00001
00016 #include <stdlib.h>
00017 #include <stdio.h>
00018 #ifndef CONFIG_NATIVE_WINDOWS
00019 #include <netinet/in.h>
00020 #endif
00021 #include <string.h>
00022
00023 #include "common.h"
00024 #include "md5.h"
00025 #include "sha1.h"
00026 #include "rc4.h"
00027 #include "aes_wrap.h"
00028 #include "wpa.h"
00029 #include "eloop.h"
00030 #include "wpa_supplicant.h"
00031 #include "config.h"
00032 #include "l2_packet.h"
00033 #include "eapol_sm.h"
00034 #include "preauth.h"
00035 #include "wpa_i.h"
00036
00037
00038 static const int WPA_SELECTOR_LEN = 4;
00039 static const u8 WPA_OUI_TYPE[] = { 0x00, 0x50, 0xf2, 1 };
00040 static const u16 WPA_VERSION = 1;
00041 static const u8 WPA_AUTH_KEY_MGMT_NONE[] = { 0x00, 0x50, 0xf2, 0 };
00042 static const u8 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x50, 0xf2, 1 };
00043 static const u8 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x50, 0xf2, 2 };
00044 static const u8 WPA_CIPHER_SUITE_NONE[] = { 0x00, 0x50, 0xf2, 0 };
00045 static const u8 WPA_CIPHER_SUITE_WEP40[] = { 0x00, 0x50, 0xf2, 1 };
00046 static const u8 WPA_CIPHER_SUITE_TKIP[] = { 0x00, 0x50, 0xf2, 2 };
00047 static const u8 WPA_CIPHER_SUITE_WRAP[] = { 0x00, 0x50, 0xf2, 3 };
00048 static const u8 WPA_CIPHER_SUITE_CCMP[] = { 0x00, 0x50, 0xf2, 4 };
00049 static const u8 WPA_CIPHER_SUITE_WEP104[] = { 0x00, 0x50, 0xf2, 5 };
00050
00051
00052
00053
00054
00055
00056
00057
00058
00059
00060
00061
00062
00063
00064
00065 struct wpa_ie_hdr {
00066 u8 elem_id;
00067 u8 len;
00068 u8 oui[3];
00069 u8 oui_type;
00070 u8 version[2];
00071 } __attribute__ ((packed));
00072
00073
00074 static const int RSN_SELECTOR_LEN = 4;
00075 static const u16 RSN_VERSION = 1;
00076 static const u8 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X[] = { 0x00, 0x0f, 0xac, 1 };
00077 static const u8 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X[] = { 0x00, 0x0f, 0xac, 2 };
00078 static const u8 RSN_CIPHER_SUITE_NONE[] = { 0x00, 0x0f, 0xac, 0 };
00079 static const u8 RSN_CIPHER_SUITE_WEP40[] = { 0x00, 0x0f, 0xac, 1 };
00080 static const u8 RSN_CIPHER_SUITE_TKIP[] = { 0x00, 0x0f, 0xac, 2 };
00081 static const u8 RSN_CIPHER_SUITE_WRAP[] = { 0x00, 0x0f, 0xac, 3 };
00082 static const u8 RSN_CIPHER_SUITE_CCMP[] = { 0x00, 0x0f, 0xac, 4 };
00083 static const u8 RSN_CIPHER_SUITE_WEP104[] = { 0x00, 0x0f, 0xac, 5 };
00084
00085
00086
00087
00088 static const u8 RSN_KEY_DATA_GROUPKEY[] = { 0x00, 0x0f, 0xac, 1 };
00089 static const u8 RSN_KEY_DATA_STAKEY[] = { 0x00, 0x0f, 0xac, 2 };
00090 static const u8 RSN_KEY_DATA_MAC_ADDR[] = { 0x00, 0x0f, 0xac, 3 };
00091 static const u8 RSN_KEY_DATA_PMKID[] = { 0x00, 0x0f, 0xac, 4 };
00092
00093
00094
00095
00096
00097
00098
00099
00100
00101
00102
00103
00104
00105
00106
00107
00108
00109
00110
00111
00112
00113
00114
00115
00116 struct rsn_ie_hdr {
00117 u8 elem_id;
00118 u8 len;
00119 u8 version[2];
00120 } __attribute__ ((packed));
00121
00122
00123 struct wpa_eapol_key {
00124 u8 type;
00125
00126 u8 key_info[2];
00127 u8 key_length[2];
00128 u8 replay_counter[WPA_REPLAY_COUNTER_LEN];
00129 u8 key_nonce[WPA_NONCE_LEN];
00130 u8 key_iv[16];
00131 u8 key_rsc[8];
00132 u8 key_id[8];
00133 u8 key_mic[16];
00134 u8 key_data_length[2];
00135
00136 } __attribute__ ((packed));
00137
00138 #define WPA_KEY_INFO_TYPE_MASK (BIT(0) | BIT(1) | BIT(2))
00139 #define WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 BIT(0)
00140 #define WPA_KEY_INFO_TYPE_HMAC_SHA1_AES BIT(1)
00141 #define WPA_KEY_INFO_KEY_TYPE BIT(3)
00142
00143 #define WPA_KEY_INFO_KEY_INDEX_MASK (BIT(4) | BIT(5))
00144 #define WPA_KEY_INFO_KEY_INDEX_SHIFT 4
00145 #define WPA_KEY_INFO_INSTALL BIT(6)
00146 #define WPA_KEY_INFO_TXRX BIT(6)
00147 #define WPA_KEY_INFO_ACK BIT(7)
00148 #define WPA_KEY_INFO_MIC BIT(8)
00149 #define WPA_KEY_INFO_SECURE BIT(9)
00150 #define WPA_KEY_INFO_ERROR BIT(10)
00151 #define WPA_KEY_INFO_REQUEST BIT(11)
00152 #define WPA_KEY_INFO_ENCR_KEY_DATA BIT(12)
00153
00154
00155
00162 static const char * wpa_cipher_txt(int cipher)
00163 {
00164 switch (cipher) {
00165 case WPA_CIPHER_NONE:
00166 return "NONE";
00167 case WPA_CIPHER_WEP40:
00168 return "WEP-40";
00169 case WPA_CIPHER_WEP104:
00170 return "WEP-104";
00171 case WPA_CIPHER_TKIP:
00172 return "TKIP";
00173 case WPA_CIPHER_CCMP:
00174 return "CCMP";
00175 default:
00176 return "UNKNOWN";
00177 }
00178 }
00179
00180
00188 static const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
00189 {
00190 switch (key_mgmt) {
00191 case WPA_KEY_MGMT_IEEE8021X:
00192 return proto == WPA_PROTO_RSN ?
00193 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
00194 case WPA_KEY_MGMT_PSK:
00195 return proto == WPA_PROTO_RSN ?
00196 "WPA2-PSK" : "WPA-PSK";
00197 case WPA_KEY_MGMT_NONE:
00198 return "NONE";
00199 case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
00200 return "IEEE 802.1X (no WPA)";
00201 default:
00202 return "UNKNOWN";
00203 }
00204 }
00205
00206
00207 static int wpa_selector_to_bitfield(const u8 *s)
00208 {
00209 if (memcmp(s, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN) == 0)
00210 return WPA_CIPHER_NONE;
00211 if (memcmp(s, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN) == 0)
00212 return WPA_CIPHER_WEP40;
00213 if (memcmp(s, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN) == 0)
00214 return WPA_CIPHER_TKIP;
00215 if (memcmp(s, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN) == 0)
00216 return WPA_CIPHER_CCMP;
00217 if (memcmp(s, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN) == 0)
00218 return WPA_CIPHER_WEP104;
00219 return 0;
00220 }
00221
00222
00223 static int wpa_key_mgmt_to_bitfield(const u8 *s)
00224 {
00225 if (memcmp(s, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN) == 0)
00226 return WPA_KEY_MGMT_IEEE8021X;
00227 if (memcmp(s, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X, WPA_SELECTOR_LEN) ==
00228 0)
00229 return WPA_KEY_MGMT_PSK;
00230 if (memcmp(s, WPA_AUTH_KEY_MGMT_NONE, WPA_SELECTOR_LEN) == 0)
00231 return WPA_KEY_MGMT_WPA_NONE;
00232 return 0;
00233 }
00234
00235
00236 static int rsn_selector_to_bitfield(const u8 *s)
00237 {
00238 if (memcmp(s, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN) == 0)
00239 return WPA_CIPHER_NONE;
00240 if (memcmp(s, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN) == 0)
00241 return WPA_CIPHER_WEP40;
00242 if (memcmp(s, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN) == 0)
00243 return WPA_CIPHER_TKIP;
00244 if (memcmp(s, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN) == 0)
00245 return WPA_CIPHER_CCMP;
00246 if (memcmp(s, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN) == 0)
00247 return WPA_CIPHER_WEP104;
00248 return 0;
00249 }
00250
00251
00252 static int rsn_key_mgmt_to_bitfield(const u8 *s)
00253 {
00254 if (memcmp(s, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN) == 0)
00255 return WPA_KEY_MGMT_IEEE8021X;
00256 if (memcmp(s, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X, RSN_SELECTOR_LEN) ==
00257 0)
00258 return WPA_KEY_MGMT_PSK;
00259 return 0;
00260 }
00261
00262
00263 static int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
00264 struct wpa_ie_data *data)
00265 {
00266 const struct wpa_ie_hdr *hdr;
00267 const u8 *pos;
00268 int left;
00269 int i, count;
00270
00271 data->proto = WPA_PROTO_WPA;
00272 data->pairwise_cipher = WPA_CIPHER_TKIP;
00273 data->group_cipher = WPA_CIPHER_TKIP;
00274 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
00275 data->capabilities = 0;
00276 data->pmkid = NULL;
00277 data->num_pmkid = 0;
00278
00279 if (wpa_ie_len == 0) {
00280
00281 return -1;
00282 }
00283
00284 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
00285 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
00286 __func__, (unsigned long) wpa_ie_len);
00287 return -1;
00288 }
00289
00290 hdr = (const struct wpa_ie_hdr *) wpa_ie;
00291
00292 if (hdr->elem_id != GENERIC_INFO_ELEM ||
00293 hdr->len != wpa_ie_len - 2 ||
00294 memcmp(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN) != 0 ||
00295 WPA_GET_LE16(hdr->version) != WPA_VERSION) {
00296 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
00297 __func__);
00298 return -1;
00299 }
00300
00301 pos = (const u8 *) (hdr + 1);
00302 left = wpa_ie_len - sizeof(*hdr);
00303
00304 if (left >= WPA_SELECTOR_LEN) {
00305 data->group_cipher = wpa_selector_to_bitfield(pos);
00306 pos += WPA_SELECTOR_LEN;
00307 left -= WPA_SELECTOR_LEN;
00308 } else if (left > 0) {
00309 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
00310 __func__, left);
00311 return -1;
00312 }
00313
00314 if (left >= 2) {
00315 data->pairwise_cipher = 0;
00316 count = WPA_GET_LE16(pos);
00317 pos += 2;
00318 left -= 2;
00319 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
00320 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
00321 "count %u left %u", __func__, count, left);
00322 return -1;
00323 }
00324 for (i = 0; i < count; i++) {
00325 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
00326 pos += WPA_SELECTOR_LEN;
00327 left -= WPA_SELECTOR_LEN;
00328 }
00329 } else if (left == 1) {
00330 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
00331 __func__);
00332 return -1;
00333 }
00334
00335 if (left >= 2) {
00336 data->key_mgmt = 0;
00337 count = WPA_GET_LE16(pos);
00338 pos += 2;
00339 left -= 2;
00340 if (count == 0 || left < count * WPA_SELECTOR_LEN) {
00341 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
00342 "count %u left %u", __func__, count, left);
00343 return -1;
00344 }
00345 for (i = 0; i < count; i++) {
00346 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
00347 pos += WPA_SELECTOR_LEN;
00348 left -= WPA_SELECTOR_LEN;
00349 }
00350 } else if (left == 1) {
00351 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
00352 __func__);
00353 return -1;
00354 }
00355
00356 if (left >= 2) {
00357 data->capabilities = WPA_GET_LE16(pos);
00358 pos += 2;
00359 left -= 2;
00360 }
00361
00362 if (left > 0) {
00363 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
00364 __func__, left);
00365 }
00366
00367 return 0;
00368 }
00369
00370
00371 static int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
00372 struct wpa_ie_data *data)
00373 {
00374 const struct rsn_ie_hdr *hdr;
00375 const u8 *pos;
00376 int left;
00377 int i, count;
00378
00379 data->proto = WPA_PROTO_RSN;
00380 data->pairwise_cipher = WPA_CIPHER_CCMP;
00381 data->group_cipher = WPA_CIPHER_CCMP;
00382 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
00383 data->capabilities = 0;
00384 data->pmkid = NULL;
00385 data->num_pmkid = 0;
00386
00387 if (rsn_ie_len == 0) {
00388
00389 return -1;
00390 }
00391
00392 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
00393 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
00394 __func__, (unsigned long) rsn_ie_len);
00395 return -1;
00396 }
00397
00398 hdr = (const struct rsn_ie_hdr *) rsn_ie;
00399
00400 if (hdr->elem_id != RSN_INFO_ELEM ||
00401 hdr->len != rsn_ie_len - 2 ||
00402 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
00403 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
00404 __func__);
00405 return -1;
00406 }
00407
00408 pos = (const u8 *) (hdr + 1);
00409 left = rsn_ie_len - sizeof(*hdr);
00410
00411 if (left >= RSN_SELECTOR_LEN) {
00412 data->group_cipher = rsn_selector_to_bitfield(pos);
00413 pos += RSN_SELECTOR_LEN;
00414 left -= RSN_SELECTOR_LEN;
00415 } else if (left > 0) {
00416 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
00417 __func__, left);
00418 return -1;
00419 }
00420
00421 if (left >= 2) {
00422 data->pairwise_cipher = 0;
00423 count = WPA_GET_LE16(pos);
00424 pos += 2;
00425 left -= 2;
00426 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
00427 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
00428 "count %u left %u", __func__, count, left);
00429 return -1;
00430 }
00431 for (i = 0; i < count; i++) {
00432 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
00433 pos += RSN_SELECTOR_LEN;
00434 left -= RSN_SELECTOR_LEN;
00435 }
00436 } else if (left == 1) {
00437 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
00438 __func__);
00439 return -1;
00440 }
00441
00442 if (left >= 2) {
00443 data->key_mgmt = 0;
00444 count = WPA_GET_LE16(pos);
00445 pos += 2;
00446 left -= 2;
00447 if (count == 0 || left < count * RSN_SELECTOR_LEN) {
00448 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
00449 "count %u left %u", __func__, count, left);
00450 return -1;
00451 }
00452 for (i = 0; i < count; i++) {
00453 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
00454 pos += RSN_SELECTOR_LEN;
00455 left -= RSN_SELECTOR_LEN;
00456 }
00457 } else if (left == 1) {
00458 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
00459 __func__);
00460 return -1;
00461 }
00462
00463 if (left >= 2) {
00464 data->capabilities = WPA_GET_LE16(pos);
00465 pos += 2;
00466 left -= 2;
00467 }
00468
00469 if (left >= 2) {
00470 data->num_pmkid = WPA_GET_LE16(pos);
00471 pos += 2;
00472 left -= 2;
00473 if (left < data->num_pmkid * PMKID_LEN) {
00474 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
00475 "(num_pmkid=%d left=%d)",
00476 __func__, data->num_pmkid, left);
00477 data->num_pmkid = 0;
00478 } else {
00479 data->pmkid = pos;
00480 pos += data->num_pmkid * PMKID_LEN;
00481 left -= data->num_pmkid * PMKID_LEN;
00482 }
00483 }
00484
00485 if (left > 0) {
00486 wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
00487 __func__, left);
00488 }
00489
00490 return 0;
00491 }
00492
00493
00504 int wpa_parse_wpa_ie(const u8 *wpa_ie, size_t wpa_ie_len,
00505 struct wpa_ie_data *data)
00506 {
00507 if (wpa_ie_len >= 1 && wpa_ie[0] == RSN_INFO_ELEM)
00508 return wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, data);
00509 else
00510 return wpa_parse_wpa_ie_wpa(wpa_ie, wpa_ie_len, data);
00511 }
00512
00513
00514 static int wpa_gen_wpa_ie_wpa(u8 *wpa_ie, size_t wpa_ie_len,
00515 int pairwise_cipher, int group_cipher,
00516 int key_mgmt)
00517 {
00518 u8 *pos;
00519 struct wpa_ie_hdr *hdr;
00520
00521 if (wpa_ie_len < sizeof(*hdr) + WPA_SELECTOR_LEN +
00522 2 + WPA_SELECTOR_LEN + 2 + WPA_SELECTOR_LEN)
00523 return -1;
00524
00525 hdr = (struct wpa_ie_hdr *) wpa_ie;
00526 hdr->elem_id = GENERIC_INFO_ELEM;
00527 memcpy(&hdr->oui, WPA_OUI_TYPE, WPA_SELECTOR_LEN);
00528 WPA_PUT_LE16(hdr->version, WPA_VERSION);
00529 pos = (u8 *) (hdr + 1);
00530
00531 if (group_cipher == WPA_CIPHER_CCMP) {
00532 memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
00533 } else if (group_cipher == WPA_CIPHER_TKIP) {
00534 memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
00535 } else if (group_cipher == WPA_CIPHER_WEP104) {
00536 memcpy(pos, WPA_CIPHER_SUITE_WEP104, WPA_SELECTOR_LEN);
00537 } else if (group_cipher == WPA_CIPHER_WEP40) {
00538 memcpy(pos, WPA_CIPHER_SUITE_WEP40, WPA_SELECTOR_LEN);
00539 } else {
00540 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
00541 group_cipher);
00542 return -1;
00543 }
00544 pos += WPA_SELECTOR_LEN;
00545
00546 *pos++ = 1;
00547 *pos++ = 0;
00548 if (pairwise_cipher == WPA_CIPHER_CCMP) {
00549 memcpy(pos, WPA_CIPHER_SUITE_CCMP, WPA_SELECTOR_LEN);
00550 } else if (pairwise_cipher == WPA_CIPHER_TKIP) {
00551 memcpy(pos, WPA_CIPHER_SUITE_TKIP, WPA_SELECTOR_LEN);
00552 } else if (pairwise_cipher == WPA_CIPHER_NONE) {
00553 memcpy(pos, WPA_CIPHER_SUITE_NONE, WPA_SELECTOR_LEN);
00554 } else {
00555 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
00556 pairwise_cipher);
00557 return -1;
00558 }
00559 pos += WPA_SELECTOR_LEN;
00560
00561 *pos++ = 1;
00562 *pos++ = 0;
00563 if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
00564 memcpy(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X, WPA_SELECTOR_LEN);
00565 } else if (key_mgmt == WPA_KEY_MGMT_PSK) {
00566 memcpy(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X,
00567 WPA_SELECTOR_LEN);
00568 } else if (key_mgmt == WPA_KEY_MGMT_WPA_NONE) {
00569 memcpy(pos, WPA_AUTH_KEY_MGMT_NONE, WPA_SELECTOR_LEN);
00570 } else {
00571 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
00572 key_mgmt);
00573 return -1;
00574 }
00575 pos += WPA_SELECTOR_LEN;
00576
00577
00578
00579 hdr->len = (pos - wpa_ie) - 2;
00580
00581 WPA_ASSERT(pos - wpa_ie <= wpa_ie_len);
00582
00583 return pos - wpa_ie;
00584 }
00585
00586
00587 static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
00588 int pairwise_cipher, int group_cipher,
00589 int key_mgmt, struct wpa_sm *sm)
00590 {
00591 u8 *pos;
00592 struct rsn_ie_hdr *hdr;
00593
00594 if (rsn_ie_len < sizeof(*hdr) + RSN_SELECTOR_LEN +
00595 2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN + 2 +
00596 (sm->cur_pmksa ? 2 + PMKID_LEN : 0))
00597 return -1;
00598
00599 hdr = (struct rsn_ie_hdr *) rsn_ie;
00600 hdr->elem_id = RSN_INFO_ELEM;
00601 WPA_PUT_LE16(hdr->version, RSN_VERSION);
00602 pos = (u8 *) (hdr + 1);
00603
00604 if (group_cipher == WPA_CIPHER_CCMP) {
00605 memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
00606 } else if (group_cipher == WPA_CIPHER_TKIP) {
00607 memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
00608 } else if (group_cipher == WPA_CIPHER_WEP104) {
00609 memcpy(pos, RSN_CIPHER_SUITE_WEP104, RSN_SELECTOR_LEN);
00610 } else if (group_cipher == WPA_CIPHER_WEP40) {
00611 memcpy(pos, RSN_CIPHER_SUITE_WEP40, RSN_SELECTOR_LEN);
00612 } else {
00613 wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
00614 group_cipher);
00615 return -1;
00616 }
00617 pos += RSN_SELECTOR_LEN;
00618
00619 *pos++ = 1;
00620 *pos++ = 0;
00621 if (pairwise_cipher == WPA_CIPHER_CCMP) {
00622 memcpy(pos, RSN_CIPHER_SUITE_CCMP, RSN_SELECTOR_LEN);
00623 } else if (pairwise_cipher == WPA_CIPHER_TKIP) {
00624 memcpy(pos, RSN_CIPHER_SUITE_TKIP, RSN_SELECTOR_LEN);
00625 } else if (pairwise_cipher == WPA_CIPHER_NONE) {
00626 memcpy(pos, RSN_CIPHER_SUITE_NONE, RSN_SELECTOR_LEN);
00627 } else {
00628 wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
00629 pairwise_cipher);
00630 return -1;
00631 }
00632 pos += RSN_SELECTOR_LEN;
00633
00634 *pos++ = 1;
00635 *pos++ = 0;
00636 if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
00637 memcpy(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X, RSN_SELECTOR_LEN);
00638 } else if (key_mgmt == WPA_KEY_MGMT_PSK) {
00639 memcpy(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X,
00640 RSN_SELECTOR_LEN);
00641 } else {
00642 wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
00643 key_mgmt);
00644 return -1;
00645 }
00646 pos += RSN_SELECTOR_LEN;
00647
00648
00649 *pos++ = 0;
00650 *pos++ = 0;
00651
00652 if (sm->cur_pmksa) {
00653
00654 *pos++ = 1;
00655 *pos++ = 0;
00656
00657 memcpy(pos, sm->cur_pmksa->pmkid, PMKID_LEN);
00658 pos += PMKID_LEN;
00659 }
00660
00661 hdr->len = (pos - rsn_ie) - 2;
00662
00663 WPA_ASSERT(pos - rsn_ie <= rsn_ie_len);
00664
00665 return pos - rsn_ie;
00666 }
00667
00668
00677 static int wpa_gen_wpa_ie(struct wpa_sm *sm, u8 *wpa_ie, size_t wpa_ie_len)
00678 {
00679 if (sm->proto == WPA_PROTO_RSN)
00680 return wpa_gen_wpa_ie_rsn(wpa_ie, wpa_ie_len,
00681 sm->pairwise_cipher,
00682 sm->group_cipher,
00683 sm->key_mgmt, sm);
00684 else
00685 return wpa_gen_wpa_ie_wpa(wpa_ie, wpa_ie_len,
00686 sm->pairwise_cipher,
00687 sm->group_cipher,
00688 sm->key_mgmt);
00689 }
00690
00691
00708 static void wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
00709 const u8 *addr1, const u8 *addr2,
00710 const u8 *nonce1, const u8 *nonce2,
00711 u8 *ptk, size_t ptk_len)
00712 {
00713 u8 data[2 * ETH_ALEN + 2 * 32];
00714
00715 if (memcmp(addr1, addr2, ETH_ALEN) < 0) {
00716 memcpy(data, addr1, ETH_ALEN);
00717 memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
00718 } else {
00719 memcpy(data, addr2, ETH_ALEN);
00720 memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
00721 }
00722
00723 if (memcmp(nonce1, nonce2, 32) < 0) {
00724 memcpy(data + 2 * ETH_ALEN, nonce1, 32);
00725 memcpy(data + 2 * ETH_ALEN + 32, nonce2, 32);
00726 } else {
00727 memcpy(data + 2 * ETH_ALEN, nonce2, 32);
00728 memcpy(data + 2 * ETH_ALEN + 32, nonce1, 32);
00729 }
00730
00731 sha1_prf(pmk, pmk_len, "Pairwise key expansion", data, sizeof(data),
00732 ptk, ptk_len);
00733
00734 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
00735 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", ptk, ptk_len);
00736 }
00737
00738
00757 static void wpa_eapol_key_mic(const u8 *key, int ver,
00758 const u8 *buf, size_t len, u8 *mic)
00759 {
00760 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
00761 hmac_md5(key, 16, buf, len, mic);
00762 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
00763 u8 hash[SHA1_MAC_LEN];
00764 hmac_sha1(key, 16, buf, len, hash);
00765 memcpy(mic, hash, MD5_MAC_LEN);
00766 }
00767 }
00768
00769
00770 static void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck,
00771 int ver, const u8 *dest, u16 proto,
00772 u8 *msg, size_t msg_len, u8 *key_mic)
00773 {
00774 if (key_mic) {
00775 wpa_eapol_key_mic(kck, ver, msg, msg_len, key_mic);
00776 }
00777 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
00778 wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
00779 eapol_sm_notify_tx_eapol_key(sm->eapol);
00780 free(msg);
00781 }
00782
00783
00796 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
00797 {
00798 size_t rlen;
00799 struct wpa_eapol_key *reply;
00800 int key_info, ver;
00801 u8 bssid[ETH_ALEN], *rbuf;
00802
00803 if (sm->pairwise_cipher == WPA_CIPHER_CCMP)
00804 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
00805 else
00806 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
00807
00808 if (wpa_sm_get_bssid(sm, bssid) < 0) {
00809 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
00810 "request");
00811 return;
00812 }
00813
00814 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
00815 sizeof(*reply), &rlen, (void *) &reply);
00816 if (rbuf == NULL)
00817 return;
00818
00819 reply->type = sm->proto == WPA_PROTO_RSN ?
00820 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
00821 key_info = WPA_KEY_INFO_REQUEST | ver;
00822 if (sm->ptk_set)
00823 key_info |= WPA_KEY_INFO_MIC;
00824 if (error)
00825 key_info |= WPA_KEY_INFO_ERROR;
00826 if (pairwise)
00827 key_info |= WPA_KEY_INFO_KEY_TYPE;
00828 WPA_PUT_BE16(reply->key_info, key_info);
00829 WPA_PUT_BE16(reply->key_length, 0);
00830 memcpy(reply->replay_counter, sm->request_counter,
00831 WPA_REPLAY_COUNTER_LEN);
00832 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
00833
00834 WPA_PUT_BE16(reply->key_data_length, 0);
00835
00836 wpa_printf(MSG_INFO, "WPA: Sending EAPOL-Key Request (error=%d "
00837 "pairwise=%d ptk_set=%d len=%lu)",
00838 error, pairwise, sm->ptk_set, (unsigned long) rlen);
00839 wpa_eapol_key_send(sm, sm->ptk.kck, ver, bssid, ETH_P_EAPOL,
00840 rbuf, rlen, key_info & WPA_KEY_INFO_MIC ?
00841 reply->key_mic : NULL);
00842 }
00843
00844
00845 struct wpa_eapol_ie_parse {
00846 const u8 *wpa_ie;
00847 size_t wpa_ie_len;
00848 const u8 *rsn_ie;
00849 size_t rsn_ie_len;
00850 const u8 *pmkid;
00851 const u8 *gtk;
00852 size_t gtk_len;
00853 };
00854
00855
00864 static int wpa_supplicant_parse_generic(const u8 *pos, const u8 *end,
00865 struct wpa_eapol_ie_parse *ie)
00866 {
00867 if (pos[1] == 0)
00868 return 1;
00869
00870 if (pos[1] >= 6 &&
00871 memcmp(pos + 2, WPA_OUI_TYPE, WPA_SELECTOR_LEN) == 0 &&
00872 pos[2 + WPA_SELECTOR_LEN] == 1 &&
00873 pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
00874 ie->wpa_ie = pos;
00875 ie->wpa_ie_len = pos[1] + 2;
00876 return 0;
00877 }
00878
00879 if (pos + 1 + RSN_SELECTOR_LEN < end &&
00880 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
00881 memcmp(pos + 2, RSN_KEY_DATA_PMKID, RSN_SELECTOR_LEN) == 0) {
00882 ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
00883 return 0;
00884 }
00885
00886 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
00887 memcmp(pos + 2, RSN_KEY_DATA_GROUPKEY, RSN_SELECTOR_LEN) == 0) {
00888 ie->gtk = pos + 2 + RSN_SELECTOR_LEN;
00889 ie->gtk_len = pos[1] - RSN_SELECTOR_LEN;
00890 }
00891
00892 return 0;
00893 }
00894
00895
00904 static int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
00905 struct wpa_eapol_ie_parse *ie)
00906 {
00907 const u8 *pos, *end;
00908 int ret = 0;
00909
00910 memset(ie, 0, sizeof(*ie));
00911 for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) {
00912 if (pos + 2 + pos[1] > end) {
00913 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data "
00914 "underflow (ie=%d len=%d)", pos[0], pos[1]);
00915 ret = -1;
00916 break;
00917 }
00918 if (*pos == RSN_INFO_ELEM) {
00919 ie->rsn_ie = pos;
00920 ie->rsn_ie_len = pos[1] + 2;
00921 } else if (*pos == GENERIC_INFO_ELEM) {
00922 ret = wpa_supplicant_parse_generic(pos, end, ie);
00923 if (ret < 0)
00924 break;
00925 if (ret > 0) {
00926 ret = 0;
00927 break;
00928 }
00929 } else {
00930 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized EAPOL-Key "
00931 "Key Data IE", pos, 2 + pos[1]);
00932 }
00933 }
00934
00935 return ret;
00936 }
00937
00938
00939 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
00940 const unsigned char *src_addr,
00941 const u8 *pmkid)
00942 {
00943 int abort_cached = 0;
00944
00945 if (pmkid && !sm->cur_pmksa) {
00946
00947
00948
00949
00950 sm->cur_pmksa = pmksa_cache_get(sm, src_addr, pmkid);
00951 if (sm->cur_pmksa) {
00952 wpa_printf(MSG_DEBUG, "RSN: found matching PMKID from "
00953 "PMKSA cache");
00954 } else {
00955 wpa_printf(MSG_DEBUG, "RSN: no matching PMKID found");
00956 abort_cached = 1;
00957 }
00958 }
00959
00960 if (pmkid && sm->cur_pmksa &&
00961 memcmp(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
00962 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
00963 wpa_sm_set_pmk_from_pmksa(sm);
00964 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
00965 sm->pmk, sm->pmk_len);
00966 eapol_sm_notify_cached(sm->eapol);
00967 } else if (sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X && sm->eapol) {
00968 int res, pmk_len;
00969 pmk_len = PMK_LEN;
00970 res = eapol_sm_get_key(sm->eapol, sm->pmk, PMK_LEN);
00971 #ifdef EAP_LEAP
00972 if (res) {
00973 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
00974 pmk_len = 16;
00975 }
00976 #endif
00977 if (res == 0) {
00978 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
00979 "machines", sm->pmk, pmk_len);
00980 sm->pmk_len = pmk_len;
00981 pmksa_cache_add(sm, sm->pmk, pmk_len, src_addr,
00982 sm->own_addr, sm->cur_ssid);
00983 if (!sm->cur_pmksa && pmkid &&
00984 pmksa_cache_get(sm, src_addr, pmkid)) {
00985 wpa_printf(MSG_DEBUG, "RSN: the new PMK "
00986 "matches with the PMKID");
00987 abort_cached = 0;
00988 }
00989 } else {
00990 wpa_msg(sm->ctx->ctx, MSG_WARNING,
00991 "WPA: Failed to get master session key from "
00992 "EAPOL state machines");
00993 wpa_msg(sm->ctx->ctx, MSG_WARNING,
00994 "WPA: Key handshake aborted");
00995 if (sm->cur_pmksa) {
00996 wpa_printf(MSG_DEBUG, "RSN: Cancelled PMKSA "
00997 "caching attempt");
00998 sm->cur_pmksa = NULL;
00999 abort_cached = 1;
01000 } else {
01001 return -1;
01002 }
01003 }
01004 }
01005
01006 if (abort_cached && sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
01007
01008 u8 *buf;
01009 size_t buflen;
01010
01011 wpa_printf(MSG_DEBUG, "RSN: no PMKSA entry found - trigger "
01012 "full EAP authentication");
01013 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
01014 NULL, 0, &buflen, NULL);
01015 if (buf) {
01016 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
01017 buf, buflen);
01018 free(buf);
01019 }
01020
01021 return -1;
01022 }
01023
01024 return 0;
01025 }
01026
01027
01028 static int wpa_supplicant_send_2_of_4(struct wpa_sm *sm,
01029 const unsigned char *src_addr,
01030 const struct wpa_eapol_key *key,
01031 int ver)
01032 {
01033 size_t rlen;
01034 struct wpa_eapol_key *reply;
01035 struct wpa_ptk *ptk;
01036 u8 buf[8], *rbuf, *wpa_ie;
01037 int wpa_ie_len;
01038
01039 if (sm->assoc_wpa_ie == NULL) {
01040 wpa_printf(MSG_WARNING, "WPA: No assoc_wpa_ie set - cannot "
01041 "generate msg 2/4");
01042 return -1;
01043 }
01044
01045 wpa_ie = sm->assoc_wpa_ie;
01046 wpa_ie_len = sm->assoc_wpa_ie_len;
01047 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
01048
01049 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
01050 NULL, sizeof(*reply) + wpa_ie_len,
01051 &rlen, (void *) &reply);
01052 if (rbuf == NULL)
01053 return -1;
01054
01055 reply->type = sm->proto == WPA_PROTO_RSN ?
01056 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
01057 WPA_PUT_BE16(reply->key_info,
01058 ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC);
01059 if (sm->proto == WPA_PROTO_RSN)
01060 WPA_PUT_BE16(reply->key_length, 0);
01061 else
01062 memcpy(reply->key_length, key->key_length, 2);
01063 memcpy(reply->replay_counter, key->replay_counter,
01064 WPA_REPLAY_COUNTER_LEN);
01065
01066 WPA_PUT_BE16(reply->key_data_length, wpa_ie_len);
01067 memcpy(reply + 1, wpa_ie, wpa_ie_len);
01068
01069 if (sm->renew_snonce) {
01070 if (hostapd_get_rand(sm->snonce, WPA_NONCE_LEN)) {
01071 wpa_msg(sm->ctx->ctx, MSG_WARNING,
01072 "WPA: Failed to get random data for SNonce");
01073 free(rbuf);
01074 return -1;
01075 }
01076 sm->renew_snonce = 0;
01077 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
01078 sm->snonce, WPA_NONCE_LEN);
01079 }
01080 memcpy(reply->key_nonce, sm->snonce, WPA_NONCE_LEN);
01081
01082
01083
01084 ptk = &sm->tptk;
01085 wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, src_addr,
01086 sm->snonce, key->key_nonce,
01087 (u8 *) ptk, sizeof(*ptk));
01088
01089 memcpy(buf, ptk->u.auth.tx_mic_key, 8);
01090 memcpy(ptk->u.auth.tx_mic_key, ptk->u.auth.rx_mic_key, 8);
01091 memcpy(ptk->u.auth.rx_mic_key, buf, 8);
01092 sm->tptk_set = 1;
01093
01094 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
01095 wpa_eapol_key_send(sm, ptk->kck, ver, src_addr, ETH_P_EAPOL,
01096 rbuf, rlen, reply->key_mic);
01097
01098 return 0;
01099 }
01100
01101
01102 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
01103 const unsigned char *src_addr,
01104 const struct wpa_eapol_key *key,
01105 u16 ver)
01106 {
01107 struct wpa_eapol_ie_parse ie;
01108
01109 if (wpa_sm_get_ssid(sm) == NULL) {
01110 wpa_printf(MSG_WARNING, "WPA: No SSID info found (msg 1 of "
01111 "4).");
01112 return;
01113 }
01114
01115 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
01116 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of 4-Way Handshake from "
01117 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
01118
01119 memset(&ie, 0, sizeof(ie));
01120
01121 if (sm->proto == WPA_PROTO_RSN) {
01122
01123 const u8 *buf = (const u8 *) (key + 1);
01124 size_t len = WPA_GET_BE16(key->key_data_length);
01125 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", buf, len);
01126 wpa_supplicant_parse_ies(buf, len, &ie);
01127 if (ie.pmkid) {
01128 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
01129 "Authenticator", ie.pmkid, PMKID_LEN);
01130 }
01131 }
01132
01133 if (wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid))
01134 return;
01135
01136 if (wpa_supplicant_send_2_of_4(sm, src_addr, key, ver))
01137 return;
01138
01139 memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
01140 }
01141
01142
01143 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
01144 {
01145 struct wpa_sm *sm = eloop_ctx;
01146 rsn_preauth_candidate_process(sm);
01147 }
01148
01149
01150 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
01151 const u8 *addr, int secure)
01152 {
01153 wpa_msg(sm->ctx->ctx, MSG_INFO, "WPA: Key negotiation completed with "
01154 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
01155 wpa_cipher_txt(sm->pairwise_cipher),
01156 wpa_cipher_txt(sm->group_cipher));
01157 eloop_cancel_timeout(sm->ctx->scan, sm->ctx->ctx, NULL);
01158 wpa_sm_cancel_auth_timeout(sm);
01159 wpa_sm_set_state(sm, WPA_COMPLETED);
01160
01161 if (secure) {
01162
01163 eapol_sm_notify_portValid(sm->eapol, TRUE);
01164 if (sm->key_mgmt == WPA_KEY_MGMT_PSK)
01165 eapol_sm_notify_eap_success(sm->eapol, TRUE);
01166
01167
01168
01169
01170
01171
01172
01173 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL);
01174 }
01175
01176 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
01177 wpa_printf(MSG_DEBUG, "RSN: Authenticator accepted "
01178 "opportunistic PMKSA entry - marking it valid");
01179 sm->cur_pmksa->opportunistic = 0;
01180 }
01181 }
01182
01183
01184 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
01185 const unsigned char *src_addr,
01186 const struct wpa_eapol_key *key)
01187 {
01188 int alg, keylen, rsclen;
01189 const u8 *key_rsc;
01190 u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
01191
01192 wpa_printf(MSG_DEBUG, "WPA: Installing PTK to the driver.");
01193
01194 switch (sm->pairwise_cipher) {
01195 case WPA_CIPHER_CCMP:
01196 alg = WPA_ALG_CCMP;
01197 keylen = 16;
01198 rsclen = 6;
01199 break;
01200 case WPA_CIPHER_TKIP:
01201 alg = WPA_ALG_TKIP;
01202 keylen = 32;
01203 rsclen = 6;
01204 break;
01205 case WPA_CIPHER_NONE:
01206 wpa_printf(MSG_DEBUG, "WPA: Pairwise Cipher Suite: "
01207 "NONE - do not use pairwise keys");
01208 return 0;
01209 default:
01210 wpa_printf(MSG_WARNING, "WPA: Unsupported pairwise cipher %d",
01211 sm->pairwise_cipher);
01212 return -1;
01213 }
01214
01215 if (sm->proto == WPA_PROTO_RSN) {
01216 key_rsc = null_rsc;
01217 } else {
01218 key_rsc = key->key_rsc;
01219 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
01220 }
01221
01222 if (wpa_sm_set_key(sm, alg, src_addr, 0, 1, key_rsc, rsclen,
01223 (u8 *) &sm->ptk.tk1, keylen) < 0) {
01224 wpa_printf(MSG_WARNING, "WPA: Failed to set PTK to the "
01225 "driver.");
01226 return -1;
01227 }
01228 return 0;
01229 }
01230
01231
01232 static int wpa_supplicant_check_group_cipher(int group_cipher,
01233 int keylen, int maxkeylen,
01234 int *key_rsc_len, int *alg)
01235 {
01236 int ret = 0;
01237
01238 switch (group_cipher) {
01239 case WPA_CIPHER_CCMP:
01240 if (keylen != 16 || maxkeylen < 16) {
01241 ret = -1;
01242 break;
01243 }
01244 *key_rsc_len = 6;
01245 *alg = WPA_ALG_CCMP;
01246 break;
01247 case WPA_CIPHER_TKIP:
01248 if (keylen != 32 || maxkeylen < 32) {
01249 ret = -1;
01250 break;
01251 }
01252 *key_rsc_len = 6;
01253 *alg = WPA_ALG_TKIP;
01254 break;
01255 case WPA_CIPHER_WEP104:
01256 if (keylen != 13 || maxkeylen < 13) {
01257 ret = -1;
01258 break;
01259 }
01260 *key_rsc_len = 0;
01261 *alg = WPA_ALG_WEP;
01262 break;
01263 case WPA_CIPHER_WEP40:
01264 if (keylen != 5 || maxkeylen < 5) {
01265 ret = -1;
01266 break;
01267 }
01268 *key_rsc_len = 0;
01269 *alg = WPA_ALG_WEP;
01270 break;
01271 default:
01272 wpa_printf(MSG_WARNING, "WPA: Unsupported Group Cipher %d",
01273 group_cipher);
01274 return -1;
01275 }
01276
01277 if (ret < 0 ) {
01278 wpa_printf(MSG_WARNING, "WPA: Unsupported %s Group Cipher key "
01279 "length %d (%d).",
01280 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
01281 }
01282
01283 return ret;
01284 }
01285
01286
01287 struct wpa_gtk_data {
01288 int alg, tx, key_rsc_len, keyidx;
01289 u8 gtk[32];
01290 int gtk_len;
01291 };
01292
01293
01294 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
01295 const struct wpa_gtk_data *gd,
01296 const u8 *key_rsc)
01297 {
01298 const u8 *_gtk = gd->gtk;
01299 u8 gtk_buf[32];
01300
01301 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
01302 wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver "
01303 "(keyidx=%d tx=%d).", gd->keyidx, gd->tx);
01304 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
01305 if (sm->group_cipher == WPA_CIPHER_TKIP) {
01306
01307 memcpy(gtk_buf, gd->gtk, 16);
01308 memcpy(gtk_buf + 16, gd->gtk + 24, 8);
01309 memcpy(gtk_buf + 24, gd->gtk + 16, 8);
01310 _gtk = gtk_buf;
01311 }
01312 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
01313 if (wpa_sm_set_key(sm, gd->alg,
01314 (u8 *) "\xff\xff\xff\xff\xff\xff",
01315 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
01316 _gtk, gd->gtk_len) < 0) {
01317 wpa_printf(MSG_WARNING, "WPA: Failed to set "
01318 "GTK to the driver (Group only).");
01319 return -1;
01320 }
01321 } else if (wpa_sm_set_key(sm, gd->alg,
01322 (u8 *) "\xff\xff\xff\xff\xff\xff",
01323 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
01324 _gtk, gd->gtk_len) < 0) {
01325 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to "
01326 "the driver.");
01327 return -1;
01328 }
01329
01330 return 0;
01331 }
01332
01333
01334 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
01335 int tx)
01336 {
01337 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
01338
01339
01340
01341
01342
01343 wpa_printf(MSG_INFO, "WPA: Tx bit set for GTK, but pairwise "
01344 "keys are used - ignore Tx bit");
01345 return 0;
01346 }
01347 return tx;
01348 }
01349
01350
01351 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
01352 const unsigned char *src_addr,
01353 const struct wpa_eapol_key *key,
01354 const u8 *gtk, int gtk_len,
01355 int key_info)
01356 {
01357 struct wpa_gtk_data gd;
01358
01359
01360
01361
01362
01363
01364
01365
01366
01367 memset(&gd, 0, sizeof(gd));
01368 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
01369 gtk, gtk_len);
01370
01371 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
01372 return -1;
01373
01374 gd.keyidx = gtk[0] & 0x3;
01375 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
01376 !!(gtk[0] & BIT(2)));
01377 gtk += 2;
01378 gtk_len -= 2;
01379
01380 memcpy(gd.gtk, gtk, gtk_len);
01381 gd.gtk_len = gtk_len;
01382
01383 if (wpa_supplicant_check_group_cipher(sm->group_cipher,
01384 gtk_len, gtk_len,
01385 &gd.key_rsc_len, &gd.alg) ||
01386 wpa_supplicant_install_gtk(sm, &gd, key->key_rsc)) {
01387 wpa_printf(MSG_DEBUG, "RSN: Failed to install GTK");
01388 return -1;
01389 }
01390
01391 wpa_supplicant_key_neg_complete(sm, src_addr,
01392 key_info & WPA_KEY_INFO_SECURE);
01393 return 0;
01394 }
01395
01396
01397 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
01398 const char *reason, const u8 *src_addr,
01399 const u8 *wpa_ie, size_t wpa_ie_len,
01400 const u8 *rsn_ie, size_t rsn_ie_len)
01401 {
01402 wpa_msg(sm->ctx->ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
01403 reason, MAC2STR(src_addr));
01404
01405 if (sm->ap_wpa_ie) {
01406 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
01407 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
01408 }
01409 if (wpa_ie) {
01410 if (!sm->ap_wpa_ie) {
01411 wpa_printf(MSG_INFO, "WPA: No WPA IE in "
01412 "Beacon/ProbeResp");
01413 }
01414 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
01415 wpa_ie, wpa_ie_len);
01416 }
01417
01418 if (sm->ap_rsn_ie) {
01419 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
01420 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
01421 }
01422 if (rsn_ie) {
01423 if (!sm->ap_rsn_ie) {
01424 wpa_printf(MSG_INFO, "WPA: No RSN IE in "
01425 "Beacon/ProbeResp");
01426 }
01427 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
01428 rsn_ie, rsn_ie_len);
01429 }
01430
01431 wpa_sm_disassociate(sm, REASON_IE_IN_4WAY_DIFFERS);
01432 wpa_sm_req_scan(sm, 0, 0);
01433 }
01434
01435
01436 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
01437 const unsigned char *src_addr,
01438 struct wpa_eapol_ie_parse *ie)
01439 {
01440 struct wpa_ssid *ssid = sm->cur_ssid;
01441
01442 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
01443 wpa_printf(MSG_DEBUG, "WPA: No WPA/RSN IE for this AP known. "
01444 "Trying to get from scan results");
01445 if (wpa_sm_get_beacon_ie(sm) < 0) {
01446 wpa_printf(MSG_WARNING, "WPA: Could not find AP from "
01447 "the scan results");
01448 } else {
01449 wpa_printf(MSG_DEBUG, "WPA: Found the current AP from "
01450 "updated scan results");
01451 }
01452 }
01453
01454 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
01455 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
01456 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
01457 "with IE in Beacon/ProbeResp (no IE?)",
01458 src_addr, ie->wpa_ie, ie->wpa_ie_len,
01459 ie->rsn_ie, ie->rsn_ie_len);
01460 return -1;
01461 }
01462
01463 if ((ie->wpa_ie && sm->ap_wpa_ie &&
01464 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
01465 memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
01466 (ie->rsn_ie && sm->ap_rsn_ie &&
01467 (ie->rsn_ie_len != sm->ap_rsn_ie_len ||
01468 memcmp(ie->rsn_ie, sm->ap_rsn_ie, ie->rsn_ie_len) != 0))) {
01469 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
01470 "with IE in Beacon/ProbeResp",
01471 src_addr, ie->wpa_ie, ie->wpa_ie_len,
01472 ie->rsn_ie, ie->rsn_ie_len);
01473 return -1;
01474 }
01475
01476 if (sm->proto == WPA_PROTO_WPA &&
01477 ie->rsn_ie && sm->ap_rsn_ie == NULL &&
01478 ssid && (ssid->proto & WPA_PROTO_RSN)) {
01479 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
01480 "detected - RSN was enabled and RSN IE "
01481 "was in msg 3/4, but not in "
01482 "Beacon/ProbeResp",
01483 src_addr, ie->wpa_ie, ie->wpa_ie_len,
01484 ie->rsn_ie, ie->rsn_ie_len);
01485 return -1;
01486 }
01487
01488 return 0;
01489 }
01490
01491
01492 static int wpa_supplicant_send_4_of_4(struct wpa_sm *sm,
01493 const unsigned char *src_addr,
01494 const struct wpa_eapol_key *key,
01495 u16 ver, u16 key_info)
01496 {
01497 size_t rlen;
01498 struct wpa_eapol_key *reply;
01499 u8 *rbuf;
01500
01501 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
01502 sizeof(*reply), &rlen, (void *) &reply);
01503 if (rbuf == NULL)
01504 return -1;
01505
01506 reply->type = sm->proto == WPA_PROTO_RSN ?
01507 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
01508 key_info &= WPA_KEY_INFO_SECURE;
01509 key_info |= ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_MIC;
01510 WPA_PUT_BE16(reply->key_info, key_info);
01511 if (sm->proto == WPA_PROTO_RSN)
01512 WPA_PUT_BE16(reply->key_length, 0);
01513 else
01514 memcpy(reply->key_length, key->key_length, 2);
01515 memcpy(reply->replay_counter, key->replay_counter,
01516 WPA_REPLAY_COUNTER_LEN);
01517
01518 WPA_PUT_BE16(reply->key_data_length, 0);
01519
01520 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
01521 wpa_eapol_key_send(sm, sm->ptk.kck, ver, src_addr, ETH_P_EAPOL,
01522 rbuf, rlen, reply->key_mic);
01523
01524 return 0;
01525 }
01526
01527
01528 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
01529 const unsigned char *src_addr,
01530 const struct wpa_eapol_key *key,
01531 int extra_len, u16 ver)
01532 {
01533 u16 key_info, keylen, len;
01534 const u8 *pos;
01535 struct wpa_eapol_ie_parse ie;
01536
01537 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
01538 wpa_printf(MSG_DEBUG, "WPA: RX message 3 of 4-Way Handshake from "
01539 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
01540
01541 key_info = WPA_GET_BE16(key->key_info);
01542
01543 pos = (const u8 *) (key + 1);
01544 len = WPA_GET_BE16(key->key_data_length);
01545 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", pos, len);
01546 wpa_supplicant_parse_ies(pos, len, &ie);
01547 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
01548 wpa_printf(MSG_WARNING, "WPA: GTK IE in unencrypted key data");
01549 return;
01550 }
01551
01552 if (wpa_supplicant_validate_ie(sm, src_addr, &ie) < 0)
01553 return;
01554
01555 if (memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
01556 wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way "
01557 "Handshake differs from 3 of 4-Way Handshake - drop"
01558 " packet (src=" MACSTR ")", MAC2STR(src_addr));
01559 return;
01560 }
01561
01562 keylen = WPA_GET_BE16(key->key_length);
01563 switch (sm->pairwise_cipher) {
01564 case WPA_CIPHER_CCMP:
01565 if (keylen != 16) {
01566 wpa_printf(MSG_WARNING, "WPA: Invalid CCMP key length "
01567 "%d (src=" MACSTR ")",
01568 keylen, MAC2STR(src_addr));
01569 return;
01570 }
01571 break;
01572 case WPA_CIPHER_TKIP:
01573 if (keylen != 32) {
01574 wpa_printf(MSG_WARNING, "WPA: Invalid TKIP key length "
01575 "%d (src=" MACSTR ")",
01576 keylen, MAC2STR(src_addr));
01577 return;
01578 }
01579 break;
01580 }
01581
01582 if (wpa_supplicant_send_4_of_4(sm, src_addr, key, ver, key_info))
01583 return;
01584
01585
01586
01587
01588 sm->renew_snonce = 1;
01589
01590 if (key_info & WPA_KEY_INFO_INSTALL) {
01591 wpa_supplicant_install_ptk(sm, src_addr, key);
01592 }
01593
01594 if (key_info & WPA_KEY_INFO_SECURE) {
01595
01596 eapol_sm_notify_portValid(sm->eapol, TRUE);
01597 }
01598 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
01599
01600 if (ie.gtk &&
01601 wpa_supplicant_pairwise_gtk(sm, src_addr, key,
01602 ie.gtk, ie.gtk_len, key_info) < 0) {
01603 wpa_printf(MSG_INFO, "RSN: Failed to configure GTK");
01604 }
01605 }
01606
01607
01608 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
01609 const u8 *keydata,
01610 size_t keydatalen,
01611 int key_info,
01612 struct wpa_gtk_data *gd)
01613 {
01614 int maxkeylen;
01615 struct wpa_eapol_ie_parse ie;
01616
01617 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/2 key data", keydata, keydatalen);
01618 wpa_supplicant_parse_ies(keydata, keydatalen, &ie);
01619 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
01620 wpa_printf(MSG_WARNING, "WPA: GTK IE in unencrypted key data");
01621 return -1;
01622 }
01623 if (ie.gtk == NULL) {
01624 wpa_printf(MSG_INFO, "WPA: No GTK IE in Group Key msg 1/2");
01625 return -1;
01626 }
01627 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
01628
01629 if (wpa_supplicant_check_group_cipher(sm->group_cipher,
01630 gd->gtk_len, maxkeylen,
01631 &gd->key_rsc_len, &gd->alg))
01632 return -1;
01633
01634 wpa_hexdump(MSG_DEBUG, "RSN: received GTK in group key handshake",
01635 ie.gtk, ie.gtk_len);
01636 gd->keyidx = ie.gtk[0] & 0x3;
01637 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
01638 !!(ie.gtk[0] & BIT(2)));
01639 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
01640 wpa_printf(MSG_INFO, "RSN: Too long GTK in GTK IE "
01641 "(len=%lu)", (unsigned long) ie.gtk_len - 2);
01642 return -1;
01643 }
01644 memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
01645
01646 return 0;
01647 }
01648
01649
01650 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
01651 const struct wpa_eapol_key *key,
01652 size_t keydatalen, int key_info,
01653 int extra_len, u16 ver,
01654 struct wpa_gtk_data *gd)
01655 {
01656 int maxkeylen;
01657 u8 ek[32];
01658
01659 gd->gtk_len = WPA_GET_BE16(key->key_length);
01660 maxkeylen = keydatalen;
01661 if (keydatalen > extra_len) {
01662 wpa_printf(MSG_INFO, "WPA: Truncated EAPOL-Key packet:"
01663 " key_data_length=%lu > extra_len=%d",
01664 (unsigned long) keydatalen, extra_len);
01665 return -1;
01666 }
01667 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES)
01668 maxkeylen -= 8;
01669
01670 if (wpa_supplicant_check_group_cipher(sm->group_cipher,
01671 gd->gtk_len, maxkeylen,
01672 &gd->key_rsc_len, &gd->alg))
01673 return -1;
01674
01675 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
01676 WPA_KEY_INFO_KEY_INDEX_SHIFT;
01677 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
01678 memcpy(ek, key->key_iv, 16);
01679 memcpy(ek + 16, sm->ptk.kek, 16);
01680 if (keydatalen > sizeof(gd->gtk)) {
01681 wpa_printf(MSG_WARNING, "WPA: RC4 key data "
01682 "too long (%lu)",
01683 (unsigned long) keydatalen);
01684 return -1;
01685 }
01686 memcpy(gd->gtk, key + 1, keydatalen);
01687 rc4_skip(ek, 32, 256, gd->gtk, keydatalen);
01688 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
01689 if (keydatalen % 8) {
01690 wpa_printf(MSG_WARNING, "WPA: Unsupported AES-WRAP "
01691 "len %lu", (unsigned long) keydatalen);
01692 return -1;
01693 }
01694 if (maxkeylen > sizeof(gd->gtk)) {
01695 wpa_printf(MSG_WARNING, "WPA: AES-WRAP key data "
01696 "too long (keydatalen=%lu maxkeylen=%lu)",
01697 (unsigned long) keydatalen,
01698 (unsigned long) maxkeylen);
01699 return -1;
01700 }
01701 if (aes_unwrap(sm->ptk.kek, maxkeylen / 8,
01702 (const u8 *) (key + 1), gd->gtk)) {
01703 wpa_printf(MSG_WARNING, "WPA: AES unwrap "
01704 "failed - could not decrypt GTK");
01705 return -1;
01706 }
01707 }
01708 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
01709 sm, !!(key_info & WPA_KEY_INFO_TXRX));
01710 return 0;
01711 }
01712
01713
01714 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
01715 const unsigned char *src_addr,
01716 const struct wpa_eapol_key *key,
01717 int ver, u16 key_info)
01718 {
01719 size_t rlen;
01720 struct wpa_eapol_key *reply;
01721 u8 *rbuf;
01722
01723 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
01724 sizeof(*reply), &rlen, (void *) &reply);
01725 if (rbuf == NULL)
01726 return -1;
01727
01728 reply->type = sm->proto == WPA_PROTO_RSN ?
01729 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
01730 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
01731 key_info |= ver | WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
01732 WPA_PUT_BE16(reply->key_info, key_info);
01733 if (sm->proto == WPA_PROTO_RSN)
01734 WPA_PUT_BE16(reply->key_length, 0);
01735 else
01736 memcpy(reply->key_length, key->key_length, 2);
01737 memcpy(reply->replay_counter, key->replay_counter,
01738 WPA_REPLAY_COUNTER_LEN);
01739
01740 WPA_PUT_BE16(reply->key_data_length, 0);
01741
01742 wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
01743 wpa_eapol_key_send(sm, sm->ptk.kck, ver, src_addr, ETH_P_EAPOL,
01744 rbuf, rlen, reply->key_mic);
01745
01746 return 0;
01747 }
01748
01749
01750 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
01751 const unsigned char *src_addr,
01752 const struct wpa_eapol_key *key,
01753 int extra_len, u16 ver)
01754 {
01755 u16 key_info, keydatalen;
01756 int rekey;
01757 struct wpa_gtk_data gd;
01758
01759 memset(&gd, 0, sizeof(gd));
01760
01761 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
01762 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
01763 wpa_printf(MSG_DEBUG, "WPA: RX message 1 of Group Key Handshake from "
01764 MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
01765
01766 key_info = WPA_GET_BE16(key->key_info);
01767 keydatalen = WPA_GET_BE16(key->key_data_length);
01768
01769 if (sm->proto == WPA_PROTO_RSN) {
01770 if (wpa_supplicant_process_1_of_2_rsn(sm,
01771 (const u8 *) (key + 1),
01772 keydatalen, key_info,
01773 &gd))
01774 return;
01775 } else {
01776 if (wpa_supplicant_process_1_of_2_wpa(sm, key, keydatalen,
01777 key_info, extra_len,
01778 ver, &gd))
01779 return;
01780 }
01781
01782 if (wpa_supplicant_install_gtk(sm, &gd, key->key_rsc) ||
01783 wpa_supplicant_send_2_of_2(sm, src_addr, key, ver, key_info))
01784 return;
01785
01786 if (rekey) {
01787 wpa_msg(sm->ctx->ctx, MSG_INFO, "WPA: Group rekeying "
01788 "completed with " MACSTR " [GTK=%s]",
01789 MAC2STR(src_addr), wpa_cipher_txt(sm->group_cipher));
01790 wpa_sm_set_state(sm, WPA_COMPLETED);
01791 } else {
01792 wpa_supplicant_key_neg_complete(sm, src_addr,
01793 key_info &
01794 WPA_KEY_INFO_SECURE);
01795 }
01796 }
01797
01798
01799 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
01800 struct wpa_eapol_key *key,
01801 u16 ver,
01802 const u8 *buf, size_t len)
01803 {
01804 u8 mic[16];
01805 int ok = 0;
01806
01807 memcpy(mic, key->key_mic, 16);
01808 if (sm->tptk_set) {
01809 memset(key->key_mic, 0, 16);
01810 wpa_eapol_key_mic(sm->tptk.kck, ver, buf, len,
01811 key->key_mic);
01812 if (memcmp(mic, key->key_mic, 16) != 0) {
01813 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
01814 "when using TPTK - ignoring TPTK");
01815 } else {
01816 ok = 1;
01817 sm->tptk_set = 0;
01818 sm->ptk_set = 1;
01819 memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
01820 }
01821 }
01822
01823 if (!ok && sm->ptk_set) {
01824 memset(key->key_mic, 0, 16);
01825 wpa_eapol_key_mic(sm->ptk.kck, ver, buf, len,
01826 key->key_mic);
01827 if (memcmp(mic, key->key_mic, 16) != 0) {
01828 wpa_printf(MSG_WARNING, "WPA: Invalid EAPOL-Key MIC "
01829 "- dropping packet");
01830 return -1;
01831 }
01832 ok = 1;
01833 }
01834
01835 if (!ok) {
01836 wpa_printf(MSG_WARNING, "WPA: Could not verify EAPOL-Key MIC "
01837 "- dropping packet");
01838 return -1;
01839 }
01840
01841 memcpy(sm->rx_replay_counter, key->replay_counter,
01842 WPA_REPLAY_COUNTER_LEN);
01843 sm->rx_replay_counter_set = 1;
01844 return 0;
01845 }
01846
01847
01848
01849 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
01850 struct wpa_eapol_key *key, u16 ver)
01851 {
01852 u16 keydatalen = WPA_GET_BE16(key->key_data_length);
01853
01854 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
01855 (u8 *) (key + 1), keydatalen);
01856 if (!sm->ptk_set) {
01857 wpa_printf(MSG_WARNING, "WPA: PTK not available, "
01858 "cannot decrypt EAPOL-Key key data.");
01859 return -1;
01860 }
01861
01862
01863
01864 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
01865 u8 ek[32];
01866 memcpy(ek, key->key_iv, 16);
01867 memcpy(ek + 16, sm->ptk.kek, 16);
01868 rc4_skip(ek, 32, 256, (u8 *) (key + 1), keydatalen);
01869 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
01870 u8 *buf;
01871 if (keydatalen % 8) {
01872 wpa_printf(MSG_WARNING, "WPA: Unsupported "
01873 "AES-WRAP len %d", keydatalen);
01874 return -1;
01875 }
01876 keydatalen -= 8;
01877 buf = malloc(keydatalen);
01878 if (buf == NULL) {
01879 wpa_printf(MSG_WARNING, "WPA: No memory for "
01880 "AES-UNWRAP buffer");
01881 return -1;
01882 }
01883 if (aes_unwrap(sm->ptk.kek, keydatalen / 8,
01884 (u8 *) (key + 1), buf)) {
01885 free(buf);
01886 wpa_printf(MSG_WARNING, "WPA: AES unwrap failed - "
01887 "could not decrypt EAPOL-Key key data");
01888 return -1;
01889 }
01890 memcpy(key + 1, buf, keydatalen);
01891 free(buf);
01892 WPA_PUT_BE16(key->key_data_length, keydatalen);
01893 }
01894 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
01895 (u8 *) (key + 1), keydatalen);
01896 return 0;
01897 }
01898
01899
01905 void wpa_sm_aborted_cached(struct wpa_sm *sm)
01906 {
01907 if (sm && sm->cur_pmksa) {
01908 wpa_printf(MSG_DEBUG, "RSN: Cancelling PMKSA caching attempt");
01909 sm->cur_pmksa = NULL;
01910 }
01911 }
01912
01913
01914 static void wpa_eapol_key_dump(const struct wpa_eapol_key *key)
01915 {
01916 #ifndef CONFIG_NO_STDOUT_DEBUG
01917 u16 key_info = WPA_GET_BE16(key->key_info);
01918
01919 wpa_printf(MSG_DEBUG, " EAPOL-Key type=%d", key->type);
01920 wpa_printf(MSG_DEBUG, " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s"
01921 "%s%s%s%s%s%s%s)",
01922 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
01923 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
01924 WPA_KEY_INFO_KEY_INDEX_SHIFT,
01925 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
01926 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
01927 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
01928 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
01929 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
01930 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
01931 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
01932 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
01933 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
01934 wpa_printf(MSG_DEBUG, " key_length=%u key_data_length=%u",
01935 WPA_GET_BE16(key->key_length),
01936 WPA_GET_BE16(key->key_data_length));
01937 wpa_hexdump(MSG_DEBUG, " replay_counter",
01938 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
01939 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
01940 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
01941 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
01942 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
01943 wpa_hexdump(MSG_DEBUG, " key_mic", key->key_mic, 16);
01944 #endif
01945 }
01946
01947
01965 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
01966 const u8 *buf, size_t len)
01967 {
01968 size_t plen, data_len, extra_len;
01969 struct ieee802_1x_hdr *hdr;
01970 struct wpa_eapol_key *key;
01971 u16 key_info, ver;
01972 u8 *tmp;
01973 int ret = -1;
01974
01975 if (len < sizeof(*hdr) + sizeof(*key)) {
01976 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short to be a WPA "
01977 "EAPOL-Key (len %lu, expecting at least %lu)",
01978 (unsigned long) len,
01979 (unsigned long) sizeof(*hdr) + sizeof(*key));
01980 return 0;
01981 }
01982
01983 tmp = malloc(len);
01984 if (tmp == NULL)
01985 return -1;
01986 memcpy(tmp, buf, len);
01987
01988 hdr = (struct ieee802_1x_hdr *) tmp;
01989 key = (struct wpa_eapol_key *) (hdr + 1);
01990 plen = ntohs(hdr->length);
01991 data_len = plen + sizeof(*hdr);
01992 wpa_printf(MSG_DEBUG, "IEEE 802.1X RX: version=%d type=%d length=%lu",
01993 hdr->version, hdr->type, (unsigned long) plen);
01994
01995 if (hdr->version < EAPOL_VERSION) {
01996
01997 }
01998 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
01999 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame (type %u) discarded, "
02000 "not a Key frame", hdr->type);
02001 ret = 0;
02002 goto out;
02003 }
02004 if (plen > len - sizeof(*hdr) || plen < sizeof(*key)) {
02005 wpa_printf(MSG_DEBUG, "WPA: EAPOL frame payload size %lu "
02006 "invalid (frame size %lu)",
02007 (unsigned long) plen, (unsigned long) len);
02008 ret = 0;
02009 goto out;
02010 }
02011
02012 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
02013 {
02014 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key type (%d) unknown, "
02015 "discarded", key->type);
02016 ret = 0;
02017 goto out;
02018 }
02019 wpa_eapol_key_dump(key);
02020
02021 eapol_sm_notify_lower_layer_success(sm->eapol);
02022 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", tmp, len);
02023 if (data_len < len) {
02024 wpa_printf(MSG_DEBUG, "WPA: ignoring %lu bytes after the IEEE "
02025 "802.1X data", (unsigned long) len - data_len);
02026 }
02027 key_info = WPA_GET_BE16(key->key_info);
02028 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
02029 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
02030 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
02031 wpa_printf(MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor "
02032 "version %d.", ver);
02033 goto out;
02034 }
02035
02036 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
02037 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
02038 wpa_printf(MSG_INFO, "WPA: CCMP is used, but EAPOL-Key "
02039 "descriptor version (%d) is not 2.", ver);
02040 if (sm->group_cipher != WPA_CIPHER_CCMP &&
02041 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
02042
02043
02044
02045
02046 wpa_printf(MSG_INFO, "WPA: Backwards compatibility: "
02047 "allow invalid version for non-CCMP group "
02048 "keys");
02049 } else
02050 goto out;
02051 }
02052
02053 if (sm->rx_replay_counter_set &&
02054 memcmp(key->replay_counter, sm->rx_replay_counter,
02055 WPA_REPLAY_COUNTER_LEN) <= 0) {
02056 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key Replay Counter did not"
02057 " increase - dropping packet");
02058 goto out;
02059 }
02060
02061 if (!(key_info & WPA_KEY_INFO_ACK)) {
02062 wpa_printf(MSG_INFO, "WPA: No Ack bit in key_info");
02063 goto out;
02064 }
02065
02066 if (key_info & WPA_KEY_INFO_REQUEST) {
02067 wpa_printf(MSG_INFO, "WPA: EAPOL-Key with Request bit - "
02068 "dropped");
02069 goto out;
02070 }
02071
02072 if ((key_info & WPA_KEY_INFO_MIC) &&
02073 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
02074 goto out;
02075
02076 extra_len = data_len - sizeof(*hdr) - sizeof(*key);
02077
02078 if (WPA_GET_BE16(key->key_data_length) > extra_len) {
02079 wpa_msg(sm->ctx->ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
02080 "frame - key_data overflow (%d > %lu)",
02081 WPA_GET_BE16(key->key_data_length),
02082 (unsigned long) extra_len);
02083 goto out;
02084 }
02085
02086 if (sm->proto == WPA_PROTO_RSN &&
02087 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
02088 wpa_supplicant_decrypt_key_data(sm, key, ver))
02089 goto out;
02090
02091 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
02092 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
02093 wpa_printf(MSG_WARNING, "WPA: Ignored EAPOL-Key "
02094 "(Pairwise) with non-zero key index");
02095 goto out;
02096 }
02097 if (key_info & WPA_KEY_INFO_MIC) {
02098
02099 wpa_supplicant_process_3_of_4(sm, src_addr, key,
02100 extra_len, ver);
02101 } else {
02102
02103 wpa_supplicant_process_1_of_4(sm, src_addr, key,
02104 ver);
02105 }
02106 } else {
02107 if (key_info & WPA_KEY_INFO_MIC) {
02108
02109 wpa_supplicant_process_1_of_2(sm, src_addr, key,
02110 extra_len, ver);
02111 } else {
02112 wpa_printf(MSG_WARNING, "WPA: EAPOL-Key (Group) "
02113 "without Mic bit - dropped");
02114 }
02115 }
02116
02117 ret = 1;
02118
02119 out:
02120 free(tmp);
02121 return ret;
02122 }
02123
02124
02125 static int wpa_cipher_bits(int cipher)
02126 {
02127 switch (cipher) {
02128 case WPA_CIPHER_CCMP:
02129 return 128;
02130 case WPA_CIPHER_TKIP:
02131 return 256;
02132 case WPA_CIPHER_WEP104:
02133 return 104;
02134 case WPA_CIPHER_WEP40:
02135 return 40;
02136 default:
02137 return 0;
02138 }
02139 }
02140
02141
02142 static const u8 * wpa_key_mgmt_suite(struct wpa_sm *sm)
02143 {
02144 static const u8 *dummy = (u8 *) "\x00\x00\x00\x00";
02145 switch (sm->key_mgmt) {
02146 case WPA_KEY_MGMT_IEEE8021X:
02147 return (sm->proto == WPA_PROTO_RSN ?
02148 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
02149 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
02150 case WPA_KEY_MGMT_PSK:
02151 return (sm->proto == WPA_PROTO_RSN ?
02152 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
02153 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
02154 case WPA_KEY_MGMT_WPA_NONE:
02155 return WPA_AUTH_KEY_MGMT_NONE;
02156 default:
02157 return dummy;
02158 }
02159 }
02160
02161
02162 static const u8 * wpa_cipher_suite(struct wpa_sm *sm, int cipher)
02163 {
02164 static const u8 *dummy = (u8 *) "\x00\x00\x00\x00";
02165 switch (cipher) {
02166 case WPA_CIPHER_CCMP:
02167 return (sm->proto == WPA_PROTO_RSN ?
02168 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
02169 case WPA_CIPHER_TKIP:
02170 return (sm->proto == WPA_PROTO_RSN ?
02171 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
02172 case WPA_CIPHER_WEP104:
02173 return (sm->proto == WPA_PROTO_RSN ?
02174 RSN_CIPHER_SUITE_WEP104 : WPA_CIPHER_SUITE_WEP104);
02175 case WPA_CIPHER_WEP40:
02176 return (sm->proto == WPA_PROTO_RSN ?
02177 RSN_CIPHER_SUITE_WEP40 : WPA_CIPHER_SUITE_WEP40);
02178 case WPA_CIPHER_NONE:
02179 return (sm->proto == WPA_PROTO_RSN ?
02180 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
02181 default:
02182 return dummy;
02183 }
02184 }
02185
02186
02187 #define RSN_SUITE "%02x-%02x-%02x-%d"
02188 #define RSN_SUITE_ARG(s) (s)[0], (s)[1], (s)[2], (s)[3]
02189
02200 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
02201 {
02202 int len, i;
02203 char pmkid_txt[PMKID_LEN * 2 + 1];
02204 int rsna;
02205
02206 if (sm->cur_pmksa) {
02207 char *pos = pmkid_txt;
02208 for (i = 0; i < PMKID_LEN; i++) {
02209 pos += sprintf(pos, "%02x", sm->cur_pmksa->pmkid[i]);
02210 }
02211 } else
02212 pmkid_txt[0] = '\0';
02213
02214 if ((sm->key_mgmt == WPA_KEY_MGMT_PSK ||
02215 sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X) &&
02216 sm->proto == WPA_PROTO_RSN)
02217 rsna = 1;
02218 else
02219 rsna = 0;
02220
02221 len = snprintf(buf, buflen,
02222 "dot11RSNAOptionImplemented=TRUE\n"
02223 "dot11RSNAPreauthenticationImplemented=TRUE\n"
02224 "dot11RSNAEnabled=%s\n"
02225 "dot11RSNAPreauthenticationEnabled=%s\n"
02226 "dot11RSNAConfigVersion=%d\n"
02227 "dot11RSNAConfigPairwiseKeysSupported=5\n"
02228 "dot11RSNAConfigGroupCipherSize=%d\n"
02229 "dot11RSNAConfigPMKLifetime=%d\n"
02230 "dot11RSNAConfigPMKReauthThreshold=%d\n"
02231 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
02232 "dot11RSNAConfigSATimeout=%d\n"
02233 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
02234 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
02235 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
02236 "dot11RSNAPMKIDUsed=%s\n"
02237 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
02238 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
02239 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
02240 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
02241 "dot11RSNA4WayHandshakeFailures=%u\n",
02242 rsna ? "TRUE" : "FALSE",
02243 rsna ? "TRUE" : "FALSE",
02244 RSN_VERSION,
02245 wpa_cipher_bits(sm->group_cipher),
02246 sm->dot11RSNAConfigPMKLifetime,
02247 sm->dot11RSNAConfigPMKReauthThreshold,
02248 sm->dot11RSNAConfigSATimeout,
02249 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
02250 RSN_SUITE_ARG(wpa_cipher_suite(sm,
02251 sm->pairwise_cipher)),
02252 RSN_SUITE_ARG(wpa_cipher_suite(sm, sm->group_cipher)),
02253 pmkid_txt,
02254 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
02255 RSN_SUITE_ARG(wpa_cipher_suite(sm,
02256 sm->pairwise_cipher)),
02257 RSN_SUITE_ARG(wpa_cipher_suite(sm, sm->group_cipher)),
02258 sm->dot11RSNA4WayHandshakeFailures);
02259 return len;
02260 }
02261
02262
02272 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
02273 {
02274 struct wpa_sm *sm;
02275
02276 sm = malloc(sizeof(*sm));
02277 if (sm == NULL)
02278 return NULL;
02279 memset(sm, 0, sizeof(*sm));
02280 sm->renew_snonce = 1;
02281 sm->ctx = ctx;
02282
02283 sm->dot11RSNAConfigPMKLifetime = 43200;
02284 sm->dot11RSNAConfigPMKReauthThreshold = 70;
02285 sm->dot11RSNAConfigSATimeout = 60;
02286
02287 return sm;
02288 }
02289
02290
02296 void wpa_sm_deinit(struct wpa_sm *sm)
02297 {
02298 if (sm == NULL)
02299 return;
02300 eloop_cancel_timeout(wpa_sm_start_preauth, sm, 0);
02301 free(sm->assoc_wpa_ie);
02302 free(sm->ap_wpa_ie);
02303 free(sm->ap_rsn_ie);
02304 free(sm->ctx);
02305 free(sm);
02306 }
02307
02308
02318 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
02319 {
02320 if (sm == NULL)
02321 return;
02322
02323 wpa_printf(MSG_DEBUG, "WPA: Association event - clear replay counter");
02324 memcpy(sm->bssid, bssid, ETH_ALEN);
02325 memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
02326 sm->rx_replay_counter_set = 0;
02327 sm->renew_snonce = 1;
02328 if (memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
02329 rsn_preauth_deinit(sm);
02330 }
02331
02332
02341 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
02342 {
02343 rsn_preauth_deinit(sm);
02344 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
02345 sm->dot11RSNA4WayHandshakeFailures++;
02346 }
02347
02348
02358 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len)
02359 {
02360 if (sm == NULL)
02361 return;
02362
02363 sm->pmk_len = pmk_len;
02364 memcpy(sm->pmk, pmk, pmk_len);
02365 }
02366
02367
02376 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
02377 {
02378 if (sm == NULL)
02379 return;
02380
02381 if (sm->cur_pmksa) {
02382 sm->pmk_len = sm->cur_pmksa->pmk_len;
02383 memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
02384 } else {
02385 sm->pmk_len = PMK_LEN;
02386 memset(sm->pmk, 0, PMK_LEN);
02387 }
02388 }
02389
02390
02397 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
02398 {
02399 if (sm)
02400 sm->fast_reauth = fast_reauth;
02401 }
02402
02403
02410 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
02411 {
02412 if (sm == NULL)
02413 return;
02414 sm->scard_ctx = scard_ctx;
02415 if (sm->preauth_eapol)
02416 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
02417 }
02418
02419
02430 void wpa_sm_set_config(struct wpa_sm *sm, struct wpa_ssid *config)
02431 {
02432 if (sm)
02433 sm->cur_ssid = config;
02434 }
02435
02436
02443 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
02444 {
02445 if (sm)
02446 memcpy(sm->own_addr, addr, ETH_ALEN);
02447 }
02448
02449
02456 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname)
02457 {
02458 if (sm)
02459 sm->ifname = ifname;
02460 }
02461
02462
02469 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
02470 {
02471 if (sm)
02472 sm->eapol = eapol;
02473 }
02474
02475
02484 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
02485 unsigned int value)
02486 {
02487 int ret = 0;
02488
02489 if (sm == NULL)
02490 return -1;
02491
02492 switch (param) {
02493 case RSNA_PMK_LIFETIME:
02494 if (value > 0)
02495 sm->dot11RSNAConfigPMKLifetime = value;
02496 else
02497 ret = -1;
02498 break;
02499 case RSNA_PMK_REAUTH_THRESHOLD:
02500 if (value > 0 && value <= 100)
02501 sm->dot11RSNAConfigPMKReauthThreshold = value;
02502 else
02503 ret = -1;
02504 break;
02505 case RSNA_SA_TIMEOUT:
02506 if (value > 0)
02507 sm->dot11RSNAConfigSATimeout = value;
02508 else
02509 ret = -1;
02510 break;
02511 case WPA_PARAM_PROTO:
02512 sm->proto = value;
02513 break;
02514 case WPA_PARAM_PAIRWISE:
02515 sm->pairwise_cipher = value;
02516 break;
02517 case WPA_PARAM_GROUP:
02518 sm->group_cipher = value;
02519 break;
02520 case WPA_PARAM_KEY_MGMT:
02521 sm->key_mgmt = value;
02522 break;
02523 }
02524
02525 return ret;
02526 }
02527
02528
02536 unsigned int wpa_sm_get_param(struct wpa_sm *sm, enum wpa_sm_conf_params param)
02537 {
02538 if (sm == NULL)
02539 return 0;
02540
02541 switch (param) {
02542 case RSNA_PMK_LIFETIME:
02543 return sm->dot11RSNAConfigPMKLifetime;
02544 case RSNA_PMK_REAUTH_THRESHOLD:
02545 return sm->dot11RSNAConfigPMKReauthThreshold;
02546 case RSNA_SA_TIMEOUT:
02547 return sm->dot11RSNAConfigSATimeout;
02548 case WPA_PARAM_PROTO:
02549 return sm->proto;
02550 case WPA_PARAM_PAIRWISE:
02551 return sm->pairwise_cipher;
02552 case WPA_PARAM_GROUP:
02553 return sm->group_cipher;
02554 case WPA_PARAM_KEY_MGMT:
02555 return sm->key_mgmt;
02556 default:
02557 return 0;
02558 }
02559 }
02560
02561
02575 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
02576 int verbose)
02577 {
02578 char *pos = buf, *end = buf + buflen;
02579
02580 pos += snprintf(pos, end - pos,
02581 "pairwise_cipher=%s\n"
02582 "group_cipher=%s\n"
02583 "key_mgmt=%s\n",
02584 wpa_cipher_txt(sm->pairwise_cipher),
02585 wpa_cipher_txt(sm->group_cipher),
02586 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
02587 return pos - buf;
02588 }
02589
02590
02603 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
02604 size_t *wpa_ie_len)
02605 {
02606 int res;
02607
02608 if (sm == NULL)
02609 return -1;
02610
02611 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
02612 if (res < 0)
02613 return -1;
02614 *wpa_ie_len = res;
02615
02616 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
02617 wpa_ie, *wpa_ie_len);
02618
02619 if (sm->assoc_wpa_ie == NULL) {
02620
02621
02622
02623
02624
02625 sm->assoc_wpa_ie = malloc(*wpa_ie_len);
02626 if (sm->assoc_wpa_ie == NULL)
02627 return -1;
02628
02629 memcpy(sm->assoc_wpa_ie, wpa_ie, *wpa_ie_len);
02630 sm->assoc_wpa_ie_len = *wpa_ie_len;
02631 }
02632
02633 return 0;
02634 }
02635
02636
02649 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
02650 {
02651 if (sm == NULL)
02652 return -1;
02653
02654 free(sm->assoc_wpa_ie);
02655 if (ie == NULL || len == 0) {
02656 wpa_printf(MSG_DEBUG, "WPA: clearing own WPA/RSN IE");
02657 sm->assoc_wpa_ie = NULL;
02658 sm->assoc_wpa_ie_len = 0;
02659 } else {
02660 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
02661 sm->assoc_wpa_ie = malloc(len);
02662 if (sm->assoc_wpa_ie == NULL)
02663 return -1;
02664
02665 memcpy(sm->assoc_wpa_ie, ie, len);
02666 sm->assoc_wpa_ie_len = len;
02667 }
02668
02669 return 0;
02670 }
02671
02672
02684 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
02685 {
02686 if (sm == NULL)
02687 return -1;
02688
02689 free(sm->ap_wpa_ie);
02690 if (ie == NULL || len == 0) {
02691 wpa_printf(MSG_DEBUG, "WPA: clearing AP WPA IE");
02692 sm->ap_wpa_ie = NULL;
02693 sm->ap_wpa_ie_len = 0;
02694 } else {
02695 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
02696 sm->ap_wpa_ie = malloc(len);
02697 if (sm->ap_wpa_ie == NULL)
02698 return -1;
02699
02700 memcpy(sm->ap_wpa_ie, ie, len);
02701 sm->ap_wpa_ie_len = len;
02702 }
02703
02704 return 0;
02705 }
02706
02707
02719 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
02720 {
02721 if (sm == NULL)
02722 return -1;
02723
02724 free(sm->ap_rsn_ie);
02725 if (ie == NULL || len == 0) {
02726 wpa_printf(MSG_DEBUG, "WPA: clearing AP RSN IE");
02727 sm->ap_rsn_ie = NULL;
02728 sm->ap_rsn_ie_len = 0;
02729 } else {
02730 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
02731 sm->ap_rsn_ie = malloc(len);
02732 if (sm->ap_rsn_ie == NULL)
02733 return -1;
02734
02735 memcpy(sm->ap_rsn_ie, ie, len);
02736 sm->ap_rsn_ie_len = len;
02737 }
02738
02739 return 0;
02740 }
02741
02742
02753 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
02754 {
02755 if (sm == NULL || sm->assoc_wpa_ie == NULL) {
02756 wpa_printf(MSG_DEBUG, "WPA: No WPA/RSN IE available from "
02757 "association info");
02758 return -1;
02759 }
02760 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
02761 return -2;
02762 return 0;
02763 }
02764
