1 /* $OpenBSD: ieee80211_pae_input.c,v 1.18 2011/05/04 16:05:49 blambert Exp $ */ 2 3 /*- 4 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the 4-Way Handshake and Group Key Handshake protocols 21 * (both Supplicant and Authenticator Key Receive state machines) defined in 22 * IEEE Std 802.11-2007 section 8.5. 23 */ 24 25 #include <sys/param.h> 26 #include <sys/systm.h> 27 #include <sys/mbuf.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/sockio.h> 31 #include <sys/errno.h> 32 #include <sys/proc.h> 33 34 #include <net/if.h> 35 #include <net/if_dl.h> 36 #include <net/if_media.h> 37 #include <net/if_arp.h> 38 39 #ifdef INET 40 #include <netinet/in.h> 41 #include <netinet/if_ether.h> 42 #include <netinet/in_systm.h> 43 #endif 44 45 #include <net80211/ieee80211_var.h> 46 #include <net80211/ieee80211_priv.h> 47 48 #include <dev/rndvar.h> 49 50 void ieee80211_recv_4way_msg1(struct ieee80211com *, 51 struct ieee80211_eapol_key *, struct ieee80211_node *); 52 #ifndef IEEE80211_STA_ONLY 53 void ieee80211_recv_4way_msg2(struct ieee80211com *, 54 struct ieee80211_eapol_key *, struct ieee80211_node *, 55 const u_int8_t *); 56 #endif 57 void ieee80211_recv_4way_msg3(struct ieee80211com *, 58 struct ieee80211_eapol_key *, struct ieee80211_node *); 59 #ifndef IEEE80211_STA_ONLY 60 void ieee80211_recv_4way_msg4(struct ieee80211com *, 61 struct ieee80211_eapol_key *, struct ieee80211_node *); 62 void ieee80211_recv_4way_msg2or4(struct ieee80211com *, 63 struct ieee80211_eapol_key *, struct ieee80211_node *); 64 #endif 65 void ieee80211_recv_rsn_group_msg1(struct ieee80211com *, 66 struct ieee80211_eapol_key *, struct ieee80211_node *); 67 void ieee80211_recv_wpa_group_msg1(struct ieee80211com *, 68 struct ieee80211_eapol_key *, struct ieee80211_node *); 69 #ifndef IEEE80211_STA_ONLY 70 void ieee80211_recv_group_msg2(struct ieee80211com *, 71 struct ieee80211_eapol_key *, struct ieee80211_node *); 72 void ieee80211_recv_eapol_key_req(struct ieee80211com *, 73 struct ieee80211_eapol_key *, struct ieee80211_node *); 74 #endif 75 76 /* 77 * Process an incoming EAPOL frame. Notice that we are only interested in 78 * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type. 79 */ 80 void 81 ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m, 82 struct ieee80211_node *ni) 83 { 84 struct ifnet *ifp = &ic->ic_if; 85 struct ether_header *eh; 86 struct ieee80211_eapol_key *key; 87 u_int16_t info, desc; 88 int totlen; 89 90 ifp->if_ibytes += m->m_pkthdr.len; 91 92 eh = mtod(m, struct ether_header *); 93 if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) { 94 ifp->if_imcasts++; 95 goto done; 96 } 97 m_adj(m, sizeof(*eh)); 98 99 if (m->m_pkthdr.len < sizeof(*key)) 100 goto done; 101 if (m->m_len < sizeof(*key) && 102 (m = m_pullup(m, sizeof(*key))) == NULL) { 103 ic->ic_stats.is_rx_nombuf++; 104 goto done; 105 } 106 key = mtod(m, struct ieee80211_eapol_key *); 107 108 if (key->type != EAPOL_KEY) 109 goto done; 110 ic->ic_stats.is_rx_eapol_key++; 111 112 if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 113 key->desc != EAPOL_KEY_DESC_IEEE80211) || 114 (ni->ni_rsnprotos == IEEE80211_PROTO_WPA && 115 key->desc != EAPOL_KEY_DESC_WPA)) 116 goto done; 117 118 /* check packet body length */ 119 if (m->m_pkthdr.len < 4 + BE_READ_2(key->len)) 120 goto done; 121 122 /* check key data length */ 123 totlen = sizeof(*key) + BE_READ_2(key->paylen); 124 if (m->m_pkthdr.len < totlen || totlen > MCLBYTES) 125 goto done; 126 127 info = BE_READ_2(key->info); 128 129 /* discard EAPOL-Key frames with an unknown descriptor version */ 130 desc = info & EAPOL_KEY_VERSION_MASK; 131 if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3) 132 goto done; 133 134 if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) { 135 if (desc != EAPOL_KEY_DESC_V3) 136 goto done; 137 } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP || 138 ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) { 139 if (desc != EAPOL_KEY_DESC_V2) 140 goto done; 141 } 142 143 /* make sure the key data field is contiguous */ 144 if (m->m_len < totlen && (m = m_pullup(m, totlen)) == NULL) { 145 ic->ic_stats.is_rx_nombuf++; 146 goto done; 147 } 148 key = mtod(m, struct ieee80211_eapol_key *); 149 150 /* determine message type (see 8.5.3.7) */ 151 if (info & EAPOL_KEY_REQUEST) { 152 #ifndef IEEE80211_STA_ONLY 153 /* EAPOL-Key Request frame */ 154 ieee80211_recv_eapol_key_req(ic, key, ni); 155 #endif 156 } else if (info & EAPOL_KEY_PAIRWISE) { 157 /* 4-Way Handshake */ 158 if (info & EAPOL_KEY_KEYMIC) { 159 if (info & EAPOL_KEY_KEYACK) 160 ieee80211_recv_4way_msg3(ic, key, ni); 161 #ifndef IEEE80211_STA_ONLY 162 else 163 ieee80211_recv_4way_msg2or4(ic, key, ni); 164 #endif 165 } else if (info & EAPOL_KEY_KEYACK) 166 ieee80211_recv_4way_msg1(ic, key, ni); 167 } else { 168 /* Group Key Handshake */ 169 if (!(info & EAPOL_KEY_KEYMIC)) 170 goto done; 171 if (info & EAPOL_KEY_KEYACK) { 172 if (key->desc == EAPOL_KEY_DESC_WPA) 173 ieee80211_recv_wpa_group_msg1(ic, key, ni); 174 else 175 ieee80211_recv_rsn_group_msg1(ic, key, ni); 176 } 177 #ifndef IEEE80211_STA_ONLY 178 else 179 ieee80211_recv_group_msg2(ic, key, ni); 180 #endif 181 } 182 done: 183 if (m != NULL) 184 m_freem(m); 185 } 186 187 /* 188 * Process Message 1 of the 4-Way Handshake (sent by Authenticator). 189 */ 190 void 191 ieee80211_recv_4way_msg1(struct ieee80211com *ic, 192 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 193 { 194 struct ieee80211_ptk tptk; 195 struct ieee80211_pmk *pmk; 196 const u_int8_t *frm, *efrm; 197 const u_int8_t *pmkid; 198 199 #ifndef IEEE80211_STA_ONLY 200 if (ic->ic_opmode != IEEE80211_M_STA && 201 ic->ic_opmode != IEEE80211_M_IBSS) 202 return; 203 #endif 204 if (ni->ni_replaycnt_ok && 205 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 206 ic->ic_stats.is_rx_eapol_replay++; 207 return; 208 } 209 210 /* parse key data field (may contain an encapsulated PMKID) */ 211 frm = (const u_int8_t *)&key[1]; 212 efrm = frm + BE_READ_2(key->paylen); 213 214 pmkid = NULL; 215 while (frm + 2 <= efrm) { 216 if (frm + 2 + frm[1] > efrm) 217 break; 218 switch (frm[0]) { 219 case IEEE80211_ELEMID_VENDOR: 220 if (frm[1] < 4) 221 break; 222 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 223 switch (frm[5]) { 224 case IEEE80211_KDE_PMKID: 225 pmkid = frm; 226 break; 227 } 228 } 229 break; 230 } 231 frm += 2 + frm[1]; 232 } 233 /* check that the PMKID KDE is valid (if present) */ 234 if (pmkid != NULL && pmkid[1] != 4 + 16) 235 return; 236 237 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 238 /* retrieve the PMK for this (AP,PMKID) */ 239 pmk = ieee80211_pmksa_find(ic, ni, 240 (pmkid != NULL) ? &pmkid[6] : NULL); 241 if (pmk == NULL) { 242 DPRINTF(("no PMK available for %s\n", 243 ether_sprintf(ni->ni_macaddr))); 244 return; 245 } 246 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 247 } else /* use pre-shared key */ 248 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 249 ni->ni_flags |= IEEE80211_NODE_PMK; 250 251 /* save authenticator's nonce (ANonce) */ 252 memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN); 253 254 /* generate supplicant's nonce (SNonce) */ 255 arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN); 256 257 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 258 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 259 ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk); 260 261 if (ic->ic_if.if_flags & IFF_DEBUG) 262 printf("%s: received msg %d/%d of the %s handshake from %s\n", 263 ic->ic_if.if_xname, 1, 4, "4-way", 264 ether_sprintf(ni->ni_macaddr)); 265 266 /* send message 2 to authenticator using TPTK */ 267 (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk); 268 } 269 270 #ifndef IEEE80211_STA_ONLY 271 /* 272 * Process Message 2 of the 4-Way Handshake (sent by Supplicant). 273 */ 274 void 275 ieee80211_recv_4way_msg2(struct ieee80211com *ic, 276 struct ieee80211_eapol_key *key, struct ieee80211_node *ni, 277 const u_int8_t *rsnie) 278 { 279 struct ieee80211_ptk tptk; 280 281 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 282 ic->ic_opmode != IEEE80211_M_IBSS) 283 return; 284 285 /* discard if we're not expecting this message */ 286 if (ni->ni_rsn_state != RSNA_PTKSTART && 287 ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) { 288 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 289 return; 290 } 291 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING; 292 293 /* NB: replay counter has already been verified by caller */ 294 295 /* PTK = CalcPTK(ANonce, SNonce) */ 296 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr, 297 ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk); 298 299 /* check Key MIC field using KCK */ 300 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 301 DPRINTF(("key MIC failed\n")); 302 ic->ic_stats.is_rx_eapol_badmic++; 303 return; /* will timeout.. */ 304 } 305 306 timeout_del(&ni->ni_eapol_to); 307 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2; 308 ni->ni_rsn_retries = 0; 309 310 /* install TPTK as PTK now that MIC is verified */ 311 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 312 313 /* 314 * The RSN IE must match bit-wise with what the STA included in its 315 * (Re)Association Request. 316 */ 317 if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] || 318 memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) { 319 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 320 IEEE80211_REASON_RSN_DIFFERENT_IE); 321 ieee80211_node_leave(ic, ni); 322 return; 323 } 324 325 if (ic->ic_if.if_flags & IFF_DEBUG) 326 printf("%s: received msg %d/%d of the %s handshake from %s\n", 327 ic->ic_if.if_xname, 2, 4, "4-way", 328 ether_sprintf(ni->ni_macaddr)); 329 330 /* send message 3 to supplicant */ 331 (void)ieee80211_send_4way_msg3(ic, ni); 332 } 333 #endif /* IEEE80211_STA_ONLY */ 334 335 /* 336 * Process Message 3 of the 4-Way Handshake (sent by Authenticator). 337 */ 338 void 339 ieee80211_recv_4way_msg3(struct ieee80211com *ic, 340 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 341 { 342 struct ieee80211_ptk tptk; 343 struct ieee80211_key *k; 344 const u_int8_t *frm, *efrm; 345 const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk; 346 u_int16_t info, reason = 0; 347 int keylen; 348 349 #ifndef IEEE80211_STA_ONLY 350 if (ic->ic_opmode != IEEE80211_M_STA && 351 ic->ic_opmode != IEEE80211_M_IBSS) 352 return; 353 #endif 354 if (ni->ni_replaycnt_ok && 355 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 356 ic->ic_stats.is_rx_eapol_replay++; 357 return; 358 } 359 /* make sure that a PMK has been selected */ 360 if (!(ni->ni_flags & IEEE80211_NODE_PMK)) { 361 DPRINTF(("no PMK found for %s\n", 362 ether_sprintf(ni->ni_macaddr))); 363 return; 364 } 365 /* check that ANonce matches that of Message 1 */ 366 if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) { 367 DPRINTF(("ANonce does not match msg 1/4\n")); 368 return; 369 } 370 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 371 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 372 ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk); 373 374 info = BE_READ_2(key->info); 375 376 /* check Key MIC field using KCK */ 377 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 378 DPRINTF(("key MIC failed\n")); 379 ic->ic_stats.is_rx_eapol_badmic++; 380 return; 381 } 382 /* install TPTK as PTK now that MIC is verified */ 383 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 384 385 /* if encrypted, decrypt Key Data field using KEK */ 386 if ((info & EAPOL_KEY_ENCRYPTED) && 387 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 388 DPRINTF(("decryption failed\n")); 389 return; 390 } 391 392 /* parse key data field */ 393 frm = (const u_int8_t *)&key[1]; 394 efrm = frm + BE_READ_2(key->paylen); 395 396 /* 397 * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and 398 * RSN IEs in message 3/4. We only take into account the IE of the 399 * version of the protocol we negotiated at association time. 400 */ 401 rsnie1 = rsnie2 = gtk = igtk = NULL; 402 while (frm + 2 <= efrm) { 403 if (frm + 2 + frm[1] > efrm) 404 break; 405 switch (frm[0]) { 406 case IEEE80211_ELEMID_RSN: 407 if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN) 408 break; 409 if (rsnie1 == NULL) 410 rsnie1 = frm; 411 else if (rsnie2 == NULL) 412 rsnie2 = frm; 413 /* ignore others if more than two RSN IEs */ 414 break; 415 case IEEE80211_ELEMID_VENDOR: 416 if (frm[1] < 4) 417 break; 418 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 419 switch (frm[5]) { 420 case IEEE80211_KDE_GTK: 421 gtk = frm; 422 break; 423 case IEEE80211_KDE_IGTK: 424 if (ni->ni_flags & IEEE80211_NODE_MFP) 425 igtk = frm; 426 break; 427 } 428 } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 429 switch (frm[5]) { 430 case 1: /* WPA */ 431 if (ni->ni_rsnprotos != 432 IEEE80211_PROTO_WPA) 433 break; 434 rsnie1 = frm; 435 break; 436 } 437 } 438 break; 439 } 440 frm += 2 + frm[1]; 441 } 442 /* first WPA/RSN IE is mandatory */ 443 if (rsnie1 == NULL) { 444 DPRINTF(("missing RSN IE\n")); 445 return; 446 } 447 /* key data must be encrypted if GTK is included */ 448 if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) { 449 DPRINTF(("GTK not encrypted\n")); 450 return; 451 } 452 /* GTK KDE must be included if IGTK KDE is present */ 453 if (igtk != NULL && gtk == NULL) { 454 DPRINTF(("IGTK KDE found but GTK KDE missing\n")); 455 return; 456 } 457 /* check that the Install bit is set if using pairwise keys */ 458 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 459 !(info & EAPOL_KEY_INSTALL)) { 460 DPRINTF(("pairwise cipher but !Install\n")); 461 return; 462 } 463 464 /* 465 * Check that first WPA/RSN IE is identical to the one received in 466 * the beacon or probe response frame. 467 */ 468 if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] || 469 memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) { 470 reason = IEEE80211_REASON_RSN_DIFFERENT_IE; 471 goto deauth; 472 } 473 474 /* 475 * If a second RSN information element is present, use its pairwise 476 * cipher suite or deauthenticate. 477 */ 478 if (rsnie2 != NULL) { 479 struct ieee80211_rsnparams rsn; 480 481 if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) { 482 if (rsn.rsn_akms != ni->ni_rsnakms || 483 rsn.rsn_groupcipher != ni->ni_rsngroupcipher || 484 rsn.rsn_nciphers != 1 || 485 !(rsn.rsn_ciphers & ic->ic_rsnciphers)) { 486 reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER; 487 goto deauth; 488 } 489 /* use pairwise cipher suite of second RSN IE */ 490 ni->ni_rsnciphers = rsn.rsn_ciphers; 491 ni->ni_rsncipher = ni->ni_rsnciphers; 492 } 493 } 494 495 /* update the last seen value of the key replay counter field */ 496 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 497 ni->ni_replaycnt_ok = 1; 498 499 if (ic->ic_if.if_flags & IFF_DEBUG) 500 printf("%s: received msg %d/%d of the %s handshake from %s\n", 501 ic->ic_if.if_xname, 3, 4, "4-way", 502 ether_sprintf(ni->ni_macaddr)); 503 504 /* send message 4 to authenticator */ 505 if (ieee80211_send_4way_msg4(ic, ni) != 0) 506 return; /* ..authenticator will retry */ 507 508 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 509 u_int64_t prsc; 510 511 /* check that key length matches that of pairwise cipher */ 512 keylen = ieee80211_cipher_keylen(ni->ni_rsncipher); 513 if (BE_READ_2(key->keylen) != keylen) { 514 reason = IEEE80211_REASON_AUTH_LEAVE; 515 goto deauth; 516 } 517 prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0; 518 519 /* map PTK to 802.11 key */ 520 k = &ni->ni_pairwise_key; 521 memset(k, 0, sizeof(*k)); 522 k->k_cipher = ni->ni_rsncipher; 523 k->k_rsc[0] = prsc; 524 k->k_len = keylen; 525 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 526 /* install the PTK */ 527 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 528 reason = IEEE80211_REASON_AUTH_LEAVE; 529 goto deauth; 530 } 531 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 532 ni->ni_flags |= IEEE80211_NODE_RXPROT; 533 } 534 if (gtk != NULL) { 535 u_int8_t kid; 536 537 /* check that key length matches that of group cipher */ 538 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 539 if (gtk[1] != 6 + keylen) { 540 reason = IEEE80211_REASON_AUTH_LEAVE; 541 goto deauth; 542 } 543 /* map GTK to 802.11 key */ 544 kid = gtk[6] & 3; 545 k = &ic->ic_nw_keys[kid]; 546 memset(k, 0, sizeof(*k)); 547 k->k_id = kid; /* 0-3 */ 548 k->k_cipher = ni->ni_rsngroupcipher; 549 k->k_flags = IEEE80211_KEY_GROUP; 550 if (gtk[6] & (1 << 2)) 551 k->k_flags |= IEEE80211_KEY_TX; 552 k->k_rsc[0] = LE_READ_6(key->rsc); 553 k->k_len = keylen; 554 memcpy(k->k_key, >k[8], k->k_len); 555 /* install the GTK */ 556 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 557 reason = IEEE80211_REASON_AUTH_LEAVE; 558 goto deauth; 559 } 560 } 561 if (igtk != NULL) { /* implies MFP && gtk != NULL */ 562 u_int16_t kid; 563 564 /* check that the IGTK KDE is valid */ 565 if (igtk[1] != 4 + 24) { 566 reason = IEEE80211_REASON_AUTH_LEAVE; 567 goto deauth; 568 } 569 kid = LE_READ_2(&igtk[6]); 570 if (kid != 4 && kid != 5) { 571 DPRINTF(("unsupported IGTK id %u\n", kid)); 572 reason = IEEE80211_REASON_AUTH_LEAVE; 573 goto deauth; 574 } 575 /* map IGTK to 802.11 key */ 576 k = &ic->ic_nw_keys[kid]; 577 memset(k, 0, sizeof(*k)); 578 k->k_id = kid; /* either 4 or 5 */ 579 k->k_cipher = ni->ni_rsngroupmgmtcipher; 580 k->k_flags = IEEE80211_KEY_IGTK; 581 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 582 k->k_len = 16; 583 memcpy(k->k_key, &igtk[14], k->k_len); 584 /* install the IGTK */ 585 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 586 reason = IEEE80211_REASON_AUTH_LEAVE; 587 goto deauth; 588 } 589 } 590 if (info & EAPOL_KEY_INSTALL) 591 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 592 593 if (info & EAPOL_KEY_SECURE) { 594 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 595 #ifndef IEEE80211_STA_ONLY 596 if (ic->ic_opmode != IEEE80211_M_IBSS || 597 ++ni->ni_key_count == 2) 598 #endif 599 { 600 DPRINTF(("marking port %s valid\n", 601 ether_sprintf(ni->ni_macaddr))); 602 ni->ni_port_valid = 1; 603 ieee80211_set_link_state(ic, LINK_STATE_UP); 604 } 605 } 606 deauth: 607 if (reason != 0) { 608 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 609 reason); 610 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 611 } 612 } 613 614 #ifndef IEEE80211_STA_ONLY 615 /* 616 * Process Message 4 of the 4-Way Handshake (sent by Supplicant). 617 */ 618 void 619 ieee80211_recv_4way_msg4(struct ieee80211com *ic, 620 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 621 { 622 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 623 ic->ic_opmode != IEEE80211_M_IBSS) 624 return; 625 626 /* discard if we're not expecting this message */ 627 if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) { 628 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 629 return; 630 } 631 632 /* NB: replay counter has already been verified by caller */ 633 634 /* check Key MIC field using KCK */ 635 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 636 DPRINTF(("key MIC failed\n")); 637 ic->ic_stats.is_rx_eapol_badmic++; 638 return; /* will timeout.. */ 639 } 640 641 timeout_del(&ni->ni_eapol_to); 642 ni->ni_rsn_state = RSNA_PTKINITDONE; 643 ni->ni_rsn_retries = 0; 644 645 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 646 struct ieee80211_key *k; 647 648 /* map PTK to 802.11 key */ 649 k = &ni->ni_pairwise_key; 650 memset(k, 0, sizeof(*k)); 651 k->k_cipher = ni->ni_rsncipher; 652 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 653 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 654 /* install the PTK */ 655 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 656 IEEE80211_SEND_MGMT(ic, ni, 657 IEEE80211_FC0_SUBTYPE_DEAUTH, 658 IEEE80211_REASON_ASSOC_TOOMANY); 659 ieee80211_node_leave(ic, ni); 660 return; 661 } 662 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 663 } 664 if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) { 665 DPRINTF(("marking port %s valid\n", 666 ether_sprintf(ni->ni_macaddr))); 667 ni->ni_port_valid = 1; 668 } 669 670 if (ic->ic_if.if_flags & IFF_DEBUG) 671 printf("%s: received msg %d/%d of the %s handshake from %s\n", 672 ic->ic_if.if_xname, 4, 4, "4-way", 673 ether_sprintf(ni->ni_macaddr)); 674 675 /* initiate a group key handshake for WPA */ 676 if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA) 677 (void)ieee80211_send_group_msg1(ic, ni); 678 else 679 ni->ni_rsn_gstate = RSNA_IDLE; 680 } 681 682 /* 683 * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on 684 * the presence of an RSN or WPA Information Element. 685 */ 686 void 687 ieee80211_recv_4way_msg2or4(struct ieee80211com *ic, 688 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 689 { 690 const u_int8_t *frm, *efrm; 691 const u_int8_t *rsnie; 692 693 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 694 ic->ic_stats.is_rx_eapol_replay++; 695 return; 696 } 697 698 /* parse key data field (check if an RSN IE is present) */ 699 frm = (const u_int8_t *)&key[1]; 700 efrm = frm + BE_READ_2(key->paylen); 701 702 rsnie = NULL; 703 while (frm + 2 <= efrm) { 704 if (frm + 2 + frm[1] > efrm) 705 break; 706 switch (frm[0]) { 707 case IEEE80211_ELEMID_RSN: 708 rsnie = frm; 709 break; 710 case IEEE80211_ELEMID_VENDOR: 711 if (frm[1] < 4) 712 break; 713 if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 714 switch (frm[5]) { 715 case 1: /* WPA */ 716 rsnie = frm; 717 break; 718 } 719 } 720 } 721 frm += 2 + frm[1]; 722 } 723 if (rsnie != NULL) 724 ieee80211_recv_4way_msg2(ic, key, ni, rsnie); 725 else 726 ieee80211_recv_4way_msg4(ic, key, ni); 727 } 728 #endif /* IEEE80211_STA_ONLY */ 729 730 /* 731 * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator). 732 */ 733 void 734 ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic, 735 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 736 { 737 struct ieee80211_key *k; 738 const u_int8_t *frm, *efrm; 739 const u_int8_t *gtk, *igtk; 740 u_int16_t info, kid, reason = 0; 741 int keylen; 742 743 #ifndef IEEE80211_STA_ONLY 744 if (ic->ic_opmode != IEEE80211_M_STA && 745 ic->ic_opmode != IEEE80211_M_IBSS) 746 return; 747 #endif 748 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 749 ic->ic_stats.is_rx_eapol_replay++; 750 return; 751 } 752 /* check Key MIC field using KCK */ 753 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 754 DPRINTF(("key MIC failed\n")); 755 ic->ic_stats.is_rx_eapol_badmic++; 756 return; 757 } 758 info = BE_READ_2(key->info); 759 760 /* check that encrypted and decrypt Key Data field using KEK */ 761 if (!(info & EAPOL_KEY_ENCRYPTED) || 762 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 763 DPRINTF(("decryption failed\n")); 764 return; 765 } 766 767 /* parse key data field (shall contain a GTK KDE) */ 768 frm = (const u_int8_t *)&key[1]; 769 efrm = frm + BE_READ_2(key->paylen); 770 771 gtk = igtk = NULL; 772 while (frm + 2 <= efrm) { 773 if (frm + 2 + frm[1] > efrm) 774 break; 775 switch (frm[0]) { 776 case IEEE80211_ELEMID_VENDOR: 777 if (frm[1] < 4) 778 break; 779 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 780 switch (frm[5]) { 781 case IEEE80211_KDE_GTK: 782 gtk = frm; 783 break; 784 case IEEE80211_KDE_IGTK: 785 if (ni->ni_flags & IEEE80211_NODE_MFP) 786 igtk = frm; 787 break; 788 } 789 } 790 break; 791 } 792 frm += 2 + frm[1]; 793 } 794 /* check that the GTK KDE is present */ 795 if (gtk == NULL) { 796 DPRINTF(("GTK KDE missing\n")); 797 return; 798 } 799 800 /* check that key length matches that of group cipher */ 801 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 802 if (gtk[1] != 6 + keylen) 803 return; 804 805 /* map GTK to 802.11 key */ 806 kid = gtk[6] & 3; 807 k = &ic->ic_nw_keys[kid]; 808 memset(k, 0, sizeof(*k)); 809 k->k_id = kid; /* 0-3 */ 810 k->k_cipher = ni->ni_rsngroupcipher; 811 k->k_flags = IEEE80211_KEY_GROUP; 812 if (gtk[6] & (1 << 2)) 813 k->k_flags |= IEEE80211_KEY_TX; 814 k->k_rsc[0] = LE_READ_6(key->rsc); 815 k->k_len = keylen; 816 memcpy(k->k_key, >k[8], k->k_len); 817 /* install the GTK */ 818 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 819 reason = IEEE80211_REASON_AUTH_LEAVE; 820 goto deauth; 821 } 822 if (igtk != NULL) { /* implies MFP */ 823 /* check that the IGTK KDE is valid */ 824 if (igtk[1] != 4 + 24) { 825 reason = IEEE80211_REASON_AUTH_LEAVE; 826 goto deauth; 827 } 828 kid = LE_READ_2(&igtk[6]); 829 if (kid != 4 && kid != 5) { 830 DPRINTF(("unsupported IGTK id %u\n", kid)); 831 reason = IEEE80211_REASON_AUTH_LEAVE; 832 goto deauth; 833 } 834 /* map IGTK to 802.11 key */ 835 k = &ic->ic_nw_keys[kid]; 836 memset(k, 0, sizeof(*k)); 837 k->k_id = kid; /* either 4 or 5 */ 838 k->k_cipher = ni->ni_rsngroupmgmtcipher; 839 k->k_flags = IEEE80211_KEY_IGTK; 840 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 841 k->k_len = 16; 842 memcpy(k->k_key, &igtk[14], k->k_len); 843 /* install the IGTK */ 844 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 845 reason = IEEE80211_REASON_AUTH_LEAVE; 846 goto deauth; 847 } 848 } 849 if (info & EAPOL_KEY_SECURE) { 850 #ifndef IEEE80211_STA_ONLY 851 if (ic->ic_opmode != IEEE80211_M_IBSS || 852 ++ni->ni_key_count == 2) 853 #endif 854 { 855 DPRINTF(("marking port %s valid\n", 856 ether_sprintf(ni->ni_macaddr))); 857 ni->ni_port_valid = 1; 858 ieee80211_set_link_state(ic, LINK_STATE_UP); 859 } 860 } 861 /* update the last seen value of the key replay counter field */ 862 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 863 864 if (ic->ic_if.if_flags & IFF_DEBUG) 865 printf("%s: received msg %d/%d of the %s handshake from %s\n", 866 ic->ic_if.if_xname, 1, 2, "group key", 867 ether_sprintf(ni->ni_macaddr)); 868 869 /* send message 2 to authenticator */ 870 (void)ieee80211_send_group_msg2(ic, ni, NULL); 871 return; 872 deauth: 873 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 874 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 875 } 876 877 /* 878 * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator). 879 */ 880 void 881 ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic, 882 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 883 { 884 struct ieee80211_key *k; 885 u_int16_t info; 886 u_int8_t kid; 887 int keylen; 888 889 #ifndef IEEE80211_STA_ONLY 890 if (ic->ic_opmode != IEEE80211_M_STA && 891 ic->ic_opmode != IEEE80211_M_IBSS) 892 return; 893 #endif 894 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 895 ic->ic_stats.is_rx_eapol_replay++; 896 return; 897 } 898 /* check Key MIC field using KCK */ 899 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 900 DPRINTF(("key MIC failed\n")); 901 ic->ic_stats.is_rx_eapol_badmic++; 902 return; 903 } 904 /* 905 * EAPOL-Key data field is encrypted even though WPA doesn't set 906 * the ENCRYPTED bit in the info field. 907 */ 908 if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 909 DPRINTF(("decryption failed\n")); 910 return; 911 } 912 913 /* check that key length matches that of group cipher */ 914 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 915 if (BE_READ_2(key->keylen) != keylen) 916 return; 917 918 /* check that the data length is large enough to hold the key */ 919 if (BE_READ_2(key->paylen) < keylen) 920 return; 921 922 info = BE_READ_2(key->info); 923 924 /* map GTK to 802.11 key */ 925 kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3; 926 k = &ic->ic_nw_keys[kid]; 927 memset(k, 0, sizeof(*k)); 928 k->k_id = kid; /* 0-3 */ 929 k->k_cipher = ni->ni_rsngroupcipher; 930 k->k_flags = IEEE80211_KEY_GROUP; 931 if (info & EAPOL_KEY_WPA_TX) 932 k->k_flags |= IEEE80211_KEY_TX; 933 k->k_rsc[0] = LE_READ_6(key->rsc); 934 k->k_len = keylen; 935 /* key data field contains the GTK */ 936 memcpy(k->k_key, &key[1], k->k_len); 937 /* install the GTK */ 938 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 939 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 940 IEEE80211_REASON_AUTH_LEAVE); 941 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 942 return; 943 } 944 if (info & EAPOL_KEY_SECURE) { 945 #ifndef IEEE80211_STA_ONLY 946 if (ic->ic_opmode != IEEE80211_M_IBSS || 947 ++ni->ni_key_count == 2) 948 #endif 949 { 950 DPRINTF(("marking port %s valid\n", 951 ether_sprintf(ni->ni_macaddr))); 952 ni->ni_port_valid = 1; 953 ieee80211_set_link_state(ic, LINK_STATE_UP); 954 } 955 } 956 /* update the last seen value of the key replay counter field */ 957 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 958 959 if (ic->ic_if.if_flags & IFF_DEBUG) 960 printf("%s: received msg %d/%d of the %s handshake from %s\n", 961 ic->ic_if.if_xname, 1, 2, "group key", 962 ether_sprintf(ni->ni_macaddr)); 963 964 /* send message 2 to authenticator */ 965 (void)ieee80211_send_group_msg2(ic, ni, k); 966 } 967 968 #ifndef IEEE80211_STA_ONLY 969 /* 970 * Process Message 2 of the Group Key Handshake (sent by Supplicant). 971 */ 972 void 973 ieee80211_recv_group_msg2(struct ieee80211com *ic, 974 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 975 { 976 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 977 ic->ic_opmode != IEEE80211_M_IBSS) 978 return; 979 980 /* discard if we're not expecting this message */ 981 if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) { 982 DPRINTF(("%s: unexpected in state: %d\n", ni->ni_rsn_gstate)); 983 return; 984 } 985 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 986 ic->ic_stats.is_rx_eapol_replay++; 987 return; 988 } 989 /* check Key MIC field using KCK */ 990 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 991 DPRINTF(("key MIC failed\n")); 992 ic->ic_stats.is_rx_eapol_badmic++; 993 return; 994 } 995 996 timeout_del(&ni->ni_eapol_to); 997 ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED; 998 999 if ((ni->ni_flags & IEEE80211_NODE_REKEY) && 1000 --ic->ic_rsn_keydonesta == 0) 1001 ieee80211_setkeysdone(ic); 1002 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 1003 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 1004 1005 ni->ni_rsn_gstate = RSNA_IDLE; 1006 ni->ni_rsn_retries = 0; 1007 1008 if (ic->ic_if.if_flags & IFF_DEBUG) 1009 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1010 ic->ic_if.if_xname, 2, 2, "group key", 1011 ether_sprintf(ni->ni_macaddr)); 1012 } 1013 1014 /* 1015 * EAPOL-Key Request frames are sent by the supplicant to request that the 1016 * authenticator initiates either a 4-Way Handshake or Group Key Handshake, 1017 * or to report a MIC failure in a TKIP MSDU. 1018 */ 1019 void 1020 ieee80211_recv_eapol_key_req(struct ieee80211com *ic, 1021 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1022 { 1023 u_int16_t info; 1024 1025 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1026 ic->ic_opmode != IEEE80211_M_IBSS) 1027 return; 1028 1029 /* enforce monotonicity of key request replay counter */ 1030 if (ni->ni_reqreplaycnt_ok && 1031 BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) { 1032 ic->ic_stats.is_rx_eapol_replay++; 1033 return; 1034 } 1035 info = BE_READ_2(key->info); 1036 1037 if (!(info & EAPOL_KEY_KEYMIC) || 1038 ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1039 DPRINTF(("key request MIC failed\n")); 1040 ic->ic_stats.is_rx_eapol_badmic++; 1041 return; 1042 } 1043 /* update key request replay counter now that MIC is verified */ 1044 ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt); 1045 ni->ni_reqreplaycnt_ok = 1; 1046 1047 if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */ 1048 /* ignore reports from STAs not using TKIP */ 1049 if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 1050 ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) { 1051 DPRINTF(("MIC failure report from !TKIP STA: %s\n", 1052 ether_sprintf(ni->ni_macaddr))); 1053 return; 1054 } 1055 ic->ic_stats.is_rx_remmicfail++; 1056 ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc)); 1057 1058 } else if (info & EAPOL_KEY_PAIRWISE) { 1059 /* initiate a 4-Way Handshake */ 1060 1061 } else { 1062 /* 1063 * Should change the GTK, initiate the 4-Way Handshake and 1064 * then execute a Group Key Handshake with all supplicants. 1065 */ 1066 } 1067 } 1068 #endif /* IEEE80211_STA_ONLY */ 1069