Line data Source code
1 : /* $OpenBSD: ieee80211_pae_input.c,v 1.31 2017/10/16 10:39:41 stsp Exp $ */
2 :
3 : /*-
4 : * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr>
5 : *
6 : * Permission to use, copy, modify, and distribute this software for any
7 : * purpose with or without fee is hereby granted, provided that the above
8 : * copyright notice and this permission notice appear in all copies.
9 : *
10 : * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 : * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 : * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 : * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 : * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 : * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 : * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 : */
18 :
19 : /*
20 : * This code implements the 4-Way Handshake and Group Key Handshake protocols
21 : * (both Supplicant and Authenticator Key Receive state machines) defined in
22 : * IEEE Std 802.11-2007 section 8.5.
23 : */
24 :
25 : #include <sys/param.h>
26 : #include <sys/systm.h>
27 : #include <sys/mbuf.h>
28 : #include <sys/kernel.h>
29 : #include <sys/socket.h>
30 : #include <sys/sockio.h>
31 : #include <sys/errno.h>
32 :
33 : #include <net/if.h>
34 : #include <net/if_dl.h>
35 : #include <net/if_media.h>
36 :
37 : #include <netinet/in.h>
38 : #include <netinet/if_ether.h>
39 :
40 : #include <net80211/ieee80211_var.h>
41 : #include <net80211/ieee80211_priv.h>
42 :
43 : void ieee80211_recv_4way_msg1(struct ieee80211com *,
44 : struct ieee80211_eapol_key *, struct ieee80211_node *);
45 : #ifndef IEEE80211_STA_ONLY
46 : void ieee80211_recv_4way_msg2(struct ieee80211com *,
47 : struct ieee80211_eapol_key *, struct ieee80211_node *,
48 : const u_int8_t *);
49 : #endif
50 : int ieee80211_must_update_group_key(struct ieee80211_key *, const uint8_t *,
51 : int);
52 : void ieee80211_recv_4way_msg3(struct ieee80211com *,
53 : struct ieee80211_eapol_key *, struct ieee80211_node *);
54 : #ifndef IEEE80211_STA_ONLY
55 : void ieee80211_recv_4way_msg4(struct ieee80211com *,
56 : struct ieee80211_eapol_key *, struct ieee80211_node *);
57 : void ieee80211_recv_4way_msg2or4(struct ieee80211com *,
58 : struct ieee80211_eapol_key *, struct ieee80211_node *);
59 : #endif
60 : void ieee80211_recv_rsn_group_msg1(struct ieee80211com *,
61 : struct ieee80211_eapol_key *, struct ieee80211_node *);
62 : void ieee80211_recv_wpa_group_msg1(struct ieee80211com *,
63 : struct ieee80211_eapol_key *, struct ieee80211_node *);
64 : #ifndef IEEE80211_STA_ONLY
65 : void ieee80211_recv_group_msg2(struct ieee80211com *,
66 : struct ieee80211_eapol_key *, struct ieee80211_node *);
67 : void ieee80211_recv_eapol_key_req(struct ieee80211com *,
68 : struct ieee80211_eapol_key *, struct ieee80211_node *);
69 : #endif
70 :
71 : /*
72 : * Process an incoming EAPOL frame. Notice that we are only interested in
73 : * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type.
74 : */
75 : void
76 0 : ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m,
77 : struct ieee80211_node *ni)
78 : {
79 0 : struct ifnet *ifp = &ic->ic_if;
80 : struct ether_header *eh;
81 : struct ieee80211_eapol_key *key;
82 : u_int16_t info, desc;
83 : int totlen, bodylen, paylen;
84 :
85 0 : ifp->if_ibytes += m->m_pkthdr.len;
86 :
87 0 : eh = mtod(m, struct ether_header *);
88 0 : if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) {
89 0 : ifp->if_imcasts++;
90 0 : goto done;
91 : }
92 0 : m_adj(m, sizeof(*eh));
93 :
94 0 : if (m->m_pkthdr.len < sizeof(*key))
95 : goto done;
96 0 : if (m->m_len < sizeof(*key) &&
97 0 : (m = m_pullup(m, sizeof(*key))) == NULL) {
98 0 : ic->ic_stats.is_rx_nombuf++;
99 0 : goto done;
100 : }
101 0 : key = mtod(m, struct ieee80211_eapol_key *);
102 :
103 0 : if (key->type != EAPOL_KEY)
104 : goto done;
105 0 : ic->ic_stats.is_rx_eapol_key++;
106 :
107 0 : if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN &&
108 0 : key->desc != EAPOL_KEY_DESC_IEEE80211) ||
109 0 : (ni->ni_rsnprotos == IEEE80211_PROTO_WPA &&
110 0 : key->desc != EAPOL_KEY_DESC_WPA))
111 : goto done;
112 :
113 : /* check packet body length */
114 0 : bodylen = BE_READ_2(key->len);
115 0 : totlen = 4 + bodylen;
116 0 : if (m->m_pkthdr.len < totlen || totlen > MCLBYTES)
117 : goto done;
118 :
119 : /* check key data length */
120 0 : paylen = BE_READ_2(key->paylen);
121 0 : if (paylen > totlen - sizeof(*key))
122 : goto done;
123 :
124 0 : info = BE_READ_2(key->info);
125 :
126 : /* discard EAPOL-Key frames with an unknown descriptor version */
127 0 : desc = info & EAPOL_KEY_VERSION_MASK;
128 0 : if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3)
129 : goto done;
130 :
131 0 : if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) {
132 0 : if (desc != EAPOL_KEY_DESC_V3)
133 : goto done;
134 0 : } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP ||
135 0 : ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) {
136 0 : if (desc != EAPOL_KEY_DESC_V2)
137 : goto done;
138 : }
139 :
140 : /* make sure the key data field is contiguous */
141 0 : if (m->m_len < totlen && (m = m_pullup(m, totlen)) == NULL) {
142 0 : ic->ic_stats.is_rx_nombuf++;
143 0 : goto done;
144 : }
145 0 : key = mtod(m, struct ieee80211_eapol_key *);
146 :
147 : /* determine message type (see 8.5.3.7) */
148 0 : if (info & EAPOL_KEY_REQUEST) {
149 : #ifndef IEEE80211_STA_ONLY
150 : /* EAPOL-Key Request frame */
151 0 : ieee80211_recv_eapol_key_req(ic, key, ni);
152 : #endif
153 0 : } else if (info & EAPOL_KEY_PAIRWISE) {
154 : /* 4-Way Handshake */
155 0 : if (info & EAPOL_KEY_KEYMIC) {
156 0 : if (info & EAPOL_KEY_KEYACK)
157 0 : ieee80211_recv_4way_msg3(ic, key, ni);
158 : #ifndef IEEE80211_STA_ONLY
159 : else
160 0 : ieee80211_recv_4way_msg2or4(ic, key, ni);
161 : #endif
162 0 : } else if (info & EAPOL_KEY_KEYACK)
163 0 : ieee80211_recv_4way_msg1(ic, key, ni);
164 : } else {
165 : /* Group Key Handshake */
166 0 : if (!(info & EAPOL_KEY_KEYMIC))
167 : goto done;
168 0 : if (info & EAPOL_KEY_KEYACK) {
169 0 : if (key->desc == EAPOL_KEY_DESC_WPA)
170 0 : ieee80211_recv_wpa_group_msg1(ic, key, ni);
171 : else
172 0 : ieee80211_recv_rsn_group_msg1(ic, key, ni);
173 : }
174 : #ifndef IEEE80211_STA_ONLY
175 : else
176 0 : ieee80211_recv_group_msg2(ic, key, ni);
177 : #endif
178 : }
179 : done:
180 0 : m_freem(m);
181 0 : }
182 :
183 : /*
184 : * Process Message 1 of the 4-Way Handshake (sent by Authenticator).
185 : */
186 : void
187 0 : ieee80211_recv_4way_msg1(struct ieee80211com *ic,
188 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
189 : {
190 0 : struct ieee80211_ptk tptk;
191 : struct ieee80211_pmk *pmk;
192 : const u_int8_t *frm, *efrm;
193 : const u_int8_t *pmkid;
194 :
195 : #ifndef IEEE80211_STA_ONLY
196 0 : if (ic->ic_opmode != IEEE80211_M_STA &&
197 0 : ic->ic_opmode != IEEE80211_M_IBSS)
198 0 : return;
199 : #endif
200 : /*
201 : * Message 1 is always expected while RSN is active since some
202 : * APs will rekey the PTK by sending Msg1/4 after some time.
203 : */
204 0 : if (ni->ni_rsn_supp_state == RSNA_SUPP_INITIALIZE) {
205 : DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
206 0 : return;
207 : }
208 : /* enforce monotonicity of key request replay counter */
209 0 : if (ni->ni_replaycnt_ok &&
210 0 : BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
211 0 : ic->ic_stats.is_rx_eapol_replay++;
212 0 : return;
213 : }
214 :
215 : /* parse key data field (may contain an encapsulated PMKID) */
216 0 : frm = (const u_int8_t *)&key[1];
217 0 : efrm = frm + BE_READ_2(key->paylen);
218 :
219 : pmkid = NULL;
220 0 : while (frm + 2 <= efrm) {
221 0 : if (frm + 2 + frm[1] > efrm)
222 : break;
223 0 : switch (frm[0]) {
224 : case IEEE80211_ELEMID_VENDOR:
225 0 : if (frm[1] < 4)
226 : break;
227 0 : if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) {
228 0 : switch (frm[5]) {
229 : case IEEE80211_KDE_PMKID:
230 : pmkid = frm;
231 0 : break;
232 : }
233 : }
234 : break;
235 : }
236 0 : frm += 2 + frm[1];
237 : }
238 : /* check that the PMKID KDE is valid (if present) */
239 0 : if (pmkid != NULL && pmkid[1] != 4 + 16)
240 0 : return;
241 :
242 0 : if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) {
243 : /* retrieve the PMK for this (AP,PMKID) */
244 0 : pmk = ieee80211_pmksa_find(ic, ni,
245 0 : (pmkid != NULL) ? &pmkid[6] : NULL);
246 0 : if (pmk == NULL) {
247 : DPRINTF(("no PMK available for %s\n",
248 : ether_sprintf(ni->ni_macaddr)));
249 0 : return;
250 : }
251 0 : memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN);
252 0 : } else /* use pre-shared key */
253 0 : memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN);
254 0 : ni->ni_flags |= IEEE80211_NODE_PMK;
255 :
256 : /* save authenticator's nonce (ANonce) */
257 0 : memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN);
258 :
259 : /* generate supplicant's nonce (SNonce) */
260 0 : arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN);
261 :
262 : /* TPTK = CalcPTK(PMK, ANonce, SNonce) */
263 0 : ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr,
264 0 : ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk);
265 :
266 : /* We are now expecting a new pairwise key. */
267 0 : ni->ni_flags |= IEEE80211_NODE_RSN_NEW_PTK;
268 :
269 0 : if (ic->ic_if.if_flags & IFF_DEBUG)
270 0 : printf("%s: received msg %d/%d of the %s handshake from %s\n",
271 0 : ic->ic_if.if_xname, 1, 4, "4-way",
272 0 : ether_sprintf(ni->ni_macaddr));
273 :
274 : /* send message 2 to authenticator using TPTK */
275 0 : (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk);
276 0 : }
277 :
278 : #ifndef IEEE80211_STA_ONLY
279 : /*
280 : * Process Message 2 of the 4-Way Handshake (sent by Supplicant).
281 : */
282 : void
283 0 : ieee80211_recv_4way_msg2(struct ieee80211com *ic,
284 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni,
285 : const u_int8_t *rsnie)
286 : {
287 0 : struct ieee80211_ptk tptk;
288 :
289 0 : if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
290 0 : ic->ic_opmode != IEEE80211_M_IBSS)
291 0 : return;
292 :
293 : /* discard if we're not expecting this message */
294 0 : if (ni->ni_rsn_state != RSNA_PTKSTART &&
295 0 : ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) {
296 : DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state));
297 0 : return;
298 : }
299 0 : ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING;
300 :
301 : /* NB: replay counter has already been verified by caller */
302 :
303 : /* PTK = CalcPTK(ANonce, SNonce) */
304 0 : ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr,
305 0 : ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk);
306 :
307 : /* check Key MIC field using KCK */
308 0 : if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) {
309 : DPRINTF(("key MIC failed\n"));
310 0 : ic->ic_stats.is_rx_eapol_badmic++;
311 0 : return; /* will timeout.. */
312 : }
313 :
314 0 : timeout_del(&ni->ni_eapol_to);
315 0 : ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2;
316 0 : ni->ni_rsn_retries = 0;
317 :
318 : /* install TPTK as PTK now that MIC is verified */
319 0 : memcpy(&ni->ni_ptk, &tptk, sizeof(tptk));
320 :
321 : /*
322 : * The RSN IE must match bit-wise with what the STA included in its
323 : * (Re)Association Request.
324 : */
325 0 : if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] ||
326 0 : memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) {
327 0 : IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
328 : IEEE80211_REASON_RSN_DIFFERENT_IE);
329 0 : ieee80211_node_leave(ic, ni);
330 0 : return;
331 : }
332 :
333 0 : if (ic->ic_if.if_flags & IFF_DEBUG)
334 0 : printf("%s: received msg %d/%d of the %s handshake from %s\n",
335 0 : ic->ic_if.if_xname, 2, 4, "4-way",
336 0 : ether_sprintf(ni->ni_macaddr));
337 :
338 : /* send message 3 to supplicant */
339 0 : (void)ieee80211_send_4way_msg3(ic, ni);
340 0 : }
341 : #endif /* IEEE80211_STA_ONLY */
342 :
343 : /*
344 : * Check if a group key must be updated with a new GTK from an EAPOL frame.
345 : * Manipulated group key handshake messages could trick clients into
346 : * reinstalling an already used group key and hence lower or reset the
347 : * associated replay counter. This check prevents such attacks.
348 : */
349 : int
350 0 : ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk,
351 : int len)
352 : {
353 0 : return (k->k_cipher == IEEE80211_CIPHER_NONE || k->k_len != len ||
354 0 : memcmp(k->k_key, gtk, len) != 0);
355 : }
356 :
357 : /*
358 : * Process Message 3 of the 4-Way Handshake (sent by Authenticator).
359 : */
360 : void
361 0 : ieee80211_recv_4way_msg3(struct ieee80211com *ic,
362 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
363 : {
364 0 : struct ieee80211_ptk tptk;
365 : struct ieee80211_key *k;
366 : const u_int8_t *frm, *efrm;
367 : const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk;
368 : u_int16_t info, reason = 0;
369 : int keylen;
370 :
371 : #ifndef IEEE80211_STA_ONLY
372 0 : if (ic->ic_opmode != IEEE80211_M_STA &&
373 0 : ic->ic_opmode != IEEE80211_M_IBSS)
374 0 : return;
375 : #endif
376 : /* discard if we're not expecting this message */
377 0 : if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKNEGOTIATING &&
378 0 : ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) {
379 : DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
380 0 : return;
381 : }
382 : /* enforce monotonicity of key request replay counter */
383 0 : if (ni->ni_replaycnt_ok &&
384 0 : BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
385 0 : ic->ic_stats.is_rx_eapol_replay++;
386 0 : return;
387 : }
388 : /* make sure that a PMK has been selected */
389 0 : if (!(ni->ni_flags & IEEE80211_NODE_PMK)) {
390 : DPRINTF(("no PMK found for %s\n",
391 : ether_sprintf(ni->ni_macaddr)));
392 0 : return;
393 : }
394 : /* check that ANonce matches that of Message 1 */
395 0 : if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) {
396 : DPRINTF(("ANonce does not match msg 1/4\n"));
397 0 : return;
398 : }
399 : /* TPTK = CalcPTK(PMK, ANonce, SNonce) */
400 0 : ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr,
401 0 : ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk);
402 :
403 0 : info = BE_READ_2(key->info);
404 :
405 : /* check Key MIC field using KCK */
406 0 : if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) {
407 : DPRINTF(("key MIC failed\n"));
408 0 : ic->ic_stats.is_rx_eapol_badmic++;
409 0 : return;
410 : }
411 : /* install TPTK as PTK now that MIC is verified */
412 0 : memcpy(&ni->ni_ptk, &tptk, sizeof(tptk));
413 :
414 : /* if encrypted, decrypt Key Data field using KEK */
415 0 : if ((info & EAPOL_KEY_ENCRYPTED) &&
416 0 : ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) {
417 : DPRINTF(("decryption failed\n"));
418 0 : return;
419 : }
420 :
421 : /* parse key data field */
422 0 : frm = (const u_int8_t *)&key[1];
423 0 : efrm = frm + BE_READ_2(key->paylen);
424 :
425 : /*
426 : * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and
427 : * RSN IEs in message 3/4. We only take into account the IE of the
428 : * version of the protocol we negotiated at association time.
429 : */
430 : rsnie1 = rsnie2 = gtk = igtk = NULL;
431 0 : while (frm + 2 <= efrm) {
432 0 : if (frm + 2 + frm[1] > efrm)
433 : break;
434 0 : switch (frm[0]) {
435 : case IEEE80211_ELEMID_RSN:
436 0 : if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN)
437 : break;
438 0 : if (rsnie1 == NULL)
439 0 : rsnie1 = frm;
440 0 : else if (rsnie2 == NULL)
441 0 : rsnie2 = frm;
442 : /* ignore others if more than two RSN IEs */
443 : break;
444 : case IEEE80211_ELEMID_VENDOR:
445 0 : if (frm[1] < 4)
446 : break;
447 0 : if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) {
448 0 : switch (frm[5]) {
449 : case IEEE80211_KDE_GTK:
450 : gtk = frm;
451 0 : break;
452 : case IEEE80211_KDE_IGTK:
453 0 : if (ni->ni_flags & IEEE80211_NODE_MFP)
454 0 : igtk = frm;
455 : break;
456 : }
457 0 : } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) {
458 0 : switch (frm[5]) {
459 : case 1: /* WPA */
460 0 : if (ni->ni_rsnprotos !=
461 : IEEE80211_PROTO_WPA)
462 : break;
463 : rsnie1 = frm;
464 0 : break;
465 : }
466 : }
467 : break;
468 : }
469 0 : frm += 2 + frm[1];
470 : }
471 : /* first WPA/RSN IE is mandatory */
472 0 : if (rsnie1 == NULL) {
473 : DPRINTF(("missing RSN IE\n"));
474 0 : return;
475 : }
476 : /* key data must be encrypted if GTK is included */
477 0 : if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) {
478 : DPRINTF(("GTK not encrypted\n"));
479 0 : return;
480 : }
481 : /* GTK KDE must be included if IGTK KDE is present */
482 0 : if (igtk != NULL && gtk == NULL) {
483 : DPRINTF(("IGTK KDE found but GTK KDE missing\n"));
484 0 : return;
485 : }
486 : /* check that the Install bit is set if using pairwise keys */
487 0 : if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP &&
488 0 : !(info & EAPOL_KEY_INSTALL)) {
489 : DPRINTF(("pairwise cipher but !Install\n"));
490 0 : return;
491 : }
492 :
493 : /*
494 : * Check that first WPA/RSN IE is identical to the one received in
495 : * the beacon or probe response frame.
496 : */
497 0 : if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] ||
498 0 : memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) {
499 : reason = IEEE80211_REASON_RSN_DIFFERENT_IE;
500 0 : goto deauth;
501 : }
502 :
503 : /*
504 : * If a second RSN information element is present, use its pairwise
505 : * cipher suite or deauthenticate.
506 : */
507 0 : if (rsnie2 != NULL) {
508 0 : struct ieee80211_rsnparams rsn;
509 :
510 0 : if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) {
511 0 : if (rsn.rsn_akms != ni->ni_rsnakms ||
512 0 : rsn.rsn_groupcipher != ni->ni_rsngroupcipher ||
513 0 : rsn.rsn_nciphers != 1 ||
514 0 : !(rsn.rsn_ciphers & ic->ic_rsnciphers)) {
515 : reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER;
516 0 : goto deauth;
517 : }
518 : /* use pairwise cipher suite of second RSN IE */
519 0 : ni->ni_rsnciphers = rsn.rsn_ciphers;
520 0 : ni->ni_rsncipher = ni->ni_rsnciphers;
521 0 : }
522 0 : }
523 :
524 : /* update the last seen value of the key replay counter field */
525 0 : ni->ni_replaycnt = BE_READ_8(key->replaycnt);
526 0 : ni->ni_replaycnt_ok = 1;
527 :
528 0 : if (ic->ic_if.if_flags & IFF_DEBUG)
529 0 : printf("%s: received msg %d/%d of the %s handshake from %s\n",
530 0 : ic->ic_if.if_xname, 3, 4, "4-way",
531 0 : ether_sprintf(ni->ni_macaddr));
532 :
533 : /* send message 4 to authenticator */
534 0 : if (ieee80211_send_4way_msg4(ic, ni) != 0)
535 0 : return; /* ..authenticator will retry */
536 :
537 : /*
538 : * Only install a new pairwise key if we are still expecting a new key,
539 : * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be
540 : * sending manipulated retransmissions of message 3 of the 4-way
541 : * handshake in an attempt to trick us into reinstalling an already
542 : * used pairwise key. If this attack succeeded, the incremental nonce
543 : * and replay counter associated with the key would be reset.
544 : * Against CCMP, the adversary could abuse this to replay and decrypt
545 : * packets. Against TKIP, it would become possible to replay, decrypt,
546 : * and forge packets.
547 : */
548 0 : if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP &&
549 0 : (ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) {
550 : u_int64_t prsc;
551 :
552 : /* check that key length matches that of pairwise cipher */
553 0 : keylen = ieee80211_cipher_keylen(ni->ni_rsncipher);
554 0 : if (BE_READ_2(key->keylen) != keylen) {
555 : reason = IEEE80211_REASON_AUTH_LEAVE;
556 0 : goto deauth;
557 : }
558 0 : prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0;
559 :
560 : /* map PTK to 802.11 key */
561 0 : k = &ni->ni_pairwise_key;
562 0 : memset(k, 0, sizeof(*k));
563 0 : k->k_cipher = ni->ni_rsncipher;
564 0 : k->k_rsc[0] = prsc;
565 0 : k->k_len = keylen;
566 0 : memcpy(k->k_key, ni->ni_ptk.tk, k->k_len);
567 : /* install the PTK */
568 0 : if ((*ic->ic_set_key)(ic, ni, k) != 0) {
569 : reason = IEEE80211_REASON_AUTH_LEAVE;
570 0 : goto deauth;
571 : }
572 0 : ni->ni_flags &= ~IEEE80211_NODE_RSN_NEW_PTK;
573 0 : ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT;
574 0 : ni->ni_flags |= IEEE80211_NODE_RXPROT;
575 0 : } else if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP)
576 0 : printf("%s: unexpected pairwise key update received from %s\n",
577 0 : ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr));
578 :
579 0 : if (gtk != NULL) {
580 : u_int8_t kid;
581 :
582 : /* check that key length matches that of group cipher */
583 0 : keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher);
584 0 : if (gtk[1] != 6 + keylen) {
585 : reason = IEEE80211_REASON_AUTH_LEAVE;
586 0 : goto deauth;
587 : }
588 : /* map GTK to 802.11 key */
589 0 : kid = gtk[6] & 3;
590 0 : k = &ic->ic_nw_keys[kid];
591 0 : if (ieee80211_must_update_group_key(k, >k[8], keylen)) {
592 0 : memset(k, 0, sizeof(*k));
593 0 : k->k_id = kid; /* 0-3 */
594 0 : k->k_cipher = ni->ni_rsngroupcipher;
595 0 : k->k_flags = IEEE80211_KEY_GROUP;
596 0 : if (gtk[6] & (1 << 2))
597 0 : k->k_flags |= IEEE80211_KEY_TX;
598 0 : k->k_rsc[0] = LE_READ_6(key->rsc);
599 0 : k->k_len = keylen;
600 0 : memcpy(k->k_key, >k[8], k->k_len);
601 : /* install the GTK */
602 0 : if ((*ic->ic_set_key)(ic, ni, k) != 0) {
603 : reason = IEEE80211_REASON_AUTH_LEAVE;
604 0 : goto deauth;
605 : }
606 : } else
607 0 : printf("%s: reused group key update received from %s\n",
608 0 : ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr));
609 0 : }
610 0 : if (igtk != NULL) { /* implies MFP && gtk != NULL */
611 : u_int16_t kid;
612 :
613 : /* check that the IGTK KDE is valid */
614 0 : if (igtk[1] != 4 + 24) {
615 : reason = IEEE80211_REASON_AUTH_LEAVE;
616 0 : goto deauth;
617 : }
618 0 : kid = LE_READ_2(&igtk[6]);
619 0 : if (kid != 4 && kid != 5) {
620 : DPRINTF(("unsupported IGTK id %u\n", kid));
621 : reason = IEEE80211_REASON_AUTH_LEAVE;
622 0 : goto deauth;
623 : }
624 : /* map IGTK to 802.11 key */
625 0 : k = &ic->ic_nw_keys[kid];
626 0 : if (ieee80211_must_update_group_key(k, &igtk[14], 16)) {
627 0 : memset(k, 0, sizeof(*k));
628 0 : k->k_id = kid; /* either 4 or 5 */
629 0 : k->k_cipher = ni->ni_rsngroupmgmtcipher;
630 0 : k->k_flags = IEEE80211_KEY_IGTK;
631 0 : k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */
632 0 : k->k_len = 16;
633 0 : memcpy(k->k_key, &igtk[14], k->k_len);
634 : /* install the IGTK */
635 0 : if ((*ic->ic_set_key)(ic, ni, k) != 0) {
636 : reason = IEEE80211_REASON_AUTH_LEAVE;
637 0 : goto deauth;
638 : }
639 : } else
640 0 : printf("%s: reused group key update received from %s\n",
641 0 : ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr));
642 0 : }
643 0 : if (info & EAPOL_KEY_INSTALL)
644 0 : ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
645 :
646 0 : if (info & EAPOL_KEY_SECURE) {
647 0 : ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
648 : #ifndef IEEE80211_STA_ONLY
649 0 : if (ic->ic_opmode != IEEE80211_M_IBSS ||
650 0 : ++ni->ni_key_count == 2)
651 : #endif
652 : {
653 : DPRINTF(("marking port %s valid\n",
654 : ether_sprintf(ni->ni_macaddr)));
655 0 : ni->ni_port_valid = 1;
656 0 : ieee80211_set_link_state(ic, LINK_STATE_UP);
657 0 : }
658 : }
659 : deauth:
660 0 : if (reason != 0) {
661 0 : IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
662 : reason);
663 0 : ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
664 0 : }
665 0 : }
666 :
667 : #ifndef IEEE80211_STA_ONLY
668 : /*
669 : * Process Message 4 of the 4-Way Handshake (sent by Supplicant).
670 : */
671 : void
672 0 : ieee80211_recv_4way_msg4(struct ieee80211com *ic,
673 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
674 : {
675 0 : if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
676 0 : ic->ic_opmode != IEEE80211_M_IBSS)
677 : return;
678 :
679 : /* discard if we're not expecting this message */
680 0 : if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) {
681 : DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state));
682 : return;
683 : }
684 :
685 : /* NB: replay counter has already been verified by caller */
686 :
687 : /* check Key MIC field using KCK */
688 0 : if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
689 : DPRINTF(("key MIC failed\n"));
690 0 : ic->ic_stats.is_rx_eapol_badmic++;
691 0 : return; /* will timeout.. */
692 : }
693 :
694 0 : timeout_del(&ni->ni_eapol_to);
695 0 : ni->ni_rsn_state = RSNA_PTKINITDONE;
696 0 : ni->ni_rsn_retries = 0;
697 :
698 0 : if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) {
699 : struct ieee80211_key *k;
700 :
701 : /* map PTK to 802.11 key */
702 0 : k = &ni->ni_pairwise_key;
703 0 : memset(k, 0, sizeof(*k));
704 0 : k->k_cipher = ni->ni_rsncipher;
705 0 : k->k_len = ieee80211_cipher_keylen(k->k_cipher);
706 0 : memcpy(k->k_key, ni->ni_ptk.tk, k->k_len);
707 : /* install the PTK */
708 0 : if ((*ic->ic_set_key)(ic, ni, k) != 0) {
709 0 : IEEE80211_SEND_MGMT(ic, ni,
710 : IEEE80211_FC0_SUBTYPE_DEAUTH,
711 : IEEE80211_REASON_ASSOC_TOOMANY);
712 0 : ieee80211_node_leave(ic, ni);
713 0 : return;
714 : }
715 0 : ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
716 0 : }
717 0 : if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) {
718 : DPRINTF(("marking port %s valid\n",
719 : ether_sprintf(ni->ni_macaddr)));
720 0 : ni->ni_port_valid = 1;
721 0 : }
722 :
723 0 : if (ic->ic_if.if_flags & IFF_DEBUG)
724 0 : printf("%s: received msg %d/%d of the %s handshake from %s\n",
725 0 : ic->ic_if.if_xname, 4, 4, "4-way",
726 0 : ether_sprintf(ni->ni_macaddr));
727 :
728 : /* initiate a group key handshake for WPA */
729 0 : if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA)
730 0 : (void)ieee80211_send_group_msg1(ic, ni);
731 : else
732 0 : ni->ni_rsn_gstate = RSNA_IDLE;
733 0 : }
734 :
735 : /*
736 : * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on
737 : * the presence of an RSN or WPA Information Element.
738 : */
739 : void
740 0 : ieee80211_recv_4way_msg2or4(struct ieee80211com *ic,
741 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
742 : {
743 : const u_int8_t *frm, *efrm;
744 : const u_int8_t *rsnie;
745 :
746 0 : if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) {
747 0 : ic->ic_stats.is_rx_eapol_replay++;
748 0 : return;
749 : }
750 :
751 : /* parse key data field (check if an RSN IE is present) */
752 0 : frm = (const u_int8_t *)&key[1];
753 0 : efrm = frm + BE_READ_2(key->paylen);
754 :
755 : rsnie = NULL;
756 0 : while (frm + 2 <= efrm) {
757 0 : if (frm + 2 + frm[1] > efrm)
758 : break;
759 0 : switch (frm[0]) {
760 : case IEEE80211_ELEMID_RSN:
761 : rsnie = frm;
762 0 : break;
763 : case IEEE80211_ELEMID_VENDOR:
764 0 : if (frm[1] < 4)
765 : break;
766 0 : if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) {
767 0 : switch (frm[5]) {
768 : case 1: /* WPA */
769 : rsnie = frm;
770 0 : break;
771 : }
772 : }
773 : }
774 0 : frm += 2 + frm[1];
775 : }
776 0 : if (rsnie != NULL)
777 0 : ieee80211_recv_4way_msg2(ic, key, ni, rsnie);
778 : else
779 0 : ieee80211_recv_4way_msg4(ic, key, ni);
780 0 : }
781 : #endif /* IEEE80211_STA_ONLY */
782 :
783 : /*
784 : * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator).
785 : */
786 : void
787 0 : ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic,
788 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
789 : {
790 : struct ieee80211_key *k;
791 : const u_int8_t *frm, *efrm;
792 : const u_int8_t *gtk, *igtk;
793 : u_int16_t info, kid, reason = 0;
794 : int keylen;
795 :
796 : #ifndef IEEE80211_STA_ONLY
797 0 : if (ic->ic_opmode != IEEE80211_M_STA &&
798 0 : ic->ic_opmode != IEEE80211_M_IBSS)
799 0 : return;
800 : #endif
801 : /* discard if we're not expecting this message */
802 0 : if (ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) {
803 : DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
804 0 : return;
805 : }
806 : /* enforce monotonicity of key request replay counter */
807 0 : if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
808 0 : ic->ic_stats.is_rx_eapol_replay++;
809 0 : return;
810 : }
811 : /* check Key MIC field using KCK */
812 0 : if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
813 : DPRINTF(("key MIC failed\n"));
814 0 : ic->ic_stats.is_rx_eapol_badmic++;
815 0 : return;
816 : }
817 0 : info = BE_READ_2(key->info);
818 :
819 : /* check that encrypted and decrypt Key Data field using KEK */
820 0 : if (!(info & EAPOL_KEY_ENCRYPTED) ||
821 0 : ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) {
822 : DPRINTF(("decryption failed\n"));
823 0 : return;
824 : }
825 :
826 : /* parse key data field (shall contain a GTK KDE) */
827 0 : frm = (const u_int8_t *)&key[1];
828 0 : efrm = frm + BE_READ_2(key->paylen);
829 :
830 : gtk = igtk = NULL;
831 0 : while (frm + 2 <= efrm) {
832 0 : if (frm + 2 + frm[1] > efrm)
833 : break;
834 0 : switch (frm[0]) {
835 : case IEEE80211_ELEMID_VENDOR:
836 0 : if (frm[1] < 4)
837 : break;
838 0 : if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) {
839 0 : switch (frm[5]) {
840 : case IEEE80211_KDE_GTK:
841 : gtk = frm;
842 0 : break;
843 : case IEEE80211_KDE_IGTK:
844 0 : if (ni->ni_flags & IEEE80211_NODE_MFP)
845 0 : igtk = frm;
846 : break;
847 : }
848 : }
849 : break;
850 : }
851 0 : frm += 2 + frm[1];
852 : }
853 : /* check that the GTK KDE is present */
854 0 : if (gtk == NULL) {
855 : DPRINTF(("GTK KDE missing\n"));
856 0 : return;
857 : }
858 :
859 : /* check that key length matches that of group cipher */
860 0 : keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher);
861 0 : if (gtk[1] != 6 + keylen)
862 0 : return;
863 :
864 : /* map GTK to 802.11 key */
865 0 : kid = gtk[6] & 3;
866 0 : k = &ic->ic_nw_keys[kid];
867 0 : if (ieee80211_must_update_group_key(k, >k[8], keylen)) {
868 0 : memset(k, 0, sizeof(*k));
869 0 : k->k_id = kid; /* 0-3 */
870 0 : k->k_cipher = ni->ni_rsngroupcipher;
871 0 : k->k_flags = IEEE80211_KEY_GROUP;
872 0 : if (gtk[6] & (1 << 2))
873 0 : k->k_flags |= IEEE80211_KEY_TX;
874 0 : k->k_rsc[0] = LE_READ_6(key->rsc);
875 0 : k->k_len = keylen;
876 0 : memcpy(k->k_key, >k[8], k->k_len);
877 : /* install the GTK */
878 0 : if ((*ic->ic_set_key)(ic, ni, k) != 0) {
879 : reason = IEEE80211_REASON_AUTH_LEAVE;
880 0 : goto deauth;
881 : }
882 : } else
883 0 : printf("%s: reused group key update received from %s\n",
884 0 : ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr));
885 0 : if (igtk != NULL) { /* implies MFP */
886 : /* check that the IGTK KDE is valid */
887 0 : if (igtk[1] != 4 + 24) {
888 : reason = IEEE80211_REASON_AUTH_LEAVE;
889 0 : goto deauth;
890 : }
891 0 : kid = LE_READ_2(&igtk[6]);
892 0 : if (kid != 4 && kid != 5) {
893 : DPRINTF(("unsupported IGTK id %u\n", kid));
894 : reason = IEEE80211_REASON_AUTH_LEAVE;
895 0 : goto deauth;
896 : }
897 : /* map IGTK to 802.11 key */
898 0 : k = &ic->ic_nw_keys[kid];
899 0 : if (ieee80211_must_update_group_key(k, &igtk[14], 16)) {
900 0 : memset(k, 0, sizeof(*k));
901 0 : k->k_id = kid; /* either 4 or 5 */
902 0 : k->k_cipher = ni->ni_rsngroupmgmtcipher;
903 0 : k->k_flags = IEEE80211_KEY_IGTK;
904 0 : k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */
905 0 : k->k_len = 16;
906 0 : memcpy(k->k_key, &igtk[14], k->k_len);
907 : /* install the IGTK */
908 0 : if ((*ic->ic_set_key)(ic, ni, k) != 0) {
909 : reason = IEEE80211_REASON_AUTH_LEAVE;
910 0 : goto deauth;
911 : }
912 : } else
913 0 : printf("%s: reused group key update received from %s\n",
914 0 : ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr));
915 : }
916 0 : if (info & EAPOL_KEY_SECURE) {
917 : #ifndef IEEE80211_STA_ONLY
918 0 : if (ic->ic_opmode != IEEE80211_M_IBSS ||
919 0 : ++ni->ni_key_count == 2)
920 : #endif
921 : {
922 : DPRINTF(("marking port %s valid\n",
923 : ether_sprintf(ni->ni_macaddr)));
924 0 : ni->ni_port_valid = 1;
925 0 : ieee80211_set_link_state(ic, LINK_STATE_UP);
926 0 : }
927 : }
928 : /* update the last seen value of the key replay counter field */
929 0 : ni->ni_replaycnt = BE_READ_8(key->replaycnt);
930 :
931 0 : if (ic->ic_if.if_flags & IFF_DEBUG)
932 0 : printf("%s: received msg %d/%d of the %s handshake from %s\n",
933 0 : ic->ic_if.if_xname, 1, 2, "group key",
934 0 : ether_sprintf(ni->ni_macaddr));
935 :
936 : /* send message 2 to authenticator */
937 0 : (void)ieee80211_send_group_msg2(ic, ni, NULL);
938 0 : return;
939 : deauth:
940 0 : IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
941 0 : ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
942 0 : }
943 :
944 : /*
945 : * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator).
946 : */
947 : void
948 0 : ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic,
949 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
950 : {
951 : struct ieee80211_key *k;
952 : u_int16_t info;
953 : u_int8_t kid;
954 : int keylen;
955 : const uint8_t *gtk;
956 :
957 : #ifndef IEEE80211_STA_ONLY
958 0 : if (ic->ic_opmode != IEEE80211_M_STA &&
959 0 : ic->ic_opmode != IEEE80211_M_IBSS)
960 0 : return;
961 : #endif
962 : /* discard if we're not expecting this message */
963 0 : if (ni->ni_rsn_supp_state != RNSA_SUPP_PTKDONE) {
964 : DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state));
965 0 : return;
966 : }
967 : /* enforce monotonicity of key request replay counter */
968 0 : if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) {
969 0 : ic->ic_stats.is_rx_eapol_replay++;
970 0 : return;
971 : }
972 : /* check Key MIC field using KCK */
973 0 : if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
974 : DPRINTF(("key MIC failed\n"));
975 0 : ic->ic_stats.is_rx_eapol_badmic++;
976 0 : return;
977 : }
978 : /*
979 : * EAPOL-Key data field is encrypted even though WPA doesn't set
980 : * the ENCRYPTED bit in the info field.
981 : */
982 0 : if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) {
983 : DPRINTF(("decryption failed\n"));
984 0 : return;
985 : }
986 :
987 : /* check that key length matches that of group cipher */
988 0 : keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher);
989 0 : if (BE_READ_2(key->keylen) != keylen)
990 0 : return;
991 :
992 : /* check that the data length is large enough to hold the key */
993 0 : if (BE_READ_2(key->paylen) < keylen)
994 0 : return;
995 :
996 0 : info = BE_READ_2(key->info);
997 :
998 : /* map GTK to 802.11 key */
999 0 : kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3;
1000 0 : k = &ic->ic_nw_keys[kid];
1001 0 : gtk = (const uint8_t *)&key[1]; /* key data field contains the GTK */
1002 0 : if (ieee80211_must_update_group_key(k, gtk, keylen)) {
1003 0 : memset(k, 0, sizeof(*k));
1004 0 : k->k_id = kid; /* 0-3 */
1005 0 : k->k_cipher = ni->ni_rsngroupcipher;
1006 0 : k->k_flags = IEEE80211_KEY_GROUP;
1007 0 : if (info & EAPOL_KEY_WPA_TX)
1008 0 : k->k_flags |= IEEE80211_KEY_TX;
1009 0 : k->k_rsc[0] = LE_READ_6(key->rsc);
1010 0 : k->k_len = keylen;
1011 0 : memcpy(k->k_key, gtk, k->k_len);
1012 : /* install the GTK */
1013 0 : if ((*ic->ic_set_key)(ic, ni, k) != 0) {
1014 0 : IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
1015 : IEEE80211_REASON_AUTH_LEAVE);
1016 0 : ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
1017 0 : return;
1018 : }
1019 : } else
1020 0 : printf("%s: reused group key update received from %s\n",
1021 0 : ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr));
1022 0 : if (info & EAPOL_KEY_SECURE) {
1023 : #ifndef IEEE80211_STA_ONLY
1024 0 : if (ic->ic_opmode != IEEE80211_M_IBSS ||
1025 0 : ++ni->ni_key_count == 2)
1026 : #endif
1027 : {
1028 : DPRINTF(("marking port %s valid\n",
1029 : ether_sprintf(ni->ni_macaddr)));
1030 0 : ni->ni_port_valid = 1;
1031 0 : ieee80211_set_link_state(ic, LINK_STATE_UP);
1032 0 : }
1033 : }
1034 : /* update the last seen value of the key replay counter field */
1035 0 : ni->ni_replaycnt = BE_READ_8(key->replaycnt);
1036 :
1037 0 : if (ic->ic_if.if_flags & IFF_DEBUG)
1038 0 : printf("%s: received msg %d/%d of the %s handshake from %s\n",
1039 0 : ic->ic_if.if_xname, 1, 2, "group key",
1040 0 : ether_sprintf(ni->ni_macaddr));
1041 :
1042 : /* send message 2 to authenticator */
1043 0 : (void)ieee80211_send_group_msg2(ic, ni, k);
1044 0 : }
1045 :
1046 : #ifndef IEEE80211_STA_ONLY
1047 : /*
1048 : * Process Message 2 of the Group Key Handshake (sent by Supplicant).
1049 : */
1050 : void
1051 0 : ieee80211_recv_group_msg2(struct ieee80211com *ic,
1052 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
1053 : {
1054 0 : if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
1055 0 : ic->ic_opmode != IEEE80211_M_IBSS)
1056 : return;
1057 :
1058 : /* discard if we're not expecting this message */
1059 0 : if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) {
1060 : DPRINTF(("%s: unexpected in state: %d\n", ic->ic_if.if_xname,
1061 : ni->ni_rsn_gstate));
1062 : return;
1063 : }
1064 : /* enforce monotonicity of key request replay counter */
1065 0 : if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) {
1066 0 : ic->ic_stats.is_rx_eapol_replay++;
1067 0 : return;
1068 : }
1069 : /* check Key MIC field using KCK */
1070 0 : if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
1071 : DPRINTF(("key MIC failed\n"));
1072 0 : ic->ic_stats.is_rx_eapol_badmic++;
1073 0 : return;
1074 : }
1075 :
1076 0 : timeout_del(&ni->ni_eapol_to);
1077 0 : ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED;
1078 :
1079 0 : if (ni->ni_flags & IEEE80211_NODE_REKEY) {
1080 0 : int rekeysta = 0;
1081 0 : ni->ni_flags &= ~IEEE80211_NODE_REKEY;
1082 0 : ieee80211_iterate_nodes(ic,
1083 : ieee80211_count_rekeysta, &rekeysta);
1084 0 : if (rekeysta == 0)
1085 0 : ieee80211_setkeysdone(ic);
1086 0 : }
1087 0 : ni->ni_flags |= IEEE80211_NODE_TXRXPROT;
1088 :
1089 0 : ni->ni_rsn_gstate = RSNA_IDLE;
1090 0 : ni->ni_rsn_retries = 0;
1091 :
1092 0 : if (ic->ic_if.if_flags & IFF_DEBUG)
1093 0 : printf("%s: received msg %d/%d of the %s handshake from %s\n",
1094 0 : ic->ic_if.if_xname, 2, 2, "group key",
1095 0 : ether_sprintf(ni->ni_macaddr));
1096 0 : }
1097 :
1098 : /*
1099 : * EAPOL-Key Request frames are sent by the supplicant to request that the
1100 : * authenticator initiates either a 4-Way Handshake or Group Key Handshake,
1101 : * or to report a MIC failure in a TKIP MSDU.
1102 : */
1103 : void
1104 0 : ieee80211_recv_eapol_key_req(struct ieee80211com *ic,
1105 : struct ieee80211_eapol_key *key, struct ieee80211_node *ni)
1106 : {
1107 : u_int16_t info;
1108 :
1109 0 : if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
1110 0 : ic->ic_opmode != IEEE80211_M_IBSS)
1111 0 : return;
1112 :
1113 : /* discard if we're not expecting this message */
1114 0 : if (ni->ni_rsn_state != RSNA_PTKINITDONE) {
1115 : DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state));
1116 0 : return;
1117 : }
1118 : /* enforce monotonicity of key request replay counter */
1119 0 : if (ni->ni_reqreplaycnt_ok &&
1120 0 : BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) {
1121 0 : ic->ic_stats.is_rx_eapol_replay++;
1122 0 : return;
1123 : }
1124 0 : info = BE_READ_2(key->info);
1125 :
1126 0 : if (!(info & EAPOL_KEY_KEYMIC) ||
1127 0 : ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) {
1128 : DPRINTF(("key request MIC failed\n"));
1129 0 : ic->ic_stats.is_rx_eapol_badmic++;
1130 0 : return;
1131 : }
1132 : /* update key request replay counter now that MIC is verified */
1133 0 : ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt);
1134 0 : ni->ni_reqreplaycnt_ok = 1;
1135 :
1136 0 : if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */
1137 : /* ignore reports from STAs not using TKIP */
1138 0 : if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP &&
1139 0 : ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) {
1140 : DPRINTF(("MIC failure report from !TKIP STA: %s\n",
1141 : ether_sprintf(ni->ni_macaddr)));
1142 0 : return;
1143 : }
1144 0 : ic->ic_stats.is_rx_remmicfail++;
1145 0 : ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc));
1146 :
1147 0 : } else if (info & EAPOL_KEY_PAIRWISE) {
1148 : /* initiate a 4-Way Handshake */
1149 :
1150 : } else {
1151 : /*
1152 : * Should change the GTK, initiate the 4-Way Handshake and
1153 : * then execute a Group Key Handshake with all supplicants.
1154 : */
1155 : }
1156 0 : }
1157 : #endif /* IEEE80211_STA_ONLY */
|
