1 /* $OpenBSD: ieee80211_pae_input.c,v 1.15 2009/01/26 19:09:41 damien Exp $ */ 2 3 /*- 4 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the 4-Way Handshake and Group Key Handshake protocols 21 * (both Supplicant and Authenticator Key Receive state machines) defined in 22 * IEEE Std 802.11-2007 section 8.5. 23 */ 24 25 #include <sys/param.h> 26 #include <sys/systm.h> 27 #include <sys/mbuf.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/sockio.h> 31 #include <sys/errno.h> 32 #include <sys/proc.h> 33 34 #include <net/if.h> 35 #include <net/if_dl.h> 36 #include <net/if_media.h> 37 #include <net/if_arp.h> 38 39 #ifdef INET 40 #include <netinet/in.h> 41 #include <netinet/if_ether.h> 42 #include <netinet/in_systm.h> 43 #endif 44 45 #include <net80211/ieee80211_var.h> 46 #include <net80211/ieee80211_priv.h> 47 48 #include <dev/rndvar.h> 49 50 void ieee80211_recv_4way_msg1(struct ieee80211com *, 51 struct ieee80211_eapol_key *, struct ieee80211_node *); 52 #ifndef IEEE80211_STA_ONLY 53 void ieee80211_recv_4way_msg2(struct ieee80211com *, 54 struct ieee80211_eapol_key *, struct ieee80211_node *, 55 const u_int8_t *); 56 #endif 57 void ieee80211_recv_4way_msg3(struct ieee80211com *, 58 struct ieee80211_eapol_key *, struct ieee80211_node *); 59 #ifndef IEEE80211_STA_ONLY 60 void ieee80211_recv_4way_msg4(struct ieee80211com *, 61 struct ieee80211_eapol_key *, struct ieee80211_node *); 62 void ieee80211_recv_4way_msg2or4(struct ieee80211com *, 63 struct ieee80211_eapol_key *, struct ieee80211_node *); 64 #endif 65 void ieee80211_recv_rsn_group_msg1(struct ieee80211com *, 66 struct ieee80211_eapol_key *, struct ieee80211_node *); 67 void ieee80211_recv_wpa_group_msg1(struct ieee80211com *, 68 struct ieee80211_eapol_key *, struct ieee80211_node *); 69 #ifndef IEEE80211_STA_ONLY 70 void ieee80211_recv_group_msg2(struct ieee80211com *, 71 struct ieee80211_eapol_key *, struct ieee80211_node *); 72 void ieee80211_recv_eapol_key_req(struct ieee80211com *, 73 struct ieee80211_eapol_key *, struct ieee80211_node *); 74 #endif 75 76 /* 77 * Process an incoming EAPOL frame. Notice that we are only interested in 78 * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type. 79 */ 80 void 81 ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m, 82 struct ieee80211_node *ni) 83 { 84 struct ifnet *ifp = &ic->ic_if; 85 struct ether_header *eh; 86 struct ieee80211_eapol_key *key; 87 u_int16_t info, desc; 88 int totlen; 89 90 ifp->if_ibytes += m->m_pkthdr.len; 91 92 eh = mtod(m, struct ether_header *); 93 if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) { 94 ifp->if_imcasts++; 95 goto done; 96 } 97 m_adj(m, sizeof(*eh)); 98 99 if (m->m_pkthdr.len < sizeof(*key)) 100 goto done; 101 if (m->m_len < sizeof(*key) && 102 (m = m_pullup(m, sizeof(*key))) == NULL) { 103 ic->ic_stats.is_rx_nombuf++; 104 goto done; 105 } 106 key = mtod(m, struct ieee80211_eapol_key *); 107 108 if (key->type != EAPOL_KEY) 109 goto done; 110 ic->ic_stats.is_rx_eapol_key++; 111 112 if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 113 key->desc != EAPOL_KEY_DESC_IEEE80211) || 114 (ni->ni_rsnprotos == IEEE80211_PROTO_WPA && 115 key->desc != EAPOL_KEY_DESC_WPA)) 116 goto done; 117 118 /* check packet body length */ 119 if (m->m_pkthdr.len < 4 + BE_READ_2(key->len)) 120 goto done; 121 122 /* check key data length */ 123 totlen = sizeof(*key) + BE_READ_2(key->paylen); 124 if (m->m_pkthdr.len < totlen || totlen > MCLBYTES) 125 goto done; 126 127 info = BE_READ_2(key->info); 128 129 /* discard EAPOL-Key frames with an unknown descriptor version */ 130 desc = info & EAPOL_KEY_VERSION_MASK; 131 if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3) 132 goto done; 133 134 if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) { 135 if (desc != EAPOL_KEY_DESC_V3) 136 goto done; 137 } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP || 138 ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) { 139 if (desc != EAPOL_KEY_DESC_V2) 140 goto done; 141 } 142 143 /* make sure the key data field is contiguous */ 144 if (m->m_len < totlen && (m = m_pullup2(m, totlen)) == NULL) { 145 ic->ic_stats.is_rx_nombuf++; 146 goto done; 147 } 148 key = mtod(m, struct ieee80211_eapol_key *); 149 150 /* determine message type (see 8.5.3.7) */ 151 if (info & EAPOL_KEY_REQUEST) { 152 #ifndef IEEE80211_STA_ONLY 153 /* EAPOL-Key Request frame */ 154 ieee80211_recv_eapol_key_req(ic, key, ni); 155 #endif 156 } else if (info & EAPOL_KEY_PAIRWISE) { 157 /* 4-Way Handshake */ 158 if (info & EAPOL_KEY_KEYMIC) { 159 if (info & EAPOL_KEY_KEYACK) 160 ieee80211_recv_4way_msg3(ic, key, ni); 161 #ifndef IEEE80211_STA_ONLY 162 else 163 ieee80211_recv_4way_msg2or4(ic, key, ni); 164 #endif 165 } else if (info & EAPOL_KEY_KEYACK) 166 ieee80211_recv_4way_msg1(ic, key, ni); 167 } else { 168 /* Group Key Handshake */ 169 if (!(info & EAPOL_KEY_KEYMIC)) 170 goto done; 171 if (info & EAPOL_KEY_KEYACK) { 172 if (key->desc == EAPOL_KEY_DESC_WPA) 173 ieee80211_recv_wpa_group_msg1(ic, key, ni); 174 else 175 ieee80211_recv_rsn_group_msg1(ic, key, ni); 176 } 177 #ifndef IEEE80211_STA_ONLY 178 else 179 ieee80211_recv_group_msg2(ic, key, ni); 180 #endif 181 } 182 done: 183 if (m != NULL) 184 m_freem(m); 185 } 186 187 /* 188 * Process Message 1 of the 4-Way Handshake (sent by Authenticator). 189 */ 190 void 191 ieee80211_recv_4way_msg1(struct ieee80211com *ic, 192 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 193 { 194 struct ieee80211_ptk tptk; 195 struct ieee80211_pmk *pmk; 196 const u_int8_t *frm, *efrm; 197 const u_int8_t *pmkid; 198 199 #ifndef IEEE80211_STA_ONLY 200 if (ic->ic_opmode != IEEE80211_M_STA && 201 ic->ic_opmode != IEEE80211_M_IBSS) 202 return; 203 #endif 204 if (ni->ni_replaycnt_ok && 205 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 206 ic->ic_stats.is_rx_eapol_replay++; 207 return; 208 } 209 210 /* parse key data field (may contain an encapsulated PMKID) */ 211 frm = (const u_int8_t *)&key[1]; 212 efrm = frm + BE_READ_2(key->paylen); 213 214 pmkid = NULL; 215 while (frm + 2 <= efrm) { 216 if (frm + 2 + frm[1] > efrm) 217 break; 218 switch (frm[0]) { 219 case IEEE80211_ELEMID_VENDOR: 220 if (frm[1] < 4) 221 break; 222 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 223 switch (frm[5]) { 224 case IEEE80211_KDE_PMKID: 225 pmkid = frm; 226 break; 227 } 228 } 229 break; 230 } 231 frm += 2 + frm[1]; 232 } 233 /* check that the PMKID KDE is valid (if present) */ 234 if (pmkid != NULL && pmkid[1] != 4 + 16) 235 return; 236 237 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 238 /* retrieve the PMK for this (AP,PMKID) */ 239 pmk = ieee80211_pmksa_find(ic, ni, 240 (pmkid != NULL) ? &pmkid[6] : NULL); 241 if (pmk == NULL) { 242 DPRINTF(("no PMK available for %s\n", 243 ether_sprintf(ni->ni_macaddr))); 244 return; 245 } 246 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 247 } else /* use pre-shared key */ 248 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 249 ni->ni_flags |= IEEE80211_NODE_PMK; 250 251 /* save authenticator's nonce (ANonce) */ 252 memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN); 253 254 /* generate supplicant's nonce (SNonce) */ 255 arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN); 256 257 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 258 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 259 ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk); 260 261 if (ic->ic_if.if_flags & IFF_DEBUG) 262 printf("%s: received msg %d/%d of the %s handshake from %s\n", 263 ic->ic_if.if_xname, 1, 4, "4-way", 264 ether_sprintf(ni->ni_macaddr)); 265 266 /* send message 2 to authenticator using TPTK */ 267 (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk); 268 } 269 270 #ifndef IEEE80211_STA_ONLY 271 /* 272 * Process Message 2 of the 4-Way Handshake (sent by Supplicant). 273 */ 274 void 275 ieee80211_recv_4way_msg2(struct ieee80211com *ic, 276 struct ieee80211_eapol_key *key, struct ieee80211_node *ni, 277 const u_int8_t *rsnie) 278 { 279 struct ieee80211_ptk tptk; 280 281 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 282 ic->ic_opmode != IEEE80211_M_IBSS) 283 return; 284 285 /* discard if we're not expecting this message */ 286 if (ni->ni_rsn_state != RSNA_PTKSTART && 287 ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) { 288 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 289 return; 290 } 291 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING; 292 293 /* NB: replay counter has already been verified by caller */ 294 295 /* PTK = CalcPTK(ANonce, SNonce) */ 296 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr, 297 ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk); 298 299 /* check Key MIC field using KCK */ 300 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 301 DPRINTF(("key MIC failed\n")); 302 ic->ic_stats.is_rx_eapol_badmic++; 303 return; /* will timeout.. */ 304 } 305 306 timeout_del(&ni->ni_eapol_to); 307 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2; 308 ni->ni_rsn_retries = 0; 309 310 /* install TPTK as PTK now that MIC is verified */ 311 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 312 313 /* 314 * The RSN IE must match bit-wise with what the STA included in its 315 * (Re)Association Request. 316 */ 317 if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] || 318 memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) { 319 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 320 IEEE80211_REASON_RSN_DIFFERENT_IE); 321 ieee80211_node_leave(ic, ni); 322 return; 323 } 324 325 if (ic->ic_if.if_flags & IFF_DEBUG) 326 printf("%s: received msg %d/%d of the %s handshake from %s\n", 327 ic->ic_if.if_xname, 2, 4, "4-way", 328 ether_sprintf(ni->ni_macaddr)); 329 330 /* send message 3 to supplicant */ 331 (void)ieee80211_send_4way_msg3(ic, ni); 332 } 333 #endif /* IEEE80211_STA_ONLY */ 334 335 /* 336 * Process Message 3 of the 4-Way Handshake (sent by Authenticator). 337 */ 338 void 339 ieee80211_recv_4way_msg3(struct ieee80211com *ic, 340 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 341 { 342 struct ieee80211_ptk tptk; 343 struct ieee80211_key *k; 344 const u_int8_t *frm, *efrm; 345 const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk; 346 u_int16_t info, reason = 0; 347 int keylen; 348 349 #ifndef IEEE80211_STA_ONLY 350 if (ic->ic_opmode != IEEE80211_M_STA && 351 ic->ic_opmode != IEEE80211_M_IBSS) 352 return; 353 #endif 354 if (ni->ni_replaycnt_ok && 355 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 356 ic->ic_stats.is_rx_eapol_replay++; 357 return; 358 } 359 /* make sure that a PMK has been selected */ 360 if (!(ni->ni_flags & IEEE80211_NODE_PMK)) { 361 DPRINTF(("no PMK found for %s\n", 362 ether_sprintf(ni->ni_macaddr))); 363 return; 364 } 365 /* check that ANonce matches that of Message 1 */ 366 if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) { 367 DPRINTF(("ANonce does not match msg 1/4\n")); 368 return; 369 } 370 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 371 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 372 ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk); 373 374 info = BE_READ_2(key->info); 375 376 /* check Key MIC field using KCK */ 377 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 378 DPRINTF(("key MIC failed\n")); 379 ic->ic_stats.is_rx_eapol_badmic++; 380 return; 381 } 382 /* install TPTK as PTK now that MIC is verified */ 383 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 384 385 /* if encrypted, decrypt Key Data field using KEK */ 386 if ((info & EAPOL_KEY_ENCRYPTED) && 387 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 388 DPRINTF(("decryption failed\n")); 389 return; 390 } 391 392 /* parse key data field */ 393 frm = (const u_int8_t *)&key[1]; 394 efrm = frm + BE_READ_2(key->paylen); 395 396 /* 397 * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and 398 * RSN IEs in message 3/4. We only take into account the IE of the 399 * version of the protocol we negotiated at association time. 400 */ 401 rsnie1 = rsnie2 = gtk = igtk = NULL; 402 while (frm + 2 <= efrm) { 403 if (frm + 2 + frm[1] > efrm) 404 break; 405 switch (frm[0]) { 406 case IEEE80211_ELEMID_RSN: 407 if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN) 408 break; 409 if (rsnie1 == NULL) 410 rsnie1 = frm; 411 else if (rsnie2 == NULL) 412 rsnie2 = frm; 413 /* ignore others if more than two RSN IEs */ 414 break; 415 case IEEE80211_ELEMID_VENDOR: 416 if (frm[1] < 4) 417 break; 418 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 419 switch (frm[5]) { 420 case IEEE80211_KDE_GTK: 421 gtk = frm; 422 break; 423 case IEEE80211_KDE_IGTK: 424 if (ni->ni_flags & IEEE80211_NODE_MFP) 425 igtk = frm; 426 break; 427 } 428 } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 429 switch (frm[5]) { 430 case 1: /* WPA */ 431 if (ni->ni_rsnprotos != 432 IEEE80211_PROTO_WPA) 433 break; 434 rsnie1 = frm; 435 break; 436 } 437 } 438 break; 439 } 440 frm += 2 + frm[1]; 441 } 442 /* first WPA/RSN IE is mandatory */ 443 if (rsnie1 == NULL) { 444 DPRINTF(("missing RSN IE\n")); 445 return; 446 } 447 /* key data must be encrypted if GTK is included */ 448 if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) { 449 DPRINTF(("GTK not encrypted\n")); 450 return; 451 } 452 /* GTK KDE must be included if IGTK KDE is present */ 453 if (igtk != NULL && gtk == NULL) { 454 DPRINTF(("IGTK KDE found but GTK KDE missing\n")); 455 return; 456 } 457 /* check that the Install bit is set if using pairwise keys */ 458 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 459 !(info & EAPOL_KEY_INSTALL)) { 460 DPRINTF(("pairwise cipher but !Install\n")); 461 return; 462 } 463 464 /* 465 * Check that first WPA/RSN IE is identical to the one received in 466 * the beacon or probe response frame. 467 */ 468 if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] || 469 memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) { 470 reason = IEEE80211_REASON_RSN_DIFFERENT_IE; 471 goto deauth; 472 } 473 474 /* 475 * If a second RSN information element is present, use its pairwise 476 * cipher suite or deauthenticate. 477 */ 478 if (rsnie2 != NULL) { 479 struct ieee80211_rsnparams rsn; 480 481 if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) { 482 if (rsn.rsn_akms != ni->ni_rsnakms || 483 rsn.rsn_groupcipher != ni->ni_rsngroupcipher || 484 rsn.rsn_nciphers != 1 || 485 !(rsn.rsn_ciphers & ic->ic_rsnciphers)) { 486 reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER; 487 goto deauth; 488 } 489 /* use pairwise cipher suite of second RSN IE */ 490 ni->ni_rsnciphers = rsn.rsn_ciphers; 491 ni->ni_rsncipher = ni->ni_rsnciphers; 492 } 493 } 494 495 /* update the last seen value of the key replay counter field */ 496 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 497 ni->ni_replaycnt_ok = 1; 498 499 if (ic->ic_if.if_flags & IFF_DEBUG) 500 printf("%s: received msg %d/%d of the %s handshake from %s\n", 501 ic->ic_if.if_xname, 3, 4, "4-way", 502 ether_sprintf(ni->ni_macaddr)); 503 504 /* send message 4 to authenticator */ 505 if (ieee80211_send_4way_msg4(ic, ni) != 0) 506 return; /* ..authenticator will retry */ 507 508 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 509 u_int64_t prsc; 510 511 /* check that key length matches that of pairwise cipher */ 512 keylen = ieee80211_cipher_keylen(ni->ni_rsncipher); 513 if (BE_READ_2(key->keylen) != keylen) { 514 reason = IEEE80211_REASON_AUTH_LEAVE; 515 goto deauth; 516 } 517 prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0; 518 519 /* map PTK to 802.11 key */ 520 k = &ni->ni_pairwise_key; 521 memset(k, 0, sizeof(*k)); 522 k->k_cipher = ni->ni_rsncipher; 523 k->k_rsc[0] = prsc; 524 k->k_len = keylen; 525 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 526 /* install the PTK */ 527 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 528 reason = IEEE80211_REASON_AUTH_LEAVE; 529 goto deauth; 530 } 531 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 532 ni->ni_flags |= IEEE80211_NODE_RXPROT; 533 } 534 if (gtk != NULL) { 535 u_int8_t kid; 536 537 /* check that key length matches that of group cipher */ 538 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 539 if (gtk[1] != 6 + keylen) { 540 reason = IEEE80211_REASON_AUTH_LEAVE; 541 goto deauth; 542 } 543 /* map GTK to 802.11 key */ 544 kid = gtk[6] & 3; 545 k = &ic->ic_nw_keys[kid]; 546 memset(k, 0, sizeof(*k)); 547 k->k_id = kid; /* 0-3 */ 548 k->k_cipher = ni->ni_rsngroupcipher; 549 k->k_flags = IEEE80211_KEY_GROUP; 550 if (gtk[6] & (1 << 2)) 551 k->k_flags |= IEEE80211_KEY_TX; 552 k->k_rsc[0] = LE_READ_6(key->rsc); 553 k->k_len = keylen; 554 memcpy(k->k_key, >k[8], k->k_len); 555 /* install the GTK */ 556 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 557 reason = IEEE80211_REASON_AUTH_LEAVE; 558 goto deauth; 559 } 560 } 561 if (igtk != NULL) { /* implies MFP && gtk != NULL */ 562 u_int16_t kid; 563 564 /* check that the IGTK KDE is valid */ 565 if (igtk[1] != 4 + 24) { 566 reason = IEEE80211_REASON_AUTH_LEAVE; 567 goto deauth; 568 } 569 kid = LE_READ_2(&igtk[6]); 570 if (kid != 4 && kid != 5) { 571 DPRINTF(("unsupported IGTK id %u\n", kid)); 572 reason = IEEE80211_REASON_AUTH_LEAVE; 573 goto deauth; 574 } 575 /* map IGTK to 802.11 key */ 576 k = &ic->ic_nw_keys[kid]; 577 memset(k, 0, sizeof(*k)); 578 k->k_id = kid; /* either 4 or 5 */ 579 k->k_cipher = ni->ni_rsngroupmgmtcipher; 580 k->k_flags = IEEE80211_KEY_IGTK; 581 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 582 k->k_len = 16; 583 memcpy(k->k_key, &igtk[14], k->k_len); 584 /* install the IGTK */ 585 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 586 reason = IEEE80211_REASON_AUTH_LEAVE; 587 goto deauth; 588 } 589 } 590 if (info & EAPOL_KEY_INSTALL) 591 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 592 593 if (info & EAPOL_KEY_SECURE) { 594 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 595 #ifndef IEEE80211_STA_ONLY 596 if (ic->ic_opmode != IEEE80211_M_IBSS || 597 ++ni->ni_key_count == 2) 598 #endif 599 { 600 DPRINTF(("marking port %s valid\n", 601 ether_sprintf(ni->ni_macaddr))); 602 ni->ni_port_valid = 1; 603 } 604 } 605 deauth: 606 if (reason != 0) { 607 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 608 reason); 609 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 610 } 611 } 612 613 #ifndef IEEE80211_STA_ONLY 614 /* 615 * Process Message 4 of the 4-Way Handshake (sent by Supplicant). 616 */ 617 void 618 ieee80211_recv_4way_msg4(struct ieee80211com *ic, 619 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 620 { 621 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 622 ic->ic_opmode != IEEE80211_M_IBSS) 623 return; 624 625 /* discard if we're not expecting this message */ 626 if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) { 627 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 628 return; 629 } 630 631 /* NB: replay counter has already been verified by caller */ 632 633 /* check Key MIC field using KCK */ 634 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 635 DPRINTF(("key MIC failed\n")); 636 ic->ic_stats.is_rx_eapol_badmic++; 637 return; /* will timeout.. */ 638 } 639 640 timeout_del(&ni->ni_eapol_to); 641 ni->ni_rsn_state = RSNA_PTKINITDONE; 642 ni->ni_rsn_retries = 0; 643 644 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 645 struct ieee80211_key *k; 646 647 /* map PTK to 802.11 key */ 648 k = &ni->ni_pairwise_key; 649 memset(k, 0, sizeof(*k)); 650 k->k_cipher = ni->ni_rsncipher; 651 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 652 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 653 /* install the PTK */ 654 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 655 IEEE80211_SEND_MGMT(ic, ni, 656 IEEE80211_FC0_SUBTYPE_DEAUTH, 657 IEEE80211_REASON_ASSOC_TOOMANY); 658 ieee80211_node_leave(ic, ni); 659 return; 660 } 661 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 662 } 663 if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) { 664 DPRINTF(("marking port %s valid\n", 665 ether_sprintf(ni->ni_macaddr))); 666 ni->ni_port_valid = 1; 667 } 668 669 if (ic->ic_if.if_flags & IFF_DEBUG) 670 printf("%s: received msg %d/%d of the %s handshake from %s\n", 671 ic->ic_if.if_xname, 4, 4, "4-way", 672 ether_sprintf(ni->ni_macaddr)); 673 674 /* initiate a group key handshake for WPA */ 675 if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA) 676 (void)ieee80211_send_group_msg1(ic, ni); 677 else 678 ni->ni_rsn_gstate = RSNA_IDLE; 679 } 680 681 /* 682 * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on 683 * the presence of an RSN or WPA Information Element. 684 */ 685 void 686 ieee80211_recv_4way_msg2or4(struct ieee80211com *ic, 687 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 688 { 689 const u_int8_t *frm, *efrm; 690 const u_int8_t *rsnie; 691 692 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 693 ic->ic_stats.is_rx_eapol_replay++; 694 return; 695 } 696 697 /* parse key data field (check if an RSN IE is present) */ 698 frm = (const u_int8_t *)&key[1]; 699 efrm = frm + BE_READ_2(key->paylen); 700 701 rsnie = NULL; 702 while (frm + 2 <= efrm) { 703 if (frm + 2 + frm[1] > efrm) 704 break; 705 switch (frm[0]) { 706 case IEEE80211_ELEMID_RSN: 707 rsnie = frm; 708 break; 709 case IEEE80211_ELEMID_VENDOR: 710 if (frm[1] < 4) 711 break; 712 if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 713 switch (frm[5]) { 714 case 1: /* WPA */ 715 rsnie = frm; 716 break; 717 } 718 } 719 } 720 frm += 2 + frm[1]; 721 } 722 if (rsnie != NULL) 723 ieee80211_recv_4way_msg2(ic, key, ni, rsnie); 724 else 725 ieee80211_recv_4way_msg4(ic, key, ni); 726 } 727 #endif /* IEEE80211_STA_ONLY */ 728 729 /* 730 * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator). 731 */ 732 void 733 ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic, 734 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 735 { 736 struct ieee80211_key *k; 737 const u_int8_t *frm, *efrm; 738 const u_int8_t *gtk, *igtk; 739 u_int16_t info, kid, reason = 0; 740 int keylen; 741 742 #ifndef IEEE80211_STA_ONLY 743 if (ic->ic_opmode != IEEE80211_M_STA && 744 ic->ic_opmode != IEEE80211_M_IBSS) 745 return; 746 #endif 747 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 748 ic->ic_stats.is_rx_eapol_replay++; 749 return; 750 } 751 /* check Key MIC field using KCK */ 752 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 753 DPRINTF(("key MIC failed\n")); 754 ic->ic_stats.is_rx_eapol_badmic++; 755 return; 756 } 757 info = BE_READ_2(key->info); 758 759 /* check that encrypted and decrypt Key Data field using KEK */ 760 if (!(info & EAPOL_KEY_ENCRYPTED) || 761 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 762 DPRINTF(("decryption failed\n")); 763 return; 764 } 765 766 /* parse key data field (shall contain a GTK KDE) */ 767 frm = (const u_int8_t *)&key[1]; 768 efrm = frm + BE_READ_2(key->paylen); 769 770 gtk = igtk = NULL; 771 while (frm + 2 <= efrm) { 772 if (frm + 2 + frm[1] > efrm) 773 break; 774 switch (frm[0]) { 775 case IEEE80211_ELEMID_VENDOR: 776 if (frm[1] < 4) 777 break; 778 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 779 switch (frm[5]) { 780 case IEEE80211_KDE_GTK: 781 gtk = frm; 782 break; 783 case IEEE80211_KDE_IGTK: 784 if (ni->ni_flags & IEEE80211_NODE_MFP) 785 igtk = frm; 786 break; 787 } 788 } 789 break; 790 } 791 frm += 2 + frm[1]; 792 } 793 /* check that the GTK KDE is present */ 794 if (gtk == NULL) { 795 DPRINTF(("GTK KDE missing\n")); 796 return; 797 } 798 799 /* check that key length matches that of group cipher */ 800 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 801 if (gtk[1] != 6 + keylen) 802 return; 803 804 /* map GTK to 802.11 key */ 805 kid = gtk[6] & 3; 806 k = &ic->ic_nw_keys[kid]; 807 memset(k, 0, sizeof(*k)); 808 k->k_id = kid; /* 0-3 */ 809 k->k_cipher = ni->ni_rsngroupcipher; 810 k->k_flags = IEEE80211_KEY_GROUP; 811 if (gtk[6] & (1 << 2)) 812 k->k_flags |= IEEE80211_KEY_TX; 813 k->k_rsc[0] = LE_READ_6(key->rsc); 814 k->k_len = keylen; 815 /* install the GTK */ 816 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 817 reason = IEEE80211_REASON_AUTH_LEAVE; 818 goto deauth; 819 } 820 if (igtk != NULL) { /* implies MFP */ 821 /* check that the IGTK KDE is valid */ 822 if (igtk[1] != 4 + 24) { 823 reason = IEEE80211_REASON_AUTH_LEAVE; 824 goto deauth; 825 } 826 kid = LE_READ_2(&igtk[6]); 827 if (kid != 4 && kid != 5) { 828 DPRINTF(("unsupported IGTK id %u\n", kid)); 829 reason = IEEE80211_REASON_AUTH_LEAVE; 830 goto deauth; 831 } 832 /* map IGTK to 802.11 key */ 833 k = &ic->ic_nw_keys[kid]; 834 memset(k, 0, sizeof(*k)); 835 k->k_id = kid; /* either 4 or 5 */ 836 k->k_cipher = ni->ni_rsngroupmgmtcipher; 837 k->k_flags = IEEE80211_KEY_IGTK; 838 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 839 k->k_len = 16; 840 memcpy(k->k_key, &igtk[14], k->k_len); 841 /* install the IGTK */ 842 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 843 reason = IEEE80211_REASON_AUTH_LEAVE; 844 goto deauth; 845 } 846 } 847 if (info & EAPOL_KEY_SECURE) { 848 #ifndef IEEE80211_STA_ONLY 849 if (ic->ic_opmode != IEEE80211_M_IBSS || 850 ++ni->ni_key_count == 2) 851 #endif 852 { 853 DPRINTF(("marking port %s valid\n", 854 ether_sprintf(ni->ni_macaddr))); 855 ni->ni_port_valid = 1; 856 } 857 } 858 /* update the last seen value of the key replay counter field */ 859 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 860 861 if (ic->ic_if.if_flags & IFF_DEBUG) 862 printf("%s: received msg %d/%d of the %s handshake from %s\n", 863 ic->ic_if.if_xname, 1, 2, "group key", 864 ether_sprintf(ni->ni_macaddr)); 865 866 /* send message 2 to authenticator */ 867 (void)ieee80211_send_group_msg2(ic, ni, NULL); 868 return; 869 deauth: 870 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 871 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 872 } 873 874 /* 875 * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator). 876 */ 877 void 878 ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic, 879 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 880 { 881 struct ieee80211_key *k; 882 u_int16_t info; 883 u_int8_t kid; 884 int keylen; 885 886 #ifndef IEEE80211_STA_ONLY 887 if (ic->ic_opmode != IEEE80211_M_STA && 888 ic->ic_opmode != IEEE80211_M_IBSS) 889 return; 890 #endif 891 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 892 ic->ic_stats.is_rx_eapol_replay++; 893 return; 894 } 895 /* check Key MIC field using KCK */ 896 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 897 DPRINTF(("key MIC failed\n")); 898 ic->ic_stats.is_rx_eapol_badmic++; 899 return; 900 } 901 /* 902 * EAPOL-Key data field is encrypted even though WPA doesn't set 903 * the ENCRYPTED bit in the info field. 904 */ 905 if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 906 DPRINTF(("decryption failed\n")); 907 return; 908 } 909 910 /* check that key length matches that of group cipher */ 911 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 912 if (BE_READ_2(key->keylen) != keylen) 913 return; 914 915 /* check that the data length is large enough to hold the key */ 916 if (BE_READ_2(key->paylen) < keylen) 917 return; 918 919 info = BE_READ_2(key->info); 920 921 /* map GTK to 802.11 key */ 922 kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3; 923 k = &ic->ic_nw_keys[kid]; 924 memset(k, 0, sizeof(*k)); 925 k->k_id = kid; /* 0-3 */ 926 k->k_cipher = ni->ni_rsngroupcipher; 927 k->k_flags = IEEE80211_KEY_GROUP; 928 if (info & EAPOL_KEY_WPA_TX) 929 k->k_flags |= IEEE80211_KEY_TX; 930 k->k_rsc[0] = LE_READ_6(key->rsc); 931 k->k_len = keylen; 932 /* key data field contains the GTK */ 933 memcpy(k->k_key, &key[1], k->k_len); 934 /* install the GTK */ 935 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 936 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 937 IEEE80211_REASON_AUTH_LEAVE); 938 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 939 return; 940 } 941 if (info & EAPOL_KEY_SECURE) { 942 #ifndef IEEE80211_STA_ONLY 943 if (ic->ic_opmode != IEEE80211_M_IBSS || 944 ++ni->ni_key_count == 2) 945 #endif 946 { 947 DPRINTF(("marking port %s valid\n", 948 ether_sprintf(ni->ni_macaddr))); 949 ni->ni_port_valid = 1; 950 } 951 } 952 /* update the last seen value of the key replay counter field */ 953 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 954 955 if (ic->ic_if.if_flags & IFF_DEBUG) 956 printf("%s: received msg %d/%d of the %s handshake from %s\n", 957 ic->ic_if.if_xname, 1, 2, "group key", 958 ether_sprintf(ni->ni_macaddr)); 959 960 /* send message 2 to authenticator */ 961 (void)ieee80211_send_group_msg2(ic, ni, k); 962 } 963 964 #ifndef IEEE80211_STA_ONLY 965 /* 966 * Process Message 2 of the Group Key Handshake (sent by Supplicant). 967 */ 968 void 969 ieee80211_recv_group_msg2(struct ieee80211com *ic, 970 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 971 { 972 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 973 ic->ic_opmode != IEEE80211_M_IBSS) 974 return; 975 976 /* discard if we're not expecting this message */ 977 if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) { 978 DPRINTF(("%s: unexpected in state: %d\n", ni->ni_rsn_gstate)); 979 return; 980 } 981 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 982 ic->ic_stats.is_rx_eapol_replay++; 983 return; 984 } 985 /* check Key MIC field using KCK */ 986 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 987 DPRINTF(("key MIC failed\n")); 988 ic->ic_stats.is_rx_eapol_badmic++; 989 return; 990 } 991 992 timeout_del(&ni->ni_eapol_to); 993 ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED; 994 995 if ((ni->ni_flags & IEEE80211_NODE_REKEY) && 996 --ic->ic_rsn_keydonesta == 0) 997 ieee80211_setkeysdone(ic); 998 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 999 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 1000 1001 ni->ni_rsn_gstate = RSNA_IDLE; 1002 ni->ni_rsn_retries = 0; 1003 1004 if (ic->ic_if.if_flags & IFF_DEBUG) 1005 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1006 ic->ic_if.if_xname, 2, 2, "group key", 1007 ether_sprintf(ni->ni_macaddr)); 1008 } 1009 1010 /* 1011 * EAPOL-Key Request frames are sent by the supplicant to request that the 1012 * authenticator initiates either a 4-Way Handshake or Group Key Handshake, 1013 * or to report a MIC failure in a TKIP MSDU. 1014 */ 1015 void 1016 ieee80211_recv_eapol_key_req(struct ieee80211com *ic, 1017 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1018 { 1019 u_int16_t info; 1020 1021 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1022 ic->ic_opmode != IEEE80211_M_IBSS) 1023 return; 1024 1025 /* enforce monotonicity of key request replay counter */ 1026 if (ni->ni_reqreplaycnt_ok && 1027 BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) { 1028 ic->ic_stats.is_rx_eapol_replay++; 1029 return; 1030 } 1031 info = BE_READ_2(key->info); 1032 1033 if (!(info & EAPOL_KEY_KEYMIC) || 1034 ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1035 DPRINTF(("key request MIC failed\n")); 1036 ic->ic_stats.is_rx_eapol_badmic++; 1037 return; 1038 } 1039 /* update key request replay counter now that MIC is verified */ 1040 ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt); 1041 ni->ni_reqreplaycnt_ok = 1; 1042 1043 if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */ 1044 /* ignore reports from STAs not using TKIP */ 1045 if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 1046 ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) { 1047 DPRINTF(("MIC failure report from !TKIP STA: %s\n", 1048 ether_sprintf(ni->ni_macaddr))); 1049 return; 1050 } 1051 ic->ic_stats.is_rx_remmicfail++; 1052 ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc)); 1053 1054 } else if (info & EAPOL_KEY_PAIRWISE) { 1055 /* initiate a 4-Way Handshake */ 1056 1057 } else { 1058 /* 1059 * Should change the GTK, initiate the 4-Way Handshake and 1060 * then execute a Group Key Handshake with all supplicants. 1061 */ 1062 } 1063 } 1064 #endif /* IEEE80211_STA_ONLY */ 1065