1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 8 * Sun elects to license this software under the BSD license. 9 * See README for more details. 10 */ 11 12 #pragma ident "%Z%%M% %I% %E% SMI" 13 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <string.h> 17 #include <time.h> 18 #include <netinet/in.h> 19 #include <sys/ethernet.h> 20 #include <fcntl.h> 21 #include <unistd.h> 22 23 #include "wpa_impl.h" 24 #include "wpa_enc.h" 25 #include "driver.h" 26 #include "eloop.h" 27 #include "l2_packet.h" 28 29 static void pmksa_cache_set_expiration(struct wpa_supplicant *); 30 31 /* 32 * IEEE 802.11i/D3.0 33 */ 34 static const int WPA_SELECTOR_LEN = 4; 35 static const uint8_t WPA_OUI_TYPE[] = { 0x00, 0x50, 0xf2, 1 }; 36 static const uint16_t WPA_VERSION = 1; 37 static const uint8_t 38 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 }; 39 static const uint8_t 40 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 }; 41 static const uint8_t WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 }; 42 static const uint8_t WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 }; 43 static const uint8_t WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 }; 44 static const uint8_t WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 }; 45 static const uint8_t WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 }; 46 47 /* 48 * WPA IE version 1 49 * 00-50-f2:1 (OUI:OUI type) 50 * 0x01 0x00 (version; little endian) 51 * (all following fields are optional:) 52 * Group Suite Selector (4 octets) (default: TKIP) 53 * Pairwise Suite Count (2 octets, little endian) (default: 1) 54 * Pairwise Suite List (4 * n octets) (default: TKIP) 55 * Authenticated Key Management Suite Count (2 octets, little endian) 56 * (default: 1) 57 * Authenticated Key Management Suite List (4 * n octets) 58 * (default: unspec 802.1x) 59 * WPA Capabilities (2 octets, little endian) (default: 0) 60 */ 61 #pragma pack(1) 62 struct wpa_ie_hdr { 63 uint8_t elem_id; 64 uint8_t len; 65 uint8_t oui[3]; 66 uint8_t oui_type; 67 uint16_t version; 68 }; 69 #pragma pack() 70 71 /* 72 * IEEE 802.11i/D9.0 73 */ 74 static const int RSN_SELECTOR_LEN = 4; 75 static const uint16_t RSN_VERSION = 1; 76 static const uint8_t 77 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 }; 78 static const uint8_t 79 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 }; 80 static const uint8_t RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 }; 81 static const uint8_t RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 }; 82 static const uint8_t RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 }; 83 static const uint8_t RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 }; 84 static const uint8_t RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 }; 85 86 /* 87 * EAPOL-Key Key Data Encapsulation 88 * GroupKey and STAKey require encryption, otherwise, encryption is optional. 89 */ 90 static const uint8_t RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 }; 91 static const uint8_t RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 }; 92 93 /* 94 * 1/4: PMKID 95 * 2/4: RSN IE 96 * 3/4: one or two RSN IEs + GTK IE (encrypted) 97 * 4/4: empty 98 * 1/2: GTK IE (encrypted) 99 * 2/2: empty 100 */ 101 102 /* 103 * RSN IE version 1 104 * 0x01 0x00 (version; little endian) 105 * (all following fields are optional:) 106 * Group Suite Selector (4 octets) (default: CCMP) 107 * Pairwise Suite Count (2 octets, little endian) (default: 1) 108 * Pairwise Suite List (4 * n octets) (default: CCMP) 109 * Authenticated Key Management Suite Count (2 octets, little endian) 110 * (default: 1) 111 * Authenticated Key Management Suite List (4 * n octets) 112 * (default: unspec 802.1x) 113 * RSN Capabilities (2 octets, little endian) (default: 0) 114 * PMKID Count (2 octets) (default: 0) 115 * PMKID List (16 * n octets) 116 */ 117 #pragma pack(1) 118 struct rsn_ie_hdr { 119 uint8_t elem_id; /* WLAN_EID_RSN */ 120 uint8_t len; 121 uint16_t version; 122 }; 123 #pragma pack() 124 125 static int 126 random_get_pseudo_bytes(uint8_t *ptr, size_t len) 127 { 128 int fd; 129 size_t resid = len; 130 size_t bytes; 131 132 fd = open("/dev/urandom", O_RDONLY); 133 if (fd == -1) { 134 wpa_printf(MSG_ERROR, "Could not open /dev/urandom.\n"); 135 return (-1); 136 } 137 138 while (resid != 0) { 139 bytes = read(fd, ptr, resid); 140 ptr += bytes; 141 resid -= bytes; 142 } 143 144 (void) close(fd); 145 146 return (0); 147 } 148 149 static void 150 inc_byte_array(uint8_t *counter, size_t len) 151 { 152 int pos = len - 1; 153 while (pos >= 0) { 154 counter[pos]++; 155 if (counter[pos] != 0) 156 break; 157 pos--; 158 } 159 } 160 161 static int 162 wpa_selector_to_bitfield(uint8_t *s) 163 { 164 if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0) 165 return (WPA_CIPHER_NONE); 166 if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0) 167 return (WPA_CIPHER_WEP40); 168 if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0) 169 return (WPA_CIPHER_TKIP); 170 if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0) 171 return (WPA_CIPHER_CCMP); 172 if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0) 173 return (WPA_CIPHER_WEP104); 174 return (0); 175 } 176 177 static int 178 wpa_key_mgmt_to_bitfield(uint8_t *s) 179 { 180 if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0) 181 return (WPA_KEY_MGMT_IEEE8021X); 182 if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) == 183 0) 184 return (WPA_KEY_MGMT_PSK); 185 return (0); 186 } 187 188 static int 189 rsn_selector_to_bitfield(uint8_t *s) 190 { 191 if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0) 192 return (WPA_CIPHER_NONE); 193 if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0) 194 return (WPA_CIPHER_WEP40); 195 if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0) 196 return (WPA_CIPHER_TKIP); 197 if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0) 198 return (WPA_CIPHER_CCMP); 199 if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0) 200 return (WPA_CIPHER_WEP104); 201 return (0); 202 } 203 204 static int 205 rsn_key_mgmt_to_bitfield(uint8_t *s) 206 { 207 if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0) 208 return (WPA_KEY_MGMT_IEEE8021X); 209 if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) == 210 0) 211 return (WPA_KEY_MGMT_PSK); 212 return (0); 213 } 214 215 static void 216 pmksa_cache_free_entry(struct wpa_supplicant *wpa_s, 217 struct rsn_pmksa_cache *entry) 218 { 219 wpa_s->pmksa_count--; 220 if (wpa_s->cur_pmksa == entry) { 221 wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry"); 222 wpa_s->cur_pmksa = NULL; 223 } 224 free(entry); 225 } 226 227 /* ARGSUSED */ 228 static void 229 pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx) 230 { 231 struct wpa_supplicant *wpa_s = eloop_ctx; 232 time_t now; 233 234 (void) time(&now); 235 while (wpa_s->pmksa && wpa_s->pmksa->expiration <= now) { 236 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 237 wpa_s->pmksa = entry->next; 238 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for " 239 MACSTR, MAC2STR(entry->aa)); 240 pmksa_cache_free_entry(wpa_s, entry); 241 } 242 243 pmksa_cache_set_expiration(wpa_s); 244 } 245 246 static void 247 pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s) 248 { 249 int sec; 250 eloop_cancel_timeout(pmksa_cache_expire, wpa_s, NULL); 251 if (wpa_s->pmksa == NULL) 252 return; 253 sec = wpa_s->pmksa->expiration - time(NULL); 254 if (sec < 0) 255 sec = 0; 256 (void) eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, 257 wpa_s, NULL); 258 } 259 260 void 261 pmksa_cache_free(struct wpa_supplicant *wpa_s) 262 { 263 struct rsn_pmksa_cache *entry, *prev; 264 265 entry = wpa_s->pmksa; 266 wpa_s->pmksa = NULL; 267 while (entry) { 268 prev = entry; 269 entry = entry->next; 270 free(prev); 271 } 272 pmksa_cache_set_expiration(wpa_s); 273 wpa_s->cur_pmksa = NULL; 274 } 275 276 struct rsn_pmksa_cache * 277 pmksa_cache_get(struct wpa_supplicant *wpa_s, 278 uint8_t *aa, uint8_t *pmkid) 279 { 280 struct rsn_pmksa_cache *entry = wpa_s->pmksa; 281 while (entry) { 282 if ((aa == NULL || 283 memcmp(entry->aa, aa, IEEE80211_ADDR_LEN) == 0) && 284 (pmkid == NULL || 285 memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)) 286 return (entry); 287 entry = entry->next; 288 } 289 return (NULL); 290 } 291 292 int 293 pmksa_cache_list(struct wpa_supplicant *wpa_s, char *buf, size_t len) 294 { 295 int i, j; 296 char *pos = buf; 297 struct rsn_pmksa_cache *entry; 298 time_t now; 299 300 (void) time(&now); 301 pos += snprintf(pos, buf + len - pos, 302 "Index / AA / PMKID / expiration (in seconds)\n"); 303 i = 0; 304 entry = wpa_s->pmksa; 305 while (entry) { 306 i++; 307 pos += snprintf(pos, buf + len - pos, "%d " MACSTR " ", 308 i, MAC2STR(entry->aa)); 309 for (j = 0; j < PMKID_LEN; j++) 310 pos += snprintf(pos, buf + len - pos, "%02x", 311 entry->pmkid[j]); 312 pos += snprintf(pos, buf + len - pos, " %d\n", 313 (int)(entry->expiration - now)); 314 entry = entry->next; 315 } 316 return (pos - buf); 317 } 318 319 void 320 pmksa_candidate_free(struct wpa_supplicant *wpa_s) 321 { 322 struct rsn_pmksa_candidate *entry, *prev; 323 324 entry = wpa_s->pmksa_candidates; 325 wpa_s->pmksa_candidates = NULL; 326 while (entry) { 327 prev = entry; 328 entry = entry->next; 329 free(prev); 330 } 331 } 332 333 /* ARGSUSED */ 334 static int 335 wpa_parse_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 336 size_t wpa_ie_len, struct wpa_ie_data *data) 337 { 338 struct wpa_ie_hdr *hdr; 339 uint8_t *pos; 340 int left; 341 int i, count; 342 343 data->proto = WPA_PROTO_WPA; 344 data->pairwise_cipher = WPA_CIPHER_TKIP; 345 data->group_cipher = WPA_CIPHER_TKIP; 346 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 347 data->capabilities = 0; 348 349 if (wpa_ie_len == 0) { 350 /* No WPA IE - fail silently */ 351 return (-1); 352 } 353 354 if (wpa_ie_len < sizeof (struct wpa_ie_hdr)) { 355 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 356 "wpa_parse_wpa_ie_wpa", wpa_ie_len); 357 return (-1); 358 } 359 360 hdr = (struct wpa_ie_hdr *)wpa_ie; 361 362 if (hdr->elem_id != GENERIC_INFO_ELEM || 363 hdr->len != wpa_ie_len - 2 || 364 memcmp(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN) != 0 || 365 LE_16(hdr->version) != WPA_VERSION) { 366 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 367 "wpa_parse_wpa_ie_wpa"); 368 return (-1); 369 } 370 371 pos = (uint8_t *)(hdr + 1); 372 left = wpa_ie_len - sizeof (*hdr); 373 374 if (left >= WPA_SELECTOR_LEN) { 375 data->group_cipher = wpa_selector_to_bitfield(pos); 376 pos += WPA_SELECTOR_LEN; 377 left -= WPA_SELECTOR_LEN; 378 } else if (left > 0) { 379 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 380 "wpa_parse_wpa_ie_wpa", left); 381 return (-1); 382 } 383 384 if (left >= 2) { 385 data->pairwise_cipher = 0; 386 count = pos[0] | (pos[1] << 8); 387 pos += 2; 388 left -= 2; 389 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 390 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 391 "count %u left %u", 392 "wpa_parse_wpa_ie_wpa", count, left); 393 return (-1); 394 } 395 for (i = 0; i < count; i++) { 396 data->pairwise_cipher |= wpa_selector_to_bitfield(pos); 397 pos += WPA_SELECTOR_LEN; 398 left -= WPA_SELECTOR_LEN; 399 } 400 } else if (left == 1) { 401 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 402 "wpa_parse_wpa_ie_wpa"); 403 return (-1); 404 } 405 406 if (left >= 2) { 407 data->key_mgmt = 0; 408 count = pos[0] | (pos[1] << 8); 409 pos += 2; 410 left -= 2; 411 if (count == 0 || left < count * WPA_SELECTOR_LEN) { 412 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 413 "count %u left %u", 414 "wpa_parse_wpa_ie_wpa", count, left); 415 return (-1); 416 } 417 for (i = 0; i < count; i++) { 418 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos); 419 pos += WPA_SELECTOR_LEN; 420 left -= WPA_SELECTOR_LEN; 421 } 422 } else if (left == 1) { 423 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 424 "wpa_parse_wpa_ie_wpa"); 425 return (-1); 426 } 427 428 if (left >= 2) { 429 data->capabilities = pos[0] | (pos[1] << 8); 430 pos += 2; 431 left -= 2; 432 } 433 434 if (left > 0) { 435 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes", 436 "wpa_parse_wpa_ie_wpa", left); 437 return (-1); 438 } 439 440 return (0); 441 } 442 443 /* ARGSUSED */ 444 static int 445 wpa_parse_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie, 446 size_t rsn_ie_len, struct wpa_ie_data *data) 447 { 448 struct rsn_ie_hdr *hdr; 449 uint8_t *pos; 450 int left; 451 int i, count; 452 453 data->proto = WPA_PROTO_RSN; 454 data->pairwise_cipher = WPA_CIPHER_CCMP; 455 data->group_cipher = WPA_CIPHER_CCMP; 456 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X; 457 data->capabilities = 0; 458 459 if (rsn_ie_len == 0) { 460 /* No RSN IE - fail silently */ 461 return (-1); 462 } 463 464 if (rsn_ie_len < sizeof (struct rsn_ie_hdr)) { 465 wpa_printf(MSG_DEBUG, "%s: ie len too short %u", 466 "wpa_parse_wpa_ie_rsn", rsn_ie_len); 467 return (-1); 468 } 469 470 hdr = (struct rsn_ie_hdr *)rsn_ie; 471 472 if (hdr->elem_id != RSN_INFO_ELEM || 473 hdr->len != rsn_ie_len - 2 || 474 LE_16(hdr->version) != RSN_VERSION) { 475 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version", 476 "wpa_parse_wpa_ie_rsn"); 477 return (-1); 478 } 479 480 pos = (uint8_t *)(hdr + 1); 481 left = rsn_ie_len - sizeof (*hdr); 482 483 if (left >= RSN_SELECTOR_LEN) { 484 data->group_cipher = rsn_selector_to_bitfield(pos); 485 pos += RSN_SELECTOR_LEN; 486 left -= RSN_SELECTOR_LEN; 487 } else if (left > 0) { 488 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much", 489 "wpa_parse_wpa_ie_rsn", left); 490 return (-1); 491 } 492 493 if (left >= 2) { 494 data->pairwise_cipher = 0; 495 count = pos[0] | (pos[1] << 8); 496 pos += 2; 497 left -= 2; 498 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 499 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " 500 "count %u left %u", 501 "wpa_parse_wpa_ie_rsn", count, left); 502 return (-1); 503 } 504 for (i = 0; i < count; i++) { 505 data->pairwise_cipher |= rsn_selector_to_bitfield(pos); 506 pos += RSN_SELECTOR_LEN; 507 left -= RSN_SELECTOR_LEN; 508 } 509 } else if (left == 1) { 510 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)", 511 "wpa_parse_wpa_ie_rsn"); 512 return (-1); 513 } 514 515 if (left >= 2) { 516 data->key_mgmt = 0; 517 count = pos[0] | (pos[1] << 8); 518 pos += 2; 519 left -= 2; 520 if (count == 0 || left < count * RSN_SELECTOR_LEN) { 521 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " 522 "count %u left %u", 523 "wpa_parse_wpa_ie_rsn", count, left); 524 return (-1); 525 } 526 for (i = 0; i < count; i++) { 527 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos); 528 pos += RSN_SELECTOR_LEN; 529 left -= RSN_SELECTOR_LEN; 530 } 531 } else if (left == 1) { 532 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)", 533 "wpa_parse_wpa_ie_rsn"); 534 return (-1); 535 } 536 537 if (left >= 2) { 538 data->capabilities = pos[0] | (pos[1] << 8); 539 pos += 2; 540 left -= 2; 541 } 542 543 if (left > 0) { 544 /* 545 * RSN IE could include PMKID data, but Authenticator should 546 * never include it, so no need to parse it in the Supplicant. 547 */ 548 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored", 549 "wpa_parse_wpa_ie_rsn", left); 550 } 551 552 return (0); 553 } 554 555 int 556 wpa_parse_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie, 557 size_t wpa_ie_len, struct wpa_ie_data *data) 558 { 559 if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM) 560 return (wpa_parse_wpa_ie_rsn(wpa_s, wpa_ie, wpa_ie_len, data)); 561 else 562 return (wpa_parse_wpa_ie_wpa(wpa_s, wpa_ie, wpa_ie_len, data)); 563 } 564 565 static int 566 wpa_gen_wpa_ie_wpa(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 567 { 568 uint8_t *pos; 569 struct wpa_ie_hdr *hdr; 570 571 hdr = (struct wpa_ie_hdr *)wpa_ie; 572 hdr->elem_id = GENERIC_INFO_ELEM; 573 (void) memcpy(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN); 574 hdr->version = LE_16(WPA_VERSION); 575 pos = (uint8_t *)(hdr + 1); 576 577 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 578 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 579 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 580 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 581 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 582 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN); 583 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 584 (void) memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN); 585 } else { 586 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 587 wpa_s->group_cipher); 588 return (-1); 589 } 590 pos += WPA_SELECTOR_LEN; 591 592 *pos++ = 1; 593 *pos++ = 0; 594 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 595 (void) memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN); 596 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 597 (void) memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN); 598 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 599 (void) memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN); 600 } else { 601 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 602 wpa_s->pairwise_cipher); 603 return (-1); 604 } 605 pos += WPA_SELECTOR_LEN; 606 607 *pos++ = 1; 608 *pos++ = 0; 609 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 610 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, 611 WPA_SELECTOR_LEN); 612 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 613 (void) memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, 614 WPA_SELECTOR_LEN); 615 } else { 616 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 617 wpa_s->key_mgmt); 618 return (-1); 619 } 620 pos += WPA_SELECTOR_LEN; 621 622 /* 623 * WPA Capabilities; use defaults, so no need to include it 624 */ 625 hdr->len = (pos - wpa_ie) - 2; 626 627 return (pos - wpa_ie); 628 } 629 630 static int 631 wpa_gen_wpa_ie_rsn(struct wpa_supplicant *wpa_s, uint8_t *rsn_ie) 632 { 633 uint8_t *pos; 634 struct rsn_ie_hdr *hdr; 635 636 hdr = (struct rsn_ie_hdr *)rsn_ie; 637 hdr->elem_id = RSN_INFO_ELEM; 638 hdr->version = LE_16(RSN_VERSION); 639 pos = (uint8_t *)(hdr + 1); 640 641 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) { 642 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 643 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 644 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 645 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) { 646 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN); 647 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) { 648 (void) memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN); 649 } else { 650 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).", 651 wpa_s->group_cipher); 652 return (-1); 653 } 654 pos += RSN_SELECTOR_LEN; 655 656 *pos++ = 1; 657 *pos++ = 0; 658 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) { 659 (void) memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN); 660 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) { 661 (void) memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN); 662 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 663 (void) memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN); 664 } else { 665 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).", 666 wpa_s->pairwise_cipher); 667 return (-1); 668 } 669 pos += RSN_SELECTOR_LEN; 670 671 *pos++ = 1; 672 *pos++ = 0; 673 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) { 674 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, 675 RSN_SELECTOR_LEN); 676 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) { 677 (void) memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, 678 RSN_SELECTOR_LEN); 679 } else { 680 wpa_printf(MSG_WARNING, "Invalid key management type (%d).", 681 wpa_s->key_mgmt); 682 return (-1); 683 } 684 pos += RSN_SELECTOR_LEN; 685 686 /* RSN Capabilities */ 687 *pos++ = 0; 688 *pos++ = 0; 689 690 if (wpa_s->cur_pmksa) { 691 /* PMKID Count (2 octets, little endian) */ 692 *pos++ = 1; 693 *pos++ = 0; 694 /* PMKID */ 695 (void) memcpy(pos, wpa_s->cur_pmksa->pmkid, PMKID_LEN); 696 pos += PMKID_LEN; 697 } 698 699 hdr->len = (pos - rsn_ie) - 2; 700 701 return (pos - rsn_ie); 702 } 703 704 int 705 wpa_gen_wpa_ie(struct wpa_supplicant *wpa_s, uint8_t *wpa_ie) 706 { 707 if (wpa_s->proto == WPA_PROTO_RSN) 708 return (wpa_gen_wpa_ie_rsn(wpa_s, wpa_ie)); 709 else 710 return (wpa_gen_wpa_ie_wpa(wpa_s, wpa_ie)); 711 } 712 713 static void 714 wpa_pmk_to_ptk(uint8_t *pmk, uint8_t *addr1, uint8_t *addr2, 715 uint8_t *nonce1, uint8_t *nonce2, uint8_t *ptk, size_t ptk_len) 716 { 717 uint8_t data[2 * IEEE80211_ADDR_LEN + 2 * WPA_PMK_LEN]; 718 719 /* 720 * PTK = PRF-X(PMK, "Pairwise key expansion", 721 * Min(AA, SA) || Max(AA, SA) || 722 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) 723 */ 724 725 if (memcmp(addr1, addr2, IEEE80211_ADDR_LEN) < 0) { 726 (void) memcpy(data, addr1, IEEE80211_ADDR_LEN); 727 (void) memcpy(data + IEEE80211_ADDR_LEN, addr2, 728 IEEE80211_ADDR_LEN); 729 } else { 730 (void) memcpy(data, addr2, IEEE80211_ADDR_LEN); 731 (void) memcpy(data + IEEE80211_ADDR_LEN, addr1, 732 IEEE80211_ADDR_LEN); 733 } 734 735 if (memcmp(nonce1, nonce2, WPA_PMK_LEN) < 0) { 736 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce1, 737 WPA_PMK_LEN); 738 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 739 nonce2, WPA_PMK_LEN); 740 } else { 741 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN, nonce2, 742 WPA_PMK_LEN); 743 (void) memcpy(data + 2 * IEEE80211_ADDR_LEN + WPA_PMK_LEN, 744 nonce1, WPA_PMK_LEN); 745 } 746 747 sha1_prf(pmk, WPA_PMK_LEN, "Pairwise key expansion", data, 748 sizeof (data), ptk, ptk_len); 749 750 wpa_hexdump(MSG_DEBUG, "WPA: PMK", pmk, WPA_PMK_LEN); 751 wpa_hexdump(MSG_DEBUG, "WPA: PTK", ptk, ptk_len); 752 } 753 754 struct wpa_ssid * 755 wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s) 756 { 757 struct wpa_ssid *entry; 758 uint8_t ssid[MAX_ESSID_LENGTH]; 759 int ssid_len; 760 uint8_t bssid[IEEE80211_ADDR_LEN]; 761 762 (void) memset(ssid, 0, MAX_ESSID_LENGTH); 763 ssid_len = wpa_s->driver->get_ssid(wpa_s->linkid, (char *)ssid); 764 if (ssid_len < 0) { 765 wpa_printf(MSG_WARNING, "Could not read SSID from driver."); 766 return (NULL); 767 } 768 769 if (wpa_s->driver->get_bssid(wpa_s->linkid, (char *)bssid) < 0) { 770 wpa_printf(MSG_WARNING, "Could not read BSSID from driver."); 771 return (NULL); 772 } 773 774 entry = wpa_s->conf->ssid; 775 wpa_printf(MSG_DEBUG, "entry len=%d ssid=%s," 776 " driver len=%d ssid=%s", 777 entry->ssid_len, entry->ssid, ssid_len, ssid); 778 779 if (ssid_len == entry->ssid_len && 780 memcmp(ssid, entry->ssid, ssid_len) == 0 && 781 (!entry->bssid_set || 782 memcmp(bssid, entry->bssid, IEEE80211_ADDR_LEN) == 0)) 783 return (entry); 784 785 return (NULL); 786 } 787 788 static void 789 wpa_eapol_key_mic(uint8_t *key, int ver, uint8_t *buf, size_t len, uint8_t *mic) 790 { 791 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 792 hmac_md5(key, 16, buf, len, mic); 793 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 794 uint8_t hash[SHA1_MAC_LEN]; 795 hmac_sha1(key, 16, buf, len, hash); 796 (void) memcpy(mic, hash, MD5_MAC_LEN); 797 } 798 } 799 800 void 801 wpa_supplicant_key_request(struct wpa_supplicant *wpa_s, 802 int error, int pairwise) 803 { 804 int rlen; 805 struct ieee802_1x_hdr *hdr; 806 struct wpa_eapol_key *reply; 807 unsigned char *rbuf; 808 struct l2_ethhdr *ethhdr; 809 int key_info, ver; 810 uint8_t bssid[IEEE80211_ADDR_LEN]; 811 812 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) 813 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 814 else 815 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 816 817 if (wpa_s->driver->get_bssid(wpa_s->linkid, (char *)bssid) < 0) { 818 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key " 819 "request"); 820 return; 821 } 822 823 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 824 rbuf = malloc(rlen); 825 if (rbuf == NULL) 826 return; 827 828 (void) memset(rbuf, 0, rlen); 829 ethhdr = (struct l2_ethhdr *)rbuf; 830 (void) memcpy(ethhdr->h_dest, bssid, IEEE80211_ADDR_LEN); 831 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 832 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 833 834 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 835 hdr->version = wpa_s->conf->eapol_version; 836 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 837 hdr->length = htons(sizeof (*reply)); 838 839 reply = (struct wpa_eapol_key *)(hdr + 1); 840 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 841 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 842 key_info = WPA_KEY_INFO_REQUEST | ver; 843 if (wpa_s->ptk_set) 844 key_info |= WPA_KEY_INFO_MIC; 845 if (error) 846 key_info |= WPA_KEY_INFO_ERROR; 847 if (pairwise) 848 key_info |= WPA_KEY_INFO_KEY_TYPE; 849 reply->key_info = BE_16(key_info); 850 reply->key_length = 0; 851 (void) memcpy(reply->replay_counter, wpa_s->request_counter, 852 WPA_REPLAY_COUNTER_LEN); 853 inc_byte_array(wpa_s->request_counter, WPA_REPLAY_COUNTER_LEN); 854 855 reply->key_data_length = BE_16(0); 856 857 if (key_info & WPA_KEY_INFO_MIC) { 858 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 859 rlen - sizeof (*ethhdr), reply->key_mic); 860 } 861 862 wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d " 863 "pairwise=%d ptk_set=%d len=%d)", 864 error, pairwise, wpa_s->ptk_set, rlen); 865 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key Request", rbuf, rlen); 866 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 867 free(rbuf); 868 } 869 870 static void 871 wpa_supplicant_process_1_of_4(struct wpa_supplicant *wpa_s, 872 unsigned char *src_addr, struct wpa_eapol_key *key, int ver) 873 { 874 int rlen; 875 struct ieee802_1x_hdr *hdr; 876 struct wpa_eapol_key *reply; 877 unsigned char *rbuf; 878 struct l2_ethhdr *ethhdr; 879 struct wpa_ssid *ssid; 880 struct wpa_ptk *ptk; 881 uint8_t buf[8], wpa_ie_buf[80], *wpa_ie, *pmkid = NULL; 882 int wpa_ie_len; 883 884 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 885 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from " 886 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 887 888 ssid = wpa_supplicant_get_ssid(wpa_s); 889 if (ssid == NULL) { 890 wpa_printf(MSG_WARNING, 891 "WPA: No SSID info found (msg 1 of 4)."); 892 return; 893 } 894 895 if (wpa_s->proto == WPA_PROTO_RSN) { 896 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 897 uint8_t *pos = (uint8_t *)(key + 1); 898 uint8_t *end = pos + BE_16(key->key_data_length); 899 900 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 901 pos, BE_16(key->key_data_length)); 902 903 while (pos + 1 < end) { 904 if (pos + 2 + pos[1] > end) { 905 wpa_printf(MSG_DEBUG, "RSN: key data " 906 "underflow (ie=%d len=%d)", 907 pos[0], pos[1]); 908 break; 909 } 910 if (pos[0] == GENERIC_INFO_ELEM && 911 pos + 1 + RSN_SELECTOR_LEN < end && 912 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN && 913 memcmp(pos + 2, RSN_KEY_DATA_PMKID, 914 RSN_SELECTOR_LEN) == 0) { 915 pmkid = pos + 2 + RSN_SELECTOR_LEN; 916 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 917 "Authenticator", pmkid, PMKID_LEN); 918 break; 919 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 920 break; 921 pos += 2 + pos[1]; 922 } 923 } 924 925 wpa_ie = wpa_ie_buf; 926 wpa_ie_len = wpa_gen_wpa_ie(wpa_s, wpa_ie); 927 if (wpa_ie_len < 0) { 928 wpa_printf(MSG_WARNING, "WPA: Failed to generate " 929 "WPA IE (for msg 2 of 4)."); 930 return; 931 } 932 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 933 934 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply) + wpa_ie_len; 935 rbuf = malloc(rlen); 936 if (rbuf == NULL) 937 return; 938 939 (void) memset(rbuf, 0, rlen); 940 ethhdr = (struct l2_ethhdr *)rbuf; 941 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 942 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 943 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 944 945 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 946 hdr->version = wpa_s->conf->eapol_version; 947 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 948 hdr->length = htons(sizeof (*reply) + wpa_ie_len); 949 950 reply = (struct wpa_eapol_key *)(hdr + 1); 951 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 952 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 953 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC); 954 reply->key_length = key->key_length; 955 (void) memcpy(reply->replay_counter, key->replay_counter, 956 WPA_REPLAY_COUNTER_LEN); 957 958 reply->key_data_length = BE_16(wpa_ie_len); 959 (void) memcpy(reply + 1, wpa_ie, wpa_ie_len); 960 961 if (wpa_s->renew_snonce) { 962 if (random_get_pseudo_bytes(wpa_s->snonce, WPA_NONCE_LEN)) { 963 wpa_printf(MSG_WARNING, "WPA: Failed to get " 964 "random data for SNonce"); 965 free(rbuf); 966 return; 967 } 968 969 wpa_s->renew_snonce = 0; 970 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 971 wpa_s->snonce, WPA_NONCE_LEN); 972 } 973 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 974 ptk = &wpa_s->tptk; 975 (void) memcpy(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN); 976 977 wpa_pmk_to_ptk(wpa_s->pmk, wpa_s->own_addr, src_addr, 978 wpa_s->snonce, key->key_nonce, (uint8_t *)ptk, sizeof (*ptk)); 979 980 /* 981 * Supplicant: swap tx/rx Mic keys 982 */ 983 (void) memcpy(buf, ptk->u.auth.tx_mic_key, 8); 984 (void) memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8); 985 (void) memcpy(ptk->u.auth.rx_mic_key, buf, 8); 986 wpa_s->tptk_set = 1; 987 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, (uint8_t *)hdr, 988 rlen - sizeof (*ethhdr), reply->key_mic); 989 wpa_hexdump(MSG_DEBUG, "WPA: EAPOL-Key MIC", reply->key_mic, 16); 990 991 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 992 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/4", rbuf, rlen); 993 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 994 995 free(rbuf); 996 } 997 998 static void 999 wpa_supplicant_process_3_of_4_gtk(struct wpa_supplicant *wpa_s, 1000 unsigned char *src_addr, struct wpa_eapol_key *key, 1001 uint8_t *gtk, int gtk_len) 1002 { 1003 int keyidx, tx, key_rsc_len = 0, alg; 1004 1005 wpa_hexdump(MSG_DEBUG, 1006 "WPA: received GTK in pairwise handshake", gtk, gtk_len); 1007 1008 keyidx = gtk[0] & 0x3; 1009 tx = !!(gtk[0] & BIT(2)); 1010 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1011 /* 1012 * Ignore Tx bit in GTK IE if a pairwise key is used. 1013 * One AP seemed to set this bit (incorrectly, since Tx 1014 * is only when doing Group Key only APs) and without 1015 * this workaround, the data connection does not work 1016 * because wpa_supplicant configured non-zero keyidx to 1017 * be used for unicast. 1018 */ 1019 wpa_printf(MSG_INFO, "RSN: Tx bit set for GTK IE, but " 1020 "pairwise keys are used - ignore Tx bit"); 1021 tx = 0; 1022 } 1023 1024 gtk += 2; 1025 gtk_len -= 2; 1026 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, gtk_len); 1027 1028 switch (wpa_s->group_cipher) { 1029 case WPA_CIPHER_CCMP: 1030 if (gtk_len != 16) { 1031 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP" 1032 " Group Cipher key length %d.", gtk_len); 1033 return; 1034 } 1035 key_rsc_len = 6; 1036 alg = WPA_ALG_CCMP; 1037 break; 1038 case WPA_CIPHER_TKIP: 1039 if (gtk_len != 32) { 1040 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP" 1041 " Group Cipher key length %d.", gtk_len); 1042 return; 1043 } 1044 key_rsc_len = 6; 1045 alg = WPA_ALG_TKIP; 1046 break; 1047 case WPA_CIPHER_WEP104: 1048 if (gtk_len != 13) { 1049 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1050 "WEP104 Group Cipher key length " "%d.", gtk_len); 1051 return; 1052 } 1053 alg = WPA_ALG_WEP; 1054 break; 1055 case WPA_CIPHER_WEP40: 1056 if (gtk_len != 5) { 1057 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1058 "WEP40 Group Cipher key length %d.", gtk_len); 1059 return; 1060 } 1061 alg = WPA_ALG_WEP; 1062 break; 1063 default: 1064 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher " 1065 "%d", wpa_s->group_cipher); 1066 return; 1067 } 1068 1069 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver " 1070 "(keyidx=%d tx=%d).", keyidx, tx); 1071 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1072 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1073 uint8_t tmpbuf[8]; 1074 /* 1075 * Swap Tx/Rx keys for Michael MIC 1076 */ 1077 (void) memcpy(tmpbuf, gtk + 16, 8); 1078 (void) memcpy(gtk + 16, gtk + 24, 8); 1079 (void) memcpy(gtk + 24, tmpbuf, 8); 1080 } 1081 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1082 if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1083 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1084 keyidx, 1, key->key_rsc, 1085 key_rsc_len, gtk, gtk_len) < 0) 1086 wpa_printf(MSG_WARNING, "WPA: Failed to set " 1087 "GTK to the driver (Group only)."); 1088 } else if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1089 (uint8_t *)"\xff\xff\xff\xff\xff\xff", keyidx, tx, 1090 key->key_rsc, key_rsc_len, gtk, gtk_len) < 0) { 1091 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to " 1092 "the driver."); 1093 } 1094 1095 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " 1096 MACSTR, MAC2STR(src_addr)); 1097 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1098 wpa_supplicant_cancel_auth_timeout(wpa_s); 1099 wpa_s->wpa_state = WPA_COMPLETED; 1100 } 1101 1102 static void 1103 wpa_supplicant_process_3_of_4(struct wpa_supplicant *wpa_s, 1104 unsigned char *src_addr, struct wpa_eapol_key *key, 1105 int extra_len, int ver) 1106 { 1107 int rlen; 1108 struct ieee802_1x_hdr *hdr; 1109 struct wpa_eapol_key *reply; 1110 unsigned char *rbuf; 1111 struct l2_ethhdr *ethhdr; 1112 int key_info, ie_len = 0, keylen, gtk_len = 0; 1113 uint8_t *ie = NULL, *gtk = NULL, *key_rsc; 1114 uint8_t null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 1115 1116 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE; 1117 wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from " 1118 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1119 1120 key_info = BE_16(key->key_info); 1121 1122 if (wpa_s->proto == WPA_PROTO_RSN) { 1123 uint8_t *pos = (uint8_t *)(key + 1); 1124 uint8_t *end = pos + BE_16(key->key_data_length); 1125 while (pos + 1 < end) { 1126 if (pos + 2 + pos[1] > end) { 1127 wpa_printf(MSG_DEBUG, "RSN: key data " 1128 "underflow (ie=%d len=%d)", 1129 pos[0], pos[1]); 1130 break; 1131 } 1132 if (*pos == RSN_INFO_ELEM) { 1133 ie = pos; 1134 ie_len = pos[1] + 2; 1135 } else if (pos[0] == GENERIC_INFO_ELEM && 1136 pos + 1 + RSN_SELECTOR_LEN < end && 1137 pos[1] > RSN_SELECTOR_LEN + 2 && 1138 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1139 RSN_SELECTOR_LEN) == 0) { 1140 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1141 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1142 "in unencrypted key data"); 1143 return; 1144 } 1145 gtk = pos + 2 + RSN_SELECTOR_LEN; 1146 gtk_len = pos[1] - RSN_SELECTOR_LEN; 1147 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) 1148 break; 1149 1150 pos += 2 + pos[1]; 1151 } 1152 } else { 1153 ie = (uint8_t *)(key + 1); 1154 ie_len = BE_16(key->key_data_length); 1155 if (ie_len > extra_len) { 1156 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1157 " ie_len=%d > extra_len=%d", 1158 ie_len, extra_len); 1159 return; 1160 } 1161 } 1162 1163 if (wpa_s->ap_wpa_ie && 1164 (wpa_s->ap_wpa_ie_len != ie_len || 1165 memcmp(wpa_s->ap_wpa_ie, ie, ie_len) != 0)) { 1166 wpa_printf(MSG_WARNING, "WPA: WPA IE in 3/4 msg does not match" 1167 " with WPA IE in Beacon/ProbeResp (src=" MACSTR ")", 1168 MAC2STR(src_addr)); 1169 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1170 wpa_s->ap_wpa_ie, wpa_s->ap_wpa_ie_len); 1171 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", ie, ie_len); 1172 wpa_supplicant_disassociate(wpa_s, REASON_IE_IN_4WAY_DIFFERS); 1173 wpa_supplicant_req_scan(wpa_s, 0, 0); 1174 return; 1175 } 1176 1177 if (memcmp(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1178 wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way " 1179 "Handshake differs from 3 of 4-Way Handshake - drop" 1180 " packet (src=" MACSTR ")", MAC2STR(src_addr)); 1181 return; 1182 } 1183 1184 keylen = BE_16(key->key_length); 1185 switch (wpa_s->pairwise_cipher) { 1186 case WPA_CIPHER_CCMP: 1187 if (keylen != 16) { 1188 wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length " 1189 "%d (src=" MACSTR ")", 1190 keylen, MAC2STR(src_addr)); 1191 return; 1192 } 1193 break; 1194 case WPA_CIPHER_TKIP: 1195 if (keylen != 32) { 1196 wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length " 1197 "%d (src=" MACSTR ")", 1198 keylen, MAC2STR(src_addr)); 1199 return; 1200 } 1201 break; 1202 } 1203 1204 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1205 rbuf = malloc(rlen); 1206 if (rbuf == NULL) 1207 return; 1208 1209 (void) memset(rbuf, 0, rlen); 1210 ethhdr = (struct l2_ethhdr *)rbuf; 1211 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1212 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1213 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1214 1215 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1216 hdr->version = wpa_s->conf->eapol_version; 1217 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1218 hdr->length = htons(sizeof (*reply)); 1219 1220 reply = (struct wpa_eapol_key *)(hdr + 1); 1221 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1222 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1223 reply->key_info = BE_16(ver | WPA_KEY_INFO_KEY_TYPE | 1224 WPA_KEY_INFO_MIC | (key_info & WPA_KEY_INFO_SECURE)); 1225 reply->key_length = key->key_length; 1226 (void) memcpy(reply->replay_counter, key->replay_counter, 1227 WPA_REPLAY_COUNTER_LEN); 1228 1229 reply->key_data_length = BE_16(0); 1230 1231 (void) memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN); 1232 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1233 rlen - sizeof (*ethhdr), reply->key_mic); 1234 1235 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1236 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 4/4", rbuf, rlen); 1237 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1238 1239 free(rbuf); 1240 1241 /* 1242 * SNonce was successfully used in msg 3/4, so mark it to be renewed 1243 * for the next 4-Way Handshake. If msg 3 is received again, the old 1244 * SNonce will still be used to avoid changing PTK. 1245 */ 1246 wpa_s->renew_snonce = 1; 1247 1248 if (key_info & WPA_KEY_INFO_INSTALL) { 1249 int alg, keylen, rsclen; 1250 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver."); 1251 switch (wpa_s->pairwise_cipher) { 1252 case WPA_CIPHER_CCMP: 1253 alg = WPA_ALG_CCMP; 1254 keylen = 16; 1255 rsclen = 6; 1256 break; 1257 case WPA_CIPHER_TKIP: 1258 alg = WPA_ALG_TKIP; 1259 keylen = 32; 1260 rsclen = 6; 1261 break; 1262 case WPA_CIPHER_NONE: 1263 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: " 1264 "NONE - do not use pairwise keys"); 1265 return; 1266 default: 1267 wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise " 1268 "cipher %d", wpa_s->pairwise_cipher); 1269 return; 1270 } 1271 if (wpa_s->proto == WPA_PROTO_RSN) { 1272 key_rsc = null_rsc; 1273 } else { 1274 key_rsc = key->key_rsc; 1275 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 1276 } 1277 1278 if (wpa_s->driver->set_key(wpa_s->linkid, alg, src_addr, 1279 0, 1, key_rsc, rsclen, 1280 (uint8_t *)&wpa_s->ptk.tk1, keylen) < 0) { 1281 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the" 1282 " driver."); 1283 } 1284 } 1285 1286 wpa_printf(MSG_DEBUG, "%s: key_info=%x gtk=%p\n", 1287 "wpa_supplicant_process_3_of_4", key_info, gtk); 1288 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1289 1290 if (gtk) 1291 wpa_supplicant_process_3_of_4_gtk(wpa_s, 1292 src_addr, key, gtk, gtk_len); 1293 } 1294 1295 static void 1296 wpa_supplicant_process_1_of_2(struct wpa_supplicant *wpa_s, 1297 unsigned char *src_addr, struct wpa_eapol_key *key, 1298 int extra_len, int ver) 1299 { 1300 int rlen; 1301 struct ieee802_1x_hdr *hdr; 1302 struct wpa_eapol_key *reply; 1303 unsigned char *rbuf; 1304 struct l2_ethhdr *ethhdr; 1305 int key_info, keylen, keydatalen, maxkeylen, keyidx, key_rsc_len = 0; 1306 int alg, tx; 1307 uint8_t ek[32], tmpbuf[8], gtk[32]; 1308 uint8_t *gtk_ie = NULL; 1309 size_t gtk_ie_len = 0; 1310 1311 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE; 1312 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from " 1313 MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 1314 1315 key_info = BE_16(key->key_info); 1316 keydatalen = BE_16(key->key_data_length); 1317 1318 if (wpa_s->proto == WPA_PROTO_RSN) { 1319 uint8_t *pos = (uint8_t *)(key + 1); 1320 uint8_t *end = pos + keydatalen; 1321 while (pos + 1 < end) { 1322 if (pos + 2 + pos[1] > end) { 1323 wpa_printf(MSG_DEBUG, "RSN: key data " 1324 "underflow (ie=%d len=%d)", 1325 pos[0], pos[1]); 1326 break; 1327 } 1328 if (pos[0] == GENERIC_INFO_ELEM && 1329 pos + 1 + RSN_SELECTOR_LEN < end && 1330 pos[1] > RSN_SELECTOR_LEN + 2 && 1331 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, 1332 RSN_SELECTOR_LEN) == 0) { 1333 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1334 wpa_printf(MSG_WARNING, "WPA: GTK IE " 1335 "in unencrypted key data"); 1336 return; 1337 } 1338 gtk_ie = pos + 2 + RSN_SELECTOR_LEN; 1339 gtk_ie_len = pos[1] - RSN_SELECTOR_LEN; 1340 break; 1341 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0) { 1342 break; 1343 } 1344 1345 pos += 2 + pos[1]; 1346 } 1347 1348 if (gtk_ie == NULL) { 1349 wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key " 1350 "message 1/2"); 1351 return; 1352 } 1353 maxkeylen = keylen = gtk_ie_len - 2; 1354 } else { 1355 keylen = BE_16(key->key_length); 1356 maxkeylen = keydatalen; 1357 if (keydatalen > extra_len) { 1358 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:" 1359 " key_data_length=%d > extra_len=%d", 1360 keydatalen, extra_len); 1361 return; 1362 } 1363 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) 1364 maxkeylen -= 8; 1365 } 1366 1367 switch (wpa_s->group_cipher) { 1368 case WPA_CIPHER_CCMP: 1369 if (keylen != 16 || maxkeylen < 16) { 1370 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP Group " 1371 "Cipher key length %d (%d).", keylen, maxkeylen); 1372 return; 1373 } 1374 key_rsc_len = 6; 1375 alg = WPA_ALG_CCMP; 1376 break; 1377 case WPA_CIPHER_TKIP: 1378 if (keylen != 32 || maxkeylen < 32) { 1379 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP Group " 1380 "Cipher key length %d (%d).", keylen, maxkeylen); 1381 return; 1382 } 1383 key_rsc_len = 6; /* key->key_data; */ 1384 alg = WPA_ALG_TKIP; 1385 break; 1386 case WPA_CIPHER_WEP104: 1387 if (keylen != 13 || maxkeylen < 13) { 1388 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP104 Group" 1389 " Cipher key length %d (%d).", keylen, maxkeylen); 1390 return; 1391 } 1392 alg = WPA_ALG_WEP; 1393 break; 1394 case WPA_CIPHER_WEP40: 1395 if (keylen != 5 || maxkeylen < 5) { 1396 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP40 Group " 1397 "Cipher key length %d (%d).", keylen, maxkeylen); 1398 return; 1399 } 1400 alg = WPA_ALG_WEP; 1401 break; 1402 default: 1403 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher %d", 1404 wpa_s->group_cipher); 1405 return; 1406 } 1407 1408 if (wpa_s->proto == WPA_PROTO_RSN) { 1409 wpa_hexdump(MSG_DEBUG, 1410 "WPA: received GTK in group key handshake", 1411 gtk_ie, gtk_ie_len); 1412 keyidx = gtk_ie[0] & 0x3; 1413 tx = !!(gtk_ie[0] & BIT(2)); 1414 if (gtk_ie_len - 2 > sizeof (gtk)) { 1415 wpa_printf(MSG_INFO, "WPA: Too long GTK in GTK IE " 1416 "(len=%d)", gtk_ie_len - 2); 1417 return; 1418 } 1419 (void) memcpy(gtk, gtk_ie + 2, gtk_ie_len - 2); 1420 } else { 1421 keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1422 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1423 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1424 (void) memcpy(ek, key->key_iv, 16); 1425 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1426 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1427 (void) memcpy(gtk, key + 1, keylen); 1428 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1429 if (keydatalen % 8) { 1430 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1431 "AES-WRAP len %d", keydatalen); 1432 return; 1433 } 1434 if (aes_unwrap(wpa_s->ptk.encr_key, maxkeylen / 8, 1435 (uint8_t *)(key + 1), gtk)) { 1436 wpa_printf(MSG_WARNING, "WPA: AES unwrap " 1437 "failed - could not decrypt GTK"); 1438 return; 1439 } 1440 } 1441 tx = !!(key_info & WPA_KEY_INFO_TXRX); 1442 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) { 1443 /* 1444 * Ignore Tx bit in Group Key message if a pairwise key 1445 * is used. Some APs seem to setting this bit 1446 * (incorrectly, since Tx is only when doing Group Key 1447 * only APs) and without this workaround, the data 1448 * connection does not work because wpa_supplicant 1449 * configured non-zero keyidx to be used for unicast. 1450 */ 1451 wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but " 1452 "pairwise keys are used - ignore Tx bit"); 1453 tx = 0; 1454 } 1455 } 1456 wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gtk, keylen); 1457 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver (keyidx=%d " 1458 "tx=%d).", keyidx, tx); 1459 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len); 1460 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) { 1461 /* 1462 * Swap Tx/Rx keys for Michael MIC 1463 */ 1464 (void) memcpy(tmpbuf, gtk + 16, 8); 1465 (void) memcpy(gtk + 16, gtk + 24, 8); 1466 (void) memcpy(gtk + 24, tmpbuf, 8); 1467 } 1468 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) { 1469 if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1470 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1471 keyidx, 1, key->key_rsc, 1472 key_rsc_len, gtk, keylen) < 0) 1473 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the" 1474 " driver (Group only)."); 1475 } else if (wpa_s->driver->set_key(wpa_s->linkid, alg, 1476 (uint8_t *)"\xff\xff\xff\xff\xff\xff", 1477 keyidx, tx, 1478 key->key_rsc, key_rsc_len, 1479 gtk, keylen) < 0) { 1480 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " 1481 "driver."); 1482 } 1483 1484 rlen = sizeof (*ethhdr) + sizeof (*hdr) + sizeof (*reply); 1485 rbuf = malloc(rlen); 1486 if (rbuf == NULL) 1487 return; 1488 1489 (void) memset(rbuf, 0, rlen); 1490 ethhdr = (struct l2_ethhdr *)rbuf; 1491 (void) memcpy(ethhdr->h_dest, src_addr, IEEE80211_ADDR_LEN); 1492 (void) memcpy(ethhdr->h_source, wpa_s->own_addr, IEEE80211_ADDR_LEN); 1493 ethhdr->h_proto = htons(ETHERTYPE_EAPOL); 1494 1495 hdr = (struct ieee802_1x_hdr *)(ethhdr + 1); 1496 hdr->version = wpa_s->conf->eapol_version; 1497 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1498 hdr->length = htons(sizeof (*reply)); 1499 1500 reply = (struct wpa_eapol_key *)(hdr + 1); 1501 reply->type = wpa_s->proto == WPA_PROTO_RSN ? 1502 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1503 reply->key_info = 1504 BE_16(ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE | 1505 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK)); 1506 reply->key_length = key->key_length; 1507 (void) memcpy(reply->replay_counter, key->replay_counter, 1508 WPA_REPLAY_COUNTER_LEN); 1509 1510 reply->key_data_length = BE_16(0); 1511 1512 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (uint8_t *)hdr, 1513 rlen - sizeof (*ethhdr), reply->key_mic); 1514 1515 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 1516 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/2", rbuf, rlen); 1517 (void) l2_packet_send(wpa_s->l2, rbuf, rlen); 1518 free(rbuf); 1519 1520 wpa_printf(MSG_INFO, "WPA: Key negotiation completed with " MACSTR, 1521 MAC2STR(src_addr)); 1522 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL); 1523 wpa_supplicant_cancel_auth_timeout(wpa_s); 1524 wpa_s->wpa_state = WPA_COMPLETED; 1525 wpa_printf(MSG_INFO, "-----------------------------------\n"); 1526 } 1527 1528 static int 1529 wpa_supplicant_verify_eapol_key_mic(struct wpa_supplicant *wpa_s, 1530 struct wpa_eapol_key *key, int ver, uint8_t *buf, size_t len) 1531 { 1532 uint8_t mic[16]; 1533 int ok = 0; 1534 1535 (void) memcpy(mic, key->key_mic, 16); 1536 if (wpa_s->tptk_set) { 1537 (void) memset(key->key_mic, 0, 16); 1538 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, buf, len, 1539 key->key_mic); 1540 if (memcmp(mic, key->key_mic, 16) != 0) { 1541 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1542 "when using TPTK - ignoring TPTK"); 1543 } else { 1544 ok = 1; 1545 wpa_s->tptk_set = 0; 1546 wpa_s->ptk_set = 1; 1547 (void) memcpy(&wpa_s->ptk, &wpa_s->tptk, 1548 sizeof (wpa_s->ptk)); 1549 } 1550 } 1551 1552 if (!ok && wpa_s->ptk_set) { 1553 (void) memset(key->key_mic, 0, 16); 1554 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, buf, len, 1555 key->key_mic); 1556 if (memcmp(mic, key->key_mic, 16) != 0) { 1557 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC " 1558 "- dropping packet"); 1559 return (-1); 1560 } 1561 ok = 1; 1562 } 1563 1564 if (!ok) { 1565 wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC " 1566 "- dropping packet"); 1567 return (-1); 1568 } 1569 1570 (void) memcpy(wpa_s->rx_replay_counter, key->replay_counter, 1571 WPA_REPLAY_COUNTER_LEN); 1572 wpa_s->rx_replay_counter_set = 1; 1573 1574 return (0); 1575 } 1576 1577 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 1578 static int 1579 wpa_supplicant_decrypt_key_data(struct wpa_supplicant *wpa_s, 1580 struct wpa_eapol_key *key, int ver) 1581 { 1582 int keydatalen = BE_16(key->key_data_length); 1583 1584 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 1585 (uint8_t *)(key + 1), keydatalen); 1586 if (!wpa_s->ptk_set) { 1587 wpa_printf(MSG_WARNING, "WPA: PTK not available, " 1588 "cannot decrypt EAPOL-Key key data."); 1589 return (-1); 1590 } 1591 1592 /* 1593 * Decrypt key data here so that this operation does not need 1594 * to be implemented separately for each message type. 1595 */ 1596 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { 1597 uint8_t ek[32]; 1598 (void) memcpy(ek, key->key_iv, 16); 1599 (void) memcpy(ek + 16, wpa_s->ptk.encr_key, 16); 1600 rc4_skip(ek, 32, 256, (uint8_t *)(key + 1), keydatalen); 1601 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1602 uint8_t *buf; 1603 if (keydatalen % 8) { 1604 wpa_printf(MSG_WARNING, "WPA: Unsupported " 1605 "AES-WRAP len %d", keydatalen); 1606 return (-1); 1607 } 1608 keydatalen -= 8; /* AES-WRAP adds 8 bytes */ 1609 buf = malloc(keydatalen); 1610 if (buf == NULL) { 1611 wpa_printf(MSG_WARNING, "WPA: No memory for " 1612 "AES-UNWRAP buffer"); 1613 return (-1); 1614 } 1615 if (aes_unwrap(wpa_s->ptk.encr_key, keydatalen / 8, 1616 (uint8_t *)(key + 1), buf)) { 1617 free(buf); 1618 wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - " 1619 "could not decrypt EAPOL-Key key data"); 1620 return (-1); 1621 } 1622 (void) memcpy(key + 1, buf, keydatalen); 1623 free(buf); 1624 key->key_data_length = BE_16(keydatalen); 1625 } 1626 wpa_hexdump(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 1627 (uint8_t *)(key + 1), keydatalen); 1628 1629 return (0); 1630 } 1631 1632 static void 1633 wpa_sm_rx_eapol(struct wpa_supplicant *wpa_s, 1634 unsigned char *src_addr, unsigned char *buf, size_t len) 1635 { 1636 size_t plen, data_len, extra_len; 1637 struct ieee802_1x_hdr *hdr; 1638 struct wpa_eapol_key *key; 1639 int key_info, ver; 1640 1641 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame len %u\n ", len); 1642 1643 hdr = (struct ieee802_1x_hdr *)buf; 1644 key = (struct wpa_eapol_key *)(hdr + 1); 1645 wpa_printf(MSG_DEBUG, "hdr_len=%u, key_len=%u", 1646 sizeof (*hdr), sizeof (*key)); 1647 if (len < sizeof (*hdr) + sizeof (*key)) { 1648 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short, len %u, " 1649 "expecting at least %u", 1650 len, sizeof (*hdr) + sizeof (*key)); 1651 return; 1652 } 1653 plen = ntohs(hdr->length); 1654 data_len = plen + sizeof (*hdr); 1655 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%d", 1656 hdr->version, hdr->type, plen); 1657 1658 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 1659 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, " 1660 "not a Key frame", hdr->type); 1661 return; 1662 } 1663 if (plen > len - sizeof (*hdr) || plen < sizeof (*key)) { 1664 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %u " 1665 "invalid (frame size %u)", plen, len); 1666 return; 1667 } 1668 1669 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type); 1670 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != 1671 EAPOL_KEY_TYPE_RSN) { 1672 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, " 1673 "discarded", key->type); 1674 return; 1675 } 1676 1677 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 1678 if (data_len < len) { 1679 wpa_printf(MSG_DEBUG, "WPA: ignoring %d bytes after the IEEE " 1680 "802.1X data", len - data_len); 1681 } 1682 key_info = BE_16(key->key_info); 1683 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1684 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 1685 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1686 wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor " 1687 "version %d.", ver); 1688 return; 1689 } 1690 1691 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP && 1692 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1693 wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key " 1694 "descriptor version (%d) is not 2.", ver); 1695 if (wpa_s->group_cipher != WPA_CIPHER_CCMP && 1696 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 1697 /* 1698 * Earlier versions of IEEE 802.11i did not explicitly 1699 * require version 2 descriptor for all EAPOL-Key 1700 * packets, so allow group keys to use version 1 if 1701 * CCMP is not used for them. 1702 */ 1703 wpa_printf(MSG_INFO, "WPA: Backwards compatibility: " 1704 "allow invalid version for non-CCMP group keys"); 1705 } else 1706 return; 1707 } 1708 1709 if (wpa_s->rx_replay_counter_set && 1710 memcmp(key->replay_counter, wpa_s->rx_replay_counter, 1711 WPA_REPLAY_COUNTER_LEN) <= 0) { 1712 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not" 1713 " increase - dropping packet"); 1714 return; 1715 } 1716 1717 if (!(key_info & WPA_KEY_INFO_ACK)) { 1718 wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info"); 1719 return; 1720 } 1721 1722 if (key_info & WPA_KEY_INFO_REQUEST) { 1723 wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - " 1724 "dropped"); 1725 return; 1726 } 1727 1728 if ((key_info & WPA_KEY_INFO_MIC) && 1729 wpa_supplicant_verify_eapol_key_mic(wpa_s, key, ver, buf, 1730 data_len)) { 1731 return; 1732 } 1733 1734 extra_len = data_len - sizeof (*hdr) - sizeof (*key); 1735 1736 if (wpa_s->proto == WPA_PROTO_RSN && 1737 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 1738 wpa_supplicant_decrypt_key_data(wpa_s, key, ver)) 1739 return; 1740 1741 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1742 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 1743 wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key " 1744 "(Pairwise) with non-zero key index"); 1745 return; 1746 } 1747 if (key_info & WPA_KEY_INFO_MIC) { 1748 /* 3/4 4-Way Handshake */ 1749 wpa_supplicant_process_3_of_4(wpa_s, src_addr, key, 1750 extra_len, ver); 1751 } else { 1752 /* 1/4 4-Way Handshake */ 1753 wpa_supplicant_process_1_of_4(wpa_s, src_addr, key, 1754 ver); 1755 } 1756 } else { 1757 if (key_info & WPA_KEY_INFO_MIC) { 1758 /* 1/2 Group Key Handshake */ 1759 wpa_supplicant_process_1_of_2(wpa_s, src_addr, key, 1760 extra_len, ver); 1761 } else { 1762 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) " 1763 "without Mic bit - dropped"); 1764 } 1765 } 1766 } 1767 1768 void 1769 wpa_supplicant_rx_eapol(void *ctx, unsigned char *src_addr, 1770 unsigned char *buf, size_t len) 1771 { 1772 struct wpa_supplicant *wpa_s = ctx; 1773 1774 wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); 1775 wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); 1776 1777 if (wpa_s->eapol_received == 0) { 1778 /* Timeout for completing IEEE 802.1X and WPA authentication */ 1779 wpa_supplicant_req_auth_timeout( 1780 wpa_s, wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ? 1781 70 : 10, 0); 1782 } 1783 wpa_s->eapol_received++; 1784 1785 /* 1786 * Source address of the incoming EAPOL frame could be compared to the 1787 * current BSSID. However, it is possible that a centralized 1788 * Authenticator could be using another MAC address than the BSSID of 1789 * an AP, so just allow any address to be used for now. The replies are 1790 * still sent to the current BSSID (if available), though. 1791 */ 1792 wpa_sm_rx_eapol(wpa_s, src_addr, buf, len); 1793 } 1794