2 * hostapd - IEEE 802.11i-2004 / WPA Authenticator
3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "common/defs.h"
13 #include "common/eapol_common.h"
14 #include "common/wpa_common.h"
15 #include "common/ieee802_11_defs.h"
17 struct vlan_description
;
19 #define MAX_OWN_IE_OVERRIDE 256
25 /* IEEE Std 802.11r-2008, 11A.10.3 - Remote request/response frame definition
28 u8 frame_type
; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */
29 u8 packet_type
; /* FT_PACKET_REQUEST/FT_PACKET_RESPONSE */
30 le16 action_length
; /* little endian length of action_frame */
31 u8 ap_address
[ETH_ALEN
];
33 * Followed by action_length bytes of FT Action frame (from Category
34 * field to the end of Action Frame body.
38 #define RSN_REMOTE_FRAME_TYPE_FT_RRB 1
40 #define FT_PACKET_REQUEST 0
41 #define FT_PACKET_RESPONSE 1
43 /* Vendor-specific types for R0KH-R1KH protocol; not defined in 802.11r. These
44 * use OUI Extended EtherType as the encapsulating format. */
45 #define FT_PACKET_R0KH_R1KH_PULL 0x01
46 #define FT_PACKET_R0KH_R1KH_RESP 0x02
47 #define FT_PACKET_R0KH_R1KH_PUSH 0x03
48 #define FT_PACKET_R0KH_R1KH_SEQ_REQ 0x04
49 #define FT_PACKET_R0KH_R1KH_SEQ_RESP 0x05
52 * IEEE 802 extended OUI ethertype frame header
53 * u16 authlen (little endian)
54 * multiple of struct ft_rrb_tlv (authenticated only, length = authlen)
55 * multiple of struct ft_rrb_tlv (AES-SIV encrypted, AES-SIV needs an extra
59 * source MAC address (6)
60 * authenticated-only TLVs (authlen)
61 * subtype (1; FT_PACKET_*)
64 #define FT_RRB_NONCE_LEN 16
66 #define FT_RRB_LAST_EMPTY 0 /* placeholder or padding */
68 #define FT_RRB_SEQ 1 /* struct ft_rrb_seq */
69 #define FT_RRB_NONCE 2 /* size FT_RRB_NONCE_LEN */
70 #define FT_RRB_TIMESTAMP 3 /* le32 unix seconds */
72 #define FT_RRB_R0KH_ID 4 /* FT_R0KH_ID_MAX_LEN */
73 #define FT_RRB_R1KH_ID 5 /* FT_R1KH_ID_LEN */
74 #define FT_RRB_S1KH_ID 6 /* ETH_ALEN */
76 #define FT_RRB_PMK_R0_NAME 7 /* WPA_PMK_NAME_LEN */
77 #define FT_RRB_PMK_R0 8 /* PMK_LEN */
78 #define FT_RRB_PMK_R1_NAME 9 /* WPA_PMK_NAME_LEN */
79 #define FT_RRB_PMK_R1 10 /* PMK_LEN */
81 #define FT_RRB_PAIRWISE 11 /* le16 */
82 #define FT_RRB_EXPIRES_IN 12 /* le16 seconds */
84 #define FT_RRB_VLAN_UNTAGGED 13 /* le16 */
85 #define FT_RRB_VLAN_TAGGED 14 /* n times le16 */
87 #define FT_RRB_IDENTITY 15
88 #define FT_RRB_RADIUS_CUI 16
89 #define FT_RRB_SESSION_TIMEOUT 17 /* le32 seconds */
94 /* followed by data of length len */
104 * required: PMK_R1, PMK_R1_NAME, PAIRWISE
105 * optional: VLAN_UNTAGGED, VLAN_TAGGED, EXPIRES_IN, IDENTITY, RADIUS_CUI,
110 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
112 * required: PMK_R0_NAME, S1KH_ID
114 * response frame TLVs:
116 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
119 * optional: session TLVs
123 * required: SEQ, R0KH_ID, R1KH_ID
125 * required: S1KH_ID, PMK_R0_NAME, session TLVs
127 * sequence number request frame TLVs:
129 * required: R0KH_ID, R1KH_ID, NONCE
131 * sequence number response frame TLVs:
133 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
138 #endif /* _MSC_VER */
141 /* per STA state machine data */
143 struct wpa_authenticator
;
144 struct wpa_state_machine
;
145 struct rsn_pmksa_cache_entry
;
146 struct eapol_state_machine
;
147 struct ft_remote_seq
;
148 struct wpa_channel_info
;
151 struct ft_remote_r0kh
{
152 struct ft_remote_r0kh
*next
;
154 u8 id
[FT_R0KH_ID_MAX_LEN
];
157 struct ft_remote_seq
*seq
;
161 struct ft_remote_r1kh
{
162 struct ft_remote_r1kh
*next
;
164 u8 id
[FT_R1KH_ID_LEN
];
166 struct ft_remote_seq
*seq
;
170 struct wpa_auth_config
{
176 int wpa_strict_rekey
;
179 u32 wpa_group_update_count
;
180 u32 wpa_pairwise_update_count
;
181 int wpa_disable_eapol_key_retries
;
187 int disable_pmksa_caching
;
190 #ifdef CONFIG_IEEE80211W
191 enum mfp_options ieee80211w
;
192 int group_mgmt_cipher
;
194 #endif /* CONFIG_IEEE80211W */
196 int ocv
; /* Operating Channel Validation */
197 #endif /* CONFIG_OCV */
198 #ifdef CONFIG_IEEE80211R_AP
199 u8 ssid
[SSID_MAX_LEN
];
201 u8 mobility_domain
[MOBILITY_DOMAIN_ID_LEN
];
202 u8 r0_key_holder
[FT_R0KH_ID_MAX_LEN
];
203 size_t r0_key_holder_len
;
204 u8 r1_key_holder
[FT_R1KH_ID_LEN
];
205 u32 r0_key_lifetime
; /* PMK-R0 lifetime seconds */
208 int rkh_pull_timeout
; /* ms */
209 int rkh_pull_retries
;
210 int r1_max_key_lifetime
;
211 u32 reassociation_deadline
;
212 struct ft_remote_r0kh
**r0kh_list
;
213 struct ft_remote_r1kh
**r1kh_list
;
216 int ft_psk_generate_local
;
217 #endif /* CONFIG_IEEE80211R_AP */
220 #ifdef CONFIG_TESTING_OPTIONS
221 double corrupt_gtk_rekey_mic_probability
;
222 u8 own_ie_override
[MAX_OWN_IE_OVERRIDE
];
223 size_t own_ie_override_len
;
224 #endif /* CONFIG_TESTING_OPTIONS */
230 #endif /* CONFIG_P2P */
232 unsigned int fils_cache_id_set
:1;
233 u8 fils_cache_id
[FILS_CACHE_ID_LEN
];
234 #endif /* CONFIG_FILS */
238 LOGGER_DEBUG
, LOGGER_INFO
, LOGGER_WARNING
242 WPA_EAPOL_portEnabled
, WPA_EAPOL_portValid
, WPA_EAPOL_authorized
,
243 WPA_EAPOL_portControl_Auto
, WPA_EAPOL_keyRun
, WPA_EAPOL_keyAvailable
,
244 WPA_EAPOL_keyDone
, WPA_EAPOL_inc_EapolFramesTx
245 } wpa_eapol_variable
;
247 struct wpa_auth_callbacks
{
248 void (*logger
)(void *ctx
, const u8
*addr
, logger_level level
,
250 void (*disconnect
)(void *ctx
, const u8
*addr
, u16 reason
);
251 int (*mic_failure_report
)(void *ctx
, const u8
*addr
);
252 void (*psk_failure_report
)(void *ctx
, const u8
*addr
);
253 void (*set_eapol
)(void *ctx
, const u8
*addr
, wpa_eapol_variable var
,
255 int (*get_eapol
)(void *ctx
, const u8
*addr
, wpa_eapol_variable var
);
256 const u8
* (*get_psk
)(void *ctx
, const u8
*addr
, const u8
*p2p_dev_addr
,
257 const u8
*prev_psk
, size_t *psk_len
,
259 int (*get_msk
)(void *ctx
, const u8
*addr
, u8
*msk
, size_t *len
);
260 int (*set_key
)(void *ctx
, int vlan_id
, enum wpa_alg alg
,
261 const u8
*addr
, int idx
, u8
*key
, size_t key_len
);
262 int (*get_seqnum
)(void *ctx
, const u8
*addr
, int idx
, u8
*seq
);
263 int (*send_eapol
)(void *ctx
, const u8
*addr
, const u8
*data
,
264 size_t data_len
, int encrypt
);
265 int (*for_each_sta
)(void *ctx
, int (*cb
)(struct wpa_state_machine
*sm
,
266 void *ctx
), void *cb_ctx
);
267 int (*for_each_auth
)(void *ctx
, int (*cb
)(struct wpa_authenticator
*a
,
268 void *ctx
), void *cb_ctx
);
269 int (*send_ether
)(void *ctx
, const u8
*dst
, u16 proto
, const u8
*data
,
271 int (*send_oui
)(void *ctx
, const u8
*dst
, u8 oui_suffix
, const u8
*data
,
273 int (*channel_info
)(void *ctx
, struct wpa_channel_info
*ci
);
274 int (*update_vlan
)(void *ctx
, const u8
*addr
, int vlan_id
);
275 int (*get_sta_tx_params
)(void *ctx
, const u8
*addr
,
276 int ap_max_chanwidth
, int ap_seg1_idx
,
277 int *bandwidth
, int *seg1_idx
);
278 #ifdef CONFIG_IEEE80211R_AP
279 struct wpa_state_machine
* (*add_sta
)(void *ctx
, const u8
*sta_addr
);
280 int (*set_vlan
)(void *ctx
, const u8
*sta_addr
,
281 struct vlan_description
*vlan
);
282 int (*get_vlan
)(void *ctx
, const u8
*sta_addr
,
283 struct vlan_description
*vlan
);
284 int (*set_identity
)(void *ctx
, const u8
*sta_addr
,
285 const u8
*identity
, size_t identity_len
);
286 size_t (*get_identity
)(void *ctx
, const u8
*sta_addr
, const u8
**buf
);
287 int (*set_radius_cui
)(void *ctx
, const u8
*sta_addr
,
288 const u8
*radius_cui
, size_t radius_cui_len
);
289 size_t (*get_radius_cui
)(void *ctx
, const u8
*sta_addr
, const u8
**buf
);
290 void (*set_session_timeout
)(void *ctx
, const u8
*sta_addr
,
291 int session_timeout
);
292 int (*get_session_timeout
)(void *ctx
, const u8
*sta_addr
);
294 int (*send_ft_action
)(void *ctx
, const u8
*dst
,
295 const u8
*data
, size_t data_len
);
296 int (*add_tspec
)(void *ctx
, const u8
*sta_addr
, u8
*tspec_ie
,
298 #endif /* CONFIG_IEEE80211R_AP */
300 int (*start_ampe
)(void *ctx
, const u8
*sta_addr
);
301 #endif /* CONFIG_MESH */
304 struct wpa_authenticator
* wpa_init(const u8
*addr
,
305 struct wpa_auth_config
*conf
,
306 const struct wpa_auth_callbacks
*cb
,
308 int wpa_init_keys(struct wpa_authenticator
*wpa_auth
);
309 void wpa_deinit(struct wpa_authenticator
*wpa_auth
);
310 int wpa_reconfig(struct wpa_authenticator
*wpa_auth
,
311 struct wpa_auth_config
*conf
);
314 WPA_IE_OK
, WPA_INVALID_IE
, WPA_INVALID_GROUP
, WPA_INVALID_PAIRWISE
,
315 WPA_INVALID_AKMP
, WPA_NOT_ENABLED
, WPA_ALLOC_FAIL
,
316 WPA_MGMT_FRAME_PROTECTION_VIOLATION
, WPA_INVALID_MGMT_GROUP_CIPHER
,
317 WPA_INVALID_MDIE
, WPA_INVALID_PROTO
, WPA_INVALID_PMKID
320 int wpa_validate_wpa_ie(struct wpa_authenticator
*wpa_auth
,
321 struct wpa_state_machine
*sm
, int freq
,
322 const u8
*wpa_ie
, size_t wpa_ie_len
,
323 const u8
*mdie
, size_t mdie_len
,
324 const u8
*owe_dh
, size_t owe_dh_len
);
325 int wpa_validate_osen(struct wpa_authenticator
*wpa_auth
,
326 struct wpa_state_machine
*sm
,
327 const u8
*osen_ie
, size_t osen_ie_len
);
328 int wpa_auth_uses_mfp(struct wpa_state_machine
*sm
);
329 void wpa_auth_set_ocv(struct wpa_state_machine
*sm
, int ocv
);
330 int wpa_auth_uses_ocv(struct wpa_state_machine
*sm
);
331 struct wpa_state_machine
*
332 wpa_auth_sta_init(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
333 const u8
*p2p_dev_addr
);
334 int wpa_auth_sta_associated(struct wpa_authenticator
*wpa_auth
,
335 struct wpa_state_machine
*sm
);
336 void wpa_auth_sta_no_wpa(struct wpa_state_machine
*sm
);
337 void wpa_auth_sta_deinit(struct wpa_state_machine
*sm
);
338 void wpa_receive(struct wpa_authenticator
*wpa_auth
,
339 struct wpa_state_machine
*sm
,
340 u8
*data
, size_t data_len
);
342 WPA_AUTH
, WPA_ASSOC
, WPA_DISASSOC
, WPA_DEAUTH
, WPA_REAUTH
,
343 WPA_REAUTH_EAPOL
, WPA_ASSOC_FT
, WPA_ASSOC_FILS
, WPA_DRV_STA_REMOVED
345 void wpa_remove_ptk(struct wpa_state_machine
*sm
);
346 int wpa_auth_sm_event(struct wpa_state_machine
*sm
, enum wpa_event event
);
347 void wpa_auth_sm_notify(struct wpa_state_machine
*sm
);
348 void wpa_gtk_rekey(struct wpa_authenticator
*wpa_auth
);
349 int wpa_get_mib(struct wpa_authenticator
*wpa_auth
, char *buf
, size_t buflen
);
350 int wpa_get_mib_sta(struct wpa_state_machine
*sm
, char *buf
, size_t buflen
);
351 void wpa_auth_countermeasures_start(struct wpa_authenticator
*wpa_auth
);
352 int wpa_auth_pairwise_set(struct wpa_state_machine
*sm
);
353 int wpa_auth_get_pairwise(struct wpa_state_machine
*sm
);
354 const u8
* wpa_auth_get_pmk(struct wpa_state_machine
*sm
, int *len
);
355 int wpa_auth_sta_key_mgmt(struct wpa_state_machine
*sm
);
356 int wpa_auth_sta_wpa_version(struct wpa_state_machine
*sm
);
357 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine
*sm
);
358 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine
*sm
);
359 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine
*sm
,
360 struct rsn_pmksa_cache_entry
*entry
);
361 struct rsn_pmksa_cache_entry
*
362 wpa_auth_sta_get_pmksa(struct wpa_state_machine
*sm
);
363 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine
*sm
);
364 const u8
* wpa_auth_get_wpa_ie(struct wpa_authenticator
*wpa_auth
,
366 int wpa_auth_pmksa_add(struct wpa_state_machine
*sm
, const u8
*pmk
,
367 unsigned int pmk_len
,
368 int session_timeout
, struct eapol_state_machine
*eapol
);
369 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator
*wpa_auth
,
370 const u8
*pmk
, size_t len
, const u8
*sta_addr
,
372 struct eapol_state_machine
*eapol
);
373 int wpa_auth_pmksa_add_sae(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
374 const u8
*pmk
, const u8
*pmkid
);
375 void wpa_auth_add_sae_pmkid(struct wpa_state_machine
*sm
, const u8
*pmkid
);
376 int wpa_auth_pmksa_add2(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
377 const u8
*pmk
, size_t pmk_len
, const u8
*pmkid
,
378 int session_timeout
, int akmp
);
379 void wpa_auth_pmksa_remove(struct wpa_authenticator
*wpa_auth
,
381 int wpa_auth_pmksa_list(struct wpa_authenticator
*wpa_auth
, char *buf
,
383 void wpa_auth_pmksa_flush(struct wpa_authenticator
*wpa_auth
);
384 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
385 char *buf
, size_t len
);
386 struct rsn_pmksa_cache_entry
*
387 wpa_auth_pmksa_create_entry(const u8
*aa
, const u8
*spa
, const u8
*pmk
,
388 const u8
*pmkid
, int expiration
);
389 int wpa_auth_pmksa_add_entry(struct wpa_authenticator
*wpa_auth
,
390 struct rsn_pmksa_cache_entry
*entry
);
391 struct rsn_pmksa_cache_entry
*
392 wpa_auth_pmksa_get(struct wpa_authenticator
*wpa_auth
, const u8
*sta_addr
,
394 struct rsn_pmksa_cache_entry
*
395 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator
*wpa_auth
,
396 const u8
*sta_addr
, const u8
*pmkid
);
397 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry
*pmksa
,
398 struct wpa_state_machine
*sm
,
399 struct wpa_authenticator
*wpa_auth
,
401 int wpa_auth_sta_set_vlan(struct wpa_state_machine
*sm
, int vlan_id
);
402 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator
*wpa_auth
,
403 struct wpa_state_machine
*sm
, int ack
);
405 #ifdef CONFIG_IEEE80211R_AP
406 u8
* wpa_sm_write_assoc_resp_ies(struct wpa_state_machine
*sm
, u8
*pos
,
407 size_t max_len
, int auth_alg
,
408 const u8
*req_ies
, size_t req_ies_len
);
409 void wpa_ft_process_auth(struct wpa_state_machine
*sm
, const u8
*bssid
,
410 u16 auth_transaction
, const u8
*ies
, size_t ies_len
,
411 void (*cb
)(void *ctx
, const u8
*dst
, const u8
*bssid
,
412 u16 auth_transaction
, u16 resp
,
413 const u8
*ies
, size_t ies_len
),
415 u16
wpa_ft_validate_reassoc(struct wpa_state_machine
*sm
, const u8
*ies
,
417 int wpa_ft_action_rx(struct wpa_state_machine
*sm
, const u8
*data
, size_t len
);
418 int wpa_ft_rrb_rx(struct wpa_authenticator
*wpa_auth
, const u8
*src_addr
,
419 const u8
*data
, size_t data_len
);
420 void wpa_ft_rrb_oui_rx(struct wpa_authenticator
*wpa_auth
, const u8
*src_addr
,
421 const u8
*dst_addr
, u8 oui_suffix
, const u8
*data
,
423 void wpa_ft_push_pmk_r1(struct wpa_authenticator
*wpa_auth
, const u8
*addr
);
424 void wpa_ft_deinit(struct wpa_authenticator
*wpa_auth
);
425 void wpa_ft_sta_deinit(struct wpa_state_machine
*sm
);
426 #endif /* CONFIG_IEEE80211R_AP */
428 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine
*sm
);
429 void wpa_set_wnmsleep(struct wpa_state_machine
*sm
, int flag
);
430 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine
*sm
, u8
*pos
);
431 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine
*sm
, u8
*pos
);
433 int wpa_auth_uses_sae(struct wpa_state_machine
*sm
);
434 int wpa_auth_uses_ft_sae(struct wpa_state_machine
*sm
);
436 int wpa_auth_get_ip_addr(struct wpa_state_machine
*sm
, u8
*addr
);
438 struct radius_das_attrs
;
439 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator
*wpa_auth
,
440 struct radius_das_attrs
*attr
);
441 void wpa_auth_reconfig_group_keys(struct wpa_authenticator
*wpa_auth
);
443 int wpa_auth_ensure_group(struct wpa_authenticator
*wpa_auth
, int vlan_id
);
444 int wpa_auth_release_group(struct wpa_authenticator
*wpa_auth
, int vlan_id
);
445 int fils_auth_pmk_to_ptk(struct wpa_state_machine
*sm
, const u8
*pmk
,
446 size_t pmk_len
, const u8
*snonce
, const u8
*anonce
,
447 const u8
*dhss
, size_t dhss_len
,
448 struct wpabuf
*g_sta
, struct wpabuf
*g_ap
);
449 int fils_decrypt_assoc(struct wpa_state_machine
*sm
, const u8
*fils_session
,
450 const struct ieee80211_mgmt
*mgmt
, size_t frame_len
,
451 u8
*pos
, size_t left
);
452 int fils_encrypt_assoc(struct wpa_state_machine
*sm
, u8
*buf
,
453 size_t current_len
, size_t max_len
,
454 const struct wpabuf
*hlp
);
455 int fils_set_tk(struct wpa_state_machine
*sm
);
456 u8
* hostapd_eid_assoc_fils_session(struct wpa_state_machine
*sm
, u8
*eid
,
457 const u8
*fils_session
,
458 struct wpabuf
*fils_hlp_resp
);
459 const u8
* wpa_fils_validate_fils_session(struct wpa_state_machine
*sm
,
460 const u8
*ies
, size_t ies_len
,
461 const u8
*fils_session
);
462 int wpa_fils_validate_key_confirm(struct wpa_state_machine
*sm
, const u8
*ies
,
465 int get_sta_tx_parameters(struct wpa_state_machine
*sm
, int ap_max_chanwidth
,
466 int ap_seg1_idx
, int *bandwidth
, int *seg1_idx
);
468 int wpa_auth_write_fte(struct wpa_authenticator
*wpa_auth
, int use_sha384
,
469 u8
*buf
, size_t len
);
470 void wpa_auth_get_fils_aead_params(struct wpa_state_machine
*sm
,
471 u8
*fils_anonce
, u8
*fils_snonce
,
472 u8
*fils_kek
, size_t *fils_kek_len
);
473 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine
*sm
, const u8
*pmk
,
474 size_t pmk_len
, const u8
*pmkid
);
475 u8
* wpa_auth_write_assoc_resp_owe(struct wpa_state_machine
*sm
,
476 u8
*pos
, size_t max_len
,
477 const u8
*req_ies
, size_t req_ies_len
);
478 void wpa_auth_set_auth_alg(struct wpa_state_machine
*sm
, u16 auth_alg
);
479 void wpa_auth_set_dpp_z(struct wpa_state_machine
*sm
, const struct wpabuf
*z
);
481 int wpa_auth_resend_m1(struct wpa_state_machine
*sm
, int change_anonce
,
482 void (*cb
)(void *ctx1
, void *ctx2
),
483 void *ctx1
, void *ctx2
);
484 int wpa_auth_resend_m3(struct wpa_state_machine
*sm
,
485 void (*cb
)(void *ctx1
, void *ctx2
),
486 void *ctx1
, void *ctx2
);
487 int wpa_auth_resend_group_m1(struct wpa_state_machine
*sm
,
488 void (*cb
)(void *ctx1
, void *ctx2
),
489 void *ctx1
, void *ctx2
);
490 int wpa_auth_rekey_gtk(struct wpa_authenticator
*wpa_auth
);
491 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine
*sm
);
493 #endif /* WPA_AUTH_H */