src/ap/wpa_auth.h

   1 /*
   2  * hostapd - IEEE 802.11i-2004 / WPA Authenticator
   3  * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #ifndef WPA_AUTH_H
  10 #define WPA_AUTH_H
  11
  12 #include "common/defs.h"
  13 #include "common/eapol_common.h"
  14 #include "common/wpa_common.h"
  15 #include "common/ieee802_11_defs.h"
  16
  17 #define MAX_OWN_IE_OVERRIDE 256
  18
  19 #ifdef _MSC_VER
  20 #pragma pack(push, 1)
  21 #endif /* _MSC_VER */
  22
  23 /* IEEE Std 802.11r-2008, 11A.10.3 - Remote request/response frame definition
  24  */
  25 struct ft_rrb_frame {
  26         u8 frame_type; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */
  27         u8 packet_type; /* FT_PACKET_REQUEST/FT_PACKET_RESPONSE */
  28         le16 action_length; /* little endian length of action_frame */
  29         u8 ap_address[ETH_ALEN];
  30         /*
  31          * Followed by action_length bytes of FT Action frame (from Category
  32          * field to the end of Action Frame body.
  33          */
  34 } STRUCT_PACKED;
  35
  36 #define RSN_REMOTE_FRAME_TYPE_FT_RRB 1
  37
  38 #define FT_PACKET_REQUEST 0
  39 #define FT_PACKET_RESPONSE 1
  40
  41 /* Vendor-specific types for R0KH-R1KH protocol; not defined in 802.11r. These
  42  * use OUI Extended EtherType as the encapsulating format. */
  43 #define FT_PACKET_R0KH_R1KH_PULL 0x01
  44 #define FT_PACKET_R0KH_R1KH_RESP 0x02
  45 #define FT_PACKET_R0KH_R1KH_PUSH 0x03
  46 #define FT_PACKET_R0KH_R1KH_SEQ_REQ 0x04
  47 #define FT_PACKET_R0KH_R1KH_SEQ_RESP 0x05
  48
  49 /* packet layout
  50  *  IEEE 802 extended OUI ethertype frame header
  51  *  u16 authlen (little endian)
  52  *  multiple of struct ft_rrb_tlv (authenticated only, length = authlen)
  53  *  multiple of struct ft_rrb_tlv (AES-SIV encrypted, AES-SIV needs an extra
  54  *                                 blocksize length)
  55  *
  56  * AES-SIV AAD;
  57  *  source MAC address (6)
  58  *  authenticated-only TLVs (authlen)
  59  *  subtype (1; FT_PACKET_*)
  60  */
  61
  62 #define FT_RRB_NONCE_LEN 16
  63
  64 #define FT_RRB_LAST_EMPTY     0 /* placeholder or padding */
  65
  66 #define FT_RRB_SEQ            1 /* struct ft_rrb_seq */
  67 #define FT_RRB_NONCE          2 /* size FT_RRB_NONCE_LEN */
  68 #define FT_RRB_TIMESTAMP      3 /* le32 unix seconds */
  69
  70 #define FT_RRB_R0KH_ID        4 /* FT_R0KH_ID_MAX_LEN */
  71 #define FT_RRB_R1KH_ID        5 /* FT_R1KH_ID_LEN */
  72 #define FT_RRB_S1KH_ID        6 /* ETH_ALEN */
  73
  74 #define FT_RRB_PMK_R0_NAME    7 /* WPA_PMK_NAME_LEN */
  75 #define FT_RRB_PMK_R0         8 /* PMK_LEN */
  76 #define FT_RRB_PMK_R1_NAME    9 /* WPA_PMK_NAME_LEN */
  77 #define FT_RRB_PMK_R1        10 /* PMK_LEN */
  78
  79 #define FT_RRB_PAIRWISE      11 /* le16 */
  80
  81 struct ft_rrb_tlv {
  82         le16 type;
  83         le16 len;
  84         /* followed by data of length len */
  85 } STRUCT_PACKED;
  86
  87 struct ft_rrb_seq {
  88         le32 dom;
  89         le32 seq;
  90         le32 ts;
  91 } STRUCT_PACKED;
  92
  93 /* session TLVs:
  94  *   required: PMK_R1, PMK_R1_NAME, PAIRWISE
  95  *
  96  * pull frame TLVs:
  97  *   auth:
  98  *     required: SEQ, NONCE, R0KH_ID, R1KH_ID
  99  *   encrypted:
 100  *     required: PMK_R0_NAME, S1KH_ID
 101  *
 102  * response frame TLVs:
 103  *   auth:
 104  *     required: SEQ, NONCE, R0KH_ID, R1KH_ID
 105  *   encrypted:
 106  *     required: S1KH_ID
 107  *     optional: session TLVs
 108  *
 109  * push frame TLVs:
 110  *   auth:
 111  *     required: SEQ, R0KH_ID, R1KH_ID
 112  *   encrypted:
 113  *     required: S1KH_ID, PMK_R0_NAME, session TLVs
 114  *
 115  * sequence number request frame TLVs:
 116  *   auth:
 117  *     required: R0KH_ID, R1KH_ID, NONCE
 118  *
 119  * sequence number response frame TLVs:
 120  *   auth:
 121  *     required: SEQ, NONCE, R0KH_ID, R1KH_ID
 122  */
 123
 124 #ifdef _MSC_VER
 125 #pragma pack(pop)
 126 #endif /* _MSC_VER */
 127
 128
 129 /* per STA state machine data */
 130
 131 struct wpa_authenticator;
 132 struct wpa_state_machine;
 133 struct rsn_pmksa_cache_entry;
 134 struct eapol_state_machine;
 135 struct ft_remote_seq;
 136
 137
 138 struct ft_remote_r0kh {
 139         struct ft_remote_r0kh *next;
 140         u8 addr[ETH_ALEN];
 141         u8 id[FT_R0KH_ID_MAX_LEN];
 142         size_t id_len;
 143         u8 key[32];
 144         struct ft_remote_seq *seq;
 145 };
 146
 147
 148 struct ft_remote_r1kh {
 149         struct ft_remote_r1kh *next;
 150         u8 addr[ETH_ALEN];
 151         u8 id[FT_R1KH_ID_LEN];
 152         u8 key[32];
 153         struct ft_remote_seq *seq;
 154 };
 155
 156
 157 struct wpa_auth_config {
 158         int wpa;
 159         int wpa_key_mgmt;
 160         int wpa_pairwise;
 161         int wpa_group;
 162         int wpa_group_rekey;
 163         int wpa_strict_rekey;
 164         int wpa_gmk_rekey;
 165         int wpa_ptk_rekey;
 166         u32 wpa_group_update_count;
 167         u32 wpa_pairwise_update_count;
 168         int rsn_pairwise;
 169         int rsn_preauth;
 170         int eapol_version;
 171         int wmm_enabled;
 172         int wmm_uapsd;
 173         int disable_pmksa_caching;
 174         int okc;
 175         int tx_status;
 176 #ifdef CONFIG_IEEE80211W
 177         enum mfp_options ieee80211w;
 178         int group_mgmt_cipher;
 179 #endif /* CONFIG_IEEE80211W */
 180 #ifdef CONFIG_IEEE80211R_AP
 181         u8 ssid[SSID_MAX_LEN];
 182         size_t ssid_len;
 183         u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
 184         u8 r0_key_holder[FT_R0KH_ID_MAX_LEN];
 185         size_t r0_key_holder_len;
 186         u8 r1_key_holder[FT_R1KH_ID_LEN];
 187         u32 r0_key_lifetime;
 188         int rkh_pos_timeout;
 189         int rkh_neg_timeout;
 190         int rkh_pull_timeout; /* ms */
 191         int rkh_pull_retries;
 192         u32 reassociation_deadline;
 193         struct ft_remote_r0kh **r0kh_list;
 194         struct ft_remote_r1kh **r1kh_list;
 195         int pmk_r1_push;
 196         int ft_over_ds;
 197         int ft_psk_generate_local;
 198 #endif /* CONFIG_IEEE80211R_AP */
 199         int disable_gtk;
 200         int ap_mlme;
 201 #ifdef CONFIG_TESTING_OPTIONS
 202         double corrupt_gtk_rekey_mic_probability;
 203         u8 own_ie_override[MAX_OWN_IE_OVERRIDE];
 204         size_t own_ie_override_len;
 205 #endif /* CONFIG_TESTING_OPTIONS */
 206 #ifdef CONFIG_P2P
 207         u8 ip_addr_go[4];
 208         u8 ip_addr_mask[4];
 209         u8 ip_addr_start[4];
 210         u8 ip_addr_end[4];
 211 #endif /* CONFIG_P2P */
 212 #ifdef CONFIG_FILS
 213         unsigned int fils_cache_id_set:1;
 214         u8 fils_cache_id[FILS_CACHE_ID_LEN];
 215 #endif /* CONFIG_FILS */
 216 };
 217
 218 typedef enum {
 219         LOGGER_DEBUG, LOGGER_INFO, LOGGER_WARNING
 220 } logger_level;
 221
 222 typedef enum {
 223         WPA_EAPOL_portEnabled, WPA_EAPOL_portValid, WPA_EAPOL_authorized,
 224         WPA_EAPOL_portControl_Auto, WPA_EAPOL_keyRun, WPA_EAPOL_keyAvailable,
 225         WPA_EAPOL_keyDone, WPA_EAPOL_inc_EapolFramesTx
 226 } wpa_eapol_variable;
 227
 228 struct wpa_auth_callbacks {
 229         void (*logger)(void *ctx, const u8 *addr, logger_level level,
 230                        const char *txt);
 231         void (*disconnect)(void *ctx, const u8 *addr, u16 reason);
 232         int (*mic_failure_report)(void *ctx, const u8 *addr);
 233         void (*psk_failure_report)(void *ctx, const u8 *addr);
 234         void (*set_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var,
 235                           int value);
 236         int (*get_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var);
 237         const u8 * (*get_psk)(void *ctx, const u8 *addr, const u8 *p2p_dev_addr,
 238                               const u8 *prev_psk, size_t *psk_len);
 239         int (*get_msk)(void *ctx, const u8 *addr, u8 *msk, size_t *len);
 240         int (*set_key)(void *ctx, int vlan_id, enum wpa_alg alg,
 241                        const u8 *addr, int idx, u8 *key, size_t key_len);
 242         int (*get_seqnum)(void *ctx, const u8 *addr, int idx, u8 *seq);
 243         int (*send_eapol)(void *ctx, const u8 *addr, const u8 *data,
 244                           size_t data_len, int encrypt);
 245         int (*for_each_sta)(void *ctx, int (*cb)(struct wpa_state_machine *sm,
 246                                                  void *ctx), void *cb_ctx);
 247         int (*for_each_auth)(void *ctx, int (*cb)(struct wpa_authenticator *a,
 248                                                   void *ctx), void *cb_ctx);
 249         int (*send_ether)(void *ctx, const u8 *dst, u16 proto, const u8 *data,
 250                           size_t data_len);
 251         int (*send_oui)(void *ctx, const u8 *dst, u8 oui_suffix, const u8 *data,
 252                         size_t data_len);
 253 #ifdef CONFIG_IEEE80211R_AP
 254         struct wpa_state_machine * (*add_sta)(void *ctx, const u8 *sta_addr);
 255         int (*send_ft_action)(void *ctx, const u8 *dst,
 256                               const u8 *data, size_t data_len);
 257         int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie,
 258                          size_t tspec_ielen);
 259 #endif /* CONFIG_IEEE80211R_AP */
 260 #ifdef CONFIG_MESH
 261         int (*start_ampe)(void *ctx, const u8 *sta_addr);
 262 #endif /* CONFIG_MESH */
 263 };
 264
 265 struct wpa_authenticator * wpa_init(const u8 *addr,
 266                                     struct wpa_auth_config *conf,
 267                                     const struct wpa_auth_callbacks *cb,
 268                                     void *cb_ctx);
 269 int wpa_init_keys(struct wpa_authenticator *wpa_auth);
 270 void wpa_deinit(struct wpa_authenticator *wpa_auth);
 271 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
 272                  struct wpa_auth_config *conf);
 273
 274 enum {
 275         WPA_IE_OK, WPA_INVALID_IE, WPA_INVALID_GROUP, WPA_INVALID_PAIRWISE,
 276         WPA_INVALID_AKMP, WPA_NOT_ENABLED, WPA_ALLOC_FAIL,
 277         WPA_MGMT_FRAME_PROTECTION_VIOLATION, WPA_INVALID_MGMT_GROUP_CIPHER,
 278         WPA_INVALID_MDIE, WPA_INVALID_PROTO, WPA_INVALID_PMKID
 279 };
 280
 281 int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 282                         struct wpa_state_machine *sm,
 283                         const u8 *wpa_ie, size_t wpa_ie_len,
 284                         const u8 *mdie, size_t mdie_len,
 285                         const u8 *owe_dh, size_t owe_dh_len);
 286 int wpa_validate_osen(struct wpa_authenticator *wpa_auth,
 287                       struct wpa_state_machine *sm,
 288                       const u8 *osen_ie, size_t osen_ie_len);
 289 int wpa_auth_uses_mfp(struct wpa_state_machine *sm);
 290 struct wpa_state_machine *
 291 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
 292                   const u8 *p2p_dev_addr);
 293 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
 294                             struct wpa_state_machine *sm);
 295 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm);
 296 void wpa_auth_sta_deinit(struct wpa_state_machine *sm);
 297 void wpa_receive(struct wpa_authenticator *wpa_auth,
 298                  struct wpa_state_machine *sm,
 299                  u8 *data, size_t data_len);
 300 enum wpa_event {
 301         WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
 302         WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS, WPA_DRV_STA_REMOVED
 303 };
 304 void wpa_remove_ptk(struct wpa_state_machine *sm);
 305 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
 306 void wpa_auth_sm_notify(struct wpa_state_machine *sm);
 307 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth);
 308 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen);
 309 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen);
 310 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth);
 311 int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
 312 int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
 313 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
 314 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
 315 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
 316 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm);
 317 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
 318                              struct rsn_pmksa_cache_entry *entry);
 319 struct rsn_pmksa_cache_entry *
 320 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm);
 321 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm);
 322 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth,
 323                                size_t *len);
 324 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
 325                        unsigned int pmk_len,
 326                        int session_timeout, struct eapol_state_machine *eapol);
 327 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
 328                                const u8 *pmk, size_t len, const u8 *sta_addr,
 329                                int session_timeout,
 330                                struct eapol_state_machine *eapol);
 331 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
 332                            const u8 *pmk, const u8 *pmkid);
 333 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
 334                         const u8 *pmk, size_t pmk_len, const u8 *pmkid,
 335                         int session_timeout, int akmp);
 336 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
 337                            const u8 *sta_addr);
 338 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
 339                         size_t len);
 340 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth);
 341 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
 342                              char *buf, size_t len);
 343 struct rsn_pmksa_cache_entry *
 344 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
 345                             const u8 *pmkid, int expiration);
 346 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
 347                              struct rsn_pmksa_cache_entry *entry);
 348 struct rsn_pmksa_cache_entry *
 349 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
 350                    const u8 *pmkid);
 351 struct rsn_pmksa_cache_entry *
 352 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
 353                                  const u8 *sta_addr, const u8 *pmkid);
 354 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
 355                               struct wpa_state_machine *sm,
 356                               struct wpa_authenticator *wpa_auth,
 357                               u8 *pmkid, u8 *pmk);
 358 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id);
 359 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
 360                                   struct wpa_state_machine *sm, int ack);
 361
 362 #ifdef CONFIG_IEEE80211R_AP
 363 u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
 364                                  size_t max_len, int auth_alg,
 365                                  const u8 *req_ies, size_t req_ies_len);
 366 void wpa_ft_process_auth(struct wpa_state_machine *sm, const u8 *bssid,
 367                          u16 auth_transaction, const u8 *ies, size_t ies_len,
 368                          void (*cb)(void *ctx, const u8 *dst, const u8 *bssid,
 369                                     u16 auth_transaction, u16 resp,
 370                                     const u8 *ies, size_t ies_len),
 371                          void *ctx);
 372 u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
 373                             size_t ies_len);
 374 int wpa_ft_action_rx(struct wpa_state_machine *sm, const u8 *data, size_t len);
 375 int wpa_ft_rrb_rx(struct wpa_authenticator *wpa_auth, const u8 *src_addr,
 376                   const u8 *data, size_t data_len);
 377 void wpa_ft_rrb_oui_rx(struct wpa_authenticator *wpa_auth, const u8 *src_addr,
 378                        const u8 *dst_addr, u8 oui_suffix, const u8 *data,
 379                        size_t data_len);
 380 void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr);
 381 void wpa_ft_deinit(struct wpa_authenticator *wpa_auth);
 382 void wpa_ft_sta_deinit(struct wpa_state_machine *sm);
 383 #endif /* CONFIG_IEEE80211R_AP */
 384
 385 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm);
 386 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag);
 387 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos);
 388 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos);
 389
 390 int wpa_auth_uses_sae(struct wpa_state_machine *sm);
 391 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm);
 392
 393 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr);
 394
 395 struct radius_das_attrs;
 396 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
 397                                          struct radius_das_attrs *attr);
 398 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth);
 399
 400 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id);
 401 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id);
 402 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
 403                          size_t pmk_len, const u8 *snonce, const u8 *anonce,
 404                          const u8 *dhss, size_t dhss_len,
 405                          struct wpabuf *g_sta, struct wpabuf *g_ap);
 406 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
 407                        const struct ieee80211_mgmt *mgmt, size_t frame_len,
 408                        u8 *pos, size_t left);
 409 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
 410                        size_t current_len, size_t max_len,
 411                        const struct wpabuf *hlp);
 412 int fils_set_tk(struct wpa_state_machine *sm);
 413 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *eid,
 414                                     const u8 *fils_session,
 415                                     struct wpabuf *fils_hlp_resp);
 416 const u8 *  wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
 417                                            const u8 *ies, size_t ies_len,
 418                                            const u8 *fils_session);
 419 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
 420                                   size_t ies_len);
 421
 422 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len);
 423 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
 424                                    u8 *fils_anonce, u8 *fils_snonce,
 425                                    u8 *fils_kek, size_t *fils_kek_len);
 426 u8 * wpa_auth_write_assoc_resp_owe(struct wpa_state_machine *sm,
 427                                    u8 *pos, size_t max_len,
 428                                    const u8 *req_ies, size_t req_ies_len);
 429
 430 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm);
 431
 432 #endif /* WPA_AUTH_H */