1 /* $OpenBSD: ieee80211_pae_input.c,v 1.37 2020/11/19 20:03:33 krw Exp $ */ 2 3 /*- 4 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the 4-Way Handshake and Group Key Handshake protocols 21 * (both Supplicant and Authenticator Key Receive state machines) defined in 22 * IEEE Std 802.11-2007 section 8.5. 23 */ 24 25 #include <sys/param.h> 26 #include <sys/systm.h> 27 #include <sys/mbuf.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/sockio.h> 31 #include <sys/errno.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 37 #include <netinet/in.h> 38 #include <netinet/if_ether.h> 39 40 #include <net80211/ieee80211_var.h> 41 #include <net80211/ieee80211_priv.h> 42 43 void ieee80211_recv_4way_msg1(struct ieee80211com *, 44 struct ieee80211_eapol_key *, struct ieee80211_node *); 45 #ifndef IEEE80211_STA_ONLY 46 void ieee80211_recv_4way_msg2(struct ieee80211com *, 47 struct ieee80211_eapol_key *, struct ieee80211_node *, 48 const u_int8_t *); 49 #endif 50 int ieee80211_must_update_group_key(struct ieee80211_key *, const uint8_t *, 51 int); 52 void ieee80211_recv_4way_msg3(struct ieee80211com *, 53 struct ieee80211_eapol_key *, struct ieee80211_node *); 54 #ifndef IEEE80211_STA_ONLY 55 void ieee80211_recv_4way_msg4(struct ieee80211com *, 56 struct ieee80211_eapol_key *, struct ieee80211_node *); 57 void ieee80211_recv_4way_msg2or4(struct ieee80211com *, 58 struct ieee80211_eapol_key *, struct ieee80211_node *); 59 #endif 60 void ieee80211_recv_rsn_group_msg1(struct ieee80211com *, 61 struct ieee80211_eapol_key *, struct ieee80211_node *); 62 void ieee80211_recv_wpa_group_msg1(struct ieee80211com *, 63 struct ieee80211_eapol_key *, struct ieee80211_node *); 64 #ifndef IEEE80211_STA_ONLY 65 void ieee80211_recv_group_msg2(struct ieee80211com *, 66 struct ieee80211_eapol_key *, struct ieee80211_node *); 67 void ieee80211_recv_eapol_key_req(struct ieee80211com *, 68 struct ieee80211_eapol_key *, struct ieee80211_node *); 69 #endif 70 71 /* 72 * Process an incoming EAPOL frame. Notice that we are only interested in 73 * EAPOL-Key frames with an IEEE 802.11 or WPA descriptor type. 74 */ 75 void 76 ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m, 77 struct ieee80211_node *ni) 78 { 79 struct ifnet *ifp = &ic->ic_if; 80 struct ether_header *eh; 81 struct ieee80211_eapol_key *key; 82 u_int16_t info, desc; 83 int totlen, bodylen, paylen; 84 85 ifp->if_ibytes += m->m_pkthdr.len; 86 87 eh = mtod(m, struct ether_header *); 88 if (IEEE80211_IS_MULTICAST(eh->ether_dhost)) { 89 ifp->if_imcasts++; 90 goto done; 91 } 92 m_adj(m, sizeof(*eh)); 93 94 if (m->m_pkthdr.len < sizeof(*key)) 95 goto done; 96 if (m->m_len < sizeof(*key) && 97 (m = m_pullup(m, sizeof(*key))) == NULL) { 98 ic->ic_stats.is_rx_nombuf++; 99 goto done; 100 } 101 key = mtod(m, struct ieee80211_eapol_key *); 102 103 if (key->type != EAPOL_KEY) 104 goto done; 105 ic->ic_stats.is_rx_eapol_key++; 106 107 if ((ni->ni_rsnprotos == IEEE80211_PROTO_RSN && 108 key->desc != EAPOL_KEY_DESC_IEEE80211) || 109 (ni->ni_rsnprotos == IEEE80211_PROTO_WPA && 110 key->desc != EAPOL_KEY_DESC_WPA)) 111 goto done; 112 113 /* check packet body length */ 114 bodylen = BE_READ_2(key->len); 115 totlen = 4 + bodylen; 116 if (m->m_pkthdr.len < totlen || totlen > MCLBYTES) 117 goto done; 118 119 /* check key data length */ 120 paylen = BE_READ_2(key->paylen); 121 if (paylen > totlen - sizeof(*key)) 122 goto done; 123 124 info = BE_READ_2(key->info); 125 126 /* discard EAPOL-Key frames with an unknown descriptor version */ 127 desc = info & EAPOL_KEY_VERSION_MASK; 128 if (desc < EAPOL_KEY_DESC_V1 || desc > EAPOL_KEY_DESC_V3) 129 goto done; 130 131 if (ieee80211_is_sha256_akm(ni->ni_rsnakms)) { 132 if (desc != EAPOL_KEY_DESC_V3) 133 goto done; 134 } else if (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP || 135 ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP) { 136 if (desc != EAPOL_KEY_DESC_V2) 137 goto done; 138 } 139 140 /* make sure the key data field is contiguous */ 141 if (m->m_len < totlen && (m = m_pullup(m, totlen)) == NULL) { 142 ic->ic_stats.is_rx_nombuf++; 143 goto done; 144 } 145 key = mtod(m, struct ieee80211_eapol_key *); 146 147 /* determine message type (see 8.5.3.7) */ 148 if (info & EAPOL_KEY_REQUEST) { 149 #ifndef IEEE80211_STA_ONLY 150 /* EAPOL-Key Request frame */ 151 ieee80211_recv_eapol_key_req(ic, key, ni); 152 #endif 153 } else if (info & EAPOL_KEY_PAIRWISE) { 154 /* 4-Way Handshake */ 155 if (info & EAPOL_KEY_KEYMIC) { 156 if (info & EAPOL_KEY_KEYACK) 157 ieee80211_recv_4way_msg3(ic, key, ni); 158 #ifndef IEEE80211_STA_ONLY 159 else 160 ieee80211_recv_4way_msg2or4(ic, key, ni); 161 #endif 162 } else if (info & EAPOL_KEY_KEYACK) 163 ieee80211_recv_4way_msg1(ic, key, ni); 164 } else { 165 /* Group Key Handshake */ 166 if (!(info & EAPOL_KEY_KEYMIC)) 167 goto done; 168 if (info & EAPOL_KEY_KEYACK) { 169 if (key->desc == EAPOL_KEY_DESC_WPA) 170 ieee80211_recv_wpa_group_msg1(ic, key, ni); 171 else 172 ieee80211_recv_rsn_group_msg1(ic, key, ni); 173 } 174 #ifndef IEEE80211_STA_ONLY 175 else 176 ieee80211_recv_group_msg2(ic, key, ni); 177 #endif 178 } 179 done: 180 m_freem(m); 181 } 182 183 /* 184 * Process Message 1 of the 4-Way Handshake (sent by Authenticator). 185 */ 186 void 187 ieee80211_recv_4way_msg1(struct ieee80211com *ic, 188 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 189 { 190 struct ieee80211_ptk tptk; 191 struct ieee80211_pmk *pmk; 192 const u_int8_t *frm, *efrm; 193 const u_int8_t *pmkid; 194 195 #ifndef IEEE80211_STA_ONLY 196 if (ic->ic_opmode != IEEE80211_M_STA && 197 ic->ic_opmode != IEEE80211_M_IBSS) 198 return; 199 #endif 200 /* 201 * Message 1 is always expected while RSN is active since some 202 * APs will rekey the PTK by sending Msg1/4 after some time. 203 */ 204 if (ni->ni_rsn_supp_state == RSNA_SUPP_INITIALIZE) { 205 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 206 return; 207 } 208 /* enforce monotonicity of key request replay counter */ 209 if (ni->ni_replaycnt_ok && 210 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 211 ic->ic_stats.is_rx_eapol_replay++; 212 return; 213 } 214 215 /* parse key data field (may contain an encapsulated PMKID) */ 216 frm = (const u_int8_t *)&key[1]; 217 efrm = frm + BE_READ_2(key->paylen); 218 219 pmkid = NULL; 220 while (frm + 2 <= efrm) { 221 if (frm + 2 + frm[1] > efrm) 222 break; 223 switch (frm[0]) { 224 case IEEE80211_ELEMID_VENDOR: 225 if (frm[1] < 4) 226 break; 227 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 228 switch (frm[5]) { 229 case IEEE80211_KDE_PMKID: 230 pmkid = frm; 231 break; 232 } 233 } 234 break; 235 } 236 frm += 2 + frm[1]; 237 } 238 /* check that the PMKID KDE is valid (if present) */ 239 if (pmkid != NULL && pmkid[1] != 4 + 16) 240 return; 241 242 if (ieee80211_is_8021x_akm(ni->ni_rsnakms)) { 243 /* retrieve the PMK for this (AP,PMKID) */ 244 pmk = ieee80211_pmksa_find(ic, ni, 245 (pmkid != NULL) ? &pmkid[6] : NULL); 246 if (pmk == NULL) { 247 DPRINTF(("no PMK available for %s\n", 248 ether_sprintf(ni->ni_macaddr))); 249 return; 250 } 251 memcpy(ni->ni_pmk, pmk->pmk_key, IEEE80211_PMK_LEN); 252 } else /* use pre-shared key */ 253 memcpy(ni->ni_pmk, ic->ic_psk, IEEE80211_PMK_LEN); 254 ni->ni_flags |= IEEE80211_NODE_PMK; 255 256 /* save authenticator's nonce (ANonce) */ 257 memcpy(ni->ni_nonce, key->nonce, EAPOL_KEY_NONCE_LEN); 258 259 /* generate supplicant's nonce (SNonce) */ 260 arc4random_buf(ic->ic_nonce, EAPOL_KEY_NONCE_LEN); 261 262 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 263 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 264 ic->ic_myaddr, ni->ni_nonce, ic->ic_nonce, &tptk); 265 266 /* We are now expecting a new pairwise key. */ 267 ni->ni_flags |= IEEE80211_NODE_RSN_NEW_PTK; 268 269 if (ic->ic_if.if_flags & IFF_DEBUG) 270 printf("%s: received msg %d/%d of the %s handshake from %s\n", 271 ic->ic_if.if_xname, 1, 4, "4-way", 272 ether_sprintf(ni->ni_macaddr)); 273 274 /* send message 2 to authenticator using TPTK */ 275 (void)ieee80211_send_4way_msg2(ic, ni, key->replaycnt, &tptk); 276 } 277 278 #ifndef IEEE80211_STA_ONLY 279 /* 280 * Process Message 2 of the 4-Way Handshake (sent by Supplicant). 281 */ 282 void 283 ieee80211_recv_4way_msg2(struct ieee80211com *ic, 284 struct ieee80211_eapol_key *key, struct ieee80211_node *ni, 285 const u_int8_t *rsnie) 286 { 287 struct ieee80211_ptk tptk; 288 289 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 290 ic->ic_opmode != IEEE80211_M_IBSS) 291 return; 292 293 /* discard if we're not expecting this message */ 294 if (ni->ni_rsn_state != RSNA_PTKSTART && 295 ni->ni_rsn_state != RSNA_PTKCALCNEGOTIATING) { 296 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 297 return; 298 } 299 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING; 300 301 /* NB: replay counter has already been verified by caller */ 302 303 /* PTK = CalcPTK(ANonce, SNonce) */ 304 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ic->ic_myaddr, 305 ni->ni_macaddr, ni->ni_nonce, key->nonce, &tptk); 306 307 /* check Key MIC field using KCK */ 308 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 309 DPRINTF(("key MIC failed\n")); 310 ic->ic_stats.is_rx_eapol_badmic++; 311 return; /* will timeout.. */ 312 } 313 314 timeout_del(&ni->ni_eapol_to); 315 ni->ni_rsn_state = RSNA_PTKCALCNEGOTIATING_2; 316 ni->ni_rsn_retries = 0; 317 318 /* install TPTK as PTK now that MIC is verified */ 319 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 320 321 /* 322 * The RSN IE must match bit-wise with what the STA included in its 323 * (Re)Association Request. 324 */ 325 if (ni->ni_rsnie == NULL || rsnie[1] != ni->ni_rsnie[1] || 326 memcmp(rsnie, ni->ni_rsnie, 2 + rsnie[1]) != 0) { 327 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 328 IEEE80211_REASON_RSN_DIFFERENT_IE); 329 ieee80211_node_leave(ic, ni); 330 return; 331 } 332 333 if (ic->ic_if.if_flags & IFF_DEBUG) 334 printf("%s: received msg %d/%d of the %s handshake from %s\n", 335 ic->ic_if.if_xname, 2, 4, "4-way", 336 ether_sprintf(ni->ni_macaddr)); 337 338 /* send message 3 to supplicant */ 339 (void)ieee80211_send_4way_msg3(ic, ni); 340 } 341 #endif /* IEEE80211_STA_ONLY */ 342 343 /* 344 * Check if a group key must be updated with a new GTK from an EAPOL frame. 345 * Manipulated group key handshake messages could trick clients into 346 * reinstalling an already used group key and hence lower or reset the 347 * associated replay counter. This check prevents such attacks. 348 */ 349 int 350 ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk, 351 int len) 352 { 353 return (k->k_cipher == IEEE80211_CIPHER_NONE || k->k_len != len || 354 memcmp(k->k_key, gtk, len) != 0); 355 } 356 357 /* 358 * Process Message 3 of the 4-Way Handshake (sent by Authenticator). 359 */ 360 void 361 ieee80211_recv_4way_msg3(struct ieee80211com *ic, 362 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 363 { 364 struct ieee80211_ptk tptk; 365 struct ieee80211_key *k; 366 const u_int8_t *frm, *efrm; 367 const u_int8_t *rsnie1, *rsnie2, *gtk, *igtk; 368 u_int16_t info, reason = 0; 369 int keylen, deferlink = 0; 370 371 #ifndef IEEE80211_STA_ONLY 372 if (ic->ic_opmode != IEEE80211_M_STA && 373 ic->ic_opmode != IEEE80211_M_IBSS) 374 return; 375 #endif 376 /* discard if we're not expecting this message */ 377 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKNEGOTIATING && 378 ni->ni_rsn_supp_state != RSNA_SUPP_PTKDONE) { 379 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 380 return; 381 } 382 /* enforce monotonicity of key request replay counter */ 383 if (ni->ni_replaycnt_ok && 384 BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 385 ic->ic_stats.is_rx_eapol_replay++; 386 return; 387 } 388 /* make sure that a PMK has been selected */ 389 if (!(ni->ni_flags & IEEE80211_NODE_PMK)) { 390 DPRINTF(("no PMK found for %s\n", 391 ether_sprintf(ni->ni_macaddr))); 392 return; 393 } 394 /* check that ANonce matches that of Message 1 */ 395 if (memcmp(key->nonce, ni->ni_nonce, EAPOL_KEY_NONCE_LEN) != 0) { 396 DPRINTF(("ANonce does not match msg 1/4\n")); 397 return; 398 } 399 /* TPTK = CalcPTK(PMK, ANonce, SNonce) */ 400 ieee80211_derive_ptk(ni->ni_rsnakms, ni->ni_pmk, ni->ni_macaddr, 401 ic->ic_myaddr, key->nonce, ic->ic_nonce, &tptk); 402 403 info = BE_READ_2(key->info); 404 405 /* check Key MIC field using KCK */ 406 if (ieee80211_eapol_key_check_mic(key, tptk.kck) != 0) { 407 DPRINTF(("key MIC failed\n")); 408 ic->ic_stats.is_rx_eapol_badmic++; 409 return; 410 } 411 /* install TPTK as PTK now that MIC is verified */ 412 memcpy(&ni->ni_ptk, &tptk, sizeof(tptk)); 413 414 /* if encrypted, decrypt Key Data field using KEK */ 415 if ((info & EAPOL_KEY_ENCRYPTED) && 416 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 417 DPRINTF(("decryption failed\n")); 418 return; 419 } 420 421 /* parse key data field */ 422 frm = (const u_int8_t *)&key[1]; 423 efrm = frm + BE_READ_2(key->paylen); 424 425 /* 426 * Some WPA1+WPA2 APs (like hostapd) appear to include both WPA and 427 * RSN IEs in message 3/4. We only take into account the IE of the 428 * version of the protocol we negotiated at association time. 429 */ 430 rsnie1 = rsnie2 = gtk = igtk = NULL; 431 while (frm + 2 <= efrm) { 432 if (frm + 2 + frm[1] > efrm) 433 break; 434 switch (frm[0]) { 435 case IEEE80211_ELEMID_RSN: 436 if (ni->ni_rsnprotos != IEEE80211_PROTO_RSN) 437 break; 438 if (rsnie1 == NULL) 439 rsnie1 = frm; 440 else if (rsnie2 == NULL) 441 rsnie2 = frm; 442 /* ignore others if more than two RSN IEs */ 443 break; 444 case IEEE80211_ELEMID_VENDOR: 445 if (frm[1] < 4) 446 break; 447 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 448 switch (frm[5]) { 449 case IEEE80211_KDE_GTK: 450 gtk = frm; 451 break; 452 case IEEE80211_KDE_IGTK: 453 if (ni->ni_flags & IEEE80211_NODE_MFP) 454 igtk = frm; 455 break; 456 } 457 } else if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 458 switch (frm[5]) { 459 case 1: /* WPA */ 460 if (ni->ni_rsnprotos != 461 IEEE80211_PROTO_WPA) 462 break; 463 rsnie1 = frm; 464 break; 465 } 466 } 467 break; 468 } 469 frm += 2 + frm[1]; 470 } 471 /* first WPA/RSN IE is mandatory */ 472 if (rsnie1 == NULL) { 473 DPRINTF(("missing RSN IE\n")); 474 return; 475 } 476 /* key data must be encrypted if GTK is included */ 477 if (gtk != NULL && !(info & EAPOL_KEY_ENCRYPTED)) { 478 DPRINTF(("GTK not encrypted\n")); 479 return; 480 } 481 /* GTK KDE must be included if IGTK KDE is present */ 482 if (igtk != NULL && gtk == NULL) { 483 DPRINTF(("IGTK KDE found but GTK KDE missing\n")); 484 return; 485 } 486 /* check that the Install bit is set if using pairwise keys */ 487 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 488 !(info & EAPOL_KEY_INSTALL)) { 489 DPRINTF(("pairwise cipher but !Install\n")); 490 return; 491 } 492 493 /* 494 * Check that first WPA/RSN IE is identical to the one received in 495 * the beacon or probe response frame. 496 */ 497 if (ni->ni_rsnie == NULL || rsnie1[1] != ni->ni_rsnie[1] || 498 memcmp(rsnie1, ni->ni_rsnie, 2 + rsnie1[1]) != 0) { 499 reason = IEEE80211_REASON_RSN_DIFFERENT_IE; 500 goto deauth; 501 } 502 503 /* 504 * If a second RSN information element is present, use its pairwise 505 * cipher suite or deauthenticate. 506 */ 507 if (rsnie2 != NULL) { 508 struct ieee80211_rsnparams rsn; 509 510 if (ieee80211_parse_rsn(ic, rsnie2, &rsn) == 0) { 511 if (rsn.rsn_akms != ni->ni_rsnakms || 512 rsn.rsn_groupcipher != ni->ni_rsngroupcipher || 513 rsn.rsn_nciphers != 1 || 514 !(rsn.rsn_ciphers & ic->ic_rsnciphers)) { 515 reason = IEEE80211_REASON_BAD_PAIRWISE_CIPHER; 516 goto deauth; 517 } 518 /* use pairwise cipher suite of second RSN IE */ 519 ni->ni_rsnciphers = rsn.rsn_ciphers; 520 ni->ni_rsncipher = ni->ni_rsnciphers; 521 } 522 } 523 524 /* update the last seen value of the key replay counter field */ 525 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 526 ni->ni_replaycnt_ok = 1; 527 528 if (ic->ic_if.if_flags & IFF_DEBUG) 529 printf("%s: received msg %d/%d of the %s handshake from %s\n", 530 ic->ic_if.if_xname, 3, 4, "4-way", 531 ether_sprintf(ni->ni_macaddr)); 532 533 /* send message 4 to authenticator */ 534 if (ieee80211_send_4way_msg4(ic, ni) != 0) 535 return; /* ..authenticator will retry */ 536 537 /* 538 * Only install a new pairwise key if we are still expecting a new key, 539 * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be 540 * sending manipulated retransmissions of message 3 of the 4-way 541 * handshake in an attempt to trick us into reinstalling an already 542 * used pairwise key. If this attack succeeded, the incremental nonce 543 * and replay counter associated with the key would be reset. 544 * Against CCMP, the adversary could abuse this to replay and decrypt 545 * packets. Against TKIP, it would become possible to replay, decrypt, 546 * and forge packets. 547 */ 548 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && 549 (ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) { 550 u_int64_t prsc; 551 552 /* check that key length matches that of pairwise cipher */ 553 keylen = ieee80211_cipher_keylen(ni->ni_rsncipher); 554 if (BE_READ_2(key->keylen) != keylen) { 555 reason = IEEE80211_REASON_AUTH_LEAVE; 556 goto deauth; 557 } 558 prsc = (gtk == NULL) ? LE_READ_6(key->rsc) : 0; 559 560 /* map PTK to 802.11 key */ 561 k = &ni->ni_pairwise_key; 562 memset(k, 0, sizeof(*k)); 563 k->k_cipher = ni->ni_rsncipher; 564 k->k_rsc[0] = prsc; 565 k->k_len = keylen; 566 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 567 /* install the PTK */ 568 switch ((*ic->ic_set_key)(ic, ni, k)) { 569 case 0: 570 break; 571 case EBUSY: 572 deferlink = 1; 573 break; 574 default: 575 reason = IEEE80211_REASON_AUTH_LEAVE; 576 goto deauth; 577 } 578 ni->ni_flags &= ~IEEE80211_NODE_RSN_NEW_PTK; 579 ni->ni_flags &= ~IEEE80211_NODE_TXRXPROT; 580 ni->ni_flags |= IEEE80211_NODE_RXPROT; 581 } else if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) 582 printf("%s: unexpected pairwise key update received from %s\n", 583 ic->ic_if.if_xname, ether_sprintf(ni->ni_macaddr)); 584 585 if (gtk != NULL) { 586 u_int8_t kid; 587 588 /* check that key length matches that of group cipher */ 589 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 590 if (gtk[1] != 6 + keylen) { 591 reason = IEEE80211_REASON_AUTH_LEAVE; 592 goto deauth; 593 } 594 /* map GTK to 802.11 key */ 595 kid = gtk[6] & 3; 596 k = &ic->ic_nw_keys[kid]; 597 if (ieee80211_must_update_group_key(k, >k[8], keylen)) { 598 memset(k, 0, sizeof(*k)); 599 k->k_id = kid; /* 0-3 */ 600 k->k_cipher = ni->ni_rsngroupcipher; 601 k->k_flags = IEEE80211_KEY_GROUP; 602 if (gtk[6] & (1 << 2)) 603 k->k_flags |= IEEE80211_KEY_TX; 604 k->k_rsc[0] = LE_READ_6(key->rsc); 605 k->k_len = keylen; 606 memcpy(k->k_key, >k[8], k->k_len); 607 /* install the GTK */ 608 switch ((*ic->ic_set_key)(ic, ni, k)) { 609 case 0: 610 break; 611 case EBUSY: 612 deferlink = 1; 613 break; 614 default: 615 reason = IEEE80211_REASON_AUTH_LEAVE; 616 goto deauth; 617 } 618 } 619 } 620 if (igtk != NULL) { /* implies MFP && gtk != NULL */ 621 u_int16_t kid; 622 623 /* check that the IGTK KDE is valid */ 624 if (igtk[1] != 4 + 24) { 625 reason = IEEE80211_REASON_AUTH_LEAVE; 626 goto deauth; 627 } 628 kid = LE_READ_2(&igtk[6]); 629 if (kid != 4 && kid != 5) { 630 DPRINTF(("unsupported IGTK id %u\n", kid)); 631 reason = IEEE80211_REASON_AUTH_LEAVE; 632 goto deauth; 633 } 634 /* map IGTK to 802.11 key */ 635 k = &ic->ic_nw_keys[kid]; 636 if (ieee80211_must_update_group_key(k, &igtk[14], 16)) { 637 memset(k, 0, sizeof(*k)); 638 k->k_id = kid; /* either 4 or 5 */ 639 k->k_cipher = ni->ni_rsngroupmgmtcipher; 640 k->k_flags = IEEE80211_KEY_IGTK; 641 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 642 k->k_len = 16; 643 memcpy(k->k_key, &igtk[14], k->k_len); 644 /* install the IGTK */ 645 switch ((*ic->ic_set_key)(ic, ni, k)) { 646 case 0: 647 break; 648 case EBUSY: 649 deferlink = 1; 650 break; 651 default: 652 reason = IEEE80211_REASON_AUTH_LEAVE; 653 goto deauth; 654 } 655 } 656 } 657 if (info & EAPOL_KEY_INSTALL) 658 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 659 660 if (info & EAPOL_KEY_SECURE) { 661 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 662 #ifndef IEEE80211_STA_ONLY 663 if (ic->ic_opmode != IEEE80211_M_IBSS || 664 ++ni->ni_key_count == 2) 665 #endif 666 { 667 if (deferlink == 0) { 668 DPRINTF(("marking port %s valid\n", 669 ether_sprintf(ni->ni_macaddr))); 670 ni->ni_port_valid = 1; 671 ieee80211_set_link_state(ic, LINK_STATE_UP); 672 } 673 ni->ni_assoc_fail = 0; 674 if (ic->ic_opmode == IEEE80211_M_STA) 675 ic->ic_rsngroupcipher = ni->ni_rsngroupcipher; 676 } 677 } 678 deauth: 679 if (reason != 0) { 680 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 681 reason); 682 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 683 } 684 } 685 686 #ifndef IEEE80211_STA_ONLY 687 /* 688 * Process Message 4 of the 4-Way Handshake (sent by Supplicant). 689 */ 690 void 691 ieee80211_recv_4way_msg4(struct ieee80211com *ic, 692 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 693 { 694 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 695 ic->ic_opmode != IEEE80211_M_IBSS) 696 return; 697 698 /* discard if we're not expecting this message */ 699 if (ni->ni_rsn_state != RSNA_PTKINITNEGOTIATING) { 700 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 701 return; 702 } 703 704 /* NB: replay counter has already been verified by caller */ 705 706 /* check Key MIC field using KCK */ 707 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 708 DPRINTF(("key MIC failed\n")); 709 ic->ic_stats.is_rx_eapol_badmic++; 710 return; /* will timeout.. */ 711 } 712 713 timeout_del(&ni->ni_eapol_to); 714 ni->ni_rsn_state = RSNA_PTKINITDONE; 715 ni->ni_rsn_retries = 0; 716 717 if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP) { 718 struct ieee80211_key *k; 719 720 /* map PTK to 802.11 key */ 721 k = &ni->ni_pairwise_key; 722 memset(k, 0, sizeof(*k)); 723 k->k_cipher = ni->ni_rsncipher; 724 k->k_len = ieee80211_cipher_keylen(k->k_cipher); 725 memcpy(k->k_key, ni->ni_ptk.tk, k->k_len); 726 /* install the PTK */ 727 switch ((*ic->ic_set_key)(ic, ni, k)) { 728 case 0: 729 case EBUSY: 730 break; 731 default: 732 IEEE80211_SEND_MGMT(ic, ni, 733 IEEE80211_FC0_SUBTYPE_DEAUTH, 734 IEEE80211_REASON_ASSOC_TOOMANY); 735 ieee80211_node_leave(ic, ni); 736 return; 737 } 738 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 739 } 740 if (ic->ic_opmode != IEEE80211_M_IBSS || ++ni->ni_key_count == 2) { 741 DPRINTF(("marking port %s valid\n", 742 ether_sprintf(ni->ni_macaddr))); 743 ni->ni_port_valid = 1; 744 } 745 746 if (ic->ic_if.if_flags & IFF_DEBUG) 747 printf("%s: received msg %d/%d of the %s handshake from %s\n", 748 ic->ic_if.if_xname, 4, 4, "4-way", 749 ether_sprintf(ni->ni_macaddr)); 750 751 /* initiate a group key handshake for WPA */ 752 if (ni->ni_rsnprotos == IEEE80211_PROTO_WPA) 753 (void)ieee80211_send_group_msg1(ic, ni); 754 else 755 ni->ni_rsn_gstate = RSNA_IDLE; 756 } 757 758 /* 759 * Differentiate Message 2 from Message 4 of the 4-Way Handshake based on 760 * the presence of an RSN or WPA Information Element. 761 */ 762 void 763 ieee80211_recv_4way_msg2or4(struct ieee80211com *ic, 764 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 765 { 766 const u_int8_t *frm, *efrm; 767 const u_int8_t *rsnie; 768 769 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 770 ic->ic_stats.is_rx_eapol_replay++; 771 return; 772 } 773 774 /* parse key data field (check if an RSN IE is present) */ 775 frm = (const u_int8_t *)&key[1]; 776 efrm = frm + BE_READ_2(key->paylen); 777 778 rsnie = NULL; 779 while (frm + 2 <= efrm) { 780 if (frm + 2 + frm[1] > efrm) 781 break; 782 switch (frm[0]) { 783 case IEEE80211_ELEMID_RSN: 784 rsnie = frm; 785 break; 786 case IEEE80211_ELEMID_VENDOR: 787 if (frm[1] < 4) 788 break; 789 if (memcmp(&frm[2], MICROSOFT_OUI, 3) == 0) { 790 switch (frm[5]) { 791 case 1: /* WPA */ 792 rsnie = frm; 793 break; 794 } 795 } 796 } 797 frm += 2 + frm[1]; 798 } 799 if (rsnie != NULL) 800 ieee80211_recv_4way_msg2(ic, key, ni, rsnie); 801 else 802 ieee80211_recv_4way_msg4(ic, key, ni); 803 } 804 #endif /* IEEE80211_STA_ONLY */ 805 806 /* 807 * Process Message 1 of the RSN Group Key Handshake (sent by Authenticator). 808 */ 809 void 810 ieee80211_recv_rsn_group_msg1(struct ieee80211com *ic, 811 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 812 { 813 struct ieee80211_key *k; 814 const u_int8_t *frm, *efrm; 815 const u_int8_t *gtk, *igtk; 816 u_int16_t info, kid, reason = 0; 817 int keylen; 818 819 #ifndef IEEE80211_STA_ONLY 820 if (ic->ic_opmode != IEEE80211_M_STA && 821 ic->ic_opmode != IEEE80211_M_IBSS) 822 return; 823 #endif 824 /* discard if we're not expecting this message */ 825 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKDONE) { 826 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 827 return; 828 } 829 /* enforce monotonicity of key request replay counter */ 830 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 831 ic->ic_stats.is_rx_eapol_replay++; 832 return; 833 } 834 /* check Key MIC field using KCK */ 835 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 836 DPRINTF(("key MIC failed\n")); 837 ic->ic_stats.is_rx_eapol_badmic++; 838 return; 839 } 840 info = BE_READ_2(key->info); 841 842 /* check that encrypted and decrypt Key Data field using KEK */ 843 if (!(info & EAPOL_KEY_ENCRYPTED) || 844 ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 845 DPRINTF(("decryption failed\n")); 846 return; 847 } 848 849 /* parse key data field (shall contain a GTK KDE) */ 850 frm = (const u_int8_t *)&key[1]; 851 efrm = frm + BE_READ_2(key->paylen); 852 853 gtk = igtk = NULL; 854 while (frm + 2 <= efrm) { 855 if (frm + 2 + frm[1] > efrm) 856 break; 857 switch (frm[0]) { 858 case IEEE80211_ELEMID_VENDOR: 859 if (frm[1] < 4) 860 break; 861 if (memcmp(&frm[2], IEEE80211_OUI, 3) == 0) { 862 switch (frm[5]) { 863 case IEEE80211_KDE_GTK: 864 gtk = frm; 865 break; 866 case IEEE80211_KDE_IGTK: 867 if (ni->ni_flags & IEEE80211_NODE_MFP) 868 igtk = frm; 869 break; 870 } 871 } 872 break; 873 } 874 frm += 2 + frm[1]; 875 } 876 /* check that the GTK KDE is present */ 877 if (gtk == NULL) { 878 DPRINTF(("GTK KDE missing\n")); 879 return; 880 } 881 882 /* check that key length matches that of group cipher */ 883 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 884 if (gtk[1] != 6 + keylen) 885 return; 886 887 /* map GTK to 802.11 key */ 888 kid = gtk[6] & 3; 889 k = &ic->ic_nw_keys[kid]; 890 if (ieee80211_must_update_group_key(k, >k[8], keylen)) { 891 memset(k, 0, sizeof(*k)); 892 k->k_id = kid; /* 0-3 */ 893 k->k_cipher = ni->ni_rsngroupcipher; 894 k->k_flags = IEEE80211_KEY_GROUP; 895 if (gtk[6] & (1 << 2)) 896 k->k_flags |= IEEE80211_KEY_TX; 897 k->k_rsc[0] = LE_READ_6(key->rsc); 898 k->k_len = keylen; 899 memcpy(k->k_key, >k[8], k->k_len); 900 /* install the GTK */ 901 switch ((*ic->ic_set_key)(ic, ni, k)) { 902 case 0: 903 case EBUSY: 904 break; 905 default: 906 reason = IEEE80211_REASON_AUTH_LEAVE; 907 goto deauth; 908 } 909 } 910 if (igtk != NULL) { /* implies MFP */ 911 /* check that the IGTK KDE is valid */ 912 if (igtk[1] != 4 + 24) { 913 reason = IEEE80211_REASON_AUTH_LEAVE; 914 goto deauth; 915 } 916 kid = LE_READ_2(&igtk[6]); 917 if (kid != 4 && kid != 5) { 918 DPRINTF(("unsupported IGTK id %u\n", kid)); 919 reason = IEEE80211_REASON_AUTH_LEAVE; 920 goto deauth; 921 } 922 /* map IGTK to 802.11 key */ 923 k = &ic->ic_nw_keys[kid]; 924 if (ieee80211_must_update_group_key(k, &igtk[14], 16)) { 925 memset(k, 0, sizeof(*k)); 926 k->k_id = kid; /* either 4 or 5 */ 927 k->k_cipher = ni->ni_rsngroupmgmtcipher; 928 k->k_flags = IEEE80211_KEY_IGTK; 929 k->k_mgmt_rsc = LE_READ_6(&igtk[8]); /* IPN */ 930 k->k_len = 16; 931 memcpy(k->k_key, &igtk[14], k->k_len); 932 /* install the IGTK */ 933 switch ((*ic->ic_set_key)(ic, ni, k)) { 934 case 0: 935 case EBUSY: 936 break; 937 default: 938 reason = IEEE80211_REASON_AUTH_LEAVE; 939 goto deauth; 940 } 941 } 942 } 943 if (info & EAPOL_KEY_SECURE) { 944 #ifndef IEEE80211_STA_ONLY 945 if (ic->ic_opmode != IEEE80211_M_IBSS || 946 ++ni->ni_key_count == 2) 947 #endif 948 { 949 DPRINTF(("marking port %s valid\n", 950 ether_sprintf(ni->ni_macaddr))); 951 ni->ni_port_valid = 1; 952 ieee80211_set_link_state(ic, LINK_STATE_UP); 953 ni->ni_assoc_fail = 0; 954 } 955 } 956 /* update the last seen value of the key replay counter field */ 957 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 958 959 if (ic->ic_if.if_flags & IFF_DEBUG) 960 printf("%s: received msg %d/%d of the %s handshake from %s\n", 961 ic->ic_if.if_xname, 1, 2, "group key", 962 ether_sprintf(ni->ni_macaddr)); 963 964 /* send message 2 to authenticator */ 965 (void)ieee80211_send_group_msg2(ic, ni, NULL); 966 return; 967 deauth: 968 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, reason); 969 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 970 } 971 972 /* 973 * Process Message 1 of the WPA Group Key Handshake (sent by Authenticator). 974 */ 975 void 976 ieee80211_recv_wpa_group_msg1(struct ieee80211com *ic, 977 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 978 { 979 struct ieee80211_key *k; 980 u_int16_t info; 981 u_int8_t kid; 982 int keylen; 983 const uint8_t *gtk; 984 985 #ifndef IEEE80211_STA_ONLY 986 if (ic->ic_opmode != IEEE80211_M_STA && 987 ic->ic_opmode != IEEE80211_M_IBSS) 988 return; 989 #endif 990 /* discard if we're not expecting this message */ 991 if (ni->ni_rsn_supp_state != RSNA_SUPP_PTKDONE) { 992 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_supp_state)); 993 return; 994 } 995 /* enforce monotonicity of key request replay counter */ 996 if (BE_READ_8(key->replaycnt) <= ni->ni_replaycnt) { 997 ic->ic_stats.is_rx_eapol_replay++; 998 return; 999 } 1000 /* check Key MIC field using KCK */ 1001 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1002 DPRINTF(("key MIC failed\n")); 1003 ic->ic_stats.is_rx_eapol_badmic++; 1004 return; 1005 } 1006 /* 1007 * EAPOL-Key data field is encrypted even though WPA doesn't set 1008 * the ENCRYPTED bit in the info field. 1009 */ 1010 if (ieee80211_eapol_key_decrypt(key, ni->ni_ptk.kek) != 0) { 1011 DPRINTF(("decryption failed\n")); 1012 return; 1013 } 1014 1015 /* check that key length matches that of group cipher */ 1016 keylen = ieee80211_cipher_keylen(ni->ni_rsngroupcipher); 1017 if (BE_READ_2(key->keylen) != keylen) 1018 return; 1019 1020 /* check that the data length is large enough to hold the key */ 1021 if (BE_READ_2(key->paylen) < keylen) 1022 return; 1023 1024 info = BE_READ_2(key->info); 1025 1026 /* map GTK to 802.11 key */ 1027 kid = (info >> EAPOL_KEY_WPA_KID_SHIFT) & 3; 1028 k = &ic->ic_nw_keys[kid]; 1029 gtk = (const uint8_t *)&key[1]; /* key data field contains the GTK */ 1030 if (ieee80211_must_update_group_key(k, gtk, keylen)) { 1031 memset(k, 0, sizeof(*k)); 1032 k->k_id = kid; /* 0-3 */ 1033 k->k_cipher = ni->ni_rsngroupcipher; 1034 k->k_flags = IEEE80211_KEY_GROUP; 1035 if (info & EAPOL_KEY_WPA_TX) 1036 k->k_flags |= IEEE80211_KEY_TX; 1037 k->k_rsc[0] = LE_READ_6(key->rsc); 1038 k->k_len = keylen; 1039 memcpy(k->k_key, gtk, k->k_len); 1040 /* install the GTK */ 1041 switch ((*ic->ic_set_key)(ic, ni, k)) { 1042 case 0: 1043 case EBUSY: 1044 break; 1045 default: 1046 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 1047 IEEE80211_REASON_AUTH_LEAVE); 1048 ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 1049 return; 1050 } 1051 } 1052 if (info & EAPOL_KEY_SECURE) { 1053 #ifndef IEEE80211_STA_ONLY 1054 if (ic->ic_opmode != IEEE80211_M_IBSS || 1055 ++ni->ni_key_count == 2) 1056 #endif 1057 { 1058 DPRINTF(("marking port %s valid\n", 1059 ether_sprintf(ni->ni_macaddr))); 1060 ni->ni_port_valid = 1; 1061 ieee80211_set_link_state(ic, LINK_STATE_UP); 1062 ni->ni_assoc_fail = 0; 1063 } 1064 } 1065 /* update the last seen value of the key replay counter field */ 1066 ni->ni_replaycnt = BE_READ_8(key->replaycnt); 1067 1068 if (ic->ic_if.if_flags & IFF_DEBUG) 1069 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1070 ic->ic_if.if_xname, 1, 2, "group key", 1071 ether_sprintf(ni->ni_macaddr)); 1072 1073 /* send message 2 to authenticator */ 1074 (void)ieee80211_send_group_msg2(ic, ni, k); 1075 } 1076 1077 #ifndef IEEE80211_STA_ONLY 1078 /* 1079 * Process Message 2 of the Group Key Handshake (sent by Supplicant). 1080 */ 1081 void 1082 ieee80211_recv_group_msg2(struct ieee80211com *ic, 1083 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1084 { 1085 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1086 ic->ic_opmode != IEEE80211_M_IBSS) 1087 return; 1088 1089 /* discard if we're not expecting this message */ 1090 if (ni->ni_rsn_gstate != RSNA_REKEYNEGOTIATING) { 1091 DPRINTF(("%s: unexpected in state: %d\n", ic->ic_if.if_xname, 1092 ni->ni_rsn_gstate)); 1093 return; 1094 } 1095 /* enforce monotonicity of key request replay counter */ 1096 if (BE_READ_8(key->replaycnt) != ni->ni_replaycnt) { 1097 ic->ic_stats.is_rx_eapol_replay++; 1098 return; 1099 } 1100 /* check Key MIC field using KCK */ 1101 if (ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1102 DPRINTF(("key MIC failed\n")); 1103 ic->ic_stats.is_rx_eapol_badmic++; 1104 return; 1105 } 1106 1107 timeout_del(&ni->ni_eapol_to); 1108 ni->ni_rsn_gstate = RSNA_REKEYESTABLISHED; 1109 1110 if (ni->ni_flags & IEEE80211_NODE_REKEY) { 1111 int rekeysta = 0; 1112 ni->ni_flags &= ~IEEE80211_NODE_REKEY; 1113 ieee80211_iterate_nodes(ic, 1114 ieee80211_count_rekeysta, &rekeysta); 1115 if (rekeysta == 0) 1116 ieee80211_setkeysdone(ic); 1117 } 1118 ni->ni_flags |= IEEE80211_NODE_TXRXPROT; 1119 1120 ni->ni_rsn_gstate = RSNA_IDLE; 1121 ni->ni_rsn_retries = 0; 1122 1123 if (ic->ic_if.if_flags & IFF_DEBUG) 1124 printf("%s: received msg %d/%d of the %s handshake from %s\n", 1125 ic->ic_if.if_xname, 2, 2, "group key", 1126 ether_sprintf(ni->ni_macaddr)); 1127 } 1128 1129 /* 1130 * EAPOL-Key Request frames are sent by the supplicant to request that the 1131 * authenticator initiates either a 4-Way Handshake or Group Key Handshake, 1132 * or to report a MIC failure in a TKIP MSDU. 1133 */ 1134 void 1135 ieee80211_recv_eapol_key_req(struct ieee80211com *ic, 1136 struct ieee80211_eapol_key *key, struct ieee80211_node *ni) 1137 { 1138 u_int16_t info; 1139 1140 if (ic->ic_opmode != IEEE80211_M_HOSTAP && 1141 ic->ic_opmode != IEEE80211_M_IBSS) 1142 return; 1143 1144 /* discard if we're not expecting this message */ 1145 if (ni->ni_rsn_state != RSNA_PTKINITDONE) { 1146 DPRINTF(("unexpected in state: %d\n", ni->ni_rsn_state)); 1147 return; 1148 } 1149 /* enforce monotonicity of key request replay counter */ 1150 if (ni->ni_reqreplaycnt_ok && 1151 BE_READ_8(key->replaycnt) <= ni->ni_reqreplaycnt) { 1152 ic->ic_stats.is_rx_eapol_replay++; 1153 return; 1154 } 1155 info = BE_READ_2(key->info); 1156 1157 if (!(info & EAPOL_KEY_KEYMIC) || 1158 ieee80211_eapol_key_check_mic(key, ni->ni_ptk.kck) != 0) { 1159 DPRINTF(("key request MIC failed\n")); 1160 ic->ic_stats.is_rx_eapol_badmic++; 1161 return; 1162 } 1163 /* update key request replay counter now that MIC is verified */ 1164 ni->ni_reqreplaycnt = BE_READ_8(key->replaycnt); 1165 ni->ni_reqreplaycnt_ok = 1; 1166 1167 if (info & EAPOL_KEY_ERROR) { /* TKIP MIC failure */ 1168 /* ignore reports from STAs not using TKIP */ 1169 if (ic->ic_bss->ni_rsngroupcipher != IEEE80211_CIPHER_TKIP && 1170 ni->ni_rsncipher != IEEE80211_CIPHER_TKIP) { 1171 DPRINTF(("MIC failure report from !TKIP STA: %s\n", 1172 ether_sprintf(ni->ni_macaddr))); 1173 return; 1174 } 1175 ic->ic_stats.is_rx_remmicfail++; 1176 ieee80211_michael_mic_failure(ic, LE_READ_6(key->rsc)); 1177 1178 } else if (info & EAPOL_KEY_PAIRWISE) { 1179 /* initiate a 4-Way Handshake */ 1180 1181 } else { 1182 /* 1183 * Should change the GTK, initiate the 4-Way Handshake and 1184 * then execute a Group Key Handshake with all supplicants. 1185 */ 1186 } 1187 } 1188 #endif /* IEEE80211_STA_ONLY */ 1189