]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/wpa_auth.h
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
FT: Add support for wildcard R0KH/R1KH
[thirdparty/hostap.git] / src / ap / wpa_auth.h
1 /*
2 * hostapd - IEEE 802.11i-2004 / WPA Authenticator
3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #ifndef WPA_AUTH_H
10 #define WPA_AUTH_H
11
12 #include "common/defs.h"
13 #include "common/eapol_common.h"
14 #include "common/wpa_common.h"
15 #include "common/ieee802_11_defs.h"
16
17 #define MAX_OWN_IE_OVERRIDE 256
18
19 #ifdef _MSC_VER
20 #pragma pack(push, 1)
21 #endif /* _MSC_VER */
22
23 /* IEEE Std 802.11r-2008, 11A.10.3 - Remote request/response frame definition
24 */
25 struct ft_rrb_frame {
26 u8 frame_type; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */
27 u8 packet_type; /* FT_PACKET_REQUEST/FT_PACKET_RESPONSE */
28 le16 action_length; /* little endian length of action_frame */
29 u8 ap_address[ETH_ALEN];
30 /*
31 * Followed by action_length bytes of FT Action frame (from Category
32 * field to the end of Action Frame body.
33 */
34 } STRUCT_PACKED;
35
36 #define RSN_REMOTE_FRAME_TYPE_FT_RRB 1
37
38 #define FT_PACKET_REQUEST 0
39 #define FT_PACKET_RESPONSE 1
40
41 /* Vendor-specific types for R0KH-R1KH protocol; not defined in 802.11r. These
42 * use OUI Extended EtherType as the encapsulating format. */
43 #define FT_PACKET_R0KH_R1KH_PULL 0x01
44 #define FT_PACKET_R0KH_R1KH_RESP 0x02
45 #define FT_PACKET_R0KH_R1KH_PUSH 0x03
46 #define FT_PACKET_R0KH_R1KH_SEQ_REQ 0x04
47 #define FT_PACKET_R0KH_R1KH_SEQ_RESP 0x05
48
49 /* packet layout
50 * IEEE 802 extended OUI ethertype frame header
51 * u16 authlen (little endian)
52 * multiple of struct ft_rrb_tlv (authenticated only, length = authlen)
53 * multiple of struct ft_rrb_tlv (AES-SIV encrypted, AES-SIV needs an extra
54 * blocksize length)
55 *
56 * AES-SIV AAD;
57 * source MAC address (6)
58 * authenticated-only TLVs (authlen)
59 * subtype (1; FT_PACKET_*)
60 */
61
62 #define FT_RRB_NONCE_LEN 16
63
64 #define FT_RRB_LAST_EMPTY 0 /* placeholder or padding */
65
66 #define FT_RRB_SEQ 1 /* struct ft_rrb_seq */
67 #define FT_RRB_NONCE 2 /* size FT_RRB_NONCE_LEN */
68 #define FT_RRB_TIMESTAMP 3 /* le32 unix seconds */
69
70 #define FT_RRB_R0KH_ID 4 /* FT_R0KH_ID_MAX_LEN */
71 #define FT_RRB_R1KH_ID 5 /* FT_R1KH_ID_LEN */
72 #define FT_RRB_S1KH_ID 6 /* ETH_ALEN */
73
74 #define FT_RRB_PMK_R0_NAME 7 /* WPA_PMK_NAME_LEN */
75 #define FT_RRB_PMK_R0 8 /* PMK_LEN */
76 #define FT_RRB_PMK_R1_NAME 9 /* WPA_PMK_NAME_LEN */
77 #define FT_RRB_PMK_R1 10 /* PMK_LEN */
78
79 #define FT_RRB_PAIRWISE 11 /* le16 */
80
81 struct ft_rrb_tlv {
82 le16 type;
83 le16 len;
84 /* followed by data of length len */
85 } STRUCT_PACKED;
86
87 struct ft_rrb_seq {
88 le32 dom;
89 le32 seq;
90 le32 ts;
91 } STRUCT_PACKED;
92
93 /* session TLVs:
94 * required: PMK_R1, PMK_R1_NAME, PAIRWISE
95 *
96 * pull frame TLVs:
97 * auth:
98 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
99 * encrypted:
100 * required: PMK_R0_NAME, S1KH_ID
101 *
102 * response frame TLVs:
103 * auth:
104 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
105 * encrypted:
106 * required: S1KH_ID
107 * optional: session TLVs
108 *
109 * push frame TLVs:
110 * auth:
111 * required: SEQ, R0KH_ID, R1KH_ID
112 * encrypted:
113 * required: S1KH_ID, PMK_R0_NAME, session TLVs
114 *
115 * sequence number request frame TLVs:
116 * auth:
117 * required: R0KH_ID, R1KH_ID, NONCE
118 *
119 * sequence number response frame TLVs:
120 * auth:
121 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
122 */
123
124 #ifdef _MSC_VER
125 #pragma pack(pop)
126 #endif /* _MSC_VER */
127
128
129 /* per STA state machine data */
130
131 struct wpa_authenticator;
132 struct wpa_state_machine;
133 struct rsn_pmksa_cache_entry;
134 struct eapol_state_machine;
135 struct ft_remote_seq;
136
137
138 struct ft_remote_r0kh {
139 struct ft_remote_r0kh *next;
140 u8 addr[ETH_ALEN];
141 u8 id[FT_R0KH_ID_MAX_LEN];
142 size_t id_len;
143 u8 key[32];
144 struct ft_remote_seq *seq;
145 };
146
147
148 struct ft_remote_r1kh {
149 struct ft_remote_r1kh *next;
150 u8 addr[ETH_ALEN];
151 u8 id[FT_R1KH_ID_LEN];
152 u8 key[32];
153 struct ft_remote_seq *seq;
154 };
155
156
157 struct wpa_auth_config {
158 int wpa;
159 int wpa_key_mgmt;
160 int wpa_pairwise;
161 int wpa_group;
162 int wpa_group_rekey;
163 int wpa_strict_rekey;
164 int wpa_gmk_rekey;
165 int wpa_ptk_rekey;
166 u32 wpa_group_update_count;
167 u32 wpa_pairwise_update_count;
168 int rsn_pairwise;
169 int rsn_preauth;
170 int eapol_version;
171 int peerkey;
172 int wmm_enabled;
173 int wmm_uapsd;
174 int disable_pmksa_caching;
175 int okc;
176 int tx_status;
177 #ifdef CONFIG_IEEE80211W
178 enum mfp_options ieee80211w;
179 int group_mgmt_cipher;
180 #endif /* CONFIG_IEEE80211W */
181 #ifdef CONFIG_IEEE80211R_AP
182 u8 ssid[SSID_MAX_LEN];
183 size_t ssid_len;
184 u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
185 u8 r0_key_holder[FT_R0KH_ID_MAX_LEN];
186 size_t r0_key_holder_len;
187 u8 r1_key_holder[FT_R1KH_ID_LEN];
188 u32 r0_key_lifetime;
189 int rkh_pos_timeout;
190 int rkh_neg_timeout;
191 int rkh_pull_timeout; /* ms */
192 int rkh_pull_retries;
193 u32 reassociation_deadline;
194 struct ft_remote_r0kh **r0kh_list;
195 struct ft_remote_r1kh **r1kh_list;
196 int pmk_r1_push;
197 int ft_over_ds;
198 int ft_psk_generate_local;
199 #endif /* CONFIG_IEEE80211R_AP */
200 int disable_gtk;
201 int ap_mlme;
202 #ifdef CONFIG_TESTING_OPTIONS
203 double corrupt_gtk_rekey_mic_probability;
204 u8 own_ie_override[MAX_OWN_IE_OVERRIDE];
205 size_t own_ie_override_len;
206 #endif /* CONFIG_TESTING_OPTIONS */
207 #ifdef CONFIG_P2P
208 u8 ip_addr_go[4];
209 u8 ip_addr_mask[4];
210 u8 ip_addr_start[4];
211 u8 ip_addr_end[4];
212 #endif /* CONFIG_P2P */
213 #ifdef CONFIG_FILS
214 unsigned int fils_cache_id_set:1;
215 u8 fils_cache_id[FILS_CACHE_ID_LEN];
216 #endif /* CONFIG_FILS */
217 };
218
219 typedef enum {
220 LOGGER_DEBUG, LOGGER_INFO, LOGGER_WARNING
221 } logger_level;
222
223 typedef enum {
224 WPA_EAPOL_portEnabled, WPA_EAPOL_portValid, WPA_EAPOL_authorized,
225 WPA_EAPOL_portControl_Auto, WPA_EAPOL_keyRun, WPA_EAPOL_keyAvailable,
226 WPA_EAPOL_keyDone, WPA_EAPOL_inc_EapolFramesTx
227 } wpa_eapol_variable;
228
229 struct wpa_auth_callbacks {
230 void (*logger)(void *ctx, const u8 *addr, logger_level level,
231 const char *txt);
232 void (*disconnect)(void *ctx, const u8 *addr, u16 reason);
233 int (*mic_failure_report)(void *ctx, const u8 *addr);
234 void (*psk_failure_report)(void *ctx, const u8 *addr);
235 void (*set_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var,
236 int value);
237 int (*get_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var);
238 const u8 * (*get_psk)(void *ctx, const u8 *addr, const u8 *p2p_dev_addr,
239 const u8 *prev_psk);
240 int (*get_msk)(void *ctx, const u8 *addr, u8 *msk, size_t *len);
241 int (*set_key)(void *ctx, int vlan_id, enum wpa_alg alg,
242 const u8 *addr, int idx, u8 *key, size_t key_len);
243 int (*get_seqnum)(void *ctx, const u8 *addr, int idx, u8 *seq);
244 int (*send_eapol)(void *ctx, const u8 *addr, const u8 *data,
245 size_t data_len, int encrypt);
246 int (*for_each_sta)(void *ctx, int (*cb)(struct wpa_state_machine *sm,
247 void *ctx), void *cb_ctx);
248 int (*for_each_auth)(void *ctx, int (*cb)(struct wpa_authenticator *a,
249 void *ctx), void *cb_ctx);
250 int (*send_ether)(void *ctx, const u8 *dst, u16 proto, const u8 *data,
251 size_t data_len);
252 int (*send_oui)(void *ctx, const u8 *dst, u8 oui_suffix, const u8 *data,
253 size_t data_len);
254 #ifdef CONFIG_IEEE80211R_AP
255 struct wpa_state_machine * (*add_sta)(void *ctx, const u8 *sta_addr);
256 int (*send_ft_action)(void *ctx, const u8 *dst,
257 const u8 *data, size_t data_len);
258 int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie,
259 size_t tspec_ielen);
260 #endif /* CONFIG_IEEE80211R_AP */
261 #ifdef CONFIG_MESH
262 int (*start_ampe)(void *ctx, const u8 *sta_addr);
263 #endif /* CONFIG_MESH */
264 };
265
266 struct wpa_authenticator * wpa_init(const u8 *addr,
267 struct wpa_auth_config *conf,
268 const struct wpa_auth_callbacks *cb,
269 void *cb_ctx);
270 int wpa_init_keys(struct wpa_authenticator *wpa_auth);
271 void wpa_deinit(struct wpa_authenticator *wpa_auth);
272 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
273 struct wpa_auth_config *conf);
274
275 enum {
276 WPA_IE_OK, WPA_INVALID_IE, WPA_INVALID_GROUP, WPA_INVALID_PAIRWISE,
277 WPA_INVALID_AKMP, WPA_NOT_ENABLED, WPA_ALLOC_FAIL,
278 WPA_MGMT_FRAME_PROTECTION_VIOLATION, WPA_INVALID_MGMT_GROUP_CIPHER,
279 WPA_INVALID_MDIE, WPA_INVALID_PROTO
280 };
281
282 int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
283 struct wpa_state_machine *sm,
284 const u8 *wpa_ie, size_t wpa_ie_len,
285 const u8 *mdie, size_t mdie_len,
286 const u8 *owe_dh, size_t owe_dh_len);
287 int wpa_validate_osen(struct wpa_authenticator *wpa_auth,
288 struct wpa_state_machine *sm,
289 const u8 *osen_ie, size_t osen_ie_len);
290 int wpa_auth_uses_mfp(struct wpa_state_machine *sm);
291 struct wpa_state_machine *
292 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
293 const u8 *p2p_dev_addr);
294 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
295 struct wpa_state_machine *sm);
296 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm);
297 void wpa_auth_sta_deinit(struct wpa_state_machine *sm);
298 void wpa_receive(struct wpa_authenticator *wpa_auth,
299 struct wpa_state_machine *sm,
300 u8 *data, size_t data_len);
301 enum wpa_event {
302 WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
303 WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS
304 };
305 void wpa_remove_ptk(struct wpa_state_machine *sm);
306 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
307 void wpa_auth_sm_notify(struct wpa_state_machine *sm);
308 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth);
309 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen);
310 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen);
311 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth);
312 int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
313 int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
314 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
315 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
316 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
317 struct rsn_pmksa_cache_entry *entry);
318 struct rsn_pmksa_cache_entry *
319 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm);
320 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm);
321 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth,
322 size_t *len);
323 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
324 unsigned int pmk_len,
325 int session_timeout, struct eapol_state_machine *eapol);
326 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
327 const u8 *pmk, size_t len, const u8 *sta_addr,
328 int session_timeout,
329 struct eapol_state_machine *eapol);
330 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
331 const u8 *pmk, const u8 *pmkid);
332 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
333 const u8 *sta_addr);
334 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
335 size_t len);
336 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth);
337 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
338 char *buf, size_t len);
339 struct rsn_pmksa_cache_entry *
340 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
341 const u8 *pmkid, int expiration);
342 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
343 struct rsn_pmksa_cache_entry *entry);
344 struct rsn_pmksa_cache_entry *
345 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
346 const u8 *pmkid);
347 struct rsn_pmksa_cache_entry *
348 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
349 const u8 *sta_addr, const u8 *pmkid);
350 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
351 struct wpa_state_machine *sm,
352 struct wpa_authenticator *wpa_auth,
353 u8 *pmkid, u8 *pmk);
354 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id);
355 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
356 struct wpa_state_machine *sm, int ack);
357
358 #ifdef CONFIG_IEEE80211R_AP
359 u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
360 size_t max_len, int auth_alg,
361 const u8 *req_ies, size_t req_ies_len);
362 void wpa_ft_process_auth(struct wpa_state_machine *sm, const u8 *bssid,
363 u16 auth_transaction, const u8 *ies, size_t ies_len,
364 void (*cb)(void *ctx, const u8 *dst, const u8 *bssid,
365 u16 auth_transaction, u16 resp,
366 const u8 *ies, size_t ies_len),
367 void *ctx);
368 u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
369 size_t ies_len);
370 int wpa_ft_action_rx(struct wpa_state_machine *sm, const u8 *data, size_t len);
371 int wpa_ft_rrb_rx(struct wpa_authenticator *wpa_auth, const u8 *src_addr,
372 const u8 *data, size_t data_len);
373 void wpa_ft_rrb_oui_rx(struct wpa_authenticator *wpa_auth, const u8 *src_addr,
374 const u8 *dst_addr, u8 oui_suffix, const u8 *data,
375 size_t data_len);
376 void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr);
377 void wpa_ft_deinit(struct wpa_authenticator *wpa_auth);
378 void wpa_ft_sta_deinit(struct wpa_state_machine *sm);
379 #endif /* CONFIG_IEEE80211R_AP */
380
381 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm);
382 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag);
383 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos);
384 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos);
385
386 int wpa_auth_uses_sae(struct wpa_state_machine *sm);
387 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm);
388
389 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr);
390
391 struct radius_das_attrs;
392 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
393 struct radius_das_attrs *attr);
394 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth);
395
396 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id);
397 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id);
398 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
399 size_t pmk_len, const u8 *snonce, const u8 *anonce);
400 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
401 const struct ieee80211_mgmt *mgmt, size_t frame_len,
402 u8 *pos, size_t left);
403 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
404 size_t current_len, size_t max_len,
405 const struct wpabuf *hlp);
406 int fils_set_tk(struct wpa_state_machine *sm);
407 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *eid,
408 const u8 *fils_session);
409 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
410 const u8 *ies, size_t ies_len,
411 const u8 *fils_session);
412 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
413 size_t ies_len);
414
415 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len);
416 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
417 u8 *fils_anonce, u8 *fils_snonce,
418 u8 *fils_kek, size_t *fils_kek_len);
419
420 #endif /* WPA_AUTH_H */
Unnamed repository; edit this file 'description' to name the repository.