]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/rsn_supp/wpa.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
OWE: Process Diffie-Hellman Parameter element in AP mode
[thirdparty/hostap.git] / src / rsn_supp / wpa.c
CommitLineData
6fc6879b
JM		 1/*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
98cd3d1c 3 * Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi>
73ed03f3 4 * Copyright(c) 2015 Intel Deutschland GmbH
6fc6879b 5 *
0f3d578e
JM		 6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
6fc6879b
JM		 8 */
9
10#include "includes.h"
11
12#include "common.h"
2022f1d0 13#include "crypto/aes.h"
03da66bd
JM		 14#include "crypto/aes_wrap.h"
15#include "crypto/crypto.h"
3642c431 16#include "crypto/random.h"
2022f1d0 17#include "crypto/aes_siv.h"
03da66bd 18#include "common/ieee802_11_defs.h"
a6609937 19#include "common/ieee802_11_common.h"
fcd3d6ce 20#include "eap_common/eap_defs.h"
03da66bd 21#include "eapol_supp/eapol_supp_sm.h"
6fc6879b
JM		 22#include "wpa.h"
23#include "eloop.h"
6fc6879b
JM		 24#include "preauth.h"
25#include "pmksa_cache.h"
26#include "wpa_i.h"
27#include "wpa_ie.h"
28#include "peerkey.h"
6fc6879b
JM		 29
30
73ed03f3
MS		 31static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
32
33
6fc6879b
JM		 34/**
35 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
36 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1049af7e 37 * @ptk: PTK for Key Confirmation/Encryption Key
6fc6879b
JM		 38 * @ver: Version field from Key Info
39 * @dest: Destination address for the frame
40 * @proto: Ethertype (usually ETH_P_EAPOL)
41 * @msg: EAPOL-Key message
42 * @msg_len: Length of message
43 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
c93b7e18 44 * Returns: >= 0 on success, < 0 on failure
6fc6879b 45 */
1049af7e 46int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
c93b7e18
AA		 47 int ver, const u8 *dest, u16 proto,
48 u8 *msg, size_t msg_len, u8 *key_mic)
6fc6879b 49{
c93b7e18 50 int ret = -1;
5e3b5197 51 size_t mic_len = wpa_mic_len(sm->key_mgmt);
98cd3d1c 52
a8e16edc 53 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
6fc6879b
JM		 54 /*
55 * Association event was not yet received; try to fetch
56 * BSSID from the driver.
57 */
58 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
f049052b
BG		 59 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
60 "WPA: Failed to read BSSID for "
61 "EAPOL-Key destination address");
6fc6879b
JM		 62 } else {
63 dest = sm->bssid;
f049052b
BG		 64 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
65 "WPA: Use BSSID (" MACSTR
66 ") as the destination for EAPOL-Key",
67 MAC2STR(dest));
6fc6879b
JM		 68 }
69 }
2022f1d0
JM		 70
71 if (mic_len) {
72 if (key_mic && (!ptk || !ptk->kck_len))
73 goto out;
74
75 if (key_mic &&
76 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
77 msg, msg_len, key_mic)) {
78 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
79 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
80 ver, sm->key_mgmt);
81 goto out;
82 }
28fb9bb1
JM		 83 if (ptk)
84 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
85 ptk->kck, ptk->kck_len);
2022f1d0
JM		 86 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
87 key_mic, mic_len);
88 } else {
89#ifdef CONFIG_FILS
90 /* AEAD cipher - Key MIC field not used */
91 struct ieee802_1x_hdr *s_hdr, *hdr;
92 struct wpa_eapol_key *s_key, *key;
93 u8 *buf, *s_key_data, *key_data;
94 size_t buf_len = msg_len + AES_BLOCK_SIZE;
95 size_t key_data_len;
96 u16 eapol_len;
97 const u8 *aad[1];
98 size_t aad_len[1];
99
100 if (!ptk || !ptk->kek_len)
101 goto out;
102
103 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
104 sizeof(struct wpa_eapol_key) - 2;
105
106 buf = os_malloc(buf_len);
107 if (!buf)
108 goto out;
109
110 os_memcpy(buf, msg, msg_len);
111 hdr = (struct ieee802_1x_hdr *) buf;
112 key = (struct wpa_eapol_key *) (hdr + 1);
113 key_data = ((u8 *) (key + 1)) + 2;
114
115 /* Update EAPOL header to include AES-SIV overhead */
116 eapol_len = be_to_host16(hdr->length);
117 eapol_len += AES_BLOCK_SIZE;
118 hdr->length = host_to_be16(eapol_len);
119
120 /* Update Key Data Length field to include AES-SIV overhead */
121 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
122
123 s_hdr = (struct ieee802_1x_hdr *) msg;
124 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
125 s_key_data = ((u8 *) (s_key + 1)) + 2;
126
127 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
128 s_key_data, key_data_len);
129
130 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
131 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
132 * to Key Data (exclusive). */
133 aad[0] = buf;
134 aad_len[0] = key_data - buf;
135 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
136 s_key_data, key_data_len,
137 1, aad, aad_len, key_data) < 0) {
138 os_free(buf);
139 goto out;
140 }
141
142 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
143 key_data, AES_BLOCK_SIZE + key_data_len);
144
145 os_free(msg);
146 msg = buf;
147 msg_len = buf_len;
148#else /* CONFIG_FILS */
04b6b3ed 149 goto out;
2022f1d0 150#endif /* CONFIG_FILS */
04b6b3ed 151 }
2022f1d0 152
6fc6879b 153 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
c93b7e18 154 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
6fc6879b 155 eapol_sm_notify_tx_eapol_key(sm->eapol);
04b6b3ed 156out:
6fc6879b 157 os_free(msg);
c93b7e18 158 return ret;
6fc6879b
JM		 159}
160
161
162/**
163 * wpa_sm_key_request - Send EAPOL-Key Request
164 * @sm: Pointer to WPA state machine data from wpa_sm_init()
165 * @error: Indicate whether this is an Michael MIC error report
166 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
6fc6879b
JM		 167 *
168 * Send an EAPOL-Key Request to the current authenticator. This function is
169 * used to request rekeying and it is usually called when a local Michael MIC
170 * failure is detected.
171 */
172void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
173{
5e3b5197 174 size_t mic_len, hdrlen, rlen;
6fc6879b
JM		 175 struct wpa_eapol_key *reply;
176 int key_info, ver;
6d014ffc 177 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
6fc6879b 178
929a2ea5
JM		 179 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
180 wpa_key_mgmt_suite_b(sm->key_mgmt))
df0f01d9
JM		 181 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
182 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
183 wpa_key_mgmt_sha256(sm->key_mgmt))
6fc6879b 184 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 185 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
6fc6879b
JM		 186 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
187 else
188 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
189
190 if (wpa_sm_get_bssid(sm, bssid) < 0) {
f049052b
BG		 191 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
192 "Failed to read BSSID for EAPOL-Key request");
6fc6879b
JM		 193 return;
194 }
195
5e3b5197 196 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 197 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 198 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 199 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 200 if (rbuf == NULL)
201 return;
202
a14896e8
JM		 203 reply->type = (sm->proto == WPA_PROTO_RSN ||
204 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 205 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
206 key_info = WPA_KEY_INFO_REQUEST | ver;
207 if (sm->ptk_set)
4a26ccda
JM		 208 key_info |= WPA_KEY_INFO_SECURE;
209 if (sm->ptk_set && mic_len)
210 key_info |= WPA_KEY_INFO_MIC;
6fc6879b
JM		 211 if (error)
212 key_info |= WPA_KEY_INFO_ERROR;
213 if (pairwise)
214 key_info |= WPA_KEY_INFO_KEY_TYPE;
215 WPA_PUT_BE16(reply->key_info, key_info);
216 WPA_PUT_BE16(reply->key_length, 0);
217 os_memcpy(reply->replay_counter, sm->request_counter,
218 WPA_REPLAY_COUNTER_LEN);
219 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
220
6d014ffc
JM		 221 mic = (u8 *) (reply + 1);
222 WPA_PUT_BE16(mic + mic_len, 0);
5e3b5197
JM		 223 if (!(key_info & WPA_KEY_INFO_MIC))
224 key_mic = NULL;
225 else
6d014ffc 226 key_mic = mic;
6fc6879b 227
f049052b
BG		 228 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
229 "WPA: Sending EAPOL-Key Request (error=%d "
230 "pairwise=%d ptk_set=%d len=%lu)",
231 error, pairwise, sm->ptk_set, (unsigned long) rlen);
1049af7e
JM		 232 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
233 key_mic);
6fc6879b
JM		 234}
235
236
b41f2684
CL		 237static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
238{
239#ifdef CONFIG_IEEE80211R
240 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
241 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
242 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
243 "RSN: Cannot set low order 256 bits of MSK for key management offload");
244 } else {
245#endif /* CONFIG_IEEE80211R */
246 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
247 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
248 "RSN: Cannot set PMK for key management offload");
249#ifdef CONFIG_IEEE80211R
250 }
251#endif /* CONFIG_IEEE80211R */
252}
253
254
6fc6879b
JM		 255static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
256 const unsigned char *src_addr,
257 const u8 *pmkid)
258{
259 int abort_cached = 0;
260
261 if (pmkid && !sm->cur_pmksa) {
262 /* When using drivers that generate RSN IE, wpa_supplicant may
263 * not have enough time to get the association information
264 * event before receiving this 1/4 message, so try to find a
265 * matching PMKSA cache entry here. */
96efeeb6
JM		 266 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
267 NULL);
6fc6879b 268 if (sm->cur_pmksa) {
f049052b
BG		 269 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
270 "RSN: found matching PMKID from PMKSA cache");
6fc6879b 271 } else {
f049052b
BG		 272 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
273 "RSN: no matching PMKID found");
6fc6879b
JM		 274 abort_cached = 1;
275 }
276 }
277
278 if (pmkid && sm->cur_pmksa &&
0d15b69f 279 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
6fc6879b
JM		 280 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
281 wpa_sm_set_pmk_from_pmksa(sm);
282 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
283 sm->pmk, sm->pmk_len);
284 eapol_sm_notify_cached(sm->eapol);
285#ifdef CONFIG_IEEE80211R
286 sm->xxkey_len = 0;
287#endif /* CONFIG_IEEE80211R */
56586197 288 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
6fc6879b 289 int res, pmk_len;
207976f0 290
834c5d68 291 if (wpa_key_mgmt_sha384(sm->key_mgmt))
207976f0
JM		 292 pmk_len = PMK_LEN_SUITE_B_192;
293 else
294 pmk_len = PMK_LEN;
295 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
6fc6879b 296 if (res) {
207976f0
JM		 297 if (pmk_len == PMK_LEN) {
298 /*
299 * EAP-LEAP is an exception from other EAP
300 * methods: it uses only 16-byte PMK.
301 */
302 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
303 pmk_len = 16;
304 }
6fc6879b
JM		 305 } else {
306#ifdef CONFIG_IEEE80211R
307 u8 buf[2 * PMK_LEN];
308 if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
309 {
310 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
311 sm->xxkey_len = PMK_LEN;
312 os_memset(buf, 0, sizeof(buf));
313 }
314#endif /* CONFIG_IEEE80211R */
315 }
316 if (res == 0) {
a7f10d65 317 struct rsn_pmksa_cache_entry *sa = NULL;
869af307
JM		 318 const u8 *fils_cache_id = NULL;
319
320#ifdef CONFIG_FILS
321 if (sm->fils_cache_id_set)
322 fils_cache_id = sm->fils_cache_id;
323#endif /* CONFIG_FILS */
324
6fc6879b
JM		 325 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
326 "machines", sm->pmk, pmk_len);
327 sm->pmk_len = pmk_len;
b41f2684 328 wpa_supplicant_key_mgmt_set_pmk(sm);
715ed737 329 if (sm->proto == WPA_PROTO_RSN &&
087a1f4e 330 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
715ed737 331 !wpa_key_mgmt_ft(sm->key_mgmt)) {
a7f10d65 332 sa = pmksa_cache_add(sm->pmksa,
70c93963 333 sm->pmk, pmk_len, NULL,
087a1f4e 334 NULL, 0,
a7f10d65
JM		 335 src_addr, sm->own_addr,
336 sm->network_ctx,
869af307
JM		 337 sm->key_mgmt,
338 fils_cache_id);
f5a51b58 339 }
6fc6879b 340 if (!sm->cur_pmksa && pmkid &&
96efeeb6
JM		 341 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL))
342 {
f049052b
BG		 343 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
344 "RSN: the new PMK matches with the "
345 "PMKID");
6fc6879b 346 abort_cached = 0;
bddc51e8
JM		 347 } else if (sa && !sm->cur_pmksa && pmkid) {
348 /*
349 * It looks like the authentication server
350 * derived mismatching MSK. This should not
351 * really happen, but bugs happen.. There is not
352 * much we can do here without knowing what
353 * exactly caused the server to misbehave.
354 */
62417667 355 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
bddc51e8
JM		 356 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
357 return -1;
6fc6879b 358 }
a7f10d65
JM		 359
360 if (!sm->cur_pmksa)
361 sm->cur_pmksa = sa;
6fc6879b 362 } else {
0f057fb2 363 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6fc6879b 364 "WPA: Failed to get master session key from "
f049052b
BG		 365 "EAPOL state machines - key handshake "
366 "aborted");
6fc6879b 367 if (sm->cur_pmksa) {
f049052b
BG		 368 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
369 "RSN: Cancelled PMKSA caching "
370 "attempt");
6fc6879b
JM		 371 sm->cur_pmksa = NULL;
372 abort_cached = 1;
1ac2d4a9 373 } else if (!abort_cached) {
6fc6879b
JM		 374 return -1;
375 }
376 }
377 }
378
715ed737 379 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
087a1f4e 380 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
a14896e8
JM		 381 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
382 {
6fc6879b
JM		 383 /* Send EAPOL-Start to trigger full EAP authentication. */
384 u8 *buf;
385 size_t buflen;
386
f049052b
BG		 387 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
388 "RSN: no PMKSA entry found - trigger "
389 "full EAP authentication");
6fc6879b
JM		 390 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
391 NULL, 0, &buflen, NULL);
392 if (buf) {
393 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
394 buf, buflen);
395 os_free(buf);
b4a1256d 396 return -2;
6fc6879b
JM		 397 }
398
399 return -1;
400 }
401
402 return 0;
403}
404
405
406/**
407 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
408 * @sm: Pointer to WPA state machine data from wpa_sm_init()
409 * @dst: Destination address for the frame
410 * @key: Pointer to the EAPOL-Key frame header
411 * @ver: Version bits from EAPOL-Key Key Info
412 * @nonce: Nonce value for the EAPOL-Key frame
413 * @wpa_ie: WPA/RSN IE
414 * @wpa_ie_len: Length of the WPA/RSN IE
415 * @ptk: PTK to use for keyed hash and encryption
c93b7e18 416 * Returns: >= 0 on success, < 0 on failure
6fc6879b
JM		 417 */
418int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
419 const struct wpa_eapol_key *key,
420 int ver, const u8 *nonce,
421 const u8 *wpa_ie, size_t wpa_ie_len,
422 struct wpa_ptk *ptk)
423{
5e3b5197 424 size_t mic_len, hdrlen, rlen;
6fc6879b 425 struct wpa_eapol_key *reply;
5e3b5197 426 u8 *rbuf, *key_mic;
26e23750 427 u8 *rsn_ie_buf = NULL;
4a26ccda 428 u16 key_info;
6fc6879b
JM		 429
430 if (wpa_ie == NULL) {
f049052b
BG		 431 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
432 "cannot generate msg 2/4");
6fc6879b
JM		 433 return -1;
434 }
435
26e23750
JM		 436#ifdef CONFIG_IEEE80211R
437 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
438 int res;
439
55046414
JM		 440 /*
441 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
442 * FTIE from (Re)Association Response.
443 */
444 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
445 sm->assoc_resp_ies_len);
26e23750
JM		 446 if (rsn_ie_buf == NULL)
447 return -1;
448 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
59e78c24 449 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
26e23750
JM		 450 sm->pmk_r1_name);
451 if (res < 0) {
452 os_free(rsn_ie_buf);
453 return -1;
454 }
55046414
JM		 455
456 if (sm->assoc_resp_ies) {
457 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
458 sm->assoc_resp_ies_len);
459 wpa_ie_len += sm->assoc_resp_ies_len;
460 }
26e23750
JM		 461
462 wpa_ie = rsn_ie_buf;
26e23750
JM		 463 }
464#endif /* CONFIG_IEEE80211R */
465
6fc6879b
JM		 466 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
467
5e3b5197 468 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 469 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 470 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
5e3b5197 471 NULL, hdrlen + wpa_ie_len,
6fc6879b 472 &rlen, (void *) &reply);
26e23750
JM		 473 if (rbuf == NULL) {
474 os_free(rsn_ie_buf);
6fc6879b 475 return -1;
26e23750 476 }
6fc6879b 477
a14896e8
JM		 478 reply->type = (sm->proto == WPA_PROTO_RSN ||
479 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b 480 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
4a26ccda
JM		 481 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
482 if (mic_len)
483 key_info |= WPA_KEY_INFO_MIC;
2022f1d0
JM		 484 else
485 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
4a26ccda 486 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 487 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 488 WPA_PUT_BE16(reply->key_length, 0);
489 else
490 os_memcpy(reply->key_length, key->key_length, 2);
491 os_memcpy(reply->replay_counter, key->replay_counter,
492 WPA_REPLAY_COUNTER_LEN);
bc8318ac
JM		 493 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
494 WPA_REPLAY_COUNTER_LEN);
6fc6879b 495
6d014ffc
JM		 496 key_mic = (u8 *) (reply + 1);
497 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
498 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
26e23750 499 os_free(rsn_ie_buf);
6fc6879b
JM		 500
501 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
502
f049052b 503 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
1049af7e
JM		 504 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
505 key_mic);
6fc6879b
JM		 506}
507
508
509static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
98cd3d1c 510 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
6fc6879b
JM		 511{
512#ifdef CONFIG_IEEE80211R
56586197 513 if (wpa_key_mgmt_ft(sm->key_mgmt))
98cd3d1c 514 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
6fc6879b
JM		 515#endif /* CONFIG_IEEE80211R */
516
98cd3d1c
JM		 517 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
518 sm->own_addr, sm->bssid, sm->snonce,
519 key->key_nonce, ptk, sm->key_mgmt,
520 sm->pairwise_cipher);
6fc6879b
JM		 521}
522
523
524static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
525 const unsigned char *src_addr,
526 const struct wpa_eapol_key *key,
e6270129
JM		 527 u16 ver, const u8 *key_data,
528 size_t key_data_len)
6fc6879b
JM		 529{
530 struct wpa_eapol_ie_parse ie;
531 struct wpa_ptk *ptk;
b4a1256d 532 int res;
25ef8529
JM		 533 u8 *kde, *kde_buf = NULL;
534 size_t kde_len;
6fc6879b
JM		 535
536 if (wpa_sm_get_network_ctx(sm) == NULL) {
f049052b
BG		 537 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
538 "found (msg 1 of 4)");
6fc6879b
JM		 539 return;
540 }
541
542 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
f049052b
BG		 543 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
544 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
6fc6879b
JM		 545
546 os_memset(&ie, 0, sizeof(ie));
547
a14896e8 548 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
6fc6879b 549 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
e6270129
JM		 550 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
551 key_data, key_data_len);
552 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
d627a939 553 goto failed;
6fc6879b
JM		 554 if (ie.pmkid) {
555 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
556 "Authenticator", ie.pmkid, PMKID_LEN);
557 }
558 }
6fc6879b 559
b4a1256d
JM		 560 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
561 if (res == -2) {
f049052b
BG		 562 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
563 "msg 1/4 - requesting full EAP authentication");
b4a1256d
JM		 564 return;
565 }
566 if (res)
83935317 567 goto failed;
6fc6879b
JM		 568
569 if (sm->renew_snonce) {
3642c431 570 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
0f057fb2 571 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6fc6879b 572 "WPA: Failed to get random data for SNonce");
83935317 573 goto failed;
6fc6879b
JM		 574 }
575 sm->renew_snonce = 0;
576 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
577 sm->snonce, WPA_NONCE_LEN);
578 }
579
580 /* Calculate PTK which will be stored as a temporary PTK until it has
581 * been verified when processing message 3/4. */
582 ptk = &sm->tptk;
583 wpa_derive_ptk(sm, src_addr, key, ptk);
3b9c5176 584 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
d2c33b91 585 u8 buf[8];
3b9c5176 586 /* Supplicant: swap tx/rx Mic keys */
98cd3d1c
JM		 587 os_memcpy(buf, &ptk->tk[16], 8);
588 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
589 os_memcpy(&ptk->tk[24], buf, 8);
d2c33b91 590 os_memset(buf, 0, sizeof(buf));
3b9c5176 591 }
6fc6879b 592 sm->tptk_set = 1;
ad00d64e 593 sm->tk_to_set = 1;
6fc6879b 594
25ef8529
JM		 595 kde = sm->assoc_wpa_ie;
596 kde_len = sm->assoc_wpa_ie_len;
597
598#ifdef CONFIG_P2P
599 if (sm->p2p) {
600 kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1);
601 if (kde_buf) {
602 u8 *pos;
603 wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE "
604 "into EAPOL-Key 2/4");
605 os_memcpy(kde_buf, kde, kde_len);
606 kde = kde_buf;
607 pos = kde + kde_len;
608 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
609 *pos++ = RSN_SELECTOR_LEN + 1;
610 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
611 pos += RSN_SELECTOR_LEN;
612 *pos++ = 0x01;
613 kde_len = pos - kde;
614 }
615 }
616#endif /* CONFIG_P2P */
617
6fc6879b 618 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
c93b7e18 619 kde, kde_len, ptk) < 0)
83935317 620 goto failed;
6fc6879b 621
25ef8529 622 os_free(kde_buf);
6fc6879b 623 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
83935317
JM		 624 return;
625
626failed:
25ef8529 627 os_free(kde_buf);
83935317 628 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 629}
630
631
632static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
633{
634 struct wpa_sm *sm = eloop_ctx;
635 rsn_preauth_candidate_process(sm);
636}
637
638
639static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
640 const u8 *addr, int secure)
641{
0f057fb2
JM		 642 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
643 "WPA: Key negotiation completed with "
6fc6879b
JM		 644 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
645 wpa_cipher_txt(sm->pairwise_cipher),
646 wpa_cipher_txt(sm->group_cipher));
6fc6879b
JM		 647 wpa_sm_cancel_auth_timeout(sm);
648 wpa_sm_set_state(sm, WPA_COMPLETED);
649
650 if (secure) {
651 wpa_sm_mlme_setprotection(
652 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
653 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
654 eapol_sm_notify_portValid(sm->eapol, TRUE);
a1ea1b45
JM		 655 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
656 sm->key_mgmt == WPA_KEY_MGMT_OWE)
6fc6879b
JM		 657 eapol_sm_notify_eap_success(sm->eapol, TRUE);
658 /*
659 * Start preauthentication after a short wait to avoid a
660 * possible race condition between the data receive and key
661 * configuration after the 4-Way Handshake. This increases the
ffbf1eaa 662 * likelihood of the first preauth EAPOL-Start frame getting to
6fc6879b
JM		 663 * the target AP.
664 */
665 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL);
666 }
667
668 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
f049052b
BG		 669 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
670 "RSN: Authenticator accepted "
671 "opportunistic PMKSA entry - marking it valid");
6fc6879b
JM		 672 sm->cur_pmksa->opportunistic = 0;
673 }
674
675#ifdef CONFIG_IEEE80211R
56586197 676 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6fc6879b 677 /* Prepare for the next transition */
76b7981d 678 wpa_ft_prepare_auth_request(sm, NULL);
6fc6879b
JM		 679 }
680#endif /* CONFIG_IEEE80211R */
681}
682
683
581a8cde
JM		 684static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
685{
686 struct wpa_sm *sm = eloop_ctx;
f049052b 687 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
581a8cde
JM		 688 wpa_sm_key_request(sm, 0, 1);
689}
690
691
6fc6879b
JM		 692static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
693 const struct wpa_eapol_key *key)
694{
695 int keylen, rsclen;
71934751 696 enum wpa_alg alg;
6fc6879b 697 const u8 *key_rsc;
6fc6879b 698
ad00d64e
JM		 699 if (!sm->tk_to_set) {
700 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
701 "WPA: Do not re-install same PTK to the driver");
702 return 0;
703 }
704
f049052b
BG		 705 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
706 "WPA: Installing PTK to the driver");
6fc6879b 707
c3550295 708 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
f049052b
BG		 709 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
710 "Suite: NONE - do not use pairwise keys");
6fc6879b 711 return 0;
c3550295
JM		 712 }
713
714 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
f049052b
BG		 715 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
716 "WPA: Unsupported pairwise cipher %d",
717 sm->pairwise_cipher);
6fc6879b
JM		 718 return -1;
719 }
720
c3550295
JM		 721 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
722 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
723 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
724
a14896e8 725 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
6fc6879b
JM		 726 key_rsc = null_rsc;
727 } else {
728 key_rsc = key->key_rsc;
729 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
730 }
731
732 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
98cd3d1c 733 sm->ptk.tk, keylen) < 0) {
f049052b
BG		 734 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
735 "WPA: Failed to set PTK to the "
736 "driver (alg=%d keylen=%d bssid=" MACSTR ")",
737 alg, keylen, MAC2STR(sm->bssid));
6fc6879b
JM		 738 return -1;
739 }
581a8cde 740
7d711541 741 /* TK is not needed anymore in supplicant */
98cd3d1c 742 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
ad00d64e 743 sm->tk_to_set = 0;
7d711541 744
581a8cde
JM		 745 if (sm->wpa_ptk_rekey) {
746 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
747 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
748 sm, NULL);
749 }
750
6fc6879b
JM		 751 return 0;
752}
753
754
f049052b
BG		 755static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
756 int group_cipher,
6fc6879b 757 int keylen, int maxkeylen,
71934751
JM		 758 int *key_rsc_len,
759 enum wpa_alg *alg)
6fc6879b 760{
c3550295 761 int klen;
6fc6879b 762
c3550295
JM		 763 *alg = wpa_cipher_to_alg(group_cipher);
764 if (*alg == WPA_ALG_NONE) {
f049052b
BG		 765 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
766 "WPA: Unsupported Group Cipher %d",
767 group_cipher);
6fc6879b
JM		 768 return -1;
769 }
c3550295 770 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
6fc6879b 771
c3550295
JM		 772 klen = wpa_cipher_key_len(group_cipher);
773 if (keylen != klen || maxkeylen < klen) {
f049052b
BG		 774 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
775 "WPA: Unsupported %s Group Cipher key length %d (%d)",
776 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
c3550295 777 return -1;
6fc6879b 778 }
c3550295 779 return 0;
6fc6879b
JM		 780}
781
782
783struct wpa_gtk_data {
71934751 784 enum wpa_alg alg;
6fc6879b
JM		 785 int tx, key_rsc_len, keyidx;
786 u8 gtk[32];
787 int gtk_len;
788};
789
790
791static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
792 const struct wpa_gtk_data *gd,
793 const u8 *key_rsc)
794{
795 const u8 *_gtk = gd->gtk;
796 u8 gtk_buf[32];
797
798 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
f049052b
BG		 799 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
800 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
801 gd->keyidx, gd->tx, gd->gtk_len);
6fc6879b
JM		 802 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
803 if (sm->group_cipher == WPA_CIPHER_TKIP) {
804 /* Swap Tx/Rx keys for Michael MIC */
805 os_memcpy(gtk_buf, gd->gtk, 16);
806 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
807 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
808 _gtk = gtk_buf;
809 }
810 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
0382097e 811 if (wpa_sm_set_key(sm, gd->alg, NULL,
6fc6879b
JM		 812 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
813 _gtk, gd->gtk_len) < 0) {
f049052b
BG		 814 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
815 "WPA: Failed to set GTK to the driver "
816 "(Group only)");
d2c33b91 817 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 818 return -1;
819 }
0382097e 820 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
6fc6879b
JM		 821 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
822 _gtk, gd->gtk_len) < 0) {
f049052b
BG		 823 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
824 "WPA: Failed to set GTK to "
825 "the driver (alg=%d keylen=%d keyidx=%d)",
826 gd->alg, gd->gtk_len, gd->keyidx);
d2c33b91 827 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 828 return -1;
829 }
d2c33b91 830 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 831
832 return 0;
833}
834
835
836static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
837 int tx)
838{
839 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
840 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
841 * seemed to set this bit (incorrectly, since Tx is only when
842 * doing Group Key only APs) and without this workaround, the
843 * data connection does not work because wpa_supplicant
844 * configured non-zero keyidx to be used for unicast. */
f049052b
BG		 845 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
846 "WPA: Tx bit set for GTK, but pairwise "
847 "keys are used - ignore Tx bit");
6fc6879b
JM		 848 return 0;
849 }
850 return tx;
851}
852
853
73ed03f3
MS		 854static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
855 const u8 *rsc)
856{
857 int rsclen;
858
859 if (!sm->wpa_rsc_relaxation)
860 return 0;
861
862 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
863
864 /*
865 * Try to detect RSC (endian) corruption issue where the AP sends
866 * the RSC bytes in EAPOL-Key message in the wrong order, both if
867 * it's actually a 6-byte field (as it should be) and if it treats
868 * it as an 8-byte field.
869 * An AP model known to have this bug is the Sapido RB-1632.
870 */
871 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
872 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
873 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
874 rsc[0], rsc[1], rsc[2], rsc[3],
875 rsc[4], rsc[5], rsc[6], rsc[7]);
876
877 return 1;
878 }
879
880 return 0;
881}
882
883
6fc6879b
JM		 884static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
885 const struct wpa_eapol_key *key,
886 const u8 *gtk, size_t gtk_len,
887 int key_info)
888{
6fc6879b 889 struct wpa_gtk_data gd;
73ed03f3 890 const u8 *key_rsc;
6fc6879b
JM		 891
892 /*
893 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
894 * GTK KDE format:
895 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
896 * Reserved [bits 0-7]
897 * GTK
898 */
899
900 os_memset(&gd, 0, sizeof(gd));
901 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
902 gtk, gtk_len);
903
904 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
905 return -1;
906
907 gd.keyidx = gtk[0] & 0x3;
908 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
909 !!(gtk[0] & BIT(2)));
910 gtk += 2;
911 gtk_len -= 2;
912
913 os_memcpy(gd.gtk, gtk, gtk_len);
914 gd.gtk_len = gtk_len;
915
73ed03f3
MS		 916 key_rsc = key->key_rsc;
917 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
918 key_rsc = null_rsc;
919
dff1e285
JM		 920 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
921 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
922 gtk_len, gtk_len,
923 &gd.key_rsc_len, &gd.alg) ||
73ed03f3 924 wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
f049052b
BG		 925 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
926 "RSN: Failed to install GTK");
d2c33b91 927 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 928 return -1;
929 }
d2c33b91 930 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 931
932 wpa_supplicant_key_neg_complete(sm, sm->bssid,
933 key_info & WPA_KEY_INFO_SECURE);
934 return 0;
6fc6879b
JM		 935}
936
937
938static int ieee80211w_set_keys(struct wpa_sm *sm,
939 struct wpa_eapol_ie_parse *ie)
940{
941#ifdef CONFIG_IEEE80211W
8dd9f9cd 942 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
6fc6879b
JM		 943 return 0;
944
945 if (ie->igtk) {
8dd9f9cd 946 size_t len;
6fc6879b
JM		 947 const struct wpa_igtk_kde *igtk;
948 u16 keyidx;
8dd9f9cd
JM		 949 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
950 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
6fc6879b
JM		 951 return -1;
952 igtk = (const struct wpa_igtk_kde *) ie->igtk;
953 keyidx = WPA_GET_LE16(igtk->keyid);
f049052b
BG		 954 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
955 "pn %02x%02x%02x%02x%02x%02x",
956 keyidx, MAC2STR(igtk->pn));
6fc6879b 957 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
8dd9f9cd 958 igtk->igtk, len);
6fc6879b 959 if (keyidx > 4095) {
f049052b
BG		 960 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
961 "WPA: Invalid IGTK KeyID %d", keyidx);
6fc6879b
JM		 962 return -1;
963 }
8dd9f9cd
JM		 964 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
965 broadcast_ether_addr,
6fc6879b 966 keyidx, 0, igtk->pn, sizeof(igtk->pn),
8dd9f9cd 967 igtk->igtk, len) < 0) {
f049052b
BG		 968 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
969 "WPA: Failed to configure IGTK to the driver");
6fc6879b
JM		 970 return -1;
971 }
972 }
973
974 return 0;
975#else /* CONFIG_IEEE80211W */
976 return 0;
977#endif /* CONFIG_IEEE80211W */
978}
979
980
981static void wpa_report_ie_mismatch(struct wpa_sm *sm,
982 const char *reason, const u8 *src_addr,
983 const u8 *wpa_ie, size_t wpa_ie_len,
984 const u8 *rsn_ie, size_t rsn_ie_len)
985{
0f057fb2 986 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
6fc6879b
JM		 987 reason, MAC2STR(src_addr));
988
989 if (sm->ap_wpa_ie) {
990 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
991 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
992 }
993 if (wpa_ie) {
994 if (!sm->ap_wpa_ie) {
f049052b
BG		 995 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
996 "WPA: No WPA IE in Beacon/ProbeResp");
6fc6879b
JM		 997 }
998 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
999 wpa_ie, wpa_ie_len);
1000 }
1001
1002 if (sm->ap_rsn_ie) {
1003 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1004 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1005 }
1006 if (rsn_ie) {
1007 if (!sm->ap_rsn_ie) {
f049052b
BG		 1008 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1009 "WPA: No RSN IE in Beacon/ProbeResp");
6fc6879b
JM		 1010 }
1011 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1012 rsn_ie, rsn_ie_len);
1013 }
1014
3da372fa 1015 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
6fc6879b
JM		 1016}
1017
1018
5af8187e
JM		 1019#ifdef CONFIG_IEEE80211R
1020
1021static int ft_validate_mdie(struct wpa_sm *sm,
1022 const unsigned char *src_addr,
3b4f6dac
JM		 1023 struct wpa_eapol_ie_parse *ie,
1024 const u8 *assoc_resp_mdie)
5af8187e
JM		 1025{
1026 struct rsn_mdie *mdie;
1027
5af8187e
JM		 1028 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1029 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1030 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1031 MOBILITY_DOMAIN_ID_LEN) != 0) {
f049052b
BG		 1032 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1033 "not match with the current mobility domain");
5af8187e
JM		 1034 return -1;
1035 }
1036
3b4f6dac
JM		 1037 if (assoc_resp_mdie &&
1038 (assoc_resp_mdie[1] != ie->mdie[1] ||
1039 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
f049052b 1040 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
3b4f6dac
JM		 1041 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1042 ie->mdie, 2 + ie->mdie[1]);
1043 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1044 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1045 return -1;
1046 }
1047
1048 return 0;
1049}
1050
1051
1052static int ft_validate_ftie(struct wpa_sm *sm,
1053 const unsigned char *src_addr,
1054 struct wpa_eapol_ie_parse *ie,
1055 const u8 *assoc_resp_ftie)
1056{
1057 if (ie->ftie == NULL) {
f049052b
BG		 1058 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1059 "FT: No FTIE in EAPOL-Key msg 3/4");
3b4f6dac
JM		 1060 return -1;
1061 }
1062
1063 if (assoc_resp_ftie == NULL)
1064 return 0;
1065
1066 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1067 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
f049052b 1068 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
3b4f6dac
JM		 1069 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1070 ie->ftie, 2 + ie->ftie[1]);
1071 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1072 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1073 return -1;
1074 }
1075
5af8187e
JM		 1076 return 0;
1077}
1078
1079
1080static int ft_validate_rsnie(struct wpa_sm *sm,
1081 const unsigned char *src_addr,
1082 struct wpa_eapol_ie_parse *ie)
1083{
1084 struct wpa_ie_data rsn;
1085
1086 if (!ie->rsn_ie)
1087 return 0;
1088
1089 /*
1090 * Verify that PMKR1Name from EAPOL-Key message 3/4
1091 * matches with the value we derived.
1092 */
1093 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1094 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
f049052b
BG		 1095 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1096 "FT 4-way handshake message 3/4");
5af8187e
JM		 1097 return -1;
1098 }
1099
0d15b69f
JM		 1100 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1101 {
f049052b
BG		 1102 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1103 "FT: PMKR1Name mismatch in "
1104 "FT 4-way handshake message 3/4");
5af8187e
JM		 1105 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1106 rsn.pmkid, WPA_PMK_NAME_LEN);
1107 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1108 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1109 return -1;
1110 }
1111
1112 return 0;
1113}
1114
1115
1116static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1117 const unsigned char *src_addr,
1118 struct wpa_eapol_ie_parse *ie)
1119{
3b4f6dac
JM		 1120 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1121
1122 if (sm->assoc_resp_ies) {
1123 pos = sm->assoc_resp_ies;
1124 end = pos + sm->assoc_resp_ies_len;
2461724c
JM		 1125 while (end - pos > 2) {
1126 if (2 + pos[1] > end - pos)
3b4f6dac
JM		 1127 break;
1128 switch (*pos) {
1129 case WLAN_EID_MOBILITY_DOMAIN:
1130 mdie = pos;
1131 break;
1132 case WLAN_EID_FAST_BSS_TRANSITION:
1133 ftie = pos;
1134 break;
1135 }
1136 pos += 2 + pos[1];
1137 }
1138 }
1139
1140 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1141 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
5af8187e
JM		 1142 ft_validate_rsnie(sm, src_addr, ie) < 0)
1143 return -1;
1144
1145 return 0;
1146}
1147
1148#endif /* CONFIG_IEEE80211R */
1149
1150
6fc6879b
JM		 1151static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1152 const unsigned char *src_addr,
1153 struct wpa_eapol_ie_parse *ie)
1154{
1155 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
f049052b
BG		 1156 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1157 "WPA: No WPA/RSN IE for this AP known. "
1158 "Trying to get from scan results");
6fc6879b 1159 if (wpa_sm_get_beacon_ie(sm) < 0) {
f049052b
BG		 1160 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1161 "WPA: Could not find AP from "
1162 "the scan results");
6fc6879b 1163 } else {
f049052b
BG		 1164 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1165 "WPA: Found the current AP from "
1166 "updated scan results");
6fc6879b
JM		 1167 }
1168 }
1169
1170 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1171 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1172 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1173 "with IE in Beacon/ProbeResp (no IE?)",
1174 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1175 ie->rsn_ie, ie->rsn_ie_len);
1176 return -1;
1177 }
1178
1179 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1180 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1181 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1182 (ie->rsn_ie && sm->ap_rsn_ie &&
26e23750
JM		 1183 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1184 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1185 ie->rsn_ie, ie->rsn_ie_len))) {
6fc6879b
JM		 1186 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1187 "with IE in Beacon/ProbeResp",
1188 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1189 ie->rsn_ie, ie->rsn_ie_len);
1190 return -1;
1191 }
1192
1193 if (sm->proto == WPA_PROTO_WPA &&
1194 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1195 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1196 "detected - RSN was enabled and RSN IE "
1197 "was in msg 3/4, but not in "
1198 "Beacon/ProbeResp",
1199 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1200 ie->rsn_ie, ie->rsn_ie_len);
1201 return -1;
1202 }
1203
1204#ifdef CONFIG_IEEE80211R
5af8187e
JM		 1205 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1206 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1207 return -1;
6fc6879b
JM		 1208#endif /* CONFIG_IEEE80211R */
1209
1210 return 0;
1211}
1212
1213
1214/**
1215 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1216 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1217 * @dst: Destination address for the frame
1218 * @key: Pointer to the EAPOL-Key frame header
1219 * @ver: Version bits from EAPOL-Key Key Info
1220 * @key_info: Key Info
6fc6879b 1221 * @ptk: PTK to use for keyed hash and encryption
c93b7e18 1222 * Returns: >= 0 on success, < 0 on failure
6fc6879b
JM		 1223 */
1224int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1225 const struct wpa_eapol_key *key,
1226 u16 ver, u16 key_info,
6fc6879b
JM		 1227 struct wpa_ptk *ptk)
1228{
5e3b5197 1229 size_t mic_len, hdrlen, rlen;
6fc6879b 1230 struct wpa_eapol_key *reply;
5e3b5197 1231 u8 *rbuf, *key_mic;
6fc6879b 1232
5e3b5197 1233 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1234 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 1235 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 1236 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 1237 if (rbuf == NULL)
1238 return -1;
1239
a14896e8
JM		 1240 reply->type = (sm->proto == WPA_PROTO_RSN ||
1241 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 1242 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1243 key_info &= WPA_KEY_INFO_SECURE;
4a26ccda
JM		 1244 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1245 if (mic_len)
1246 key_info |= WPA_KEY_INFO_MIC;
2022f1d0
JM		 1247 else
1248 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
6fc6879b 1249 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 1250 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 1251 WPA_PUT_BE16(reply->key_length, 0);
1252 else
1253 os_memcpy(reply->key_length, key->key_length, 2);
1254 os_memcpy(reply->replay_counter, key->replay_counter,
1255 WPA_REPLAY_COUNTER_LEN);
1256
6d014ffc
JM		 1257 key_mic = (u8 *) (reply + 1);
1258 WPA_PUT_BE16(key_mic + mic_len, 0);
6fc6879b 1259
f049052b 1260 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1049af7e
JM		 1261 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1262 key_mic);
6fc6879b
JM		 1263}
1264
1265
1266static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1267 const struct wpa_eapol_key *key,
e6270129
JM		 1268 u16 ver, const u8 *key_data,
1269 size_t key_data_len)
6fc6879b 1270{
e6270129 1271 u16 key_info, keylen;
6fc6879b
JM		 1272 struct wpa_eapol_ie_parse ie;
1273
1274 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
f049052b
BG		 1275 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1276 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
6fc6879b
JM		 1277
1278 key_info = WPA_GET_BE16(key->key_info);
1279
e6270129
JM		 1280 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1281 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
d627a939 1282 goto failed;
6fc6879b 1283 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1284 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1285 "WPA: GTK IE in unencrypted key data");
83935317 1286 goto failed;
6fc6879b
JM		 1287 }
1288#ifdef CONFIG_IEEE80211W
1289 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1290 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1291 "WPA: IGTK KDE in unencrypted key data");
83935317 1292 goto failed;
6fc6879b
JM		 1293 }
1294
8dd9f9cd
JM		 1295 if (ie.igtk &&
1296 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1297 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1298 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
f049052b
BG		 1299 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1300 "WPA: Invalid IGTK KDE length %lu",
1301 (unsigned long) ie.igtk_len);
83935317 1302 goto failed;
6fc6879b
JM		 1303 }
1304#endif /* CONFIG_IEEE80211W */
1305
1306 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
83935317 1307 goto failed;
6fc6879b
JM		 1308
1309 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
f049052b
BG		 1310 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1311 "WPA: ANonce from message 1 of 4-Way Handshake "
1312 "differs from 3 of 4-Way Handshake - drop packet (src="
1313 MACSTR ")", MAC2STR(sm->bssid));
83935317 1314 goto failed;
6fc6879b
JM		 1315 }
1316
1317 keylen = WPA_GET_BE16(key->key_length);
c3550295
JM		 1318 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1319 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1320 "WPA: Invalid %s key length %d (src=" MACSTR
1321 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1322 MAC2STR(sm->bssid));
1323 goto failed;
6fc6879b
JM		 1324 }
1325
25ef8529
JM		 1326#ifdef CONFIG_P2P
1327 if (ie.ip_addr_alloc) {
1328 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1329 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1330 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1331 }
1332#endif /* CONFIG_P2P */
1333
6fc6879b 1334 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
c93b7e18 1335 &sm->ptk) < 0) {
83935317
JM		 1336 goto failed;
1337 }
6fc6879b
JM		 1338
1339 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1340 * for the next 4-Way Handshake. If msg 3 is received again, the old
1341 * SNonce will still be used to avoid changing PTK. */
1342 sm->renew_snonce = 1;
1343
1344 if (key_info & WPA_KEY_INFO_INSTALL) {
83935317
JM		 1345 if (wpa_supplicant_install_ptk(sm, key))
1346 goto failed;
6fc6879b
JM		 1347 }
1348
1349 if (key_info & WPA_KEY_INFO_SECURE) {
1350 wpa_sm_mlme_setprotection(
1351 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1352 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1353 eapol_sm_notify_portValid(sm->eapol, TRUE);
1354 }
1355 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1356
dff1e285
JM		 1357 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1358 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1359 key_info & WPA_KEY_INFO_SECURE);
1360 } else if (ie.gtk &&
6fc6879b
JM		 1361 wpa_supplicant_pairwise_gtk(sm, key,
1362 ie.gtk, ie.gtk_len, key_info) < 0) {
f049052b
BG		 1363 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1364 "RSN: Failed to configure GTK");
83935317 1365 goto failed;
6fc6879b
JM		 1366 }
1367
83935317 1368 if (ieee80211w_set_keys(sm, &ie) < 0) {
f049052b
BG		 1369 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1370 "RSN: Failed to configure IGTK");
83935317
JM		 1371 goto failed;
1372 }
1373
392e68e8
SD		 1374 if (ie.gtk)
1375 wpa_sm_set_rekey_offload(sm);
b14a210c 1376
087a1f4e
JM		 1377 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt)) {
1378 struct rsn_pmksa_cache_entry *sa;
1379
70c93963 1380 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
98cd3d1c 1381 sm->ptk.kck, sm->ptk.kck_len,
087a1f4e 1382 sm->bssid, sm->own_addr,
869af307 1383 sm->network_ctx, sm->key_mgmt, NULL);
087a1f4e
JM		 1384 if (!sm->cur_pmksa)
1385 sm->cur_pmksa = sa;
1386 }
1387
761396e4 1388 sm->msg_3_of_4_ok = 1;
83935317
JM		 1389 return;
1390
1391failed:
1392 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 1393}
1394
1395
1396static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1397 const u8 *keydata,
1398 size_t keydatalen,
1399 u16 key_info,
1400 struct wpa_gtk_data *gd)
1401{
1402 int maxkeylen;
1403 struct wpa_eapol_ie_parse ie;
1404
ecbdc1a1
JM		 1405 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1406 keydata, keydatalen);
d627a939
JM		 1407 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1408 return -1;
6fc6879b 1409 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1410 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1411 "WPA: GTK IE in unencrypted key data");
6fc6879b
JM		 1412 return -1;
1413 }
1414 if (ie.gtk == NULL) {
f049052b
BG		 1415 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1416 "WPA: No GTK IE in Group Key msg 1/2");
6fc6879b
JM		 1417 return -1;
1418 }
1419 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1420
f049052b 1421 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6fc6879b
JM		 1422 gd->gtk_len, maxkeylen,
1423 &gd->key_rsc_len, &gd->alg))
1424 return -1;
1425
7cb9bb4d
JM		 1426 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1427 ie.gtk, ie.gtk_len);
6fc6879b
JM		 1428 gd->keyidx = ie.gtk[0] & 0x3;
1429 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1430 !!(ie.gtk[0] & BIT(2)));
1431 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
f049052b
BG		 1432 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1433 "RSN: Too long GTK in GTK IE (len=%lu)",
1434 (unsigned long) ie.gtk_len - 2);
6fc6879b
JM		 1435 return -1;
1436 }
1437 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1438
1439 if (ieee80211w_set_keys(sm, &ie) < 0)
f049052b
BG		 1440 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1441 "RSN: Failed to configure IGTK");
6fc6879b
JM		 1442
1443 return 0;
1444}
1445
1446
1447static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1448 const struct wpa_eapol_key *key,
e6270129
JM		 1449 const u8 *key_data,
1450 size_t key_data_len, u16 key_info,
1451 u16 ver, struct wpa_gtk_data *gd)
6fc6879b
JM		 1452{
1453 size_t maxkeylen;
c397eff8 1454 u16 gtk_len;
6fc6879b 1455
c397eff8 1456 gtk_len = WPA_GET_BE16(key->key_length);
e6270129 1457 maxkeylen = key_data_len;
6fc6879b
JM		 1458 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1459 if (maxkeylen < 8) {
f049052b
BG		 1460 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1461 "WPA: Too short maxkeylen (%lu)",
1462 (unsigned long) maxkeylen);
6fc6879b
JM		 1463 return -1;
1464 }
1465 maxkeylen -= 8;
1466 }
1467
c397eff8
JM		 1468 if (gtk_len > maxkeylen ||
1469 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1470 gtk_len, maxkeylen,
6fc6879b
JM		 1471 &gd->key_rsc_len, &gd->alg))
1472 return -1;
1473
c397eff8 1474 gd->gtk_len = gtk_len;
6fc6879b
JM		 1475 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1476 WPA_KEY_INFO_KEY_INDEX_SHIFT;
98cd3d1c 1477 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
7cb53ded
JM		 1478#ifdef CONFIG_NO_RC4
1479 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1480 "WPA: RC4 not supported in the build");
1481 return -1;
1482#else /* CONFIG_NO_RC4 */
d2c33b91 1483 u8 ek[32];
e6270129 1484 if (key_data_len > sizeof(gd->gtk)) {
f049052b
BG		 1485 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1486 "WPA: RC4 key data too long (%lu)",
e6270129 1487 (unsigned long) key_data_len);
6fc6879b
JM		 1488 return -1;
1489 }
d2c33b91 1490 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1491 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
e6270129
JM		 1492 os_memcpy(gd->gtk, key_data, key_data_len);
1493 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
d2c33b91 1494 os_memset(ek, 0, sizeof(ek));
f049052b
BG		 1495 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1496 "WPA: RC4 failed");
7a215dfc
JM		 1497 return -1;
1498 }
d2c33b91 1499 os_memset(ek, 0, sizeof(ek));
7cb53ded 1500#endif /* CONFIG_NO_RC4 */
6fc6879b 1501 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
e6270129 1502 if (maxkeylen % 8) {
f049052b
BG		 1503 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1504 "WPA: Unsupported AES-WRAP len %lu",
e6270129 1505 (unsigned long) maxkeylen);
6fc6879b
JM		 1506 return -1;
1507 }
1508 if (maxkeylen > sizeof(gd->gtk)) {
f049052b
BG		 1509 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1510 "WPA: AES-WRAP key data "
1511 "too long (keydatalen=%lu maxkeylen=%lu)",
e6270129 1512 (unsigned long) key_data_len,
f049052b 1513 (unsigned long) maxkeylen);
6fc6879b
JM		 1514 return -1;
1515 }
98cd3d1c
JM		 1516 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1517 key_data, gd->gtk)) {
f049052b
BG		 1518 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1519 "WPA: AES unwrap failed - could not decrypt "
1520 "GTK");
6fc6879b
JM		 1521 return -1;
1522 }
1523 } else {
f049052b
BG		 1524 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1525 "WPA: Unsupported key_info type %d", ver);
6fc6879b
JM		 1526 return -1;
1527 }
1528 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1529 sm, !!(key_info & WPA_KEY_INFO_TXRX));
1530 return 0;
1531}
1532
1533
1534static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1535 const struct wpa_eapol_key *key,
1536 int ver, u16 key_info)
1537{
5e3b5197 1538 size_t mic_len, hdrlen, rlen;
6fc6879b 1539 struct wpa_eapol_key *reply;
5e3b5197 1540 u8 *rbuf, *key_mic;
6fc6879b 1541
5e3b5197 1542 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1543 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 1544 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 1545 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 1546 if (rbuf == NULL)
1547 return -1;
1548
a14896e8
JM		 1549 reply->type = (sm->proto == WPA_PROTO_RSN ||
1550 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 1551 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1552 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
4a26ccda
JM		 1553 key_info |= ver | WPA_KEY_INFO_SECURE;
1554 if (mic_len)
1555 key_info |= WPA_KEY_INFO_MIC;
6fc6879b 1556 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 1557 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 1558 WPA_PUT_BE16(reply->key_length, 0);
1559 else
1560 os_memcpy(reply->key_length, key->key_length, 2);
1561 os_memcpy(reply->replay_counter, key->replay_counter,
1562 WPA_REPLAY_COUNTER_LEN);
1563
6d014ffc
JM		 1564 key_mic = (u8 *) (reply + 1);
1565 WPA_PUT_BE16(key_mic + mic_len, 0);
6fc6879b 1566
f049052b 1567 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1049af7e
JM		 1568 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
1569 rbuf, rlen, key_mic);
6fc6879b
JM		 1570}
1571
1572
1573static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1574 const unsigned char *src_addr,
1575 const struct wpa_eapol_key *key,
e6270129
JM		 1576 const u8 *key_data,
1577 size_t key_data_len, u16 ver)
6fc6879b 1578{
e6270129 1579 u16 key_info;
6fc6879b
JM		 1580 int rekey, ret;
1581 struct wpa_gtk_data gd;
73ed03f3 1582 const u8 *key_rsc;
6fc6879b 1583
761396e4
JM		 1584 if (!sm->msg_3_of_4_ok) {
1585 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1586 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
1587 goto failed;
1588 }
1589
6fc6879b
JM		 1590 os_memset(&gd, 0, sizeof(gd));
1591
1592 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
f049052b
BG		 1593 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
1594 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
6fc6879b
JM		 1595
1596 key_info = WPA_GET_BE16(key->key_info);
6fc6879b 1597
a14896e8 1598 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
e6270129
JM		 1599 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1600 key_data_len, key_info,
6fc6879b
JM		 1601 &gd);
1602 } else {
e6270129
JM		 1603 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1604 key_data_len,
1605 key_info, ver, &gd);
6fc6879b
JM		 1606 }
1607
1608 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1609
1610 if (ret)
83935317 1611 goto failed;
6fc6879b 1612
73ed03f3
MS		 1613 key_rsc = key->key_rsc;
1614 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1615 key_rsc = null_rsc;
1616
1617 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
c93b7e18 1618 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
83935317 1619 goto failed;
fbfc974c 1620 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 1621
1622 if (rekey) {
0f057fb2 1623 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
6fc6879b
JM		 1624 "completed with " MACSTR " [GTK=%s]",
1625 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1626 wpa_sm_cancel_auth_timeout(sm);
1627 wpa_sm_set_state(sm, WPA_COMPLETED);
1628 } else {
1629 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1630 key_info &
1631 WPA_KEY_INFO_SECURE);
1632 }
392e68e8
SD		 1633
1634 wpa_sm_set_rekey_offload(sm);
1635
83935317
JM		 1636 return;
1637
1638failed:
fbfc974c 1639 os_memset(&gd, 0, sizeof(gd));
83935317 1640 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 1641}
1642
1643
1644static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
6d014ffc 1645 struct wpa_eapol_key *key,
6fc6879b
JM		 1646 u16 ver,
1647 const u8 *buf, size_t len)
1648{
98cd3d1c 1649 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
6fc6879b 1650 int ok = 0;
5e3b5197 1651 size_t mic_len = wpa_mic_len(sm->key_mgmt);
6fc6879b 1652
6d014ffc 1653 os_memcpy(mic, key + 1, mic_len);
6fc6879b 1654 if (sm->tptk_set) {
6d014ffc 1655 os_memset(key + 1, 0, mic_len);
98cd3d1c 1656 wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,
6d014ffc
JM		 1657 ver, buf, len, (u8 *) (key + 1));
1658 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
f049052b
BG		 1659 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1660 "WPA: Invalid EAPOL-Key MIC "
1661 "when using TPTK - ignoring TPTK");
6fc6879b
JM		 1662 } else {
1663 ok = 1;
1664 sm->tptk_set = 0;
1665 sm->ptk_set = 1;
1666 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
d2c33b91 1667 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
6fc6879b
JM		 1668 }
1669 }
1670
1671 if (!ok && sm->ptk_set) {
6d014ffc 1672 os_memset(key + 1, 0, mic_len);
98cd3d1c 1673 wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,
6d014ffc
JM		 1674 ver, buf, len, (u8 *) (key + 1));
1675 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
f049052b
BG		 1676 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1677 "WPA: Invalid EAPOL-Key MIC - "
1678 "dropping packet");
6fc6879b
JM		 1679 return -1;
1680 }
1681 ok = 1;
1682 }
1683
1684 if (!ok) {
f049052b
BG		 1685 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1686 "WPA: Could not verify EAPOL-Key MIC - "
1687 "dropping packet");
6fc6879b
JM		 1688 return -1;
1689 }
1690
1691 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1692 WPA_REPLAY_COUNTER_LEN);
1693 sm->rx_replay_counter_set = 1;
1694 return 0;
1695}
1696
1697
1698/* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1699static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
6d014ffc
JM		 1700 struct wpa_eapol_key *key,
1701 size_t mic_len, u16 ver,
e6270129 1702 u8 *key_data, size_t *key_data_len)
6fc6879b 1703{
6fc6879b 1704 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
e6270129 1705 key_data, *key_data_len);
6fc6879b 1706 if (!sm->ptk_set) {
f049052b
BG		 1707 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1708 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1709 "Data");
6fc6879b
JM		 1710 return -1;
1711 }
1712
1713 /* Decrypt key data here so that this operation does not need
1714 * to be implemented separately for each message type. */
98cd3d1c 1715 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
7cb53ded
JM		 1716#ifdef CONFIG_NO_RC4
1717 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1718 "WPA: RC4 not supported in the build");
1719 return -1;
1720#else /* CONFIG_NO_RC4 */
6fc6879b
JM		 1721 u8 ek[32];
1722 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1723 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
e6270129 1724 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
d2c33b91 1725 os_memset(ek, 0, sizeof(ek));
f049052b
BG		 1726 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1727 "WPA: RC4 failed");
7a215dfc
JM		 1728 return -1;
1729 }
d2c33b91 1730 os_memset(ek, 0, sizeof(ek));
7cb53ded 1731#endif /* CONFIG_NO_RC4 */
6fc6879b 1732 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
df0f01d9 1733 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
929a2ea5
JM		 1734 sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
1735 wpa_key_mgmt_suite_b(sm->key_mgmt)) {
6fc6879b 1736 u8 *buf;
e6270129 1737 if (*key_data_len < 8 || *key_data_len % 8) {
f049052b 1738 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
e6270129
JM		 1739 "WPA: Unsupported AES-WRAP len %u",
1740 (unsigned int) *key_data_len);
6fc6879b
JM		 1741 return -1;
1742 }
e6270129
JM		 1743 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
1744 buf = os_malloc(*key_data_len);
6fc6879b 1745 if (buf == NULL) {
f049052b
BG		 1746 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1747 "WPA: No memory for AES-UNWRAP buffer");
6fc6879b
JM		 1748 return -1;
1749 }
98cd3d1c 1750 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
e6270129 1751 key_data, buf)) {
cd5895e8 1752 bin_clear_free(buf, *key_data_len);
f049052b
BG		 1753 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1754 "WPA: AES unwrap failed - "
1755 "could not decrypt EAPOL-Key key data");
6fc6879b
JM		 1756 return -1;
1757 }
e6270129 1758 os_memcpy(key_data, buf, *key_data_len);
cd5895e8 1759 bin_clear_free(buf, *key_data_len);
6d014ffc 1760 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
6fc6879b 1761 } else {
f049052b
BG		 1762 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1763 "WPA: Unsupported key_info type %d", ver);
6fc6879b
JM		 1764 return -1;
1765 }
1766 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
e6270129 1767 key_data, *key_data_len);
6fc6879b
JM		 1768 return 0;
1769}
1770
1771
1772/**
1773 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
1774 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1775 */
1776void wpa_sm_aborted_cached(struct wpa_sm *sm)
1777{
1778 if (sm && sm->cur_pmksa) {
f049052b
BG		 1779 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1780 "RSN: Cancelling PMKSA caching attempt");
6fc6879b
JM		 1781 sm->cur_pmksa = NULL;
1782 }
1783}
1784
1785
f049052b 1786static void wpa_eapol_key_dump(struct wpa_sm *sm,
5e3b5197
JM		 1787 const struct wpa_eapol_key *key,
1788 unsigned int key_data_len,
1789 const u8 *mic, unsigned int mic_len)
6fc6879b
JM		 1790{
1791#ifndef CONFIG_NO_STDOUT_DEBUG
1792 u16 key_info = WPA_GET_BE16(key->key_info);
1793
f049052b
BG		 1794 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
1795 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1796 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
1797 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
1798 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1799 WPA_KEY_INFO_KEY_INDEX_SHIFT,
1800 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
1801 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
1802 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
1803 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
1804 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
1805 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
1806 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
1807 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
1808 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
1809 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1810 " key_length=%u key_data_length=%u",
5e3b5197 1811 WPA_GET_BE16(key->key_length), key_data_len);
6fc6879b
JM		 1812 wpa_hexdump(MSG_DEBUG, " replay_counter",
1813 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1814 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
1815 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
1816 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
1817 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
5e3b5197 1818 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
6fc6879b
JM		 1819#endif /* CONFIG_NO_STDOUT_DEBUG */
1820}
1821
1822
0ab1dd01
JM		 1823#ifdef CONFIG_FILS
1824static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
1825 size_t *key_data_len)
1826{
1827 struct wpa_ptk *ptk;
1828 struct ieee802_1x_hdr *hdr;
1829 struct wpa_eapol_key *key;
1830 u8 *pos, *tmp;
1831 const u8 *aad[1];
1832 size_t aad_len[1];
1833
1834 if (*key_data_len < AES_BLOCK_SIZE) {
1835 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
1836 return -1;
1837 }
1838
1839 if (sm->tptk_set)
1840 ptk = &sm->tptk;
1841 else if (sm->ptk_set)
1842 ptk = &sm->ptk;
1843 else
1844 return -1;
1845
1846 hdr = (struct ieee802_1x_hdr *) buf;
1847 key = (struct wpa_eapol_key *) (hdr + 1);
1848 pos = (u8 *) (key + 1);
1849 pos += 2; /* Pointing at the Encrypted Key Data field */
1850
1851 tmp = os_malloc(*key_data_len);
1852 if (!tmp)
1853 return -1;
1854
1855 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1856 * to Key Data (exclusive). */
1857 aad[0] = buf;
1858 aad_len[0] = pos - buf;
1859 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
1860 1, aad, aad_len, tmp) < 0) {
1861 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
1862 bin_clear_free(tmp, *key_data_len);
1863 return -1;
1864 }
1865
1866 /* AEAD decryption and validation completed successfully */
1867 (*key_data_len) -= AES_BLOCK_SIZE;
1868 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
1869 tmp, *key_data_len);
1870
1871 /* Replace Key Data field with the decrypted version */
1872 os_memcpy(pos, tmp, *key_data_len);
1873 pos -= 2; /* Key Data Length field */
1874 WPA_PUT_BE16(pos, *key_data_len);
1875 bin_clear_free(tmp, *key_data_len);
1876
1877 if (sm->tptk_set) {
1878 sm->tptk_set = 0;
1879 sm->ptk_set = 1;
1880 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1881 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1882 }
1883
1884 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1885 WPA_REPLAY_COUNTER_LEN);
1886 sm->rx_replay_counter_set = 1;
1887
1888 return 0;
1889}
1890#endif /* CONFIG_FILS */
1891
1892
6fc6879b
JM		 1893/**
1894 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
1895 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1896 * @src_addr: Source MAC address of the EAPOL packet
1897 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
1898 * @len: Length of the EAPOL frame
1899 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
1900 *
1901 * This function is called for each received EAPOL frame. Other than EAPOL-Key
1902 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
1903 * only processing WPA and WPA2 EAPOL-Key frames.
1904 *
1905 * The received EAPOL-Key packets are validated and valid packets are replied
1906 * to. In addition, key material (PTK, GTK) is configured at the end of a
1907 * successful key handshake.
1908 */
1909int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
1910 const u8 *buf, size_t len)
1911{
e6270129 1912 size_t plen, data_len, key_data_len;
d56d7e56 1913 const struct ieee802_1x_hdr *hdr;
6fc6879b
JM		 1914 struct wpa_eapol_key *key;
1915 u16 key_info, ver;
d56d7e56 1916 u8 *tmp = NULL;
6fc6879b
JM		 1917 int ret = -1;
1918 struct wpa_peerkey *peerkey = NULL;
6d014ffc 1919 u8 *mic, *key_data;
5e3b5197 1920 size_t mic_len, keyhdrlen;
6fc6879b
JM		 1921
1922#ifdef CONFIG_IEEE80211R
1923 sm->ft_completed = 0;
1924#endif /* CONFIG_IEEE80211R */
1925
5e3b5197 1926 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1927 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1928
1929 if (len < sizeof(*hdr) + keyhdrlen) {
f049052b
BG		 1930 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1931 "WPA: EAPOL frame too short to be a WPA "
1932 "EAPOL-Key (len %lu, expecting at least %lu)",
1933 (unsigned long) len,
5e3b5197 1934 (unsigned long) sizeof(*hdr) + keyhdrlen);
6fc6879b
JM		 1935 return 0;
1936 }
1937
d56d7e56 1938 hdr = (const struct ieee802_1x_hdr *) buf;
6fc6879b
JM		 1939 plen = be_to_host16(hdr->length);
1940 data_len = plen + sizeof(*hdr);
f049052b
BG		 1941 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1942 "IEEE 802.1X RX: version=%d type=%d length=%lu",
1943 hdr->version, hdr->type, (unsigned long) plen);
6fc6879b
JM		 1944
1945 if (hdr->version < EAPOL_VERSION) {
1946 /* TODO: backwards compatibility */
1947 }
1948 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
f049052b
BG		 1949 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1950 "WPA: EAPOL frame (type %u) discarded, "
6fc6879b
JM		 1951 "not a Key frame", hdr->type);
1952 ret = 0;
1953 goto out;
1954 }
d56d7e56 1955 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
5e3b5197 1956 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
f049052b
BG		 1957 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1958 "WPA: EAPOL frame payload size %lu "
1959 "invalid (frame size %lu)",
1960 (unsigned long) plen, (unsigned long) len);
6fc6879b
JM		 1961 ret = 0;
1962 goto out;
1963 }
d56d7e56
JM		 1964 if (data_len < len) {
1965 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1966 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
1967 (unsigned long) len - data_len);
1968 }
1969
1970 /*
1971 * Make a copy of the frame since we need to modify the buffer during
1972 * MAC validation and Key Data decryption.
1973 */
a1f11e34 1974 tmp = os_memdup(buf, data_len);
d56d7e56
JM		 1975 if (tmp == NULL)
1976 goto out;
d56d7e56 1977 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
6d014ffc
JM		 1978 mic = (u8 *) (key + 1);
1979 key_data = mic + mic_len + 2;
6fc6879b
JM		 1980
1981 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
1982 {
f049052b
BG		 1983 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1984 "WPA: EAPOL-Key type (%d) unknown, discarded",
1985 key->type);
6fc6879b
JM		 1986 ret = 0;
1987 goto out;
1988 }
6fc6879b 1989
6d014ffc
JM		 1990 key_data_len = WPA_GET_BE16(mic + mic_len);
1991 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
5e3b5197
JM		 1992
1993 if (key_data_len > plen - keyhdrlen) {
d56d7e56
JM		 1994 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
1995 "frame - key_data overflow (%u > %u)",
e6270129 1996 (unsigned int) key_data_len,
5e3b5197 1997 (unsigned int) (plen - keyhdrlen));
d56d7e56 1998 goto out;
6fc6879b 1999 }
d56d7e56
JM		 2000
2001 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
6fc6879b
JM		 2002 key_info = WPA_GET_BE16(key->key_info);
2003 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2004 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
a20088e5 2005#if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
6fc6879b 2006 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
a20088e5 2007#endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
df0f01d9 2008 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
929a2ea5 2009 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
352caf00 2010 !wpa_key_mgmt_fils(sm->key_mgmt) &&
df0f01d9 2011 sm->key_mgmt != WPA_KEY_MGMT_OSEN) {
f049052b
BG		 2012 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2013 "WPA: Unsupported EAPOL-Key descriptor version %d",
2014 ver);
6fc6879b
JM		 2015 goto out;
2016 }
2017
df0f01d9
JM		 2018 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN &&
2019 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2020 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2021 "OSEN: Unsupported EAPOL-Key descriptor version %d",
2022 ver);
2023 goto out;
2024 }
2025
352caf00
JM		 2026 if ((wpa_key_mgmt_suite_b(sm->key_mgmt) ||
2027 wpa_key_mgmt_fils(sm->key_mgmt)) &&
929a2ea5
JM		 2028 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2029 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2030 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2031 ver);
2032 goto out;
2033 }
2034
6fc6879b 2035#ifdef CONFIG_IEEE80211R
56586197 2036 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6fc6879b
JM		 2037 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2038 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
f049052b
BG		 2039 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2040 "FT: AP did not use AES-128-CMAC");
6fc6879b
JM		 2041 goto out;
2042 }
2043 } else
2044#endif /* CONFIG_IEEE80211R */
56586197
JM		 2045#ifdef CONFIG_IEEE80211W
2046 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
df0f01d9 2047 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
929a2ea5 2048 sm->key_mgmt != WPA_KEY_MGMT_OSEN &&
352caf00 2049 !wpa_key_mgmt_fils(sm->key_mgmt) &&
929a2ea5 2050 !wpa_key_mgmt_suite_b(sm->key_mgmt)) {
f049052b
BG		 2051 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2052 "WPA: AP did not use the "
2053 "negotiated AES-128-CMAC");
56586197
JM		 2054 goto out;
2055 }
2056 } else
2057#endif /* CONFIG_IEEE80211W */
6fc6879b 2058 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
929a2ea5 2059 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
352caf00 2060 !wpa_key_mgmt_fils(sm->key_mgmt) &&
6fc6879b 2061 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
f049052b
BG		 2062 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2063 "WPA: CCMP is used, but EAPOL-Key "
2064 "descriptor version (%d) is not 2", ver);
6fc6879b
JM		 2065 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2066 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2067 /* Earlier versions of IEEE 802.11i did not explicitly
2068 * require version 2 descriptor for all EAPOL-Key
2069 * packets, so allow group keys to use version 1 if
2070 * CCMP is not used for them. */
f049052b
BG		 2071 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2072 "WPA: Backwards compatibility: allow invalid "
2073 "version for non-CCMP group keys");
9f6a7cdd
JM		 2074 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2075 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2076 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
6fc6879b
JM		 2077 } else
2078 goto out;
801e1173 2079 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
929a2ea5 2080 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
801e1173 2081 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
eb7719ff
JM		 2082 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2083 "WPA: GCMP is used, but EAPOL-Key "
2084 "descriptor version (%d) is not 2", ver);
2085 goto out;
2086 }
6fc6879b
JM		 2087
2088#ifdef CONFIG_PEERKEY
2089 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
2090 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
2091 break;
2092 }
2093
2094 if (!(key_info & WPA_KEY_INFO_SMK_MESSAGE) && peerkey) {
2095 if (!peerkey->initiator && peerkey->replay_counter_set &&
2096 os_memcmp(key->replay_counter, peerkey->replay_counter,
2097 WPA_REPLAY_COUNTER_LEN) <= 0) {
f049052b
BG		 2098 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2099 "RSN: EAPOL-Key Replay Counter did not "
2100 "increase (STK) - dropping packet");
6fc6879b
JM		 2101 goto out;
2102 } else if (peerkey->initiator) {
2103 u8 _tmp[WPA_REPLAY_COUNTER_LEN];
2104 os_memcpy(_tmp, key->replay_counter,
2105 WPA_REPLAY_COUNTER_LEN);
2106 inc_byte_array(_tmp, WPA_REPLAY_COUNTER_LEN);
2107 if (os_memcmp(_tmp, peerkey->replay_counter,
2108 WPA_REPLAY_COUNTER_LEN) != 0) {
f049052b
BG		 2109 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2110 "RSN: EAPOL-Key Replay "
2111 "Counter did not match (STK) - "
2112 "dropping packet");
6fc6879b
JM		 2113 goto out;
2114 }
2115 }
2116 }
2117
2118 if (peerkey && peerkey->initiator && (key_info & WPA_KEY_INFO_ACK)) {
f049052b
BG		 2119 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2120 "RSN: Ack bit in key_info from STK peer");
6fc6879b
JM		 2121 goto out;
2122 }
2123#endif /* CONFIG_PEERKEY */
2124
2125 if (!peerkey && sm->rx_replay_counter_set &&
2126 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2127 WPA_REPLAY_COUNTER_LEN) <= 0) {
f049052b
BG		 2128 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2129 "WPA: EAPOL-Key Replay Counter did not increase - "
2130 "dropping packet");
6fc6879b
JM		 2131 goto out;
2132 }
2133
2134 if (!(key_info & (WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE))
2135#ifdef CONFIG_PEERKEY
2136 && (peerkey == NULL || !peerkey->initiator)
2137#endif /* CONFIG_PEERKEY */
2138 ) {
f049052b
BG		 2139 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2140 "WPA: No Ack bit in key_info");
6fc6879b
JM		 2141 goto out;
2142 }
2143
2144 if (key_info & WPA_KEY_INFO_REQUEST) {
f049052b
BG		 2145 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2146 "WPA: EAPOL-Key with Request bit - dropped");
6fc6879b
JM		 2147 goto out;
2148 }
2149
2150 if ((key_info & WPA_KEY_INFO_MIC) && !peerkey &&
6d014ffc 2151 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
6fc6879b
JM		 2152 goto out;
2153
2154#ifdef CONFIG_PEERKEY
2155 if ((key_info & WPA_KEY_INFO_MIC) && peerkey &&
6d014ffc 2156 peerkey_verify_eapol_key_mic(sm, peerkey, key, ver, tmp,
5e3b5197 2157 data_len))
6fc6879b
JM		 2158 goto out;
2159#endif /* CONFIG_PEERKEY */
2160
0ab1dd01
JM		 2161#ifdef CONFIG_FILS
2162 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2163 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2164 goto out;
2165 }
2166#endif /* CONFIG_FILS */
2167
a14896e8 2168 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
0ab1dd01 2169 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
6d014ffc
JM		 2170 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2171 ver, key_data,
e6270129 2172 &key_data_len))
d56d7e56 2173 goto out;
6fc6879b
JM		 2174 }
2175
2176 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2177 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
f049052b
BG		 2178 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2179 "WPA: Ignored EAPOL-Key (Pairwise) with "
2180 "non-zero key index");
6fc6879b
JM		 2181 goto out;
2182 }
2183 if (peerkey) {
2184 /* PeerKey 4-Way Handshake */
f107d00c
JM		 2185 peerkey_rx_eapol_4way(sm, peerkey, key, key_info, ver,
2186 key_data, key_data_len);
0ab1dd01
JM		 2187 } else if (key_info & (WPA_KEY_INFO_MIC |
2188 WPA_KEY_INFO_ENCR_KEY_DATA)) {
6fc6879b 2189 /* 3/4 4-Way Handshake */
e6270129
JM		 2190 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2191 key_data_len);
6fc6879b
JM		 2192 } else {
2193 /* 1/4 4-Way Handshake */
2194 wpa_supplicant_process_1_of_4(sm, src_addr, key,
e6270129
JM		 2195 ver, key_data,
2196 key_data_len);
6fc6879b
JM		 2197 }
2198 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2199 /* PeerKey SMK Handshake */
28fb9bb1
JM		 2200 peerkey_rx_eapol_smk(sm, src_addr, key, key_data, key_data_len,
2201 key_info, ver);
6fc6879b 2202 } else {
16eb4858
JM		 2203 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2204 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
6fc6879b
JM		 2205 /* 1/2 Group Key Handshake */
2206 wpa_supplicant_process_1_of_2(sm, src_addr, key,
e6270129
JM		 2207 key_data, key_data_len,
2208 ver);
6fc6879b 2209 } else {
f049052b 2210 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
16eb4858 2211 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
f049052b 2212 "dropped");
6fc6879b
JM		 2213 }
2214 }
2215
2216 ret = 1;
2217
2218out:
fbfc974c 2219 bin_clear_free(tmp, data_len);
6fc6879b
JM		 2220 return ret;
2221}
2222
2223
2224#ifdef CONFIG_CTRL_IFACE
6fc6879b
JM		 2225static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2226{
2227 switch (sm->key_mgmt) {
2228 case WPA_KEY_MGMT_IEEE8021X:
a14896e8
JM		 2229 return ((sm->proto == WPA_PROTO_RSN ||
2230 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 2231 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2232 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2233 case WPA_KEY_MGMT_PSK:
2234 return (sm->proto == WPA_PROTO_RSN ?
2235 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2236 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2237#ifdef CONFIG_IEEE80211R
2238 case WPA_KEY_MGMT_FT_IEEE8021X:
2239 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2240 case WPA_KEY_MGMT_FT_PSK:
2241 return RSN_AUTH_KEY_MGMT_FT_PSK;
2242#endif /* CONFIG_IEEE80211R */
56586197
JM		 2243#ifdef CONFIG_IEEE80211W
2244 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2245 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2246 case WPA_KEY_MGMT_PSK_SHA256:
2247 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2248#endif /* CONFIG_IEEE80211W */
369c8d7b
JM		 2249 case WPA_KEY_MGMT_CCKM:
2250 return (sm->proto == WPA_PROTO_RSN ?
2251 RSN_AUTH_KEY_MGMT_CCKM:
2252 WPA_AUTH_KEY_MGMT_CCKM);
6fc6879b
JM		 2253 case WPA_KEY_MGMT_WPA_NONE:
2254 return WPA_AUTH_KEY_MGMT_NONE;
666497c8
JM		 2255 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2256 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
5e3b5197
JM		 2257 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2258 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
6fc6879b
JM		 2259 default:
2260 return 0;
2261 }
2262}
2263
2264
6fc6879b
JM		 2265#define RSN_SUITE "%02x-%02x-%02x-%d"
2266#define RSN_SUITE_ARG(s) \
2267((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2268
2269/**
2270 * wpa_sm_get_mib - Dump text list of MIB entries
2271 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2272 * @buf: Buffer for the list
2273 * @buflen: Length of the buffer
2274 * Returns: Number of bytes written to buffer
2275 *
2276 * This function is used fetch dot11 MIB variables.
2277 */
2278int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2279{
2280 char pmkid_txt[PMKID_LEN * 2 + 1];
2281 int rsna, ret;
2282 size_t len;
2283
2284 if (sm->cur_pmksa) {
2285 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2286 sm->cur_pmksa->pmkid, PMKID_LEN);
2287 } else
2288 pmkid_txt[0] = '\0';
2289
56586197
JM		 2290 if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2291 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
6fc6879b
JM		 2292 sm->proto == WPA_PROTO_RSN)
2293 rsna = 1;
2294 else
2295 rsna = 0;
2296
2297 ret = os_snprintf(buf, buflen,
2298 "dot11RSNAOptionImplemented=TRUE\n"
2299 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2300 "dot11RSNAEnabled=%s\n"
2301 "dot11RSNAPreauthenticationEnabled=%s\n"
2302 "dot11RSNAConfigVersion=%d\n"
2303 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2304 "dot11RSNAConfigGroupCipherSize=%d\n"
2305 "dot11RSNAConfigPMKLifetime=%d\n"
2306 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2307 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2308 "dot11RSNAConfigSATimeout=%d\n",
2309 rsna ? "TRUE" : "FALSE",
2310 rsna ? "TRUE" : "FALSE",
2311 RSN_VERSION,
c3550295 2312 wpa_cipher_key_len(sm->group_cipher) * 8,
6fc6879b
JM		 2313 sm->dot11RSNAConfigPMKLifetime,
2314 sm->dot11RSNAConfigPMKReauthThreshold,
2315 sm->dot11RSNAConfigSATimeout);
d85e1fc8 2316 if (os_snprintf_error(buflen, ret))
6fc6879b
JM		 2317 return 0;
2318 len = ret;
2319
2320 ret = os_snprintf(
2321 buf + len, buflen - len,
2322 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2323 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2324 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2325 "dot11RSNAPMKIDUsed=%s\n"
2326 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2327 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2328 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2329 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2330 "dot11RSNA4WayHandshakeFailures=%u\n",
2331 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
c3550295
JM		 2332 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2333 sm->pairwise_cipher)),
2334 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2335 sm->group_cipher)),
6fc6879b
JM		 2336 pmkid_txt,
2337 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
c3550295
JM		 2338 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2339 sm->pairwise_cipher)),
2340 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2341 sm->group_cipher)),
6fc6879b 2342 sm->dot11RSNA4WayHandshakeFailures);
1f102d3b 2343 if (!os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 2344 len += ret;
2345
2346 return (int) len;
2347}
2348#endif /* CONFIG_CTRL_IFACE */
2349
2350
2351static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
6aaac006 2352 void *ctx, enum pmksa_free_reason reason)
6fc6879b
JM		 2353{
2354 struct wpa_sm *sm = ctx;
6aaac006 2355 int deauth = 0;
6fc6879b 2356
6aaac006
DW		 2357 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2358 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2359
2360 if (sm->cur_pmksa == entry) {
2361 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2362 "RSN: %s current PMKSA entry",
2363 reason == PMKSA_REPLACE ? "replaced" : "removed");
2364 pmksa_cache_clear_current(sm);
2365
2366 /*
2367 * If an entry is simply being replaced, there's no need to
2368 * deauthenticate because it will be immediately re-added.
2369 * This happens when EAP authentication is completed again
2370 * (reauth or failed PMKSA caching attempt).
2371 */
2372 if (reason != PMKSA_REPLACE)
2373 deauth = 1;
2374 }
2375
2376 if (reason == PMKSA_EXPIRE &&
6fc6879b
JM		 2377 (sm->pmk_len == entry->pmk_len &&
2378 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
f049052b 2379 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
6aaac006
DW		 2380 "RSN: deauthenticating due to expired PMK");
2381 pmksa_cache_clear_current(sm);
2382 deauth = 1;
2383 }
6fc6879b 2384
6aaac006 2385 if (deauth) {
6fc6879b
JM		 2386 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2387 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 2388 }
2389}
2390
2391
2392/**
2393 * wpa_sm_init - Initialize WPA state machine
2394 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2395 * Returns: Pointer to the allocated WPA state machine data
2396 *
2397 * This function is used to allocate a new WPA state machine and the returned
2398 * value is passed to all WPA state machine calls.
2399 */
2400struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2401{
2402 struct wpa_sm *sm;
2403
2404 sm = os_zalloc(sizeof(*sm));
2405 if (sm == NULL)
2406 return NULL;
c5b26e33 2407 dl_list_init(&sm->pmksa_candidates);
6fc6879b
JM		 2408 sm->renew_snonce = 1;
2409 sm->ctx = ctx;
2410
2411 sm->dot11RSNAConfigPMKLifetime = 43200;
2412 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2413 sm->dot11RSNAConfigSATimeout = 60;
2414
2415 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2416 if (sm->pmksa == NULL) {
f049052b
BG		 2417 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2418 "RSN: PMKSA cache initialization failed");
6fc6879b
JM		 2419 os_free(sm);
2420 return NULL;
2421 }
2422
2423 return sm;
2424}
2425
2426
2427/**
2428 * wpa_sm_deinit - Deinitialize WPA state machine
2429 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2430 */
2431void wpa_sm_deinit(struct wpa_sm *sm)
2432{
2433 if (sm == NULL)
2434 return;
2435 pmksa_cache_deinit(sm->pmksa);
2436 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
581a8cde 2437 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
6fc6879b
JM		 2438 os_free(sm->assoc_wpa_ie);
2439 os_free(sm->ap_wpa_ie);
2440 os_free(sm->ap_rsn_ie);
71932544 2441 wpa_sm_drop_sa(sm);
6fc6879b
JM		 2442 os_free(sm->ctx);
2443 peerkey_deinit(sm);
55046414
JM		 2444#ifdef CONFIG_IEEE80211R
2445 os_free(sm->assoc_resp_ies);
2446#endif /* CONFIG_IEEE80211R */
651c6a84
JM		 2447#ifdef CONFIG_TESTING_OPTIONS
2448 wpabuf_free(sm->test_assoc_ie);
2449#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 2450 os_free(sm);
2451}
2452
2453
2454/**
2455 * wpa_sm_notify_assoc - Notify WPA state machine about association
2456 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2457 * @bssid: The BSSID of the new association
2458 *
2459 * This function is called to let WPA state machine know that the connection
2460 * was established.
2461 */
2462void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2463{
58a98fb0
JM		 2464 int clear_ptk = 1;
2465
6fc6879b
JM		 2466 if (sm == NULL)
2467 return;
2468
f049052b
BG		 2469 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2470 "WPA: Association event - clear replay counter");
6fc6879b
JM		 2471 os_memcpy(sm->bssid, bssid, ETH_ALEN);
2472 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2473 sm->rx_replay_counter_set = 0;
2474 sm->renew_snonce = 1;
2475 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2476 rsn_preauth_deinit(sm);
2477
2478#ifdef CONFIG_IEEE80211R
58a98fb0 2479 if (wpa_ft_is_completed(sm)) {
5d5a9f00
JM		 2480 /*
2481 * Clear portValid to kick EAPOL state machine to re-enter
2482 * AUTHENTICATED state to get the EAPOL port Authorized.
2483 */
2484 eapol_sm_notify_portValid(sm->eapol, FALSE);
6fc6879b
JM		 2485 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2486
2487 /* Prepare for the next transition */
76b7981d 2488 wpa_ft_prepare_auth_request(sm, NULL);
58a98fb0
JM		 2489
2490 clear_ptk = 0;
6fc6879b
JM		 2491 }
2492#endif /* CONFIG_IEEE80211R */
706df429
JM		 2493#ifdef CONFIG_FILS
2494 if (sm->fils_completed) {
2495 /*
2496 * Clear portValid to kick EAPOL state machine to re-enter
2497 * AUTHENTICATED state to get the EAPOL port Authorized.
2498 */
2499 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2500 clear_ptk = 0;
2501 }
2502#endif /* CONFIG_FILS */
58a98fb0
JM		 2503
2504 if (clear_ptk) {
2505 /*
2506 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2507 * this is not part of a Fast BSS Transition.
2508 */
f049052b 2509 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
58a98fb0 2510 sm->ptk_set = 0;
d2c33b91 2511 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
58a98fb0 2512 sm->tptk_set = 0;
d2c33b91 2513 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
58a98fb0 2514 }
40cf22e6
JM		 2515
2516#ifdef CONFIG_TDLS
2517 wpa_tdls_assoc(sm);
2518#endif /* CONFIG_TDLS */
25ef8529
JM		 2519
2520#ifdef CONFIG_P2P
2521 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
2522#endif /* CONFIG_P2P */
6fc6879b
JM		 2523}
2524
2525
2526/**
2527 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2528 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2529 *
2530 * This function is called to let WPA state machine know that the connection
2531 * was lost. This will abort any existing pre-authentication session.
2532 */
2533void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2534{
ac8e074e
JM		 2535 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2536 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
77327298 2537 peerkey_deinit(sm);
6fc6879b 2538 rsn_preauth_deinit(sm);
0639970d 2539 pmksa_cache_clear_current(sm);
6fc6879b
JM		 2540 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
2541 sm->dot11RSNA4WayHandshakeFailures++;
40cf22e6
JM		 2542#ifdef CONFIG_TDLS
2543 wpa_tdls_disassoc(sm);
2544#endif /* CONFIG_TDLS */
706df429
JM		 2545#ifdef CONFIG_FILS
2546 sm->fils_completed = 0;
2547#endif /* CONFIG_FILS */
71932544
JM		 2548
2549 /* Keys are not needed in the WPA state machine anymore */
2550 wpa_sm_drop_sa(sm);
761396e4
JM		 2551
2552 sm->msg_3_of_4_ok = 0;
6fc6879b
JM		 2553}
2554
2555
2556/**
2557 * wpa_sm_set_pmk - Set PMK
2558 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2559 * @pmk: The new PMK
2560 * @pmk_len: The length of the new PMK in bytes
70c93963 2561 * @pmkid: Calculated PMKID
bc26ac50 2562 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
6fc6879b
JM		 2563 *
2564 * Configure the PMK for WPA state machine.
2565 */
bc26ac50 2566void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
70c93963 2567 const u8 *pmkid, const u8 *bssid)
6fc6879b
JM		 2568{
2569 if (sm == NULL)
2570 return;
2571
2572 sm->pmk_len = pmk_len;
2573 os_memcpy(sm->pmk, pmk, pmk_len);
2574
2575#ifdef CONFIG_IEEE80211R
2576 /* Set XXKey to be PSK for FT key derivation */
2577 sm->xxkey_len = pmk_len;
2578 os_memcpy(sm->xxkey, pmk, pmk_len);
2579#endif /* CONFIG_IEEE80211R */
bc26ac50
JM		 2580
2581 if (bssid) {
70c93963 2582 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
087a1f4e 2583 bssid, sm->own_addr,
869af307 2584 sm->network_ctx, sm->key_mgmt, NULL);
bc26ac50 2585 }
6fc6879b
JM		 2586}
2587
2588
2589/**
2590 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2591 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2592 *
2593 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2594 * will be cleared.
2595 */
2596void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2597{
2598 if (sm == NULL)
2599 return;
2600
2601 if (sm->cur_pmksa) {
2602 sm->pmk_len = sm->cur_pmksa->pmk_len;
2603 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2604 } else {
2605 sm->pmk_len = PMK_LEN;
2606 os_memset(sm->pmk, 0, PMK_LEN);
2607 }
2608}
2609
2610
2611/**
2612 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2613 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2614 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2615 */
2616void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
2617{
2618 if (sm)
2619 sm->fast_reauth = fast_reauth;
2620}
2621
2622
2623/**
2624 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2625 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2626 * @scard_ctx: Context pointer for smartcard related callback functions
2627 */
2628void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
2629{
2630 if (sm == NULL)
2631 return;
2632 sm->scard_ctx = scard_ctx;
2633 if (sm->preauth_eapol)
2634 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
2635}
2636
2637
2638/**
2639 * wpa_sm_set_config - Notification of current configration change
2640 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2641 * @config: Pointer to current network configuration
2642 *
2643 * Notify WPA state machine that configuration has changed. config will be
2644 * stored as a backpointer to network configuration. This can be %NULL to clear
2645 * the stored pointed.
2646 */
2647void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
2648{
2649 if (!sm)
2650 return;
2651
6fc6879b 2652 if (config) {
886a807f 2653 sm->network_ctx = config->network_ctx;
6fc6879b
JM		 2654 sm->peerkey_enabled = config->peerkey_enabled;
2655 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
2656 sm->proactive_key_caching = config->proactive_key_caching;
2657 sm->eap_workaround = config->eap_workaround;
2658 sm->eap_conf_ctx = config->eap_conf_ctx;
2659 if (config->ssid) {
2660 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
2661 sm->ssid_len = config->ssid_len;
2662 } else
2663 sm->ssid_len = 0;
581a8cde 2664 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
25ef8529 2665 sm->p2p = config->p2p;
73ed03f3 2666 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
869af307
JM		 2667#ifdef CONFIG_FILS
2668 if (config->fils_cache_id) {
2669 sm->fils_cache_id_set = 1;
2670 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
2671 FILS_CACHE_ID_LEN);
2672 } else {
2673 sm->fils_cache_id_set = 0;
2674 }
2675#endif /* CONFIG_FILS */
6fc6879b 2676 } else {
886a807f 2677 sm->network_ctx = NULL;
6fc6879b
JM		 2678 sm->peerkey_enabled = 0;
2679 sm->allowed_pairwise_cipher = 0;
2680 sm->proactive_key_caching = 0;
2681 sm->eap_workaround = 0;
2682 sm->eap_conf_ctx = NULL;
2683 sm->ssid_len = 0;
581a8cde 2684 sm->wpa_ptk_rekey = 0;
25ef8529 2685 sm->p2p = 0;
73ed03f3 2686 sm->wpa_rsc_relaxation = 0;
6fc6879b 2687 }
6fc6879b
JM		 2688}
2689
2690
2691/**
2692 * wpa_sm_set_own_addr - Set own MAC address
2693 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2694 * @addr: Own MAC address
2695 */
2696void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
2697{
2698 if (sm)
2699 os_memcpy(sm->own_addr, addr, ETH_ALEN);
2700}
2701
2702
2703/**
2704 * wpa_sm_set_ifname - Set network interface name
2705 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2706 * @ifname: Interface name
2707 * @bridge_ifname: Optional bridge interface name (for pre-auth)
2708 */
2709void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
2710 const char *bridge_ifname)
2711{
2712 if (sm) {
2713 sm->ifname = ifname;
2714 sm->bridge_ifname = bridge_ifname;
2715 }
2716}
2717
2718
2719/**
2720 * wpa_sm_set_eapol - Set EAPOL state machine pointer
2721 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2722 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2723 */
2724void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
2725{
2726 if (sm)
2727 sm->eapol = eapol;
2728}
2729
2730
2731/**
2732 * wpa_sm_set_param - Set WPA state machine parameters
2733 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2734 * @param: Parameter field
2735 * @value: Parameter value
2736 * Returns: 0 on success, -1 on failure
2737 */
2738int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
2739 unsigned int value)
2740{
2741 int ret = 0;
2742
2743 if (sm == NULL)
2744 return -1;
2745
2746 switch (param) {
2747 case RSNA_PMK_LIFETIME:
2748 if (value > 0)
2749 sm->dot11RSNAConfigPMKLifetime = value;
2750 else
2751 ret = -1;
2752 break;
2753 case RSNA_PMK_REAUTH_THRESHOLD:
2754 if (value > 0 && value <= 100)
2755 sm->dot11RSNAConfigPMKReauthThreshold = value;
2756 else
2757 ret = -1;
2758 break;
2759 case RSNA_SA_TIMEOUT:
2760 if (value > 0)
2761 sm->dot11RSNAConfigSATimeout = value;
2762 else
2763 ret = -1;
2764 break;
2765 case WPA_PARAM_PROTO:
2766 sm->proto = value;
2767 break;
2768 case WPA_PARAM_PAIRWISE:
2769 sm->pairwise_cipher = value;
2770 break;
2771 case WPA_PARAM_GROUP:
2772 sm->group_cipher = value;
2773 break;
2774 case WPA_PARAM_KEY_MGMT:
2775 sm->key_mgmt = value;
2776 break;
2777#ifdef CONFIG_IEEE80211W
2778 case WPA_PARAM_MGMT_GROUP:
2779 sm->mgmt_group_cipher = value;
2780 break;
2781#endif /* CONFIG_IEEE80211W */
2782 case WPA_PARAM_RSN_ENABLED:
2783 sm->rsn_enabled = value;
2784 break;
e820cf95
JM		 2785 case WPA_PARAM_MFP:
2786 sm->mfp = value;
2787 break;
6fc6879b
JM		 2788 default:
2789 break;
2790 }
2791
2792 return ret;
2793}
2794
2795
6fc6879b
JM		 2796/**
2797 * wpa_sm_get_status - Get WPA state machine
2798 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2799 * @buf: Buffer for status information
2800 * @buflen: Maximum buffer length
2801 * @verbose: Whether to include verbose status information
2802 * Returns: Number of bytes written to buf.
2803 *
2804 * Query WPA state machine for status information. This function fills in
2805 * a text area with current status information. If the buffer (buf) is not
2806 * large enough, status information will be truncated to fit the buffer.
2807 */
2808int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
2809 int verbose)
2810{
2811 char *pos = buf, *end = buf + buflen;
2812 int ret;
2813
2814 ret = os_snprintf(pos, end - pos,
2815 "pairwise_cipher=%s\n"
2816 "group_cipher=%s\n"
2817 "key_mgmt=%s\n",
2818 wpa_cipher_txt(sm->pairwise_cipher),
2819 wpa_cipher_txt(sm->group_cipher),
2820 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
d85e1fc8 2821 if (os_snprintf_error(end - pos, ret))
6fc6879b
JM		 2822 return pos - buf;
2823 pos += ret;
13e1d2e2
JM		 2824
2825 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
2826 struct wpa_ie_data rsn;
2827 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
2828 >= 0 &&
2829 rsn.capabilities & (WPA_CAPABILITY_MFPR |
2830 WPA_CAPABILITY_MFPC)) {
2831 ret = os_snprintf(pos, end - pos, "pmf=%d\n",
2832 (rsn.capabilities &
2833 WPA_CAPABILITY_MFPR) ? 2 : 1);
d85e1fc8 2834 if (os_snprintf_error(end - pos, ret))
13e1d2e2
JM		 2835 return pos - buf;
2836 pos += ret;
2837 }
2838 }
2839
6fc6879b
JM		 2840 return pos - buf;
2841}
2842
2843
ae8535b6
JM		 2844int wpa_sm_pmf_enabled(struct wpa_sm *sm)
2845{
2846 struct wpa_ie_data rsn;
2847
2848 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
2849 return 0;
2850
2851 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
2852 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
2853 return 1;
2854
2855 return 0;
2856}
2857
2858
6fc6879b
JM		 2859/**
2860 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
2861 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2862 * @wpa_ie: Pointer to buffer for WPA/RSN IE
2863 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
2864 * Returns: 0 on success, -1 on failure
2865 */
2866int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
2867 size_t *wpa_ie_len)
2868{
2869 int res;
2870
2871 if (sm == NULL)
2872 return -1;
2873
651c6a84
JM		 2874#ifdef CONFIG_TESTING_OPTIONS
2875 if (sm->test_assoc_ie) {
2876 wpa_printf(MSG_DEBUG,
2877 "TESTING: Replace association WPA/RSN IE");
2878 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
2879 return -1;
2880 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
2881 wpabuf_len(sm->test_assoc_ie));
2882 res = wpabuf_len(sm->test_assoc_ie);
2883 } else
2884#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 2885 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
2886 if (res < 0)
2887 return -1;
2888 *wpa_ie_len = res;
2889
2890 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
2891 wpa_ie, *wpa_ie_len);
2892
2893 if (sm->assoc_wpa_ie == NULL) {
2894 /*
2895 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
2896 * the correct version of the IE even if PMKSA caching is
2897 * aborted (which would remove PMKID from IE generation).
2898 */
a1f11e34 2899 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
6fc6879b
JM		 2900 if (sm->assoc_wpa_ie == NULL)
2901 return -1;
2902
6fc6879b 2903 sm->assoc_wpa_ie_len = *wpa_ie_len;
0866ed00
JM		 2904 } else {
2905 wpa_hexdump(MSG_DEBUG,
2906 "WPA: Leave previously set WPA IE default",
2907 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
6fc6879b
JM		 2908 }
2909
2910 return 0;
2911}
2912
2913
2914/**
2915 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
2916 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2917 * @ie: Pointer to IE data (starting from id)
2918 * @len: IE length
2919 * Returns: 0 on success, -1 on failure
2920 *
2921 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
2922 * Request frame. The IE will be used to override the default value generated
2923 * with wpa_sm_set_assoc_wpa_ie_default().
2924 */
2925int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2926{
2927 if (sm == NULL)
2928 return -1;
2929
2930 os_free(sm->assoc_wpa_ie);
2931 if (ie == NULL || len == 0) {
f049052b
BG		 2932 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2933 "WPA: clearing own WPA/RSN IE");
6fc6879b
JM		 2934 sm->assoc_wpa_ie = NULL;
2935 sm->assoc_wpa_ie_len = 0;
2936 } else {
2937 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
a1f11e34 2938 sm->assoc_wpa_ie = os_memdup(ie, len);
6fc6879b
JM		 2939 if (sm->assoc_wpa_ie == NULL)
2940 return -1;
2941
6fc6879b
JM		 2942 sm->assoc_wpa_ie_len = len;
2943 }
2944
2945 return 0;
2946}
2947
2948
2949/**
2950 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
2951 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2952 * @ie: Pointer to IE data (starting from id)
2953 * @len: IE length
2954 * Returns: 0 on success, -1 on failure
2955 *
2956 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
2957 * frame.
2958 */
2959int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2960{
2961 if (sm == NULL)
2962 return -1;
2963
2964 os_free(sm->ap_wpa_ie);
2965 if (ie == NULL || len == 0) {
f049052b
BG		 2966 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2967 "WPA: clearing AP WPA IE");
6fc6879b
JM		 2968 sm->ap_wpa_ie = NULL;
2969 sm->ap_wpa_ie_len = 0;
2970 } else {
2971 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
a1f11e34 2972 sm->ap_wpa_ie = os_memdup(ie, len);
6fc6879b
JM		 2973 if (sm->ap_wpa_ie == NULL)
2974 return -1;
2975
6fc6879b
JM		 2976 sm->ap_wpa_ie_len = len;
2977 }
2978
2979 return 0;
2980}
2981
2982
2983/**
2984 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
2985 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2986 * @ie: Pointer to IE data (starting from id)
2987 * @len: IE length
2988 * Returns: 0 on success, -1 on failure
2989 *
2990 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
2991 * frame.
2992 */
2993int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2994{
2995 if (sm == NULL)
2996 return -1;
2997
2998 os_free(sm->ap_rsn_ie);
2999 if (ie == NULL || len == 0) {
f049052b
BG		 3000 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3001 "WPA: clearing AP RSN IE");
6fc6879b
JM		 3002 sm->ap_rsn_ie = NULL;
3003 sm->ap_rsn_ie_len = 0;
3004 } else {
3005 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
a1f11e34 3006 sm->ap_rsn_ie = os_memdup(ie, len);
6fc6879b
JM		 3007 if (sm->ap_rsn_ie == NULL)
3008 return -1;
3009
6fc6879b
JM		 3010 sm->ap_rsn_ie_len = len;
3011 }
3012
3013 return 0;
3014}
3015
3016
3017/**
3018 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3019 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3020 * @data: Pointer to data area for parsing results
3021 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3022 *
3023 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3024 * parsed data into data.
3025 */
3026int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3027{
2a522e71
JM		 3028 if (sm == NULL)
3029 return -1;
3030
3031 if (sm->assoc_wpa_ie == NULL) {
f049052b
BG		 3032 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3033 "WPA: No WPA/RSN IE available from association info");
6fc6879b
JM		 3034 return -1;
3035 }
3036 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3037 return -2;
3038 return 0;
3039}
540264a7
JM		 3040
3041
3042int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3043{
540264a7 3044 return pmksa_cache_list(sm->pmksa, buf, len);
540264a7 3045}
32d5295f
JM		 3046
3047
3459381d
JM		 3048struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3049{
3050 return pmksa_cache_head(sm->pmksa);
3051}
3052
3053
3054struct rsn_pmksa_cache_entry *
3055wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3056 struct rsn_pmksa_cache_entry * entry)
3057{
3058 return pmksa_cache_add_entry(sm->pmksa, entry);
3059}
3060
3061
32d5295f
JM		 3062void wpa_sm_drop_sa(struct wpa_sm *sm)
3063{
f049052b 3064 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
32d5295f
JM		 3065 sm->ptk_set = 0;
3066 sm->tptk_set = 0;
3067 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3068 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3069 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
71932544
JM		 3070#ifdef CONFIG_IEEE80211R
3071 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3072 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3073 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3074#endif /* CONFIG_IEEE80211R */
32d5295f 3075}
0d7b4409
JM		 3076
3077
3078int wpa_sm_has_ptk(struct wpa_sm *sm)
3079{
3080 if (sm == NULL)
3081 return 0;
3082 return sm->ptk_set;
3083}
b14a210c
JB		 3084
3085
3086void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3087{
3088 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3089}
d8a790b9
JM		 3090
3091
3092void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3093{
4033935d 3094 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
d8a790b9 3095}
75cad1a0
XC		 3096
3097
ad3872a3 3098#ifdef CONFIG_WNM
75cad1a0
XC		 3099int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3100{
75cad1a0
XC		 3101 u16 keyinfo;
3102 u8 keylen; /* plaintext key len */
75cad1a0
XC		 3103 u8 *key_rsc;
3104
75cad1a0 3105 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
d2c33b91
JM		 3106 struct wpa_gtk_data gd;
3107
3108 os_memset(&gd, 0, sizeof(gd));
3109 keylen = wpa_cipher_key_len(sm->group_cipher);
3110 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3111 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3112 if (gd.alg == WPA_ALG_NONE) {
3113 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3114 return -1;
3115 }
3116
75cad1a0 3117 key_rsc = buf + 5;
68db9ab0 3118 keyinfo = WPA_GET_LE16(buf + 2);
75cad1a0
XC		 3119 gd.gtk_len = keylen;
3120 if (gd.gtk_len != buf[4]) {
3121 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3122 gd.gtk_len, buf[4]);
3123 return -1;
3124 }
3125 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3126 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3127 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3128
68db9ab0 3129 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
75cad1a0
XC		 3130
3131 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3132 gd.gtk, gd.gtk_len);
3133 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
d2c33b91 3134 os_memset(&gd, 0, sizeof(gd));
75cad1a0
XC		 3135 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3136 "WNM mode");
3137 return -1;
3138 }
d2c33b91 3139 os_memset(&gd, 0, sizeof(gd));
75cad1a0
XC		 3140#ifdef CONFIG_IEEE80211W
3141 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
d2c33b91
JM		 3142 struct wpa_igtk_kde igd;
3143 u16 keyidx;
3144
3145 os_memset(&igd, 0, sizeof(igd));
8dd9f9cd 3146 keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
75cad1a0
XC		 3147 os_memcpy(igd.keyid, buf + 2, 2);
3148 os_memcpy(igd.pn, buf + 4, 6);
3149
3150 keyidx = WPA_GET_LE16(igd.keyid);
8dd9f9cd 3151 os_memcpy(igd.igtk, buf + 10, keylen);
75cad1a0
XC		 3152
3153 wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
8dd9f9cd
JM		 3154 igd.igtk, keylen);
3155 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
3156 broadcast_ether_addr,
75cad1a0 3157 keyidx, 0, igd.pn, sizeof(igd.pn),
8dd9f9cd 3158 igd.igtk, keylen) < 0) {
75cad1a0
XC		 3159 wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
3160 "WNM mode");
d2c33b91 3161 os_memset(&igd, 0, sizeof(igd));
75cad1a0
XC		 3162 return -1;
3163 }
d2c33b91 3164 os_memset(&igd, 0, sizeof(igd));
75cad1a0
XC		 3165#endif /* CONFIG_IEEE80211W */
3166 } else {
3167 wpa_printf(MSG_DEBUG, "Unknown element id");
3168 return -1;
3169 }
3170
3171 return 0;
3172}
ad3872a3 3173#endif /* CONFIG_WNM */
db76aa64
JM		 3174
3175
3176#ifdef CONFIG_PEERKEY
3177int wpa_sm_rx_eapol_peerkey(struct wpa_sm *sm, const u8 *src_addr,
3178 const u8 *buf, size_t len)
3179{
3180 struct wpa_peerkey *peerkey;
3181
3182 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
3183 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
3184 break;
3185 }
3186
3187 if (!peerkey)
3188 return 0;
3189
3190 wpa_sm_rx_eapol(sm, src_addr, buf, len);
3191
3192 return 1;
3193}
3194#endif /* CONFIG_PEERKEY */
25ef8529
JM		 3195
3196
3197#ifdef CONFIG_P2P
3198
3199int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3200{
3201 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3202 return -1;
3203 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3204 return 0;
3205}
3206
3207#endif /* CONFIG_P2P */
b41f2684
CL		 3208
3209
3210void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3211{
3212 if (rx_replay_counter == NULL)
3213 return;
3214
3215 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3216 WPA_REPLAY_COUNTER_LEN);
3217 sm->rx_replay_counter_set = 1;
3218 wpa_printf(MSG_DEBUG, "Updated key replay counter");
3219}
3220
3221
98cd3d1c
JM		 3222void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3223 const u8 *ptk_kck, size_t ptk_kck_len,
3224 const u8 *ptk_kek, size_t ptk_kek_len)
b41f2684 3225{
98cd3d1c
JM		 3226 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3227 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3228 sm->ptk.kck_len = ptk_kck_len;
b41f2684
CL		 3229 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3230 }
98cd3d1c
JM		 3231 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
3232 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
3233 sm->ptk.kek_len = ptk_kek_len;
b41f2684
CL		 3234 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
3235 }
3236 sm->ptk_set = 1;
3237}
651c6a84
JM		 3238
3239
3240#ifdef CONFIG_TESTING_OPTIONS
3241void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
3242{
3243 wpabuf_free(sm->test_assoc_ie);
3244 sm->test_assoc_ie = buf;
3245}
3246#endif /* CONFIG_TESTING_OPTIONS */
f00b9b88
JM		 3247
3248
3249#ifdef CONFIG_FILS
3250
3251struct wpabuf * fils_build_auth(struct wpa_sm *sm)
3252{
3253 struct wpabuf *buf = NULL;
3254 struct wpabuf *erp_msg;
3255
3256 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
3257 if (!erp_msg && !sm->cur_pmksa) {
3258 wpa_printf(MSG_DEBUG,
3259 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3260 goto fail;
3261 }
3262
3263 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3264 erp_msg != NULL, sm->cur_pmksa != NULL);
3265
706df429
JM		 3266 sm->fils_completed = 0;
3267
f00b9b88
JM		 3268 if (!sm->assoc_wpa_ie) {
3269 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
3270 goto fail;
3271 }
3272
3273 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
3274 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
3275 goto fail;
3276
3277 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
3278 sm->fils_nonce, FILS_NONCE_LEN);
3279 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
3280 sm->fils_session, FILS_SESSION_LEN);
3281
3282 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len);
3283 if (!buf)
3284 goto fail;
3285
3286 /* Fields following the Authentication algorithm number field */
3287
3288 /* Authentication Transaction seq# */
3289 wpabuf_put_le16(buf, 1);
3290
3291 /* Status Code */
3292 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
3293
3294 /* TODO: Finite Cyclic Group when using PK or PFS */
3295 /* TODO: Element when using PK or PFS */
3296
3297 /* RSNE */
3298 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
3299 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3300 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3301
3302 /* TODO: MDE when using FILS for FT initial association */
3303 /* TODO: FTE when using FILS for FT initial association */
3304
3305 /* FILS Nonce */
3306 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3307 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
3308 /* Element ID Extension */
3309 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
3310 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
3311
3312 /* FILS Session */
3313 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3314 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3315 /* Element ID Extension */
3316 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3317 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3318
3319 /* FILS Wrapped Data */
fcd3d6ce 3320 sm->fils_erp_pmkid_set = 0;
f00b9b88
JM		 3321 if (erp_msg) {
3322 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3323 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
3324 /* Element ID Extension */
3325 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA);
3326 wpabuf_put_buf(buf, erp_msg);
fcd3d6ce
JM		 3327 /* Calculate pending PMKID here so that we do not need to
3328 * maintain a copy of the EAP-Initiate/Reauth message. */
3329 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
3330 wpabuf_len(erp_msg),
3331 sm->fils_erp_pmkid) == 0)
3332 sm->fils_erp_pmkid_set = 1;
f00b9b88
JM		 3333 }
3334
3335 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
3336 buf);
3337
3338fail:
3339 wpabuf_free(erp_msg);
3340 return buf;
3341}
3342
a6609937 3343
ba9774bd
JM		 3344int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
3345 size_t len)
a6609937
JM		 3346{
3347 const u8 *pos, *end;
3348 struct ieee802_11_elems elems;
3349 struct wpa_ie_data rsn;
3350 int pmkid_match = 0;
3351 u8 ick[FILS_ICK_MAX_LEN];
3352 size_t ick_len;
3353 int res;
3354
ba9774bd
JM		 3355 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3356
a6609937
JM		 3357 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
3358 data, len);
3359 pos = data;
3360 end = data + len;
3361
3362 /* TODO: Finite Cyclic Group when using PK or PFS */
3363 /* TODO: Element when using PK or PFS */
3364
3365 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
3366 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
3367 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
3368 return -1;
3369 }
3370
3371 /* RSNE */
3372 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
3373 elems.rsn_ie_len);
3374 if (!elems.rsn_ie ||
3375 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3376 &rsn) < 0) {
3377 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
3378 return -1;
3379 }
3380
3381 if (!elems.fils_nonce) {
3382 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
3383 return -1;
3384 }
3385 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
3386 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
3387
3388 /* TODO: MDE when using FILS+FT */
3389 /* TODO: FTE when using FILS+FT */
3390
3391 /* PMKID List */
3392 if (rsn.pmkid && rsn.num_pmkid > 0) {
3393 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
3394 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
3395
3396 if (rsn.num_pmkid != 1) {
3397 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
3398 return -1;
3399 }
3400 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
3401 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
3402 {
3403 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
3404 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
3405 sm->cur_pmksa->pmkid, PMKID_LEN);
3406 return -1;
3407 }
3408 wpa_printf(MSG_DEBUG,
3409 "FILS: Matching PMKID - continue using PMKSA caching");
3410 pmkid_match = 1;
3411 }
3412 if (!pmkid_match && sm->cur_pmksa) {
3413 wpa_printf(MSG_DEBUG,
3414 "FILS: No PMKID match - cannot use cached PMKSA entry");
3415 sm->cur_pmksa = NULL;
3416 }
3417
3418 /* FILS Session */
3419 if (!elems.fils_session) {
3420 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3421 return -1;
3422 }
3423 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
3424 FILS_SESSION_LEN);
3425 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
3426 != 0) {
3427 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3428 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3429 sm->fils_session, FILS_SESSION_LEN);
3430 return -1;
3431 }
3432
3433 /* FILS Wrapped Data */
3434 if (!sm->cur_pmksa && elems.fils_wrapped_data) {
fcd3d6ce
JM		 3435 u8 rmsk[ERP_MAX_KEY_LEN];
3436 size_t rmsk_len;
3437
a6609937
JM		 3438 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
3439 elems.fils_wrapped_data,
3440 elems.fils_wrapped_data_len);
3441 eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data,
3442 elems.fils_wrapped_data_len);
3443 if (eapol_sm_failed(sm->eapol))
3444 return -1;
3445
fcd3d6ce
JM		 3446 rmsk_len = ERP_MAX_KEY_LEN;
3447 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3448 if (res == PMK_LEN) {
3449 rmsk_len = PMK_LEN;
3450 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3451 }
a6609937
JM		 3452 if (res)
3453 return -1;
3454
fcd3d6ce
JM		 3455 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
3456 sm->fils_nonce, sm->fils_anonce, NULL, 0,
3457 sm->pmk, &sm->pmk_len);
3458 os_memset(rmsk, 0, sizeof(rmsk));
275cc942
JM		 3459 if (res)
3460 return -1;
fcd3d6ce
JM		 3461
3462 if (!sm->fils_erp_pmkid_set) {
3463 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
3464 return -1;
3465 }
3466 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
3467 PMKID_LEN);
a6609937 3468 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
fcd3d6ce
JM		 3469 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
3470 sm->fils_erp_pmkid, NULL, 0,
3471 sm->bssid, sm->own_addr,
869af307
JM		 3472 sm->network_ctx, sm->key_mgmt,
3473 NULL);
a6609937
JM		 3474 }
3475
3476 if (!sm->cur_pmksa) {
3477 wpa_printf(MSG_DEBUG,
3478 "FILS: No remaining options to continue FILS authentication");
3479 return -1;
3480 }
3481
3482 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
3483 sm->fils_nonce, sm->fils_anonce, &sm->ptk,
3484 ick, &ick_len, sm->key_mgmt, sm->pairwise_cipher) <
3485 0) {
3486 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
3487 return -1;
3488 }
3489 sm->ptk_set = 1;
3490 sm->tptk_set = 0;
3491 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3492
3493 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
3494 sm->fils_anonce, sm->own_addr, sm->bssid,
3495 NULL, 0, NULL, 0, /* TODO: SK+PFS */
3496 sm->key_mgmt, sm->fils_key_auth_sta,
3497 sm->fils_key_auth_ap,
3498 &sm->fils_key_auth_len);
3499 os_memset(ick, 0, sizeof(ick));
3500 return res;
3501}
3502
86cd6928
JM		 3503
3504struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
3505 size_t *kek_len, const u8 **snonce,
5732b770
JM		 3506 const u8 **anonce,
3507 const struct wpabuf **hlp,
3508 unsigned int num_hlp)
86cd6928
JM		 3509{
3510 struct wpabuf *buf;
5732b770
JM		 3511 size_t len;
3512 unsigned int i;
86cd6928 3513
5732b770
JM		 3514 len = 1000;
3515 for (i = 0; hlp && i < num_hlp; i++)
3516 len += 10 + wpabuf_len(hlp[i]);
3517 buf = wpabuf_alloc(len);
86cd6928
JM		 3518 if (!buf)
3519 return NULL;
3520
3521 /* FILS Session */
3522 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3523 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3524 /* Element ID Extension */
3525 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3526 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3527
3528 /* Everything after FILS Session element gets encrypted in the driver
3529 * with KEK. The buffer returned from here is the plaintext version. */
3530
3531 /* TODO: FILS Public Key */
3532
3533 /* FILS Key Confirm */
3534 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3535 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
3536 /* Element ID Extension */
3537 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3538 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
3539
5732b770
JM		 3540 /* FILS HLP Container */
3541 for (i = 0; hlp && i < num_hlp; i++) {
3542 const u8 *pos = wpabuf_head(hlp[i]);
3543 size_t left = wpabuf_len(hlp[i]);
3544
3545 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3546 if (left <= 254)
3547 len = 1 + left;
3548 else
3549 len = 255;
3550 wpabuf_put_u8(buf, len); /* Length */
3551 /* Element ID Extension */
3552 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
3553 /* Destination MAC Address, Source MAC Address, HLP Packet.
3554 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
3555 * header when LPD is used). */
3556 wpabuf_put_data(buf, pos, len - 1);
3557 pos += len - 1;
3558 left -= len - 1;
3559 while (left) {
3560 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
3561 len = left > 255 ? 255 : left;
3562 wpabuf_put_u8(buf, len);
3563 wpabuf_put_data(buf, pos, len);
3564 pos += len;
3565 left -= len;
3566 }
3567 }
86cd6928
JM		 3568
3569 /* TODO: FILS IP Address Assignment */
3570
3571 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
3572
3573 *kek = sm->ptk.kek;
3574 *kek_len = sm->ptk.kek_len;
3575 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
3576 *snonce = sm->fils_nonce;
3577 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
3578 *snonce, FILS_NONCE_LEN);
3579 *anonce = sm->fils_anonce;
3580 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
3581 *anonce, FILS_NONCE_LEN);
3582
3583 return buf;
3584}
3585
706df429 3586
124ddfa1
JM		 3587static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3588{
3589 const u8 *pos, *end;
3590
3591 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
3592 if (len < 2 * ETH_ALEN)
3593 return;
3594 pos = resp + 2 * ETH_ALEN;
3595 end = resp + len;
3596 if (end - pos >= 6 &&
3597 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
3598 pos += 6; /* Remove SNAP/LLC header */
3599 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
3600}
3601
3602
3603static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
3604 size_t len)
3605{
3606 const u8 *end = pos + len;
3607 u8 *tmp, *tmp_pos;
3608
3609 /* Check if there are any FILS HLP Container elements */
3610 while (end - pos >= 2) {
3611 if (2 + pos[1] > end - pos)
3612 return;
3613 if (pos[0] == WLAN_EID_EXTENSION &&
3614 pos[1] >= 1 + 2 * ETH_ALEN &&
3615 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
3616 break;
3617 pos += 2 + pos[1];
3618 }
3619 if (end - pos < 2)
3620 return; /* No FILS HLP Container elements */
3621
3622 tmp = os_malloc(end - pos);
3623 if (!tmp)
3624 return;
3625
3626 while (end - pos >= 2) {
3627 if (2 + pos[1] > end - pos ||
3628 pos[0] != WLAN_EID_EXTENSION ||
3629 pos[1] < 1 + 2 * ETH_ALEN ||
3630 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
3631 break;
3632 tmp_pos = tmp;
3633 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
3634 tmp_pos += pos[1] - 1;
3635 pos += 2 + pos[1];
3636
3637 /* Add possible fragments */
3638 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
3639 2 + pos[1] <= end - pos) {
3640 os_memcpy(tmp_pos, pos + 2, pos[1]);
3641 tmp_pos += pos[1];
3642 pos += 2 + pos[1];
3643 }
3644
3645 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
3646 }
3647
3648 os_free(tmp);
3649}
3650
3651
706df429
JM		 3652int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3653{
3654 const struct ieee80211_mgmt *mgmt;
3655 const u8 *end, *ie_start;
3656 struct ieee802_11_elems elems;
3657 int keylen, rsclen;
3658 enum wpa_alg alg;
3659 struct wpa_gtk_data gd;
3660 int maxkeylen;
3661 struct wpa_eapol_ie_parse kde;
3662
3663 if (!sm || !sm->ptk_set) {
3664 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
3665 return -1;
3666 }
3667
3668 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
3669 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
3670 return -1;
3671 }
3672
3673 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
3674 resp, len);
3675
3676 mgmt = (const struct ieee80211_mgmt *) resp;
3677 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
3678 return -1;
3679
3680 end = resp + len;
3681 /* Same offset for Association Response and Reassociation Response */
3682 ie_start = mgmt->u.assoc_resp.variable;
3683
3684 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
3685 ParseFailed) {
3686 wpa_printf(MSG_DEBUG,
3687 "FILS: Failed to parse decrypted elements");
3688 goto fail;
3689 }
3690
3691 if (!elems.fils_session) {
3692 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3693 return -1;
3694 }
3695 if (os_memcmp(elems.fils_session, sm->fils_session,
3696 FILS_SESSION_LEN) != 0) {
3697 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
3698 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
3699 elems.fils_session, FILS_SESSION_LEN);
3700 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3701 sm->fils_session, FILS_SESSION_LEN);
3702 }
3703
3704 /* TODO: FILS Public Key */
3705
3706 if (!elems.fils_key_confirm) {
3707 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
3708 goto fail;
3709 }
3710 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
3711 wpa_printf(MSG_DEBUG,
3712 "FILS: Unexpected Key-Auth length %d (expected %d)",
3713 elems.fils_key_confirm_len,
3714 (int) sm->fils_key_auth_len);
3715 goto fail;
3716 }
3717 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
3718 sm->fils_key_auth_len) != 0) {
3719 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
3720 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
3721 elems.fils_key_confirm,
3722 elems.fils_key_confirm_len);
3723 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
3724 sm->fils_key_auth_ap, sm->fils_key_auth_len);
3725 goto fail;
3726 }
3727
3728 /* Key Delivery */
3729 if (!elems.key_delivery) {
3730 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
3731 goto fail;
3732 }
3733
3734 /* Parse GTK and set the key to the driver */
3735 os_memset(&gd, 0, sizeof(gd));
3736 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
3737 elems.key_delivery_len - WPA_KEY_RSC_LEN,
3738 &kde) < 0) {
3739 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
3740 goto fail;
3741 }
3742 if (!kde.gtk) {
3743 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
3744 goto fail;
3745 }
3746 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
3747 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3748 gd.gtk_len, maxkeylen,
3749 &gd.key_rsc_len, &gd.alg))
3750 goto fail;
3751
3752 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
3753 gd.keyidx = kde.gtk[0] & 0x3;
3754 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3755 !!(kde.gtk[0] & BIT(2)));
3756 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
3757 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
3758 (unsigned long) kde.gtk_len - 2);
3759 goto fail;
3760 }
3761 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
3762
3763 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
3764 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) {
3765 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
3766 goto fail;
3767 }
3768
3769 if (ieee80211w_set_keys(sm, &kde) < 0) {
3770 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
3771 goto fail;
3772 }
3773
3774 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
3775 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
3776 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
3777 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
3778 sm->ptk.tk, keylen);
3779 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
3780 sm->ptk.tk, keylen) < 0) {
3781 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3782 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
3783 MACSTR ")",
3784 alg, keylen, MAC2STR(sm->bssid));
3785 goto fail;
3786 }
3787
3788 /* TODO: TK could be cleared after auth frame exchange now that driver
3789 * takes care of association frame encryption/decryption. */
3790 /* TK is not needed anymore in supplicant */
3791 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
3792
124ddfa1
JM		 3793 /* FILS HLP Container */
3794 fils_process_hlp_container(sm, ie_start, end - ie_start);
706df429
JM		 3795
3796 /* TODO: FILS IP Address Assignment */
3797
3798 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
3799 sm->fils_completed = 1;
3800
3801 return 0;
3802fail:
3803 return -1;
3804}
3805
3806#endif /* CONFIG_FILS */
3807
3808
3809int wpa_fils_is_completed(struct wpa_sm *sm)
3810{
3811#ifdef CONFIG_FILS
3812 return sm && sm->fils_completed;
3813#else /* CONFIG_FILS */
3814 return 0;
f00b9b88 3815#endif /* CONFIG_FILS */
706df429 3816}
Unnamed repository; edit this file 'description' to name the repository.