]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
WPA: Stop WPA statement on STA disassociation
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
bb05d036 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
17c2559c 16#include "common/ocv.h"
3b5b7aa8 17#include "crypto/aes.h"
03da66bd 18#include "crypto/aes_wrap.h"
3b5b7aa8 19#include "crypto/aes_siv.h"
03da66bd
JM		 20#include "crypto/crypto.h"
21#include "crypto/sha1.h"
22#include "crypto/sha256.h"
c6eb3e34 23#include "crypto/sha384.h"
3642c431 24#include "crypto/random.h"
281c950b 25#include "eapol_auth/eapol_auth_sm.h"
17c2559c 26#include "drivers/driver.h"
6226e38d 27#include "ap_config.h"
6fc6879b 28#include "ieee802_11.h"
6226e38d
JM		 29#include "wpa_auth.h"
30#include "pmksa_cache_auth.h"
6fc6879b
JM		 31#include "wpa_auth_i.h"
32#include "wpa_auth_ie.h"
33
34#define STATE_MACHINE_DATA struct wpa_state_machine
35#define STATE_MACHINE_DEBUG_PREFIX "WPA"
36#define STATE_MACHINE_ADDR sm->addr
37
38
39static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 40static int wpa_sm_step(struct wpa_state_machine *sm);
567da5bb
JM		 41static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
42 u8 *data, size_t data_len);
75c8563e
JM		 43#ifdef CONFIG_FILS
44static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
45 u8 *buf, size_t buf_len, u16 *_key_data_len);
9392859d
JM		 46static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
47 const struct wpabuf *hlp);
75c8563e 48#endif /* CONFIG_FILS */
6fc6879b
JM		 49static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
50static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
581a8cde 52static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 53static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
54 struct wpa_group *group);
1bdb7ab3
JM		 55static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
f23c5b17 57static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 58 const u8 *pmk, unsigned int pmk_len,
59 struct wpa_ptk *ptk);
a0ad9e8c
MB		 60static void wpa_group_free(struct wpa_authenticator *wpa_auth,
61 struct wpa_group *group);
62static void wpa_group_get(struct wpa_authenticator *wpa_auth,
63 struct wpa_group *group);
64static void wpa_group_put(struct wpa_authenticator *wpa_auth,
65 struct wpa_group *group);
e73ffa09 66static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 67
bae61562
JM		 68static const u32 eapol_key_timeout_first = 100; /* ms */
69static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 70static const u32 eapol_key_timeout_first_group = 500; /* ms */
6f234c1e 71static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
6fc6879b
JM		 72
73/* TODO: make these configurable */
74static const int dot11RSNAConfigPMKLifetime = 43200;
75static const int dot11RSNAConfigPMKReauthThreshold = 70;
76static const int dot11RSNAConfigSATimeout = 60;
77
78
c772d054 79static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 80 struct wpa_authenticator *wpa_auth, const u8 *addr)
81{
cef8fac0
JB		 82 if (wpa_auth->cb->mic_failure_report)
83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 84 return 0;
6fc6879b
JM		 85}
86
87
2c502460
JM		 88static inline void wpa_auth_psk_failure_report(
89 struct wpa_authenticator *wpa_auth, const u8 *addr)
90{
cef8fac0
JB		 91 if (wpa_auth->cb->psk_failure_report)
92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 93}
94
95
6fc6879b
JM		 96static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
97 const u8 *addr, wpa_eapol_variable var,
98 int value)
99{
cef8fac0
JB		 100 if (wpa_auth->cb->set_eapol)
101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 102}
103
104
105static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
106 const u8 *addr, wpa_eapol_variable var)
107{
cef8fac0 108 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 109 return -1;
cef8fac0 110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 111}
112
113
114static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 115 const u8 *addr,
116 const u8 *p2p_dev_addr,
dbfa691d
JM		 117 const u8 *prev_psk, size_t *psk_len,
118 int *vlan_id)
6fc6879b 119{
cef8fac0 120 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 121 return NULL;
cef8fac0 122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
dbfa691d 123 prev_psk, psk_len, vlan_id);
6fc6879b
JM		 124}
125
126
127static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
128 const u8 *addr, u8 *msk, size_t *len)
129{
cef8fac0 130 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 131 return -1;
cef8fac0 132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 133}
134
135
136static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
137 int vlan_id,
71934751 138 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 139 u8 *key, size_t key_len)
140{
cef8fac0 141 if (wpa_auth->cb->set_key == NULL)
6fc6879b 142 return -1;
cef8fac0
JB		 143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
144 key, key_len);
6fc6879b
JM		 145}
146
147
148static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
149 const u8 *addr, int idx, u8 *seq)
150{
cef8fac0 151 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 152 return -1;
cef8fac0 153 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 154}
155
156
6fc6879b
JM		 157static inline int
158wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
159 const u8 *data, size_t data_len, int encrypt)
160{
cef8fac0 161 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 162 return -1;
cef8fac0
JB		 163 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
164 encrypt);
6fc6879b
JM		 165}
166
167
c50d94f1
BC		 168#ifdef CONFIG_MESH
169static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
170 const u8 *addr)
171{
cef8fac0 172 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 173 return -1;
cef8fac0 174 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 175}
176#endif /* CONFIG_MESH */
177
178
6fc6879b
JM		 179int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
180 int (*cb)(struct wpa_state_machine *sm, void *ctx),
181 void *cb_ctx)
182{
cef8fac0 183 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 184 return 0;
cef8fac0 185 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 186}
187
188
bf98f7f3
JM		 189int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
190 int (*cb)(struct wpa_authenticator *a, void *ctx),
191 void *cb_ctx)
192{
cef8fac0 193 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 194 return 0;
cef8fac0 195 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 196}
197
198
6fc6879b
JM		 199void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
200 logger_level level, const char *txt)
201{
cef8fac0 202 if (wpa_auth->cb->logger == NULL)
6fc6879b 203 return;
cef8fac0 204 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 205}
206
207
208void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
209 logger_level level, const char *fmt, ...)
210{
211 char *format;
212 int maxlen;
213 va_list ap;
214
cef8fac0 215 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 216 return;
217
218 maxlen = os_strlen(fmt) + 100;
219 format = os_malloc(maxlen);
220 if (!format)
221 return;
222
223 va_start(ap, fmt);
224 vsnprintf(format, maxlen, fmt, ap);
225 va_end(ap);
226
227 wpa_auth_logger(wpa_auth, addr, level, format);
228
229 os_free(format);
230}
231
232
233static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
567da5bb 234 const u8 *addr, u16 reason)
6fc6879b 235{
cef8fac0 236 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 237 return;
567da5bb
JM		 238 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
239 MAC2STR(addr), reason);
240 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
6fc6879b
JM		 241}
242
243
17c2559c
MV		 244#ifdef CONFIG_OCV
245static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
246 struct wpa_channel_info *ci)
247{
248 if (!wpa_auth->cb->channel_info)
249 return -1;
250 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
251}
252#endif /* CONFIG_OCV */
253
254
dbfa691d
JM		 255static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
256 const u8 *addr, int vlan_id)
257{
258 if (!wpa_auth->cb->update_vlan)
259 return -1;
260 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
261}
262
263
6fc6879b
JM		 264static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
265{
266 struct wpa_authenticator *wpa_auth = eloop_ctx;
267
3642c431 268 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 269 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
270 "initialization.");
271 } else {
272 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 273 wpa_hexdump_key(MSG_DEBUG, "GMK",
274 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 275 }
276
277 if (wpa_auth->conf.wpa_gmk_rekey) {
278 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
279 wpa_rekey_gmk, wpa_auth, NULL);
280 }
281}
282
283
284static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
285{
286 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 287 struct wpa_group *group, *next;
6fc6879b
JM		 288
289 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 290 group = wpa_auth->group;
291 while (group) {
292 wpa_group_get(wpa_auth, group);
293
6fc6879b
JM		 294 group->GTKReKey = TRUE;
295 do {
296 group->changed = FALSE;
297 wpa_group_sm_step(wpa_auth, group);
298 } while (group->changed);
a0ad9e8c
MB		 299
300 next = group->next;
301 wpa_group_put(wpa_auth, group);
302 group = next;
6fc6879b
JM		 303 }
304
305 if (wpa_auth->conf.wpa_group_rekey) {
306 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
307 0, wpa_rekey_gtk, wpa_auth, NULL);
308 }
309}
310
311
581a8cde
JM		 312static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
313{
314 struct wpa_authenticator *wpa_auth = eloop_ctx;
315 struct wpa_state_machine *sm = timeout_ctx;
316
317 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
318 wpa_request_new_ptk(sm);
319 wpa_sm_step(sm);
320}
321
322
a40bd06e
JM		 323void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
324{
325 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
326 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
327 MACSTR " (%d seconds)", MAC2STR(sm->addr),
328 sm->wpa_auth->conf.wpa_ptk_rekey);
329 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
330 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
331 wpa_rekey_ptk, sm->wpa_auth, sm);
332 }
333}
334
335
6fc6879b
JM		 336static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
337{
338 if (sm->pmksa == ctx)
339 sm->pmksa = NULL;
340 return 0;
341}
342
343
344static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
345 void *ctx)
346{
347 struct wpa_authenticator *wpa_auth = ctx;
348 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
349}
350
351
1bdb7ab3
JM		 352static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
353 struct wpa_group *group)
354{
559cdabb 355 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 356 u8 rkey[32];
559cdabb 357 unsigned long ptr;
1bdb7ab3 358
3642c431 359 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 360 return -1;
361 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
362
363 /*
364 * Counter = PRF-256(Random number, "Init Counter",
365 * Local MAC Address || Time)
366 */
367 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
368 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 369 ptr = (unsigned long) group;
370 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
525923b1
JM		 371#ifdef TEST_FUZZ
372 os_memset(buf + ETH_ALEN, 0xab, 8);
373 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
374#endif /* TEST_FUZZ */
3642c431 375 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 376 return -1;
377
378 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
379 group->Counter, WPA_NONCE_LEN) < 0)
380 return -1;
381 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
382 group->Counter, WPA_NONCE_LEN);
383
384 return 0;
385}
386
387
e6965d4e 388static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 389 int vlan_id, int delay_init)
e6965d4e
JM		 390{
391 struct wpa_group *group;
e6965d4e
JM		 392
393 group = os_zalloc(sizeof(struct wpa_group));
394 if (group == NULL)
395 return NULL;
396
397 group->GTKAuthenticator = TRUE;
398 group->vlan_id = vlan_id;
c3550295 399 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 400
08704cd8
JM		 401 if (random_pool_ready() != 1) {
402 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
403 "for secure operations - update keys later when "
404 "the first station connects");
405 }
406
1bdb7ab3
JM		 407 /*
408 * Set initial GMK/Counter value here. The actual values that will be
409 * used in negotiations will be set once the first station tries to
410 * connect. This allows more time for collecting additional randomness
411 * on embedded devices.
6fc6879b 412 */
1bdb7ab3 413 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 414 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
415 "initialization.");
416 os_free(group);
417 return NULL;
418 }
6fc6879b
JM		 419
420 group->GInit = TRUE;
bdffdc5d
JM		 421 if (delay_init) {
422 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
423 "until Beacon frames have been configured");
424 /* Initialization is completed in wpa_init_keys(). */
425 } else {
426 wpa_group_sm_step(wpa_auth, group);
427 group->GInit = FALSE;
428 wpa_group_sm_step(wpa_auth, group);
429 }
6fc6879b
JM		 430
431 return group;
432}
433
434
435/**
436 * wpa_init - Initialize WPA authenticator
437 * @addr: Authenticator address
438 * @conf: Configuration for WPA authenticator
a17df5fb 439 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 440 * Returns: Pointer to WPA authenticator data or %NULL on failure
441 */
442struct wpa_authenticator * wpa_init(const u8 *addr,
443 struct wpa_auth_config *conf,
cef8fac0
JB		 444 const struct wpa_auth_callbacks *cb,
445 void *cb_ctx)
6fc6879b
JM		 446{
447 struct wpa_authenticator *wpa_auth;
448
449 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
450 if (wpa_auth == NULL)
451 return NULL;
452 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
453 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 454 wpa_auth->cb = cb;
455 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 456
457 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
458 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
459 os_free(wpa_auth);
460 return NULL;
461 }
462
bdffdc5d 463 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 464 if (wpa_auth->group == NULL) {
465 os_free(wpa_auth->wpa_ie);
466 os_free(wpa_auth);
467 return NULL;
468 }
469
4bb081f1
JM		 470 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
471 wpa_auth);
6fc6879b
JM		 472 if (wpa_auth->pmksa == NULL) {
473 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 474 os_free(wpa_auth->group);
6fc6879b
JM		 475 os_free(wpa_auth->wpa_ie);
476 os_free(wpa_auth);
477 return NULL;
478 }
479
4ec1fd8e 480#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 481 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
482 if (wpa_auth->ft_pmk_cache == NULL) {
483 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 484 os_free(wpa_auth->group);
6fc6879b 485 os_free(wpa_auth->wpa_ie);
4bb081f1 486 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 487 os_free(wpa_auth);
488 return NULL;
489 }
4ec1fd8e 490#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 491
492 if (wpa_auth->conf.wpa_gmk_rekey) {
493 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
494 wpa_rekey_gmk, wpa_auth, NULL);
495 }
496
497 if (wpa_auth->conf.wpa_group_rekey) {
498 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
499 wpa_rekey_gtk, wpa_auth, NULL);
500 }
501
25ef8529
JM		 502#ifdef CONFIG_P2P
503 if (WPA_GET_BE32(conf->ip_addr_start)) {
504 int count = WPA_GET_BE32(conf->ip_addr_end) -
505 WPA_GET_BE32(conf->ip_addr_start) + 1;
506 if (count > 1000)
507 count = 1000;
508 if (count > 0)
509 wpa_auth->ip_pool = bitfield_alloc(count);
510 }
511#endif /* CONFIG_P2P */
512
6fc6879b
JM		 513 return wpa_auth;
514}
515
516
bdffdc5d
JM		 517int wpa_init_keys(struct wpa_authenticator *wpa_auth)
518{
519 struct wpa_group *group = wpa_auth->group;
520
521 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
522 "keys");
523 wpa_group_sm_step(wpa_auth, group);
524 group->GInit = FALSE;
525 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 526 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
527 return -1;
bdffdc5d
JM		 528 return 0;
529}
530
531
6fc6879b
JM		 532/**
533 * wpa_deinit - Deinitialize WPA authenticator
534 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
535 */
536void wpa_deinit(struct wpa_authenticator *wpa_auth)
537{
538 struct wpa_group *group, *prev;
539
540 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
541 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
542
4bb081f1 543 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 544
4ec1fd8e 545#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 546 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
547 wpa_auth->ft_pmk_cache = NULL;
eefe8630 548 wpa_ft_deinit(wpa_auth);
4ec1fd8e 549#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 550
25ef8529
JM		 551#ifdef CONFIG_P2P
552 bitfield_free(wpa_auth->ip_pool);
553#endif /* CONFIG_P2P */
554
555
6fc6879b
JM		 556 os_free(wpa_auth->wpa_ie);
557
558 group = wpa_auth->group;
559 while (group) {
560 prev = group;
561 group = group->next;
562 os_free(prev);
563 }
564
565 os_free(wpa_auth);
566}
567
568
569/**
570 * wpa_reconfig - Update WPA authenticator configuration
571 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
572 * @conf: Configuration for WPA authenticator
573 */
574int wpa_reconfig(struct wpa_authenticator *wpa_auth,
575 struct wpa_auth_config *conf)
576{
e6965d4e 577 struct wpa_group *group;
6fc6879b
JM		 578 if (wpa_auth == NULL)
579 return 0;
580
581 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 582 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
583 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
584 return -1;
585 }
586
e6965d4e
JM		 587 /*
588 * Reinitialize GTK to make sure it is suitable for the new
589 * configuration.
590 */
591 group = wpa_auth->group;
c3550295 592 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 593 group->GInit = TRUE;
594 wpa_group_sm_step(wpa_auth, group);
595 group->GInit = FALSE;
596 wpa_group_sm_step(wpa_auth, group);
597
6fc6879b
JM		 598 return 0;
599}
600
601
602struct wpa_state_machine *
94ddef3e
JM		 603wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
604 const u8 *p2p_dev_addr)
6fc6879b
JM		 605{
606 struct wpa_state_machine *sm;
607
7d7f7be2
JM		 608 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
609 return NULL;
610
6fc6879b
JM		 611 sm = os_zalloc(sizeof(struct wpa_state_machine));
612 if (sm == NULL)
613 return NULL;
614 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 615 if (p2p_dev_addr)
616 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 617
618 sm->wpa_auth = wpa_auth;
619 sm->group = wpa_auth->group;
a0ad9e8c 620 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 621
622 return sm;
623}
624
625
6f9b5d16
JM		 626int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
627 struct wpa_state_machine *sm)
6fc6879b
JM		 628{
629 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 630 return -1;
6fc6879b 631
4ec1fd8e 632#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 633 if (sm->ft_completed) {
634 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
635 "FT authentication already completed - do not "
636 "start 4-way handshake");
3d4d2348
JM		 637 /* Go to PTKINITDONE state to allow GTK rekeying */
638 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 639 sm->Pair = TRUE;
6f9b5d16 640 return 0;
6fc6879b 641 }
4ec1fd8e 642#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 643
07e0117d
JM		 644#ifdef CONFIG_FILS
645 if (sm->fils_completed) {
646 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
647 "FILS authentication already completed - do not start 4-way handshake");
648 /* Go to PTKINITDONE state to allow GTK rekeying */
649 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 650 sm->Pair = TRUE;
07e0117d
JM		 651 return 0;
652 }
653#endif /* CONFIG_FILS */
654
6fc6879b 655 if (sm->started) {
22a299ee 656 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 657 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 658 return wpa_sm_step(sm);
6fc6879b
JM		 659 }
660
661 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
662 "start authentication");
663 sm->started = 1;
664
665 sm->Init = TRUE;
e4a6ea1d 666 if (wpa_sm_step(sm) == 1)
6f9b5d16 667 return 1; /* should not really happen */
6fc6879b
JM		 668 sm->Init = FALSE;
669 sm->AuthenticationRequest = TRUE;
6f9b5d16 670 return wpa_sm_step(sm);
6fc6879b
JM		 671}
672
673
a8d05fca
JM		 674void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
675{
676 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
677 * reassociates back to the same AP while the previous entry for the
678 * STA has not yet been removed. */
679 if (sm == NULL)
680 return;
681
682 sm->wpa_key_mgmt = 0;
683}
684
685
6fc6879b
JM		 686static void wpa_free_sta_sm(struct wpa_state_machine *sm)
687{
25ef8529
JM		 688#ifdef CONFIG_P2P
689 if (WPA_GET_BE32(sm->ip_addr)) {
690 u32 start;
691 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
692 "address %u.%u.%u.%u from " MACSTR,
693 sm->ip_addr[0], sm->ip_addr[1],
694 sm->ip_addr[2], sm->ip_addr[3],
695 MAC2STR(sm->addr));
696 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
697 bitfield_clear(sm->wpa_auth->ip_pool,
698 WPA_GET_BE32(sm->ip_addr) - start);
699 }
700#endif /* CONFIG_P2P */
2ade8ef2
JM		 701 if (sm->GUpdateStationKeys) {
702 sm->group->GKeyDoneStations--;
703 sm->GUpdateStationKeys = FALSE;
704 }
4ec1fd8e 705#ifdef CONFIG_IEEE80211R_AP
0f857f43 706 os_free(sm->assoc_resp_ftie);
692ec305 707 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 708#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 709 os_free(sm->last_rx_eapol_key);
710 os_free(sm->wpa_ie);
a0ad9e8c 711 wpa_group_put(sm->wpa_auth, sm->group);
10ec6a5f
JM		 712#ifdef CONFIG_DPP2
713 wpabuf_clear_free(sm->dpp_z);
714#endif /* CONFIG_DPP2 */
6fc6879b
JM		 715 os_free(sm);
716}
717
718
719void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
720{
721 if (sm == NULL)
722 return;
723
724 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
725 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
726 "strict rekeying - force GTK rekey since STA "
727 "is leaving");
3f5a1860
JB		 728 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
729 sm->wpa_auth, NULL) == -1)
730 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
731 NULL);
6fc6879b
JM		 732 }
733
734 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 735 sm->pending_1_of_4_timeout = 0;
6fc6879b 736 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 737 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3a46cf93
MB		 738#ifdef CONFIG_IEEE80211R_AP
739 wpa_ft_sta_deinit(sm);
740#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 741 if (sm->in_step_loop) {
742 /* Must not free state machine while wpa_sm_step() is running.
743 * Freeing will be completed in the end of wpa_sm_step(). */
744 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
745 "machine deinit for " MACSTR, MAC2STR(sm->addr));
746 sm->pending_deinit = 1;
747 } else
748 wpa_free_sta_sm(sm);
749}
750
751
752static void wpa_request_new_ptk(struct wpa_state_machine *sm)
753{
754 if (sm == NULL)
755 return;
756
757 sm->PTKRequest = TRUE;
758 sm->PTK_valid = 0;
759}
760
761
68921e24 762static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 763 const u8 *replay_counter)
764{
765 int i;
766 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 767 if (!ctr[i].valid)
22a299ee 768 break;
68921e24 769 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 770 WPA_REPLAY_COUNTER_LEN) == 0)
771 return 1;
772 }
773 return 0;
774}
775
776
68921e24
JM		 777static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
778 const u8 *replay_counter)
779{
780 int i;
781 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
782 if (ctr[i].valid &&
783 (replay_counter == NULL ||
784 os_memcmp(replay_counter, ctr[i].counter,
785 WPA_REPLAY_COUNTER_LEN) == 0))
786 ctr[i].valid = FALSE;
787 }
788}
789
790
4ec1fd8e 791#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 792static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
793 struct wpa_state_machine *sm,
794 struct wpa_eapol_ie_parse *kde)
795{
796 struct wpa_ie_data ie;
797 struct rsn_mdie *mdie;
798
799 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
800 ie.num_pmkid != 1 || ie.pmkid == NULL) {
801 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
802 "FT 4-way handshake message 2/4");
803 return -1;
804 }
805
806 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
807 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
808 sm->sup_pmk_r1_name, PMKID_LEN);
809
810 if (!kde->mdie || !kde->ftie) {
811 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
812 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
813 return -1;
814 }
815
816 mdie = (struct rsn_mdie *) (kde->mdie + 2);
817 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
818 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
819 MOBILITY_DOMAIN_ID_LEN) != 0) {
820 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
821 return -1;
822 }
823
824 if (sm->assoc_resp_ftie &&
825 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
826 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
827 2 + sm->assoc_resp_ftie[1]) != 0)) {
828 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
829 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
830 kde->ftie, kde->ftie_len);
831 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
832 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
833 return -1;
834 }
835
836 return 0;
837}
4ec1fd8e 838#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 839
840
c772d054
JM		 841static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
842 struct wpa_state_machine *sm, int group)
ec027805
JM		 843{
844 /* Supplicant reported a Michael MIC error */
845 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
846 "received EAPOL-Key Error Request "
847 "(STA detected Michael MIC failure (group=%d))",
848 group);
fbc72d32
JM		 849
850 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
851 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
852 "ignore Michael MIC failure report since "
853 "group cipher is not TKIP");
854 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
855 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
856 "ignore Michael MIC failure report since "
857 "pairwise cipher is not TKIP");
858 } else {
c772d054
JM		 859 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
860 return 1; /* STA entry was removed */
fbc72d32
JM		 861 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
862 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
863 }
ec027805
JM		 864
865 /*
866 * Error report is not a request for a new key handshake, but since
867 * Authenticator may do it, let's change the keys now anyway.
868 */
869 wpa_request_new_ptk(sm);
c772d054 870 return 0;
ec027805
JM		 871}
872
873
f23c5b17
JM		 874static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
875 size_t data_len)
876{
877 struct wpa_ptk PTK;
878 int ok = 0;
879 const u8 *pmk = NULL;
7a12edd1 880 size_t pmk_len;
dbfa691d 881 int vlan_id = 0;
f23c5b17 882
b729fd8d 883 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17 884 for (;;) {
e61fea6b
JM		 885 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
886 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
f23c5b17 887 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
dbfa691d
JM		 888 sm->p2p_dev_addr, pmk, &pmk_len,
889 &vlan_id);
f23c5b17
JM		 890 if (pmk == NULL)
891 break;
f9854c18
MK		 892#ifdef CONFIG_IEEE80211R_AP
893 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
894 os_memcpy(sm->xxkey, pmk, pmk_len);
895 sm->xxkey_len = pmk_len;
896 }
897#endif /* CONFIG_IEEE80211R_AP */
207976f0 898 } else {
f23c5b17 899 pmk = sm->PMK;
207976f0
JM		 900 pmk_len = sm->pmk_len;
901 }
f23c5b17 902
364c064a
JM		 903 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
904 break;
f23c5b17 905
567da5bb
JM		 906 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
907 data, data_len) == 0) {
08dc8efd
JM		 908 if (sm->PMK != pmk) {
909 os_memcpy(sm->PMK, pmk, pmk_len);
910 sm->pmk_len = pmk_len;
911 }
f23c5b17
JM		 912 ok = 1;
913 break;
914 }
915
f5e0a332
JM		 916 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
917 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
f23c5b17
JM		 918 break;
919 }
920
921 if (!ok) {
922 wpa_printf(MSG_DEBUG,
923 "WPA: Earlier SNonce did not result in matching MIC");
924 return -1;
925 }
926
927 wpa_printf(MSG_DEBUG,
928 "WPA: Earlier SNonce resulted in matching MIC");
929 sm->alt_snonce_valid = 0;
dbfa691d
JM		 930
931 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
932 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
933 return -1;
934
f23c5b17
JM		 935 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
936 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
937 sm->PTK_valid = TRUE;
938
939 return 0;
940}
941
942
6fc6879b
JM		 943void wpa_receive(struct wpa_authenticator *wpa_auth,
944 struct wpa_state_machine *sm,
945 u8 *data, size_t data_len)
946{
947 struct ieee802_1x_hdr *hdr;
948 struct wpa_eapol_key *key;
949 u16 key_info, key_data_length;
a0bf1b68 950 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
6fc6879b
JM		 951 char *msgtxt;
952 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 953 const u8 *key_data;
954 size_t keyhdrlen, mic_len;
6d014ffc 955 u8 *mic;
6fc6879b
JM		 956
957 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
958 return;
dc5bad48 959 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 960
567da5bb 961 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 962 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 963
dc5bad48
JM		 964 if (data_len < sizeof(*hdr) + keyhdrlen) {
965 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 966 return;
dc5bad48 967 }
6fc6879b
JM		 968
969 hdr = (struct ieee802_1x_hdr *) data;
970 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 971 mic = (u8 *) (key + 1);
6fc6879b 972 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 973 key_data = mic + mic_len + 2;
974 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 975 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 976 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
977 MAC2STR(sm->addr), key_info, key->type,
978 (unsigned int) mic_len, key_data_length);
979 wpa_hexdump(MSG_MSGDUMP,
980 "WPA: EAPOL-Key header (ending before Key MIC)",
981 key, sizeof(*key));
982 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
983 mic, mic_len);
5e3b5197 984 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 985 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
986 "key_data overflow (%d > %lu)",
987 key_data_length,
988 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 989 keyhdrlen));
6fc6879b
JM		 990 return;
991 }
992
f8e96eb6 993 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 994 if (key->type == EAPOL_KEY_TYPE_WPA) {
995 /*
996 * Some deployed station implementations seem to send
997 * msg 4/4 with incorrect type value in WPA2 mode.
998 */
999 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
1000 "with unexpected WPA type in RSN mode");
1001 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 1002 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
1003 "unexpected type %d in RSN mode",
1004 key->type);
1005 return;
1006 }
1007 } else {
1008 if (key->type != EAPOL_KEY_TYPE_WPA) {
1009 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
1010 "unexpected type %d in WPA mode",
1011 key->type);
1012 return;
1013 }
1014 }
1015
bc8318ac
JM		 1016 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1017 WPA_NONCE_LEN);
1018 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1019 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1020
6fc6879b
JM		 1021 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1022 * are set */
1023
a0bf1b68
JM		 1024 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1025 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1026 return;
1027 }
1028
1029 if (key_info & WPA_KEY_INFO_REQUEST) {
6fc6879b
JM		 1030 msg = REQUEST;
1031 msgtxt = "Request";
1032 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1033 msg = GROUP_2;
1034 msgtxt = "2/2 Group";
3b5b7aa8
JM		 1035 } else if (key_data_length == 0 ||
1036 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1037 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 1038 msg = PAIRWISE_4;
1039 msgtxt = "4/4 Pairwise";
1040 } else {
1041 msg = PAIRWISE_2;
1042 msgtxt = "2/4 Pairwise";
1043 }
1044
6fc6879b
JM		 1045 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1046 msg == GROUP_2) {
1047 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1048 if (sm->pairwise == WPA_CIPHER_CCMP ||
1049 sm->pairwise == WPA_CIPHER_GCMP) {
4bc801ab
JM		 1050 if (wpa_use_cmac(sm->wpa_key_mgmt) &&
1051 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1052 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1053 wpa_auth_logger(wpa_auth, sm->addr,
1054 LOGGER_WARNING,
1055 "advertised support for "
1056 "AES-128-CMAC, but did not "
1057 "use it");
1058 return;
1059 }
1060
4bc801ab
JM		 1061 if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
1062 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1063 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1064 wpa_auth_logger(wpa_auth, sm->addr,
1065 LOGGER_WARNING,
1066 "did not use HMAC-SHA1-AES "
eb7719ff 1067 "with CCMP/GCMP");
6fc6879b
JM		 1068 return;
1069 }
1070 }
929a2ea5 1071
4bc801ab 1072 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
929a2ea5
JM		 1073 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1074 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1075 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1076 return;
1077 }
6fc6879b
JM		 1078 }
1079
1080 if (key_info & WPA_KEY_INFO_REQUEST) {
1081 if (sm->req_replay_counter_used &&
1082 os_memcmp(key->replay_counter, sm->req_replay_counter,
1083 WPA_REPLAY_COUNTER_LEN) <= 0) {
1084 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1085 "received EAPOL-Key request with "
1086 "replayed counter");
1087 return;
1088 }
1089 }
1090
1091 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1092 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1093 int i;
68921e24
JM		 1094
1095 if (msg == PAIRWISE_2 &&
1096 wpa_replay_counter_valid(sm->prev_key_replay,
1097 key->replay_counter) &&
1098 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1099 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1100 {
1101 /*
1102 * Some supplicant implementations (e.g., Windows XP
1103 * WZC) update SNonce for each EAPOL-Key 2/4. This
1104 * breaks the workaround on accepting any of the
1105 * pending requests, so allow the SNonce to be updated
1106 * even if we have already sent out EAPOL-Key 3/4.
1107 */
1108 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1109 "Process SNonce update from STA "
1110 "based on retransmitted EAPOL-Key "
1111 "1/4");
1112 sm->update_snonce = 1;
f23c5b17
JM		 1113 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1114 sm->alt_snonce_valid = TRUE;
1115 os_memcpy(sm->alt_replay_counter,
1116 sm->key_replay[0].counter,
1117 WPA_REPLAY_COUNTER_LEN);
1118 goto continue_processing;
1119 }
1120
1121 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1122 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1123 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1124 WPA_REPLAY_COUNTER_LEN) == 0) {
1125 /*
1126 * Supplicant may still be using the old SNonce since
1127 * there was two EAPOL-Key 2/4 messages and they had
1128 * different SNonce values.
1129 */
1130 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1131 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1132 goto continue_processing;
1133 }
1134
1135 if (msg == PAIRWISE_2 &&
1136 wpa_replay_counter_valid(sm->prev_key_replay,
1137 key->replay_counter) &&
1138 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1139 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1140 "ignore retransmitted EAPOL-Key %s - "
1141 "SNonce did not change", msgtxt);
1142 } else {
1143 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1144 "received EAPOL-Key %s with "
1145 "unexpected replay counter", msgtxt);
1146 }
22a299ee
JM		 1147 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1148 if (!sm->key_replay[i].valid)
1149 break;
1150 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1151 sm->key_replay[i].counter,
1152 WPA_REPLAY_COUNTER_LEN);
1153 }
6fc6879b
JM		 1154 wpa_hexdump(MSG_DEBUG, "received replay counter",
1155 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1156 return;
1157 }
1158
68921e24 1159continue_processing:
3b5b7aa8
JM		 1160#ifdef CONFIG_FILS
1161 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1162 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1163 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1164 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1165 return;
1166 }
1167#endif /* CONFIG_FILS */
1168
6fc6879b
JM		 1169 switch (msg) {
1170 case PAIRWISE_2:
1171 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1172 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1173 (!sm->update_snonce ||
1174 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1175 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1176 "received EAPOL-Key msg 2/4 in "
1177 "invalid state (%d) - dropped",
1178 sm->wpa_ptk_state);
1179 return;
1180 }
bbb921da 1181 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1182 if (sm->group->reject_4way_hs_for_entropy) {
1183 /*
1184 * The system did not have enough entropy to generate
1185 * strong random numbers. Reject the first 4-way
1186 * handshake(s) and collect some entropy based on the
1187 * information from it. Once enough entropy is
1188 * available, the next atempt will trigger GMK/Key
1189 * Counter update and the station will be allowed to
1190 * continue.
1191 */
1192 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1193 "collect more entropy for random number "
1194 "generation");
08704cd8 1195 random_mark_pool_ready();
567da5bb
JM		 1196 wpa_sta_disconnect(wpa_auth, sm->addr,
1197 WLAN_REASON_PREV_AUTH_NOT_VALID);
08704cd8
JM		 1198 return;
1199 }
6fc6879b
JM		 1200 break;
1201 case PAIRWISE_4:
1202 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1203 !sm->PTK_valid) {
1204 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1205 "received EAPOL-Key msg 4/4 in "
1206 "invalid state (%d) - dropped",
1207 sm->wpa_ptk_state);
1208 return;
1209 }
1210 break;
1211 case GROUP_2:
1212 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1213 || !sm->PTK_valid) {
1214 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1215 "received EAPOL-Key msg 2/2 in "
1216 "invalid state (%d) - dropped",
1217 sm->wpa_ptk_group_state);
1218 return;
1219 }
1220 break;
6fc6879b
JM		 1221 case REQUEST:
1222 break;
1223 }
1224
1225 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1226 "received EAPOL-Key frame (%s)", msgtxt);
1227
1228 if (key_info & WPA_KEY_INFO_ACK) {
1229 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1230 "received invalid EAPOL-Key: Key Ack set");
1231 return;
1232 }
1233
b9866483
JM		 1234 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1235 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1236 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1237 "received invalid EAPOL-Key: Key MIC not set");
1238 return;
1239 }
1240
b9866483
JM		 1241#ifdef CONFIG_FILS
1242 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1243 (key_info & WPA_KEY_INFO_MIC)) {
1244 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1245 "received invalid EAPOL-Key: Key MIC set");
1246 return;
1247 }
1248#endif /* CONFIG_FILS */
1249
6fc6879b 1250 sm->MICVerified = FALSE;
68921e24 1251 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8 1252 if (mic_len &&
567da5bb
JM		 1253 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1254 data, data_len) &&
f23c5b17
JM		 1255 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1256 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1257 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1258 "received EAPOL-Key with invalid MIC");
525923b1
JM		 1259#ifdef TEST_FUZZ
1260 wpa_printf(MSG_INFO,
1261 "TEST: Ignore Key MIC failure for fuzz testing");
1262 goto continue_fuzz;
1263#endif /* TEST_FUZZ */
6fc6879b
JM		 1264 return;
1265 }
75c8563e
JM		 1266#ifdef CONFIG_FILS
1267 if (!mic_len &&
1268 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1269 &key_data_length) < 0) {
1270 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1271 "received EAPOL-Key with invalid MIC");
525923b1
JM		 1272#ifdef TEST_FUZZ
1273 wpa_printf(MSG_INFO,
1274 "TEST: Ignore Key MIC failure for fuzz testing");
1275 goto continue_fuzz;
1276#endif /* TEST_FUZZ */
75c8563e
JM		 1277 return;
1278 }
1279#endif /* CONFIG_FILS */
525923b1
JM		 1280#ifdef TEST_FUZZ
1281 continue_fuzz:
1282#endif /* TEST_FUZZ */
6fc6879b
JM		 1283 sm->MICVerified = TRUE;
1284 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1285 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1286 }
1287
1288 if (key_info & WPA_KEY_INFO_REQUEST) {
1289 if (sm->MICVerified) {
1290 sm->req_replay_counter_used = 1;
1291 os_memcpy(sm->req_replay_counter, key->replay_counter,
1292 WPA_REPLAY_COUNTER_LEN);
1293 } else {
1294 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1295 "received EAPOL-Key request with "
1296 "invalid MIC");
1297 return;
1298 }
1299
1300 /*
1301 * TODO: should decrypt key data field if encryption was used;
1302 * even though MAC address KDE is not normally encrypted,
1303 * supplicant is allowed to encrypt it.
1304 */
a0bf1b68 1305 if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1306 if (wpa_receive_error_report(
1307 wpa_auth, sm,
1308 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1309 return; /* STA entry was removed */
6fc6879b
JM		 1310 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1311 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1312 "received EAPOL-Key Request for new "
1313 "4-Way Handshake");
1314 wpa_request_new_ptk(sm);
6fc6879b 1315 } else if (key_data_length > 0 &&
5e3b5197
JM		 1316 wpa_parse_kde_ies(key_data, key_data_length,
1317 &kde) == 0 &&
6fc6879b
JM		 1318 kde.mac_addr) {
1319 } else {
1320 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1321 "received EAPOL-Key Request for GTK "
1322 "rekeying");
6fc6879b
JM		 1323 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1324 wpa_rekey_gtk(wpa_auth, NULL);
1325 }
1326 } else {
68921e24
JM		 1327 /* Do not allow the same key replay counter to be reused. */
1328 wpa_replay_counter_mark_invalid(sm->key_replay,
1329 key->replay_counter);
1330
1331 if (msg == PAIRWISE_2) {
1332 /*
1333 * Maintain a copy of the pending EAPOL-Key frames in
1334 * case the EAPOL-Key frame was retransmitted. This is
1335 * needed to allow EAPOL-Key msg 2/4 reply to another
1336 * pending msg 1/4 to update the SNonce to work around
1337 * unexpected supplicant behavior.
1338 */
1339 os_memcpy(sm->prev_key_replay, sm->key_replay,
1340 sizeof(sm->key_replay));
1341 } else {
1342 os_memset(sm->prev_key_replay, 0,
1343 sizeof(sm->prev_key_replay));
1344 }
1345
1346 /*
1347 * Make sure old valid counters are not accepted anymore and
1348 * do not get copied again.
1349 */
1350 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1351 }
1352
6fc6879b 1353 os_free(sm->last_rx_eapol_key);
a1f11e34 1354 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1355 if (sm->last_rx_eapol_key == NULL)
1356 return;
6fc6879b
JM		 1357 sm->last_rx_eapol_key_len = data_len;
1358
0d442aff 1359 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1360 sm->EAPOLKeyReceived = TRUE;
1361 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1362 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1363 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1364 wpa_sm_step(sm);
1365}
1366
1367
3c7302c2
JM		 1368static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1369 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1370{
c6eb3e34 1371 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
5cb9d5c3 1372 u8 *pos;
3c7302c2 1373 int ret = 0;
6fc6879b 1374
5cb9d5c3
JM		 1375 /* GTK = PRF-X(GMK, "Group key expansion",
1376 * AA || GNonce || Time || random data)
1377 * The example described in the IEEE 802.11 standard uses only AA and
1378 * GNonce as inputs here. Add some more entropy since this derivation
1379 * is done only at the Authenticator and as such, does not need to be
1380 * exactly same.
1381 */
c6eb3e34 1382 os_memset(data, 0, sizeof(data));
6fc6879b
JM		 1383 os_memcpy(data, addr, ETH_ALEN);
1384 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1385 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1386 wpa_get_ntp_timestamp(pos);
525923b1
JM		 1387#ifdef TEST_FUZZ
1388 os_memset(pos, 0xef, 8);
1389#endif /* TEST_FUZZ */
5cb9d5c3 1390 pos += 8;
c6eb3e34 1391 if (random_get_bytes(pos, gtk_len) < 0)
3c7302c2 1392 ret = -1;
6fc6879b 1393
c6eb3e34
JM		 1394#ifdef CONFIG_SHA384
1395 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1396 gtk, gtk_len) < 0)
3c7302c2 1397 ret = -1;
c6eb3e34
JM		 1398#else /* CONFIG_SHA384 */
1399#ifdef CONFIG_SHA256
1400 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1401 gtk, gtk_len) < 0)
1402 ret = -1;
1403#else /* CONFIG_SHA256 */
1404 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1405 gtk, gtk_len) < 0)
1406 ret = -1;
1407#endif /* CONFIG_SHA256 */
1408#endif /* CONFIG_SHA384 */
3c7302c2
JM		 1409
1410 return ret;
6fc6879b
JM		 1411}
1412
1413
1414static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1415{
1416 struct wpa_authenticator *wpa_auth = eloop_ctx;
1417 struct wpa_state_machine *sm = timeout_ctx;
1418
e4bf4db9 1419 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1420 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1421 sm->TimeoutEvt = TRUE;
1422 wpa_sm_step(sm);
1423}
1424
1425
1426void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1427 struct wpa_state_machine *sm, int key_info,
1428 const u8 *key_rsc, const u8 *nonce,
1429 const u8 *kde, size_t kde_len,
1430 int keyidx, int encr, int force_version)
1431{
1432 struct ieee802_1x_hdr *hdr;
1433 struct wpa_eapol_key *key;
5e3b5197 1434 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1435 int alg;
1436 int key_data_len, pad_len = 0;
1437 u8 *buf, *pos;
1438 int version, pairwise;
22a299ee 1439 int i;
6d014ffc 1440 u8 *key_mic, *key_data;
6fc6879b 1441
567da5bb 1442 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 1443 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1444
1445 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1446
1447 if (force_version)
1448 version = force_version;
4bc801ab 1449 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
a14896e8 1450 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
4bc801ab 1451 else if (wpa_use_cmac(sm->wpa_key_mgmt))
6fc6879b 1452 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1453 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1454 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1455 else
1456 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1457
8543ed8a 1458 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1459
1460 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1461 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1462 "encr=%d)",
1463 version,
1464 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1465 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1466 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1467 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1468 pairwise, (unsigned long) kde_len, keyidx, encr);
1469
1470 key_data_len = kde_len;
1471
1472 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
4bc801ab 1473 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1474 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1475 pad_len = key_data_len % 8;
1476 if (pad_len)
1477 pad_len = 8 - pad_len;
1478 key_data_len += pad_len + 8;
1479 }
1480
1481 len += key_data_len;
b729fd8d
JM		 1482 if (!mic_len && encr)
1483 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1484
1485 hdr = os_zalloc(len);
1486 if (hdr == NULL)
1487 return;
1488 hdr->version = wpa_auth->conf.eapol_version;
1489 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1490 hdr->length = host_to_be16(len - sizeof(*hdr));
1491 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1492 key_mic = (u8 *) (key + 1);
5e3b5197 1493 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1494
1495 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1496 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1497 key_info |= version;
1498 if (encr && sm->wpa == WPA_VERSION_WPA2)
1499 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1500 if (sm->wpa != WPA_VERSION_WPA2)
1501 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1502 WPA_PUT_BE16(key->key_info, key_info);
1503
1504 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
a0bf1b68 1505 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
6fc6879b 1506 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1507 else
1508 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b 1509
22a299ee
JM		 1510 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1511 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1512 os_memcpy(sm->key_replay[i].counter,
1513 sm->key_replay[i - 1].counter,
1514 WPA_REPLAY_COUNTER_LEN);
1515 }
1516 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1517 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1518 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1519 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1520 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1521 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1522
1523 if (nonce)
1524 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1525
1526 if (key_rsc)
1527 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1528
1529 if (kde && !encr) {
5e3b5197 1530 os_memcpy(key_data, kde, kde_len);
6d014ffc 1531 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d 1532#ifdef CONFIG_FILS
c05f96a3 1533 } else if (!mic_len && kde) {
b729fd8d
JM		 1534 const u8 *aad[1];
1535 size_t aad_len[1];
1536
1537 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1538 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1539 kde, kde_len);
1540
1541 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1542 sm->PTK.kek, sm->PTK.kek_len);
1543 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1544 * to Key Data (exclusive). */
1545 aad[0] = (u8 *) hdr;
1546 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1547 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1548 1, aad, aad_len, key_mic + 2) < 0) {
1549 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1550 return;
1551 }
1552
1553 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1554 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1555#endif /* CONFIG_FILS */
6fc6879b
JM		 1556 } else if (encr && kde) {
1557 buf = os_zalloc(key_data_len);
1558 if (buf == NULL) {
1559 os_free(hdr);
1560 return;
1561 }
1562 pos = buf;
1563 os_memcpy(pos, kde, kde_len);
1564 pos += kde_len;
1565
1566 if (pad_len)
1567 *pos++ = 0xdd;
1568
1569 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1570 buf, key_data_len);
1571 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
4bc801ab 1572 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
6fc6879b 1573 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1574 wpa_printf(MSG_DEBUG,
1575 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1576 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1577 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1578 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1579 os_free(hdr);
1580 os_free(buf);
1581 return;
1582 }
6d014ffc 1583 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1584#ifndef CONFIG_NO_RC4
98cd3d1c 1585 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1586 u8 ek[32];
ef9627cb
JM		 1587
1588 wpa_printf(MSG_DEBUG,
1589 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1590 os_memcpy(key->key_iv,
1591 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1592 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1593 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1594 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1595 os_memcpy(key_data, buf, key_data_len);
1596 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1597 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1598#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1599 } else {
1600 os_free(hdr);
1601 os_free(buf);
1602 return;
6fc6879b
JM		 1603 }
1604 os_free(buf);
1605 }
1606
1607 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1608 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1609 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1610 "PTK not valid when sending EAPOL-Key "
1611 "frame");
1612 os_free(hdr);
1613 return;
1614 }
5e3b5197 1615
beae255a
JM		 1616 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1617 sm->wpa_key_mgmt, version,
1618 (u8 *) hdr, len, key_mic) < 0) {
1619 os_free(hdr);
1620 return;
1621 }
7af092a0
JB		 1622#ifdef CONFIG_TESTING_OPTIONS
1623 if (!pairwise &&
06df2aa6 1624 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1625 drand48() <
1626 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1627 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1628 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1629 key_mic[0]++;
7af092a0
JB		 1630 }
1631#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1632 }
1633
1634 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1635 1);
1636 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1637 sm->pairwise_set);
1638 os_free(hdr);
1639}
1640
1641
1642static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1643 struct wpa_state_machine *sm, int key_info,
1644 const u8 *key_rsc, const u8 *nonce,
1645 const u8 *kde, size_t kde_len,
1646 int keyidx, int encr)
1647{
1648 int timeout_ms;
1649 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1650 u32 ctr;
6fc6879b
JM		 1651
1652 if (sm == NULL)
1653 return;
1654
1655 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1656 keyidx, encr, 0);
1657
bae61562 1658 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1659 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1660 timeout_ms = pairwise ? eapol_key_timeout_first :
1661 eapol_key_timeout_first_group;
bae61562
JM		 1662 else
1663 timeout_ms = eapol_key_timeout_subseq;
6f234c1e
JM		 1664 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1665 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1666 timeout_ms = eapol_key_timeout_no_retrans;
e4bf4db9
JM		 1667 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1668 sm->pending_1_of_4_timeout = 1;
525923b1
JM		 1669#ifdef TEST_FUZZ
1670 timeout_ms = 1;
1671#endif /* TEST_FUZZ */
e4bf4db9 1672 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1673 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1674 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1675 wpa_send_eapol_timeout, wpa_auth, sm);
1676}
1677
1678
567da5bb
JM		 1679static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1680 u8 *data, size_t data_len)
6fc6879b
JM		 1681{
1682 struct ieee802_1x_hdr *hdr;
1683 struct wpa_eapol_key *key;
1684 u16 key_info;
1685 int ret = 0;
6d014ffc 1686 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
567da5bb 1687 size_t mic_len = wpa_mic_len(akmp, pmk_len);
6fc6879b
JM		 1688
1689 if (data_len < sizeof(*hdr) + sizeof(*key))
1690 return -1;
1691
1692 hdr = (struct ieee802_1x_hdr *) data;
1693 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1694 mic_pos = (u8 *) (key + 1);
6fc6879b 1695 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1696 os_memcpy(mic, mic_pos, mic_len);
1697 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1698 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1699 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1700 data, data_len, mic_pos) ||
1701 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1702 ret = -1;
6d014ffc 1703 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1704 return ret;
1705}
1706
1707
1708void wpa_remove_ptk(struct wpa_state_machine *sm)
1709{
1710 sm->PTK_valid = FALSE;
1711 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1712 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1713 0))
1714 wpa_printf(MSG_DEBUG,
1715 "RSN: PTK removal from the driver failed");
6fc6879b 1716 sm->pairwise_set = FALSE;
581a8cde 1717 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1718}
1719
1720
bb119228 1721int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1722{
5d22a1d5
JM		 1723 int remove_ptk = 1;
1724
6fc6879b 1725 if (sm == NULL)
6f9b5d16 1726 return -1;
6fc6879b
JM		 1727
1728 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1729 "event %d notification", event);
1730
1731 switch (event) {
1732 case WPA_AUTH:
c50d94f1
BC		 1733#ifdef CONFIG_MESH
1734 /* PTKs are derived through AMPE */
1735 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1736 /* not mesh */
1737 break;
1738 }
1739 return 0;
1740#endif /* CONFIG_MESH */
6fc6879b
JM		 1741 case WPA_ASSOC:
1742 break;
1743 case WPA_DEAUTH:
1744 case WPA_DISASSOC:
1745 sm->DeauthenticationRequest = TRUE;
1746 break;
1747 case WPA_REAUTH:
1748 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1749 if (!sm->started) {
1750 /*
1751 * When using WPS, we may end up here if the STA
1752 * manages to re-associate without the previous STA
1753 * entry getting removed. Consequently, we need to make
1754 * sure that the WPA state machines gets initialized
1755 * properly at this point.
1756 */
1757 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1758 "started - initialize now");
1759 sm->started = 1;
1760 sm->Init = TRUE;
1761 if (wpa_sm_step(sm) == 1)
1762 return 1; /* should not really happen */
1763 sm->Init = FALSE;
1764 sm->AuthenticationRequest = TRUE;
1765 break;
1766 }
9663596f
JM		 1767 if (sm->GUpdateStationKeys) {
1768 /*
1769 * Reauthentication cancels the pending group key
1770 * update for this STA.
1771 */
1772 sm->group->GKeyDoneStations--;
1773 sm->GUpdateStationKeys = FALSE;
1774 sm->PtkGroupInit = TRUE;
1775 }
6fc6879b
JM		 1776 sm->ReAuthenticationRequest = TRUE;
1777 break;
1778 case WPA_ASSOC_FT:
4ec1fd8e 1779#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1780 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1781 "after association");
1782 wpa_ft_install_ptk(sm);
1783
6fc6879b
JM		 1784 /* Using FT protocol, not WPA auth state machine */
1785 sm->ft_completed = 1;
d178ab0d 1786 wpa_auth_set_ptk_rekey_timer(sm);
6f9b5d16 1787 return 0;
4ec1fd8e 1788#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1789 break;
4ec1fd8e 1790#endif /* CONFIG_IEEE80211R_AP */
957bff83
JM		 1791 case WPA_ASSOC_FILS:
1792#ifdef CONFIG_FILS
1793 wpa_printf(MSG_DEBUG,
1794 "FILS: TK configuration after association");
1795 fils_set_tk(sm);
1796 sm->fils_completed = 1;
1797 return 0;
1798#else /* CONFIG_FILS */
1799 break;
1800#endif /* CONFIG_FILS */
0e3bd7ac
MV		 1801 case WPA_DRV_STA_REMOVED:
1802 sm->tk_already_set = FALSE;
1803 return 0;
6fc6879b
JM		 1804 }
1805
4ec1fd8e 1806#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1807 sm->ft_completed = 0;
4ec1fd8e 1808#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1809
5d22a1d5
JM		 1810#ifdef CONFIG_IEEE80211W
1811 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1812 remove_ptk = 0;
1813#endif /* CONFIG_IEEE80211W */
78815f3d 1814#ifdef CONFIG_FILS
da24c5aa
JM		 1815 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1816 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1817 remove_ptk = 0;
1818#endif /* CONFIG_FILS */
6fc6879b 1819
5d22a1d5
JM		 1820 if (remove_ptk) {
1821 sm->PTK_valid = FALSE;
1822 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1823
1824 if (event != WPA_REAUTH_EAPOL)
1825 wpa_remove_ptk(sm);
1826 }
6fc6879b 1827
43f49c37
JM		 1828 if (sm->in_step_loop) {
1829 /*
1830 * wpa_sm_step() is already running - avoid recursive call to
1831 * it by making the existing loop process the new update.
1832 */
1833 sm->changed = TRUE;
1834 return 0;
1835 }
6f9b5d16 1836 return wpa_sm_step(sm);
6fc6879b
JM		 1837}
1838
1839
6fc6879b
JM		 1840SM_STATE(WPA_PTK, INITIALIZE)
1841{
1842 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1843 if (sm->Init) {
1844 /* Init flag is not cleared here, so avoid busy
1845 * loop by claiming nothing changed. */
1846 sm->changed = FALSE;
1847 }
1848
1849 sm->keycount = 0;
1850 if (sm->GUpdateStationKeys)
1851 sm->group->GKeyDoneStations--;
1852 sm->GUpdateStationKeys = FALSE;
1853 if (sm->wpa == WPA_VERSION_WPA)
1854 sm->PInitAKeys = FALSE;
1855 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1856 * Local AA > Remote AA)) */) {
1857 sm->Pair = TRUE;
1858 }
1859 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1860 wpa_remove_ptk(sm);
1861 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1862 sm->TimeoutCtr = 0;
a1ea1b45 1863 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 1864 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 1865 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1866 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1867 WPA_EAPOL_authorized, 0);
1868 }
1869}
1870
1871
1872SM_STATE(WPA_PTK, DISCONNECT)
1873{
567da5bb
JM		 1874 u16 reason = sm->disconnect_reason;
1875
6fc6879b
JM		 1876 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1877 sm->Disconnect = FALSE;
567da5bb
JM		 1878 sm->disconnect_reason = 0;
1879 if (!reason)
1880 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1881 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
6fc6879b
JM		 1882}
1883
1884
1885SM_STATE(WPA_PTK, DISCONNECTED)
1886{
1887 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1888 sm->DeauthenticationRequest = FALSE;
1889}
1890
1891
1892SM_STATE(WPA_PTK, AUTHENTICATION)
1893{
1894 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1895 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1896 sm->PTK_valid = FALSE;
1897 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1898 1);
1899 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1900 sm->AuthenticationRequest = FALSE;
1901}
1902
1903
40d00d2b
NC		 1904static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1905 struct wpa_group *group)
1bdb7ab3 1906{
40d00d2b
NC		 1907 if (group->first_sta_seen)
1908 return;
1bdb7ab3
JM		 1909 /*
1910 * System has run bit further than at the time hostapd was started
1911 * potentially very early during boot up. This provides better chances
1912 * of collecting more randomness on embedded systems. Re-initialize the
1913 * GMK and Counter here to improve their strength if there was not
1914 * enough entropy available immediately after system startup.
1915 */
1916 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1917 "station");
08704cd8
JM		 1918 if (random_pool_ready() != 1) {
1919 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1920 "to proceed - reject first 4-way handshake");
1921 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1922 } else {
1923 group->first_sta_seen = TRUE;
1924 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1925 }
40d00d2b 1926
aac1efec
JM		 1927 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1928 wpa_gtk_update(wpa_auth, group) < 0 ||
1929 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1930 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1931 group->first_sta_seen = FALSE;
1932 group->reject_4way_hs_for_entropy = TRUE;
1933 }
1bdb7ab3
JM		 1934}
1935
1936
6fc6879b
JM		 1937SM_STATE(WPA_PTK, AUTHENTICATION2)
1938{
1939 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1940
40d00d2b 1941 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1942 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1943
3825a19b
JM		 1944 /*
1945 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1946 * ambiguous. The Authenticator state machine uses a counter that is
1947 * incremented by one for each 4-way handshake. However, the security
1948 * analysis of 4-way handshake points out that unpredictable nonces
1949 * help in preventing precomputation attacks. Instead of the state
1950 * machine definition, use an unpredictable nonce value here to provide
1951 * stronger protection against potential precomputation attacks.
1952 */
1953 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1954 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1955 "ANonce.");
65a32cdb 1956 sm->Disconnect = TRUE;
3825a19b
JM		 1957 return;
1958 }
bc8318ac
JM		 1959 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1960 WPA_NONCE_LEN);
6fc6879b
JM		 1961 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1962 * logical place than INITIALIZE since AUTHENTICATION2 can be
1963 * re-entered on ReAuthenticationRequest without going through
1964 * INITIALIZE. */
1965 sm->TimeoutCtr = 0;
1966}
1967
1968
0adc9b28
JM		 1969static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
1970{
1971 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1972 wpa_printf(MSG_ERROR,
1973 "WPA: Failed to get random data for ANonce");
1974 sm->Disconnect = TRUE;
1975 return -1;
1976 }
1977 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
1978 WPA_NONCE_LEN);
1979 sm->TimeoutCtr = 0;
1980 return 0;
1981}
1982
1983
6fc6879b
JM		 1984SM_STATE(WPA_PTK, INITPMK)
1985{
1986 u8 msk[2 * PMK_LEN];
1987 size_t len = 2 * PMK_LEN;
1988
1989 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1990#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1991 sm->xxkey_len = 0;
4ec1fd8e 1992#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1993 if (sm->pmksa) {
1994 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1995 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1996 sm->pmk_len = sm->pmksa->pmk_len;
567da5bb
JM		 1997#ifdef CONFIG_DPP
1998 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1999 wpa_printf(MSG_DEBUG,
2000 "DPP: No PMKSA cache entry for STA - reject connection");
2001 sm->Disconnect = TRUE;
2002 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2003 return;
2004#endif /* CONFIG_DPP */
6fc6879b 2005 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 2006 unsigned int pmk_len;
2007
834c5d68 2008 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 2009 pmk_len = PMK_LEN_SUITE_B_192;
2010 else
2011 pmk_len = PMK_LEN;
6fc6879b 2012 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 2013 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
2014 pmk_len);
2015 if (len < pmk_len) {
2016 wpa_printf(MSG_DEBUG,
2017 "WPA: MSK not long enough (%u) to create PMK (%u)",
2018 (unsigned int) len, (unsigned int) pmk_len);
2019 sm->Disconnect = TRUE;
2020 return;
2021 }
2022 os_memcpy(sm->PMK, msk, pmk_len);
2023 sm->pmk_len = pmk_len;
4ec1fd8e 2024#ifdef CONFIG_IEEE80211R_AP
6fc6879b 2025 if (len >= 2 * PMK_LEN) {
9f12271b
JM		 2026 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2027 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2028 sm->xxkey_len = SHA384_MAC_LEN;
2029 } else {
2030 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2031 sm->xxkey_len = PMK_LEN;
2032 }
6fc6879b 2033 }
4ec1fd8e 2034#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2035 } else {
400de9b1 2036 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 2037 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 2038 sm->Disconnect = TRUE;
2039 return;
6fc6879b 2040 }
40aaa64f 2041 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 2042
2043 sm->req_replay_counter_used = 0;
2044 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2045 * will break reauthentication since EAPOL state machines may not be
2046 * get into AUTHENTICATING state that clears keyRun before WPA state
2047 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2048 * state and takes PMK from the previously used AAA Key. This will
2049 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2050 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2051 * be good workaround for this issue. */
2052 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2053}
2054
2055
2056SM_STATE(WPA_PTK, INITPSK)
2057{
2058 const u8 *psk;
7a12edd1
JM		 2059 size_t psk_len;
2060
6fc6879b 2061 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
7a12edd1 2062 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
dbfa691d 2063 &psk_len, NULL);
6fc6879b 2064 if (psk) {
7a12edd1
JM		 2065 os_memcpy(sm->PMK, psk, psk_len);
2066 sm->pmk_len = psk_len;
4ec1fd8e 2067#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 2068 os_memcpy(sm->xxkey, psk, PMK_LEN);
2069 sm->xxkey_len = PMK_LEN;
4ec1fd8e 2070#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2071 }
e61fea6b
JM		 2072#ifdef CONFIG_SAE
2073 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2074 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2075 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2076 sm->pmk_len = sm->pmksa->pmk_len;
6fe3f0f7 2077#ifdef CONFIG_IEEE80211R_AP
2078 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2079 sm->xxkey_len = sm->pmksa->pmk_len;
2080#endif /* CONFIG_IEEE80211R_AP */
e61fea6b
JM		 2081 }
2082#endif /* CONFIG_SAE */
6fc6879b
JM		 2083 sm->req_replay_counter_used = 0;
2084}
2085
2086
2087SM_STATE(WPA_PTK, PTKSTART)
2088{
2089 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2090 size_t pmkid_len = 0;
2091
2092 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2093 sm->PTKRequest = FALSE;
2094 sm->TimeoutEvt = FALSE;
f23c5b17 2095 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2096
2097 sm->TimeoutCtr++;
41f140d3 2098 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2099 /* No point in sending the EAPOL-Key - we will disconnect
2100 * immediately following this. */
2101 return;
2102 }
2103
6fc6879b
JM		 2104 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2105 "sending 1/4 msg of 4-Way Handshake");
2106 /*
c6e1a9a0
JM		 2107 * For infrastructure BSS cases, it is better for the AP not to include
2108 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2109 * offline search for the passphrase/PSK without having to be able to
2110 * capture a 4-way handshake from a STA that has access to the network.
2111 *
2112 * For IBSS cases, addition of PMKID KDE could be considered even with
2113 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2114 * possible PSK for this STA. However, this should not be done unless
2115 * there is support for using that information on the supplicant side.
2116 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2117 * cases would also apply here, but at least in the IBSS case, this
2118 * would cover a potential real use case.
6fc6879b
JM		 2119 */
2120 if (sm->wpa == WPA_VERSION_WPA2 &&
e61fea6b 2121 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
d90f10fa 2122 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
e61fea6b 2123 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
a14896e8 2124 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2125 pmkid = buf;
2126 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2127 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2128 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2129 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2130 if (sm->pmksa) {
9d94e4bb
JM		 2131 wpa_hexdump(MSG_DEBUG,
2132 "RSN: Message 1/4 PMKID from PMKSA entry",
2133 sm->pmksa->pmkid, PMKID_LEN);
6fc6879b
JM		 2134 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2135 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2136 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2137 /* No KCK available to derive PMKID */
9d94e4bb
JM		 2138 wpa_printf(MSG_DEBUG,
2139 "RSN: No KCK available to derive PMKID for message 1/4");
929a2ea5 2140 pmkid = NULL;
a40bd06e
JM		 2141#ifdef CONFIG_FILS
2142 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2143 if (sm->pmkid_set) {
2144 wpa_hexdump(MSG_DEBUG,
2145 "RSN: Message 1/4 PMKID from FILS/ERP",
2146 sm->pmkid, PMKID_LEN);
2147 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2148 sm->pmkid, PMKID_LEN);
2149 } else {
2150 /* No PMKID available */
2151 wpa_printf(MSG_DEBUG,
2152 "RSN: No FILS/ERP PMKID available for message 1/4");
2153 pmkid = NULL;
2154 }
2155#endif /* CONFIG_FILS */
9d94e4bb
JM		 2156#ifdef CONFIG_SAE
2157 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2158 if (sm->pmkid_set) {
2159 wpa_hexdump(MSG_DEBUG,
2160 "RSN: Message 1/4 PMKID from SAE",
2161 sm->pmkid, PMKID_LEN);
2162 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2163 sm->pmkid, PMKID_LEN);
2164 } else {
2165 /* No PMKID available */
2166 wpa_printf(MSG_DEBUG,
2167 "RSN: No SAE PMKID available for message 1/4");
2168 pmkid = NULL;
2169 }
2170#endif /* CONFIG_SAE */
929a2ea5 2171 } else {
6fc6879b
JM		 2172 /*
2173 * Calculate PMKID since no PMKSA cache entry was
2174 * available with pre-calculated PMKID.
2175 */
207976f0 2176 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197 2177 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
41b81914 2178 sm->wpa_key_mgmt);
9d94e4bb
JM		 2179 wpa_hexdump(MSG_DEBUG,
2180 "RSN: Message 1/4 PMKID derived from PMK",
2181 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
6fc6879b
JM		 2182 }
2183 }
2184 wpa_send_eapol(sm->wpa_auth, sm,
2185 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2186 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2187}
2188
2189
f23c5b17 2190static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2191 const u8 *pmk, unsigned int pmk_len,
2192 struct wpa_ptk *ptk)
6fc6879b 2193{
10ec6a5f
JM		 2194 const u8 *z = NULL;
2195 size_t z_len = 0;
2196
4ec1fd8e 2197#ifdef CONFIG_IEEE80211R_AP
56586197 2198 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
267c366f 2199 return wpa_auth_derive_ptk_ft(sm, ptk);
4ec1fd8e 2200#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2201
10ec6a5f
JM		 2202#ifdef CONFIG_DPP2
2203 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2204 z = wpabuf_head(sm->dpp_z);
2205 z_len = wpabuf_len(sm->dpp_z);
2206 }
2207#endif /* CONFIG_DPP2 */
2208
207976f0 2209 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c 2210 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
10ec6a5f 2211 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len);
6fc6879b
JM		 2212}
2213
2214
3b5b7aa8 2215#ifdef CONFIG_FILS
c4fd6d8a
JM		 2216
2217int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
80ddf5d9 2218 size_t pmk_len, const u8 *snonce, const u8 *anonce,
4cada9dc 2219 const u8 *dhss, size_t dhss_len,
80ddf5d9 2220 struct wpabuf *g_sta, struct wpabuf *g_ap)
c4fd6d8a
JM		 2221{
2222 u8 ick[FILS_ICK_MAX_LEN];
2223 size_t ick_len;
2224 int res;
8fed47e0
JM		 2225 u8 fils_ft[FILS_FT_MAX_LEN];
2226 size_t fils_ft_len = 0;
c4fd6d8a
JM		 2227
2228 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
4cada9dc
JM		 2229 snonce, anonce, dhss, dhss_len,
2230 &sm->PTK, ick, &ick_len,
8fed47e0
JM		 2231 sm->wpa_key_mgmt, sm->pairwise,
2232 fils_ft, &fils_ft_len);
c4fd6d8a
JM		 2233 if (res < 0)
2234 return res;
2235 sm->PTK_valid = TRUE;
2f1357fb 2236 sm->tk_already_set = FALSE;
c4fd6d8a 2237
8fed47e0
JM		 2238#ifdef CONFIG_IEEE80211R_AP
2239 if (fils_ft_len) {
2240 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2241 struct wpa_auth_config *conf = &wpa_auth->conf;
994eac7e
JM		 2242 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2243 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
2244 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
8fed47e0
JM		 2245
2246 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2247 conf->ssid, conf->ssid_len,
2248 conf->mobility_domain,
2249 conf->r0_key_holder,
2250 conf->r0_key_holder_len,
994eac7e
JM		 2251 sm->addr, pmk_r0, pmk_r0_name,
2252 use_sha384) < 0)
8fed47e0
JM		 2253 return -1;
2254
994eac7e
JM		 2255 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
2256 pmk_r0, pmk_r0_len);
8fed47e0
JM		 2257 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2258 pmk_r0_name, WPA_PMK_NAME_LEN);
89dea17e 2259 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
8fed47e0 2260 os_memset(fils_ft, 0, sizeof(fils_ft));
36536639
JM		 2261
2262 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
2263 sm->addr, sm->pmk_r1_name,
2264 use_sha384);
2265 os_memset(pmk_r0, 0, PMK_LEN_MAX);
2266 if (res < 0)
2267 return -1;
2268 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
2269 WPA_PMK_NAME_LEN);
2270 sm->pmk_r1_name_valid = 1;
8fed47e0
JM		 2271 }
2272#endif /* CONFIG_IEEE80211R_AP */
2273
c4fd6d8a
JM		 2274 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2275 sm->addr, sm->wpa_auth->addr,
80ddf5d9
JM		 2276 g_sta ? wpabuf_head(g_sta) : NULL,
2277 g_sta ? wpabuf_len(g_sta) : 0,
2278 g_ap ? wpabuf_head(g_ap) : NULL,
2279 g_ap ? wpabuf_len(g_ap) : 0,
c4fd6d8a
JM		 2280 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2281 sm->fils_key_auth_ap,
2282 &sm->fils_key_auth_len);
2283 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2284
2285 /* Store nonces for (Re)Association Request/Response frame processing */
2286 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2287 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2288
c4fd6d8a
JM		 2289 return res;
2290}
2291
2292
3b5b7aa8 2293static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2294 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2295{
2296 struct ieee802_1x_hdr *hdr;
2297 struct wpa_eapol_key *key;
2298 u8 *pos;
2299 u16 key_data_len;
2300 u8 *tmp;
2301 const u8 *aad[1];
2302 size_t aad_len[1];
2303
75c8563e 2304 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2305 key = (struct wpa_eapol_key *) (hdr + 1);
2306 pos = (u8 *) (key + 1);
2307 key_data_len = WPA_GET_BE16(pos);
2308 if (key_data_len < AES_BLOCK_SIZE ||
2309 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2310 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2311 "No room for AES-SIV data in the frame");
2312 return -1;
2313 }
2314 pos += 2; /* Pointing at the Encrypted Key Data field */
2315
2316 tmp = os_malloc(key_data_len);
2317 if (!tmp)
2318 return -1;
2319
2320 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2321 * to Key Data (exclusive). */
75c8563e
JM		 2322 aad[0] = buf;
2323 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2324 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2325 1, aad, aad_len, tmp) < 0) {
2326 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2327 "Invalid AES-SIV data in the frame");
2328 bin_clear_free(tmp, key_data_len);
2329 return -1;
2330 }
2331
2332 /* AEAD decryption and validation completed successfully */
2333 key_data_len -= AES_BLOCK_SIZE;
2334 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2335 tmp, key_data_len);
2336
2337 /* Replace Key Data field with the decrypted version */
2338 os_memcpy(pos, tmp, key_data_len);
2339 pos -= 2; /* Key Data Length field */
2340 WPA_PUT_BE16(pos, key_data_len);
2341 bin_clear_free(tmp, key_data_len);
2342 if (_key_data_len)
2343 *_key_data_len = key_data_len;
2344 return 0;
2345}
78815f3d
JM		 2346
2347
087631b9
JM		 2348const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2349 const u8 *ies, size_t ies_len,
2350 const u8 *fils_session)
2351{
2352 const u8 *ie, *end;
2353 const u8 *session = NULL;
2354
2355 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2356 wpa_printf(MSG_DEBUG,
2357 "FILS: Not a FILS AKM - reject association");
2358 return NULL;
2359 }
2360
2361 /* Verify Session element */
2362 ie = ies;
2363 end = ((const u8 *) ie) + ies_len;
2364 while (ie + 1 < end) {
2365 if (ie + 2 + ie[1] > end)
2366 break;
2367 if (ie[0] == WLAN_EID_EXTENSION &&
2368 ie[1] >= 1 + FILS_SESSION_LEN &&
2369 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2370 session = ie;
2371 break;
2372 }
2373 ie += 2 + ie[1];
2374 }
2375
2376 if (!session) {
2377 wpa_printf(MSG_DEBUG,
2378 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2379 __func__);
2380 return NULL;
2381 }
2382
2383 if (!fils_session) {
2384 wpa_printf(MSG_DEBUG,
2385 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2386 __func__);
2387 return NULL;
2388 }
2389
2390 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2391 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2392 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2393 fils_session, FILS_SESSION_LEN);
2394 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2395 session + 3, FILS_SESSION_LEN);
2396 return NULL;
2397 }
2398 return session;
2399}
2400
2401
bd599353
JM		 2402int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2403 size_t ies_len)
2404{
2405 struct ieee802_11_elems elems;
2406
2407 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2408 wpa_printf(MSG_DEBUG,
2409 "FILS: Failed to parse decrypted elements");
2410 return -1;
2411 }
2412
8b5ddda5
JM		 2413 if (!elems.fils_session) {
2414 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2415 return -1;
2416 }
2417
bd599353
JM		 2418 if (!elems.fils_key_confirm) {
2419 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2420 return -1;
2421 }
2422
2423 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2424 wpa_printf(MSG_DEBUG,
2425 "FILS: Unexpected Key-Auth length %d (expected %d)",
2426 elems.fils_key_confirm_len,
2427 (int) sm->fils_key_auth_len);
2428 return -1;
2429 }
2430
2431 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2432 sm->fils_key_auth_len) != 0) {
2433 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2434 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2435 elems.fils_key_confirm, elems.fils_key_confirm_len);
2436 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2437 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2438 return -1;
2439 }
2440
2441 return 0;
2442}
2443
2444
78815f3d
JM		 2445int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2446 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2447 u8 *pos, size_t left)
2448{
2449 u16 fc, stype;
2450 const u8 *end, *ie_start, *ie, *session, *crypt;
78815f3d
JM		 2451 const u8 *aad[5];
2452 size_t aad_len[5];
2453
2454 if (!sm || !sm->PTK_valid) {
2455 wpa_printf(MSG_DEBUG,
2456 "FILS: No KEK to decrypt Assocication Request frame");
2457 return -1;
2458 }
2459
2460 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2461 wpa_printf(MSG_DEBUG,
2462 "FILS: Not a FILS AKM - reject association");
2463 return -1;
2464 }
2465
2466 end = ((const u8 *) mgmt) + frame_len;
2467 fc = le_to_host16(mgmt->frame_control);
2468 stype = WLAN_FC_GET_STYPE(fc);
2469 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2470 ie_start = mgmt->u.reassoc_req.variable;
2471 else
2472 ie_start = mgmt->u.assoc_req.variable;
2473 ie = ie_start;
2474
2475 /*
2476 * Find FILS Session element which is the last unencrypted element in
2477 * the frame.
2478 */
087631b9
JM		 2479 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2480 fils_session);
78815f3d 2481 if (!session) {
087631b9 2482 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
78815f3d
JM		 2483 return -1;
2484 }
087631b9 2485
78815f3d
JM		 2486 crypt = session + 2 + session[1];
2487
2488 if (end - crypt < AES_BLOCK_SIZE) {
2489 wpa_printf(MSG_DEBUG,
2490 "FILS: Too short frame to include AES-SIV data");
2491 return -1;
2492 }
2493
2494 /* AES-SIV AAD vectors */
2495
2496 /* The STA's MAC address */
2497 aad[0] = mgmt->sa;
2498 aad_len[0] = ETH_ALEN;
2499 /* The AP's BSSID */
2500 aad[1] = mgmt->da;
2501 aad_len[1] = ETH_ALEN;
2502 /* The STA's nonce */
2503 aad[2] = sm->SNonce;
2504 aad_len[2] = FILS_NONCE_LEN;
2505 /* The AP's nonce */
2506 aad[3] = sm->ANonce;
2507 aad_len[3] = FILS_NONCE_LEN;
2508 /*
2509 * The (Re)Association Request frame from the Capability Information
2510 * field to the FILS Session element (both inclusive).
2511 */
2512 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2513 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2514
2515 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2516 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2517 wpa_printf(MSG_DEBUG,
2518 "FILS: Invalid AES-SIV data in the frame");
2519 return -1;
2520 }
2521 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2522 pos, left - AES_BLOCK_SIZE);
2523
bd599353
JM		 2524 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2525 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
78815f3d
JM		 2526 return -1;
2527 }
2528
2529 return left - AES_BLOCK_SIZE;
2530}
2531
e73ffa09
JM		 2532
2533int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2534 size_t current_len, size_t max_len,
2535 const struct wpabuf *hlp)
e73ffa09
JM		 2536{
2537 u8 *end = buf + max_len;
2538 u8 *pos = buf + current_len;
2539 struct ieee80211_mgmt *mgmt;
2540 struct wpabuf *plain;
e73ffa09
JM		 2541 const u8 *aad[5];
2542 size_t aad_len[5];
2543
2544 if (!sm || !sm->PTK_valid)
2545 return -1;
2546
2547 wpa_hexdump(MSG_DEBUG,
2548 "FILS: Association Response frame before FILS processing",
2549 buf, current_len);
2550
2551 mgmt = (struct ieee80211_mgmt *) buf;
2552
2553 /* AES-SIV AAD vectors */
2554
2555 /* The AP's BSSID */
2556 aad[0] = mgmt->sa;
2557 aad_len[0] = ETH_ALEN;
2558 /* The STA's MAC address */
2559 aad[1] = mgmt->da;
2560 aad_len[1] = ETH_ALEN;
2561 /* The AP's nonce */
2562 aad[2] = sm->ANonce;
2563 aad_len[2] = FILS_NONCE_LEN;
2564 /* The STA's nonce */
2565 aad[3] = sm->SNonce;
2566 aad_len[3] = FILS_NONCE_LEN;
2567 /*
2568 * The (Re)Association Response frame from the Capability Information
2569 * field (the same offset in both Association and Reassociation
2570 * Response frames) to the FILS Session element (both inclusive).
2571 */
2572 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2573 aad_len[4] = pos - aad[4];
2574
2575 /* The following elements will be encrypted with AES-SIV */
9392859d
JM		 2576 plain = fils_prepare_plainbuf(sm, hlp);
2577 if (!plain) {
2578 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2579 return -1;
2580 }
2581
2582 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2583 wpa_printf(MSG_DEBUG,
2584 "FILS: Not enough room for FILS elements");
2585 wpabuf_free(plain);
2586 return -1;
2587 }
2588
2589 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2590 plain);
2591
2592 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2593 wpabuf_head(plain), wpabuf_len(plain),
2594 5, aad, aad_len, pos) < 0) {
2595 wpabuf_free(plain);
2596 return -1;
2597 }
2598
2599 wpa_hexdump(MSG_DEBUG,
2600 "FILS: Encrypted Association Response elements",
2601 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2602 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2603 wpabuf_free(plain);
2604
2605 sm->fils_completed = 1;
2606
2607 return current_len;
2608}
2609
2610
2611static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2612 const struct wpabuf *hlp)
2613{
2614 struct wpabuf *plain;
2615 u8 *len, *tmp, *tmp2;
2616 u8 hdr[2];
2617 u8 *gtk, dummy_gtk[32];
2618 size_t gtk_len;
2619 struct wpa_group *gsm;
e73ffa09
JM		 2620
2621 plain = wpabuf_alloc(1000);
2622 if (!plain)
9392859d 2623 return NULL;
e73ffa09
JM		 2624
2625 /* TODO: FILS Public Key */
2626
2627 /* FILS Key Confirmation */
2628 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2629 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2630 /* Element ID Extension */
2631 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2632 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2633
91d91abf
JM		 2634 /* FILS HLP Container */
2635 if (hlp)
2636 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2637
2638 /* TODO: FILS IP Address Assignment */
2639
2640 /* Key Delivery */
2641 gsm = sm->group;
2642 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2643 len = wpabuf_put(plain, 1);
2644 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2645 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2646 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2647 /* GTK KDE */
2648 gtk = gsm->GTK[gsm->GN - 1];
2649 gtk_len = gsm->GTK_len;
8d660a4b
JM		 2650 if (sm->wpa_auth->conf.disable_gtk ||
2651 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
e73ffa09
JM		 2652 /*
2653 * Provide unique random GTK to each STA to prevent use
2654 * of GTK in the BSS.
2655 */
2656 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2657 wpabuf_free(plain);
9392859d 2658 return NULL;
e73ffa09
JM		 2659 }
2660 gtk = dummy_gtk;
2661 }
2662 hdr[0] = gsm->GN & 0x03;
2663 hdr[1] = 0;
2664 tmp = wpabuf_put(plain, 0);
2665 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2666 gtk, gtk_len);
2667 wpabuf_put(plain, tmp2 - tmp);
2668
2669 /* IGTK KDE */
2670 tmp = wpabuf_put(plain, 0);
2671 tmp2 = ieee80211w_kde_add(sm, tmp);
2672 wpabuf_put(plain, tmp2 - tmp);
2673
2674 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
99621dc1
MV		 2675
2676#ifdef CONFIG_OCV
2677 if (wpa_auth_uses_ocv(sm)) {
2678 struct wpa_channel_info ci;
2679 u8 *pos;
2680
2681 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
2682 wpa_printf(MSG_WARNING,
2683 "FILS: Failed to get channel info for OCI element");
2684 wpabuf_free(plain);
2685 return NULL;
2686 }
2687
2688 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
2689 if (ocv_insert_extended_oci(&ci, pos) < 0) {
2690 wpabuf_free(plain);
2691 return NULL;
2692 }
2693 }
2694#endif /* CONFIG_OCV */
2695
9392859d 2696 return plain;
e73ffa09
JM		 2697}
2698
da24c5aa
JM		 2699
2700int fils_set_tk(struct wpa_state_machine *sm)
2701{
2702 enum wpa_alg alg;
2703 int klen;
2704
2f1357fb
JM		 2705 if (!sm || !sm->PTK_valid) {
2706 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2707 return -1;
2708 }
2709 if (sm->tk_already_set) {
2710 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
da24c5aa 2711 return -1;
2f1357fb 2712 }
da24c5aa
JM		 2713
2714 alg = wpa_cipher_to_alg(sm->pairwise);
2715 klen = wpa_cipher_key_len(sm->pairwise);
2716
2717 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2718 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2719 sm->PTK.tk, klen)) {
2720 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2721 return -1;
2722 }
2f1357fb 2723 sm->tk_already_set = TRUE;
da24c5aa
JM		 2724
2725 return 0;
2726}
2727
fa61bff6
JM		 2728
2729u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
8b5ddda5 2730 const u8 *fils_session, struct wpabuf *hlp)
fa61bff6
JM		 2731{
2732 struct wpabuf *plain;
2733 u8 *pos = buf;
2734
2735 /* FILS Session */
2736 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2737 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2738 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2739 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2740 pos += FILS_SESSION_LEN;
2741
8b5ddda5 2742 plain = fils_prepare_plainbuf(sm, hlp);
fa61bff6
JM		 2743 if (!plain) {
2744 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2745 return NULL;
2746 }
2747
2748 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2749 pos += wpabuf_len(plain);
2750
2751 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2752 (unsigned int) wpabuf_len(plain));
2753 wpabuf_free(plain);
2754 sm->fils_completed = 1;
2755 return pos;
2756}
2757
3b5b7aa8
JM		 2758#endif /* CONFIG_FILS */
2759
2760
1034f67b
MV		 2761#ifdef CONFIG_OCV
2762int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
2763 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
2764{
2765 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2766
2767 if (!wpa_auth->cb->get_sta_tx_params)
2768 return -1;
2769 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
2770 ap_max_chanwidth, ap_seg1_idx,
2771 bandwidth, seg1_idx);
2772}
2773#endif /* CONFIG_OCV */
2774
2775
6fc6879b
JM		 2776SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2777{
3b5b7aa8 2778 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2779 struct wpa_ptk PTK;
2c502460 2780 int ok = 0, psk_found = 0;
6fc6879b 2781 const u8 *pmk = NULL;
7a12edd1 2782 size_t pmk_len;
3b5b7aa8
JM		 2783 int ft;
2784 const u8 *eapol_key_ie, *key_data, *mic;
2785 u16 key_data_length;
2786 size_t mic_len, eapol_key_ie_len;
2787 struct ieee802_1x_hdr *hdr;
2788 struct wpa_eapol_key *key;
2789 struct wpa_eapol_ie_parse kde;
bb05d036 2790 int vlan_id = 0;
6fc6879b
JM		 2791
2792 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2793 sm->EAPOLKeyReceived = FALSE;
68921e24 2794 sm->update_snonce = FALSE;
b729fd8d 2795 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2796
567da5bb 2797 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3b5b7aa8 2798
6fc6879b
JM		 2799 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2800 * WPA-PSK: iterate through possible PSKs and select the one matching
2801 * the packet */
2802 for (;;) {
e61fea6b
JM		 2803 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2804 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
759fd76b 2805 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
dbfa691d
JM		 2806 sm->p2p_dev_addr, pmk, &pmk_len,
2807 &vlan_id);
6fc6879b
JM		 2808 if (pmk == NULL)
2809 break;
2c502460 2810 psk_found = 1;
f9854c18
MK		 2811#ifdef CONFIG_IEEE80211R_AP
2812 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
2813 os_memcpy(sm->xxkey, pmk, pmk_len);
2814 sm->xxkey_len = pmk_len;
2815 }
2816#endif /* CONFIG_IEEE80211R_AP */
207976f0 2817 } else {
6fc6879b 2818 pmk = sm->PMK;
207976f0
JM		 2819 pmk_len = sm->pmk_len;
2820 }
6fc6879b 2821
a40bd06e
JM		 2822 if ((!pmk || !pmk_len) && sm->pmksa) {
2823 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
2824 pmk = sm->pmksa->pmk;
2825 pmk_len = sm->pmksa->pmk_len;
2826 }
2827
364c064a
JM		 2828 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2829 break;
6fc6879b 2830
3b5b7aa8 2831 if (mic_len &&
567da5bb 2832 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
929a2ea5 2833 sm->last_rx_eapol_key,
6fc6879b 2834 sm->last_rx_eapol_key_len) == 0) {
08dc8efd
JM		 2835 if (sm->PMK != pmk) {
2836 os_memcpy(sm->PMK, pmk, pmk_len);
2837 sm->pmk_len = pmk_len;
2838 }
6fc6879b
JM		 2839 ok = 1;
2840 break;
2841 }
2842
3b5b7aa8 2843#ifdef CONFIG_FILS
75c8563e
JM		 2844 if (!mic_len &&
2845 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2846 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2847 ok = 1;
2848 break;
2849 }
2850#endif /* CONFIG_FILS */
2851
f5e0a332
JM		 2852 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2853 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
6fc6879b
JM		 2854 break;
2855 }
2856
2857 if (!ok) {
2858 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2859 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2860 if (psk_found)
2861 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2862 return;
2863 }
2864
3b5b7aa8
JM		 2865 /*
2866 * Note: last_rx_eapol_key length fields have already been validated in
2867 * wpa_receive().
2868 */
2869 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2870 key = (struct wpa_eapol_key *) (hdr + 1);
2871 mic = (u8 *) (key + 1);
2872 key_data = mic + mic_len + 2;
2873 key_data_length = WPA_GET_BE16(mic + mic_len);
2874 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2875 sizeof(*key) - mic_len - 2)
2876 return;
2877
2878 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2879 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2880 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2881 return;
2882 }
2883 if (kde.rsn_ie) {
2884 eapol_key_ie = kde.rsn_ie;
2885 eapol_key_ie_len = kde.rsn_ie_len;
2886 } else if (kde.osen) {
2887 eapol_key_ie = kde.osen;
2888 eapol_key_ie_len = kde.osen_len;
2889 } else {
2890 eapol_key_ie = kde.wpa_ie;
2891 eapol_key_ie_len = kde.wpa_ie_len;
2892 }
2893 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2894 if (sm->wpa_ie == NULL ||
2895 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2896 eapol_key_ie, eapol_key_ie_len)) {
2897 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2898 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2899 if (sm->wpa_ie) {
2900 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2901 sm->wpa_ie, sm->wpa_ie_len);
2902 }
2903 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2904 eapol_key_ie, eapol_key_ie_len);
2905 /* MLME-DEAUTHENTICATE.request */
567da5bb
JM		 2906 wpa_sta_disconnect(wpa_auth, sm->addr,
2907 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2908 return;
2909 }
aed61c4e
MV		 2910#ifdef CONFIG_OCV
2911 if (wpa_auth_uses_ocv(sm)) {
2912 struct wpa_channel_info ci;
2913 int tx_chanwidth;
2914 int tx_seg1_idx;
2915
2916 if (wpa_channel_info(wpa_auth, &ci) != 0) {
2917 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2918 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
2919 return;
2920 }
2921
2922 if (get_sta_tx_parameters(sm,
2923 channel_width_to_int(ci.chanwidth),
2924 ci.seg1_idx, &tx_chanwidth,
2925 &tx_seg1_idx) < 0)
2926 return;
2927
2928 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
2929 tx_chanwidth, tx_seg1_idx) != 0) {
2930 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2931 ocv_errorstr);
2932 return;
2933 }
2934 }
2935#endif /* CONFIG_OCV */
4ec1fd8e 2936#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8 2937 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
567da5bb
JM		 2938 wpa_sta_disconnect(wpa_auth, sm->addr,
2939 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2940 return;
2941 }
4ec1fd8e 2942#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2943#ifdef CONFIG_P2P
2944 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2945 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2946 int idx;
2947 wpa_printf(MSG_DEBUG,
2948 "P2P: IP address requested in EAPOL-Key exchange");
2949 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2950 if (idx >= 0) {
2951 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2952 bitfield_set(wpa_auth->ip_pool, idx);
2953 WPA_PUT_BE32(sm->ip_addr, start + idx);
2954 wpa_printf(MSG_DEBUG,
2955 "P2P: Assigned IP address %u.%u.%u.%u to "
2956 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2957 sm->ip_addr[2], sm->ip_addr[3],
2958 MAC2STR(sm->addr));
2959 }
2960 }
2961#endif /* CONFIG_P2P */
2962
4ec1fd8e 2963#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2964 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2965 /*
2966 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2967 * with the value we derived.
2968 */
870834a1
JM		 2969 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2970 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2971 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2972 "PMKR1Name mismatch in FT 4-way "
2973 "handshake");
2974 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2975 "Supplicant",
2976 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2977 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2978 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2979 return;
2980 }
2981 }
4ec1fd8e 2982#endif /* CONFIG_IEEE80211R_AP */
26e23750 2983
dbfa691d
JM		 2984 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2985 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
2986 wpa_sta_disconnect(wpa_auth, sm->addr,
2987 WLAN_REASON_PREV_AUTH_NOT_VALID);
2988 return;
2989 }
2990
e4bf4db9 2991 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2992 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2993
56586197 2994 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2995 /* PSK may have changed from the previous choice, so update
2996 * state machine data based on whatever PSK was selected here.
2997 */
2998 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2999 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 3000 }
3001
3002 sm->MICVerified = TRUE;
3003
3004 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
3005 sm->PTK_valid = TRUE;
3006}
3007
3008
3009SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
3010{
3011 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
3012 sm->TimeoutCtr = 0;
3013}
3014
3015
3016#ifdef CONFIG_IEEE80211W
3017
3018static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3019{
3020 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 3021 size_t len;
3022 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3023 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 3024 }
3025
3026 return 0;
3027}
3028
3029
3030static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3031{
3032 struct wpa_igtk_kde igtk;
3033 struct wpa_group *gsm = sm->group;
03610ad2 3034 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 3035 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 3036
3037 if (!sm->mgmt_frame_prot)
3038 return pos;
3039
3040 igtk.keyid[0] = gsm->GN_igtk;
3041 igtk.keyid[1] = 0;
7b1080da 3042 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 3043 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 3044 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 3045 else
3046 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 3047 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
8d660a4b
JM		 3048 if (sm->wpa_auth->conf.disable_gtk ||
3049 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3050 /*
3051 * Provide unique random IGTK to each STA to prevent use of
3052 * IGTK in the BSS.
3053 */
8dd9f9cd 3054 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 3055 return pos;
3056 }
6fc6879b 3057 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 3058 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
3059 NULL, 0);
6fc6879b
JM		 3060
3061 return pos;
3062}
3063
3064#else /* CONFIG_IEEE80211W */
3065
3066static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3067{
3068 return 0;
3069}
3070
3071
3072static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3073{
3074 return pos;
3075}
3076
3077#endif /* CONFIG_IEEE80211W */
3078
3079
17c2559c
MV		 3080static int ocv_oci_len(struct wpa_state_machine *sm)
3081{
3082#ifdef CONFIG_OCV
3083 if (wpa_auth_uses_ocv(sm))
3084 return OCV_OCI_KDE_LEN;
3085#endif /* CONFIG_OCV */
3086 return 0;
3087}
3088
3089static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos)
3090{
3091#ifdef CONFIG_OCV
3092 struct wpa_channel_info ci;
3093
3094 if (!wpa_auth_uses_ocv(sm))
3095 return 0;
3096
3097 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3098 wpa_printf(MSG_WARNING,
3099 "Failed to get channel info for OCI element");
3100 return -1;
3101 }
3102
3103 return ocv_insert_oci_kde(&ci, argpos);
3104#else /* CONFIG_OCV */
3105 return 0;
3106#endif /* CONFIG_OCV */
3107}
3108
3109
6fc6879b
JM		 3110SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
3111{
83421850 3112 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 3113 size_t gtk_len, kde_len;
3114 struct wpa_group *gsm = sm->group;
3115 u8 *wpa_ie;
3116 int wpa_ie_len, secure, keyidx, encr = 0;
3117
3118 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
3119 sm->TimeoutEvt = FALSE;
bae61562
JM		 3120
3121 sm->TimeoutCtr++;
6f234c1e
JM		 3122 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3123 sm->TimeoutCtr > 1) {
3124 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
3125 return;
3126 }
41f140d3 3127 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 3128 /* No point in sending the EAPOL-Key - we will disconnect
3129 * immediately following this. */
3130 return;
3131 }
3132
86dfabb8
JM		 3133 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
3134 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 3135 */
3136 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3137 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 3138 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 3139 wpa_ie = sm->wpa_auth->wpa_ie;
3140 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
3141 if (sm->wpa == WPA_VERSION_WPA &&
3142 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
3143 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 3144 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 3145 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 3146 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
3147 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 3148 wpa_ie_len = wpa_ie[1] + 2;
3149 }
3150 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3151 "sending 3/4 msg of 4-Way Handshake");
3152 if (sm->wpa == WPA_VERSION_WPA2) {
3153 /* WPA2 send GTK in the 4-way handshake */
3154 secure = 1;
3155 gtk = gsm->GTK[gsm->GN - 1];
3156 gtk_len = gsm->GTK_len;
8d660a4b
JM		 3157 if (sm->wpa_auth->conf.disable_gtk ||
3158 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3159 /*
3160 * Provide unique random GTK to each STA to prevent use
3161 * of GTK in the BSS.
3162 */
3163 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
3164 return;
3165 gtk = dummy_gtk;
3166 }
6fc6879b
JM		 3167 keyidx = gsm->GN;
3168 _rsc = rsc;
3169 encr = 1;
3170 } else {
3171 /* WPA does not include GTK in msg 3/4 */
3172 secure = 0;
3173 gtk = NULL;
3174 gtk_len = 0;
3175 keyidx = 0;
3176 _rsc = NULL;
0d442aff
JM		 3177 if (sm->rx_eapol_key_secure) {
3178 /*
3179 * It looks like Windows 7 supplicant tries to use
3180 * Secure bit in msg 2/4 after having reported Michael
3181 * MIC failure and it then rejects the 4-way handshake
3182 * if msg 3/4 does not set Secure bit. Work around this
3183 * by setting the Secure bit here even in the case of
3184 * WPA if the supplicant used it first.
3185 */
3186 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 3187 "STA used Secure bit in WPA msg 2/4 - "
3188 "set Secure for 3/4 as workaround");
0d442aff
JM		 3189 secure = 1;
3190 }
6fc6879b
JM		 3191 }
3192
17c2559c 3193 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
6fc6879b
JM		 3194 if (gtk)
3195 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 3196#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 3197 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3198 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
3199 kde_len += 300; /* FTIE + 2 * TIE */
3200 }
4ec1fd8e 3201#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3202#ifdef CONFIG_P2P
3203 if (WPA_GET_BE32(sm->ip_addr) > 0)
3204 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
3205#endif /* CONFIG_P2P */
6fc6879b
JM		 3206 kde = os_malloc(kde_len);
3207 if (kde == NULL)
3208 return;
3209
3210 pos = kde;
3211 os_memcpy(pos, wpa_ie, wpa_ie_len);
3212 pos += wpa_ie_len;
4ec1fd8e 3213#ifdef CONFIG_IEEE80211R_AP
26e23750 3214 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 3215 int res;
3216 size_t elen;
3217
3218 elen = pos - kde;
3219 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 3220 if (res < 0) {
3221 wpa_printf(MSG_ERROR, "FT: Failed to insert "
3222 "PMKR1Name into RSN IE in EAPOL-Key data");
3223 os_free(kde);
3224 return;
3225 }
59e78c24
JM		 3226 pos -= wpa_ie_len;
3227 pos += elen;
26e23750 3228 }
4ec1fd8e 3229#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3230 if (gtk) {
3231 u8 hdr[2];
3232 hdr[0] = keyidx & 0x03;
3233 hdr[1] = 0;
3234 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3235 gtk, gtk_len);
3236 }
3237 pos = ieee80211w_kde_add(sm, pos);
17c2559c
MV		 3238 if (ocv_oci_add(sm, &pos) < 0) {
3239 os_free(kde);
3240 return;
3241 }
6fc6879b 3242
4ec1fd8e 3243#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 3244 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3245 int res;
3246 struct wpa_auth_config *conf;
3247
3248 conf = &sm->wpa_auth->conf;
9257610a
JM		 3249 if (sm->assoc_resp_ftie &&
3250 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3251 os_memcpy(pos, sm->assoc_resp_ftie,
3252 2 + sm->assoc_resp_ftie[1]);
3253 res = 2 + sm->assoc_resp_ftie[1];
3254 } else {
a7968ea5
JM		 3255 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
3256
3257 res = wpa_write_ftie(conf, use_sha384,
3258 conf->r0_key_holder,
9257610a
JM		 3259 conf->r0_key_holder_len,
3260 NULL, NULL, pos,
3261 kde + kde_len - pos,
3262 NULL, 0);
3263 }
86dfabb8
JM		 3264 if (res < 0) {
3265 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
3266 "into EAPOL-Key Key Data");
3267 os_free(kde);
3268 return;
3269 }
3270 pos += res;
3271
3272 /* TIE[ReassociationDeadline] (TU) */
3273 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3274 *pos++ = 5;
3275 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3276 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3277 pos += 4;
3278
3279 /* TIE[KeyLifetime] (seconds) */
3280 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3281 *pos++ = 5;
3282 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
83fe4bd3 3283 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
86dfabb8
JM		 3284 pos += 4;
3285 }
4ec1fd8e 3286#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3287#ifdef CONFIG_P2P
3288 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3289 u8 addr[3 * 4];
3290 os_memcpy(addr, sm->ip_addr, 4);
3291 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3292 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3293 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3294 addr, sizeof(addr), NULL, 0);
3295 }
3296#endif /* CONFIG_P2P */
86dfabb8 3297
6fc6879b 3298 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3299 (secure ? WPA_KEY_INFO_SECURE : 0) |
567da5bb
JM		 3300 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3301 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3302 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3303 WPA_KEY_INFO_KEY_TYPE,
3304 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3305 os_free(kde);
6fc6879b
JM		 3306}
3307
3308
3309SM_STATE(WPA_PTK, PTKINITDONE)
3310{
3311 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3312 sm->EAPOLKeyReceived = FALSE;
3313 if (sm->Pair) {
c3550295
JM		 3314 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3315 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 3316 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 3317 sm->PTK.tk, klen)) {
567da5bb
JM		 3318 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3319 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 3320 return;
3321 }
3322 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3323 sm->pairwise_set = TRUE;
3324
a40bd06e 3325 wpa_auth_set_ptk_rekey_timer(sm);
581a8cde 3326
a1ea1b45 3327 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 3328 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 3329 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 3330 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3331 WPA_EAPOL_authorized, 1);
3332 }
3333 }
3334
3335 if (0 /* IBSS == TRUE */) {
3336 sm->keycount++;
3337 if (sm->keycount == 2) {
3338 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3339 WPA_EAPOL_portValid, 1);
3340 }
3341 } else {
3342 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3343 1);
3344 }
3345 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3346 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3347 if (sm->wpa == WPA_VERSION_WPA)
3348 sm->PInitAKeys = TRUE;
3349 else
3350 sm->has_GTK = TRUE;
3351 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3352 "pairwise key handshake completed (%s)",
3353 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3354
4ec1fd8e 3355#ifdef CONFIG_IEEE80211R_AP
6fc6879b 3356 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 3357#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3358}
3359
3360
3361SM_STEP(WPA_PTK)
3362{
3363 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3364
3365 if (sm->Init)
3366 SM_ENTER(WPA_PTK, INITIALIZE);
3367 else if (sm->Disconnect
1aae01fc
BG		 3368 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3369 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3370 "WPA_PTK: sm->Disconnect");
6fc6879b 3371 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 3372 }
6fc6879b
JM		 3373 else if (sm->DeauthenticationRequest)
3374 SM_ENTER(WPA_PTK, DISCONNECTED);
3375 else if (sm->AuthenticationRequest)
3376 SM_ENTER(WPA_PTK, AUTHENTICATION);
3377 else if (sm->ReAuthenticationRequest)
3378 SM_ENTER(WPA_PTK, AUTHENTICATION2);
0adc9b28
JM		 3379 else if (sm->PTKRequest) {
3380 if (wpa_auth_sm_ptk_update(sm) < 0)
3381 SM_ENTER(WPA_PTK, DISCONNECTED);
3382 else
3383 SM_ENTER(WPA_PTK, PTKSTART);
3384 } else switch (sm->wpa_ptk_state) {
6fc6879b
JM		 3385 case WPA_PTK_INITIALIZE:
3386 break;
3387 case WPA_PTK_DISCONNECT:
3388 SM_ENTER(WPA_PTK, DISCONNECTED);
3389 break;
3390 case WPA_PTK_DISCONNECTED:
3391 SM_ENTER(WPA_PTK, INITIALIZE);
3392 break;
3393 case WPA_PTK_AUTHENTICATION:
3394 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3395 break;
3396 case WPA_PTK_AUTHENTICATION2:
56586197 3397 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 3398 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3399 WPA_EAPOL_keyRun) > 0)
3400 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 3401 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3402 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 3403 /* FIX: && 802.1X::keyRun */)
3404 SM_ENTER(WPA_PTK, INITPSK);
567da5bb
JM		 3405 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3406 SM_ENTER(WPA_PTK, INITPMK);
6fc6879b
JM		 3407 break;
3408 case WPA_PTK_INITPMK:
3409 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
567da5bb 3410 WPA_EAPOL_keyAvailable) > 0) {
6fc6879b 3411 SM_ENTER(WPA_PTK, PTKSTART);
567da5bb
JM		 3412#ifdef CONFIG_DPP
3413 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3414 SM_ENTER(WPA_PTK, PTKSTART);
3415#endif /* CONFIG_DPP */
3416 } else {
6fc6879b 3417 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3418 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3419 "INITPMK - keyAvailable = false");
6fc6879b
JM		 3420 SM_ENTER(WPA_PTK, DISCONNECT);
3421 }
3422 break;
3423 case WPA_PTK_INITPSK:
759fd76b 3424 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
dbfa691d 3425 NULL, NULL, NULL)) {
6fc6879b 3426 SM_ENTER(WPA_PTK, PTKSTART);
e61fea6b
JM		 3427#ifdef CONFIG_SAE
3428 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3429 SM_ENTER(WPA_PTK, PTKSTART);
3430#endif /* CONFIG_SAE */
3431 } else {
6fc6879b
JM		 3432 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3433 "no PSK configured for the STA");
3434 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3435 SM_ENTER(WPA_PTK, DISCONNECT);
3436 }
3437 break;
3438 case WPA_PTK_PTKSTART:
3439 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3440 sm->EAPOLKeyPairwise)
3441 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3442 else if (sm->TimeoutCtr >
41f140d3 3443 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3444 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3445 wpa_auth_vlogger(
3446 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3447 "PTKSTART: Retry limit %u reached",
3448 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3449 SM_ENTER(WPA_PTK, DISCONNECT);
3450 } else if (sm->TimeoutEvt)
3451 SM_ENTER(WPA_PTK, PTKSTART);
3452 break;
3453 case WPA_PTK_PTKCALCNEGOTIATING:
3454 if (sm->MICVerified)
3455 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3456 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3457 sm->EAPOLKeyPairwise)
3458 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3459 else if (sm->TimeoutEvt)
3460 SM_ENTER(WPA_PTK, PTKSTART);
3461 break;
3462 case WPA_PTK_PTKCALCNEGOTIATING2:
3463 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3464 break;
3465 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3466 if (sm->update_snonce)
3467 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3468 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3469 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3470 SM_ENTER(WPA_PTK, PTKINITDONE);
3471 else if (sm->TimeoutCtr >
6f234c1e
JM		 3472 sm->wpa_auth->conf.wpa_pairwise_update_count ||
3473 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3474 sm->TimeoutCtr > 1)) {
6fc6879b 3475 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3476 wpa_auth_vlogger(
3477 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3478 "PTKINITNEGOTIATING: Retry limit %u reached",
3479 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3480 SM_ENTER(WPA_PTK, DISCONNECT);
3481 } else if (sm->TimeoutEvt)
3482 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3483 break;
3484 case WPA_PTK_PTKINITDONE:
3485 break;
3486 }
3487}
3488
3489
3490SM_STATE(WPA_PTK_GROUP, IDLE)
3491{
3492 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3493 if (sm->Init) {
3494 /* Init flag is not cleared here, so avoid busy
3495 * loop by claiming nothing changed. */
3496 sm->changed = FALSE;
3497 }
3498 sm->GTimeoutCtr = 0;
3499}
3500
3501
3502SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3503{
3504 u8 rsc[WPA_KEY_RSC_LEN];
3505 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3506 const u8 *kde;
3507 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3508 size_t kde_len;
83421850 3509 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3510
3511 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3512
3513 sm->GTimeoutCtr++;
6f234c1e
JM		 3514 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3515 sm->GTimeoutCtr > 1) {
3516 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3517 return;
3518 }
41f140d3 3519 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3520 /* No point in sending the EAPOL-Key - we will disconnect
3521 * immediately following this. */
3522 return;
3523 }
3524
6fc6879b
JM		 3525 if (sm->wpa == WPA_VERSION_WPA)
3526 sm->PInitAKeys = FALSE;
3527 sm->TimeoutEvt = FALSE;
3528 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3529 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3530 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3531 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3532 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3533 "sending 1/2 msg of Group Key Handshake");
3534
83421850 3535 gtk = gsm->GTK[gsm->GN - 1];
8d660a4b
JM		 3536 if (sm->wpa_auth->conf.disable_gtk ||
3537 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3538 /*
3539 * Provide unique random GTK to each STA to prevent use
3540 * of GTK in the BSS.
3541 */
3542 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3543 return;
3544 gtk = dummy_gtk;
3545 }
6fc6879b
JM		 3546 if (sm->wpa == WPA_VERSION_WPA2) {
3547 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
17c2559c 3548 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
e41e4f9e
JM		 3549 kde_buf = os_malloc(kde_len);
3550 if (kde_buf == NULL)
6fc6879b
JM		 3551 return;
3552
e41e4f9e 3553 kde = pos = kde_buf;
6fc6879b
JM		 3554 hdr[0] = gsm->GN & 0x03;
3555 hdr[1] = 0;
3556 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3557 gtk, gsm->GTK_len);
6fc6879b 3558 pos = ieee80211w_kde_add(sm, pos);
17c2559c
MV		 3559 if (ocv_oci_add(sm, &pos) < 0) {
3560 os_free(kde_buf);
3561 return;
3562 }
e41e4f9e 3563 kde_len = pos - kde;
6fc6879b 3564 } else {
83421850 3565 kde = gtk;
e41e4f9e 3566 kde_len = gsm->GTK_len;
6fc6879b
JM		 3567 }
3568
3569 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3570 WPA_KEY_INFO_SECURE |
567da5bb
JM		 3571 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3572 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3573 WPA_KEY_INFO_ACK |
3574 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3575 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3576
3577 os_free(kde_buf);
6fc6879b
JM		 3578}
3579
3580
3581SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3582{
aed61c4e
MV		 3583#ifdef CONFIG_OCV
3584 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3585 const u8 *key_data, *mic;
3586 struct ieee802_1x_hdr *hdr;
3587 struct wpa_eapol_key *key;
3588 struct wpa_eapol_ie_parse kde;
3589 size_t mic_len;
3590 u16 key_data_length;
3591#endif /* CONFIG_OCV */
3592
6fc6879b
JM		 3593 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3594 sm->EAPOLKeyReceived = FALSE;
aed61c4e
MV		 3595
3596#ifdef CONFIG_OCV
3597 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3598
3599 /*
3600 * Note: last_rx_eapol_key length fields have already been validated in
3601 * wpa_receive().
3602 */
3603 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3604 key = (struct wpa_eapol_key *) (hdr + 1);
3605 mic = (u8 *) (key + 1);
3606 key_data = mic + mic_len + 2;
3607 key_data_length = WPA_GET_BE16(mic + mic_len);
3608 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3609 sizeof(*key) - mic_len - 2)
3610 return;
3611
3612 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3613 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3614 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
3615 return;
3616 }
3617
3618 if (wpa_auth_uses_ocv(sm)) {
3619 struct wpa_channel_info ci;
3620 int tx_chanwidth;
3621 int tx_seg1_idx;
3622
3623 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3624 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3625 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2");
3626 return;
3627 }
3628
3629 if (get_sta_tx_parameters(sm,
3630 channel_width_to_int(ci.chanwidth),
3631 ci.seg1_idx, &tx_chanwidth,
3632 &tx_seg1_idx) < 0)
3633 return;
3634
3635 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3636 tx_chanwidth, tx_seg1_idx) != 0) {
3637 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3638 ocv_errorstr);
3639 return;
3640 }
3641 }
3642#endif /* CONFIG_OCV */
3643
6fc6879b
JM		 3644 if (sm->GUpdateStationKeys)
3645 sm->group->GKeyDoneStations--;
3646 sm->GUpdateStationKeys = FALSE;
3647 sm->GTimeoutCtr = 0;
3648 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3649 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3650 "group key handshake completed (%s)",
3651 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3652 sm->has_GTK = TRUE;
3653}
3654
3655
3656SM_STATE(WPA_PTK_GROUP, KEYERROR)
3657{
3658 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3659 if (sm->GUpdateStationKeys)
3660 sm->group->GKeyDoneStations--;
3661 sm->GUpdateStationKeys = FALSE;
3662 sm->Disconnect = TRUE;
4bb9b674
GK		 3663 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3664 "group key handshake failed (%s) after %u tries",
3665 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3666 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3667}
3668
3669
3670SM_STEP(WPA_PTK_GROUP)
3671{
9663596f 3672 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3673 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3674 sm->PtkGroupInit = FALSE;
3675 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3676 case WPA_PTK_GROUP_IDLE:
3677 if (sm->GUpdateStationKeys ||
3678 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3679 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3680 break;
3681 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3682 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3683 !sm->EAPOLKeyPairwise && sm->MICVerified)
3684 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3685 else if (sm->GTimeoutCtr >
6f234c1e
JM		 3686 sm->wpa_auth->conf.wpa_group_update_count ||
3687 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3688 sm->GTimeoutCtr > 1))
6fc6879b
JM		 3689 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3690 else if (sm->TimeoutEvt)
3691 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3692 break;
3693 case WPA_PTK_GROUP_KEYERROR:
3694 SM_ENTER(WPA_PTK_GROUP, IDLE);
3695 break;
3696 case WPA_PTK_GROUP_REKEYESTABLISHED:
3697 SM_ENTER(WPA_PTK_GROUP, IDLE);
3698 break;
3699 }
3700}
3701
3702
3703static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3704 struct wpa_group *group)
3705{
3706 int ret = 0;
3707
6fc6879b
JM		 3708 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3709 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3710 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3711 wpa_auth->addr, group->GNonce,
3712 group->GTK[group->GN - 1], group->GTK_len) < 0)
3713 ret = -1;
5cb9d5c3
JM		 3714 wpa_hexdump_key(MSG_DEBUG, "GTK",
3715 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3716
3717#ifdef CONFIG_IEEE80211W
70f8cc8e 3718 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3719 size_t len;
3720 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3721 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3722 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3723 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3724 wpa_auth->addr, group->GNonce,
8dd9f9cd 3725 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3726 ret = -1;
6fc6879b 3727 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3728 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3729 }
3730#endif /* CONFIG_IEEE80211W */
3731
3732 return ret;
3733}
3734
3735
3736static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3737 struct wpa_group *group)
3738{
3739 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3740 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3741 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3742 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3743
3744 /* GTK[0..N] = 0 */
3745 os_memset(group->GTK, 0, sizeof(group->GTK));
3746 group->GN = 1;
3747 group->GM = 2;
3748#ifdef CONFIG_IEEE80211W
3749 group->GN_igtk = 4;
3750 group->GM_igtk = 5;
3751#endif /* CONFIG_IEEE80211W */
3752 /* GTK[GN] = CalcGTK() */
3753 wpa_gtk_update(wpa_auth, group);
3754}
3755
3756
3757static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3758{
473b6f22
MB		 3759 if (ctx != NULL && ctx != sm->group)
3760 return 0;
3761
6fc6879b
JM		 3762 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3763 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3764 "Not in PTKINITDONE; skip Group Key update");
3c183894 3765 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3766 return 0;
3767 }
9663596f
JM		 3768 if (sm->GUpdateStationKeys) {
3769 /*
3c183894
JM		 3770 * This should not really happen, so add a debug log entry.
3771 * Since we clear the GKeyDoneStations before the loop, the
3772 * station needs to be counted here anyway.
9663596f
JM		 3773 */
3774 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3775 "GUpdateStationKeys was already set when "
3776 "marking station for GTK rekeying");
9663596f 3777 }
3c183894 3778
ad3872a3 3779 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3780 if (sm->is_wnmsleep)
3781 return 0;
d32d94db 3782
3c183894
JM		 3783 sm->group->GKeyDoneStations++;
3784 sm->GUpdateStationKeys = TRUE;
3785
6fc6879b
JM		 3786 wpa_sm_step(sm);
3787 return 0;
3788}
3789
3790
b5bf84ba 3791#ifdef CONFIG_WNM_AP
ad3872a3 3792/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3793void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3794{
629edfef 3795 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3796 return;
3797
3798 wpa_group_update_sta(sm, NULL);
3799}
3800
3801
3802void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3803{
629edfef
JM		 3804 if (sm)
3805 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3806}
3807
3808
3809int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3810{
d32d94db 3811 struct wpa_group *gsm = sm->group;
835822d4 3812 u8 *start = pos;
d32d94db
XC		 3813
3814 /*
835822d4 3815 * GTK subelement:
d32d94db 3816 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3817 * Key[5..32]
d32d94db 3818 */
835822d4
JM		 3819 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3820 *pos++ = 11 + gsm->GTK_len;
d32d94db 3821 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3822 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3823 pos += 2;
3824 *pos++ = gsm->GTK_len;
3825 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3826 return 0;
835822d4
JM		 3827 pos += 8;
3828 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3829 pos += gsm->GTK_len;
d32d94db 3830
835822d4
JM		 3831 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3832 gsm->GN);
3833 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3834 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3835
835822d4 3836 return pos - start;
d32d94db
XC		 3837}
3838
3839
3840#ifdef CONFIG_IEEE80211W
3841int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3842{
d32d94db 3843 struct wpa_group *gsm = sm->group;
835822d4 3844 u8 *start = pos;
8dd9f9cd 3845 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3846
835822d4
JM		 3847 /*
3848 * IGTK subelement:
3849 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3850 */
3851 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3852 *pos++ = 2 + 6 + len;
835822d4
JM		 3853 WPA_PUT_LE16(pos, gsm->GN_igtk);
3854 pos += 2;
3855 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3856 return 0;
835822d4 3857 pos += 6;
d32d94db 3858
8dd9f9cd
JM		 3859 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3860 pos += len;
d32d94db 3861
835822d4
JM		 3862 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3863 gsm->GN_igtk);
3864 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3865 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3866
835822d4 3867 return pos - start;
d32d94db
XC		 3868}
3869#endif /* CONFIG_IEEE80211W */
b5bf84ba 3870#endif /* CONFIG_WNM_AP */
d32d94db
XC		 3871
3872
6fc6879b
JM		 3873static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3874 struct wpa_group *group)
3875{
3876 int tmp;
3877
3878 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3879 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3880 group->changed = TRUE;
3881 group->wpa_group_state = WPA_GROUP_SETKEYS;
3882 group->GTKReKey = FALSE;
3883 tmp = group->GM;
3884 group->GM = group->GN;
3885 group->GN = tmp;
3886#ifdef CONFIG_IEEE80211W
3887 tmp = group->GM_igtk;
3888 group->GM_igtk = group->GN_igtk;
3889 group->GN_igtk = tmp;
3890#endif /* CONFIG_IEEE80211W */
3891 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3892 * counting the STAs that are marked with GUpdateStationKeys instead of
3893 * including all STAs that could be in not-yet-completed state. */
3894 wpa_gtk_update(wpa_auth, group);
3895
3c183894
JM		 3896 if (group->GKeyDoneStations) {
3897 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3898 "GKeyDoneStations=%d when starting new GTK rekey",
3899 group->GKeyDoneStations);
3900 group->GKeyDoneStations = 0;
3901 }
473b6f22 3902 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3903 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3904 group->GKeyDoneStations);
3905}
3906
3907
1bdb7ab3
JM		 3908static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3909 struct wpa_group *group)
6fc6879b 3910{
3c7302c2
JM		 3911 int ret = 0;
3912
3c7302c2 3913 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3914 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3915 broadcast_ether_addr, group->GN,
3916 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3917 ret = -1;
6fc6879b
JM		 3918
3919#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3920 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3921 enum wpa_alg alg;
3922 size_t len;
3923
3924 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3925 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3926
3927 if (ret == 0 &&
3928 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3929 broadcast_ether_addr, group->GN_igtk,
3930 group->IGTK[group->GN_igtk - 4], len) < 0)
3931 ret = -1;
3932 }
6fc6879b 3933#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3934
3935 return ret;
6fc6879b
JM		 3936}
3937
3938
7d7f7be2
JM		 3939static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3940{
3941 if (sm->group == ctx) {
3942 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3943 " for discconnection due to fatal failure",
3944 MAC2STR(sm->addr));
3945 sm->Disconnect = TRUE;
3946 }
3947
3948 return 0;
3949}
3950
3951
3952static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3953 struct wpa_group *group)
3954{
3955 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3956 group->changed = TRUE;
3957 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3958 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3959}
3960
3961
1bdb7ab3
JM		 3962static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3963 struct wpa_group *group)
3964{
3965 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3966 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3967 group->changed = TRUE;
3968 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3969
7d7f7be2
JM		 3970 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3971 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3972 return -1;
7d7f7be2 3973 }
1bdb7ab3
JM		 3974
3975 return 0;
3976}
3977
3978
6fc6879b
JM		 3979static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3980 struct wpa_group *group)
3981{
3982 if (group->GInit) {
3983 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3984 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3985 /* Do not allow group operations */
6fc6879b
JM		 3986 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3987 group->GTKAuthenticator) {
3988 wpa_group_setkeysdone(wpa_auth, group);
3989 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3990 group->GTKReKey) {
3991 wpa_group_setkeys(wpa_auth, group);
3992 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3993 if (group->GKeyDoneStations == 0)
3994 wpa_group_setkeysdone(wpa_auth, group);
3995 else if (group->GTKReKey)
3996 wpa_group_setkeys(wpa_auth, group);
3997 }
3998}
3999
4000
e4a6ea1d 4001static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 4002{
4003 if (sm == NULL)
e4a6ea1d 4004 return 0;
6fc6879b
JM		 4005
4006 if (sm->in_step_loop) {
4007 /* This should not happen, but if it does, make sure we do not
4008 * end up freeing the state machine too early by exiting the
4009 * recursive call. */
4010 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 4011 return 0;
6fc6879b
JM		 4012 }
4013
4014 sm->in_step_loop = 1;
4015 do {
4016 if (sm->pending_deinit)
4017 break;
4018
4019 sm->changed = FALSE;
4020 sm->wpa_auth->group->changed = FALSE;
4021
4022 SM_STEP_RUN(WPA_PTK);
4023 if (sm->pending_deinit)
4024 break;
4025 SM_STEP_RUN(WPA_PTK_GROUP);
4026 if (sm->pending_deinit)
4027 break;
4028 wpa_group_sm_step(sm->wpa_auth, sm->group);
4029 } while (sm->changed || sm->wpa_auth->group->changed);
4030 sm->in_step_loop = 0;
4031
4032 if (sm->pending_deinit) {
4033 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
4034 "machine deinit for " MACSTR, MAC2STR(sm->addr));
4035 wpa_free_sta_sm(sm);
e4a6ea1d 4036 return 1;
6fc6879b 4037 }
e4a6ea1d 4038 return 0;
6fc6879b
JM		 4039}
4040
4041
4042static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
4043{
4044 struct wpa_state_machine *sm = eloop_ctx;
4045 wpa_sm_step(sm);
4046}
4047
4048
4049void wpa_auth_sm_notify(struct wpa_state_machine *sm)
4050{
4051 if (sm == NULL)
4052 return;
4053 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
4054}
4055
4056
4057void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
4058{
4059 int tmp, i;
4060 struct wpa_group *group;
4061
4062 if (wpa_auth == NULL)
4063 return;
4064
4065 group = wpa_auth->group;
4066
4067 for (i = 0; i < 2; i++) {
4068 tmp = group->GM;
4069 group->GM = group->GN;
4070 group->GN = tmp;
4071#ifdef CONFIG_IEEE80211W
4072 tmp = group->GM_igtk;
4073 group->GM_igtk = group->GN_igtk;
4074 group->GN_igtk = tmp;
4075#endif /* CONFIG_IEEE80211W */
4076 wpa_gtk_update(wpa_auth, group);
9354e594 4077 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 4078 }
4079}
4080
4081
a6da824b 4082static const char * wpa_bool_txt(int val)
6fc6879b 4083{
a6da824b 4084 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 4085}
4086
4087
6fc6879b
JM		 4088#define RSN_SUITE "%02x-%02x-%02x-%d"
4089#define RSN_SUITE_ARG(s) \
4090((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4091
4092int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
4093{
4094 int len = 0, ret;
4095 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 4096#ifdef CONFIG_RSN_PREAUTH
4097 const int preauth = 1;
4098#else /* CONFIG_RSN_PREAUTH */
4099 const int preauth = 0;
4100#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 4101
4102 if (wpa_auth == NULL)
4103 return len;
4104
4105 ret = os_snprintf(buf + len, buflen - len,
4106 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 4107 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 4108 "dot11RSNAEnabled=%s\n"
4109 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 4110 wpa_bool_txt(preauth),
6fc6879b
JM		 4111 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
4112 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 4113 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4114 return len;
4115 len += ret;
4116
4117 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4118 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
4119
4120 ret = os_snprintf(
4121 buf + len, buflen - len,
4122 "dot11RSNAConfigVersion=%u\n"
4123 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
4124 /* FIX: dot11RSNAConfigGroupCipher */
4125 /* FIX: dot11RSNAConfigGroupRekeyMethod */
4126 /* FIX: dot11RSNAConfigGroupRekeyTime */
4127 /* FIX: dot11RSNAConfigGroupRekeyPackets */
4128 "dot11RSNAConfigGroupRekeyStrict=%u\n"
4129 "dot11RSNAConfigGroupUpdateCount=%u\n"
4130 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
4131 "dot11RSNAConfigGroupCipherSize=%u\n"
4132 "dot11RSNAConfigPMKLifetime=%u\n"
4133 "dot11RSNAConfigPMKReauthThreshold=%u\n"
4134 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
4135 "dot11RSNAConfigSATimeout=%u\n"
4136 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4137 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4138 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4139 "dot11RSNAPMKIDUsed=%s\n"
4140 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4141 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4142 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4143 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
4144 "dot11RSNA4WayHandshakeFailures=%u\n"
4145 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
4146 RSN_VERSION,
4147 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 4148 wpa_auth->conf.wpa_group_update_count,
4149 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 4150 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 4151 dot11RSNAConfigPMKLifetime,
4152 dot11RSNAConfigPMKReauthThreshold,
4153 dot11RSNAConfigSATimeout,
4154 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
4155 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
4156 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
4157 pmkid_txt,
4158 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
4159 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
4160 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
4161 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
4162 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 4163 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4164 return len;
4165 len += ret;
4166
4167 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
4168 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
4169
4170 /* Private MIB */
4171 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
4172 wpa_auth->group->wpa_group_state);
d85e1fc8 4173 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4174 return len;
4175 len += ret;
4176
4177 return len;
4178}
4179
4180
4181int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
4182{
4183 int len = 0, ret;
4184 u32 pairwise = 0;
4185
4186 if (sm == NULL)
4187 return 0;
4188
4189 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
4190
4191 /* dot11RSNAStatsEntry */
4192
c3550295
JM		 4193 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
4194 WPA_PROTO_RSN : WPA_PROTO_WPA,
4195 sm->pairwise);
4196 if (pairwise == 0)
6fc6879b
JM		 4197 return 0;
4198
4199 ret = os_snprintf(
4200 buf + len, buflen - len,
4201 /* TODO: dot11RSNAStatsIndex */
4202 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
4203 "dot11RSNAStatsVersion=1\n"
4204 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
4205 /* TODO: dot11RSNAStatsTKIPICVErrors */
4206 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 4207 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 4208 /* TODO: dot11RSNAStatsCCMPReplays */
4209 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
4210 /* TODO: dot11RSNAStatsTKIPReplays */,
4211 MAC2STR(sm->addr),
4212 RSN_SUITE_ARG(pairwise),
4213 sm->dot11RSNAStatsTKIPLocalMICFailures,
4214 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 4215 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4216 return len;
4217 len += ret;
4218
4219 /* Private MIB */
4220 ret = os_snprintf(buf + len, buflen - len,
4221 "hostapdWPAPTKState=%d\n"
4222 "hostapdWPAPTKGroupState=%d\n",
4223 sm->wpa_ptk_state,
4224 sm->wpa_ptk_group_state);
d85e1fc8 4225 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4226 return len;
4227 len += ret;
4228
4229 return len;
4230}
4231
4232
4233void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
4234{
4235 if (wpa_auth)
4236 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
4237}
4238
4239
4240int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
4241{
4242 return sm && sm->pairwise_set;
4243}
4244
4245
ff36ff00
JM		 4246int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
4247{
4248 return sm->pairwise;
4249}
4250
4251
b08c9ad0
MK		 4252const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
4253{
4254 if (!sm)
4255 return NULL;
4256 *len = sm->pmk_len;
4257 return sm->PMK;
4258}
4259
4260
6fc6879b
JM		 4261int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
4262{
4263 if (sm == NULL)
4264 return -1;
4265 return sm->wpa_key_mgmt;
4266}
4267
4268
4269int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
4270{
4271 if (sm == NULL)
4272 return 0;
4273 return sm->wpa;
4274}
4275
4276
0e3bd7ac
MV		 4277int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
4278{
4279 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
4280 return 0;
4281 return sm->tk_already_set;
4282}
4283
4284
2f1357fb
JM		 4285int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
4286{
4287 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
4288 return 0;
4289 return sm->tk_already_set;
4290}
4291
4292
6fc6879b
JM		 4293int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
4294 struct rsn_pmksa_cache_entry *entry)
4295{
4296 if (sm == NULL || sm->pmksa != entry)
4297 return -1;
4298 sm->pmksa = NULL;
4299 return 0;
4300}
4301
4302
4303struct rsn_pmksa_cache_entry *
4304wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
4305{
4306 return sm ? sm->pmksa : NULL;
4307}
4308
4309
4310void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
4311{
4312 if (sm)
4313 sm->dot11RSNAStatsTKIPLocalMICFailures++;
4314}
4315
4316
4317const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
4318{
4319 if (wpa_auth == NULL)
4320 return NULL;
4321 *len = wpa_auth->wpa_ie_len;
4322 return wpa_auth->wpa_ie;
4323}
4324
4325
4326int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 4327 unsigned int pmk_len,
6fc6879b
JM		 4328 int session_timeout, struct eapol_state_machine *eapol)
4329{
cb465555
JM		 4330 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
4331 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 4332 return -1;
4333
834c5d68 4334 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 4335 if (pmk_len > PMK_LEN_SUITE_B_192)
4336 pmk_len = PMK_LEN_SUITE_B_192;
4337 } else if (pmk_len > PMK_LEN) {
4338 pmk_len = PMK_LEN;
4339 }
4340
70c93963 4341 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 4342 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 4343 sm->wpa_auth->addr, sm->addr, session_timeout,
4344 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 4345 return 0;
4346
4347 return -1;
4348}
4349
4350
4351int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4352 const u8 *pmk, size_t len, const u8 *sta_addr,
4353 int session_timeout,
4354 struct eapol_state_machine *eapol)
4355{
4356 if (wpa_auth == NULL)
4357 return -1;
4358
70c93963 4359 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 4360 NULL, 0,
4361 wpa_auth->addr,
4bb081f1
JM		 4362 sta_addr, session_timeout, eapol,
4363 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 4364 return 0;
4365
4366 return -1;
4367}
4368
4369
f2991170 4370int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 4371 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 4372{
4373 if (wpa_auth->conf.disable_pmksa_caching)
4374 return -1;
4375
70c93963 4376 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 4377 NULL, 0,
f2991170
JM		 4378 wpa_auth->addr, addr, 0, NULL,
4379 WPA_KEY_MGMT_SAE))
4380 return 0;
4381
4382 return -1;
4383}
4384
4385
9d94e4bb
JM		 4386void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
4387{
4388 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4389 sm->pmkid_set = 1;
4390}
4391
4392
0c52953b
JM		 4393int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4394 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4395 int session_timeout, int akmp)
4396{
4397 if (wpa_auth->conf.disable_pmksa_caching)
4398 return -1;
4399
4400 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4401 NULL, 0, wpa_auth->addr, addr, session_timeout,
4402 NULL, akmp))
4403 return 0;
4404
4405 return -1;
4406}
4407
4408
901d1fe1
JM		 4409void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4410 const u8 *sta_addr)
4411{
4412 struct rsn_pmksa_cache_entry *pmksa;
4413
4414 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4415 return;
4416 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4417 if (pmksa) {
4418 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4419 MACSTR " based on request", MAC2STR(sta_addr));
4420 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4421 }
4422}
4423
4424
b8daac18
MH		 4425int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4426 size_t len)
4427{
4428 if (!wpa_auth || !wpa_auth->pmksa)
4429 return 0;
4430 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4431}
4432
4433
4c522c77
MH		 4434void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4435{
4436 if (wpa_auth && wpa_auth->pmksa)
4437 pmksa_cache_auth_flush(wpa_auth->pmksa);
4438}
4439
4440
4d77d80e
MH		 4441#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4442#ifdef CONFIG_MESH
4443
4444int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4445 char *buf, size_t len)
4446{
4447 if (!wpa_auth || !wpa_auth->pmksa)
4448 return 0;
4449
4450 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4451}
4452
4453
4454struct rsn_pmksa_cache_entry *
4455wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4456 const u8 *pmkid, int expiration)
4457{
4458 struct rsn_pmksa_cache_entry *entry;
4459 struct os_reltime now;
4460
4461 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4462 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4463 if (!entry)
4464 return NULL;
4465
4466 os_get_reltime(&now);
4467 entry->expiration = now.sec + expiration;
4468 return entry;
4469}
4470
4471
4472int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4473 struct rsn_pmksa_cache_entry *entry)
4474{
4475 int ret;
4476
4477 if (!wpa_auth || !wpa_auth->pmksa)
4478 return -1;
4479
4480 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4481 if (ret < 0)
4482 wpa_printf(MSG_DEBUG,
4483 "RSN: Failed to store external PMKSA cache for "
4484 MACSTR, MAC2STR(entry->spa));
4485
4486 return ret;
4487}
4488
4489#endif /* CONFIG_MESH */
4490#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4491
4492
9f2cf23e 4493struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 4494wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4495 const u8 *pmkid)
9f2cf23e
MH		 4496{
4497 if (!wpa_auth || !wpa_auth->pmksa)
4498 return NULL;
c1bd4bac 4499 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 4500}
4501
4502
4503void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4504 struct wpa_state_machine *sm,
4505 struct wpa_authenticator *wpa_auth,
4506 u8 *pmkid, u8 *pmk)
4507{
4508 if (!sm)
4509 return;
4510
4511 sm->pmksa = pmksa;
8854f90b
JM		 4512 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4513 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4514 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 4515}
4516
4517
a0ad9e8c
MB		 4518/*
4519 * Remove and free the group from wpa_authenticator. This is triggered by a
4520 * callback to make sure nobody is currently iterating the group list while it
4521 * gets modified.
4522 */
4523static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4524 struct wpa_group *group)
4525{
4526 struct wpa_group *prev = wpa_auth->group;
4527
4528 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4529 group->vlan_id);
4530
4531 while (prev) {
4532 if (prev->next == group) {
4533 /* This never frees the special first group as needed */
4534 prev->next = group->next;
4535 os_free(group);
4536 break;
4537 }
4538 prev = prev->next;
4539 }
4540
4541}
4542
4543
4544/* Increase the reference counter for group */
4545static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4546 struct wpa_group *group)
4547{
4548 /* Skip the special first group */
4549 if (wpa_auth->group == group)
4550 return;
4551
4552 group->references++;
4553}
4554
4555
4556/* Decrease the reference counter and maybe free the group */
4557static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4558 struct wpa_group *group)
4559{
4560 /* Skip the special first group */
4561 if (wpa_auth->group == group)
4562 return;
4563
4564 group->references--;
4565 if (group->references)
4566 return;
4567 wpa_group_free(wpa_auth, group);
4568}
4569
4570
4571/*
4572 * Add a group that has its references counter set to zero. Caller needs to
4573 * call wpa_group_get() on the return value to mark the entry in use.
4574 */
6fc6879b
JM		 4575static struct wpa_group *
4576wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4577{
4578 struct wpa_group *group;
4579
4580 if (wpa_auth == NULL || wpa_auth->group == NULL)
4581 return NULL;
4582
4583 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4584 vlan_id);
bdffdc5d 4585 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4586 if (group == NULL)
4587 return NULL;
4588
4589 group->next = wpa_auth->group->next;
4590 wpa_auth->group->next = group;
4591
4592 return group;
4593}
4594
4595
7cebc8e2
MB		 4596/*
4597 * Enforce that the group state machine for the VLAN is running, increase
4598 * reference counter as interface is up. References might have been increased
4599 * even if a negative value is returned.
4600 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4601 */
4602int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4603{
4604 struct wpa_group *group;
4605
4606 if (wpa_auth == NULL)
4607 return 0;
4608
4609 group = wpa_auth->group;
4610 while (group) {
4611 if (group->vlan_id == vlan_id)
4612 break;
4613 group = group->next;
4614 }
4615
4616 if (group == NULL) {
4617 group = wpa_auth_add_group(wpa_auth, vlan_id);
4618 if (group == NULL)
4619 return -1;
4620 }
4621
4622 wpa_printf(MSG_DEBUG,
4623 "WPA: Ensure group state machine running for VLAN ID %d",
4624 vlan_id);
4625
4626 wpa_group_get(wpa_auth, group);
4627 group->num_setup_iface++;
4628
4629 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4630 return -1;
4631
4632 return 0;
4633}
4634
4635
4636/*
4637 * Decrease reference counter, expected to be zero afterwards.
4638 * returns: -1 on error (group not found, group in fail state)
4639 * -2 if wpa_group is still referenced
4640 * 0 else
4641 */
4642int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4643{
4644 struct wpa_group *group;
4645 int ret = 0;
4646
4647 if (wpa_auth == NULL)
4648 return 0;
4649
4650 group = wpa_auth->group;
4651 while (group) {
4652 if (group->vlan_id == vlan_id)
4653 break;
4654 group = group->next;
4655 }
4656
4657 if (group == NULL)
4658 return -1;
4659
4660 wpa_printf(MSG_DEBUG,
4661 "WPA: Try stopping group state machine for VLAN ID %d",
4662 vlan_id);
4663
4664 if (group->num_setup_iface <= 0) {
4665 wpa_printf(MSG_ERROR,
4666 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4667 vlan_id);
4668 return -1;
4669 }
4670 group->num_setup_iface--;
4671
4672 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4673 ret = -1;
4674
4675 if (group->references > 1) {
4676 wpa_printf(MSG_DEBUG,
4677 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4678 vlan_id);
4679 ret = -2;
4680 }
4681
4682 wpa_group_put(wpa_auth, group);
4683
4684 return ret;
4685}
4686
4687
6fc6879b
JM		 4688int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4689{
4690 struct wpa_group *group;
4691
4692 if (sm == NULL || sm->wpa_auth == NULL)
4693 return 0;
4694
4695 group = sm->wpa_auth->group;
4696 while (group) {
4697 if (group->vlan_id == vlan_id)
4698 break;
4699 group = group->next;
4700 }
4701
4702 if (group == NULL) {
4703 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4704 if (group == NULL)
4705 return -1;
4706 }
4707
4708 if (sm->group == group)
4709 return 0;
4710
7d7f7be2
JM		 4711 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4712 return -1;
4713
6fc6879b
JM		 4714 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4715 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4716
a0ad9e8c
MB		 4717 wpa_group_get(sm->wpa_auth, group);
4718 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4719 sm->group = group;
a0ad9e8c 4720
6fc6879b
JM		 4721 return 0;
4722}
e4bf4db9
JM		 4723
4724
4725void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4726 struct wpa_state_machine *sm, int ack)
4727{
4728 if (wpa_auth == NULL || sm == NULL)
4729 return;
4730 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4731 " ack=%d", MAC2STR(sm->addr), ack);
4732 if (sm->pending_1_of_4_timeout && ack) {
4733 /*
4734 * Some deployed supplicant implementations update their SNonce
4735 * for each EAPOL-Key 2/4 message even within the same 4-way
4736 * handshake and then fail to use the first SNonce when
4737 * deriving the PTK. This results in unsuccessful 4-way
4738 * handshake whenever the relatively short initial timeout is
4739 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4740 * around this by increasing the timeout now that we know that
4741 * the station has received the frame.
4742 */
4743 int timeout_ms = eapol_key_timeout_subseq;
4744 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4745 "timeout by %u ms because of acknowledged frame",
4746 timeout_ms);
4747 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4748 eloop_register_timeout(timeout_ms / 1000,
4749 (timeout_ms % 1000) * 1000,
4750 wpa_send_eapol_timeout, wpa_auth, sm);
4751 }
3d695328
JM		 4752
4753#ifdef CONFIG_TESTING_OPTIONS
4754 if (sm->eapol_status_cb) {
4755 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
4756 sm->eapol_status_cb_ctx2);
4757 sm->eapol_status_cb = NULL;
4758 }
4759#endif /* CONFIG_TESTING_OPTIONS */
e4bf4db9 4760}
c10347f2
JM		 4761
4762
4763int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4764{
4765 if (sm == NULL)
4766 return 0;
4767 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4768}
aa189ac9
JM		 4769
4770
4771int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4772{
4773 if (sm == NULL)
4774 return 0;
4775 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4776}
25ef8529
JM		 4777
4778
4779#ifdef CONFIG_P2P
4780int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4781{
4782 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4783 return -1;
4784 os_memcpy(addr, sm->ip_addr, 4);
4785 return 0;
4786}
4787#endif /* CONFIG_P2P */
cbc210de
JM		 4788
4789
4790int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4791 struct radius_das_attrs *attr)
4792{
4793 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4794}
34782730
JM		 4795
4796
4797void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4798{
4799 struct wpa_group *group;
4800
4801 if (!wpa_auth)
4802 return;
4803 for (group = wpa_auth->group; group; group = group->next)
4804 wpa_group_config_group_keys(wpa_auth, group);
4805}
7eace378
JM		 4806
4807
4808#ifdef CONFIG_FILS
4809
4810struct wpa_auth_fils_iter_data {
4811 struct wpa_authenticator *auth;
4812 const u8 *cache_id;
4813 struct rsn_pmksa_cache_entry *pmksa;
4814 const u8 *spa;
4815 const u8 *pmkid;
4816};
4817
4818
4819static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4820{
4821 struct wpa_auth_fils_iter_data *data = ctx;
4822
4cc6574d 4823 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4824 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4825 FILS_CACHE_ID_LEN) != 0)
4826 return 0;
4827 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4828 return data->pmksa != NULL;
4829}
4830
4831
4832struct rsn_pmksa_cache_entry *
4833wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4834 const u8 *sta_addr, const u8 *pmkid)
4835{
4836 struct wpa_auth_fils_iter_data idata;
4837
4838 if (!wpa_auth->conf.fils_cache_id_set)
4839 return NULL;
4840 idata.auth = wpa_auth;
4841 idata.cache_id = wpa_auth->conf.fils_cache_id;
4842 idata.pmksa = NULL;
4843 idata.spa = sta_addr;
4844 idata.pmkid = pmkid;
4845 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4846 return idata.pmksa;
4847}
4848
5db997e3
JM		 4849
4850#ifdef CONFIG_IEEE80211R_AP
a7968ea5
JM		 4851int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384,
4852 u8 *buf, size_t len)
5db997e3
JM		 4853{
4854 struct wpa_auth_config *conf = &wpa_auth->conf;
4855
a7968ea5 4856 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder,
5db997e3
JM		 4857 conf->r0_key_holder_len,
4858 NULL, NULL, buf, len, NULL, 0);
4859}
4860#endif /* CONFIG_IEEE80211R_AP */
4861
8acbf85f
JM		 4862
4863void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4864 u8 *fils_anonce, u8 *fils_snonce,
4865 u8 *fils_kek, size_t *fils_kek_len)
4866{
4867 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4868 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4869 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4870 *fils_kek_len = sm->PTK.kek_len;
4871}
4872
a40bd06e
JM		 4873
4874void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
4875 size_t pmk_len, const u8 *pmkid)
4876{
4877 os_memcpy(sm->PMK, pmk, pmk_len);
4878 sm->pmk_len = pmk_len;
4879 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4880 sm->pmkid_set = 1;
4881}
4882
7eace378 4883#endif /* CONFIG_FILS */
6bc2f00f
JM		 4884
4885
36536639
JM		 4886void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
4887{
4888 if (sm)
4889 sm->auth_alg = auth_alg;
4890}
4891
4892
10ec6a5f
JM		 4893#ifdef CONFIG_DPP2
4894void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
4895{
4896 if (sm) {
4897 wpabuf_clear_free(sm->dpp_z);
4898 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
4899 }
4900}
4901#endif /* CONFIG_DPP2 */
4902
4903
82424732 4904#ifdef CONFIG_TESTING_OPTIONS
d8afdb21 4905
3d695328
JM		 4906int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
4907 void (*cb)(void *ctx1, void *ctx2),
4908 void *ctx1, void *ctx2)
d8afdb21
JM		 4909{
4910 const u8 *anonce = sm->ANonce;
4911 u8 anonce_buf[WPA_NONCE_LEN];
4912
4913 if (change_anonce) {
4914 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
4915 return -1;
4916 anonce = anonce_buf;
4917 }
4918
4919 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4920 "sending 1/4 msg of 4-Way Handshake (TESTING)");
4921 wpa_send_eapol(sm->wpa_auth, sm,
4922 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
4923 anonce, NULL, 0, 0, 0);
4924 return 0;
4925}
4926
4927
3d695328
JM		 4928int wpa_auth_resend_m3(struct wpa_state_machine *sm,
4929 void (*cb)(void *ctx1, void *ctx2),
4930 void *ctx1, void *ctx2)
d8afdb21 4931{
0c3bc1be
LD		 4932 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
4933#ifdef CONFIG_IEEE80211W
4934 u8 *opos;
4935#endif /* CONFIG_IEEE80211W */
d8afdb21
JM		 4936 size_t gtk_len, kde_len;
4937 struct wpa_group *gsm = sm->group;
4938 u8 *wpa_ie;
4939 int wpa_ie_len, secure, keyidx, encr = 0;
4940
4941 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4942 GTK[GN], IGTK, [FTIE], [TIE * 2])
4943 */
4944
4945 /* Use 0 RSC */
4946 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4947 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4948 wpa_ie = sm->wpa_auth->wpa_ie;
4949 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4950 if (sm->wpa == WPA_VERSION_WPA &&
4951 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
4952 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
4953 /* WPA-only STA, remove RSN IE and possible MDIE */
4954 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4955 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4956 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4957 wpa_ie_len = wpa_ie[1] + 2;
4958 }
4959 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4960 "sending 3/4 msg of 4-Way Handshake (TESTING)");
4961 if (sm->wpa == WPA_VERSION_WPA2) {
4962 /* WPA2 send GTK in the 4-way handshake */
4963 secure = 1;
4964 gtk = gsm->GTK[gsm->GN - 1];
4965 gtk_len = gsm->GTK_len;
4966 keyidx = gsm->GN;
4967 _rsc = rsc;
4968 encr = 1;
4969 } else {
4970 /* WPA does not include GTK in msg 3/4 */
4971 secure = 0;
4972 gtk = NULL;
4973 gtk_len = 0;
4974 keyidx = 0;
4975 _rsc = NULL;
4976 if (sm->rx_eapol_key_secure) {
4977 /*
4978 * It looks like Windows 7 supplicant tries to use
4979 * Secure bit in msg 2/4 after having reported Michael
4980 * MIC failure and it then rejects the 4-way handshake
4981 * if msg 3/4 does not set Secure bit. Work around this
4982 * by setting the Secure bit here even in the case of
4983 * WPA if the supplicant used it first.
4984 */
4985 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4986 "STA used Secure bit in WPA msg 2/4 - "
4987 "set Secure for 3/4 as workaround");
4988 secure = 1;
4989 }
4990 }
4991
17c2559c 4992 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
d8afdb21
JM		 4993 if (gtk)
4994 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4995#ifdef CONFIG_IEEE80211R_AP
4996 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4997 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4998 kde_len += 300; /* FTIE + 2 * TIE */
4999 }
5000#endif /* CONFIG_IEEE80211R_AP */
5001 kde = os_malloc(kde_len);
5002 if (kde == NULL)
5003 return -1;
5004
5005 pos = kde;
5006 os_memcpy(pos, wpa_ie, wpa_ie_len);
5007 pos += wpa_ie_len;
5008#ifdef CONFIG_IEEE80211R_AP
5009 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5010 int res;
5011 size_t elen;
5012
5013 elen = pos - kde;
5014 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
5015 if (res < 0) {
5016 wpa_printf(MSG_ERROR, "FT: Failed to insert "
5017 "PMKR1Name into RSN IE in EAPOL-Key data");
5018 os_free(kde);
5019 return -1;
5020 }
5021 pos -= wpa_ie_len;
5022 pos += elen;
5023 }
5024#endif /* CONFIG_IEEE80211R_AP */
5025 if (gtk) {
5026 u8 hdr[2];
5027 hdr[0] = keyidx & 0x03;
5028 hdr[1] = 0;
5029 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5030 gtk, gtk_len);
5031 }
0c3bc1be 5032#ifdef CONFIG_IEEE80211W
d8afdb21
JM		 5033 opos = pos;
5034 pos = ieee80211w_kde_add(sm, pos);
9f917339
MV		 5035 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5036 /* skip KDE header and keyid */
5037 opos += 2 + RSN_SELECTOR_LEN + 2;
d8afdb21
JM		 5038 os_memset(opos, 0, 6); /* clear PN */
5039 }
0c3bc1be 5040#endif /* CONFIG_IEEE80211W */
17c2559c
MV		 5041 if (ocv_oci_add(sm, &pos) < 0) {
5042 os_free(kde);
5043 return -1;
5044 }
d8afdb21
JM		 5045
5046#ifdef CONFIG_IEEE80211R_AP
5047 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5048 int res;
5049 struct wpa_auth_config *conf;
5050
5051 conf = &sm->wpa_auth->conf;
5052 if (sm->assoc_resp_ftie &&
5053 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
5054 os_memcpy(pos, sm->assoc_resp_ftie,
5055 2 + sm->assoc_resp_ftie[1]);
5056 res = 2 + sm->assoc_resp_ftie[1];
5057 } else {
a7968ea5
JM		 5058 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
5059
5060 res = wpa_write_ftie(conf, use_sha384,
5061 conf->r0_key_holder,
d8afdb21
JM		 5062 conf->r0_key_holder_len,
5063 NULL, NULL, pos,
5064 kde + kde_len - pos,
5065 NULL, 0);
5066 }
5067 if (res < 0) {
5068 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
5069 "into EAPOL-Key Key Data");
5070 os_free(kde);
5071 return -1;
5072 }
5073 pos += res;
5074
5075 /* TIE[ReassociationDeadline] (TU) */
5076 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5077 *pos++ = 5;
5078 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
5079 WPA_PUT_LE32(pos, conf->reassociation_deadline);
5080 pos += 4;
5081
5082 /* TIE[KeyLifetime] (seconds) */
5083 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5084 *pos++ = 5;
5085 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
83fe4bd3 5086 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
d8afdb21
JM		 5087 pos += 4;
5088 }
5089#endif /* CONFIG_IEEE80211R_AP */
5090
5091 wpa_send_eapol(sm->wpa_auth, sm,
5092 (secure ? WPA_KEY_INFO_SECURE : 0) |
5093 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5094 WPA_KEY_INFO_MIC : 0) |
5095 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5096 WPA_KEY_INFO_KEY_TYPE,
5097 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
5098 os_free(kde);
5099 return 0;
5100}
5101
5102
3d695328
JM		 5103int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
5104 void (*cb)(void *ctx1, void *ctx2),
5105 void *ctx1, void *ctx2)
6bc2f00f
JM		 5106{
5107 u8 rsc[WPA_KEY_RSC_LEN];
5108 struct wpa_group *gsm = sm->group;
5109 const u8 *kde;
0c3bc1be
LD		 5110 u8 *kde_buf = NULL, *pos, hdr[2];
5111#ifdef CONFIG_IEEE80211W
5112 u8 *opos;
5113#endif /* CONFIG_IEEE80211W */
6bc2f00f
JM		 5114 size_t kde_len;
5115 u8 *gtk;
5116
5117 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5118 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5119 /* Use 0 RSC */
5120 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5121 "sending 1/2 msg of Group Key Handshake (TESTING)");
5122
5123 gtk = gsm->GTK[gsm->GN - 1];
5124 if (sm->wpa == WPA_VERSION_WPA2) {
5125 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
17c2559c 5126 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
6bc2f00f
JM		 5127 kde_buf = os_malloc(kde_len);
5128 if (kde_buf == NULL)
5129 return -1;
5130
5131 kde = pos = kde_buf;
5132 hdr[0] = gsm->GN & 0x03;
5133 hdr[1] = 0;
5134 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5135 gtk, gsm->GTK_len);
0c3bc1be 5136#ifdef CONFIG_IEEE80211W
6bc2f00f
JM		 5137 opos = pos;
5138 pos = ieee80211w_kde_add(sm, pos);
9f917339
MV		 5139 if (pos - opos >=
5140 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5141 /* skip KDE header and keyid */
5142 opos += 2 + RSN_SELECTOR_LEN + 2;
6bc2f00f
JM		 5143 os_memset(opos, 0, 6); /* clear PN */
5144 }
0c3bc1be 5145#endif /* CONFIG_IEEE80211W */
17c2559c
MV		 5146 if (ocv_oci_add(sm, &pos) < 0) {
5147 os_free(kde_buf);
5148 return -1;
5149 }
6bc2f00f
JM		 5150 kde_len = pos - kde;
5151 } else {
5152 kde = gtk;
5153 kde_len = gsm->GTK_len;
5154 }
5155
3d695328
JM		 5156 sm->eapol_status_cb = cb;
5157 sm->eapol_status_cb_ctx1 = ctx1;
5158 sm->eapol_status_cb_ctx2 = ctx2;
5159
6bc2f00f
JM		 5160 wpa_send_eapol(sm->wpa_auth, sm,
5161 WPA_KEY_INFO_SECURE |
5162 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5163 WPA_KEY_INFO_MIC : 0) |
5164 WPA_KEY_INFO_ACK |
5165 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5166 rsc, NULL, kde, kde_len, gsm->GN, 1);
5167
5168 os_free(kde_buf);
5169 return 0;
5170}
d8afdb21 5171
92662fb2
JB		 5172
5173int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
5174{
5175 if (!wpa_auth)
5176 return -1;
5177 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
5178 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
5179}
5180
6bc2f00f 5181#endif /* CONFIG_TESTING_OPTIONS */
Unnamed repository; edit this file 'description' to name the repository.