1 /* $OpenBSD: ieee80211_pae_input.c,v 1.31 2017/10/16 10:39:41 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the 4-Way Handshake and Group Key Handshake protocols 21 * (both Supplicant and Authenticator Key Receive state machines) defined in 22 * IEEE Std 802.11-2007 section 8.5. 23 */ 24 25 #include <sys/param.h> 26 #include <sys/systm.h> 27 #include <sys/mbuf.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/sockio.h> 31 #include <sys/errno.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 37 #include <netinet/in.h> 38 #include <netinet/if_ether.h> 39 40 #include <net80211/ieee80211_var.h> 41 #include <net80211/ieee80211_priv.h> 42 43 void ieee80211_recv_4way_msg1(struct ieee80211com *, 44 struct ieee80211_eapol_key *, struct ieee80211_node *); 45 #ifndef IEEE80211_STA_ONLY 46 void ieee80211_recv_4way_msg2(struct ieee80211com *, 47 struct ieee80211_eapol_key *, struct ieee80211_node *, 48 const u_int8_t *); 49 #endif 50 int ieee80211_must_update_group_key(struct ieee80211_key *, const uint8_t *, 51 int); 52 void ieee80211_recv_4way_msg3(struct ieee80211com *, 53 struct ieee80211_eapol_key *, struct ieee80211_node *); 54 #ifndef IEEE80211_STA_ONLY 55 void ieee80211_recv_4way_msg4(struct ieee80211com *, 56 struct ieee80211_eapol_key *, struct ieee80211_node *); 57 void ieee80211_recv_4way_msg2or4(struct ieee80211com *, 58 struct ieee80211_eapol_key *, struct ieee80211_node *); 59 #endif 60 void ieee80211_recv_rsn_group_msg1(struct ieee80211com *, 61 struct ieee80211_eapol_key *, struct ieee80211_node *); 62 void ieee80211_recv_wpa_group_msg1(struct ieee80211com *, 63 struct ieee80211_eapol_key *, struct ieee80211_node *); 64 #ifndef IEEE80211_STA_ONLY 65 void ieee80211_recv_group_msg2(struct ieee80211com *, 66 struct ieee80211_eapol_key *, struct ieee80211_node *); 67 void ieee80211_recv_eapol_key_req(struct ieee80211com *, 68 struct ieee80211_eapol_key *, struct ieee80211_node *); 69 #endif 70 71 /* 72 * Process an incoming EAPOL frame. Notice that we are only interested in 73 * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type. 74 */ 75 void 76 ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m, 77 struct ieee80211_node *ni) 78 { 79 struct ifnet *ifp = &ic->ic_if; 80 struct ether_header *eh; 81 struct ieee80211_eapol_key *key; 82 u_int16_t info, desc; 83 int totlen, bodylen, paylen; 84 85 ifp->if_ibytes += m->m_pkthdr.len; 86 87 eh = mtod(m, struct ether_header *); 88 if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) { 89 ifp->if_imcasts++; 90 goto done; 91 } 92 m_adj(m, sizeof(*eh)); 93 94 if (m->m_pkthdr.len < sizeof(*key)) 95 goto done; 96 if (m->m_len < sizeof(*key) && 97 (m = m_pullup(m, sizeof(*key))) == NULL) { 98 ic->ic_stats.is_rx_nombuf++; 99 goto done; 100 } 101 key = mtod(m, struct ieee80211_eapol_key *); 102 103 if (key->type != EAPOL_KEY) 104 goto done; 105 ic->ic_stats.is_rx_eapol_key++; 106 107 if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 108 key->desc != EAPOL_KEY_DESC_IEEE80211) || 109 (ni->ni_rsnprotos == IEEE80211_PROTO_WPA && 110 key->desc != EAPOL_KEY_DESC_WPA)) 111 goto done; 112 113 /* check packet body length */ 114 bodylen = BE_READ_2(key->len); 115 totlen = 4 + bodylen; 116 if (m->m_pkthdr.len < totlen || totlen > MCLBYTES) 117 goto done; 118 119 /* check key data length */ 120 paylen = BE_READ_2(key->paylen); 121 if (paylen > totlen - sizeof(*key)) 122 goto done; 123 124 info = BE_READ_2(key->info); 125 126 /* discard EAPOL-Key frames with an unknown descriptor version */ 127 desc = info & EAPOL_KEY_VERSION_MASK; 128 if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3) 129 goto done; 130 131 if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) { 132 if (desc != EAPOL_KEY_DESC_V3) 133 goto done; 134 } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP || 135 ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) { 136 if (desc != EAPOL_KEY_DESC_V2) 137 goto done; 138 } 139 140 /* make sure the key data field is contiguous */ 141 if (m->m_len < totlen && (m = m_pullup(m, totlen)) == NULL) { 142 ic->ic_stats.is_rx_nombuf++; 143 goto done; 144 } 145 key = mtod(m, struct ieee80211_eapol_key *); 146 147 /* determine message type (see 8.5.3.7) */ 148 if (info & EAPOL_KEY_REQUEST) { 149 #ifndef IEEE80211_STA_ONLY 150 /* EAPOL-Key Request frame */ 151 ieee80211_recv_eapol_key_req(ic, key, ni); 152 #endif 153 } else if (info & EAPOL_KEY_PAIRWISE) { 154 /* 4-Way Handshake */ 155 if (info & EAPOL_KEY_KEYMIC) { 156 if (info & EAPOL_KEY_KEYACK) 157 ieee80211_recv_4way_msg3(ic, key, ni); 158 #ifndef IEEE80211_STA_ONLY 159 else 160 ieee80211_recv_4way_msg2or4(ic, key, ni); 161 #endif 162 } else if (info & EAPOL_KEY_KEYACK) 163 ieee80211_recv_4way_msg1(ic, key, ni); 164 } else { 165 /* Group Key Handshake */ 166 if (!(info & EAPOL_KEY_KEYMIC)) 167 goto done; 168 if (info & EAPOL_KEY_KEYACK) { 169 if (key->desc == EAPOL_KEY_DESC_WPA) 170 ieee80211_recv_wpa_group_msg1(ic, key, ni); 171 else 172 ieee80211_recv_rsn_group_msg1(ic, key, ni); 173 } 174 #ifndef IEEE80211_STA_ONLY 175 else 176 ieee80211_recv_group_msg2(ic, key, ni); 177 #endif 178 } 179 done: 180 m_freem(m); 181 } 182 183 /* 184 * Process Message 1 of the 4-Way Handshake (sent by Authenticator). 185 */ 186 void 187 ieee80211_recv_4way_msg1(struct ieee80211com *ic, 188 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 189 { 190 struct ieee80211_ptk tptk; 191 struct ieee80211_pmk *pmk; 192 const u_int8_t *frm, *efrm; 193 const u_int8_t *pmkid; 194 195 #ifndef IEEE80211_STA_ONLY 196 if (ic->ic_opmode != IEEE80211_M_STA && 197 ic->ic_opmode != IEEE80211_M_IBSS) 198 return; 199 #endif 200 /* 201 * Message 1 is always expected while RSN is active since some 202 * APs will rekey the PTK by sending Msg1/4 after some time. 203 */ 204 if (ni->ni_rsn_supp_state == RSNA_SUPP_INITIALIZE) { 205 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 206 return; 207 } 208 /* enforce monotonicity of key request replay counter */ 209 if (ni->ni_replaycnt_ok && 210 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 211 ic->ic_stats.is_rx_eapol_replay++; 212 return; 213 } 214 215 /* parse key data field (may contain an encapsulated PMKID) */ 216 frm = (const u_int8_t *)&key[1]; 217 efrm = frm + BE_READ_2(key->paylen); 218 219 pmkid = NULL; 220 while (frm + 2 <= efrm) { 221 if (frm + 2 + frm[1] > efrm) 222 break; 223 switch (frm[0]) { 224 case IEEE80211_ELEMID_VENDOR: 225 if (frm[1] < 4) 226 break; 227 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 228 switch (frm[5]) { 229 case IEEE80211_KDE_PMKID: 230 pmkid = frm; 231 break; 232 } 233 } 234 break; 235 } 236 frm += 2 + frm[1]; 237 } 238 /* check that the PMKID KDE is valid (if present) */ 239 if (pmkid != NULL && pmkid[1] != 4 + 16) 240 return; 241 242 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 243 /* retrieve the PMK for this (AP,PMKID) */ 244 pmk = ieee80211_pmksa_find(ic, ni, 245 (pmkid != NULL) ? &pmkid[6] : NULL); 246 if (pmk == NULL) { 247 DPRINTF(("no PMK available for %s\n", 248 ether_sprintf(ni->ni_macaddr))); 249 return; 250 } 251 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 252 } else /* use pre-shared key */ 253 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 254 ni->ni_flags |= IEEE80211_NODE_PMK; 255 256 /* save authenticator's nonce (ANonce) */ 257 memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN); 258 259 /* generate supplicant's nonce (SNonce) */ 260 arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN); 261 262 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 263 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 264 ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk); 265 266 /* We are now expecting a new pairwise key. */ 267 ni->ni_flags |= IEEE80211_NODE_RSN_NEW_PTK; 268 269 if (ic->ic_if.if_flags & IFF_DEBUG) 270 printf("%s: received msg %d/%d of the %s handshake from %s\n", 271 ic->ic_if.if_xname, 1, 4, "4-way", 272 ether_sprintf(ni->ni_macaddr)); 273 274 /* send message 2 to authenticator using TPTK */ 275 (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk); 276 } 277 278 #ifndef IEEE80211_STA_ONLY 279 /* 280 * Process Message 2 of the 4-Way Handshake (sent by Supplicant). 281 */ 282 void 283 ieee80211_recv_4way_msg2(struct ieee80211com *ic, 284 struct ieee80211_eapol_key *key, struct ieee80211_node *ni, 285 const u_int8_t *rsnie) 286 { 287 struct ieee80211_ptk tptk; 288 289 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 290 ic->ic_opmode != IEEE80211_M_IBSS) 291 return; 292 293 /* discard if we're not expecting this message */ 294 if (ni->ni_rsn_state != RSNA_PTKSTART && 295 ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) { 296 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 297 return; 298 } 299 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING; 300 301 /* NB: replay counter has already been verified by caller */ 302 303 /* PTK = CalcPTK(ANonce, SNonce) */ 304 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr, 305 ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk); 306 307 /* check Key MIC field using KCK */ 308 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 309 DPRINTF(("key MIC failed\n")); 310 ic->ic_stats.is_rx_eapol_badmic++; 311 return; /* will timeout.. */ 312 } 313 314 timeout_del(&ni->ni_eapol_to); 315 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2; 316 ni->ni_rsn_retries = 0; 317 318 /* install TPTK as PTK now that MIC is verified */ 319 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 320 321 /* 322 * The RSN IE must match bit-wise with what the STA included in its 323 * (Re)Association Request. 324 */ 325 if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] || 326 memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) { 327 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 328 IEEE80211_REASON_RSN_DIFFERENT_IE); 329 ieee80211_node_leave(ic, ni); 330 return; 331 } 332 333 if (ic->ic_if.if_flags & IFF_DEBUG) 334 printf("%s: received msg %d/%d of the %s handshake from %s\n", 335 ic->ic_if.if_xname, 2, 4, "4-way", 336 ether_sprintf(ni->ni_macaddr)); 337 338 /* send message 3 to supplicant */ 339 (void)ieee80211_send_4way_msg3(ic, ni); 340 } 341 #endif /* IEEE80211_STA_ONLY */ 342 343 /* 344 * Check if a group key must be updated with a new GTK from an EAPOL frame. 345 * Manipulated group key handshake messages could trick clients into 346 * reinstalling an already used group key and hence lower or reset the 347 * associated replay counter. This check prevents such attacks. 348 */ 349 int 350 ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk, 351 int len) 352 { 353 return (k->k_cipher == IEEE80211_CIPHER_NONE || k->k_len != len || 354 memcmp(k->k_key, gtk, len) != 0); 355 } 356 357 /* 358 * Process Message 3 of the 4-Way Handshake (sent by Authenticator). 359 */ 360 void 361 ieee80211_recv_4way_msg3(struct ieee80211com *ic, 362 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 363 { 364 struct ieee80211_ptk tptk; 365 struct ieee80211_key *k; 366 const u_int8_t *frm, *efrm; 367 const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk; 368 u_int16_t info, reason = 0; 369 int keylen; 370 371 #ifndef IEEE80211_STA_ONLY 372 if (ic->ic_opmode != IEEE80211_M_STA && 373 ic->ic_opmode != IEEE80211_M_IBSS) 374 return; 375 #endif 376 /* discard if we're not expecting this message */ 377 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKNEGOTIATING && 378 ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) { 379 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 380 return; 381 } 382 /* enforce monotonicity of key request replay counter */ 383 if (ni->ni_replaycnt_ok && 384 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 385 ic->ic_stats.is_rx_eapol_replay++; 386 return; 387 } 388 /* make sure that a PMK has been selected */ 389 if (!(ni->ni_flags & IEEE80211_NODE_PMK)) { 390 DPRINTF(("no PMK found for %s\n", 391 ether_sprintf(ni->ni_macaddr))); 392 return; 393 } 394 /* check that ANonce matches that of Message 1 */ 395 if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) { 396 DPRINTF(("ANonce does not match msg 1/4\n")); 397 return; 398 } 399 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 400 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 401 ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk); 402 403 info = BE_READ_2(key->info); 404 405 /* check Key MIC field using KCK */ 406 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 407 DPRINTF(("key MIC failed\n")); 408 ic->ic_stats.is_rx_eapol_badmic++; 409 return; 410 } 411 /* install TPTK as PTK now that MIC is verified */ 412 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 413 414 /* if encrypted, decrypt Key Data field using KEK */ 415 if ((info & EAPOL_KEY_ENCRYPTED) && 416 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 417 DPRINTF(("decryption failed\n")); 418 return; 419 } 420 421 /* parse key data field */ 422 frm = (const u_int8_t *)&key[1]; 423 efrm = frm + BE_READ_2(key->paylen); 424 425 /* 426 * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and 427 * RSN IEs in message 3/4. We only take into account the IE of the 428 * version of the protocol we negotiated at association time. 429 */ 430 rsnie1 = rsnie2 = gtk = igtk = NULL; 431 while (frm + 2 <= efrm) { 432 if (frm + 2 + frm[1] > efrm) 433 break; 434 switch (frm[0]) { 435 case IEEE80211_ELEMID_RSN: 436 if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN) 437 break; 438 if (rsnie1 == NULL) 439 rsnie1 = frm; 440 else if (rsnie2 == NULL) 441 rsnie2 = frm; 442 /* ignore others if more than two RSN IEs */ 443 break; 444 case IEEE80211_ELEMID_VENDOR: 445 if (frm[1] < 4) 446 break; 447 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 448 switch (frm[5]) { 449 case IEEE80211_KDE_GTK: 450 gtk = frm; 451 break; 452 case IEEE80211_KDE_IGTK: 453 if (ni->ni_flags & IEEE80211_NODE_MFP) 454 igtk = frm; 455 break; 456 } 457 } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 458 switch (frm[5]) { 459 case 1: /* WPA */ 460 if (ni->ni_rsnprotos != 461 IEEE80211_PROTO_WPA) 462 break; 463 rsnie1 = frm; 464 break; 465 } 466 } 467 break; 468 } 469 frm += 2 + frm[1]; 470 } 471 /* first WPA/RSN IE is mandatory */ 472 if (rsnie1 == NULL) { 473 DPRINTF(("missing RSN IE\n")); 474 return; 475 } 476 /* key data must be encrypted if GTK is included */ 477 if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) { 478 DPRINTF(("GTK not encrypted\n")); 479 return; 480 } 481 /* GTK KDE must be included if IGTK KDE is present */ 482 if (igtk != NULL && gtk == NULL) { 483 DPRINTF(("IGTK KDE found but GTK KDE missing\n")); 484 return; 485 } 486 /* check that the Install bit is set if using pairwise keys */ 487 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 488 !(info & EAPOL_KEY_INSTALL)) { 489 DPRINTF(("pairwise cipher but !Install\n")); 490 return; 491 } 492 493 /* 494 * Check that first WPA/RSN IE is identical to the one received in 495 * the beacon or probe response frame. 496 */ 497 if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] || 498 memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) { 499 reason = IEEE80211_REASON_RSN_DIFFERENT_IE; 500 goto deauth; 501 } 502 503 /* 504 * If a second RSN information element is present, use its pairwise 505 * cipher suite or deauthenticate. 506 */ 507 if (rsnie2 != NULL) { 508 struct ieee80211_rsnparams rsn; 509 510 if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) { 511 if (rsn.rsn_akms != ni->ni_rsnakms || 512 rsn.rsn_groupcipher != ni->ni_rsngroupcipher || 513 rsn.rsn_nciphers != 1 || 514 !(rsn.rsn_ciphers & ic->ic_rsnciphers)) { 515 reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER; 516 goto deauth; 517 } 518 /* use pairwise cipher suite of second RSN IE */ 519 ni->ni_rsnciphers = rsn.rsn_ciphers; 520 ni->ni_rsncipher = ni->ni_rsnciphers; 521 } 522 } 523 524 /* update the last seen value of the key replay counter field */ 525 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 526 ni->ni_replaycnt_ok = 1; 527 528 if (ic->ic_if.if_flags & IFF_DEBUG) 529 printf("%s: received msg %d/%d of the %s handshake from %s\n", 530 ic->ic_if.if_xname, 3, 4, "4-way", 531 ether_sprintf(ni->ni_macaddr)); 532 533 /* send message 4 to authenticator */ 534 if (ieee80211_send_4way_msg4(ic, ni) != 0) 535 return; /* ..authenticator will retry */ 536 537 /* 538 * Only install a new pairwise key if we are still expecting a new key, 539 * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be 540 * sending manipulated retransmissions of message 3 of the 4-way 541 * handshake in an attempt to trick us into reinstalling an already 542 * used pairwise key. If this attack succeeded, the incremental nonce 543 * and replay counter associated with the key would be reset. 544 * Against CCMP, the adversary could abuse this to replay and decrypt 545 * packets. Against TKIP, it would become possible to replay, decrypt, 546 * and forge packets. 547 */ 548 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 549 (ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) { 550 u_int64_t prsc; 551 552 /* check that key length matches that of pairwise cipher */ 553 keylen = ieee80211_cipher_keylen(ni->ni_rsncipher); 554 if (BE_READ_2(key->keylen) != keylen) { 555 reason = IEEE80211_REASON_AUTH_LEAVE; 556 goto deauth; 557 } 558 prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0; 559 560 /* map PTK to 802.11 key */ 561 k = &ni->ni_pairwise_key; 562 memset(k, 0, sizeof(*k)); 563 k->k_cipher = ni->ni_rsncipher; 564 k->k_rsc[0] = prsc; 565 k->k_len = keylen; 566 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 567 /* install the PTK */ 568 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 569 reason = IEEE80211_REASON_AUTH_LEAVE; 570 goto deauth; 571 } 572 ni->ni_flags &= ~IEEE80211_NODE_RSN_NEW_PTK; 573 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 574 ni->ni_flags |= IEEE80211_NODE_RXPROT; 575 } else if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) 576 printf("%s: unexpected pairwise key update received from %s\n", 577 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 578 579 if (gtk != NULL) { 580 u_int8_t kid; 581 582 /* check that key length matches that of group cipher */ 583 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 584 if (gtk[1] != 6 + keylen) { 585 reason = IEEE80211_REASON_AUTH_LEAVE; 586 goto deauth; 587 } 588 /* map GTK to 802.11 key */ 589 kid = gtk[6] & 3; 590 k = &ic->ic_nw_keys[kid]; 591 if (ieee80211_must_update_group_key(k, >k[8], keylen)) { 592 memset(k, 0, sizeof(*k)); 593 k->k_id = kid; /* 0-3 */ 594 k->k_cipher = ni->ni_rsngroupcipher; 595 k->k_flags = IEEE80211_KEY_GROUP; 596 if (gtk[6] & (1 << 2)) 597 k->k_flags |= IEEE80211_KEY_TX; 598 k->k_rsc[0] = LE_READ_6(key->rsc); 599 k->k_len = keylen; 600 memcpy(k->k_key, >k[8], k->k_len); 601 /* install the GTK */ 602 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 603 reason = IEEE80211_REASON_AUTH_LEAVE; 604 goto deauth; 605 } 606 } else 607 printf("%s: reused group key update received from %s\n", 608 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 609 } 610 if (igtk != NULL) { /* implies MFP && gtk != NULL */ 611 u_int16_t kid; 612 613 /* check that the IGTK KDE is valid */ 614 if (igtk[1] != 4 + 24) { 615 reason = IEEE80211_REASON_AUTH_LEAVE; 616 goto deauth; 617 } 618 kid = LE_READ_2(&igtk[6]); 619 if (kid != 4 && kid != 5) { 620 DPRINTF(("unsupported IGTK id %u\n", kid)); 621 reason = IEEE80211_REASON_AUTH_LEAVE; 622 goto deauth; 623 } 624 /* map IGTK to 802.11 key */ 625 k = &ic->ic_nw_keys[kid]; 626 if (ieee80211_must_update_group_key(k, &igtk[14], 16)) { 627 memset(k, 0, sizeof(*k)); 628 k->k_id = kid; /* either 4 or 5 */ 629 k->k_cipher = ni->ni_rsngroupmgmtcipher; 630 k->k_flags = IEEE80211_KEY_IGTK; 631 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 632 k->k_len = 16; 633 memcpy(k->k_key, &igtk[14], k->k_len); 634 /* install the IGTK */ 635 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 636 reason = IEEE80211_REASON_AUTH_LEAVE; 637 goto deauth; 638 } 639 } else 640 printf("%s: reused group key update received from %s\n", 641 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 642 } 643 if (info & EAPOL_KEY_INSTALL) 644 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 645 646 if (info & EAPOL_KEY_SECURE) { 647 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 648 #ifndef IEEE80211_STA_ONLY 649 if (ic->ic_opmode != IEEE80211_M_IBSS || 650 ++ni->ni_key_count == 2) 651 #endif 652 { 653 DPRINTF(("marking port %s valid\n", 654 ether_sprintf(ni->ni_macaddr))); 655 ni->ni_port_valid = 1; 656 ieee80211_set_link_state(ic, LINK_STATE_UP); 657 } 658 } 659 deauth: 660 if (reason != 0) { 661 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 662 reason); 663 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 664 } 665 } 666 667 #ifndef IEEE80211_STA_ONLY 668 /* 669 * Process Message 4 of the 4-Way Handshake (sent by Supplicant). 670 */ 671 void 672 ieee80211_recv_4way_msg4(struct ieee80211com *ic, 673 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 674 { 675 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 676 ic->ic_opmode != IEEE80211_M_IBSS) 677 return; 678 679 /* discard if we're not expecting this message */ 680 if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) { 681 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 682 return; 683 } 684 685 /* NB: replay counter has already been verified by caller */ 686 687 /* check Key MIC field using KCK */ 688 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 689 DPRINTF(("key MIC failed\n")); 690 ic->ic_stats.is_rx_eapol_badmic++; 691 return; /* will timeout.. */ 692 } 693 694 timeout_del(&ni->ni_eapol_to); 695 ni->ni_rsn_state = RSNA_PTKINITDONE; 696 ni->ni_rsn_retries = 0; 697 698 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 699 struct ieee80211_key *k; 700 701 /* map PTK to 802.11 key */ 702 k = &ni->ni_pairwise_key; 703 memset(k, 0, sizeof(*k)); 704 k->k_cipher = ni->ni_rsncipher; 705 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 706 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 707 /* install the PTK */ 708 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 709 IEEE80211_SEND_MGMT(ic, ni, 710 IEEE80211_FC0_SUBTYPE_DEAUTH, 711 IEEE80211_REASON_ASSOC_TOOMANY); 712 ieee80211_node_leave(ic, ni); 713 return; 714 } 715 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 716 } 717 if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) { 718 DPRINTF(("marking port %s valid\n", 719 ether_sprintf(ni->ni_macaddr))); 720 ni->ni_port_valid = 1; 721 } 722 723 if (ic->ic_if.if_flags & IFF_DEBUG) 724 printf("%s: received msg %d/%d of the %s handshake from %s\n", 725 ic->ic_if.if_xname, 4, 4, "4-way", 726 ether_sprintf(ni->ni_macaddr)); 727 728 /* initiate a group key handshake for WPA */ 729 if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA) 730 (void)ieee80211_send_group_msg1(ic, ni); 731 else 732 ni->ni_rsn_gstate = RSNA_IDLE; 733 } 734 735 /* 736 * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on 737 * the presence of an RSN or WPA Information Element. 738 */ 739 void 740 ieee80211_recv_4way_msg2or4(struct ieee80211com *ic, 741 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 742 { 743 const u_int8_t *frm, *efrm; 744 const u_int8_t *rsnie; 745 746 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 747 ic->ic_stats.is_rx_eapol_replay++; 748 return; 749 } 750 751 /* parse key data field (check if an RSN IE is present) */ 752 frm = (const u_int8_t *)&key[1]; 753 efrm = frm + BE_READ_2(key->paylen); 754 755 rsnie = NULL; 756 while (frm + 2 <= efrm) { 757 if (frm + 2 + frm[1] > efrm) 758 break; 759 switch (frm[0]) { 760 case IEEE80211_ELEMID_RSN: 761 rsnie = frm; 762 break; 763 case IEEE80211_ELEMID_VENDOR: 764 if (frm[1] < 4) 765 break; 766 if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 767 switch (frm[5]) { 768 case 1: /* WPA */ 769 rsnie = frm; 770 break; 771 } 772 } 773 } 774 frm += 2 + frm[1]; 775 } 776 if (rsnie != NULL) 777 ieee80211_recv_4way_msg2(ic, key, ni, rsnie); 778 else 779 ieee80211_recv_4way_msg4(ic, key, ni); 780 } 781 #endif /* IEEE80211_STA_ONLY */ 782 783 /* 784 * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator). 785 */ 786 void 787 ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic, 788 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 789 { 790 struct ieee80211_key *k; 791 const u_int8_t *frm, *efrm; 792 const u_int8_t *gtk, *igtk; 793 u_int16_t info, kid, reason = 0; 794 int keylen; 795 796 #ifndef IEEE80211_STA_ONLY 797 if (ic->ic_opmode != IEEE80211_M_STA && 798 ic->ic_opmode != IEEE80211_M_IBSS) 799 return; 800 #endif 801 /* discard if we're not expecting this message */ 802 if (ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) { 803 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 804 return; 805 } 806 /* enforce monotonicity of key request replay counter */ 807 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 808 ic->ic_stats.is_rx_eapol_replay++; 809 return; 810 } 811 /* check Key MIC field using KCK */ 812 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 813 DPRINTF(("key MIC failed\n")); 814 ic->ic_stats.is_rx_eapol_badmic++; 815 return; 816 } 817 info = BE_READ_2(key->info); 818 819 /* check that encrypted and decrypt Key Data field using KEK */ 820 if (!(info & EAPOL_KEY_ENCRYPTED) || 821 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 822 DPRINTF(("decryption failed\n")); 823 return; 824 } 825 826 /* parse key data field (shall contain a GTK KDE) */ 827 frm = (const u_int8_t *)&key[1]; 828 efrm = frm + BE_READ_2(key->paylen); 829 830 gtk = igtk = NULL; 831 while (frm + 2 <= efrm) { 832 if (frm + 2 + frm[1] > efrm) 833 break; 834 switch (frm[0]) { 835 case IEEE80211_ELEMID_VENDOR: 836 if (frm[1] < 4) 837 break; 838 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 839 switch (frm[5]) { 840 case IEEE80211_KDE_GTK: 841 gtk = frm; 842 break; 843 case IEEE80211_KDE_IGTK: 844 if (ni->ni_flags & IEEE80211_NODE_MFP) 845 igtk = frm; 846 break; 847 } 848 } 849 break; 850 } 851 frm += 2 + frm[1]; 852 } 853 /* check that the GTK KDE is present */ 854 if (gtk == NULL) { 855 DPRINTF(("GTK KDE missing\n")); 856 return; 857 } 858 859 /* check that key length matches that of group cipher */ 860 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 861 if (gtk[1] != 6 + keylen) 862 return; 863 864 /* map GTK to 802.11 key */ 865 kid = gtk[6] & 3; 866 k = &ic->ic_nw_keys[kid]; 867 if (ieee80211_must_update_group_key(k, >k[8], keylen)) { 868 memset(k, 0, sizeof(*k)); 869 k->k_id = kid; /* 0-3 */ 870 k->k_cipher = ni->ni_rsngroupcipher; 871 k->k_flags = IEEE80211_KEY_GROUP; 872 if (gtk[6] & (1 << 2)) 873 k->k_flags |= IEEE80211_KEY_TX; 874 k->k_rsc[0] = LE_READ_6(key->rsc); 875 k->k_len = keylen; 876 memcpy(k->k_key, >k[8], k->k_len); 877 /* install the GTK */ 878 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 879 reason = IEEE80211_REASON_AUTH_LEAVE; 880 goto deauth; 881 } 882 } else 883 printf("%s: reused group key update received from %s\n", 884 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 885 if (igtk != NULL) { /* implies MFP */ 886 /* check that the IGTK KDE is valid */ 887 if (igtk[1] != 4 + 24) { 888 reason = IEEE80211_REASON_AUTH_LEAVE; 889 goto deauth; 890 } 891 kid = LE_READ_2(&igtk[6]); 892 if (kid != 4 && kid != 5) { 893 DPRINTF(("unsupported IGTK id %u\n", kid)); 894 reason = IEEE80211_REASON_AUTH_LEAVE; 895 goto deauth; 896 } 897 /* map IGTK to 802.11 key */ 898 k = &ic->ic_nw_keys[kid]; 899 if (ieee80211_must_update_group_key(k, &igtk[14], 16)) { 900 memset(k, 0, sizeof(*k)); 901 k->k_id = kid; /* either 4 or 5 */ 902 k->k_cipher = ni->ni_rsngroupmgmtcipher; 903 k->k_flags = IEEE80211_KEY_IGTK; 904 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 905 k->k_len = 16; 906 memcpy(k->k_key, &igtk[14], k->k_len); 907 /* install the IGTK */ 908 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 909 reason = IEEE80211_REASON_AUTH_LEAVE; 910 goto deauth; 911 } 912 } else 913 printf("%s: reused group key update received from %s\n", 914 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 915 } 916 if (info & EAPOL_KEY_SECURE) { 917 #ifndef IEEE80211_STA_ONLY 918 if (ic->ic_opmode != IEEE80211_M_IBSS || 919 ++ni->ni_key_count == 2) 920 #endif 921 { 922 DPRINTF(("marking port %s valid\n", 923 ether_sprintf(ni->ni_macaddr))); 924 ni->ni_port_valid = 1; 925 ieee80211_set_link_state(ic, LINK_STATE_UP); 926 } 927 } 928 /* update the last seen value of the key replay counter field */ 929 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 930 931 if (ic->ic_if.if_flags & IFF_DEBUG) 932 printf("%s: received msg %d/%d of the %s handshake from %s\n", 933 ic->ic_if.if_xname, 1, 2, "group key", 934 ether_sprintf(ni->ni_macaddr)); 935 936 /* send message 2 to authenticator */ 937 (void)ieee80211_send_group_msg2(ic, ni, NULL); 938 return; 939 deauth: 940 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 941 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 942 } 943 944 /* 945 * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator). 946 */ 947 void 948 ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic, 949 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 950 { 951 struct ieee80211_key *k; 952 u_int16_t info; 953 u_int8_t kid; 954 int keylen; 955 const uint8_t *gtk; 956 957 #ifndef IEEE80211_STA_ONLY 958 if (ic->ic_opmode != IEEE80211_M_STA && 959 ic->ic_opmode != IEEE80211_M_IBSS) 960 return; 961 #endif 962 /* discard if we're not expecting this message */ 963 if (ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) { 964 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 965 return; 966 } 967 /* enforce monotonicity of key request replay counter */ 968 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 969 ic->ic_stats.is_rx_eapol_replay++; 970 return; 971 } 972 /* check Key MIC field using KCK */ 973 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 974 DPRINTF(("key MIC failed\n")); 975 ic->ic_stats.is_rx_eapol_badmic++; 976 return; 977 } 978 /* 979 * EAPOL-Key data field is encrypted even though WPA doesn't set 980 * the ENCRYPTED bit in the info field. 981 */ 982 if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 983 DPRINTF(("decryption failed\n")); 984 return; 985 } 986 987 /* check that key length matches that of group cipher */ 988 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 989 if (BE_READ_2(key->keylen) != keylen) 990 return; 991 992 /* check that the data length is large enough to hold the key */ 993 if (BE_READ_2(key->paylen) < keylen) 994 return; 995 996 info = BE_READ_2(key->info); 997 998 /* map GTK to 802.11 key */ 999 kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3; 1000 k = &ic->ic_nw_keys[kid]; 1001 gtk = (const uint8_t *)&key[1]; /* key data field contains the GTK */ 1002 if (ieee80211_must_update_group_key(k, gtk, keylen)) { 1003 memset(k, 0, sizeof(*k)); 1004 k->k_id = kid; /* 0-3 */ 1005 k->k_cipher = ni->ni_rsngroupcipher; 1006 k->k_flags = IEEE80211_KEY_GROUP; 1007 if (info & EAPOL_KEY_WPA_TX) 1008 k->k_flags |= IEEE80211_KEY_TX; 1009 k->k_rsc[0] = LE_READ_6(key->rsc); 1010 k->k_len = keylen; 1011 memcpy(k->k_key, gtk, k->k_len); 1012 /* install the GTK */ 1013 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 1014 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 1015 IEEE80211_REASON_AUTH_LEAVE); 1016 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 1017 return; 1018 } 1019 } else 1020 printf("%s: reused group key update received from %s\n", 1021 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 1022 if (info & EAPOL_KEY_SECURE) { 1023 #ifndef IEEE80211_STA_ONLY 1024 if (ic->ic_opmode != IEEE80211_M_IBSS || 1025 ++ni->ni_key_count == 2) 1026 #endif 1027 { 1028 DPRINTF(("marking port %s valid\n", 1029 ether_sprintf(ni->ni_macaddr))); 1030 ni->ni_port_valid = 1; 1031 ieee80211_set_link_state(ic, LINK_STATE_UP); 1032 } 1033 } 1034 /* update the last seen value of the key replay counter field */ 1035 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 1036 1037 if (ic->ic_if.if_flags & IFF_DEBUG) 1038 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1039 ic->ic_if.if_xname, 1, 2, "group key", 1040 ether_sprintf(ni->ni_macaddr)); 1041 1042 /* send message 2 to authenticator */ 1043 (void)ieee80211_send_group_msg2(ic, ni, k); 1044 } 1045 1046 #ifndef IEEE80211_STA_ONLY 1047 /* 1048 * Process Message 2 of the Group Key Handshake (sent by Supplicant). 1049 */ 1050 void 1051 ieee80211_recv_group_msg2(struct ieee80211com *ic, 1052 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1053 { 1054 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1055 ic->ic_opmode != IEEE80211_M_IBSS) 1056 return; 1057 1058 /* discard if we're not expecting this message */ 1059 if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) { 1060 DPRINTF(("%s: unexpected in state: %d\n", ic->ic_if.if_xname, 1061 ni->ni_rsn_gstate)); 1062 return; 1063 } 1064 /* enforce monotonicity of key request replay counter */ 1065 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 1066 ic->ic_stats.is_rx_eapol_replay++; 1067 return; 1068 } 1069 /* check Key MIC field using KCK */ 1070 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1071 DPRINTF(("key MIC failed\n")); 1072 ic->ic_stats.is_rx_eapol_badmic++; 1073 return; 1074 } 1075 1076 timeout_del(&ni->ni_eapol_to); 1077 ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED; 1078 1079 if (ni->ni_flags & IEEE80211_NODE_REKEY) { 1080 int rekeysta = 0; 1081 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 1082 ieee80211_iterate_nodes(ic, 1083 ieee80211_count_rekeysta, &rekeysta); 1084 if (rekeysta == 0) 1085 ieee80211_setkeysdone(ic); 1086 } 1087 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 1088 1089 ni->ni_rsn_gstate = RSNA_IDLE; 1090 ni->ni_rsn_retries = 0; 1091 1092 if (ic->ic_if.if_flags & IFF_DEBUG) 1093 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1094 ic->ic_if.if_xname, 2, 2, "group key", 1095 ether_sprintf(ni->ni_macaddr)); 1096 } 1097 1098 /* 1099 * EAPOL-Key Request frames are sent by the supplicant to request that the 1100 * authenticator initiates either a 4-Way Handshake or Group Key Handshake, 1101 * or to report a MIC failure in a TKIP MSDU. 1102 */ 1103 void 1104 ieee80211_recv_eapol_key_req(struct ieee80211com *ic, 1105 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1106 { 1107 u_int16_t info; 1108 1109 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1110 ic->ic_opmode != IEEE80211_M_IBSS) 1111 return; 1112 1113 /* discard if we're not expecting this message */ 1114 if (ni->ni_rsn_state != RSNA_PTKINITDONE) { 1115 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 1116 return; 1117 } 1118 /* enforce monotonicity of key request replay counter */ 1119 if (ni->ni_reqreplaycnt_ok && 1120 BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) { 1121 ic->ic_stats.is_rx_eapol_replay++; 1122 return; 1123 } 1124 info = BE_READ_2(key->info); 1125 1126 if (!(info & EAPOL_KEY_KEYMIC) || 1127 ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1128 DPRINTF(("key request MIC failed\n")); 1129 ic->ic_stats.is_rx_eapol_badmic++; 1130 return; 1131 } 1132 /* update key request replay counter now that MIC is verified */ 1133 ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt); 1134 ni->ni_reqreplaycnt_ok = 1; 1135 1136 if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */ 1137 /* ignore reports from STAs not using TKIP */ 1138 if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 1139 ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) { 1140 DPRINTF(("MIC failure report from !TKIP STA: %s\n", 1141 ether_sprintf(ni->ni_macaddr))); 1142 return; 1143 } 1144 ic->ic_stats.is_rx_remmicfail++; 1145 ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc)); 1146 1147 } else if (info & EAPOL_KEY_PAIRWISE) { 1148 /* initiate a 4-Way Handshake */ 1149 1150 } else { 1151 /* 1152 * Should change the GTK, initiate the 4-Way Handshake and 1153 * then execute a Group Key Handshake with all supplicants. 1154 */ 1155 } 1156 } 1157 #endif /* IEEE80211_STA_ONLY */ 1158