 10*a399b765Szf */ 11*a399b765Szf 12*a399b765Szf #pragma ident "%Z%%M% %I% %E% SMI" 13*a399b765Szf 14*a399b765Szf #include <stdio.h> 15*a399b765Szf #include <stdlib.h> 16*a399b765Szf #include <string.h> 17*a399b765Szf #include <time.h> 18*a399b765Szf #include <netinet/in.h> 19*a399b765Szf #include <sys/ethernet.h> 20*a399b765Szf #include <fcntl.h> 21*a399b765Szf #include <unistd.h> 22*a399b765Szf 23*a399b765Szf #include "wpa_impl.h" 24*a399b765Szf #include "wpa_enc.h" 25*a399b765Szf #include "driver.h" 26*a399b765Szf #include "eloop.h" 27*a399b765Szf #include "l2_packet.h" 28*a399b765Szf 29*a399b765Szf static void pmksa_cache_set_expiration(struct wpa_supplicant *); 30*a399b765Szf 31*a399b765Szf /* 32*a399b765Szf * IEEE 802.11i/D3.0 33*a399b765Szf */ 34*a399b765Szf static const int WPA_SELECTOR_LEN = 4; 35*a399b765Szf static const uint8_t WPA_OUI_TYPE[] = { 0x00, 0x50, 0xf2, 1 }; 36*a399b765Szf static const uint16_t WPA_VERSION = 1; 37*a399b765Szf static const uint8_t 38*a399b765Szf WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 }; 39*a399b765Szf static const uint8_t 40*a399b765Szf WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 }; 41*a399b765Szf static const uint8_t WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 }; 42*a399b765Szf static const uint8_t WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 }; 43*a399b765Szf static const uint8_t WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 }; 44*a399b765Szf static const uint8_t WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 }; 45*a399b765Szf static const uint8_t WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 }; 46*a399b765Szf 47*a399b765Szf /* 48*a399b765Szf * WPA IE version 1 49*a399b765Szf * 00-50-f2:1 (OUI:OUI type) 50*a399b765Szf * 0x01 0x00 (version; little endian) 51*a399b765Szf * (all following fields are optional:) 52*a399b765Szf * Group Suite Selector (4 octets) (default: TKIP) 53*a399b765Szf * Pairwise Suite Count (2 octets, little endian) (default: 1) 54*a399b765Szf * Pairwise Suite List (4 * n octets) (default: TKIP) 55*a399b765Szf * Authenticated Key Management Suite Count (2 octets, little endian) 56*a399b765Szf * (default: 1) 57*a399b765Szf * Authenticated Key Management Suite List (4 * n octets) 58*a399b765Szf * (default: unspec 802.1x) 59*a399b765Szf * WPA Capabilities (2 octets, little endian) (default: 0) 60*a399b765Szf */ 61*a399b765Szf #pragma pack(1) 62*a399b765Szf struct wpa_ie_hdr { 63*a399b765Szf uint8_t elem_id; 64*a399b765Szf uint8_t len; 65*a399b765Szf uint8_t oui[3]; 66*a399b765Szf uint8_t oui_type; 67*a399b765Szf uint16_t version; 68*a399b765Szf }; 69*a399b765Szf #pragma pack() 70*a399b765Szf 71*a399b765Szf /* 72*a399b765Szf * IEEE 802.11i/D9.0 73*a399b765Szf */ 74*a399b765Szf static const int RSN_SELECTOR_LEN = 4; 75*a399b765Szf static const uint16_t RSN_VERSION = 1; 76*a399b765Szf static const uint8_t 77*a399b765Szf RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 }; 78*a399b765Szf static const uint8_t 79*a399b765Szf RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 }; 80*a399b765Szf static const uint8_t RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 }; 81*a399b765Szf static const uint8_t RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 }; 82*a399b765Szf static const uint8_t RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 }; 83*a399b765Szf static const uint8_t RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 }; 84*a399b765Szf static const uint8_t RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 }; 85*a399b765Szf 86*a399b765Szf /* 87*a399b765Szf * EAPOL-Key Key Data Encapsulation 88*a399b765Szf * GroupKey and STAKey require encryption, otherwise, encryption is optional. 89*a399b765Szf */ 90*a399b765Szf static const uint8_t RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 }; 91*a399b765Szf static const uint8_t RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 }; 92*a399b765Szf 93*a399b765Szf /* 94*a399b765Szf * 1/4: PMKID 95*a399b765Szf * 2/4: RSN IE 96*a399b765Szf * 3/4: one or two RSN IEs + GTK IE (encrypted) 97*a399b765Szf * 4/4: empty 98*a399b765Szf * 1/2: GTK IE (encrypted) 99*a399b765Szf * 2/2: empty 100*a399b765Szf */ 101*a399b765Szf 102*a399b765Szf /* 103*a399b765Szf * RSN IE version 1 104*a399b765Szf * 0x01 0x00 (version; little endian) 105*a399b765Szf * (all following fields are optional:) 106*a399b765Szf * Group Suite Selector (4 octets) (default: CCMP) 107*a399b765Szf * Pairwise Suite Count (2 octets, little endian) (default: 1) 108*a399b765Szf * Pairwise Suite List (4 * n octets) (default: CCMP) 109*a399b765Szf * Authenticated Key Management Suite Count (2 octets, little endian) 110*a399b765Szf * (default: 1) 111*a399b765Szf * Authenticated Key Management Suite List (4 * n octets) 112*a399b765Szf * (default: unspec 802.1x) 113*a399b765Szf * RSN Capabilities (2 octets, little endian) (default: 0) 114*a399b765Szf * PMKID Count (2 octets) (default: 0) 115*a399b765Szf * PMKID List (16 * n octets) 116*a399b765Szf */ 117*a399b765Szf #pragma pack(1) 118*a399b765Szf struct rsn_ie_hdr { 119*a399b765Szf uint8_t elem_id; /* WLAN_EID_RSN */ 120*a399b765Szf uint8_t len; 121*a399b765Szf uint16_t version; 122*a399b765Szf }; 123*a399b765Szf #pragma pack() 124*a399b765Szf 125*a399b765Szf static int 126*a399b765Szf random_get_pseudo_bytes(uint8_t *ptr, size_t len) 127*a399b765Szf { 128*a399b765Szf int fd; 129*a399b765Szf size_t resid = len; 130*a399b765Szf size_t bytes; 131*a399b765Szf 132*a399b765Szf fd = open("/dev/urandom", O_RDONLY); 133*a399b765Szf if (fd == -1) { 134*a399b765Szf wpa_printf(MSG_ERROR, "Could not open /dev/urandom.\n"); 135*a399b765Szf return (-1); 136*a399b765Szf } 137*a399b765Szf 138*a399b765Szf while (resid != 0) { 139*a399b765Szf bytes = read(fd, ptr, resid); 140*a399b765Szf ptr += bytes; 141*a399b765Szf resid -= bytes; 142*a399b765Szf } 143*a399b765Szf 144*a399b765Szf (void) close(fd); 145*a399b765Szf 146*a399b765Szf return (0); 147*a399b765Szf } 148*a399b765Szf 149*a399b765Szf static void 150*a399b765Szf inc_byte_array(uint8_t *counter, size_t len) 151*a399b765Szf { 152*a399b765Szf int pos = len - 1; 153*a399b765Szf while (pos >= 0) { 154*a399b765Szf counter[pos]++; 155*a399b765Szf if (counter[pos] != 0) 156*a399b765Szf break; 157*a399b765Szf pos--; 158*a399b765Szf } 159*a399b765Szf } 160*a399b765Szf 161*a399b765Szf static int 162*a399b765Szf wpa_selector_to_bitfield(uint8_t *s) 163*a399b765Szf { 164*a399b765Szf if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0) 165*a399b765Szf return (WPA_CIPHER_NONE); 166*a399b765Szf if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0) 167*a399b765Szf return (WPA_CIPHER_WEP40); 168*a399b765Szf if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0) 169*a399b765Szf return (WPA_CIPHER_TKIP); 170*a399b765Szf if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0) 171*a399b765Szf return (WPA_CIPHER_CCMP); 172*a399b765Szf if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0) 173*a399b765Szf return (WPA_CIPHER_WEP104); 174*a399b765Szf return (0); 175*a399b765Szf } 176*a399b765Szf 177*a399b765Szf static int 178*a399b765Szf wpa_key_mgmt_to_bitfield(uint8_t *s) 179*a399b765Szf { 180*a399b765Szf if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0) 181*a399b765Szf return (WPA_KEY_MGMT_IEEE8021X); 182*a399b765Szf if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) == 183*a399b765Szf 0) 184*a399b765Szf return (WPA_KEY_MGMT_PSK); 185*a399b765Szf return (0); 186*a399b765Szf } 187*a399b765Szf 188*a399b765Szf static int 189*a399b765Szf rsn_selector_to_bitfield(uint8_t *s) 190*a399b765Szf { 191*a399b765Szf if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0) 192*a399b765Szf return (WPA_CIPHER_NONE); 193*a399b765Szf if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0) 194*a399b765Szf return (WPA_CIPHER_WEP40); 195*a399b765Szf if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0) 196*a399b765Szf return (WPA_CIPHER_TKIP); 197*a399b765Szf if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0) 198*a399b765Szf return (WPA_CIPHER_CCMP); 199*a399b765Szf if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0) 200*a399b765Szf return (WPA_CIPHER_WEP104); 201*a399b765Szf return (0); 202*a399b765Szf } 203*a399b765Szf 204*a399b765Szf static int 205*a399b765Szf rsn_key_mgmt_to_bitfield(uint8_t *s) 206*a399b765Szf { 207*a399b765Szf if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0) 208*a399b765Szf return (WPA_KEY_MGMT_IEEE8021X); 209*a399b765Szf if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) == 210*a399b765Szf 0) 211*a399b765Szf return (WPA_KEY_MGMT_PSK); 212*a399b765Szf return (0); 213*a399b765Szf } 214*a399b765Szf 215*a399b765Szf static void 216*a399b765Szf pmksa_cache_free_entry(struct wpa_supplicant *wpa_s, 217*a399b765Szf struct rsn_pmksa_cache *entry) 218*a399b765Szf { 219*a399b765Szf wpa_s->pmksa_count--; 220*a399b765Szf if (wpa_s->cur_pmksa == entry) { 221*a399b765Szf wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry"); 222*a399b765Szf wpa_s->cur_pmksa = NULL; 223*a399b765Szf } 224*a399b765Szf free(entry); 225*a399b765Szf } 226*a399b765Szf 227*a399b765Szf /* ARGSUSED */ 228*a399b765Szf static void 229*a399b765Szf pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx) 230*a399b765Szf { 231*a399b765Szf struct wpa_supplicant *wpa_s = eloop_ctx; 232*a399b765Szf time_t now; 233*a399b765Szf 234*a399b765Szf (void) time(&now); 235*a399b765Szf while (wpa_s->pmksa && wpa_s->pmksa->expiration <= now) { 236*a399b765Szf struct rsn_pmksa_cache *entry = wpa_s->pmksa; 237*a399b765Szf wpa_s->pmksa = entry->next; 238*a399b765Szf wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for " 239*a399b765Szf MACSTR, MAC2STR(entry->aa)); 240*a399b765Szf pmksa_cache_free_entry(wpa_s, entry); 241*a399b765Szf } 242*a399b765Szf 243*a399b765Szf pmksa_cache_set_expiration(wpa_s); 244*a399b765Szf } 245*a399b765Szf 246*a399b765Szf static void 247*a399b765Szf pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s) 248*a399b765Szf { 249*a399b765Szf int sec; 250*a399b765Szf eloop_cancel_timeout(pmksa_cache_expire, wpa_s, NULL); 251*a399b765Szf if (wpa_s->pmksa == NULL) 252*a399b765Szf return; 253*a399b765Szf sec = wpa_s->pmksa->expiration - time(NULL); 254*a399b765Szf if (sec < 0) 255*a399b765Szf sec = 0; 256*a399b765Szf (void) eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, 257*a399b765Szf wpa_s, NULL); 258*a399b765Szf } 259*a399b765Szf 260*a399b765Szf void 261*a399b765Szf pmksa_cache_free(struct wpa_supplicant *wpa_s) 262*a399b765Szf { 263*a399b765Szf struct rsn_pmksa_cache *entry, *prev; 264*a399b765Szf 265*a399b765Szf entry = wpa_s->pmksa; 266*a399b765Szf wpa_s->pmksa = NULL; 267*a399b765Szf while (entry) { 268*a399b765Szf prev = entry; 269*a399b765Szf entry = entry->next; 270*a399b765Szf free(prev); 271*a399b765Szf } 272*a399b765Szf pmksa_cache_set_expiration(wpa_s); 273*a399b765Szf wpa_s->cur_pmksa = NULL; 274*a399b765Szf } 275*a399b765Szf 276*a399b765Szf struct rsn_pmksa_cache * 277*a399b765Szf pmksa_cache_get(struct wpa_supplicant *wpa_s, 278*a399b765Szf uint8_t *aa, uint8_t *pmkid) 279*a399b765Szf { 280*a399b765Szf struct rsn_pmksa_cache *entry = wpa_s->pmksa; 281*a399b765Szf while (entry) { 282*a399b765Szf if ((aa == NULL || 283*a399b765Szf memcmp(entry->aa, aa, IEEE80211_ADDR_LEN) == 0) && 284*a399b765Szf (pmkid == NULL || 285*a399b765Szf memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)) 286*a399b765Szf return (entry); 287*a399b765Szf entry = entry->next; 288*a399b765Szf } 289*a399b765Szf return (NULL); 290*a399b765Szf } 291*a399b765Szf 292*a399b765Szf int 293*a399b765Szf pmksa_cache_list(struct wpa_supplicant *wpa_s, char *buf, size_t len) 294*a399b765Szf { 295*a399b765Szf int i, j; 296*a399b765Szf char *pos = buf; 297*a399b765Szf struct rsn_pmksa_cache *entry; 298*a399b765Szf time_t now; 299*a399b765Szf 300*a399b765Szf (void) time(&now); 301*a399b765Szf pos += snprintf(pos, buf + len - pos, 302*a399b765Szf "Index / AA / PMKID / expiration (in seconds)\n"); 303*a399b765Szf i = 0; 304*a399b765Szf entry = wpa_s->pmksa; 305*a399b765Szf while (entry) { 306*a399b765Szf i++; 307*a399b765Szf pos += snprintf(pos, buf + len - pos, "%d " MACSTR " ", 308*a399b765Szf i, MAC2STR(entry->aa)); 309*a399b765Szf for (j = 0; j < PMKID_LEN; j++) 310*a399b765Szf pos += snprintf(pos, buf + len - pos, "%02x", 311*a399b765Szf entry->pmkid[j]); 312*a399b765Szf pos += snprintf(pos, buf + len - pos, " %d\n", 313*a399b765Szf (int)(entry->expiration - now)); 314*a399b765Szf entry = entry->next; 315*a399b765Szf } 316*a399b765Szf return (pos - buf); 317*a399b765Szf } 318*a399b765Szf 319*a399b765Szf void 320*a399b765Szf pmksa_candidate_free(struct wpa_supplicant *wpa_s) 321*a399b765Szf { 322*a399b765Szf struct rsn_pmksa_candidate *entry, *prev; 323*a399b765Szf 324*a399b765Szf entry = wpa_s->pmksa_candidates; 325*a399b765Szf wpa_s->pmksa_candidates = NULL; 326*a399b765Szf while (entry) { 327*a399b765Szf prev = entry; 328*a399b765Szf entry = entry->next; 329*a399b765Szf free(prev); 330*a399b765Szf } 331*a399b765Szf } 332*a399b765Szf 333*a399b765Szf /* ARGSUSED */ 334*a399b765Szf static int 335*a399b765Szf wpa_parse_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 336*a399b765Szf size_t wpa_ie_len, struct wpa_ie_data *data) 337*a399b765Szf { 338*a399b765Szf struct wpa_ie_hdr *hdr; 339*a399b765Szf uint8_t *pos; 340*a399b765Szf int left; 341*a399b765Szf int i, count; 342*a399b765Szf 343*a399b765Szf data->proto = WPA_PROTO_WPA; 344*a399b765Szf data->pairwise_cipher = WPA_CIPHER_TKIP; 345*a399b765Szf data->group_cipher = WPA_CIPHER_TKIP; 346*a399b765Szf data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 347*a399b765Szf data->capabilities = 0; 348*a399b765Szf 349*a399b765Szf if (wpa_ie_len == 0) { 350*a399b765Szf /* No WPA IE - fail silently */ 351*a399b765Szf return (-1); 352*a399b765Szf } 353*a399b765Szf 354*a399b765Szf if (wpa_ie_len < sizeof (struct wpa_ie_hdr)) { 355*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 356*a399b765Szf "wpa_parse_wpa_ie_wpa", wpa_ie_len); 357*a399b765Szf return (-1); 358*a399b765Szf } 359*a399b765Szf 360*a399b765Szf hdr = (struct wpa_ie_hdr *)wpa_ie; 361*a399b765Szf 362*a399b765Szf if (hdr->elem_id != GENERIC_INFO_ELEM || 363*a399b765Szf hdr->len != wpa_ie_len - 2 || 364*a399b765Szf memcmp(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN) != 0 || 365*a399b765Szf LE_16(hdr->version) != WPA_VERSION) { 366*a399b765Szf wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 367*a399b765Szf "wpa_parse_wpa_ie_wpa"); 368*a399b765Szf return (-1); 369*a399b765Szf } 370*a399b765Szf 371*a399b765Szf pos = (uint8_t *)(hdr + 1); 372*a399b765Szf left = wpa_ie_len - sizeof (*hdr); 373*a399b765Szf 374*a399b765Szf if (left >= WPA_SELECTOR_LEN) { 375*a399b765Szf data->group_cipher = wpa_selector_to_bitfield(pos); 376*a399b765Szf pos += WPA_SELECTOR_LEN; 377*a399b765Szf left -= WPA_SELECTOR_LEN; 378*a399b765Szf } else if (left > 0) { 379*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 380*a399b765Szf "wpa_parse_wpa_ie_wpa", left); 381*a399b765Szf return (-1); 382*a399b765Szf } 383*a399b765Szf 384*a399b765Szf if (left >= 2) { 385*a399b765Szf data->pairwise_cipher = 0; 386*a399b765Szf count = pos[0] | (pos[1] << 8); 387*a399b765Szf pos += 2; 388*a399b765Szf left -= 2; 389*a399b765Szf if (count == 0 || left < count * WPA_SELECTOR_LEN) { 390*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 391*a399b765Szf "count %u left %u", 392*a399b765Szf "wpa_parse_wpa_ie_wpa", count, left); 393*a399b765Szf return (-1); 394*a399b765Szf } 395*a399b765Szf for (i = 0; i < count; i++) { 396*a399b765Szf data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 397*a399b765Szf pos += WPA_SELECTOR_LEN; 398*a399b765Szf left -= WPA_SELECTOR_LEN; 399*a399b765Szf } 400*a399b765Szf } else if (left == 1) { 401*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 402*a399b765Szf "wpa_parse_wpa_ie_wpa"); 403*a399b765Szf return (-1); 404*a399b765Szf } 405*a399b765Szf 406*a399b765Szf if (left >= 2) { 407*a399b765Szf data->key_mgmt = 0; 408*a399b765Szf count = pos[0] | (pos[1] << 8); 409*a399b765Szf pos += 2; 410*a399b765Szf left -= 2; 411*a399b765Szf if (count == 0 || left < count * WPA_SELECTOR_LEN) { 412*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 413*a399b765Szf "count %u left %u", 414*a399b765Szf "wpa_parse_wpa_ie_wpa", count, left); 415*a399b765Szf return (-1); 416*a399b765Szf } 417*a399b765Szf for (i = 0; i < count; i++) { 418*a399b765Szf data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 419*a399b765Szf pos += WPA_SELECTOR_LEN; 420*a399b765Szf left -= WPA_SELECTOR_LEN; 421*a399b765Szf } 422*a399b765Szf } else if (left == 1) { 423*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 424*a399b765Szf "wpa_parse_wpa_ie_wpa"); 425*a399b765Szf return (-1); 426*a399b765Szf } 427*a399b765Szf 428*a399b765Szf if (left >= 2) { 429*a399b765Szf data->capabilities = pos[0] | (pos[1] << 8); 430*a399b765Szf pos += 2; 431*a399b765Szf left -= 2; 432*a399b765Szf } 433*a399b765Szf 434*a399b765Szf if (left > 0) { 435*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes", 436*a399b765Szf "wpa_parse_wpa_ie_wpa", left); 437*a399b765Szf return (-1); 438*a399b765Szf } 439*a399b765Szf 440*a399b765Szf return (0); 441*a399b765Szf } 442*a399b765Szf 443*a399b765Szf /* ARGSUSED */ 444*a399b765Szf static int 445*a399b765Szf wpa_parse_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie, 446*a399b765Szf size_t rsn_ie_len, struct wpa_ie_data *data) 447*a399b765Szf { 448*a399b765Szf struct rsn_ie_hdr *hdr; 449*a399b765Szf uint8_t *pos; 450*a399b765Szf int left; 451*a399b765Szf int i, count; 452*a399b765Szf 453*a399b765Szf data->proto = WPA_PROTO_RSN; 454*a399b765Szf data->pairwise_cipher = WPA_CIPHER_CCMP; 455*a399b765Szf data->group_cipher = WPA_CIPHER_CCMP; 456*a399b765Szf data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 457*a399b765Szf data->capabilities = 0; 458*a399b765Szf 459*a399b765Szf if (rsn_ie_len == 0) { 460*a399b765Szf /* No RSN IE - fail silently */ 461*a399b765Szf return (-1); 462*a399b765Szf } 463*a399b765Szf 464*a399b765Szf if (rsn_ie_len < sizeof (struct rsn_ie_hdr)) { 465*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 466*a399b765Szf "wpa_parse_wpa_ie_rsn", rsn_ie_len); 467*a399b765Szf return (-1); 468*a399b765Szf } 469*a399b765Szf 470*a399b765Szf hdr = (struct rsn_ie_hdr *)rsn_ie; 471*a399b765Szf 472*a399b765Szf if (hdr->elem_id != RSN_INFO_ELEM || 473*a399b765Szf hdr->len != rsn_ie_len - 2 || 474*a399b765Szf LE_16(hdr->version) != RSN_VERSION) { 475*a399b765Szf wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 476*a399b765Szf "wpa_parse_wpa_ie_rsn"); 477*a399b765Szf return (-1); 478*a399b765Szf } 479*a399b765Szf 480*a399b765Szf pos = (uint8_t *)(hdr + 1); 481*a399b765Szf left = rsn_ie_len - sizeof (*hdr); 482*a399b765Szf 483*a399b765Szf if (left >= RSN_SELECTOR_LEN) { 484*a399b765Szf data->group_cipher = rsn_selector_to_bitfield(pos); 485*a399b765Szf pos += RSN_SELECTOR_LEN; 486*a399b765Szf left -= RSN_SELECTOR_LEN; 487*a399b765Szf } else if (left > 0) { 488*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 489*a399b765Szf "wpa_parse_wpa_ie_rsn", left); 490*a399b765Szf return (-1); 491*a399b765Szf } 492*a399b765Szf 493*a399b765Szf if (left >= 2) { 494*a399b765Szf data->pairwise_cipher = 0; 495*a399b765Szf count = pos[0] | (pos[1] << 8); 496*a399b765Szf pos += 2; 497*a399b765Szf left -= 2; 498*a399b765Szf if (count == 0 || left < count * RSN_SELECTOR_LEN) { 499*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 500*a399b765Szf "count %u left %u", 501*a399b765Szf "wpa_parse_wpa_ie_rsn", count, left); 502*a399b765Szf return (-1); 503*a399b765Szf } 504*a399b765Szf for (i = 0; i < count; i++) { 505*a399b765Szf data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 506*a399b765Szf pos += RSN_SELECTOR_LEN; 507*a399b765Szf left -= RSN_SELECTOR_LEN; 508*a399b765Szf } 509*a399b765Szf } else if (left == 1) { 510*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 511*a399b765Szf "wpa_parse_wpa_ie_rsn"); 512*a399b765Szf return (-1); 513*a399b765Szf } 514*a399b765Szf 515*a399b765Szf if (left >= 2) { 516*a399b765Szf data->key_mgmt = 0; 517*a399b765Szf count = pos[0] | (pos[1] << 8); 518*a399b765Szf pos += 2; 519*a399b765Szf left -= 2; 520*a399b765Szf if (count == 0 || left < count * RSN_SELECTOR_LEN) { 521*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 522*a399b765Szf "count %u left %u", 523*a399b765Szf "wpa_parse_wpa_ie_rsn", count, left); 524*a399b765Szf return (-1); 525*a399b765Szf } 526*a399b765Szf for (i = 0; i < count; i++) { 527*a399b765Szf data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 528*a399b765Szf pos += RSN_SELECTOR_LEN; 529*a399b765Szf left -= RSN_SELECTOR_LEN; 530*a399b765Szf } 531*a399b765Szf } else if (left == 1) { 532*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 533*a399b765Szf "wpa_parse_wpa_ie_rsn"); 534*a399b765Szf return (-1); 535*a399b765Szf } 536*a399b765Szf 537*a399b765Szf if (left >= 2) { 538*a399b765Szf data->capabilities = pos[0] | (pos[1] << 8); 539*a399b765Szf pos += 2; 540*a399b765Szf left -= 2; 541*a399b765Szf } 542*a399b765Szf 543*a399b765Szf if (left > 0) { 544*a399b765Szf /* 545*a399b765Szf * RSN IE could include PMKID data, but Authenticator should 546*a399b765Szf * never include it, so no need to parse it in the Supplicant. 547*a399b765Szf */ 548*a399b765Szf wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored", 549*a399b765Szf "wpa_parse_wpa_ie_rsn", left); 550*a399b765Szf } 551*a399b765Szf 552*a399b765Szf return (0); 553*a399b765Szf } 554*a399b765Szf 555*a399b765Szf int 556*a399b765Szf wpa_parse_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 557*a399b765Szf size_t wpa_ie_len, struct wpa_ie_data *data) 558*a399b765Szf { 559*a399b765Szf if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM) 560*a399b765Szf return (wpa_parse_wpa_ie_rsn(wpa_s, wpa_ie, wpa_ie_len, data)); 561*a399b765Szf else 562*a399b765Szf return (wpa_parse_wpa_ie_wpa(wpa_s, wpa_ie, wpa_ie_len, data)); 563*a399b765Szf } 564*a399b765Szf 565*a399b765Szf static int 566*a399b765Szf wpa_gen_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 567*a399b765Szf { 568*a399b765Szf uint8_t *pos; 569*a399b765Szf struct wpa_ie_hdr *hdr; 570*a399b765Szf 571*a399b765Szf hdr = (struct wpa_ie_hdr *)wpa_ie; 572*a399b765Szf hdr->elem_id = GENERIC_INFO_ELEM; 573*a399b765Szf (void) memcpy(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN); 574*a399b765Szf hdr->version = LE_16(WPA_VERSION); 575*a399b765Szf pos = (uint8_t *)(hdr + 1); 576*a399b765Szf 577*a399b765Szf if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 578*a399b765Szf (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 579*a399b765Szf } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 580*a399b765Szf (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 581*a399b765Szf } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 582*a399b765Szf (void) memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN); 583*a399b765Szf } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 584*a399b765Szf (void) memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN); 585*a399b765Szf } else { 586*a399b765Szf wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 587*a399b765Szf wpa_s->group_cipher); 588*a399b765Szf return (-1); 589*a399b765Szf } 590*a399b765Szf pos += WPA_SELECTOR_LEN; 591*a399b765Szf 592*a399b765Szf *pos++ = 1; 593*a399b765Szf *pos++ = 0; 594*a399b765Szf if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 595*a399b765Szf (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 596*a399b765Szf } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 597*a399b765Szf (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 598*a399b765Szf } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 599*a399b765Szf (void) memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN); 600*a399b765Szf } else { 601*a399b765Szf wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 602*a399b765Szf wpa_s->pairwise_cipher); 603*a399b765Szf return (-1); 604*a399b765Szf } 605*a399b765Szf pos += WPA_SELECTOR_LEN; 606*a399b765Szf 607*a399b765Szf *pos++ = 1; 608*a399b765Szf *pos++ = 0; 609*a399b765Szf if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 610*a399b765Szf (void) memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, 611*a399b765Szf WPA_SELECTOR_LEN); 612*a399b765Szf } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 613*a399b765Szf (void) memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, 614*a399b765Szf WPA_SELECTOR_LEN); 615*a399b765Szf } else { 616*a399b765Szf wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 617*a399b765Szf wpa_s->key_mgmt); 618*a399b765Szf return (-1); 619*a399b765Szf } 620*a399b765Szf pos += WPA_SELECTOR_LEN; 621*a399b765Szf 622*a399b765Szf /* 623*a399b765Szf * WPA Capabilities; use defaults, so no need to include it 624*a399b765Szf */ 625*a399b765Szf hdr->len = (pos - wpa_ie) - 2; 626*a399b765Szf 627*a399b765Szf return (pos - wpa_ie); 628*a399b765Szf } 629*a399b765Szf 630*a399b765Szf static int 631*a399b765Szf wpa_gen_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie) 632*a399b765Szf { 633*a399b765Szf uint8_t *pos; 634*a399b765Szf struct rsn_ie_hdr *hdr; 635*a399b765Szf 636*a399b765Szf hdr = (struct rsn_ie_hdr *)rsn_ie; 637*a399b765Szf hdr->elem_id = RSN_INFO_ELEM; 638*a399b765Szf hdr->version = LE_16(RSN_VERSION); 639*a399b765Szf pos = (uint8_t *)(hdr + 1); 640*a399b765Szf 641*a399b765Szf if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 642*a399b765Szf (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 643*a399b765Szf } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 644*a399b765Szf (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 645*a399b765Szf } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 646*a399b765Szf (void) memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN); 647*a399b765Szf } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 648*a399b765Szf (void) memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN); 649*a399b765Szf } else { 650*a399b765Szf wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 651*a399b765Szf wpa_s->group_cipher); 652*a399b765Szf return (-1); 653*a399b765Szf } 654*a399b765Szf pos += RSN_SELECTOR_LEN; 655*a399b765Szf 656*a399b765Szf *pos++ = 1; 657*a399b765Szf *pos++ = 0; 658*a399b765Szf if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 659*a399b765Szf (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 660*a399b765Szf } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 661*a399b765Szf (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 662*a399b765Szf } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 663*a399b765Szf (void) memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN); 664*a399b765Szf } else { 665*a399b765Szf wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 666*a399b765Szf wpa_s->pairwise_cipher); 667*a399b765Szf return (-1); 668*a399b765Szf } 669*a399b765Szf pos += RSN_SELECTOR_LEN; 670*a399b765Szf 671*a399b765Szf *pos++ = 1; 672*a399b765Szf *pos++ = 0; 673*a399b765Szf if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 674*a399b765Szf (void) memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, 675*a399b765Szf RSN_SELECTOR_LEN); 676*a399b765Szf } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 677*a399b765Szf (void) memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, 678*a399b765Szf RSN_SELECTOR_LEN); 679*a399b765Szf } else { 680*a399b765Szf wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 681*a399b765Szf wpa_s->key_mgmt); 682*a399b765Szf return (-1); 683*a399b765Szf } 684*a399b765Szf pos += RSN_SELECTOR_LEN; 685*a399b765Szf 686*a399b765Szf /* RSN Capabilities */ 687*a399b765Szf *pos++ = 0; 688*a399b765Szf *pos++ = 0; 689*a399b765Szf 690*a399b765Szf if (wpa_s->cur_pmksa) { 691*a399b765Szf /* PMKID Count (2 octets, little endian) */ 692*a399b765Szf *pos++ = 1; 693*a399b765Szf *pos++ = 0; 694*a399b765Szf /* PMKID */ 695*a399b765Szf (void) memcpy(pos, wpa_s->cur_pmksa->pmkid, PMKID_LEN); 696*a399b765Szf pos += PMKID_LEN; 697*a399b765Szf } 698*a399b765Szf 699*a399b765Szf hdr->len = (pos - rsn_ie) - 2; 700*a399b765Szf 701*a399b765Szf return (pos - rsn_ie); 702*a399b765Szf } 703*a399b765Szf 704*a399b765Szf int 705*a399b765Szf wpa_gen_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 706*a399b765Szf { 707*a399b765Szf if (wpa_s->proto == WPA_PROTO_RSN) 708*a399b765Szf return (wpa_gen_wpa_ie_rsn(wpa_s, wpa_ie)); 709*a399b765Szf else 710*a399b765Szf return (wpa_gen_wpa_ie_wpa(wpa_s, wpa_ie)); 711*a399b765Szf } 712*a399b765Szf 713*a399b765Szf static void 714*a399b765Szf wpa_pmk_to_ptk(uint8_t *pmk, uint8_t *addr1, uint8_t *addr2, 715*a399b765Szf uint8_t *nonce1, uint8_t *nonce2, uint8_t *ptk, size_t ptk_len) 716*a399b765Szf { 717*a399b765Szf uint8_t data[2 * IEEE80211_ADDR_LEN + 2 * WPA_PMK_LEN]; 718*a399b765Szf 719*a399b765Szf /* 720*a399b765Szf * PTK = PRF-X(PMK, "Pairwise key expansion", 721*a399b765Szf * Min(AA, SA) || Max(AA, SA) || 722*a399b765Szf * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 723*a399b765Szf */ 724*a399b765Szf 725*a399b765Szf if (memcmp(addr1, addr2, IEEE80211_ADDR_LEN) < 0) { 726*a399b765Szf (void) memcpy(data, addr1, IEEE80211_ADDR_LEN); 727*a399b765Szf (void) memcpy(data + IEEE80211_ADDR_LEN, addr2, 728*a399b765Szf IEEE80211_ADDR_LEN); 729*a399b765Szf } else { 730*a399b765Szf (void) memcpy(data, addr2, IEEE80211_ADDR_LEN); 731*a399b765Szf (void) memcpy(data + IEEE80211_ADDR_LEN, addr1, 732*a399b765Szf IEEE80211_ADDR_LEN); 733*a399b765Szf } 734*a399b765Szf 735*a399b765Szf if (memcmp(nonce1, nonce2, WPA_PMK_LEN) < 0) { 736*a399b765Szf (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce1, 737*a399b765Szf WPA_PMK_LEN); 738*a399b765Szf (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 739*a399b765Szf nonce2, WPA_PMK_LEN); 740*a399b765Szf } else { 741*a399b765Szf (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce2, 742*a399b765Szf WPA_PMK_LEN); 743*a399b765Szf (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 744*a399b765Szf nonce1, WPA_PMK_LEN); 745*a399b765Szf } 746*a399b765Szf 747*a399b765Szf sha1_prf(pmk, WPA_PMK_LEN, "Pairwise key expansion", data, 748*a399b765Szf sizeof (data), ptk, ptk_len); 749*a399b765Szf 750*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: PMK", pmk, WPA_PMK_LEN); 751*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: PTK", ptk, ptk_len); 752*a399b765Szf } 753*a399b765Szf 754*a399b765Szf struct wpa_ssid * 755*a399b765Szf wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s) 756*a399b765Szf { 757*a399b765Szf struct wpa_ssid *entry; 758*a399b765Szf uint8_t ssid[MAX_ESSID_LENGTH]; 759*a399b765Szf int ssid_len; 760*a399b765Szf uint8_t bssid[IEEE80211_ADDR_LEN]; 761*a399b765Szf 762*a399b765Szf (void) memset(ssid, 0, MAX_ESSID_LENGTH); 763*a399b765Szf ssid_len = wpa_s->driver->get_ssid(wpa_s->ifname, (char *)ssid); 764*a399b765Szf if (ssid_len < 0) { 765*a399b765Szf wpa_printf(MSG_WARNING, "Could not read SSID from driver."); 766*a399b765Szf return (NULL); 767*a399b765Szf } 768*a399b765Szf 769*a399b765Szf if (wpa_s->driver->get_bssid(wpa_s->ifname, (char *)bssid) < 0) { 770*a399b765Szf wpa_printf(MSG_WARNING, "Could not read BSSID from driver."); 771*a399b765Szf return (NULL); 772*a399b765Szf } 773*a399b765Szf 774*a399b765Szf entry = wpa_s->conf->ssid; 775*a399b765Szf wpa_printf(MSG_DEBUG, "entry len=%d ssid=%s," 776*a399b765Szf " driver len=%d ssid=%s", 777*a399b765Szf entry->ssid_len, entry->ssid, ssid_len, ssid); 778*a399b765Szf 779*a399b765Szf if (ssid_len == entry->ssid_len && 780*a399b765Szf memcmp(ssid, entry->ssid, ssid_len) == 0 && 781*a399b765Szf (!entry->bssid_set || 782*a399b765Szf memcmp(bssid, entry->bssid, IEEE80211_ADDR_LEN) == 0)) 783*a399b765Szf return (entry); 784*a399b765Szf 785*a399b765Szf return (NULL); 786*a399b765Szf } 787*a399b765Szf 788*a399b765Szf static void 789*a399b765Szf wpa_eapol_key_mic(uint8_t *key, int ver, uint8_t *buf, size_t len, uint8_t *mic) 790*a399b765Szf { 791*a399b765Szf if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 792*a399b765Szf hmac_md5(key, 16, buf, len, mic); 793*a399b765Szf } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 794*a399b765Szf uint8_t hash[SHA1_MAC_LEN]; 795*a399b765Szf hmac_sha1(key, 16, buf, len, hash); 796*a399b765Szf (void) memcpy(mic, hash, MD5_MAC_LEN); 797*a399b765Szf } 798*a399b765Szf } 799*a399b765Szf 800*a399b765Szf void 801*a399b765Szf wpa_supplicant_key_request(struct wpa_supplicant *wpa_s, 802*a399b765Szf int error, int pairwise) 803*a399b765Szf { 804*a399b765Szf int rlen; 805*a399b765Szf struct ieee802_1x_hdr *hdr; 806*a399b765Szf struct wpa_eapol_key *reply; 807*a399b765Szf unsigned char *rbuf; 808*a399b765Szf struct l2_ethhdr *ethhdr; 809*a399b765Szf int key_info, ver; 810*a399b765Szf uint8_t bssid[IEEE80211_ADDR_LEN]; 811*a399b765Szf 812*a399b765Szf if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) 813*a399b765Szf ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 814*a399b765Szf else 815*a399b765Szf ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 816*a399b765Szf 817*a399b765Szf if (wpa_s->driver->get_bssid(wpa_s->ifname, (char *)bssid) < 0) { 818*a399b765Szf wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key " 819*a399b765Szf "request"); 820*a399b765Szf return; 821*a399b765Szf } 822*a399b765Szf 823*a399b765Szf rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 824*a399b765Szf rbuf = malloc(rlen); 825*a399b765Szf if (rbuf == NULL) 826*a399b765Szf return; 827*a399b765Szf 828*a399b765Szf (void) memset(rbuf, 0, rlen); 829*a399b765Szf ethhdr = (struct l2_ethhdr *)rbuf; 830*a399b765Szf (void) memcpy(ethhdr->h_dest, bssid, IEEE80211_ADDR_LEN); 831*a399b765Szf (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 832*a399b765Szf ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 833*a399b765Szf 834*a399b765Szf hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 835*a399b765Szf hdr->version = wpa_s->conf->eapol_version; 836*a399b765Szf hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 837*a399b765Szf hdr->length = htons(sizeof (*reply)); 838*a399b765Szf 839*a399b765Szf reply = (struct wpa_eapol_key *)(hdr + 1); 840*a399b765Szf reply->type = wpa_s->proto == WPA_PROTO_RSN ? 841*a399b765Szf EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 842*a399b765Szf key_info = WPA_KEY_INFO_REQUEST | ver; 843*a399b765Szf if (wpa_s->ptk_set) 844*a399b765Szf key_info |= WPA_KEY_INFO_MIC; 845*a399b765Szf if (error) 846*a399b765Szf key_info |= WPA_KEY_INFO_ERROR; 847*a399b765Szf if (pairwise) 848*a399b765Szf key_info |= WPA_KEY_INFO_KEY_TYPE; 849*a399b765Szf reply->key_info = BE_16(key_info); 850*a399b765Szf reply->key_length = 0; 851*a399b765Szf (void) memcpy(reply->replay_counter, wpa_s->request_counter, 852*a399b765Szf WPA_REPLAY_COUNTER_LEN); 853*a399b765Szf inc_byte_array(wpa_s->request_counter, WPA_REPLAY_COUNTER_LEN); 854*a399b765Szf 855*a399b765Szf reply->key_data_length = BE_16(0); 856*a399b765Szf 857*a399b765Szf if (key_info & WPA_KEY_INFO_MIC) { 858*a399b765Szf wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 859*a399b765Szf rlen - sizeof (*ethhdr), reply->key_mic); 860*a399b765Szf } 861*a399b765Szf 862*a399b765Szf wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d " 863*a399b765Szf "pairwise=%d ptk_set=%d len=%d)", 864*a399b765Szf error, pairwise, wpa_s->ptk_set, rlen); 865*a399b765Szf wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key Request", rbuf, rlen); 866*a399b765Szf (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 867*a399b765Szf free(rbuf); 868*a399b765Szf } 869*a399b765Szf 870*a399b765Szf static void 871*a399b765Szf wpa_supplicant_process_1_of_4(struct wpa_supplicant *wpa_s, 872*a399b765Szf unsigned char *src_addr, struct wpa_eapol_key *key, int ver) 873*a399b765Szf { 874*a399b765Szf int rlen; 875*a399b765Szf struct ieee802_1x_hdr *hdr; 876*a399b765Szf struct wpa_eapol_key *reply; 877*a399b765Szf unsigned char *rbuf; 878*a399b765Szf struct l2_ethhdr *ethhdr; 879*a399b765Szf struct wpa_ssid *ssid; 880*a399b765Szf struct wpa_ptk *ptk; 881*a399b765Szf uint8_t buf[8], wpa_ie_buf[80], *wpa_ie, *pmkid = NULL; 882*a399b765Szf int wpa_ie_len; 883*a399b765Szf 884*a399b765Szf wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 885*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from " 886*a399b765Szf MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 887*a399b765Szf 888*a399b765Szf ssid = wpa_supplicant_get_ssid(wpa_s); 889*a399b765Szf if (ssid == NULL) { 890*a399b765Szf wpa_printf(MSG_WARNING, 891*a399b765Szf "WPA: No SSID info found (msg 1 of 4)."); 892*a399b765Szf return; 893*a399b765Szf } 894*a399b765Szf 895*a399b765Szf if (wpa_s->proto == WPA_PROTO_RSN) { 896*a399b765Szf /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 897*a399b765Szf uint8_t *pos = (uint8_t *)(key + 1); 898*a399b765Szf uint8_t *end = pos + BE_16(key->key_data_length); 899*a399b765Szf 900*a399b765Szf wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 901*a399b765Szf pos, BE_16(key->key_data_length)); 902*a399b765Szf 903*a399b765Szf while (pos + 1 < end) { 904*a399b765Szf if (pos + 2 + pos[1] > end) { 905*a399b765Szf wpa_printf(MSG_DEBUG, "RSN: key data " 906*a399b765Szf "underflow (ie=%d len=%d)", 907*a399b765Szf pos[0], pos[1]); 908*a399b765Szf break; 909*a399b765Szf } 910*a399b765Szf if (pos[0] == GENERIC_INFO_ELEM && 911*a399b765Szf pos + 1 + RSN_SELECTOR_LEN < end && 912*a399b765Szf pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN && 913*a399b765Szf memcmp(pos + 2, RSN_KEY_DATA_PMKID, 914*a399b765Szf RSN_SELECTOR_LEN) == 0) { 915*a399b765Szf pmkid = pos + 2 + RSN_SELECTOR_LEN; 916*a399b765Szf wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 917*a399b765Szf "Authenticator", pmkid, PMKID_LEN); 918*a399b765Szf break; 919*a399b765Szf } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 920*a399b765Szf break; 921*a399b765Szf pos += 2 + pos[1]; 922*a399b765Szf } 923*a399b765Szf } 924*a399b765Szf 925*a399b765Szf wpa_ie = wpa_ie_buf; 926*a399b765Szf wpa_ie_len = wpa_gen_wpa_ie(wpa_s, wpa_ie); 927*a399b765Szf if (wpa_ie_len < 0) { 928*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Failed to generate " 929*a399b765Szf "WPA IE (for msg 2 of 4)."); 930*a399b765Szf return; 931*a399b765Szf } 932*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 933*a399b765Szf 934*a399b765Szf rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply) + wpa_ie_len; 935*a399b765Szf rbuf = malloc(rlen); 936*a399b765Szf if (rbuf == NULL) 937*a399b765Szf return; 938*a399b765Szf 939*a399b765Szf (void) memset(rbuf, 0, rlen); 940*a399b765Szf ethhdr = (struct l2_ethhdr *)rbuf; 941*a399b765Szf (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 942*a399b765Szf (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 943*a399b765Szf ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 944*a399b765Szf 945*a399b765Szf hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 946*a399b765Szf hdr->version = wpa_s->conf->eapol_version; 947*a399b765Szf hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 948*a399b765Szf hdr->length = htons(sizeof (*reply) + wpa_ie_len); 949*a399b765Szf 950*a399b765Szf reply = (struct wpa_eapol_key *)(hdr + 1); 951*a399b765Szf reply->type = wpa_s->proto == WPA_PROTO_RSN ? 952*a399b765Szf EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 953*a399b765Szf reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | 954*a399b765Szf WPA_KEY_INFO_MIC); 955*a399b765Szf reply->key_length = key->key_length; 956*a399b765Szf (void) memcpy(reply->replay_counter, key->replay_counter, 957*a399b765Szf WPA_REPLAY_COUNTER_LEN); 958*a399b765Szf 959*a399b765Szf reply->key_data_length = BE_16(wpa_ie_len); 960*a399b765Szf (void) memcpy(reply + 1, wpa_ie, wpa_ie_len); 961*a399b765Szf 962*a399b765Szf if (wpa_s->renew_snonce) { 963*a399b765Szf if (random_get_pseudo_bytes(wpa_s->snonce, WPA_NONCE_LEN)) { 964*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Failed to get " 965*a399b765Szf "random data for SNonce"); 966*a399b765Szf free(rbuf); 967*a399b765Szf return; 968*a399b765Szf } 969*a399b765Szf 970*a399b765Szf wpa_s->renew_snonce = 0; 971*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 972*a399b765Szf wpa_s->snonce, WPA_NONCE_LEN); 973*a399b765Szf } 974*a399b765Szf (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 975*a399b765Szf ptk = &wpa_s->tptk; 976*a399b765Szf (void) memcpy(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN); 977*a399b765Szf 978*a399b765Szf wpa_pmk_to_ptk(wpa_s->pmk, wpa_s->own_addr, src_addr, 979*a399b765Szf wpa_s->snonce, key->key_nonce, (uint8_t *)ptk, sizeof (*ptk)); 980*a399b765Szf 981*a399b765Szf /* 982*a399b765Szf * Supplicant: swap tx/rx Mic keys 983*a399b765Szf */ 984*a399b765Szf (void) memcpy(buf, ptk->u.auth.tx_mic_key, 8); 985*a399b765Szf (void) memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8); 986*a399b765Szf (void) memcpy(ptk->u.auth.rx_mic_key, buf, 8); 987*a399b765Szf wpa_s->tptk_set = 1; 988*a399b765Szf wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, (uint8_t *)hdr, 989*a399b765Szf rlen - sizeof (*ethhdr), reply->key_mic); 990*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: EAPOL-Key MIC", reply->key_mic, 16); 991*a399b765Szf 992*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 993*a399b765Szf wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/4", rbuf, rlen); 994*a399b765Szf (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 995*a399b765Szf 996*a399b765Szf free(rbuf); 997*a399b765Szf } 998*a399b765Szf 999*a399b765Szf static void 1000*a399b765Szf wpa_supplicant_process_3_of_4_gtk(struct wpa_supplicant *wpa_s, 1001*a399b765Szf unsigned char *src_addr, struct wpa_eapol_key *key, 1002*a399b765Szf uint8_t *gtk, int gtk_len) 1003*a399b765Szf { 1004*a399b765Szf int keyidx, tx, key_rsc_len = 0, alg; 1005*a399b765Szf 1006*a399b765Szf wpa_hexdump(MSG_DEBUG, 1007*a399b765Szf "WPA: received GTK in pairwise handshake", gtk, gtk_len); 1008*a399b765Szf 1009*a399b765Szf keyidx = gtk[0] & 0x3; 1010*a399b765Szf tx = !!(gtk[0] & BIT(2)); 1011*a399b765Szf if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1012*a399b765Szf /* 1013*a399b765Szf * Ignore Tx bit in GTK IE if a pairwise key is used. 1014*a399b765Szf * One AP seemed to set this bit (incorrectly, since Tx 1015*a399b765Szf * is only when doing Group Key only APs) and without 1016*a399b765Szf * this workaround, the data connection does not work 1017*a399b765Szf * because wpa_supplicant configured non-zero keyidx to 1018*a399b765Szf * be used for unicast. 1019*a399b765Szf */ 1020*a399b765Szf wpa_printf(MSG_INFO, "RSN: Tx bit set for GTK IE, but " 1021*a399b765Szf "pairwise keys are used - ignore Tx bit"); 1022*a399b765Szf tx = 0; 1023*a399b765Szf } 1024*a399b765Szf 1025*a399b765Szf gtk += 2; 1026*a399b765Szf gtk_len -= 2; 1027*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, gtk_len); 1028*a399b765Szf 1029*a399b765Szf switch (wpa_s->group_cipher) { 1030*a399b765Szf case WPA_CIPHER_CCMP: 1031*a399b765Szf if (gtk_len != 16) { 1032*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP" 1033*a399b765Szf " Group Cipher key length %d.", gtk_len); 1034*a399b765Szf return; 1035*a399b765Szf } 1036*a399b765Szf key_rsc_len = 6; 1037*a399b765Szf alg = WPA_ALG_CCMP; 1038*a399b765Szf break; 1039*a399b765Szf case WPA_CIPHER_TKIP: 1040*a399b765Szf if (gtk_len != 32) { 1041*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP" 1042*a399b765Szf " Group Cipher key length %d.", gtk_len); 1043*a399b765Szf return; 1044*a399b765Szf } 1045*a399b765Szf key_rsc_len = 6; 1046*a399b765Szf alg = WPA_ALG_TKIP; 1047*a399b765Szf break; 1048*a399b765Szf case WPA_CIPHER_WEP104: 1049*a399b765Szf if (gtk_len != 13) { 1050*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported " 1051*a399b765Szf "WEP104 Group Cipher key length " "%d.", gtk_len); 1052*a399b765Szf return; 1053*a399b765Szf } 1054*a399b765Szf alg = WPA_ALG_WEP; 1055*a399b765Szf break; 1056*a399b765Szf case WPA_CIPHER_WEP40: 1057*a399b765Szf if (gtk_len != 5) { 1058*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported " 1059*a399b765Szf "WEP40 Group Cipher key length %d.", gtk_len); 1060*a399b765Szf return; 1061*a399b765Szf } 1062*a399b765Szf alg = WPA_ALG_WEP; 1063*a399b765Szf break; 1064*a399b765Szf default: 1065*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher " 1066*a399b765Szf "%d", wpa_s->group_cipher); 1067*a399b765Szf return; 1068*a399b765Szf } 1069*a399b765Szf 1070*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver " 1071*a399b765Szf "(keyidx=%d tx=%d).", keyidx, tx); 1072*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1073*a399b765Szf if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1074*a399b765Szf uint8_t tmpbuf[8]; 1075*a399b765Szf /* 1076*a399b765Szf * Swap Tx/Rx keys for Michael MIC 1077*a399b765Szf */ 1078*a399b765Szf (void) memcpy(tmpbuf, gtk + 16, 8); 1079*a399b765Szf (void) memcpy(gtk + 16, gtk + 24, 8); 1080*a399b765Szf (void) memcpy(gtk + 24, tmpbuf, 8); 1081*a399b765Szf } 1082*a399b765Szf if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1083*a399b765Szf if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1084*a399b765Szf (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1085*a399b765Szf keyidx, 1, key->key_rsc, 1086*a399b765Szf key_rsc_len, gtk, gtk_len) < 0) 1087*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Failed to set " 1088*a399b765Szf "GTK to the driver (Group only)."); 1089*a399b765Szf } else if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1090*a399b765Szf (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1091*a399b765Szf keyidx, tx, 1092*a399b765Szf key->key_rsc, key_rsc_len, 1093*a399b765Szf gtk, gtk_len) < 0) { 1094*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to " 1095*a399b765Szf "the driver."); 1096*a399b765Szf } 1097*a399b765Szf 1098*a399b765Szf wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " 1099*a399b765Szf MACSTR, MAC2STR(src_addr)); 1100*a399b765Szf eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1101*a399b765Szf wpa_supplicant_cancel_auth_timeout(wpa_s); 1102*a399b765Szf wpa_s->wpa_state = WPA_COMPLETED; 1103*a399b765Szf } 1104*a399b765Szf 1105*a399b765Szf static void 1106*a399b765Szf wpa_supplicant_process_3_of_4(struct wpa_supplicant *wpa_s, 1107*a399b765Szf unsigned char *src_addr, struct wpa_eapol_key *key, 1108*a399b765Szf int extra_len, int ver) 1109*a399b765Szf { 1110*a399b765Szf int rlen; 1111*a399b765Szf struct ieee802_1x_hdr *hdr; 1112*a399b765Szf struct wpa_eapol_key *reply; 1113*a399b765Szf unsigned char *rbuf; 1114*a399b765Szf struct l2_ethhdr *ethhdr; 1115*a399b765Szf int key_info, ie_len = 0, keylen, gtk_len = 0; 1116*a399b765Szf uint8_t *ie = NULL, *gtk = NULL, *key_rsc; 1117*a399b765Szf uint8_t null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 1118*a399b765Szf 1119*a399b765Szf wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 1120*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from " 1121*a399b765Szf MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1122*a399b765Szf 1123*a399b765Szf key_info = BE_16(key->key_info); 1124*a399b765Szf 1125*a399b765Szf if (wpa_s->proto == WPA_PROTO_RSN) { 1126*a399b765Szf uint8_t *pos = (uint8_t *)(key + 1); 1127*a399b765Szf uint8_t *end = pos + BE_16(key->key_data_length); 1128*a399b765Szf while (pos + 1 < end) { 1129*a399b765Szf if (pos + 2 + pos[1] > end) { 1130*a399b765Szf wpa_printf(MSG_DEBUG, "RSN: key data " 1131*a399b765Szf "underflow (ie=%d len=%d)", 1132*a399b765Szf pos[0], pos[1]); 1133*a399b765Szf break; 1134*a399b765Szf } 1135*a399b765Szf if (*pos == RSN_INFO_ELEM) { 1136*a399b765Szf ie = pos; 1137*a399b765Szf ie_len = pos[1] + 2; 1138*a399b765Szf } else if (pos[0] == GENERIC_INFO_ELEM && 1139*a399b765Szf pos + 1 + RSN_SELECTOR_LEN < end && 1140*a399b765Szf pos[1] > RSN_SELECTOR_LEN + 2 && 1141*a399b765Szf memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1142*a399b765Szf RSN_SELECTOR_LEN) == 0) { 1143*a399b765Szf if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1144*a399b765Szf wpa_printf(MSG_WARNING, "WPA: GTK IE " 1145*a399b765Szf "in unencrypted key data"); 1146*a399b765Szf return; 1147*a399b765Szf } 1148*a399b765Szf gtk = pos + 2 + RSN_SELECTOR_LEN; 1149*a399b765Szf gtk_len = pos[1] - RSN_SELECTOR_LEN; 1150*a399b765Szf } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 1151*a399b765Szf break; 1152*a399b765Szf 1153*a399b765Szf pos += 2 + pos[1]; 1154*a399b765Szf } 1155*a399b765Szf } else { 1156*a399b765Szf ie = (uint8_t *)(key + 1); 1157*a399b765Szf ie_len = BE_16(key->key_data_length); 1158*a399b765Szf if (ie_len > extra_len) { 1159*a399b765Szf wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1160*a399b765Szf " ie_len=%d > extra_len=%d", 1161*a399b765Szf ie_len, extra_len); 1162*a399b765Szf return; 1163*a399b765Szf } 1164*a399b765Szf } 1165*a399b765Szf 1166*a399b765Szf if (wpa_s->ap_wpa_ie && 1167*a399b765Szf (wpa_s->ap_wpa_ie_len != ie_len || 1168*a399b765Szf memcmp(wpa_s->ap_wpa_ie, ie, ie_len) != 0)) { 1169*a399b765Szf wpa_printf(MSG_WARNING, "WPA: WPA IE in 3/4 msg does not match" 1170*a399b765Szf " with WPA IE in Beacon/ProbeResp (src=" MACSTR ")", 1171*a399b765Szf MAC2STR(src_addr)); 1172*a399b765Szf wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1173*a399b765Szf wpa_s->ap_wpa_ie, wpa_s->ap_wpa_ie_len); 1174*a399b765Szf wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", ie, ie_len); 1175*a399b765Szf wpa_supplicant_disassociate(wpa_s, REASON_IE_IN_4WAY_DIFFERS); 1176*a399b765Szf wpa_supplicant_req_scan(wpa_s, 0, 0); 1177*a399b765Szf return; 1178*a399b765Szf } 1179*a399b765Szf 1180*a399b765Szf if (memcmp(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1181*a399b765Szf wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way " 1182*a399b765Szf "Handshake differs from 3 of 4-Way Handshake - drop" 1183*a399b765Szf " packet (src=" MACSTR ")", MAC2STR(src_addr)); 1184*a399b765Szf return; 1185*a399b765Szf } 1186*a399b765Szf 1187*a399b765Szf keylen = BE_16(key->key_length); 1188*a399b765Szf switch (wpa_s->pairwise_cipher) { 1189*a399b765Szf case WPA_CIPHER_CCMP: 1190*a399b765Szf if (keylen != 16) { 1191*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length " 1192*a399b765Szf "%d (src=" MACSTR ")", 1193*a399b765Szf keylen, MAC2STR(src_addr)); 1194*a399b765Szf return; 1195*a399b765Szf } 1196*a399b765Szf break; 1197*a399b765Szf case WPA_CIPHER_TKIP: 1198*a399b765Szf if (keylen != 32) { 1199*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length " 1200*a399b765Szf "%d (src=" MACSTR ")", 1201*a399b765Szf keylen, MAC2STR(src_addr)); 1202*a399b765Szf return; 1203*a399b765Szf } 1204*a399b765Szf break; 1205*a399b765Szf } 1206*a399b765Szf 1207*a399b765Szf rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1208*a399b765Szf rbuf = malloc(rlen); 1209*a399b765Szf if (rbuf == NULL) 1210*a399b765Szf return; 1211*a399b765Szf 1212*a399b765Szf (void) memset(rbuf, 0, rlen); 1213*a399b765Szf ethhdr = (struct l2_ethhdr *)rbuf; 1214*a399b765Szf (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1215*a399b765Szf (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1216*a399b765Szf ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1217*a399b765Szf 1218*a399b765Szf hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1219*a399b765Szf hdr->version = wpa_s->conf->eapol_version; 1220*a399b765Szf hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1221*a399b765Szf hdr->length = htons(sizeof (*reply)); 1222*a399b765Szf 1223*a399b765Szf reply = (struct wpa_eapol_key *)(hdr + 1); 1224*a399b765Szf reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1225*a399b765Szf EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1226*a399b765Szf reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | 1227*a399b765Szf WPA_KEY_INFO_MIC | 1228*a399b765Szf (key_info & WPA_KEY_INFO_SECURE)); 1229*a399b765Szf reply->key_length = key->key_length; 1230*a399b765Szf (void) memcpy(reply->replay_counter, key->replay_counter, 1231*a399b765Szf WPA_REPLAY_COUNTER_LEN); 1232*a399b765Szf 1233*a399b765Szf reply->key_data_length = BE_16(0); 1234*a399b765Szf 1235*a399b765Szf (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 1236*a399b765Szf wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1237*a399b765Szf rlen - sizeof (*ethhdr), reply->key_mic); 1238*a399b765Szf 1239*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1240*a399b765Szf wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 4/4", rbuf, rlen); 1241*a399b765Szf (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1242*a399b765Szf 1243*a399b765Szf free(rbuf); 1244*a399b765Szf 1245*a399b765Szf /* 1246*a399b765Szf * SNonce was successfully used in msg 3/4, so mark it to be renewed 1247*a399b765Szf * for the next 4-Way Handshake. If msg 3 is received again, the old 1248*a399b765Szf * SNonce will still be used to avoid changing PTK. 1249*a399b765Szf */ 1250*a399b765Szf wpa_s->renew_snonce = 1; 1251*a399b765Szf 1252*a399b765Szf if (key_info & WPA_KEY_INFO_INSTALL) { 1253*a399b765Szf int alg, keylen, rsclen; 1254*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver."); 1255*a399b765Szf switch (wpa_s->pairwise_cipher) { 1256*a399b765Szf case WPA_CIPHER_CCMP: 1257*a399b765Szf alg = WPA_ALG_CCMP; 1258*a399b765Szf keylen = 16; 1259*a399b765Szf rsclen = 6; 1260*a399b765Szf break; 1261*a399b765Szf case WPA_CIPHER_TKIP: 1262*a399b765Szf alg = WPA_ALG_TKIP; 1263*a399b765Szf keylen = 32; 1264*a399b765Szf rsclen = 6; 1265*a399b765Szf break; 1266*a399b765Szf case WPA_CIPHER_NONE: 1267*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: " 1268*a399b765Szf "NONE - do not use pairwise keys"); 1269*a399b765Szf return; 1270*a399b765Szf default: 1271*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise " 1272*a399b765Szf "cipher %d", wpa_s->pairwise_cipher); 1273*a399b765Szf return; 1274*a399b765Szf } 1275*a399b765Szf if (wpa_s->proto == WPA_PROTO_RSN) { 1276*a399b765Szf key_rsc = null_rsc; 1277*a399b765Szf } else { 1278*a399b765Szf key_rsc = key->key_rsc; 1279*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 1280*a399b765Szf } 1281*a399b765Szf 1282*a399b765Szf if (wpa_s->driver->set_key(wpa_s->ifname, alg, src_addr, 1283*a399b765Szf 0, 1, key_rsc, rsclen, 1284*a399b765Szf (uint8_t *)&wpa_s->ptk.tk1, keylen) < 0) { 1285*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the" 1286*a399b765Szf " driver."); 1287*a399b765Szf } 1288*a399b765Szf } 1289*a399b765Szf 1290*a399b765Szf wpa_printf(MSG_DEBUG, "%s: key_info=%x gtk=%p\n", 1291*a399b765Szf "wpa_supplicant_process_3_of_4", key_info, gtk); 1292*a399b765Szf wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1293*a399b765Szf 1294*a399b765Szf if (gtk) 1295*a399b765Szf wpa_supplicant_process_3_of_4_gtk(wpa_s, 1296*a399b765Szf src_addr, key, gtk, gtk_len); 1297*a399b765Szf } 1298*a399b765Szf 1299*a399b765Szf static void 1300*a399b765Szf wpa_supplicant_process_1_of_2(struct wpa_supplicant *wpa_s, 1301*a399b765Szf unsigned char *src_addr, struct wpa_eapol_key *key, 1302*a399b765Szf int extra_len, int ver) 1303*a399b765Szf { 1304*a399b765Szf int rlen; 1305*a399b765Szf struct ieee802_1x_hdr *hdr; 1306*a399b765Szf struct wpa_eapol_key *reply; 1307*a399b765Szf unsigned char *rbuf; 1308*a399b765Szf struct l2_ethhdr *ethhdr; 1309*a399b765Szf int key_info, keylen, keydatalen, maxkeylen, keyidx, key_rsc_len = 0; 1310*a399b765Szf int alg, tx; 1311*a399b765Szf uint8_t ek[32], tmpbuf[8], gtk[32]; 1312*a399b765Szf uint8_t *gtk_ie = NULL; 1313*a399b765Szf size_t gtk_ie_len = 0; 1314*a399b765Szf 1315*a399b765Szf wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1316*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from " 1317*a399b765Szf MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1318*a399b765Szf 1319*a399b765Szf key_info = BE_16(key->key_info); 1320*a399b765Szf keydatalen = BE_16(key->key_data_length); 1321*a399b765Szf 1322*a399b765Szf if (wpa_s->proto == WPA_PROTO_RSN) { 1323*a399b765Szf uint8_t *pos = (uint8_t *)(key + 1); 1324*a399b765Szf uint8_t *end = pos + keydatalen; 1325*a399b765Szf while (pos + 1 < end) { 1326*a399b765Szf if (pos + 2 + pos[1] > end) { 1327*a399b765Szf wpa_printf(MSG_DEBUG, "RSN: key data " 1328*a399b765Szf "underflow (ie=%d len=%d)", 1329*a399b765Szf pos[0], pos[1]); 1330*a399b765Szf break; 1331*a399b765Szf } 1332*a399b765Szf if (pos[0] == GENERIC_INFO_ELEM && 1333*a399b765Szf pos + 1 + RSN_SELECTOR_LEN < end && 1334*a399b765Szf pos[1] > RSN_SELECTOR_LEN + 2 && 1335*a399b765Szf memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1336*a399b765Szf RSN_SELECTOR_LEN) == 0) { 1337*a399b765Szf if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1338*a399b765Szf wpa_printf(MSG_WARNING, "WPA: GTK IE " 1339*a399b765Szf "in unencrypted key data"); 1340*a399b765Szf return; 1341*a399b765Szf } 1342*a399b765Szf gtk_ie = pos + 2 + RSN_SELECTOR_LEN; 1343*a399b765Szf gtk_ie_len = pos[1] - RSN_SELECTOR_LEN; 1344*a399b765Szf break; 1345*a399b765Szf } else if (pos[0] == GENERIC_INFO_ELEM && 1346*a399b765Szf pos[1] == 0) 1347*a399b765Szf break; 1348*a399b765Szf 1349*a399b765Szf pos += 2 + pos[1]; 1350*a399b765Szf } 1351*a399b765Szf 1352*a399b765Szf if (gtk_ie == NULL) { 1353*a399b765Szf wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key " 1354*a399b765Szf "message 1/2"); 1355*a399b765Szf return; 1356*a399b765Szf } 1357*a399b765Szf maxkeylen = keylen = gtk_ie_len - 2; 1358*a399b765Szf } else { 1359*a399b765Szf keylen = BE_16(key->key_length); 1360*a399b765Szf maxkeylen = keydatalen; 1361*a399b765Szf if (keydatalen > extra_len) { 1362*a399b765Szf wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1363*a399b765Szf " key_data_length=%d > extra_len=%d", 1364*a399b765Szf keydatalen, extra_len); 1365*a399b765Szf return; 1366*a399b765Szf } 1367*a399b765Szf if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) 1368*a399b765Szf maxkeylen -= 8; 1369*a399b765Szf } 1370*a399b765Szf 1371*a399b765Szf switch (wpa_s->group_cipher) { 1372*a399b765Szf case WPA_CIPHER_CCMP: 1373*a399b765Szf if (keylen != 16 || maxkeylen < 16) { 1374*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP Group " 1375*a399b765Szf "Cipher key length %d (%d).", keylen, maxkeylen); 1376*a399b765Szf return; 1377*a399b765Szf } 1378*a399b765Szf key_rsc_len = 6; 1379*a399b765Szf alg = WPA_ALG_CCMP; 1380*a399b765Szf break; 1381*a399b765Szf case WPA_CIPHER_TKIP: 1382*a399b765Szf if (keylen != 32 || maxkeylen < 32) { 1383*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP Group " 1384*a399b765Szf "Cipher key length %d (%d).", keylen, maxkeylen); 1385*a399b765Szf return; 1386*a399b765Szf } 1387*a399b765Szf key_rsc_len = 6; /* key->key_data; */ 1388*a399b765Szf alg = WPA_ALG_TKIP; 1389*a399b765Szf break; 1390*a399b765Szf case WPA_CIPHER_WEP104: 1391*a399b765Szf if (keylen != 13 || maxkeylen < 13) { 1392*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported WEP104 Group" 1393*a399b765Szf " Cipher key length %d (%d).", keylen, maxkeylen); 1394*a399b765Szf return; 1395*a399b765Szf } 1396*a399b765Szf alg = WPA_ALG_WEP; 1397*a399b765Szf break; 1398*a399b765Szf case WPA_CIPHER_WEP40: 1399*a399b765Szf if (keylen != 5 || maxkeylen < 5) { 1400*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported WEP40 Group " 1401*a399b765Szf "Cipher key length %d (%d).", keylen, maxkeylen); 1402*a399b765Szf return; 1403*a399b765Szf } 1404*a399b765Szf alg = WPA_ALG_WEP; 1405*a399b765Szf break; 1406*a399b765Szf default: 1407*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher %d", 1408*a399b765Szf wpa_s->group_cipher); 1409*a399b765Szf return; 1410*a399b765Szf } 1411*a399b765Szf 1412*a399b765Szf if (wpa_s->proto == WPA_PROTO_RSN) { 1413*a399b765Szf wpa_hexdump(MSG_DEBUG, 1414*a399b765Szf "WPA: received GTK in group key handshake", 1415*a399b765Szf gtk_ie, gtk_ie_len); 1416*a399b765Szf keyidx = gtk_ie[0] & 0x3; 1417*a399b765Szf tx = !!(gtk_ie[0] & BIT(2)); 1418*a399b765Szf if (gtk_ie_len - 2 > sizeof (gtk)) { 1419*a399b765Szf wpa_printf(MSG_INFO, "WPA: Too long GTK in GTK IE " 1420*a399b765Szf "(len=%d)", gtk_ie_len - 2); 1421*a399b765Szf return; 1422*a399b765Szf } 1423*a399b765Szf (void) memcpy(gtk, gtk_ie + 2, gtk_ie_len - 2); 1424*a399b765Szf } else { 1425*a399b765Szf keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1426*a399b765Szf WPA_KEY_INFO_KEY_INDEX_SHIFT; 1427*a399b765Szf if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1428*a399b765Szf (void) memcpy(ek, key->key_iv, 16); 1429*a399b765Szf (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1430*a399b765Szf rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1431*a399b765Szf (void) memcpy(gtk, key + 1, keylen); 1432*a399b765Szf } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1433*a399b765Szf if (keydatalen % 8) { 1434*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported " 1435*a399b765Szf "AES-WRAP len %d", keydatalen); 1436*a399b765Szf return; 1437*a399b765Szf } 1438*a399b765Szf if (aes_unwrap(wpa_s->ptk.encr_key, maxkeylen / 8, 1439*a399b765Szf (uint8_t *)(key + 1), gtk)) { 1440*a399b765Szf wpa_printf(MSG_WARNING, "WPA: AES unwrap " 1441*a399b765Szf "failed - could not decrypt GTK"); 1442*a399b765Szf return; 1443*a399b765Szf } 1444*a399b765Szf } 1445*a399b765Szf tx = !!(key_info & WPA_KEY_INFO_TXRX); 1446*a399b765Szf if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1447*a399b765Szf /* 1448*a399b765Szf * Ignore Tx bit in Group Key message if a pairwise key 1449*a399b765Szf * is used. Some APs seem to setting this bit 1450*a399b765Szf * (incorrectly, since Tx is only when doing Group Key 1451*a399b765Szf * only APs) and without this workaround, the data 1452*a399b765Szf * connection does not work because wpa_supplicant 1453*a399b765Szf * configured non-zero keyidx to be used for unicast. 1454*a399b765Szf */ 1455*a399b765Szf wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but " 1456*a399b765Szf "pairwise keys are used - ignore Tx bit"); 1457*a399b765Szf tx = 0; 1458*a399b765Szf } 1459*a399b765Szf } 1460*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, keylen); 1461*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver (keyidx=%d " 1462*a399b765Szf "tx=%d).", keyidx, tx); 1463*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1464*a399b765Szf if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1465*a399b765Szf /* 1466*a399b765Szf * Swap Tx/Rx keys for Michael MIC 1467*a399b765Szf */ 1468*a399b765Szf (void) memcpy(tmpbuf, gtk + 16, 8); 1469*a399b765Szf (void) memcpy(gtk + 16, gtk + 24, 8); 1470*a399b765Szf (void) memcpy(gtk + 24, tmpbuf, 8); 1471*a399b765Szf } 1472*a399b765Szf if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1473*a399b765Szf if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1474*a399b765Szf (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1475*a399b765Szf keyidx, 1, key->key_rsc, 1476*a399b765Szf key_rsc_len, gtk, keylen) < 0) 1477*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the" 1478*a399b765Szf " driver (Group only)."); 1479*a399b765Szf } else if (wpa_s->driver->set_key(wpa_s->ifname, alg, 1480*a399b765Szf (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1481*a399b765Szf keyidx, tx, 1482*a399b765Szf key->key_rsc, key_rsc_len, 1483*a399b765Szf gtk, keylen) < 0) { 1484*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " 1485*a399b765Szf "driver."); 1486*a399b765Szf } 1487*a399b765Szf 1488*a399b765Szf rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1489*a399b765Szf rbuf = malloc(rlen); 1490*a399b765Szf if (rbuf == NULL) 1491*a399b765Szf return; 1492*a399b765Szf 1493*a399b765Szf (void) memset(rbuf, 0, rlen); 1494*a399b765Szf ethhdr = (struct l2_ethhdr *)rbuf; 1495*a399b765Szf (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1496*a399b765Szf (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1497*a399b765Szf ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1498*a399b765Szf 1499*a399b765Szf hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1500*a399b765Szf hdr->version = wpa_s->conf->eapol_version; 1501*a399b765Szf hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1502*a399b765Szf hdr->length = htons(sizeof (*reply)); 1503*a399b765Szf 1504*a399b765Szf reply = (struct wpa_eapol_key *)(hdr + 1); 1505*a399b765Szf reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1506*a399b765Szf EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1507*a399b765Szf reply->key_info = 1508*a399b765Szf BE_16(ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE | 1509*a399b765Szf (key_info & WPA_KEY_INFO_KEY_INDEX_MASK)); 1510*a399b765Szf reply->key_length = key->key_length; 1511*a399b765Szf (void) memcpy(reply->replay_counter, key->replay_counter, 1512*a399b765Szf WPA_REPLAY_COUNTER_LEN); 1513*a399b765Szf 1514*a399b765Szf reply->key_data_length = BE_16(0); 1515*a399b765Szf 1516*a399b765Szf wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1517*a399b765Szf rlen - sizeof (*ethhdr), reply->key_mic); 1518*a399b765Szf 1519*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 1520*a399b765Szf wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/2", rbuf, rlen); 1521*a399b765Szf (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1522*a399b765Szf free(rbuf); 1523*a399b765Szf 1524*a399b765Szf wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " MACSTR, 1525*a399b765Szf MAC2STR(src_addr)); 1526*a399b765Szf eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1527*a399b765Szf wpa_supplicant_cancel_auth_timeout(wpa_s); 1528*a399b765Szf wpa_s->wpa_state = WPA_COMPLETED; 1529*a399b765Szf wpa_printf(MSG_INFO, "-----------------------------------\n"); 1530*a399b765Szf } 1531*a399b765Szf 1532*a399b765Szf static int 1533*a399b765Szf wpa_supplicant_verify_eapol_key_mic(struct wpa_supplicant *wpa_s, 1534*a399b765Szf struct wpa_eapol_key *key, int ver, uint8_t *buf, size_t len) 1535*a399b765Szf { 1536*a399b765Szf uint8_t mic[16]; 1537*a399b765Szf int ok = 0; 1538*a399b765Szf 1539*a399b765Szf (void) memcpy(mic, key->key_mic, 16); 1540*a399b765Szf if (wpa_s->tptk_set) { 1541*a399b765Szf (void) memset(key->key_mic, 0, 16); 1542*a399b765Szf wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, buf, len, 1543*a399b765Szf key->key_mic); 1544*a399b765Szf if (memcmp(mic, key->key_mic, 16) != 0) { 1545*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1546*a399b765Szf "when using TPTK - ignoring TPTK"); 1547*a399b765Szf } else { 1548*a399b765Szf ok = 1; 1549*a399b765Szf wpa_s->tptk_set = 0; 1550*a399b765Szf wpa_s->ptk_set = 1; 1551*a399b765Szf (void) memcpy(&wpa_s->ptk, &wpa_s->tptk, 1552*a399b765Szf sizeof (wpa_s->ptk)); 1553*a399b765Szf } 1554*a399b765Szf } 1555*a399b765Szf 1556*a399b765Szf if (!ok && wpa_s->ptk_set) { 1557*a399b765Szf (void) memset(key->key_mic, 0, 16); 1558*a399b765Szf wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, buf, len, 1559*a399b765Szf key->key_mic); 1560*a399b765Szf if (memcmp(mic, key->key_mic, 16) != 0) { 1561*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1562*a399b765Szf "- dropping packet"); 1563*a399b765Szf return (-1); 1564*a399b765Szf } 1565*a399b765Szf ok = 1; 1566*a399b765Szf } 1567*a399b765Szf 1568*a399b765Szf if (!ok) { 1569*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC " 1570*a399b765Szf "- dropping packet"); 1571*a399b765Szf return (-1); 1572*a399b765Szf } 1573*a399b765Szf 1574*a399b765Szf (void) memcpy(wpa_s->rx_replay_counter, key->replay_counter, 1575*a399b765Szf WPA_REPLAY_COUNTER_LEN); 1576*a399b765Szf wpa_s->rx_replay_counter_set = 1; 1577*a399b765Szf 1578*a399b765Szf return (0); 1579*a399b765Szf } 1580*a399b765Szf 1581*a399b765Szf /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 1582*a399b765Szf static int 1583*a399b765Szf wpa_supplicant_decrypt_key_data(struct wpa_supplicant *wpa_s, 1584*a399b765Szf struct wpa_eapol_key *key, int ver) 1585*a399b765Szf { 1586*a399b765Szf int keydatalen = BE_16(key->key_data_length); 1587*a399b765Szf 1588*a399b765Szf wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 1589*a399b765Szf (uint8_t *)(key + 1), keydatalen); 1590*a399b765Szf if (!wpa_s->ptk_set) { 1591*a399b765Szf wpa_printf(MSG_WARNING, "WPA: PTK not available, " 1592*a399b765Szf "cannot decrypt EAPOL-Key key data."); 1593*a399b765Szf return (-1); 1594*a399b765Szf } 1595*a399b765Szf 1596*a399b765Szf /* 1597*a399b765Szf * Decrypt key data here so that this operation does not need 1598*a399b765Szf * to be implemented separately for each message type. 1599*a399b765Szf */ 1600*a399b765Szf if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1601*a399b765Szf uint8_t ek[32]; 1602*a399b765Szf (void) memcpy(ek, key->key_iv, 16); 1603*a399b765Szf (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1604*a399b765Szf rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1605*a399b765Szf } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1606*a399b765Szf uint8_t *buf; 1607*a399b765Szf if (keydatalen % 8) { 1608*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Unsupported " 1609*a399b765Szf "AES-WRAP len %d", keydatalen); 1610*a399b765Szf return (-1); 1611*a399b765Szf } 1612*a399b765Szf keydatalen -= 8; /* AES-WRAP adds 8 bytes */ 1613*a399b765Szf buf = malloc(keydatalen); 1614*a399b765Szf if (buf == NULL) { 1615*a399b765Szf wpa_printf(MSG_WARNING, "WPA: No memory for " 1616*a399b765Szf "AES-UNWRAP buffer"); 1617*a399b765Szf return (-1); 1618*a399b765Szf } 1619*a399b765Szf if (aes_unwrap(wpa_s->ptk.encr_key, keydatalen / 8, 1620*a399b765Szf (uint8_t *)(key + 1), buf)) { 1621*a399b765Szf free(buf); 1622*a399b765Szf wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - " 1623*a399b765Szf "could not decrypt EAPOL-Key key data"); 1624*a399b765Szf return (-1); 1625*a399b765Szf } 1626*a399b765Szf (void) memcpy(key + 1, buf, keydatalen); 1627*a399b765Szf free(buf); 1628*a399b765Szf key->key_data_length = BE_16(keydatalen); 1629*a399b765Szf } 1630*a399b765Szf wpa_hexdump(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 1631*a399b765Szf (uint8_t *)(key + 1), keydatalen); 1632*a399b765Szf 1633*a399b765Szf return (0); 1634*a399b765Szf } 1635*a399b765Szf 1636*a399b765Szf static void 1637*a399b765Szf wpa_sm_rx_eapol(struct wpa_supplicant *wpa_s, 1638*a399b765Szf unsigned char *src_addr, unsigned char *buf, size_t len) 1639*a399b765Szf { 1640*a399b765Szf size_t plen, data_len, extra_len; 1641*a399b765Szf struct ieee802_1x_hdr *hdr; 1642*a399b765Szf struct wpa_eapol_key *key; 1643*a399b765Szf int key_info, ver; 1644*a399b765Szf 1645*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: EAPOL frame len %u\n ", len); 1646*a399b765Szf 1647*a399b765Szf hdr = (struct ieee802_1x_hdr *)buf; 1648*a399b765Szf key = (struct wpa_eapol_key *)(hdr + 1); 1649*a399b765Szf wpa_printf(MSG_DEBUG, "hdr_len=%u, key_len=%u", 1650*a399b765Szf sizeof (*hdr), sizeof (*key)); 1651*a399b765Szf if (len < sizeof (*hdr) + sizeof (*key)) { 1652*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short, len %u, " 1653*a399b765Szf "expecting at least %u", 1654*a399b765Szf len, sizeof (*hdr) + sizeof (*key)); 1655*a399b765Szf return; 1656*a399b765Szf } 1657*a399b765Szf plen = ntohs(hdr->length); 1658*a399b765Szf data_len = plen + sizeof (*hdr); 1659*a399b765Szf wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%d", 1660*a399b765Szf hdr->version, hdr->type, plen); 1661*a399b765Szf 1662*a399b765Szf if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 1663*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, " 1664*a399b765Szf "not a Key frame", hdr->type); 1665*a399b765Szf return; 1666*a399b765Szf } 1667*a399b765Szf if (plen > len - sizeof (*hdr) || plen < sizeof (*key)) { 1668*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %u " 1669*a399b765Szf "invalid (frame size %u)", plen, len); 1670*a399b765Szf return; 1671*a399b765Szf } 1672*a399b765Szf 1673*a399b765Szf wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type); 1674*a399b765Szf if (key->type != EAPOL_KEY_TYPE_WPA && key->type != 1675*a399b765Szf EAPOL_KEY_TYPE_RSN) { 1676*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, " 1677*a399b765Szf "discarded", key->type); 1678*a399b765Szf return; 1679*a399b765Szf } 1680*a399b765Szf 1681*a399b765Szf wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 1682*a399b765Szf if (data_len < len) { 1683*a399b765Szf wpa_printf(MSG_DEBUG, "WPA: ignoring %d bytes after the IEEE " 1684*a399b765Szf "802.1X data", len - data_len); 1685*a399b765Szf } 1686*a399b765Szf key_info = BE_16(key->key_info); 1687*a399b765Szf ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1688*a399b765Szf if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 1689*a399b765Szf ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1690*a399b765Szf wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor " 1691*a399b765Szf "version %d.", ver); 1692*a399b765Szf return; 1693*a399b765Szf } 1694*a399b765Szf 1695*a399b765Szf if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP && 1696*a399b765Szf ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1697*a399b765Szf wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key " 1698*a399b765Szf "descriptor version (%d) is not 2.", ver); 1699*a399b765Szf if (wpa_s->group_cipher != WPA_CIPHER_CCMP && 1700*a399b765Szf !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1701*a399b765Szf /* 1702*a399b765Szf * Earlier versions of IEEE 802.11i did not explicitly 1703*a399b765Szf * require version 2 descriptor for all EAPOL-Key 1704*a399b765Szf * packets, so allow group keys to use version 1 if 1705*a399b765Szf * CCMP is not used for them. 1706*a399b765Szf */ 1707*a399b765Szf wpa_printf(MSG_INFO, "WPA: Backwards compatibility: " 1708*a399b765Szf "allow invalid version for non-CCMP group keys"); 1709*a399b765Szf } else 1710*a399b765Szf return; 1711*a399b765Szf } 1712*a399b765Szf 1713*a399b765Szf if (wpa_s->rx_replay_counter_set && 1714*a399b765Szf memcmp(key->replay_counter, wpa_s->rx_replay_counter, 1715*a399b765Szf WPA_REPLAY_COUNTER_LEN) <= 0) { 1716*a399b765Szf wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not" 1717*a399b765Szf " increase - dropping packet"); 1718*a399b765Szf return; 1719*a399b765Szf } 1720*a399b765Szf 1721*a399b765Szf if (!(key_info & WPA_KEY_INFO_ACK)) { 1722*a399b765Szf wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info"); 1723*a399b765Szf return; 1724*a399b765Szf } 1725*a399b765Szf 1726*a399b765Szf if (key_info & WPA_KEY_INFO_REQUEST) { 1727*a399b765Szf wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - " 1728*a399b765Szf "dropped"); 1729*a399b765Szf return; 1730*a399b765Szf } 1731*a399b765Szf 1732*a399b765Szf if ((key_info & WPA_KEY_INFO_MIC) && 1733*a399b765Szf wpa_supplicant_verify_eapol_key_mic(wpa_s, key, ver, buf, 1734*a399b765Szf data_len)) 1735*a399b765Szf return; 1736*a399b765Szf 1737*a399b765Szf extra_len = data_len - sizeof (*hdr) - sizeof (*key); 1738*a399b765Szf 1739*a399b765Szf if (wpa_s->proto == WPA_PROTO_RSN && 1740*a399b765Szf (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1741*a399b765Szf wpa_supplicant_decrypt_key_data(wpa_s, key, ver)) 1742*a399b765Szf return; 1743*a399b765Szf 1744*a399b765Szf if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1745*a399b765Szf if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 1746*a399b765Szf wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key " 1747*a399b765Szf "(Pairwise) with non-zero key index"); 1748*a399b765Szf return; 1749*a399b765Szf } 1750*a399b765Szf if (key_info & WPA_KEY_INFO_MIC) { 1751*a399b765Szf /* 3/4 4-Way Handshake */ 1752*a399b765Szf wpa_supplicant_process_3_of_4(wpa_s, src_addr, key, 1753*a399b765Szf extra_len, ver); 1754*a399b765Szf } else { 1755*a399b765Szf /* 1/4 4-Way Handshake */ 1756*a399b765Szf wpa_supplicant_process_1_of_4(wpa_s, src_addr, key, 1757*a399b765Szf ver); 1758*a399b765Szf } 1759*a399b765Szf } else { 1760*a399b765Szf if (key_info & WPA_KEY_INFO_MIC) { 1761*a399b765Szf /* 1/2 Group Key Handshake */ 1762*a399b765Szf wpa_supplicant_process_1_of_2(wpa_s, src_addr, key, 1763*a399b765Szf extra_len, ver); 1764*a399b765Szf } else { 1765*a399b765Szf wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) " 1766*a399b765Szf "without Mic bit - dropped"); 1767*a399b765Szf } 1768*a399b765Szf } 1769*a399b765Szf } 1770*a399b765Szf 1771*a399b765Szf void 1772*a399b765Szf wpa_supplicant_rx_eapol(void *ctx, unsigned char *src_addr, 1773*a399b765Szf unsigned char *buf, size_t len) 1774*a399b765Szf { 1775*a399b765Szf struct wpa_supplicant *wpa_s = ctx; 1776*a399b765Szf 1777*a399b765Szf wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); 1778*a399b765Szf wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); 1779*a399b765Szf 1780*a399b765Szf if (wpa_s->eapol_received == 0) { 1781*a399b765Szf /* Timeout for completing IEEE 802.1X and WPA authentication */ 1782*a399b765Szf wpa_supplicant_req_auth_timeout( 1783*a399b765Szf wpa_s, wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ? 1784*a399b765Szf 70 : 10, 0); 1785*a399b765Szf } 1786*a399b765Szf wpa_s->eapol_received++; 1787*a399b765Szf 1788*a399b765Szf /* 1789*a399b765Szf * Source address of the incoming EAPOL frame could be compared to the 1790*a399b765Szf * current BSSID. However, it is possible that a centralized 1791*a399b765Szf * Authenticator could be using another MAC address than the BSSID of 1792*a399b765Szf * an AP, so just allow any address to be used for now. The replies are 1793*a399b765Szf * still sent to the current BSSID (if available), though. 1794*a399b765Szf */ 1795*a399b765Szf wpa_sm_rx_eapol(wpa_s, src_addr, buf, len); 1796*a399b765Szf } 1797