1 /* $OpenBSD: ieee80211_pae_input.c,v 1.28 2017/03/01 20:20:45 stsp Exp $ */ 2 3 /*- 4 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the 4-Way Handshake and Group Key Handshake protocols 21 * (both Supplicant and Authenticator Key Receive state machines) defined in 22 * IEEE Std 802.11-2007 section 8.5. 23 */ 24 25 #include <sys/param.h> 26 #include <sys/systm.h> 27 #include <sys/mbuf.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/sockio.h> 31 #include <sys/errno.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 37 #include <netinet/in.h> 38 #include <netinet/if_ether.h> 39 40 #include <net80211/ieee80211_var.h> 41 #include <net80211/ieee80211_priv.h> 42 43 void ieee80211_recv_4way_msg1(struct ieee80211com *, 44 struct ieee80211_eapol_key *, struct ieee80211_node *); 45 #ifndef IEEE80211_STA_ONLY 46 void ieee80211_recv_4way_msg2(struct ieee80211com *, 47 struct ieee80211_eapol_key *, struct ieee80211_node *, 48 const u_int8_t *); 49 #endif 50 void ieee80211_recv_4way_msg3(struct ieee80211com *, 51 struct ieee80211_eapol_key *, struct ieee80211_node *); 52 #ifndef IEEE80211_STA_ONLY 53 void ieee80211_recv_4way_msg4(struct ieee80211com *, 54 struct ieee80211_eapol_key *, struct ieee80211_node *); 55 void ieee80211_recv_4way_msg2or4(struct ieee80211com *, 56 struct ieee80211_eapol_key *, struct ieee80211_node *); 57 #endif 58 void ieee80211_recv_rsn_group_msg1(struct ieee80211com *, 59 struct ieee80211_eapol_key *, struct ieee80211_node *); 60 void ieee80211_recv_wpa_group_msg1(struct ieee80211com *, 61 struct ieee80211_eapol_key *, struct ieee80211_node *); 62 #ifndef IEEE80211_STA_ONLY 63 void ieee80211_recv_group_msg2(struct ieee80211com *, 64 struct ieee80211_eapol_key *, struct ieee80211_node *); 65 void ieee80211_recv_eapol_key_req(struct ieee80211com *, 66 struct ieee80211_eapol_key *, struct ieee80211_node *); 67 #endif 68 69 /* 70 * Process an incoming EAPOL frame. Notice that we are only interested in 71 * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type. 72 */ 73 void 74 ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m, 75 struct ieee80211_node *ni) 76 { 77 struct ifnet *ifp = &ic->ic_if; 78 struct ether_header *eh; 79 struct ieee80211_eapol_key *key; 80 u_int16_t info, desc; 81 int totlen; 82 83 ifp->if_ibytes += m->m_pkthdr.len; 84 85 eh = mtod(m, struct ether_header *); 86 if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) { 87 ifp->if_imcasts++; 88 goto done; 89 } 90 m_adj(m, sizeof(*eh)); 91 92 if (m->m_pkthdr.len < sizeof(*key)) 93 goto done; 94 if (m->m_len < sizeof(*key) && 95 (m = m_pullup(m, sizeof(*key))) == NULL) { 96 ic->ic_stats.is_rx_nombuf++; 97 goto done; 98 } 99 key = mtod(m, struct ieee80211_eapol_key *); 100 101 if (key->type != EAPOL_KEY) 102 goto done; 103 ic->ic_stats.is_rx_eapol_key++; 104 105 if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 106 key->desc != EAPOL_KEY_DESC_IEEE80211) || 107 (ni->ni_rsnprotos == IEEE80211_PROTO_WPA && 108 key->desc != EAPOL_KEY_DESC_WPA)) 109 goto done; 110 111 /* check packet body length */ 112 if (m->m_pkthdr.len < 4 + BE_READ_2(key->len)) 113 goto done; 114 115 /* check key data length */ 116 totlen = sizeof(*key) + BE_READ_2(key->paylen); 117 if (m->m_pkthdr.len < totlen || totlen > MCLBYTES) 118 goto done; 119 120 info = BE_READ_2(key->info); 121 122 /* discard EAPOL-Key frames with an unknown descriptor version */ 123 desc = info & EAPOL_KEY_VERSION_MASK; 124 if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3) 125 goto done; 126 127 if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) { 128 if (desc != EAPOL_KEY_DESC_V3) 129 goto done; 130 } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP || 131 ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) { 132 if (desc != EAPOL_KEY_DESC_V2) 133 goto done; 134 } 135 136 /* make sure the key data field is contiguous */ 137 if (m->m_len < totlen && (m = m_pullup(m, totlen)) == NULL) { 138 ic->ic_stats.is_rx_nombuf++; 139 goto done; 140 } 141 key = mtod(m, struct ieee80211_eapol_key *); 142 143 /* determine message type (see 8.5.3.7) */ 144 if (info & EAPOL_KEY_REQUEST) { 145 #ifndef IEEE80211_STA_ONLY 146 /* EAPOL-Key Request frame */ 147 ieee80211_recv_eapol_key_req(ic, key, ni); 148 #endif 149 } else if (info & EAPOL_KEY_PAIRWISE) { 150 /* 4-Way Handshake */ 151 if (info & EAPOL_KEY_KEYMIC) { 152 if (info & EAPOL_KEY_KEYACK) 153 ieee80211_recv_4way_msg3(ic, key, ni); 154 #ifndef IEEE80211_STA_ONLY 155 else 156 ieee80211_recv_4way_msg2or4(ic, key, ni); 157 #endif 158 } else if (info & EAPOL_KEY_KEYACK) 159 ieee80211_recv_4way_msg1(ic, key, ni); 160 } else { 161 /* Group Key Handshake */ 162 if (!(info & EAPOL_KEY_KEYMIC)) 163 goto done; 164 if (info & EAPOL_KEY_KEYACK) { 165 if (key->desc == EAPOL_KEY_DESC_WPA) 166 ieee80211_recv_wpa_group_msg1(ic, key, ni); 167 else 168 ieee80211_recv_rsn_group_msg1(ic, key, ni); 169 } 170 #ifndef IEEE80211_STA_ONLY 171 else 172 ieee80211_recv_group_msg2(ic, key, ni); 173 #endif 174 } 175 done: 176 m_freem(m); 177 } 178 179 /* 180 * Process Message 1 of the 4-Way Handshake (sent by Authenticator). 181 */ 182 void 183 ieee80211_recv_4way_msg1(struct ieee80211com *ic, 184 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 185 { 186 struct ieee80211_ptk tptk; 187 struct ieee80211_pmk *pmk; 188 const u_int8_t *frm, *efrm; 189 const u_int8_t *pmkid; 190 191 #ifndef IEEE80211_STA_ONLY 192 if (ic->ic_opmode != IEEE80211_M_STA && 193 ic->ic_opmode != IEEE80211_M_IBSS) 194 return; 195 #endif 196 /* 197 * Message 1 is always expected while RSN is active since some 198 * APs will rekey the PTK by sending Msg1/4 after some time. 199 */ 200 if (ni->ni_rsn_supp_state == RSNA_SUPP_INITIALIZE) { 201 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 202 return; 203 } 204 /* enforce monotonicity of key request replay counter */ 205 if (ni->ni_replaycnt_ok && 206 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 207 ic->ic_stats.is_rx_eapol_replay++; 208 return; 209 } 210 211 /* parse key data field (may contain an encapsulated PMKID) */ 212 frm = (const u_int8_t *)&key[1]; 213 efrm = frm + BE_READ_2(key->paylen); 214 215 pmkid = NULL; 216 while (frm + 2 <= efrm) { 217 if (frm + 2 + frm[1] > efrm) 218 break; 219 switch (frm[0]) { 220 case IEEE80211_ELEMID_VENDOR: 221 if (frm[1] < 4) 222 break; 223 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 224 switch (frm[5]) { 225 case IEEE80211_KDE_PMKID: 226 pmkid = frm; 227 break; 228 } 229 } 230 break; 231 } 232 frm += 2 + frm[1]; 233 } 234 /* check that the PMKID KDE is valid (if present) */ 235 if (pmkid != NULL && pmkid[1] != 4 + 16) 236 return; 237 238 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 239 /* retrieve the PMK for this (AP,PMKID) */ 240 pmk = ieee80211_pmksa_find(ic, ni, 241 (pmkid != NULL) ? &pmkid[6] : NULL); 242 if (pmk == NULL) { 243 DPRINTF(("no PMK available for %s\n", 244 ether_sprintf(ni->ni_macaddr))); 245 return; 246 } 247 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 248 } else /* use pre-shared key */ 249 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 250 ni->ni_flags |= IEEE80211_NODE_PMK; 251 252 /* save authenticator's nonce (ANonce) */ 253 memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN); 254 255 /* generate supplicant's nonce (SNonce) */ 256 arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN); 257 258 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 259 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 260 ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk); 261 262 if (ic->ic_if.if_flags & IFF_DEBUG) 263 printf("%s: received msg %d/%d of the %s handshake from %s\n", 264 ic->ic_if.if_xname, 1, 4, "4-way", 265 ether_sprintf(ni->ni_macaddr)); 266 267 /* send message 2 to authenticator using TPTK */ 268 (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk); 269 } 270 271 #ifndef IEEE80211_STA_ONLY 272 /* 273 * Process Message 2 of the 4-Way Handshake (sent by Supplicant). 274 */ 275 void 276 ieee80211_recv_4way_msg2(struct ieee80211com *ic, 277 struct ieee80211_eapol_key *key, struct ieee80211_node *ni, 278 const u_int8_t *rsnie) 279 { 280 struct ieee80211_ptk tptk; 281 282 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 283 ic->ic_opmode != IEEE80211_M_IBSS) 284 return; 285 286 /* discard if we're not expecting this message */ 287 if (ni->ni_rsn_state != RSNA_PTKSTART && 288 ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) { 289 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 290 return; 291 } 292 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING; 293 294 /* NB: replay counter has already been verified by caller */ 295 296 /* PTK = CalcPTK(ANonce, SNonce) */ 297 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr, 298 ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk); 299 300 /* check Key MIC field using KCK */ 301 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 302 DPRINTF(("key MIC failed\n")); 303 ic->ic_stats.is_rx_eapol_badmic++; 304 return; /* will timeout.. */ 305 } 306 307 timeout_del(&ni->ni_eapol_to); 308 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2; 309 ni->ni_rsn_retries = 0; 310 311 /* install TPTK as PTK now that MIC is verified */ 312 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 313 314 /* 315 * The RSN IE must match bit-wise with what the STA included in its 316 * (Re)Association Request. 317 */ 318 if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] || 319 memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) { 320 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 321 IEEE80211_REASON_RSN_DIFFERENT_IE); 322 ieee80211_node_leave(ic, ni); 323 return; 324 } 325 326 if (ic->ic_if.if_flags & IFF_DEBUG) 327 printf("%s: received msg %d/%d of the %s handshake from %s\n", 328 ic->ic_if.if_xname, 2, 4, "4-way", 329 ether_sprintf(ni->ni_macaddr)); 330 331 /* send message 3 to supplicant */ 332 (void)ieee80211_send_4way_msg3(ic, ni); 333 } 334 #endif /* IEEE80211_STA_ONLY */ 335 336 /* 337 * Process Message 3 of the 4-Way Handshake (sent by Authenticator). 338 */ 339 void 340 ieee80211_recv_4way_msg3(struct ieee80211com *ic, 341 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 342 { 343 struct ieee80211_ptk tptk; 344 struct ieee80211_key *k; 345 const u_int8_t *frm, *efrm; 346 const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk; 347 u_int16_t info, reason = 0; 348 int keylen; 349 350 #ifndef IEEE80211_STA_ONLY 351 if (ic->ic_opmode != IEEE80211_M_STA && 352 ic->ic_opmode != IEEE80211_M_IBSS) 353 return; 354 #endif 355 /* discard if we're not expecting this message */ 356 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKNEGOTIATING && 357 ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) { 358 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 359 return; 360 } 361 /* enforce monotonicity of key request replay counter */ 362 if (ni->ni_replaycnt_ok && 363 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 364 ic->ic_stats.is_rx_eapol_replay++; 365 return; 366 } 367 /* make sure that a PMK has been selected */ 368 if (!(ni->ni_flags & IEEE80211_NODE_PMK)) { 369 DPRINTF(("no PMK found for %s\n", 370 ether_sprintf(ni->ni_macaddr))); 371 return; 372 } 373 /* check that ANonce matches that of Message 1 */ 374 if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) { 375 DPRINTF(("ANonce does not match msg 1/4\n")); 376 return; 377 } 378 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 379 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 380 ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk); 381 382 info = BE_READ_2(key->info); 383 384 /* check Key MIC field using KCK */ 385 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 386 DPRINTF(("key MIC failed\n")); 387 ic->ic_stats.is_rx_eapol_badmic++; 388 return; 389 } 390 /* install TPTK as PTK now that MIC is verified */ 391 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 392 393 /* if encrypted, decrypt Key Data field using KEK */ 394 if ((info & EAPOL_KEY_ENCRYPTED) && 395 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 396 DPRINTF(("decryption failed\n")); 397 return; 398 } 399 400 /* parse key data field */ 401 frm = (const u_int8_t *)&key[1]; 402 efrm = frm + BE_READ_2(key->paylen); 403 404 /* 405 * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and 406 * RSN IEs in message 3/4. We only take into account the IE of the 407 * version of the protocol we negotiated at association time. 408 */ 409 rsnie1 = rsnie2 = gtk = igtk = NULL; 410 while (frm + 2 <= efrm) { 411 if (frm + 2 + frm[1] > efrm) 412 break; 413 switch (frm[0]) { 414 case IEEE80211_ELEMID_RSN: 415 if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN) 416 break; 417 if (rsnie1 == NULL) 418 rsnie1 = frm; 419 else if (rsnie2 == NULL) 420 rsnie2 = frm; 421 /* ignore others if more than two RSN IEs */ 422 break; 423 case IEEE80211_ELEMID_VENDOR: 424 if (frm[1] < 4) 425 break; 426 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 427 switch (frm[5]) { 428 case IEEE80211_KDE_GTK: 429 gtk = frm; 430 break; 431 case IEEE80211_KDE_IGTK: 432 if (ni->ni_flags & IEEE80211_NODE_MFP) 433 igtk = frm; 434 break; 435 } 436 } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 437 switch (frm[5]) { 438 case 1: /* WPA */ 439 if (ni->ni_rsnprotos != 440 IEEE80211_PROTO_WPA) 441 break; 442 rsnie1 = frm; 443 break; 444 } 445 } 446 break; 447 } 448 frm += 2 + frm[1]; 449 } 450 /* first WPA/RSN IE is mandatory */ 451 if (rsnie1 == NULL) { 452 DPRINTF(("missing RSN IE\n")); 453 return; 454 } 455 /* key data must be encrypted if GTK is included */ 456 if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) { 457 DPRINTF(("GTK not encrypted\n")); 458 return; 459 } 460 /* GTK KDE must be included if IGTK KDE is present */ 461 if (igtk != NULL && gtk == NULL) { 462 DPRINTF(("IGTK KDE found but GTK KDE missing\n")); 463 return; 464 } 465 /* check that the Install bit is set if using pairwise keys */ 466 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 467 !(info & EAPOL_KEY_INSTALL)) { 468 DPRINTF(("pairwise cipher but !Install\n")); 469 return; 470 } 471 472 /* 473 * Check that first WPA/RSN IE is identical to the one received in 474 * the beacon or probe response frame. 475 */ 476 if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] || 477 memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) { 478 reason = IEEE80211_REASON_RSN_DIFFERENT_IE; 479 goto deauth; 480 } 481 482 /* 483 * If a second RSN information element is present, use its pairwise 484 * cipher suite or deauthenticate. 485 */ 486 if (rsnie2 != NULL) { 487 struct ieee80211_rsnparams rsn; 488 489 if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) { 490 if (rsn.rsn_akms != ni->ni_rsnakms || 491 rsn.rsn_groupcipher != ni->ni_rsngroupcipher || 492 rsn.rsn_nciphers != 1 || 493 !(rsn.rsn_ciphers & ic->ic_rsnciphers)) { 494 reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER; 495 goto deauth; 496 } 497 /* use pairwise cipher suite of second RSN IE */ 498 ni->ni_rsnciphers = rsn.rsn_ciphers; 499 ni->ni_rsncipher = ni->ni_rsnciphers; 500 } 501 } 502 503 /* update the last seen value of the key replay counter field */ 504 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 505 ni->ni_replaycnt_ok = 1; 506 507 if (ic->ic_if.if_flags & IFF_DEBUG) 508 printf("%s: received msg %d/%d of the %s handshake from %s\n", 509 ic->ic_if.if_xname, 3, 4, "4-way", 510 ether_sprintf(ni->ni_macaddr)); 511 512 /* send message 4 to authenticator */ 513 if (ieee80211_send_4way_msg4(ic, ni) != 0) 514 return; /* ..authenticator will retry */ 515 516 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 517 u_int64_t prsc; 518 519 /* check that key length matches that of pairwise cipher */ 520 keylen = ieee80211_cipher_keylen(ni->ni_rsncipher); 521 if (BE_READ_2(key->keylen) != keylen) { 522 reason = IEEE80211_REASON_AUTH_LEAVE; 523 goto deauth; 524 } 525 prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0; 526 527 /* map PTK to 802.11 key */ 528 k = &ni->ni_pairwise_key; 529 memset(k, 0, sizeof(*k)); 530 k->k_cipher = ni->ni_rsncipher; 531 k->k_rsc[0] = prsc; 532 k->k_len = keylen; 533 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 534 /* install the PTK */ 535 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 536 reason = IEEE80211_REASON_AUTH_LEAVE; 537 goto deauth; 538 } 539 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 540 ni->ni_flags |= IEEE80211_NODE_RXPROT; 541 } 542 if (gtk != NULL) { 543 u_int8_t kid; 544 545 /* check that key length matches that of group cipher */ 546 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 547 if (gtk[1] != 6 + keylen) { 548 reason = IEEE80211_REASON_AUTH_LEAVE; 549 goto deauth; 550 } 551 /* map GTK to 802.11 key */ 552 kid = gtk[6] & 3; 553 k = &ic->ic_nw_keys[kid]; 554 memset(k, 0, sizeof(*k)); 555 k->k_id = kid; /* 0-3 */ 556 k->k_cipher = ni->ni_rsngroupcipher; 557 k->k_flags = IEEE80211_KEY_GROUP; 558 if (gtk[6] & (1 << 2)) 559 k->k_flags |= IEEE80211_KEY_TX; 560 k->k_rsc[0] = LE_READ_6(key->rsc); 561 k->k_len = keylen; 562 memcpy(k->k_key, >k[8], k->k_len); 563 /* install the GTK */ 564 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 565 reason = IEEE80211_REASON_AUTH_LEAVE; 566 goto deauth; 567 } 568 } 569 if (igtk != NULL) { /* implies MFP && gtk != NULL */ 570 u_int16_t kid; 571 572 /* check that the IGTK KDE is valid */ 573 if (igtk[1] != 4 + 24) { 574 reason = IEEE80211_REASON_AUTH_LEAVE; 575 goto deauth; 576 } 577 kid = LE_READ_2(&igtk[6]); 578 if (kid != 4 && kid != 5) { 579 DPRINTF(("unsupported IGTK id %u\n", kid)); 580 reason = IEEE80211_REASON_AUTH_LEAVE; 581 goto deauth; 582 } 583 /* map IGTK to 802.11 key */ 584 k = &ic->ic_nw_keys[kid]; 585 memset(k, 0, sizeof(*k)); 586 k->k_id = kid; /* either 4 or 5 */ 587 k->k_cipher = ni->ni_rsngroupmgmtcipher; 588 k->k_flags = IEEE80211_KEY_IGTK; 589 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 590 k->k_len = 16; 591 memcpy(k->k_key, &igtk[14], k->k_len); 592 /* install the IGTK */ 593 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 594 reason = IEEE80211_REASON_AUTH_LEAVE; 595 goto deauth; 596 } 597 } 598 if (info & EAPOL_KEY_INSTALL) 599 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 600 601 if (info & EAPOL_KEY_SECURE) { 602 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 603 #ifndef IEEE80211_STA_ONLY 604 if (ic->ic_opmode != IEEE80211_M_IBSS || 605 ++ni->ni_key_count == 2) 606 #endif 607 { 608 DPRINTF(("marking port %s valid\n", 609 ether_sprintf(ni->ni_macaddr))); 610 ni->ni_port_valid = 1; 611 ieee80211_set_link_state(ic, LINK_STATE_UP); 612 } 613 } 614 deauth: 615 if (reason != 0) { 616 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 617 reason); 618 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 619 } 620 } 621 622 #ifndef IEEE80211_STA_ONLY 623 /* 624 * Process Message 4 of the 4-Way Handshake (sent by Supplicant). 625 */ 626 void 627 ieee80211_recv_4way_msg4(struct ieee80211com *ic, 628 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 629 { 630 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 631 ic->ic_opmode != IEEE80211_M_IBSS) 632 return; 633 634 /* discard if we're not expecting this message */ 635 if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) { 636 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 637 return; 638 } 639 640 /* NB: replay counter has already been verified by caller */ 641 642 /* check Key MIC field using KCK */ 643 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 644 DPRINTF(("key MIC failed\n")); 645 ic->ic_stats.is_rx_eapol_badmic++; 646 return; /* will timeout.. */ 647 } 648 649 timeout_del(&ni->ni_eapol_to); 650 ni->ni_rsn_state = RSNA_PTKINITDONE; 651 ni->ni_rsn_retries = 0; 652 653 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 654 struct ieee80211_key *k; 655 656 /* map PTK to 802.11 key */ 657 k = &ni->ni_pairwise_key; 658 memset(k, 0, sizeof(*k)); 659 k->k_cipher = ni->ni_rsncipher; 660 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 661 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 662 /* install the PTK */ 663 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 664 IEEE80211_SEND_MGMT(ic, ni, 665 IEEE80211_FC0_SUBTYPE_DEAUTH, 666 IEEE80211_REASON_ASSOC_TOOMANY); 667 ieee80211_node_leave(ic, ni); 668 return; 669 } 670 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 671 } 672 if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) { 673 DPRINTF(("marking port %s valid\n", 674 ether_sprintf(ni->ni_macaddr))); 675 ni->ni_port_valid = 1; 676 } 677 678 if (ic->ic_if.if_flags & IFF_DEBUG) 679 printf("%s: received msg %d/%d of the %s handshake from %s\n", 680 ic->ic_if.if_xname, 4, 4, "4-way", 681 ether_sprintf(ni->ni_macaddr)); 682 683 /* initiate a group key handshake for WPA */ 684 if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA) 685 (void)ieee80211_send_group_msg1(ic, ni); 686 else 687 ni->ni_rsn_gstate = RSNA_IDLE; 688 } 689 690 /* 691 * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on 692 * the presence of an RSN or WPA Information Element. 693 */ 694 void 695 ieee80211_recv_4way_msg2or4(struct ieee80211com *ic, 696 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 697 { 698 const u_int8_t *frm, *efrm; 699 const u_int8_t *rsnie; 700 701 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 702 ic->ic_stats.is_rx_eapol_replay++; 703 return; 704 } 705 706 /* parse key data field (check if an RSN IE is present) */ 707 frm = (const u_int8_t *)&key[1]; 708 efrm = frm + BE_READ_2(key->paylen); 709 710 rsnie = NULL; 711 while (frm + 2 <= efrm) { 712 if (frm + 2 + frm[1] > efrm) 713 break; 714 switch (frm[0]) { 715 case IEEE80211_ELEMID_RSN: 716 rsnie = frm; 717 break; 718 case IEEE80211_ELEMID_VENDOR: 719 if (frm[1] < 4) 720 break; 721 if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 722 switch (frm[5]) { 723 case 1: /* WPA */ 724 rsnie = frm; 725 break; 726 } 727 } 728 } 729 frm += 2 + frm[1]; 730 } 731 if (rsnie != NULL) 732 ieee80211_recv_4way_msg2(ic, key, ni, rsnie); 733 else 734 ieee80211_recv_4way_msg4(ic, key, ni); 735 } 736 #endif /* IEEE80211_STA_ONLY */ 737 738 /* 739 * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator). 740 */ 741 void 742 ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic, 743 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 744 { 745 struct ieee80211_key *k; 746 const u_int8_t *frm, *efrm; 747 const u_int8_t *gtk, *igtk; 748 u_int16_t info, kid, reason = 0; 749 int keylen; 750 751 #ifndef IEEE80211_STA_ONLY 752 if (ic->ic_opmode != IEEE80211_M_STA && 753 ic->ic_opmode != IEEE80211_M_IBSS) 754 return; 755 #endif 756 /* discard if we're not expecting this message */ 757 if (ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) { 758 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 759 return; 760 } 761 /* enforce monotonicity of key request replay counter */ 762 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 763 ic->ic_stats.is_rx_eapol_replay++; 764 return; 765 } 766 /* check Key MIC field using KCK */ 767 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 768 DPRINTF(("key MIC failed\n")); 769 ic->ic_stats.is_rx_eapol_badmic++; 770 return; 771 } 772 info = BE_READ_2(key->info); 773 774 /* check that encrypted and decrypt Key Data field using KEK */ 775 if (!(info & EAPOL_KEY_ENCRYPTED) || 776 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 777 DPRINTF(("decryption failed\n")); 778 return; 779 } 780 781 /* parse key data field (shall contain a GTK KDE) */ 782 frm = (const u_int8_t *)&key[1]; 783 efrm = frm + BE_READ_2(key->paylen); 784 785 gtk = igtk = NULL; 786 while (frm + 2 <= efrm) { 787 if (frm + 2 + frm[1] > efrm) 788 break; 789 switch (frm[0]) { 790 case IEEE80211_ELEMID_VENDOR: 791 if (frm[1] < 4) 792 break; 793 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 794 switch (frm[5]) { 795 case IEEE80211_KDE_GTK: 796 gtk = frm; 797 break; 798 case IEEE80211_KDE_IGTK: 799 if (ni->ni_flags & IEEE80211_NODE_MFP) 800 igtk = frm; 801 break; 802 } 803 } 804 break; 805 } 806 frm += 2 + frm[1]; 807 } 808 /* check that the GTK KDE is present */ 809 if (gtk == NULL) { 810 DPRINTF(("GTK KDE missing\n")); 811 return; 812 } 813 814 /* check that key length matches that of group cipher */ 815 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 816 if (gtk[1] != 6 + keylen) 817 return; 818 819 /* map GTK to 802.11 key */ 820 kid = gtk[6] & 3; 821 k = &ic->ic_nw_keys[kid]; 822 memset(k, 0, sizeof(*k)); 823 k->k_id = kid; /* 0-3 */ 824 k->k_cipher = ni->ni_rsngroupcipher; 825 k->k_flags = IEEE80211_KEY_GROUP; 826 if (gtk[6] & (1 << 2)) 827 k->k_flags |= IEEE80211_KEY_TX; 828 k->k_rsc[0] = LE_READ_6(key->rsc); 829 k->k_len = keylen; 830 memcpy(k->k_key, >k[8], k->k_len); 831 /* install the GTK */ 832 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 833 reason = IEEE80211_REASON_AUTH_LEAVE; 834 goto deauth; 835 } 836 if (igtk != NULL) { /* implies MFP */ 837 /* check that the IGTK KDE is valid */ 838 if (igtk[1] != 4 + 24) { 839 reason = IEEE80211_REASON_AUTH_LEAVE; 840 goto deauth; 841 } 842 kid = LE_READ_2(&igtk[6]); 843 if (kid != 4 && kid != 5) { 844 DPRINTF(("unsupported IGTK id %u\n", kid)); 845 reason = IEEE80211_REASON_AUTH_LEAVE; 846 goto deauth; 847 } 848 /* map IGTK to 802.11 key */ 849 k = &ic->ic_nw_keys[kid]; 850 memset(k, 0, sizeof(*k)); 851 k->k_id = kid; /* either 4 or 5 */ 852 k->k_cipher = ni->ni_rsngroupmgmtcipher; 853 k->k_flags = IEEE80211_KEY_IGTK; 854 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 855 k->k_len = 16; 856 memcpy(k->k_key, &igtk[14], k->k_len); 857 /* install the IGTK */ 858 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 859 reason = IEEE80211_REASON_AUTH_LEAVE; 860 goto deauth; 861 } 862 } 863 if (info & EAPOL_KEY_SECURE) { 864 #ifndef IEEE80211_STA_ONLY 865 if (ic->ic_opmode != IEEE80211_M_IBSS || 866 ++ni->ni_key_count == 2) 867 #endif 868 { 869 DPRINTF(("marking port %s valid\n", 870 ether_sprintf(ni->ni_macaddr))); 871 ni->ni_port_valid = 1; 872 ieee80211_set_link_state(ic, LINK_STATE_UP); 873 } 874 } 875 /* update the last seen value of the key replay counter field */ 876 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 877 878 if (ic->ic_if.if_flags & IFF_DEBUG) 879 printf("%s: received msg %d/%d of the %s handshake from %s\n", 880 ic->ic_if.if_xname, 1, 2, "group key", 881 ether_sprintf(ni->ni_macaddr)); 882 883 /* send message 2 to authenticator */ 884 (void)ieee80211_send_group_msg2(ic, ni, NULL); 885 return; 886 deauth: 887 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 888 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 889 } 890 891 /* 892 * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator). 893 */ 894 void 895 ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic, 896 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 897 { 898 struct ieee80211_key *k; 899 u_int16_t info; 900 u_int8_t kid; 901 int keylen; 902 903 #ifndef IEEE80211_STA_ONLY 904 if (ic->ic_opmode != IEEE80211_M_STA && 905 ic->ic_opmode != IEEE80211_M_IBSS) 906 return; 907 #endif 908 /* discard if we're not expecting this message */ 909 if (ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) { 910 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 911 return; 912 } 913 /* enforce monotonicity of key request replay counter */ 914 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 915 ic->ic_stats.is_rx_eapol_replay++; 916 return; 917 } 918 /* check Key MIC field using KCK */ 919 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 920 DPRINTF(("key MIC failed\n")); 921 ic->ic_stats.is_rx_eapol_badmic++; 922 return; 923 } 924 /* 925 * EAPOL-Key data field is encrypted even though WPA doesn't set 926 * the ENCRYPTED bit in the info field. 927 */ 928 if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 929 DPRINTF(("decryption failed\n")); 930 return; 931 } 932 933 /* check that key length matches that of group cipher */ 934 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 935 if (BE_READ_2(key->keylen) != keylen) 936 return; 937 938 /* check that the data length is large enough to hold the key */ 939 if (BE_READ_2(key->paylen) < keylen) 940 return; 941 942 info = BE_READ_2(key->info); 943 944 /* map GTK to 802.11 key */ 945 kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3; 946 k = &ic->ic_nw_keys[kid]; 947 memset(k, 0, sizeof(*k)); 948 k->k_id = kid; /* 0-3 */ 949 k->k_cipher = ni->ni_rsngroupcipher; 950 k->k_flags = IEEE80211_KEY_GROUP; 951 if (info & EAPOL_KEY_WPA_TX) 952 k->k_flags |= IEEE80211_KEY_TX; 953 k->k_rsc[0] = LE_READ_6(key->rsc); 954 k->k_len = keylen; 955 /* key data field contains the GTK */ 956 memcpy(k->k_key, &key[1], k->k_len); 957 /* install the GTK */ 958 if ((*ic->ic_set_key)(ic, ni, k) != 0) { 959 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 960 IEEE80211_REASON_AUTH_LEAVE); 961 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 962 return; 963 } 964 if (info & EAPOL_KEY_SECURE) { 965 #ifndef IEEE80211_STA_ONLY 966 if (ic->ic_opmode != IEEE80211_M_IBSS || 967 ++ni->ni_key_count == 2) 968 #endif 969 { 970 DPRINTF(("marking port %s valid\n", 971 ether_sprintf(ni->ni_macaddr))); 972 ni->ni_port_valid = 1; 973 ieee80211_set_link_state(ic, LINK_STATE_UP); 974 } 975 } 976 /* update the last seen value of the key replay counter field */ 977 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 978 979 if (ic->ic_if.if_flags & IFF_DEBUG) 980 printf("%s: received msg %d/%d of the %s handshake from %s\n", 981 ic->ic_if.if_xname, 1, 2, "group key", 982 ether_sprintf(ni->ni_macaddr)); 983 984 /* send message 2 to authenticator */ 985 (void)ieee80211_send_group_msg2(ic, ni, k); 986 } 987 988 #ifndef IEEE80211_STA_ONLY 989 /* 990 * Process Message 2 of the Group Key Handshake (sent by Supplicant). 991 */ 992 void 993 ieee80211_recv_group_msg2(struct ieee80211com *ic, 994 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 995 { 996 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 997 ic->ic_opmode != IEEE80211_M_IBSS) 998 return; 999 1000 /* discard if we're not expecting this message */ 1001 if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) { 1002 DPRINTF(("%s: unexpected in state: %d\n", ic->ic_if.if_xname, 1003 ni->ni_rsn_gstate)); 1004 return; 1005 } 1006 /* enforce monotonicity of key request replay counter */ 1007 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 1008 ic->ic_stats.is_rx_eapol_replay++; 1009 return; 1010 } 1011 /* check Key MIC field using KCK */ 1012 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1013 DPRINTF(("key MIC failed\n")); 1014 ic->ic_stats.is_rx_eapol_badmic++; 1015 return; 1016 } 1017 1018 timeout_del(&ni->ni_eapol_to); 1019 ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED; 1020 1021 if (ni->ni_flags & IEEE80211_NODE_REKEY) { 1022 int rekeysta = 0; 1023 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 1024 ieee80211_iterate_nodes(ic, 1025 ieee80211_count_rekeysta, &rekeysta); 1026 if (rekeysta == 0) 1027 ieee80211_setkeysdone(ic); 1028 } 1029 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 1030 1031 ni->ni_rsn_gstate = RSNA_IDLE; 1032 ni->ni_rsn_retries = 0; 1033 1034 if (ic->ic_if.if_flags & IFF_DEBUG) 1035 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1036 ic->ic_if.if_xname, 2, 2, "group key", 1037 ether_sprintf(ni->ni_macaddr)); 1038 } 1039 1040 /* 1041 * EAPOL-Key Request frames are sent by the supplicant to request that the 1042 * authenticator initiates either a 4-Way Handshake or Group Key Handshake, 1043 * or to report a MIC failure in a TKIP MSDU. 1044 */ 1045 void 1046 ieee80211_recv_eapol_key_req(struct ieee80211com *ic, 1047 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1048 { 1049 u_int16_t info; 1050 1051 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1052 ic->ic_opmode != IEEE80211_M_IBSS) 1053 return; 1054 1055 /* discard if we're not expecting this message */ 1056 if (ni->ni_rsn_state != RSNA_PTKINITDONE) { 1057 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 1058 return; 1059 } 1060 /* enforce monotonicity of key request replay counter */ 1061 if (ni->ni_reqreplaycnt_ok && 1062 BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) { 1063 ic->ic_stats.is_rx_eapol_replay++; 1064 return; 1065 } 1066 info = BE_READ_2(key->info); 1067 1068 if (!(info & EAPOL_KEY_KEYMIC) || 1069 ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1070 DPRINTF(("key request MIC failed\n")); 1071 ic->ic_stats.is_rx_eapol_badmic++; 1072 return; 1073 } 1074 /* update key request replay counter now that MIC is verified */ 1075 ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt); 1076 ni->ni_reqreplaycnt_ok = 1; 1077 1078 if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */ 1079 /* ignore reports from STAs not using TKIP */ 1080 if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 1081 ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) { 1082 DPRINTF(("MIC failure report from !TKIP STA: %s\n", 1083 ether_sprintf(ni->ni_macaddr))); 1084 return; 1085 } 1086 ic->ic_stats.is_rx_remmicfail++; 1087 ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc)); 1088 1089 } else if (info & EAPOL_KEY_PAIRWISE) { 1090 /* initiate a 4-Way Handshake */ 1091 1092 } else { 1093 /* 1094 * Should change the GTK, initiate the 4-Way Handshake and 1095 * then execute a Group Key Handshake with all supplicants. 1096 */ 1097 } 1098 } 1099 #endif /* IEEE80211_STA_ONLY */ 1100