2 * hostapd - IEEE 802.11i-2004 / WPA Authenticator
3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "common/defs.h"
13 #include "common/eapol_common.h"
14 #include "common/wpa_common.h"
15 #include "common/ieee802_11_defs.h"
17 struct vlan_description
;
19 #define MAX_OWN_IE_OVERRIDE 256
25 /* IEEE Std 802.11r-2008, 11A.10.3 - Remote request/response frame definition
28 u8 frame_type
; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */
29 u8 packet_type
; /* FT_PACKET_REQUEST/FT_PACKET_RESPONSE */
30 le16 action_length
; /* little endian length of action_frame */
31 u8 ap_address
[ETH_ALEN
];
33 * Followed by action_length bytes of FT Action frame (from Category
34 * field to the end of Action Frame body.
38 #define RSN_REMOTE_FRAME_TYPE_FT_RRB 1
40 #define FT_PACKET_REQUEST 0
41 #define FT_PACKET_RESPONSE 1
43 /* Vendor-specific types for R0KH-R1KH protocol; not defined in 802.11r. These
44 * use OUI Extended EtherType as the encapsulating format. */
45 #define FT_PACKET_R0KH_R1KH_PULL 0x01
46 #define FT_PACKET_R0KH_R1KH_RESP 0x02
47 #define FT_PACKET_R0KH_R1KH_PUSH 0x03
48 #define FT_PACKET_R0KH_R1KH_SEQ_REQ 0x04
49 #define FT_PACKET_R0KH_R1KH_SEQ_RESP 0x05
52 * IEEE 802 extended OUI ethertype frame header
53 * u16 authlen (little endian)
54 * multiple of struct ft_rrb_tlv (authenticated only, length = authlen)
55 * multiple of struct ft_rrb_tlv (AES-SIV encrypted, AES-SIV needs an extra
59 * source MAC address (6)
60 * authenticated-only TLVs (authlen)
61 * subtype (1; FT_PACKET_*)
64 #define FT_RRB_NONCE_LEN 16
66 #define FT_RRB_LAST_EMPTY 0 /* placeholder or padding */
68 #define FT_RRB_SEQ 1 /* struct ft_rrb_seq */
69 #define FT_RRB_NONCE 2 /* size FT_RRB_NONCE_LEN */
70 #define FT_RRB_TIMESTAMP 3 /* le32 unix seconds */
72 #define FT_RRB_R0KH_ID 4 /* FT_R0KH_ID_MAX_LEN */
73 #define FT_RRB_R1KH_ID 5 /* FT_R1KH_ID_LEN */
74 #define FT_RRB_S1KH_ID 6 /* ETH_ALEN */
76 #define FT_RRB_PMK_R0_NAME 7 /* WPA_PMK_NAME_LEN */
77 #define FT_RRB_PMK_R0 8 /* PMK_LEN */
78 #define FT_RRB_PMK_R1_NAME 9 /* WPA_PMK_NAME_LEN */
79 #define FT_RRB_PMK_R1 10 /* PMK_LEN */
81 #define FT_RRB_PAIRWISE 11 /* le16 */
82 #define FT_RRB_EXPIRES_IN 12 /* le16 seconds */
84 #define FT_RRB_VLAN_UNTAGGED 13 /* le16 */
85 #define FT_RRB_VLAN_TAGGED 14 /* n times le16 */
87 #define FT_RRB_IDENTITY 15
88 #define FT_RRB_RADIUS_CUI 16
89 #define FT_RRB_SESSION_TIMEOUT 17 /* le32 seconds */
94 /* followed by data of length len */
104 * required: PMK_R1, PMK_R1_NAME, PAIRWISE
105 * optional: VLAN_UNTAGGED, VLAN_TAGGED, EXPIRES_IN, IDENTITY, RADIUS_CUI,
110 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
112 * required: PMK_R0_NAME, S1KH_ID
114 * response frame TLVs:
116 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
119 * optional: session TLVs
123 * required: SEQ, R0KH_ID, R1KH_ID
125 * required: S1KH_ID, PMK_R0_NAME, session TLVs
127 * sequence number request frame TLVs:
129 * required: R0KH_ID, R1KH_ID, NONCE
131 * sequence number response frame TLVs:
133 * required: SEQ, NONCE, R0KH_ID, R1KH_ID
138 #endif /* _MSC_VER */
141 /* per STA state machine data */
143 struct wpa_authenticator
;
144 struct wpa_state_machine
;
145 struct rsn_pmksa_cache_entry
;
146 struct eapol_state_machine
;
147 struct ft_remote_seq
;
150 struct ft_remote_r0kh
{
151 struct ft_remote_r0kh
*next
;
153 u8 id
[FT_R0KH_ID_MAX_LEN
];
156 struct ft_remote_seq
*seq
;
160 struct ft_remote_r1kh
{
161 struct ft_remote_r1kh
*next
;
163 u8 id
[FT_R1KH_ID_LEN
];
165 struct ft_remote_seq
*seq
;
169 struct wpa_auth_config
{
175 int wpa_strict_rekey
;
178 u32 wpa_group_update_count
;
179 u32 wpa_pairwise_update_count
;
180 int wpa_disable_eapol_key_retries
;
186 int disable_pmksa_caching
;
189 #ifdef CONFIG_IEEE80211W
190 enum mfp_options ieee80211w
;
191 int group_mgmt_cipher
;
193 #endif /* CONFIG_IEEE80211W */
194 #ifdef CONFIG_IEEE80211R_AP
195 u8 ssid
[SSID_MAX_LEN
];
197 u8 mobility_domain
[MOBILITY_DOMAIN_ID_LEN
];
198 u8 r0_key_holder
[FT_R0KH_ID_MAX_LEN
];
199 size_t r0_key_holder_len
;
200 u8 r1_key_holder
[FT_R1KH_ID_LEN
];
201 u32 r0_key_lifetime
; /* PMK-R0 lifetime seconds */
204 int rkh_pull_timeout
; /* ms */
205 int rkh_pull_retries
;
206 int r1_max_key_lifetime
;
207 u32 reassociation_deadline
;
208 struct ft_remote_r0kh
**r0kh_list
;
209 struct ft_remote_r1kh
**r1kh_list
;
212 int ft_psk_generate_local
;
213 #endif /* CONFIG_IEEE80211R_AP */
216 #ifdef CONFIG_TESTING_OPTIONS
217 double corrupt_gtk_rekey_mic_probability
;
218 u8 own_ie_override
[MAX_OWN_IE_OVERRIDE
];
219 size_t own_ie_override_len
;
220 #endif /* CONFIG_TESTING_OPTIONS */
226 #endif /* CONFIG_P2P */
228 unsigned int fils_cache_id_set
:1;
229 u8 fils_cache_id
[FILS_CACHE_ID_LEN
];
230 #endif /* CONFIG_FILS */
234 LOGGER_DEBUG
, LOGGER_INFO
, LOGGER_WARNING
238 WPA_EAPOL_portEnabled
, WPA_EAPOL_portValid
, WPA_EAPOL_authorized
,
239 WPA_EAPOL_portControl_Auto
, WPA_EAPOL_keyRun
, WPA_EAPOL_keyAvailable
,
240 WPA_EAPOL_keyDone
, WPA_EAPOL_inc_EapolFramesTx
241 } wpa_eapol_variable
;
243 struct wpa_auth_callbacks
{
244 void (*logger
)(void *ctx
, const u8
*addr
, logger_level level
,
246 void (*disconnect
)(void *ctx
, const u8
*addr
, u16 reason
);
247 int (*mic_failure_report
)(void *ctx
, const u8
*addr
);
248 void (*psk_failure_report
)(void *ctx
, const u8
*addr
);
249 void (*set_eapol
)(void *ctx
, const u8
*addr
, wpa_eapol_variable var
,
251 int (*get_eapol
)(void *ctx
, const u8
*addr
, wpa_eapol_variable var
);
252 const u8
* (*get_psk
)(void *ctx
, const u8
*addr
, const u8
*p2p_dev_addr
,
253 const u8
*prev_psk
, size_t *psk_len
);
254 int (*get_msk
)(void *ctx
, const u8
*addr
, u8
*msk
, size_t *len
);
255 int (*set_key
)(void *ctx
, int vlan_id
, enum wpa_alg alg
,
256 const u8
*addr
, int idx
, u8
*key
, size_t key_len
);
257 int (*get_seqnum
)(void *ctx
, const u8
*addr
, int idx
, u8
*seq
);
258 int (*send_eapol
)(void *ctx
, const u8
*addr
, const u8
*data
,
259 size_t data_len
, int encrypt
);
260 int (*for_each_sta
)(void *ctx
, int (*cb
)(struct wpa_state_machine
*sm
,
261 void *ctx
), void *cb_ctx
);
262 int (*for_each_auth
)(void *ctx
, int (*cb
)(struct wpa_authenticator
*a
,
263 void *ctx
), void *cb_ctx
);
264 int (*send_ether
)(void *ctx
, const u8
*dst
, u16 proto
, const u8
*data
,
266 int (*send_oui
)(void *ctx
, const u8
*dst
, u8 oui_suffix
, const u8
*data
,
268 #ifdef CONFIG_IEEE80211R_AP
269 struct wpa_state_machine
* (*add_sta
)(void *ctx
, const u8
*sta_addr
);
270 int (*set_vlan
)(void *ctx
, const u8
*sta_addr
,
271 struct vlan_description
*vlan
);
272 int (*get_vlan
)(void *ctx
, const u8
*sta_addr
,
273 struct vlan_description
*vlan
);
274 int (*set_identity
)(void *ctx
, const u8
*sta_addr
,
275 const u8
*identity
, size_t identity_len
);
276 size_t (*get_identity
)(void *ctx
, const u8
*sta_addr
, const u8
**buf
);
277 int (*set_radius_cui
)(void *ctx
, const u8
*sta_addr
,
278 const u8
*radius_cui
, size_t radius_cui_len
);
279 size_t (*get_radius_cui
)(void *ctx
, const u8
*sta_addr
, const u8
**buf
);
280 void (*set_session_timeout
)(void *ctx
, const u8
*sta_addr
,
281 int session_timeout
);
282 int (*get_session_timeout
)(void *ctx
, const u8
*sta_addr
);
284 int (*send_ft_action
)(void *ctx
, const u8
*dst
,
285 const u8
*data
, size_t data_len
);
286 int (*add_tspec
)(void *ctx
, const u8
*sta_addr
, u8
*tspec_ie
,
288 #endif /* CONFIG_IEEE80211R_AP */
290 int (*start_ampe
)(void *ctx
, const u8
*sta_addr
);
291 #endif /* CONFIG_MESH */
294 struct wpa_authenticator
* wpa_init(const u8
*addr
,
295 struct wpa_auth_config
*conf
,
296 const struct wpa_auth_callbacks
*cb
,
298 int wpa_init_keys(struct wpa_authenticator
*wpa_auth
);
299 void wpa_deinit(struct wpa_authenticator
*wpa_auth
);
300 int wpa_reconfig(struct wpa_authenticator
*wpa_auth
,
301 struct wpa_auth_config
*conf
);
304 WPA_IE_OK
, WPA_INVALID_IE
, WPA_INVALID_GROUP
, WPA_INVALID_PAIRWISE
,
305 WPA_INVALID_AKMP
, WPA_NOT_ENABLED
, WPA_ALLOC_FAIL
,
306 WPA_MGMT_FRAME_PROTECTION_VIOLATION
, WPA_INVALID_MGMT_GROUP_CIPHER
,
307 WPA_INVALID_MDIE
, WPA_INVALID_PROTO
, WPA_INVALID_PMKID
310 int wpa_validate_wpa_ie(struct wpa_authenticator
*wpa_auth
,
311 struct wpa_state_machine
*sm
,
312 const u8
*wpa_ie
, size_t wpa_ie_len
,
313 const u8
*mdie
, size_t mdie_len
,
314 const u8
*owe_dh
, size_t owe_dh_len
);
315 int wpa_validate_osen(struct wpa_authenticator
*wpa_auth
,
316 struct wpa_state_machine
*sm
,
317 const u8
*osen_ie
, size_t osen_ie_len
);
318 int wpa_auth_uses_mfp(struct wpa_state_machine
*sm
);
319 struct wpa_state_machine
*
320 wpa_auth_sta_init(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
321 const u8
*p2p_dev_addr
);
322 int wpa_auth_sta_associated(struct wpa_authenticator
*wpa_auth
,
323 struct wpa_state_machine
*sm
);
324 void wpa_auth_sta_no_wpa(struct wpa_state_machine
*sm
);
325 void wpa_auth_sta_deinit(struct wpa_state_machine
*sm
);
326 void wpa_receive(struct wpa_authenticator
*wpa_auth
,
327 struct wpa_state_machine
*sm
,
328 u8
*data
, size_t data_len
);
330 WPA_AUTH
, WPA_ASSOC
, WPA_DISASSOC
, WPA_DEAUTH
, WPA_REAUTH
,
331 WPA_REAUTH_EAPOL
, WPA_ASSOC_FT
, WPA_ASSOC_FILS
, WPA_DRV_STA_REMOVED
333 void wpa_remove_ptk(struct wpa_state_machine
*sm
);
334 int wpa_auth_sm_event(struct wpa_state_machine
*sm
, enum wpa_event event
);
335 void wpa_auth_sm_notify(struct wpa_state_machine
*sm
);
336 void wpa_gtk_rekey(struct wpa_authenticator
*wpa_auth
);
337 int wpa_get_mib(struct wpa_authenticator
*wpa_auth
, char *buf
, size_t buflen
);
338 int wpa_get_mib_sta(struct wpa_state_machine
*sm
, char *buf
, size_t buflen
);
339 void wpa_auth_countermeasures_start(struct wpa_authenticator
*wpa_auth
);
340 int wpa_auth_pairwise_set(struct wpa_state_machine
*sm
);
341 int wpa_auth_get_pairwise(struct wpa_state_machine
*sm
);
342 int wpa_auth_sta_key_mgmt(struct wpa_state_machine
*sm
);
343 int wpa_auth_sta_wpa_version(struct wpa_state_machine
*sm
);
344 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine
*sm
);
345 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine
*sm
);
346 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine
*sm
,
347 struct rsn_pmksa_cache_entry
*entry
);
348 struct rsn_pmksa_cache_entry
*
349 wpa_auth_sta_get_pmksa(struct wpa_state_machine
*sm
);
350 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine
*sm
);
351 const u8
* wpa_auth_get_wpa_ie(struct wpa_authenticator
*wpa_auth
,
353 int wpa_auth_pmksa_add(struct wpa_state_machine
*sm
, const u8
*pmk
,
354 unsigned int pmk_len
,
355 int session_timeout
, struct eapol_state_machine
*eapol
);
356 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator
*wpa_auth
,
357 const u8
*pmk
, size_t len
, const u8
*sta_addr
,
359 struct eapol_state_machine
*eapol
);
360 int wpa_auth_pmksa_add_sae(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
361 const u8
*pmk
, const u8
*pmkid
);
362 void wpa_auth_add_sae_pmkid(struct wpa_state_machine
*sm
, const u8
*pmkid
);
363 int wpa_auth_pmksa_add2(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
364 const u8
*pmk
, size_t pmk_len
, const u8
*pmkid
,
365 int session_timeout
, int akmp
);
366 void wpa_auth_pmksa_remove(struct wpa_authenticator
*wpa_auth
,
368 int wpa_auth_pmksa_list(struct wpa_authenticator
*wpa_auth
, char *buf
,
370 void wpa_auth_pmksa_flush(struct wpa_authenticator
*wpa_auth
);
371 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator
*wpa_auth
, const u8
*addr
,
372 char *buf
, size_t len
);
373 struct rsn_pmksa_cache_entry
*
374 wpa_auth_pmksa_create_entry(const u8
*aa
, const u8
*spa
, const u8
*pmk
,
375 const u8
*pmkid
, int expiration
);
376 int wpa_auth_pmksa_add_entry(struct wpa_authenticator
*wpa_auth
,
377 struct rsn_pmksa_cache_entry
*entry
);
378 struct rsn_pmksa_cache_entry
*
379 wpa_auth_pmksa_get(struct wpa_authenticator
*wpa_auth
, const u8
*sta_addr
,
381 struct rsn_pmksa_cache_entry
*
382 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator
*wpa_auth
,
383 const u8
*sta_addr
, const u8
*pmkid
);
384 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry
*pmksa
,
385 struct wpa_state_machine
*sm
,
386 struct wpa_authenticator
*wpa_auth
,
388 int wpa_auth_sta_set_vlan(struct wpa_state_machine
*sm
, int vlan_id
);
389 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator
*wpa_auth
,
390 struct wpa_state_machine
*sm
, int ack
);
392 #ifdef CONFIG_IEEE80211R_AP
393 u8
* wpa_sm_write_assoc_resp_ies(struct wpa_state_machine
*sm
, u8
*pos
,
394 size_t max_len
, int auth_alg
,
395 const u8
*req_ies
, size_t req_ies_len
);
396 void wpa_ft_process_auth(struct wpa_state_machine
*sm
, const u8
*bssid
,
397 u16 auth_transaction
, const u8
*ies
, size_t ies_len
,
398 void (*cb
)(void *ctx
, const u8
*dst
, const u8
*bssid
,
399 u16 auth_transaction
, u16 resp
,
400 const u8
*ies
, size_t ies_len
),
402 u16
wpa_ft_validate_reassoc(struct wpa_state_machine
*sm
, const u8
*ies
,
404 int wpa_ft_action_rx(struct wpa_state_machine
*sm
, const u8
*data
, size_t len
);
405 int wpa_ft_rrb_rx(struct wpa_authenticator
*wpa_auth
, const u8
*src_addr
,
406 const u8
*data
, size_t data_len
);
407 void wpa_ft_rrb_oui_rx(struct wpa_authenticator
*wpa_auth
, const u8
*src_addr
,
408 const u8
*dst_addr
, u8 oui_suffix
, const u8
*data
,
410 void wpa_ft_push_pmk_r1(struct wpa_authenticator
*wpa_auth
, const u8
*addr
);
411 void wpa_ft_deinit(struct wpa_authenticator
*wpa_auth
);
412 void wpa_ft_sta_deinit(struct wpa_state_machine
*sm
);
413 #endif /* CONFIG_IEEE80211R_AP */
415 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine
*sm
);
416 void wpa_set_wnmsleep(struct wpa_state_machine
*sm
, int flag
);
417 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine
*sm
, u8
*pos
);
418 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine
*sm
, u8
*pos
);
420 int wpa_auth_uses_sae(struct wpa_state_machine
*sm
);
421 int wpa_auth_uses_ft_sae(struct wpa_state_machine
*sm
);
423 int wpa_auth_get_ip_addr(struct wpa_state_machine
*sm
, u8
*addr
);
425 struct radius_das_attrs
;
426 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator
*wpa_auth
,
427 struct radius_das_attrs
*attr
);
428 void wpa_auth_reconfig_group_keys(struct wpa_authenticator
*wpa_auth
);
430 int wpa_auth_ensure_group(struct wpa_authenticator
*wpa_auth
, int vlan_id
);
431 int wpa_auth_release_group(struct wpa_authenticator
*wpa_auth
, int vlan_id
);
432 int fils_auth_pmk_to_ptk(struct wpa_state_machine
*sm
, const u8
*pmk
,
433 size_t pmk_len
, const u8
*snonce
, const u8
*anonce
,
434 const u8
*dhss
, size_t dhss_len
,
435 struct wpabuf
*g_sta
, struct wpabuf
*g_ap
);
436 int fils_decrypt_assoc(struct wpa_state_machine
*sm
, const u8
*fils_session
,
437 const struct ieee80211_mgmt
*mgmt
, size_t frame_len
,
438 u8
*pos
, size_t left
);
439 int fils_encrypt_assoc(struct wpa_state_machine
*sm
, u8
*buf
,
440 size_t current_len
, size_t max_len
,
441 const struct wpabuf
*hlp
);
442 int fils_set_tk(struct wpa_state_machine
*sm
);
443 u8
* hostapd_eid_assoc_fils_session(struct wpa_state_machine
*sm
, u8
*eid
,
444 const u8
*fils_session
,
445 struct wpabuf
*fils_hlp_resp
);
446 const u8
* wpa_fils_validate_fils_session(struct wpa_state_machine
*sm
,
447 const u8
*ies
, size_t ies_len
,
448 const u8
*fils_session
);
449 int wpa_fils_validate_key_confirm(struct wpa_state_machine
*sm
, const u8
*ies
,
452 int wpa_auth_write_fte(struct wpa_authenticator
*wpa_auth
, int use_sha384
,
453 u8
*buf
, size_t len
);
454 void wpa_auth_get_fils_aead_params(struct wpa_state_machine
*sm
,
455 u8
*fils_anonce
, u8
*fils_snonce
,
456 u8
*fils_kek
, size_t *fils_kek_len
);
457 u8
* wpa_auth_write_assoc_resp_owe(struct wpa_state_machine
*sm
,
458 u8
*pos
, size_t max_len
,
459 const u8
*req_ies
, size_t req_ies_len
);
461 int wpa_auth_resend_m1(struct wpa_state_machine
*sm
, int change_anonce
,
462 void (*cb
)(void *ctx1
, void *ctx2
),
463 void *ctx1
, void *ctx2
);
464 int wpa_auth_resend_m3(struct wpa_state_machine
*sm
,
465 void (*cb
)(void *ctx1
, void *ctx2
),
466 void *ctx1
, void *ctx2
);
467 int wpa_auth_resend_group_m1(struct wpa_state_machine
*sm
,
468 void (*cb
)(void *ctx1
, void *ctx2
),
469 void *ctx1
, void *ctx2
);
470 int wpa_auth_rekey_gtk(struct wpa_authenticator
*wpa_auth
);
472 #endif /* WPA_AUTH_H */