3 * Copyright (c) 2003-2005, Jouni Malinen <jkmaline@cc.hut.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #ifndef CONFIG_NATIVE_WINDOWS
19 #include <netinet/in.h>
20 #endif /* CONFIG_NATIVE_WINDOWS */
32 #include "wpa_supplicant.h"
34 #include "l2_packet.h"
36 #include "wpa_supplicant_i.h"
38 static void rsn_preauth_candidate_process(struct wpa_supplicant *wpa_s);
40 #define PMKID_CANDIDATE_PRIO_SCAN 1000
42 /* TODO: make these configurable */
43 static const int dot11RSNAConfigPMKLifetime = 43200;
44 static const int dot11RSNAConfigPMKReauthThreshold = 70;
45 static const int dot11RSNAConfigSATimeout = 60;
46 static const int pmksa_cache_max_entries = 32;
48 static const int WPA_SELECTOR_LEN = 4;
49 static const u8 WPA_OUI_TYPE[] = { 0x00, 0x50, 0xf2, 1 };
50 static const u16 WPA_VERSION = 1;
51 static const u8 WPA_AUTH_KEY_MGMT_NONE[] = { 0x00, 0x50, 0xf2, 0 };
52 static const u8 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 };
53 static const u8 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 };
54 static const u8 WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 };
55 static const u8 WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 };
56 static const u8 WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 };
57 static const u8 WPA_CIPHER_SUITE_WRAP[] = { 0x00, 0x50, 0xf2, 3 };
58 static const u8 WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 };
59 static const u8 WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 };
62 * 00-50-f2:1 (OUI:OUI type)
63 * 0x01 0x00 (version; little endian)
64 * (all following fields are optional:)
65 * Group Suite Selector (4 octets) (default: TKIP)
66 * Pairwise Suite Count (2 octets, little endian) (default: 1)
67 * Pairwise Suite List (4 * n octets) (default: TKIP)
68 * Authenticated Key Management Suite Count (2 octets, little endian)
70 * Authenticated Key Management Suite List (4 * n octets)
71 * (default: unspec 802.1x)
72 * WPA Capabilities (2 octets, little endian) (default: 0)
81 } __attribute__ ((packed));
84 static const int RSN_SELECTOR_LEN = 4;
85 static const u16 RSN_VERSION = 1;
86 static const u8 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 };
87 static const u8 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 };
88 static const u8 RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 };
89 static const u8 RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 };
90 static const u8 RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 };
91 static const u8 RSN_CIPHER_SUITE_WRAP[] = { 0x00, 0x0f, 0xac, 3 };
92 static const u8 RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 };
93 static const u8 RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 };
95 /* EAPOL-Key Key Data Encapsulation
96 * GroupKey and STAKey require encryption, otherwise, encryption is optional.
98 static const u8 RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 };
99 static const u8 RSN_KEY_DATA_STAKEY[] = { 0x00, 0x0f, 0xac, 2 };
100 static const u8 RSN_KEY_DATA_MAC_ADDR[] = { 0x00, 0x0f, 0xac, 3 };
101 static const u8 RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 };
105 * 3/4: one or two RSN IEs + GTK IE (encrypted)
107 * 1/2: GTK IE (encrypted)
112 * 0x01 0x00 (version; little endian)
113 * (all following fields are optional:)
114 * Group Suite Selector (4 octets) (default: CCMP)
115 * Pairwise Suite Count (2 octets, little endian) (default: 1)
116 * Pairwise Suite List (4 * n octets) (default: CCMP)
117 * Authenticated Key Management Suite Count (2 octets, little endian)
119 * Authenticated Key Management Suite List (4 * n octets)
120 * (default: unspec 802.1x)
121 * RSN Capabilities (2 octets, little endian) (default: 0)
122 * PMKID Count (2 octets) (default: 0)
123 * PMKID List (16 * n octets)
127 u8 elem_id; /* WLAN_EID_RSN */
130 } __attribute__ ((packed));
133 static int wpa_selector_to_bitfield(u8 *s)
135 if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0)
136 return WPA_CIPHER_NONE;
137 if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0)
138 return WPA_CIPHER_WEP40;
139 if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0)
140 return WPA_CIPHER_TKIP;
141 if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0)
142 return WPA_CIPHER_CCMP;
143 if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0)
144 return WPA_CIPHER_WEP104;
149 static int wpa_key_mgmt_to_bitfield(u8 *s)
151 if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0)
152 return WPA_KEY_MGMT_IEEE8021X;
153 if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) ==
155 return WPA_KEY_MGMT_PSK;
156 if (memcmp(s, WPA_AUTH_KEY_MGMT_NONE, WPA_SELECTOR_LEN) == 0)
157 return WPA_KEY_MGMT_WPA_NONE;
162 static int rsn_selector_to_bitfield(u8 *s)
164 if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0)
165 return WPA_CIPHER_NONE;
166 if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0)
167 return WPA_CIPHER_WEP40;
168 if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0)
169 return WPA_CIPHER_TKIP;
170 if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0)
171 return WPA_CIPHER_CCMP;
172 if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0)
173 return WPA_CIPHER_WEP104;
178 static int rsn_key_mgmt_to_bitfield(u8 *s)
180 if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0)
181 return WPA_KEY_MGMT_IEEE8021X;
182 if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) ==
184 return WPA_KEY_MGMT_PSK;
189 static void rsn_pmkid(u8 *pmk, u8 *aa, u8 *spa, u8 *pmkid)
191 char *title = "PMK Name";
192 const unsigned char *addr[3];
193 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
194 unsigned char hash[SHA1_MAC_LEN];
196 addr[0] = (unsigned char *) title;
200 hmac_sha1_vector(pmk, PMK_LEN, 3, addr, len, hash);
201 memcpy(pmkid, hash, PMKID_LEN);
205 static void pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s);
208 static void pmksa_cache_free_entry(struct wpa_supplicant *wpa_s,
209 struct rsn_pmksa_cache *entry)
212 wpa_s->pmksa_count--;
213 if (wpa_s->cur_pmksa == entry) {
214 wpa_printf(MSG_DEBUG, "RSN: removed current PMKSA entry");
215 /* TODO: should drop PMK and PTK and trigger new key
217 wpa_s->cur_pmksa = NULL;
222 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
224 struct wpa_supplicant *wpa_s = eloop_ctx;
228 while (wpa_s->pmksa && wpa_s->pmksa->expiration <= now) {
229 struct rsn_pmksa_cache *entry = wpa_s->pmksa;
230 wpa_s->pmksa = entry->next;
231 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
232 MACSTR, MAC2STR(entry->aa));
233 pmksa_cache_free_entry(wpa_s, entry);
236 pmksa_cache_set_expiration(wpa_s);
240 static void pmksa_cache_set_expiration(struct wpa_supplicant *wpa_s)
243 eloop_cancel_timeout(pmksa_cache_expire, wpa_s, NULL);
244 if (wpa_s->pmksa == NULL)
246 sec = wpa_s->pmksa->expiration - time(NULL);
249 eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, wpa_s, NULL);
253 static void pmksa_cache_add(struct wpa_supplicant *wpa_s, u8 *pmk,
254 size_t pmk_len, u8 *aa, u8 *spa)
256 struct rsn_pmksa_cache *entry, *pos, *prev;
258 if (wpa_s->proto != WPA_PROTO_RSN || pmk_len > PMK_LEN)
261 entry = malloc(sizeof(*entry));
264 memset(entry, 0, sizeof(*entry));
265 memcpy(entry->pmk, pmk, pmk_len);
266 entry->pmk_len = pmk_len;
267 rsn_pmkid(pmk, aa, spa, entry->pmkid);
268 entry->expiration = time(NULL) + dot11RSNAConfigPMKLifetime;
269 entry->akmp = WPA_KEY_MGMT_IEEE8021X;
270 memcpy(entry->aa, aa, ETH_ALEN);
272 /* Replace an old entry for the same Authenticator (if found) with the
277 if (memcmp(aa, pos->aa, ETH_ALEN) == 0) {
279 wpa_s->pmksa = pos->next;
281 prev->next = pos->next;
282 pmksa_cache_free_entry(wpa_s, pos);
289 if (wpa_s->pmksa_count >= pmksa_cache_max_entries && wpa_s->pmksa) {
290 /* Remove the oldest entry to make room for the new entry */
292 wpa_s->pmksa = pos->next;
293 wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
294 "entry (for " MACSTR ") to make room for new one",
296 wpa_drv_remove_pmkid(wpa_s, pos->aa, pos->pmkid);
297 pmksa_cache_free_entry(wpa_s, pos);
300 /* Add the new entry; order by expiration time */
304 if (pos->expiration > entry->expiration)
310 entry->next = wpa_s->pmksa;
311 wpa_s->pmksa = entry;
313 entry->next = prev->next;
316 wpa_s->pmksa_count++;
317 wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
319 wpa_drv_add_pmkid(wpa_s, entry->aa, entry->pmkid);
323 void pmksa_cache_free(struct wpa_supplicant *wpa_s)
325 struct rsn_pmksa_cache *entry, *prev;
327 entry = wpa_s->pmksa;
334 pmksa_cache_set_expiration(wpa_s);
335 wpa_s->cur_pmksa = NULL;
339 struct rsn_pmksa_cache * pmksa_cache_get(struct wpa_supplicant *wpa_s,
342 struct rsn_pmksa_cache *entry = wpa_s->pmksa;
344 if ((aa == NULL || memcmp(entry->aa, aa, ETH_ALEN) == 0) &&
346 memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0))
354 int pmksa_cache_list(struct wpa_supplicant *wpa_s, char *buf, size_t len)
358 struct rsn_pmksa_cache *entry;
362 pos += snprintf(pos, buf + len - pos,
363 "Index / AA / PMKID / expiration (in seconds)\n");
365 entry = wpa_s->pmksa;
368 pos += snprintf(pos, buf + len - pos, "%d " MACSTR " ",
369 i, MAC2STR(entry->aa));
370 for (j = 0; j < PMKID_LEN; j++)
371 pos += snprintf(pos, buf + len - pos, "%02x",
373 pos += snprintf(pos, buf + len - pos, " %d\n",
374 (int) (entry->expiration - now));
381 void pmksa_candidate_free(struct wpa_supplicant *wpa_s)
383 struct rsn_pmksa_candidate *entry, *prev;
385 entry = wpa_s->pmksa_candidates;
386 wpa_s->pmksa_candidates = NULL;
395 static int wpa_parse_wpa_ie_wpa(struct wpa_supplicant *wpa_s, u8 *wpa_ie,
396 size_t wpa_ie_len, struct wpa_ie_data *data)
398 struct wpa_ie_hdr *hdr;
403 data->proto = WPA_PROTO_WPA;
404 data->pairwise_cipher = WPA_CIPHER_TKIP;
405 data->group_cipher = WPA_CIPHER_TKIP;
406 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
407 data->capabilities = 0;
411 if (wpa_ie_len == 0) {
412 /* No WPA IE - fail silently */
416 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
417 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
418 __func__, (unsigned long) wpa_ie_len);
422 hdr = (struct wpa_ie_hdr *) wpa_ie;
424 if (hdr->elem_id != GENERIC_INFO_ELEM ||
425 hdr->len != wpa_ie_len - 2 ||
426 memcmp(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN) != 0 ||
427 le_to_host16(hdr->version) != WPA_VERSION) {
428 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
433 pos = (u8 *) (hdr + 1);
434 left = wpa_ie_len - sizeof(*hdr);
436 if (left >= WPA_SELECTOR_LEN) {
437 data->group_cipher = wpa_selector_to_bitfield(pos);
438 pos += WPA_SELECTOR_LEN;
439 left -= WPA_SELECTOR_LEN;
440 } else if (left > 0) {
441 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
447 data->pairwise_cipher = 0;
448 count = pos[0] | (pos[1] << 8);
451 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
452 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
453 "count %u left %u", __func__, count, left);
456 for (i = 0; i < count; i++) {
457 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
458 pos += WPA_SELECTOR_LEN;
459 left -= WPA_SELECTOR_LEN;
461 } else if (left == 1) {
462 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
469 count = pos[0] | (pos[1] << 8);
472 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
473 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
474 "count %u left %u", __func__, count, left);
477 for (i = 0; i < count; i++) {
478 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
479 pos += WPA_SELECTOR_LEN;
480 left -= WPA_SELECTOR_LEN;
482 } else if (left == 1) {
483 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
489 data->capabilities = pos[0] | (pos[1] << 8);
495 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes",
504 static int wpa_parse_wpa_ie_rsn(struct wpa_supplicant *wpa_s, u8 *rsn_ie,
505 size_t rsn_ie_len, struct wpa_ie_data *data)
507 struct rsn_ie_hdr *hdr;
512 data->proto = WPA_PROTO_RSN;
513 data->pairwise_cipher = WPA_CIPHER_CCMP;
514 data->group_cipher = WPA_CIPHER_CCMP;
515 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
516 data->capabilities = 0;
520 if (rsn_ie_len == 0) {
521 /* No RSN IE - fail silently */
525 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
526 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
527 __func__, (unsigned long) rsn_ie_len);
531 hdr = (struct rsn_ie_hdr *) rsn_ie;
533 if (hdr->elem_id != RSN_INFO_ELEM ||
534 hdr->len != rsn_ie_len - 2 ||
535 le_to_host16(hdr->version) != RSN_VERSION) {
536 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
541 pos = (u8 *) (hdr + 1);
542 left = rsn_ie_len - sizeof(*hdr);
544 if (left >= RSN_SELECTOR_LEN) {
545 data->group_cipher = rsn_selector_to_bitfield(pos);
546 pos += RSN_SELECTOR_LEN;
547 left -= RSN_SELECTOR_LEN;
548 } else if (left > 0) {
549 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
555 data->pairwise_cipher = 0;
556 count = pos[0] | (pos[1] << 8);
559 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
560 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
561 "count %u left %u", __func__, count, left);
564 for (i = 0; i < count; i++) {
565 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
566 pos += RSN_SELECTOR_LEN;
567 left -= RSN_SELECTOR_LEN;
569 } else if (left == 1) {
570 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
577 count = pos[0] | (pos[1] << 8);
580 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
581 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
582 "count %u left %u", __func__, count, left);
585 for (i = 0; i < count; i++) {
586 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
587 pos += RSN_SELECTOR_LEN;
588 left -= RSN_SELECTOR_LEN;
590 } else if (left == 1) {
591 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
597 data->capabilities = pos[0] | (pos[1] << 8);
603 data->num_pmkid = pos[0] | (pos[1] << 8);
606 if (left < data->num_pmkid * PMKID_LEN) {
607 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
608 "(num_pmkid=%d left=%d)",
609 __func__, data->num_pmkid, left);
613 pos += data->num_pmkid * PMKID_LEN;
614 left -= data->num_pmkid * PMKID_LEN;
619 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
627 int wpa_parse_wpa_ie(struct wpa_supplicant *wpa_s, u8 *wpa_ie,
628 size_t wpa_ie_len, struct wpa_ie_data *data)
630 if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM)
631 return wpa_parse_wpa_ie_rsn(wpa_s, wpa_ie, wpa_ie_len, data);
633 return wpa_parse_wpa_ie_wpa(wpa_s, wpa_ie, wpa_ie_len, data);
637 static int wpa_gen_wpa_ie_wpa(struct wpa_supplicant *wpa_s, u8 *wpa_ie)
640 struct wpa_ie_hdr *hdr;
642 hdr = (struct wpa_ie_hdr *) wpa_ie;
643 hdr->elem_id = GENERIC_INFO_ELEM;
644 memcpy(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN);
645 hdr->version = host_to_le16(WPA_VERSION);
646 pos = (u8 *) (hdr + 1);
648 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) {
649 memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
650 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) {
651 memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
652 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) {
653 memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN);
654 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) {
655 memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN);
657 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
658 wpa_s->group_cipher);
661 pos += WPA_SELECTOR_LEN;
665 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) {
666 memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
667 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) {
668 memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
669 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) {
670 memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN);
672 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
673 wpa_s->pairwise_cipher);
676 pos += WPA_SELECTOR_LEN;
680 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
681 memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN);
682 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) {
683 memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X,
685 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_WPA_NONE) {
686 memcpy(pos, WPA_AUTH_KEY_MGMT_NONE, WPA_SELECTOR_LEN);
688 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
692 pos += WPA_SELECTOR_LEN;
694 /* WPA Capabilities; use defaults, so no need to include it */
696 hdr->len = (pos - wpa_ie) - 2;
702 static int wpa_gen_wpa_ie_rsn(struct wpa_supplicant *wpa_s, u8 *rsn_ie)
705 struct rsn_ie_hdr *hdr;
707 hdr = (struct rsn_ie_hdr *) rsn_ie;
708 hdr->elem_id = RSN_INFO_ELEM;
709 hdr->version = host_to_le16(RSN_VERSION);
710 pos = (u8 *) (hdr + 1);
712 if (wpa_s->group_cipher == WPA_CIPHER_CCMP) {
713 memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
714 } else if (wpa_s->group_cipher == WPA_CIPHER_TKIP) {
715 memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
716 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP104) {
717 memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN);
718 } else if (wpa_s->group_cipher == WPA_CIPHER_WEP40) {
719 memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN);
721 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
722 wpa_s->group_cipher);
725 pos += RSN_SELECTOR_LEN;
729 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP) {
730 memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
731 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_TKIP) {
732 memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
733 } else if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) {
734 memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN);
736 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
737 wpa_s->pairwise_cipher);
740 pos += RSN_SELECTOR_LEN;
744 if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
745 memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN);
746 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK) {
747 memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X,
750 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
754 pos += RSN_SELECTOR_LEN;
756 /* RSN Capabilities */
760 if (wpa_s->cur_pmksa) {
761 /* PMKID Count (2 octets, little endian) */
765 memcpy(pos, wpa_s->cur_pmksa->pmkid, PMKID_LEN);
769 hdr->len = (pos - rsn_ie) - 2;
775 int wpa_gen_wpa_ie(struct wpa_supplicant *wpa_s, u8 *wpa_ie)
777 if (wpa_s->proto == WPA_PROTO_RSN)
778 return wpa_gen_wpa_ie_rsn(wpa_s, wpa_ie);
780 return wpa_gen_wpa_ie_wpa(wpa_s, wpa_ie);
784 static void wpa_pmk_to_ptk(u8 *pmk, size_t pmk_len, u8 *addr1, u8 *addr2,
785 u8 *nonce1, u8 *nonce2, u8 *ptk, size_t ptk_len)
787 u8 data[2 * ETH_ALEN + 2 * 32];
789 /* PTK = PRF-X(PMK, "Pairwise key expansion",
790 * Min(AA, SA) || Max(AA, SA) ||
791 * Min(ANonce, SNonce) || Max(ANonce, SNonce)) */
793 if (memcmp(addr1, addr2, ETH_ALEN) < 0) {
794 memcpy(data, addr1, ETH_ALEN);
795 memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
797 memcpy(data, addr2, ETH_ALEN);
798 memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
801 if (memcmp(nonce1, nonce2, 32) < 0) {
802 memcpy(data + 2 * ETH_ALEN, nonce1, 32);
803 memcpy(data + 2 * ETH_ALEN + 32, nonce2, 32);
805 memcpy(data + 2 * ETH_ALEN, nonce2, 32);
806 memcpy(data + 2 * ETH_ALEN + 32, nonce1, 32);
809 sha1_prf(pmk, pmk_len, "Pairwise key expansion", data, sizeof(data),
812 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
813 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", ptk, ptk_len);
817 struct wpa_ssid * wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s)
819 struct wpa_ssid *entry;
820 u8 ssid[MAX_SSID_LEN];
824 ssid_len = wpa_drv_get_ssid(wpa_s, ssid);
826 wpa_printf(MSG_WARNING, "Could not read SSID from driver.");
830 if (wpa_drv_get_bssid(wpa_s, bssid) < 0) {
831 wpa_printf(MSG_WARNING, "Could not read BSSID from driver.");
835 entry = wpa_s->conf->ssid;
837 if (ssid_len == entry->ssid_len &&
838 memcmp(ssid, entry->ssid, ssid_len) == 0 &&
839 (!entry->bssid_set ||
840 memcmp(bssid, entry->bssid, ETH_ALEN) == 0))
849 static void wpa_eapol_key_mic(u8 *key, int ver, u8 *buf, size_t len, u8 *mic)
851 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
852 hmac_md5(key, 16, buf, len, mic);
853 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
854 u8 hash[SHA1_MAC_LEN];
855 hmac_sha1(key, 16, buf, len, hash);
856 memcpy(mic, hash, MD5_MAC_LEN);
861 void wpa_supplicant_key_request(struct wpa_supplicant *wpa_s,
862 int error, int pairwise)
865 struct ieee802_1x_hdr *hdr;
866 struct wpa_eapol_key *reply;
868 struct l2_ethhdr *ethhdr;
872 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP)
873 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
875 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
877 if (wpa_drv_get_bssid(wpa_s, bssid) < 0) {
878 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
883 rlen = sizeof(*ethhdr) + sizeof(*hdr) + sizeof(*reply);
888 memset(rbuf, 0, rlen);
889 ethhdr = (struct l2_ethhdr *) rbuf;
890 memcpy(ethhdr->h_dest, bssid, ETH_ALEN);
891 memcpy(ethhdr->h_source, wpa_s->own_addr, ETH_ALEN);
892 ethhdr->h_proto = htons(ETH_P_EAPOL);
894 hdr = (struct ieee802_1x_hdr *) (ethhdr + 1);
895 hdr->version = wpa_s->conf->eapol_version;
896 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
897 hdr->length = htons(sizeof(*reply));
899 reply = (struct wpa_eapol_key *) (hdr + 1);
900 reply->type = wpa_s->proto == WPA_PROTO_RSN ?
901 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
902 key_info = WPA_KEY_INFO_REQUEST | ver;
904 key_info |= WPA_KEY_INFO_MIC;
906 key_info |= WPA_KEY_INFO_ERROR;
908 key_info |= WPA_KEY_INFO_KEY_TYPE;
909 reply->key_info = host_to_be16(key_info);
910 reply->key_length = 0;
911 memcpy(reply->replay_counter, wpa_s->request_counter,
912 WPA_REPLAY_COUNTER_LEN);
913 inc_byte_array(wpa_s->request_counter, WPA_REPLAY_COUNTER_LEN);
915 reply->key_data_length = host_to_be16(0);
917 if (key_info & WPA_KEY_INFO_MIC) {
918 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (u8 *) hdr,
919 rlen - sizeof(*ethhdr), reply->key_mic);
922 wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d "
923 "pairwise=%d ptk_set=%d len=%d)",
924 error, pairwise, wpa_s->ptk_set, rlen);
925 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key Request", rbuf, rlen);
926 l2_packet_send(wpa_s->l2, rbuf, rlen);
927 eapol_sm_notify_tx_eapol_key(wpa_s->eapol);
932 static void wpa_supplicant_process_1_of_4(struct wpa_supplicant *wpa_s,
933 unsigned char *src_addr,
934 struct wpa_eapol_key *key, int ver)
937 struct ieee802_1x_hdr *hdr;
938 struct wpa_eapol_key *reply;
940 struct l2_ethhdr *ethhdr;
941 struct wpa_ssid *ssid;
943 u8 buf[8], wpa_ie_buf[80], *wpa_ie, *pmkid = NULL;
945 int abort_cached = 0;
947 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE;
948 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from "
949 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
951 ssid = wpa_supplicant_get_ssid(wpa_s);
953 wpa_printf(MSG_WARNING, "WPA: No SSID info found (msg 1 of "
958 if (wpa_s->proto == WPA_PROTO_RSN) {
959 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
960 u8 *pos = (u8 *) (key + 1);
961 u8 *end = pos + be_to_host16(key->key_data_length);
962 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
963 pos, be_to_host16(key->key_data_length));
964 while (pos + 1 < end) {
965 if (pos + 2 + pos[1] > end) {
966 wpa_printf(MSG_DEBUG, "RSN: key data "
967 "underflow (ie=%d len=%d)",
971 if (pos[0] == GENERIC_INFO_ELEM &&
972 pos + 1 + RSN_SELECTOR_LEN < end &&
973 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
974 memcmp(pos + 2, RSN_KEY_DATA_PMKID,
975 RSN_SELECTOR_LEN) == 0) {
976 pmkid = pos + 2 + RSN_SELECTOR_LEN;
977 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
978 "Authenticator", pmkid, PMKID_LEN);
980 } else if (pos[0] == GENERIC_INFO_ELEM &&
987 if (wpa_s->assoc_wpa_ie) {
988 /* The driver reported a WPA IE that may be different from the
989 * one that the Supplicant would use. Message 2/4 has to use
990 * the exact copy of the WPA IE from the Association Request,
991 * so use the value reported by the driver. */
992 wpa_ie = wpa_s->assoc_wpa_ie;
993 wpa_ie_len = wpa_s->assoc_wpa_ie_len;
996 wpa_ie_len = wpa_gen_wpa_ie(wpa_s, wpa_ie);
997 if (wpa_ie_len < 0) {
998 wpa_printf(MSG_WARNING, "WPA: Failed to generate "
999 "WPA IE (for msg 2 of 4).");
1002 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4",
1003 wpa_ie, wpa_ie_len);
1006 rlen = sizeof(*ethhdr) + sizeof(*hdr) + sizeof(*reply) + wpa_ie_len;
1007 rbuf = malloc(rlen);
1011 memset(rbuf, 0, rlen);
1012 ethhdr = (struct l2_ethhdr *) rbuf;
1013 memcpy(ethhdr->h_dest, src_addr, ETH_ALEN);
1014 memcpy(ethhdr->h_source, wpa_s->own_addr, ETH_ALEN);
1015 ethhdr->h_proto = htons(ETH_P_EAPOL);
1017 hdr = (struct ieee802_1x_hdr *) (ethhdr + 1);
1018 hdr->version = wpa_s->conf->eapol_version;
1019 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1020 hdr->length = htons(sizeof(*reply) + wpa_ie_len);
1022 reply = (struct wpa_eapol_key *) (hdr + 1);
1023 reply->type = wpa_s->proto == WPA_PROTO_RSN ?
1024 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1025 reply->key_info = host_to_be16(ver | WPA_KEY_INFO_KEY_TYPE |
1027 reply->key_length = key->key_length;
1028 memcpy(reply->replay_counter, key->replay_counter,
1029 WPA_REPLAY_COUNTER_LEN);
1031 reply->key_data_length = host_to_be16(wpa_ie_len);
1032 memcpy(reply + 1, wpa_ie, wpa_ie_len);
1034 if (wpa_s->renew_snonce) {
1035 if (hostapd_get_rand(wpa_s->snonce, WPA_NONCE_LEN)) {
1036 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to get "
1037 "random data for SNonce");
1041 wpa_s->renew_snonce = 0;
1042 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
1043 wpa_s->snonce, WPA_NONCE_LEN);
1045 memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN);
1047 memcpy(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN);
1048 if (pmkid && !wpa_s->cur_pmksa) {
1049 /* When using drivers that generate RSN IE, wpa_supplicant may
1050 * not have enough time to get the association information
1051 * event before receiving this 1/4 message, so try to find a
1052 * matching PMKSA cache entry here. */
1053 wpa_s->cur_pmksa = pmksa_cache_get(wpa_s, src_addr, pmkid);
1054 if (wpa_s->cur_pmksa) {
1055 wpa_printf(MSG_DEBUG, "RSN: found matching PMKID from "
1058 wpa_printf(MSG_DEBUG, "RSN: no matching PMKID found");
1063 if (pmkid && wpa_s->cur_pmksa &&
1064 memcmp(pmkid, wpa_s->cur_pmksa->pmkid, PMKID_LEN) == 0) {
1065 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
1066 memcpy(wpa_s->pmk, wpa_s->cur_pmksa->pmk, PMK_LEN);
1067 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
1068 wpa_s->pmk, PMK_LEN);
1069 eapol_sm_notify_cached(wpa_s->eapol);
1070 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X && wpa_s->eapol) {
1073 res = eapol_sm_get_key(wpa_s->eapol, wpa_s->pmk, PMK_LEN);
1076 res = eapol_sm_get_key(wpa_s->eapol, wpa_s->pmk, 16);
1079 #endif /* EAP_LEAP */
1081 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
1082 "machines", wpa_s->pmk, pmk_len);
1083 wpa_s->pmk_len = pmk_len;
1084 pmksa_cache_add(wpa_s, wpa_s->pmk, pmk_len, src_addr,
1086 if (!wpa_s->cur_pmksa && pmkid &&
1087 pmksa_cache_get(wpa_s, src_addr, pmkid)) {
1088 wpa_printf(MSG_DEBUG, "RSN: the new PMK "
1089 "matches with the PMKID");
1093 wpa_msg(wpa_s, MSG_WARNING,
1094 "WPA: Failed to get master session key from "
1095 "EAPOL state machines");
1096 wpa_msg(wpa_s, MSG_WARNING,
1097 "WPA: Key handshake aborted");
1098 if (wpa_s->cur_pmksa) {
1099 wpa_printf(MSG_DEBUG, "RSN: Cancelled PMKSA "
1101 wpa_s->cur_pmksa = NULL;
1108 #ifdef CONFIG_XSUPPLICANT_IFACE
1109 } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X &&
1110 !wpa_s->ext_pmk_received) {
1111 wpa_printf(MSG_INFO, "WPA: Master session has not yet "
1112 "been received from the external IEEE "
1113 "802.1X Supplicant - ignoring WPA "
1117 #endif /* CONFIG_XSUPPLICANT_IFACE */
1120 if (abort_cached && wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
1121 /* Send EAPOL-Start to trigger full EAP authentication. */
1122 wpa_printf(MSG_DEBUG, "RSN: no PMKSA entry found - trigger "
1123 "full EAP authenication");
1124 wpa_eapol_send(wpa_s, IEEE802_1X_TYPE_EAPOL_START,
1130 wpa_pmk_to_ptk(wpa_s->pmk, wpa_s->pmk_len, wpa_s->own_addr, src_addr,
1131 wpa_s->snonce, key->key_nonce,
1132 (u8 *) ptk, sizeof(*ptk));
1133 /* Supplicant: swap tx/rx Mic keys */
1134 memcpy(buf, ptk->u.auth.tx_mic_key, 8);
1135 memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8);
1136 memcpy(ptk->u.auth.rx_mic_key, buf, 8);
1137 wpa_s->tptk_set = 1;
1138 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, (u8 *) hdr,
1139 rlen - sizeof(*ethhdr), reply->key_mic);
1140 wpa_hexdump(MSG_DEBUG, "WPA: EAPOL-Key MIC", reply->key_mic, 16);
1142 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
1143 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/4", rbuf, rlen);
1144 l2_packet_send(wpa_s->l2, rbuf, rlen);
1145 eapol_sm_notify_tx_eapol_key(wpa_s->eapol);
1150 static void wpa_supplicant_key_neg_complete(struct wpa_supplicant *wpa_s,
1151 u8 *addr, int secure)
1153 wpa_msg(wpa_s, MSG_INFO, "WPA: Key negotiation completed with "
1154 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1155 wpa_cipher_txt(wpa_s->pairwise_cipher),
1156 wpa_cipher_txt(wpa_s->group_cipher));
1157 eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL);
1158 wpa_supplicant_cancel_auth_timeout(wpa_s);
1159 wpa_s->wpa_state = WPA_COMPLETED;
1162 /* MLME.SETPROTECTION.request(TA, Tx_Rx) */
1163 eapol_sm_notify_portValid(wpa_s->eapol, TRUE);
1164 if (wpa_s->key_mgmt == WPA_KEY_MGMT_PSK)
1165 eapol_sm_notify_eap_success(wpa_s->eapol, TRUE);
1166 rsn_preauth_candidate_process(wpa_s);
1171 static int wpa_supplicant_install_ptk(struct wpa_supplicant *wpa_s,
1172 unsigned char *src_addr,
1173 struct wpa_eapol_key *key)
1175 int alg, keylen, rsclen;
1177 u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
1179 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver.");
1181 switch (wpa_s->pairwise_cipher) {
1182 case WPA_CIPHER_CCMP:
1187 case WPA_CIPHER_TKIP:
1192 case WPA_CIPHER_NONE:
1193 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: "
1194 "NONE - do not use pairwise keys");
1197 wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise cipher %d",
1198 wpa_s->pairwise_cipher);
1202 if (wpa_s->proto == WPA_PROTO_RSN) {
1205 key_rsc = key->key_rsc;
1206 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1209 wpa_s->keys_cleared = 0;
1210 if (wpa_drv_set_key(wpa_s, alg, src_addr, 0, 1, key_rsc, rsclen,
1211 (u8 *) &wpa_s->ptk.tk1, keylen) < 0) {
1212 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the "
1220 static int wpa_supplicant_check_group_cipher(struct wpa_supplicant *wpa_s,
1221 int keylen, int maxkeylen,
1222 int *key_rsc_len, int *alg)
1224 switch (wpa_s->group_cipher) {
1225 case WPA_CIPHER_CCMP:
1226 if (keylen != 16 || maxkeylen < 16) {
1227 wpa_printf(MSG_WARNING, "WPA: Unsupported CCMP Group "
1228 "Cipher key length %d (%d).",
1233 *alg = WPA_ALG_CCMP;
1235 case WPA_CIPHER_TKIP:
1236 if (keylen != 32 || maxkeylen < 32) {
1237 wpa_printf(MSG_WARNING, "WPA: Unsupported TKIP Group "
1238 "Cipher key length %d (%d).",
1243 *alg = WPA_ALG_TKIP;
1245 case WPA_CIPHER_WEP104:
1246 if (keylen != 13 || maxkeylen < 13) {
1247 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP104 Group"
1248 " Cipher key length %d (%d).",
1255 case WPA_CIPHER_WEP40:
1256 if (keylen != 5 || maxkeylen < 5) {
1257 wpa_printf(MSG_WARNING, "WPA: Unsupported WEP40 Group "
1258 "Cipher key length %d (%d).",
1266 wpa_printf(MSG_WARNING, "WPA: Unsupport Group Cipher %d",
1267 wpa_s->group_cipher);
1275 static int wpa_supplicant_install_gtk(struct wpa_supplicant *wpa_s,
1276 struct wpa_eapol_key *key, int alg,
1277 u8 *gtk, int gtk_len, int keyidx,
1278 int key_rsc_len, int tx)
1280 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gtk, gtk_len);
1281 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver "
1282 "(keyidx=%d tx=%d).", keyidx, tx);
1283 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key->key_rsc, key_rsc_len);
1284 if (wpa_s->group_cipher == WPA_CIPHER_TKIP) {
1285 /* Swap Tx/Rx keys for Michael MIC */
1287 memcpy(tmpbuf, gtk + 16, 8);
1288 memcpy(gtk + 16, gtk + 24, 8);
1289 memcpy(gtk + 24, tmpbuf, 8);
1291 wpa_s->keys_cleared = 0;
1292 if (wpa_s->pairwise_cipher == WPA_CIPHER_NONE) {
1293 if (wpa_drv_set_key(wpa_s, alg,
1294 (u8 *) "\xff\xff\xff\xff\xff\xff",
1295 keyidx, 1, key->key_rsc, key_rsc_len,
1296 gtk, gtk_len) < 0) {
1297 wpa_printf(MSG_WARNING, "WPA: Failed to set "
1298 "GTK to the driver (Group only).");
1301 } else if (wpa_drv_set_key(wpa_s, alg,
1302 (u8 *) "\xff\xff\xff\xff\xff\xff",
1303 keyidx, tx, key->key_rsc, key_rsc_len,
1304 gtk, gtk_len) < 0) {
1305 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to "
1314 static int wpa_supplicant_pairwise_gtk(struct wpa_supplicant *wpa_s,
1315 unsigned char *src_addr,
1316 struct wpa_eapol_key *key,
1317 u8 *gtk, int gtk_len, int key_info)
1319 int keyidx, tx, key_rsc_len = 0, alg;
1321 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1324 keyidx = gtk[0] & 0x3;
1325 tx = !!(gtk[0] & BIT(2));
1326 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) {
1327 /* Ignore Tx bit in GTK IE if a pairwise key is used. One AP
1328 * seemed to set this bit (incorrectly, since Tx is only when
1329 * doing Group Key only APs) and without this workaround, the
1330 * data connection does not work because wpa_supplicant
1331 * configured non-zero keyidx to be used for unicast. */
1332 wpa_printf(MSG_INFO, "RSN: Tx bit set for GTK IE, but "
1333 "pairwise keys are used - ignore Tx bit");
1339 if (wpa_supplicant_check_group_cipher(wpa_s, gtk_len, gtk_len,
1340 &key_rsc_len, &alg)) {
1344 if (wpa_supplicant_install_gtk(wpa_s, key, alg, gtk, gtk_len, keyidx,
1349 wpa_supplicant_key_neg_complete(wpa_s, src_addr,
1350 key_info & WPA_KEY_INFO_SECURE);
1355 static void wpa_report_ie_mismatch(struct wpa_supplicant *wpa_s,
1356 const char *reason, const u8 *src_addr,
1357 const u8 *wpa_ie, size_t wpa_ie_len,
1358 const u8 *rsn_ie, size_t rsn_ie_len)
1360 wpa_msg(wpa_s, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1361 reason, MAC2STR(src_addr));
1363 if (wpa_s->ap_wpa_ie) {
1364 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1365 wpa_s->ap_wpa_ie, wpa_s->ap_wpa_ie_len);
1368 if (!wpa_s->ap_wpa_ie) {
1369 wpa_printf(MSG_INFO, "WPA: No WPA IE in "
1370 "Beacon/ProbeResp");
1372 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1373 wpa_ie, wpa_ie_len);
1376 if (wpa_s->ap_rsn_ie) {
1377 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1378 wpa_s->ap_rsn_ie, wpa_s->ap_rsn_ie_len);
1381 if (!wpa_s->ap_rsn_ie) {
1382 wpa_printf(MSG_INFO, "WPA: No RSN IE in "
1383 "Beacon/ProbeResp");
1385 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1386 rsn_ie, rsn_ie_len);
1389 wpa_supplicant_disassociate(wpa_s, REASON_IE_IN_4WAY_DIFFERS);
1390 wpa_supplicant_req_scan(wpa_s, 0, 0);
1394 static void wpa_supplicant_process_3_of_4(struct wpa_supplicant *wpa_s,
1395 unsigned char *src_addr,
1396 struct wpa_eapol_key *key,
1397 int extra_len, int ver)
1400 struct ieee802_1x_hdr *hdr;
1401 struct wpa_eapol_key *reply;
1402 unsigned char *rbuf;
1403 struct l2_ethhdr *ethhdr;
1404 int key_info, wpa_ie_len = 0, rsn_ie_len = 0, keylen, gtk_len = 0;
1405 u8 *wpa_ie = NULL, *rsn_ie = NULL, *gtk = NULL;
1408 struct wpa_ssid *ssid = wpa_s->current_ssid;
1410 wpa_s->wpa_state = WPA_4WAY_HANDSHAKE;
1411 wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from "
1412 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1414 key_info = be_to_host16(key->key_info);
1416 pos = (u8 *) (key + 1);
1417 len = be_to_host16(key->key_data_length);
1419 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", pos, len);
1420 while (pos + 1 < end) {
1421 if (pos + 2 + pos[1] > end) {
1422 wpa_printf(MSG_DEBUG, "WPA: key data underflow (ie=%d "
1423 "len=%d)", pos[0], pos[1]);
1426 if (*pos == RSN_INFO_ELEM) {
1428 rsn_ie_len = pos[1] + 2;
1429 } else if (*pos == GENERIC_INFO_ELEM && pos[1] >= 6 &&
1430 memcmp(pos + 2, WPA_OUI_TYPE, WPA_SELECTOR_LEN) == 0
1431 && pos[2 + WPA_SELECTOR_LEN] == 1 &&
1432 pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
1434 wpa_ie_len = pos[1] + 2;
1435 } else if (pos[0] == GENERIC_INFO_ELEM &&
1436 pos[1] > RSN_SELECTOR_LEN + 2 &&
1437 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY,
1438 RSN_SELECTOR_LEN) == 0) {
1439 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1440 wpa_printf(MSG_WARNING, "WPA: GTK IE in "
1441 "unencrypted key data");
1444 gtk = pos + 2 + RSN_SELECTOR_LEN;
1445 gtk_len = pos[1] - RSN_SELECTOR_LEN;
1446 } else if (pos[0] == GENERIC_INFO_ELEM && pos[1] == 0)
1452 if (wpa_s->ap_wpa_ie == NULL && wpa_s->ap_rsn_ie == NULL) {
1453 wpa_printf(MSG_DEBUG, "WPA: No WPA/RSN IE for this AP known. "
1454 "Trying to get from scan results");
1455 if (wpa_supplicant_get_beacon_ie(wpa_s) < 0) {
1456 wpa_printf(MSG_WARNING, "WPA: Could not find AP from "
1457 "the scan results");
1459 wpa_printf(MSG_DEBUG, "WPA: Found the current AP from "
1460 "updated scan results");
1464 if ((wpa_ie && wpa_s->ap_wpa_ie &&
1465 (wpa_ie_len != wpa_s->ap_wpa_ie_len ||
1466 memcmp(wpa_ie, wpa_s->ap_wpa_ie, wpa_ie_len) != 0)) ||
1467 (rsn_ie && wpa_s->ap_rsn_ie &&
1468 (rsn_ie_len != wpa_s->ap_rsn_ie_len ||
1469 memcmp(rsn_ie, wpa_s->ap_rsn_ie, rsn_ie_len) != 0))) {
1470 wpa_report_ie_mismatch(wpa_s, "IE in 3/4 msg does not match "
1471 "with IE in Beacon/ProbeResp",
1472 src_addr, wpa_ie, wpa_ie_len,
1473 rsn_ie, rsn_ie_len);
1477 if (wpa_s->proto == WPA_PROTO_WPA &&
1478 rsn_ie && wpa_s->ap_rsn_ie == NULL &&
1479 ssid && (ssid->proto & WPA_PROTO_RSN)) {
1480 wpa_report_ie_mismatch(wpa_s, "Possible downgrade attack "
1481 "detected - RSN was enabled and RSN IE "
1482 "was in msg 3/4, but not in "
1484 src_addr, wpa_ie, wpa_ie_len,
1485 rsn_ie, rsn_ie_len);
1489 if (memcmp(wpa_s->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1490 wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way "
1491 "Handshake differs from 3 of 4-Way Handshake - drop"
1492 " packet (src=" MACSTR ")", MAC2STR(src_addr));
1496 keylen = be_to_host16(key->key_length);
1497 switch (wpa_s->pairwise_cipher) {
1498 case WPA_CIPHER_CCMP:
1500 wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length "
1501 "%d (src=" MACSTR ")",
1502 keylen, MAC2STR(src_addr));
1506 case WPA_CIPHER_TKIP:
1508 wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length "
1509 "%d (src=" MACSTR ")",
1510 keylen, MAC2STR(src_addr));
1516 rlen = sizeof(*ethhdr) + sizeof(*hdr) + sizeof(*reply);
1517 rbuf = malloc(rlen);
1521 memset(rbuf, 0, rlen);
1522 ethhdr = (struct l2_ethhdr *) rbuf;
1523 memcpy(ethhdr->h_dest, src_addr, ETH_ALEN);
1524 memcpy(ethhdr->h_source, wpa_s->own_addr, ETH_ALEN);
1525 ethhdr->h_proto = htons(ETH_P_EAPOL);
1527 hdr = (struct ieee802_1x_hdr *) (ethhdr + 1);
1528 hdr->version = wpa_s->conf->eapol_version;
1529 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1530 hdr->length = htons(sizeof(*reply));
1532 reply = (struct wpa_eapol_key *) (hdr + 1);
1533 reply->type = wpa_s->proto == WPA_PROTO_RSN ?
1534 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1535 reply->key_info = host_to_be16(ver | WPA_KEY_INFO_KEY_TYPE |
1537 (key_info & WPA_KEY_INFO_SECURE));
1538 reply->key_length = key->key_length;
1539 memcpy(reply->replay_counter, key->replay_counter,
1540 WPA_REPLAY_COUNTER_LEN);
1542 reply->key_data_length = host_to_be16(0);
1544 memcpy(reply->key_nonce, wpa_s->snonce, WPA_NONCE_LEN);
1545 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (u8 *) hdr,
1546 rlen - sizeof(*ethhdr), reply->key_mic);
1548 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1549 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 4/4", rbuf, rlen);
1550 l2_packet_send(wpa_s->l2, rbuf, rlen);
1551 eapol_sm_notify_tx_eapol_key(wpa_s->eapol);
1554 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1555 * for the next 4-Way Handshake. If msg 3 is received again, the old
1556 * SNonce will still be used to avoid changing PTK. */
1557 wpa_s->renew_snonce = 1;
1559 if (key_info & WPA_KEY_INFO_INSTALL) {
1560 wpa_supplicant_install_ptk(wpa_s, src_addr, key);
1563 if (key_info & WPA_KEY_INFO_SECURE) {
1564 /* MLME.SETPROTECTION.request(TA, Tx_Rx) */
1565 eapol_sm_notify_portValid(wpa_s->eapol, TRUE);
1567 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE;
1570 wpa_supplicant_pairwise_gtk(wpa_s, src_addr, key,
1571 gtk, gtk_len, key_info);
1576 static void wpa_supplicant_process_1_of_2(struct wpa_supplicant *wpa_s,
1577 unsigned char *src_addr,
1578 struct wpa_eapol_key *key,
1579 int extra_len, int ver)
1582 struct ieee802_1x_hdr *hdr;
1583 struct wpa_eapol_key *reply;
1584 unsigned char *rbuf;
1585 struct l2_ethhdr *ethhdr;
1586 int key_info, keylen, keydatalen, maxkeylen, keyidx, key_rsc_len = 0;
1590 size_t gtk_ie_len = 0;
1592 rekey = wpa_s->wpa_state == WPA_COMPLETED;
1593 wpa_s->wpa_state = WPA_GROUP_HANDSHAKE;
1594 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from "
1595 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1597 key_info = be_to_host16(key->key_info);
1598 keydatalen = be_to_host16(key->key_data_length);
1600 if (wpa_s->proto == WPA_PROTO_RSN) {
1601 u8 *pos = (u8 *) (key + 1);
1602 u8 *end = pos + keydatalen;
1603 while (pos + 1 < end) {
1604 if (pos + 2 + pos[1] > end) {
1605 wpa_printf(MSG_DEBUG, "RSN: key data "
1606 "underflow (ie=%d len=%d)",
1610 if (pos[0] == GENERIC_INFO_ELEM &&
1611 pos + 1 + RSN_SELECTOR_LEN < end &&
1612 pos[1] > RSN_SELECTOR_LEN + 2 &&
1613 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY,
1614 RSN_SELECTOR_LEN) == 0) {
1615 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1616 wpa_printf(MSG_WARNING, "WPA: GTK IE "
1617 "in unencrypted key data");
1620 gtk_ie = pos + 2 + RSN_SELECTOR_LEN;
1621 gtk_ie_len = pos[1] - RSN_SELECTOR_LEN;
1623 } else if (pos[0] == GENERIC_INFO_ELEM &&
1630 if (gtk_ie == NULL) {
1631 wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key "
1635 maxkeylen = keylen = gtk_ie_len - 2;
1637 keylen = be_to_host16(key->key_length);
1638 maxkeylen = keydatalen;
1639 if (keydatalen > extra_len) {
1640 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:"
1641 " key_data_length=%d > extra_len=%d",
1642 keydatalen, extra_len);
1645 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES)
1649 if (wpa_supplicant_check_group_cipher(wpa_s, keylen, maxkeylen,
1650 &key_rsc_len, &alg)) {
1654 if (wpa_s->proto == WPA_PROTO_RSN) {
1655 wpa_hexdump(MSG_DEBUG,
1656 "RSN: received GTK in group key handshake",
1657 gtk_ie, gtk_ie_len);
1658 keyidx = gtk_ie[0] & 0x3;
1659 tx = !!(gtk_ie[0] & BIT(2));
1660 if (gtk_ie_len - 2 > sizeof(gtk)) {
1661 wpa_printf(MSG_INFO, "RSN: Too long GTK in GTK IE "
1663 (unsigned long) gtk_ie_len - 2);
1666 memcpy(gtk, gtk_ie + 2, gtk_ie_len - 2);
1668 keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1669 WPA_KEY_INFO_KEY_INDEX_SHIFT;
1670 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
1671 memcpy(ek, key->key_iv, 16);
1672 memcpy(ek + 16, wpa_s->ptk.encr_key, 16);
1673 rc4_skip(ek, 32, 256, (u8 *) (key + 1), keydatalen);
1674 memcpy(gtk, key + 1, keylen);
1675 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1676 if (keydatalen % 8) {
1677 wpa_printf(MSG_WARNING, "WPA: Unsupported "
1678 "AES-WRAP len %d", keydatalen);
1681 if (aes_unwrap(wpa_s->ptk.encr_key, maxkeylen / 8,
1682 (u8 *) (key + 1), gtk)) {
1683 wpa_printf(MSG_WARNING, "WPA: AES unwrap "
1684 "failed - could not decrypt GTK");
1688 tx = !!(key_info & WPA_KEY_INFO_TXRX);
1691 if (tx && wpa_s->pairwise_cipher != WPA_CIPHER_NONE) {
1692 /* Ignore Tx bit in Group Key message if a pairwise key
1693 * is used. Some APs seem to setting this bit
1694 * (incorrectly, since Tx is only when doing Group Key
1695 * only APs) and without this workaround, the data
1696 * connection does not work because wpa_supplicant
1697 * configured non-zero keyidx to be used for unicast.
1699 wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but "
1700 "pairwise keys are used - ignore Tx bit");
1704 wpa_supplicant_install_gtk(wpa_s, key, alg, gtk, keylen, keyidx,
1707 rlen = sizeof(*ethhdr) + sizeof(*hdr) + sizeof(*reply);
1708 rbuf = malloc(rlen);
1712 memset(rbuf, 0, rlen);
1713 ethhdr = (struct l2_ethhdr *) rbuf;
1714 memcpy(ethhdr->h_dest, src_addr, ETH_ALEN);
1715 memcpy(ethhdr->h_source, wpa_s->own_addr, ETH_ALEN);
1716 ethhdr->h_proto = htons(ETH_P_EAPOL);
1718 hdr = (struct ieee802_1x_hdr *) (ethhdr + 1);
1719 hdr->version = wpa_s->conf->eapol_version;
1720 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1721 hdr->length = htons(sizeof(*reply));
1723 reply = (struct wpa_eapol_key *) (hdr + 1);
1724 reply->type = wpa_s->proto == WPA_PROTO_RSN ?
1725 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1727 host_to_be16(ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE |
1728 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK));
1729 reply->key_length = key->key_length;
1730 memcpy(reply->replay_counter, key->replay_counter,
1731 WPA_REPLAY_COUNTER_LEN);
1733 reply->key_data_length = host_to_be16(0);
1735 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, (u8 *) hdr,
1736 rlen - sizeof(*ethhdr), reply->key_mic);
1738 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1739 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key 2/2", rbuf, rlen);
1740 l2_packet_send(wpa_s->l2, rbuf, rlen);
1741 eapol_sm_notify_tx_eapol_key(wpa_s->eapol);
1745 wpa_msg(wpa_s, MSG_INFO, "WPA: Group rekeying completed with "
1746 MACSTR " [GTK=%s]", MAC2STR(src_addr),
1747 wpa_cipher_txt(wpa_s->group_cipher));
1748 wpa_s->wpa_state = WPA_COMPLETED;
1750 wpa_supplicant_key_neg_complete(wpa_s, src_addr,
1752 WPA_KEY_INFO_SECURE);
1757 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_supplicant *wpa_s,
1758 struct wpa_eapol_key *key,
1759 int ver, u8 *buf, size_t len)
1764 memcpy(mic, key->key_mic, 16);
1765 if (wpa_s->tptk_set) {
1766 memset(key->key_mic, 0, 16);
1767 wpa_eapol_key_mic(wpa_s->tptk.mic_key, ver, buf, len,
1769 if (memcmp(mic, key->key_mic, 16) != 0) {
1770 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
1771 "when using TPTK - ignoring TPTK");
1774 wpa_s->tptk_set = 0;
1776 memcpy(&wpa_s->ptk, &wpa_s->tptk, sizeof(wpa_s->ptk));
1780 if (!ok && wpa_s->ptk_set) {
1781 memset(key->key_mic, 0, 16);
1782 wpa_eapol_key_mic(wpa_s->ptk.mic_key, ver, buf, len,
1784 if (memcmp(mic, key->key_mic, 16) != 0) {
1785 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
1786 "- dropping packet");
1793 wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC "
1794 "- dropping packet");
1798 memcpy(wpa_s->rx_replay_counter, key->replay_counter,
1799 WPA_REPLAY_COUNTER_LEN);
1800 wpa_s->rx_replay_counter_set = 1;
1805 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1806 static int wpa_supplicant_decrypt_key_data(struct wpa_supplicant *wpa_s,
1807 struct wpa_eapol_key *key, int ver)
1809 int keydatalen = be_to_host16(key->key_data_length);
1811 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
1812 (u8 *) (key + 1), keydatalen);
1813 if (!wpa_s->ptk_set) {
1814 wpa_printf(MSG_WARNING, "WPA: PTK not available, "
1815 "cannot decrypt EAPOL-Key key data.");
1819 /* Decrypt key data here so that this operation does not need
1820 * to be implemented separately for each message type. */
1821 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
1823 memcpy(ek, key->key_iv, 16);
1824 memcpy(ek + 16, wpa_s->ptk.encr_key, 16);
1825 rc4_skip(ek, 32, 256, (u8 *) (key + 1), keydatalen);
1826 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1828 if (keydatalen % 8) {
1829 wpa_printf(MSG_WARNING, "WPA: Unsupported "
1830 "AES-WRAP len %d", keydatalen);
1833 keydatalen -= 8; /* AES-WRAP adds 8 bytes */
1834 buf = malloc(keydatalen);
1836 wpa_printf(MSG_WARNING, "WPA: No memory for "
1837 "AES-UNWRAP buffer");
1840 if (aes_unwrap(wpa_s->ptk.encr_key, keydatalen / 8,
1841 (u8 *) (key + 1), buf)) {
1843 wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - "
1844 "could not decrypt EAPOL-Key key data");
1847 memcpy(key + 1, buf, keydatalen);
1849 key->key_data_length = host_to_be16(keydatalen);
1851 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
1852 (u8 *) (key + 1), keydatalen);
1857 static void wpa_sm_rx_eapol(struct wpa_supplicant *wpa_s,
1858 unsigned char *src_addr, unsigned char *buf,
1861 size_t plen, data_len, extra_len;
1862 struct ieee802_1x_hdr *hdr;
1863 struct wpa_eapol_key *key;
1866 hdr = (struct ieee802_1x_hdr *) buf;
1867 key = (struct wpa_eapol_key *) (hdr + 1);
1868 if (len < sizeof(*hdr) + sizeof(*key)) {
1869 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short, len %lu, "
1870 "expecting at least %lu",
1871 (unsigned long) len,
1872 (unsigned long) sizeof(*hdr) + sizeof(*key));
1875 plen = ntohs(hdr->length);
1876 data_len = plen + sizeof(*hdr);
1877 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%lu",
1878 hdr->version, hdr->type, (unsigned long) plen);
1880 wpa_drv_poll(wpa_s);
1882 if (hdr->version < EAPOL_VERSION) {
1883 /* TODO: backwards compatibility */
1885 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
1886 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, "
1887 "not a Key frame", hdr->type);
1888 if (wpa_s->cur_pmksa) {
1889 wpa_printf(MSG_DEBUG, "WPA: Cancelling PMKSA caching "
1890 "attempt - attempt full EAP "
1892 eapol_sm_notify_pmkid_attempt(wpa_s->eapol, 0);
1896 if (plen > len - sizeof(*hdr) || plen < sizeof(*key)) {
1897 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %lu "
1898 "invalid (frame size %lu)",
1899 (unsigned long) plen, (unsigned long) len);
1903 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type);
1904 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
1906 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, "
1907 "discarded", key->type);
1911 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
1912 if (data_len < len) {
1913 wpa_printf(MSG_DEBUG, "WPA: ignoring %lu bytes after the IEEE "
1914 "802.1X data", (unsigned long) len - data_len);
1916 key_info = be_to_host16(key->key_info);
1917 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1918 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
1919 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1920 wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor "
1921 "version %d.", ver);
1925 if (wpa_s->pairwise_cipher == WPA_CIPHER_CCMP &&
1926 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1927 wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key "
1928 "descriptor version (%d) is not 2.", ver);
1929 if (wpa_s->group_cipher != WPA_CIPHER_CCMP &&
1930 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1931 /* Earlier versions of IEEE 802.11i did not explicitly
1932 * require version 2 descriptor for all EAPOL-Key
1933 * packets, so allow group keys to use version 1 if
1934 * CCMP is not used for them. */
1935 wpa_printf(MSG_INFO, "WPA: Backwards compatibility: "
1936 "allow invalid version for non-CCMP group "
1942 if (wpa_s->rx_replay_counter_set &&
1943 memcmp(key->replay_counter, wpa_s->rx_replay_counter,
1944 WPA_REPLAY_COUNTER_LEN) <= 0) {
1945 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not"
1946 " increase - dropping packet");
1950 if (!(key_info & WPA_KEY_INFO_ACK)) {
1951 wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info");
1955 if (key_info & WPA_KEY_INFO_REQUEST) {
1956 wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - "
1961 if ((key_info & WPA_KEY_INFO_MIC) &&
1962 wpa_supplicant_verify_eapol_key_mic(wpa_s, key, ver, buf,
1966 extra_len = data_len - sizeof(*hdr) - sizeof(*key);
1968 if (be_to_host16(key->key_data_length) > extra_len) {
1969 wpa_msg(wpa_s, MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
1970 "key_data overflow (%d > %lu)",
1971 be_to_host16(key->key_data_length),
1972 (unsigned long) extra_len);
1976 if (wpa_s->proto == WPA_PROTO_RSN &&
1977 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1978 wpa_supplicant_decrypt_key_data(wpa_s, key, ver))
1981 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1982 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
1983 wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key "
1984 "(Pairwise) with non-zero key index");
1987 if (key_info & WPA_KEY_INFO_MIC) {
1988 /* 3/4 4-Way Handshake */
1989 wpa_supplicant_process_3_of_4(wpa_s, src_addr, key,
1992 /* 1/4 4-Way Handshake */
1993 wpa_supplicant_process_1_of_4(wpa_s, src_addr, key,
1997 if (key_info & WPA_KEY_INFO_MIC) {
1998 /* 1/2 Group Key Handshake */
1999 wpa_supplicant_process_1_of_2(wpa_s, src_addr, key,
2002 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) "
2003 "without Mic bit - dropped");
2009 void wpa_supplicant_rx_eapol(void *ctx, unsigned char *src_addr,
2010 unsigned char *buf, size_t len)
2012 struct wpa_supplicant *wpa_s = ctx;
2014 wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr));
2015 wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len);
2017 if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE) {
2018 wpa_printf(MSG_DEBUG, "Ignored received EAPOL frame since "
2019 "no key management is configured");
2023 if (wpa_s->eapol_received == 0) {
2024 /* Timeout for completing IEEE 802.1X and WPA authentication */
2025 wpa_supplicant_req_auth_timeout(
2027 (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ||
2028 wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA) ?
2031 wpa_s->eapol_received++;
2033 if (wpa_s->countermeasures) {
2034 wpa_printf(MSG_INFO, "WPA: Countermeasures - dropped EAPOL "
2039 /* Source address of the incoming EAPOL frame could be compared to the
2040 * current BSSID. However, it is possible that a centralized
2041 * Authenticator could be using another MAC address than the BSSID of
2042 * an AP, so just allow any address to be used for now. The replies are
2043 * still sent to the current BSSID (if available), though. */
2045 memcpy(wpa_s->last_eapol_src, src_addr, ETH_ALEN);
2046 eapol_sm_rx_eapol(wpa_s->eapol, src_addr, buf, len);
2047 wpa_sm_rx_eapol(wpa_s, src_addr, buf, len);
2051 static int wpa_cipher_bits(int cipher)
2054 case WPA_CIPHER_CCMP:
2056 case WPA_CIPHER_TKIP:
2058 case WPA_CIPHER_WEP104:
2060 case WPA_CIPHER_WEP40:
2068 static const u8 * wpa_key_mgmt_suite(struct wpa_supplicant *wpa_s)
2070 static const u8 *dummy = (u8 *) "\x00\x00\x00\x00";
2071 switch (wpa_s->key_mgmt) {
2072 case WPA_KEY_MGMT_IEEE8021X:
2073 return (wpa_s->proto == WPA_PROTO_RSN ?
2074 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2075 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2076 case WPA_KEY_MGMT_PSK:
2077 return (wpa_s->proto == WPA_PROTO_RSN ?
2078 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2079 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2080 case WPA_KEY_MGMT_WPA_NONE:
2081 return WPA_AUTH_KEY_MGMT_NONE;
2088 static const u8 * wpa_cipher_suite(struct wpa_supplicant *wpa_s, int cipher)
2090 static const u8 *dummy = (u8 *) "\x00\x00\x00\x00";
2092 case WPA_CIPHER_CCMP:
2093 return (wpa_s->proto == WPA_PROTO_RSN ?
2094 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
2095 case WPA_CIPHER_TKIP:
2096 return (wpa_s->proto == WPA_PROTO_RSN ?
2097 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
2098 case WPA_CIPHER_WEP104:
2099 return (wpa_s->proto == WPA_PROTO_RSN ?
2100 RSN_CIPHER_SUITE_WEP104 : WPA_CIPHER_SUITE_WEP104);
2101 case WPA_CIPHER_WEP40:
2102 return (wpa_s->proto == WPA_PROTO_RSN ?
2103 RSN_CIPHER_SUITE_WEP40 : WPA_CIPHER_SUITE_WEP40);
2104 case WPA_CIPHER_NONE:
2105 return (wpa_s->proto == WPA_PROTO_RSN ?
2106 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
2113 #define RSN_SUITE "%02x-%02x-%02x-%d"
2114 #define RSN_SUITE_ARG(s) (s)[0], (s)[1], (s)[2], (s)[3]
2116 int wpa_get_mib(struct wpa_supplicant *wpa_s, char *buf, size_t buflen)
2119 char pmkid_txt[PMKID_LEN * 2 + 1];
2121 if (wpa_s->cur_pmksa) {
2122 char *pos = pmkid_txt;
2123 for (i = 0; i < PMKID_LEN; i++) {
2124 pos += sprintf(pos, "%02x",
2125 wpa_s->cur_pmksa->pmkid[i]);
2128 pmkid_txt[0] = '\0';
2130 len = snprintf(buf, buflen,
2131 "dot11RSNAConfigVersion=%d\n"
2132 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2133 "dot11RSNAConfigGroupCipherSize=%d\n"
2134 "dot11RSNAConfigPMKLifetime=%d\n"
2135 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2136 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2137 "dot11RSNAConfigSATimeout=%d\n"
2138 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2139 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2140 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2141 "dot11RSNAPMKIDUsed=%s\n"
2142 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2143 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2144 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2145 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
2147 wpa_cipher_bits(wpa_s->group_cipher),
2148 dot11RSNAConfigPMKLifetime,
2149 dot11RSNAConfigPMKReauthThreshold,
2150 dot11RSNAConfigSATimeout,
2151 RSN_SUITE_ARG(wpa_key_mgmt_suite(wpa_s)),
2152 RSN_SUITE_ARG(wpa_cipher_suite(wpa_s,
2153 wpa_s->pairwise_cipher)),
2154 RSN_SUITE_ARG(wpa_cipher_suite(wpa_s,
2155 wpa_s->group_cipher)),
2157 RSN_SUITE_ARG(wpa_key_mgmt_suite(wpa_s)),
2158 RSN_SUITE_ARG(wpa_cipher_suite(wpa_s,
2159 wpa_s->pairwise_cipher)),
2160 RSN_SUITE_ARG(wpa_cipher_suite(wpa_s,
2161 wpa_s->group_cipher)));
2166 #ifdef IEEE8021X_EAPOL
2168 static void rsn_preauth_receive(void *ctx, unsigned char *src_addr,
2169 unsigned char *buf, size_t len)
2171 struct wpa_supplicant *wpa_s = ctx;
2173 wpa_printf(MSG_DEBUG, "RX pre-auth from " MACSTR, MAC2STR(src_addr));
2174 wpa_hexdump(MSG_MSGDUMP, "RX pre-auth", buf, len);
2176 if (wpa_s->preauth_eapol == NULL ||
2177 memcmp(wpa_s->preauth_bssid, "\x00\x00\x00\x00\x00\x00",
2179 memcmp(wpa_s->preauth_bssid, src_addr, ETH_ALEN) != 0) {
2180 wpa_printf(MSG_WARNING, "RSN pre-auth frame received from "
2181 "unexpected source " MACSTR " - dropped",
2186 eapol_sm_rx_eapol(wpa_s->preauth_eapol, src_addr, buf, len);
2190 static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success,
2193 struct wpa_supplicant *wpa_s = ctx;
2196 wpa_msg(wpa_s, MSG_INFO, "RSN: pre-authentication with " MACSTR
2197 " %s", MAC2STR(wpa_s->preauth_bssid),
2198 success ? "completed successfully" : "failed");
2203 res = eapol_sm_get_key(eapol, pmk, PMK_LEN);
2206 res = eapol_sm_get_key(eapol, pmk, 16);
2209 #endif /* EAP_LEAP */
2211 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from pre-auth",
2213 wpa_s->pmk_len = pmk_len;
2214 pmksa_cache_add(wpa_s, pmk, pmk_len,
2215 wpa_s->preauth_bssid, wpa_s->own_addr);
2217 wpa_msg(wpa_s, MSG_INFO, "RSN: failed to get master "
2218 "session key from pre-auth EAPOL state "
2223 rsn_preauth_deinit(wpa_s);
2224 rsn_preauth_candidate_process(wpa_s);
2228 static void rsn_preauth_timeout(void *eloop_ctx, void *timeout_ctx)
2230 struct wpa_supplicant *wpa_s = eloop_ctx;
2231 wpa_msg(wpa_s, MSG_INFO, "RSN: pre-authentication with " MACSTR
2232 " timed out", MAC2STR(wpa_s->preauth_bssid));
2233 rsn_preauth_deinit(wpa_s);
2234 rsn_preauth_candidate_process(wpa_s);
2238 int rsn_preauth_init(struct wpa_supplicant *wpa_s, u8 *dst)
2240 struct eapol_config eapol_conf;
2241 struct eapol_ctx *ctx;
2243 if (wpa_s->preauth_eapol)
2246 wpa_msg(wpa_s, MSG_DEBUG, "RSN: starting pre-authentication with "
2247 MACSTR, MAC2STR(dst));
2249 wpa_s->l2_preauth = l2_packet_init(wpa_s->ifname,
2250 wpa_drv_get_mac_addr(wpa_s),
2252 rsn_preauth_receive, wpa_s);
2253 if (wpa_s->l2_preauth == NULL) {
2254 wpa_printf(MSG_WARNING, "RSN: Failed to initialize L2 packet "
2255 "processing for pre-authentication");
2259 ctx = malloc(sizeof(*ctx));
2261 wpa_printf(MSG_WARNING, "Failed to allocate EAPOL context.");
2264 memset(ctx, 0, sizeof(*ctx));
2266 ctx->msg_ctx = wpa_s;
2268 ctx->cb = rsn_preauth_eapol_cb;
2269 ctx->cb_ctx = wpa_s;
2270 ctx->scard_ctx = wpa_s->scard;
2271 ctx->eapol_done_cb = wpa_supplicant_notify_eapol_done;
2272 ctx->eapol_send = wpa_eapol_send_preauth;
2274 wpa_s->preauth_eapol = eapol_sm_init(ctx);
2275 if (wpa_s->preauth_eapol == NULL) {
2277 wpa_printf(MSG_WARNING, "RSN: Failed to initialize EAPOL "
2278 "state machines for pre-authentication");
2281 memset(&eapol_conf, 0, sizeof(eapol_conf));
2282 eapol_conf.accept_802_1x_keys = 0;
2283 eapol_conf.required_keys = 0;
2284 eapol_conf.fast_reauth = wpa_s->conf->fast_reauth;
2285 if (wpa_s->current_ssid)
2286 eapol_conf.workaround = wpa_s->current_ssid->eap_workaround;
2287 eapol_sm_notify_config(wpa_s->preauth_eapol, wpa_s->current_ssid,
2289 memcpy(wpa_s->preauth_bssid, dst, ETH_ALEN);
2291 eapol_sm_notify_portValid(wpa_s->preauth_eapol, TRUE);
2292 /* 802.1X::portControl = Auto */
2293 eapol_sm_notify_portEnabled(wpa_s->preauth_eapol, TRUE);
2295 eloop_register_timeout(60, 0, rsn_preauth_timeout, wpa_s, NULL);
2301 void rsn_preauth_deinit(struct wpa_supplicant *wpa_s)
2303 if (!wpa_s->preauth_eapol)
2306 eloop_cancel_timeout(rsn_preauth_timeout, wpa_s, NULL);
2307 eapol_sm_deinit(wpa_s->preauth_eapol);
2308 wpa_s->preauth_eapol = NULL;
2309 memset(wpa_s->preauth_bssid, 0, ETH_ALEN);
2311 l2_packet_deinit(wpa_s->l2_preauth);
2312 wpa_s->l2_preauth = NULL;
2316 static void rsn_preauth_candidate_process(struct wpa_supplicant *wpa_s)
2318 struct rsn_pmksa_candidate *candidate;
2320 if (wpa_s->pmksa_candidates == NULL)
2323 /* TODO: drop priority for old candidate entries */
2325 wpa_msg(wpa_s, MSG_DEBUG, "RSN: processing PMKSA candidate list");
2326 if (wpa_s->preauth_eapol ||
2327 wpa_s->proto != WPA_PROTO_RSN ||
2328 wpa_s->wpa_state != WPA_COMPLETED ||
2329 wpa_s->key_mgmt != WPA_KEY_MGMT_IEEE8021X) {
2330 wpa_msg(wpa_s, MSG_DEBUG, "RSN: not in suitable state for new "
2331 "pre-authentication");
2332 return; /* invalid state for new pre-auth */
2335 while (wpa_s->pmksa_candidates) {
2336 struct rsn_pmksa_cache *p = NULL;
2337 candidate = wpa_s->pmksa_candidates;
2338 p = pmksa_cache_get(wpa_s, candidate->bssid, NULL);
2339 if (memcmp(wpa_s->bssid, candidate->bssid, ETH_ALEN) != 0 &&
2341 wpa_msg(wpa_s, MSG_DEBUG, "RSN: PMKSA candidate "
2342 MACSTR " selected for pre-authentication",
2343 MAC2STR(candidate->bssid));
2344 wpa_s->pmksa_candidates = candidate->next;
2345 rsn_preauth_init(wpa_s, candidate->bssid);
2349 wpa_msg(wpa_s, MSG_DEBUG, "RSN: PMKSA candidate " MACSTR
2350 " does not need pre-authentication anymore",
2351 MAC2STR(candidate->bssid));
2352 /* Some drivers (e.g., NDIS) expect to get notified about the
2353 * PMKIDs again, so report the existing data now. */
2355 wpa_drv_add_pmkid(wpa_s, candidate->bssid, p->pmkid);
2357 wpa_s->pmksa_candidates = candidate->next;
2360 wpa_msg(wpa_s, MSG_DEBUG, "RSN: no more pending PMKSA candidates");
2364 void pmksa_candidate_add(struct wpa_supplicant *wpa_s, const u8 *bssid,
2367 struct rsn_pmksa_candidate *cand, *prev, *pos;
2369 /* If BSSID already on candidate list, update the priority of the old
2370 * entry. Do not override priority based on normal scan results. */
2372 cand = wpa_s->pmksa_candidates;
2374 if (memcmp(cand->bssid, bssid, ETH_ALEN) == 0) {
2376 prev->next = cand->next;
2378 wpa_s->pmksa_candidates = cand->next;
2386 if (prio < PMKID_CANDIDATE_PRIO_SCAN)
2387 cand->priority = prio;
2389 cand = malloc(sizeof(*cand));
2392 memset(cand, 0, sizeof(*cand));
2393 memcpy(cand->bssid, bssid, ETH_ALEN);
2394 cand->priority = prio;
2397 /* Add candidate to the list; order by increasing priority value. i.e.,
2398 * highest priority (smallest value) first. */
2400 pos = wpa_s->pmksa_candidates;
2402 if (cand->priority <= pos->priority)
2411 wpa_s->pmksa_candidates = cand;
2413 wpa_msg(wpa_s, MSG_DEBUG, "RSN: added PMKSA cache "
2414 "candidate " MACSTR " prio %d", MAC2STR(bssid), prio);
2415 rsn_preauth_candidate_process(wpa_s);
2419 /* TODO: schedule periodic scans if current AP supports preauth */
2420 void rsn_preauth_scan_results(struct wpa_supplicant *wpa_s,
2421 struct wpa_scan_result *results, int count)
2423 struct wpa_scan_result *r;
2424 struct wpa_ie_data ie;
2427 if (wpa_s->current_ssid == NULL)
2430 pmksa_candidate_free(wpa_s);
2432 for (i = count - 1; i >= 0; i--) {
2434 if (r->ssid_len == wpa_s->current_ssid->ssid_len &&
2435 memcmp(r->ssid, wpa_s->current_ssid->ssid, r->ssid_len) ==
2437 memcmp(r->bssid, wpa_s->bssid, ETH_ALEN) != 0 &&
2438 r->rsn_ie_len > 0 &&
2439 wpa_parse_wpa_ie(wpa_s, r->rsn_ie, r->rsn_ie_len, &ie) ==
2441 (ie.capabilities & WPA_CAPABILITY_PREAUTH) &&
2442 pmksa_cache_get(wpa_s, r->bssid, NULL) == NULL) {
2443 /* Give less priority to candidates found from normal
2445 pmksa_candidate_add(wpa_s, r->bssid,
2446 PMKID_CANDIDATE_PRIO_SCAN);
2451 #else /* IEEE8021X_EAPOL */
2453 static void rsn_preauth_candidate_process(struct wpa_supplicant *wpa_s)
2457 #endif /* IEEE8021X_EAPOL */