1 /*
2 * hostapd - WPA/RSN IE and KDE definitions
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10 #include "utils/common.h"
11 #include "common/ieee802_11_defs.h"
12 #include "ap/wpa_auth.h"
13 #include "ap/wpa_auth_ie.h"
14 #include "ap/wpa_auth_i.h"
15 #include "common/wpa_common.h"
16 #include "utils/wpa_debug.h"
17 #include "ap/pmksa_cache_auth.h"
18
19 #ifdef CONFIG_RSN_TESTING
20 int rsn_testing = 0;
21 #endif /* CONFIG_RSN_TESTING */
22
23
wpa_write_wpa_ie(struct wpa_auth_config * conf,u8 * buf,size_t len)24 static int wpa_write_wpa_ie(struct wpa_auth_config *conf, u8 *buf, size_t len)
25 {
26 struct wpa_ie_hdr *hdr;
27 int num_suites;
28 u8 *pos, *count;
29 u32 suite;
30
31 hdr = (struct wpa_ie_hdr *) buf;
32 hdr->elem_id = WLAN_EID_VENDOR_SPECIFIC;
33 RSN_SELECTOR_PUT(hdr->oui, WPA_OUI_TYPE);
34 WPA_PUT_LE16(hdr->version, WPA_VERSION);
35 pos = (u8 *) (hdr + 1);
36
37 suite = wpa_cipher_to_suite(WPA_PROTO_WPA, conf->wpa_group);
38 if (suite == 0) {
39 wpa_printf( MSG_DEBUG, "Invalid group cipher (%d).",
40 conf->wpa_group);
41 return -1;
42 }
43 RSN_SELECTOR_PUT(pos, suite);
44 pos += WPA_SELECTOR_LEN;
45
46 count = pos;
47 pos += 2;
48
49 num_suites = wpa_cipher_put_suites(pos, conf->wpa_pairwise);
50 if (num_suites == 0) {
51 wpa_printf( MSG_DEBUG, "Invalid pairwise cipher (%d).",
52 conf->wpa_pairwise);
53 return -1;
54 }
55 pos += num_suites * WPA_SELECTOR_LEN;
56 WPA_PUT_LE16(count, num_suites);
57
58 num_suites = 0;
59 count = pos;
60 pos += 2;
61
62 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X) {
63 RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
64 pos += WPA_SELECTOR_LEN;
65 num_suites++;
66 }
67 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK) {
68 RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
69 pos += WPA_SELECTOR_LEN;
70 num_suites++;
71 }
72
73 if (num_suites == 0) {
74 wpa_printf( MSG_DEBUG, "Invalid key management type (%d).",
75 conf->wpa_key_mgmt);
76 return -1;
77 }
78 WPA_PUT_LE16(count, num_suites);
79
80 /* WPA Capabilities; use defaults, so no need to include it */
81
82 hdr->len = (pos - buf) - 2;
83
84 return pos - buf;
85 }
86
87
wpa_write_rsn_ie(struct wpa_auth_config * conf,u8 * buf,size_t len,const u8 * pmkid)88 int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
89 const u8 *pmkid)
90 {
91 struct rsn_ie_hdr *hdr;
92 int num_suites, res;
93 u8 *pos, *count;
94 u16 capab;
95 u32 suite;
96
97 hdr = (struct rsn_ie_hdr *) buf;
98 hdr->elem_id = WLAN_EID_RSN;
99 WPA_PUT_LE16(hdr->version, RSN_VERSION);
100 pos = (u8 *) (hdr + 1);
101
102 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, conf->wpa_group);
103 if (suite == 0) {
104 wpa_printf( MSG_DEBUG, "Invalid group cipher (%d).",
105 conf->wpa_group);
106 return -1;
107 }
108 RSN_SELECTOR_PUT(pos, suite);
109 pos += RSN_SELECTOR_LEN;
110
111 num_suites = 0;
112 count = pos;
113 pos += 2;
114
115 #ifdef CONFIG_RSN_TESTING
116 if (rsn_testing) {
117 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 1));
118 pos += RSN_SELECTOR_LEN;
119 num_suites++;
120 }
121 #endif /* CONFIG_RSN_TESTING */
122
123 res = rsn_cipher_put_suites(pos, conf->rsn_pairwise);
124 num_suites += res;
125 pos += res * RSN_SELECTOR_LEN;
126
127 #ifdef CONFIG_RSN_TESTING
128 if (rsn_testing) {
129 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 2));
130 pos += RSN_SELECTOR_LEN;
131 num_suites++;
132 }
133 #endif /* CONFIG_RSN_TESTING */
134
135 if (num_suites == 0) {
136 wpa_printf( MSG_DEBUG, "Invalid pairwise cipher (%d).",
137 conf->rsn_pairwise);
138 return -1;
139 }
140 WPA_PUT_LE16(count, num_suites);
141
142 num_suites = 0;
143 count = pos;
144 pos += 2;
145
146 #ifdef CONFIG_RSN_TESTING
147 if (rsn_testing) {
148 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 1));
149 pos += RSN_SELECTOR_LEN;
150 num_suites++;
151 }
152 #endif /* CONFIG_RSN_TESTING */
153
154 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X) {
155 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X);
156 pos += RSN_SELECTOR_LEN;
157 num_suites++;
158 }
159 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK) {
160 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X);
161 pos += RSN_SELECTOR_LEN;
162 num_suites++;
163 }
164 #ifdef CONFIG_IEEE80211R_AP
165 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) {
166 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
167 pos += RSN_SELECTOR_LEN;
168 num_suites++;
169 }
170 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_PSK) {
171 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
172 pos += RSN_SELECTOR_LEN;
173 num_suites++;
174 }
175 #endif /* CONFIG_IEEE80211R_AP */
176 #ifdef CONFIG_IEEE80211W
177 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) {
178 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256);
179 pos += RSN_SELECTOR_LEN;
180 num_suites++;
181 }
182 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK_SHA256) {
183 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_SHA256);
184 pos += RSN_SELECTOR_LEN;
185 num_suites++;
186 }
187 #endif /* CONFIG_IEEE80211W */
188 #ifdef CONFIG_SAE
189 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_SAE) {
190 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE);
191 pos += RSN_SELECTOR_LEN;
192 num_suites++;
193 }
194 if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) {
195 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
196 pos += RSN_SELECTOR_LEN;
197 num_suites++;
198 }
199 #endif /* CONFIG_SAE */
200
201 #ifdef CONFIG_RSN_TESTING
202 if (rsn_testing) {
203 RSN_SELECTOR_PUT(pos, RSN_SELECTOR(0x12, 0x34, 0x56, 2));
204 pos += RSN_SELECTOR_LEN;
205 num_suites++;
206 }
207 #endif /* CONFIG_RSN_TESTING */
208
209 if (num_suites == 0) {
210 wpa_printf( MSG_DEBUG, "Invalid key management type (%d).",
211 conf->wpa_key_mgmt);
212 return -1;
213 }
214 WPA_PUT_LE16(count, num_suites);
215
216 /* RSN Capabilities */
217 capab = 0;
218 if (conf->rsn_preauth)
219 capab |= WPA_CAPABILITY_PREAUTH;
220 if (conf->wmm_enabled) {
221 /* 4 PTKSA replay counters when using WMM */
222 capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2);
223 }
224
225 if (conf->spp_sup.capable) {
226 capab |= WPA_CAPABILITY_SPP_CAPABLE;
227 }
228
229 if (conf->spp_sup.require) {
230 capab |= WPA_CAPABILITY_SPP_REQUIRED;
231 }
232
233 #ifdef CONFIG_IEEE80211W
234 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
235 capab |= WPA_CAPABILITY_MFPC;
236 if (conf->ieee80211w == MGMT_FRAME_PROTECTION_REQUIRED)
237 capab |= WPA_CAPABILITY_MFPR;
238 }
239 #endif /* CONFIG_IEEE80211W */
240 #ifdef CONFIG_RSN_TESTING
241 if (rsn_testing)
242 capab |= BIT(8) | BIT(14) | BIT(15);
243 #endif /* CONFIG_RSN_TESTING */
244 WPA_PUT_LE16(pos, capab);
245 pos += 2;
246
247 if (pmkid) {
248 if (pos + 2 + PMKID_LEN > buf + len)
249 return -1;
250 /* PMKID Count */
251 WPA_PUT_LE16(pos, 1);
252 pos += 2;
253 memcpy(pos, pmkid, PMKID_LEN);
254 pos += PMKID_LEN;
255 }
256
257 #ifdef CONFIG_IEEE80211W
258 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
259 if (pos + 2 + 4 > buf + len)
260 return -1;
261 if (pmkid == NULL) {
262 /* PMKID Count */
263 WPA_PUT_LE16(pos, 0);
264 pos += 2;
265 }
266
267 /* Management Group Cipher Suite */
268 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
269 pos += RSN_SELECTOR_LEN;
270 }
271 #endif /* CONFIG_IEEE80211W */
272
273 #ifdef CONFIG_RSN_TESTING
274 if (rsn_testing) {
275 /*
276 * Fill in any defined fields and add extra data to the end of
277 * the element.
278 */
279 int pmkid_count_set = pmkid != NULL;
280 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION)
281 pmkid_count_set = 1;
282 /* PMKID Count */
283 WPA_PUT_LE16(pos, 0);
284 pos += 2;
285 if (conf->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
286 /* Management Group Cipher Suite */
287 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
288 pos += RSN_SELECTOR_LEN;
289 }
290
291 memset(pos, 0x12, 17);
292 pos += 17;
293 }
294 #endif /* CONFIG_RSN_TESTING */
295
296 hdr->len = (pos - buf) - 2;
297
298 return pos - buf;
299 }
300
301
wpa_write_rsnxe(struct wpa_auth_config * conf,u8 * buf,size_t len)302 int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len)
303 {
304 u8 *pos = buf;
305 u16 capab = 0;
306 size_t flen;
307
308 if (wpa_key_mgmt_sae(conf->wpa_key_mgmt) &&
309 (conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT ||
310 conf->sae_pwe == SAE_PWE_BOTH)) {
311 capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
312 }
313
314 flen = 1;
315 if (!capab)
316 return 0; /* no supported extended RSN capabilities */
317 if (len < 2 + flen)
318 return -1;
319 capab |= flen - 1; /* bit 0-3 = Field length (n - 1) */
320
321 *pos++ = WLAN_EID_RSNX;
322 *pos++ = flen;
323 *pos++ = capab & 0x00ff;
324
325 return pos - buf;
326 }
327
328
wpa_auth_gen_wpa_ie(struct wpa_authenticator * wpa_auth)329 int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth)
330 {
331 u8 *pos, buf[128];
332 int res;
333
334 pos = buf;
335
336 if (wpa_auth->conf.wpa & WPA_PROTO_RSN) {
337 res = wpa_write_rsn_ie(&wpa_auth->conf,
338 pos, buf + sizeof(buf) - pos, NULL);
339 if (res < 0)
340 return res;
341 pos += res;
342 res = wpa_write_rsnxe(&wpa_auth->conf, pos,
343 buf + sizeof(buf) - pos);
344 if (res < 0)
345 return res;
346 pos += res;
347 }
348 #ifdef CONFIG_IEEE80211R_AP
349 if (wpa_key_mgmt_ft(wpa_auth->conf.wpa_key_mgmt)) {
350 res = wpa_write_mdie(&wpa_auth->conf, pos,
351 buf + sizeof(buf) - pos);
352 if (res < 0)
353 return res;
354 pos += res;
355 }
356 #endif /* CONFIG_IEEE80211R_AP */
357 if (wpa_auth->conf.wpa & WPA_PROTO_WPA) {
358 res = wpa_write_wpa_ie(&wpa_auth->conf,
359 pos, buf + sizeof(buf) - pos);
360 if (res < 0)
361 return res;
362 pos += res;
363 }
364
365 os_free(wpa_auth->wpa_ie);
366 wpa_auth->wpa_ie = os_malloc(pos - buf);
367 if (wpa_auth->wpa_ie == NULL)
368 return -1;
369 memcpy(wpa_auth->wpa_ie, buf, pos - buf);
370 wpa_auth->wpa_ie_len = pos - buf;
371
372 return 0;
373 }
374
wpa_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len,const u8 * data2,size_t data2_len)375 u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len,
376 const u8 *data2, size_t data2_len)
377 {
378 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
379 *pos++ = RSN_SELECTOR_LEN + data_len + data2_len;
380 RSN_SELECTOR_PUT(pos, kde);
381 pos += RSN_SELECTOR_LEN;
382 memcpy(pos, data, data_len);
383 pos += data_len;
384 if (data2) {
385 memcpy(pos, data2, data2_len);
386 pos += data2_len;
387 }
388 return pos;
389 }
390
391 enum wpa_validate_result
wpa_validate_wpa_ie(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsnxe,size_t rsnxe_len)392 wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
393 struct wpa_state_machine *sm,
394 const u8 *wpa_ie, size_t wpa_ie_len,
395 const u8 *rsnxe, size_t rsnxe_len/*,
396 const u8 *mdie, size_t mdie_len*/)
397 {
398 struct wpa_ie_data data = {0};
399 int ciphers, key_mgmt, res, version;
400 u32 selector;
401 size_t i;
402 const u8 *pmkid = NULL;
403
404 if (wpa_auth == NULL || sm == NULL)
405 return WPA_NOT_ENABLED;
406
407 if (wpa_ie == NULL || wpa_ie_len < 1)
408 return WPA_INVALID_IE;
409
410 if (wpa_ie[0] == WLAN_EID_RSN) {
411 version = WPA_PROTO_RSN;
412 } else if (wpa_ie[0] == WLAN_EID_WAPI) {
413 version = WPA_PROTO_WAPI;
414 } else {
415 version = WPA_PROTO_WPA;
416 }
417
418 if (!(wpa_auth->conf.wpa & version)) {
419 wpa_printf( MSG_DEBUG, "Invalid WPA proto (%d) from " MACSTR,
420 version, MAC2STR(sm->addr));
421 return WPA_INVALID_PROTO;
422 }
423
424 if (version == WPA_PROTO_RSN) {
425 res = wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, &data);
426
427 selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
428 if (0) {
429 }
430 #ifdef CONFIG_IEEE80211R_AP
431 else if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
432 selector = RSN_AUTH_KEY_MGMT_FT_802_1X;
433 else if (data.key_mgmt & WPA_KEY_MGMT_FT_PSK)
434 selector = RSN_AUTH_KEY_MGMT_FT_PSK;
435 #endif /* CONFIG_IEEE80211R_AP */
436 #ifdef CONFIG_IEEE80211W
437 else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256)
438 selector = RSN_AUTH_KEY_MGMT_802_1X_SHA256;
439 else if (data.key_mgmt & WPA_KEY_MGMT_PSK_SHA256)
440 selector = RSN_AUTH_KEY_MGMT_PSK_SHA256;
441 #endif /* CONFIG_IEEE80211W */
442 #ifdef CONFIG_SAE
443 else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
444 selector = RSN_AUTH_KEY_MGMT_SAE;
445 else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
446 selector = RSN_AUTH_KEY_MGMT_FT_SAE;
447 #endif /* CONFIG_SAE */
448 else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
449 selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
450 else if (data.key_mgmt & WPA_KEY_MGMT_PSK)
451 selector = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
452
453 selector = wpa_cipher_to_suite(WPA_PROTO_RSN,
454 data.pairwise_cipher);
455 if (!selector)
456 selector = RSN_CIPHER_SUITE_CCMP;
457
458 selector = wpa_cipher_to_suite(WPA_PROTO_RSN,
459 data.group_cipher);
460 if (!selector)
461 selector = RSN_CIPHER_SUITE_CCMP;
462 } else if (version == WPA_PROTO_WAPI) {
463 res = 0;
464 selector = WAPI_CIPHER_SUITE_SMS4;
465 } else {
466 res = wpa_parse_wpa_ie_wpa(wpa_ie, wpa_ie_len, &data);
467
468 selector = WPA_AUTH_KEY_MGMT_UNSPEC_802_1X;
469 if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
470 selector = WPA_AUTH_KEY_MGMT_UNSPEC_802_1X;
471 else if (data.key_mgmt & WPA_KEY_MGMT_PSK)
472 selector = WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X;
473
474 selector = wpa_cipher_to_suite(WPA_PROTO_WPA,
475 data.pairwise_cipher);
476 if (!selector)
477 selector = RSN_CIPHER_SUITE_TKIP;
478
479 selector = wpa_cipher_to_suite(WPA_PROTO_WPA,
480 data.group_cipher);
481 if (!selector)
482 selector = WPA_CIPHER_SUITE_TKIP;
483 }
484 if (res) {
485 wpa_printf( MSG_DEBUG, "Failed to parse WPA/RSN IE from "
486 MACSTR " (res=%d)", MAC2STR(sm->addr), res);
487 wpa_hexdump(MSG_DEBUG, "WPA/RSN IE", wpa_ie, wpa_ie_len);
488 return WPA_INVALID_IE;
489 }
490
491 if (data.group_cipher != wpa_auth->conf.wpa_group) {
492 wpa_printf( MSG_DEBUG, "Invalid WPA group cipher (0x%x) from "
493 MACSTR, data.group_cipher, MAC2STR(sm->addr));
494 return WPA_INVALID_GROUP;
495 }
496
497 key_mgmt = data.key_mgmt & wpa_auth->conf.wpa_key_mgmt;
498 if (!key_mgmt) {
499 wpa_printf( MSG_DEBUG, "Invalid WPA key mgmt (0x%x) from "
500 MACSTR, data.key_mgmt, MAC2STR(sm->addr));
501 return WPA_INVALID_AKMP;
502 }
503 if (0) {
504 }
505 #ifdef CONFIG_IEEE80211R_AP
506 else if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
507 sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
508 else if (key_mgmt & WPA_KEY_MGMT_FT_PSK)
509 sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK;
510 #endif /* CONFIG_IEEE80211R_AP */
511 #ifdef CONFIG_IEEE80211W
512 else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256)
513 sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256;
514 else if (key_mgmt & WPA_KEY_MGMT_PSK_SHA256)
515 sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK_SHA256;
516 #endif /* CONFIG_IEEE80211W */
517 #ifdef CONFIG_SAE
518 else if (key_mgmt & WPA_KEY_MGMT_SAE)
519 sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
520 else if (key_mgmt & WPA_KEY_MGMT_FT_SAE)
521 sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE;
522 #endif /* CONFIG_SAE */
523 else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
524 sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;
525 else
526 sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
527
528 if (version == WPA_PROTO_RSN)
529 ciphers = data.pairwise_cipher & wpa_auth->conf.rsn_pairwise;
530 else
531 ciphers = data.pairwise_cipher & wpa_auth->conf.wpa_pairwise;
532 if (!ciphers) {
533 wpa_printf( MSG_DEBUG, "Invalid %s pairwise cipher (0x%x) "
534 "from " MACSTR,
535 version == WPA_PROTO_RSN ? "RSN" : "WPA",
536 data.pairwise_cipher, MAC2STR(sm->addr));
537 return WPA_INVALID_PAIRWISE;
538 }
539
540 if (data.capabilities & WPA_CAPABILITY_SPP_CAPABLE) {
541 sm->spp_sup.capable = SPP_AMSDU_CAP_ENABLE;
542 } else {
543 sm->spp_sup.capable = SPP_AMSDU_CAP_DISABLE;
544 }
545
546 if (data.capabilities & WPA_CAPABILITY_SPP_REQUIRED) {
547 sm->spp_sup.require = SPP_AMSDU_REQ_ENABLE;
548 } else {
549 sm->spp_sup.require = SPP_AMSDU_REQ_DISABLE;
550 }
551
552 #ifdef CONFIG_IEEE80211W
553 if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_REQUIRED) {
554 if (!(data.capabilities & WPA_CAPABILITY_MFPC)) {
555 wpa_printf( MSG_DEBUG, "Management frame protection "
556 "required, but client did not enable it");
557 return WPA_MGMT_FRAME_PROTECTION_VIOLATION;
558 }
559
560 if (ciphers & WPA_CIPHER_TKIP) {
561 wpa_printf( MSG_DEBUG, "Management frame protection "
562 "cannot use TKIP");
563 return WPA_MGMT_FRAME_PROTECTION_VIOLATION;
564 }
565
566 if (data.mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC) {
567 wpa_printf( MSG_DEBUG, "Unsupported management group "
568 "cipher %d", data.mgmt_group_cipher);
569 return WPA_INVALID_MGMT_GROUP_CIPHER;
570 }
571 }
572
573 if (wpa_auth->conf.ieee80211w == NO_MGMT_FRAME_PROTECTION ||
574 !(data.capabilities & WPA_CAPABILITY_MFPC))
575 sm->mgmt_frame_prot = 0;
576 else
577 sm->mgmt_frame_prot = 1;
578 #endif /* CONFIG_IEEE80211W */
579
580 #ifdef CONFIG_IEEE80211R_AP
581 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
582 if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) {
583 wpa_printf( MSG_DEBUG, "RSN: Trying to use FT, but "
584 "MDIE not included");
585 return WPA_INVALID_MDIE;
586 }
587 if (memcmp(mdie, wpa_auth->conf.mobility_domain,
588 MOBILITY_DOMAIN_ID_LEN) != 0) {
589 wpa_hexdump(MSG_DEBUG, "RSN: Attempted to use unknown "
590 "MDIE", mdie, MOBILITY_DOMAIN_ID_LEN);
591 return WPA_INVALID_MDIE;
592 }
593 }
594 #endif /* CONFIG_IEEE80211R_AP */
595
596 if (ciphers & WPA_CIPHER_CCMP)
597 sm->pairwise = WPA_CIPHER_CCMP;
598 else if (ciphers & WPA_CIPHER_GCMP)
599 sm->pairwise = WPA_CIPHER_GCMP;
600 else
601 sm->pairwise = WPA_CIPHER_TKIP;
602
603 /* TODO: clear WPA/WPA2 state if STA changes from one to another */
604 if (wpa_ie[0] == WLAN_EID_RSN)
605 sm->wpa = WPA_VERSION_WPA2;
606 else
607 sm->wpa = WPA_VERSION_WPA;
608
609 sm->pmksa = NULL;
610 for (i = 0; i < data.num_pmkid; i++) {
611 wpa_hexdump(MSG_DEBUG, "RSN IE: STA PMKID",
612 &data.pmkid[i * PMKID_LEN], PMKID_LEN);
613 sm->pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sm->addr,
614 &data.pmkid[i * PMKID_LEN]);
615 if (sm->pmksa) {
616 pmkid = sm->pmksa->pmkid;
617 break;
618 }
619 }
620 if (sm->pmksa && pmkid) {
621 wpa_printf(MSG_DEBUG, "PMKID found from PMKSA cache");
622 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmkid, PMKID_LEN);
623 }
624
625 #ifdef CONFIG_SAE
626 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_SAE && data.num_pmkid &&
627 !sm->pmksa) {
628 wpa_printf(MSG_DEBUG, "No PMKSA cache entry found for SAE");
629 return WPA_INVALID_PMKID;
630 }
631 #endif /* CONFIG_SAE */
632 if (sm->wpa_ie == NULL || sm->wpa_ie_len < wpa_ie_len) {
633 os_free(sm->wpa_ie);
634 sm->wpa_ie = os_malloc(wpa_ie_len);
635 if (sm->wpa_ie == NULL)
636 return WPA_ALLOC_FAIL;
637 }
638 memcpy(sm->wpa_ie, wpa_ie, wpa_ie_len);
639 sm->wpa_ie_len = wpa_ie_len;
640 if (rsnxe && rsnxe_len) {
641 if (!sm->rsnxe || sm->rsnxe_len < rsnxe_len) {
642 os_free(sm->rsnxe);
643 sm->rsnxe = os_malloc(rsnxe_len);
644 if (!sm->rsnxe)
645 return WPA_ALLOC_FAIL;
646 }
647 os_memcpy(sm->rsnxe, rsnxe, rsnxe_len);
648 sm->rsnxe_len = rsnxe_len;
649 } else {
650 os_free(sm->rsnxe);
651 sm->rsnxe = NULL;
652 sm->rsnxe_len = 0;
653 }
654
655 return WPA_IE_OK;
656 }
657
658 /**
659 * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
660 * @pos: Pointer to the IE header
661 * @end: Pointer to the end of the Key Data buffer
662 * @ie: Pointer to parsed IE data
663 * Returns: 0 on success, 1 if end mark is found, -1 on failure
664 */
wpa_parse_generic(const u8 * pos,const u8 * end,struct wpa_eapol_ie_parse * ie)665 static int wpa_parse_generic(const u8 *pos, const u8 *end,
666 struct wpa_eapol_ie_parse *ie)
667 {
668 if (pos[1] == 0)
669 return 1;
670
671 if (pos[1] >= 6 &&
672 RSN_SELECTOR_GET(pos + 2) == WPA_OUI_TYPE &&
673 pos[2 + WPA_SELECTOR_LEN] == 1 &&
674 pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
675 ie->wpa_ie = pos;
676 ie->wpa_ie_len = pos[1] + 2;
677 return 0;
678 }
679
680 if (pos + 1 + RSN_SELECTOR_LEN < end &&
681 pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
682 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
683 ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
684 return 0;
685 }
686
687 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
688 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) {
689 ie->gtk = pos + 2 + RSN_SELECTOR_LEN;
690 ie->gtk_len = pos[1] - RSN_SELECTOR_LEN;
691 return 0;
692 }
693
694 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
695 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_MAC_ADDR) {
696 ie->mac_addr = pos + 2 + RSN_SELECTOR_LEN;
697 ie->mac_addr_len = pos[1] - RSN_SELECTOR_LEN;
698 return 0;
699 }
700
701 #ifdef CONFIG_IEEE80211W
702 if (pos[1] > RSN_SELECTOR_LEN + 2 &&
703 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_IGTK) {
704 ie->igtk = pos + 2 + RSN_SELECTOR_LEN;
705 ie->igtk_len = pos[1] - RSN_SELECTOR_LEN;
706 return 0;
707 }
708 #endif /* CONFIG_IEEE80211W */
709
710 return 0;
711 }
712
713
714 /**
715 * wpa_parse_kde_ies - Parse EAPOL-Key Key Data IEs
716 * @buf: Pointer to the Key Data buffer
717 * @len: Key Data Length
718 * @ie: Pointer to parsed IE data
719 * Returns: 0 on success, -1 on failure
720 */
wpa_parse_kde_ies(const u8 * buf,size_t len,struct wpa_eapol_ie_parse * ie)721 int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
722 {
723 const u8 *pos, *end;
724 int ret = 0;
725
726 memset(ie, 0, sizeof(*ie));
727 for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) {
728 if (pos[0] == 0xdd &&
729 ((pos == buf + len - 1) || pos[1] == 0)) {
730 /* Ignore padding */
731 break;
732 }
733 if (pos + 2 + pos[1] > end) {
734 wpa_printf( MSG_DEBUG, "WPA: EAPOL-Key Key Data "
735 "underflow (ie=%d len=%d pos=%d)",
736 pos[0], pos[1], (int) (pos - buf));
737 wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data",
738 buf, len);
739 ret = -1;
740 break;
741 }
742 if (*pos == WLAN_EID_RSN) {
743 ie->rsn_ie = pos;
744 ie->rsn_ie_len = pos[1] + 2;
745 #ifdef CONFIG_IEEE80211R_AP
746 } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
747 ie->mdie = pos;
748 ie->mdie_len = pos[1] + 2;
749 } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
750 ie->ftie = pos;
751 ie->ftie_len = pos[1] + 2;
752 #endif /* CONFIG_IEEE80211R_AP */
753 } else if (*pos == WLAN_EID_RSNX) {
754 ie->rsnxe = pos;
755 ie->rsnxe_len = pos[1] + 2;
756 wpa_hexdump(MSG_DEBUG, "WPA: RSNXE in EAPOL-Key",
757 ie->rsnxe, ie->rsnxe_len);
758 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
759 ret = wpa_parse_generic(pos, end, ie);
760 if (ret < 0)
761 break;
762 if (ret > 0) {
763 ret = 0;
764 break;
765 }
766 } else {
767 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized EAPOL-Key "
768 "Key Data IE", pos, 2 + pos[1]);
769 }
770 }
771
772 return ret;
773 }
774
775
wpa_auth_uses_mfp(struct wpa_state_machine * sm)776 int wpa_auth_uses_mfp(struct wpa_state_machine *sm)
777 {
778 return sm ? sm->mgmt_frame_prot : 0;
779 }
780
