]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/rsn_supp/wpa.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FILS: Add FILS SK auth PFS support in AP mode
[thirdparty/hostap.git] / src / rsn_supp / wpa.c
CommitLineData
6fc6879b
JM		 1/*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
0a614799 3 * Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi>
73ed03f3 4 * Copyright(c) 2015 Intel Deutschland GmbH
6fc6879b 5 *
0f3d578e
JM		 6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
6fc6879b
JM		 8 */
9
10#include "includes.h"
11
12#include "common.h"
2022f1d0 13#include "crypto/aes.h"
03da66bd
JM		 14#include "crypto/aes_wrap.h"
15#include "crypto/crypto.h"
3642c431 16#include "crypto/random.h"
2022f1d0 17#include "crypto/aes_siv.h"
0a614799 18#include "crypto/sha256.h"
03da66bd 19#include "common/ieee802_11_defs.h"
a6609937 20#include "common/ieee802_11_common.h"
fcd3d6ce 21#include "eap_common/eap_defs.h"
03da66bd 22#include "eapol_supp/eapol_supp_sm.h"
6fc6879b
JM		 23#include "wpa.h"
24#include "eloop.h"
6fc6879b
JM		 25#include "preauth.h"
26#include "pmksa_cache.h"
27#include "wpa_i.h"
28#include "wpa_ie.h"
29#include "peerkey.h"
6fc6879b
JM		 30
31
73ed03f3
MS		 32static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
33
34
6fc6879b
JM		 35/**
36 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
37 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1049af7e 38 * @ptk: PTK for Key Confirmation/Encryption Key
6fc6879b
JM		 39 * @ver: Version field from Key Info
40 * @dest: Destination address for the frame
41 * @proto: Ethertype (usually ETH_P_EAPOL)
42 * @msg: EAPOL-Key message
43 * @msg_len: Length of message
44 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
c93b7e18 45 * Returns: >= 0 on success, < 0 on failure
6fc6879b 46 */
1049af7e 47int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
c93b7e18
AA		 48 int ver, const u8 *dest, u16 proto,
49 u8 *msg, size_t msg_len, u8 *key_mic)
6fc6879b 50{
c93b7e18 51 int ret = -1;
5e3b5197 52 size_t mic_len = wpa_mic_len(sm->key_mgmt);
98cd3d1c 53
ef9627cb
JM		 54 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
55 " ver=%d mic_len=%d key_mgmt=0x%x",
56 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
a8e16edc 57 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
6fc6879b
JM		 58 /*
59 * Association event was not yet received; try to fetch
60 * BSSID from the driver.
61 */
62 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
f049052b
BG		 63 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
64 "WPA: Failed to read BSSID for "
65 "EAPOL-Key destination address");
6fc6879b
JM		 66 } else {
67 dest = sm->bssid;
f049052b
BG		 68 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
69 "WPA: Use BSSID (" MACSTR
70 ") as the destination for EAPOL-Key",
71 MAC2STR(dest));
6fc6879b
JM		 72 }
73 }
2022f1d0
JM		 74
75 if (mic_len) {
76 if (key_mic && (!ptk || !ptk->kck_len))
77 goto out;
78
79 if (key_mic &&
80 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
81 msg, msg_len, key_mic)) {
82 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
83 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
84 ver, sm->key_mgmt);
85 goto out;
86 }
28fb9bb1
JM		 87 if (ptk)
88 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
89 ptk->kck, ptk->kck_len);
2022f1d0
JM		 90 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
91 key_mic, mic_len);
92 } else {
93#ifdef CONFIG_FILS
94 /* AEAD cipher - Key MIC field not used */
95 struct ieee802_1x_hdr *s_hdr, *hdr;
96 struct wpa_eapol_key *s_key, *key;
97 u8 *buf, *s_key_data, *key_data;
98 size_t buf_len = msg_len + AES_BLOCK_SIZE;
99 size_t key_data_len;
100 u16 eapol_len;
101 const u8 *aad[1];
102 size_t aad_len[1];
103
104 if (!ptk || !ptk->kek_len)
105 goto out;
106
107 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
108 sizeof(struct wpa_eapol_key) - 2;
109
110 buf = os_malloc(buf_len);
111 if (!buf)
112 goto out;
113
114 os_memcpy(buf, msg, msg_len);
115 hdr = (struct ieee802_1x_hdr *) buf;
116 key = (struct wpa_eapol_key *) (hdr + 1);
117 key_data = ((u8 *) (key + 1)) + 2;
118
119 /* Update EAPOL header to include AES-SIV overhead */
120 eapol_len = be_to_host16(hdr->length);
121 eapol_len += AES_BLOCK_SIZE;
122 hdr->length = host_to_be16(eapol_len);
123
124 /* Update Key Data Length field to include AES-SIV overhead */
125 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
126
127 s_hdr = (struct ieee802_1x_hdr *) msg;
128 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
129 s_key_data = ((u8 *) (s_key + 1)) + 2;
130
131 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
132 s_key_data, key_data_len);
133
134 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
135 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
136 * to Key Data (exclusive). */
137 aad[0] = buf;
138 aad_len[0] = key_data - buf;
139 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
140 s_key_data, key_data_len,
141 1, aad, aad_len, key_data) < 0) {
142 os_free(buf);
143 goto out;
144 }
145
146 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
147 key_data, AES_BLOCK_SIZE + key_data_len);
148
149 os_free(msg);
150 msg = buf;
151 msg_len = buf_len;
152#else /* CONFIG_FILS */
04b6b3ed 153 goto out;
2022f1d0 154#endif /* CONFIG_FILS */
04b6b3ed 155 }
2022f1d0 156
6fc6879b 157 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
c93b7e18 158 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
6fc6879b 159 eapol_sm_notify_tx_eapol_key(sm->eapol);
04b6b3ed 160out:
6fc6879b 161 os_free(msg);
c93b7e18 162 return ret;
6fc6879b
JM		 163}
164
165
166/**
167 * wpa_sm_key_request - Send EAPOL-Key Request
168 * @sm: Pointer to WPA state machine data from wpa_sm_init()
169 * @error: Indicate whether this is an Michael MIC error report
170 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
6fc6879b
JM		 171 *
172 * Send an EAPOL-Key Request to the current authenticator. This function is
173 * used to request rekeying and it is usually called when a local Michael MIC
174 * failure is detected.
175 */
176void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
177{
5e3b5197 178 size_t mic_len, hdrlen, rlen;
6fc6879b
JM		 179 struct wpa_eapol_key *reply;
180 int key_info, ver;
6d014ffc 181 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
6fc6879b 182
929a2ea5
JM		 183 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
184 wpa_key_mgmt_suite_b(sm->key_mgmt))
df0f01d9
JM		 185 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
186 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
187 wpa_key_mgmt_sha256(sm->key_mgmt))
6fc6879b 188 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 189 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
6fc6879b
JM		 190 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
191 else
192 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
193
194 if (wpa_sm_get_bssid(sm, bssid) < 0) {
f049052b
BG		 195 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
196 "Failed to read BSSID for EAPOL-Key request");
6fc6879b
JM		 197 return;
198 }
199
5e3b5197 200 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 201 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 202 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 203 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 204 if (rbuf == NULL)
205 return;
206
a14896e8
JM		 207 reply->type = (sm->proto == WPA_PROTO_RSN ||
208 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 209 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
210 key_info = WPA_KEY_INFO_REQUEST | ver;
211 if (sm->ptk_set)
4a26ccda
JM		 212 key_info |= WPA_KEY_INFO_SECURE;
213 if (sm->ptk_set && mic_len)
214 key_info |= WPA_KEY_INFO_MIC;
6fc6879b
JM		 215 if (error)
216 key_info |= WPA_KEY_INFO_ERROR;
217 if (pairwise)
218 key_info |= WPA_KEY_INFO_KEY_TYPE;
219 WPA_PUT_BE16(reply->key_info, key_info);
220 WPA_PUT_BE16(reply->key_length, 0);
221 os_memcpy(reply->replay_counter, sm->request_counter,
222 WPA_REPLAY_COUNTER_LEN);
223 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
224
6d014ffc
JM		 225 mic = (u8 *) (reply + 1);
226 WPA_PUT_BE16(mic + mic_len, 0);
5e3b5197
JM		 227 if (!(key_info & WPA_KEY_INFO_MIC))
228 key_mic = NULL;
229 else
6d014ffc 230 key_mic = mic;
6fc6879b 231
f049052b
BG		 232 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
233 "WPA: Sending EAPOL-Key Request (error=%d "
234 "pairwise=%d ptk_set=%d len=%lu)",
235 error, pairwise, sm->ptk_set, (unsigned long) rlen);
1049af7e
JM		 236 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
237 key_mic);
6fc6879b
JM		 238}
239
240
b41f2684
CL		 241static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
242{
243#ifdef CONFIG_IEEE80211R
244 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
245 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
246 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
247 "RSN: Cannot set low order 256 bits of MSK for key management offload");
248 } else {
249#endif /* CONFIG_IEEE80211R */
250 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
251 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
252 "RSN: Cannot set PMK for key management offload");
253#ifdef CONFIG_IEEE80211R
254 }
255#endif /* CONFIG_IEEE80211R */
256}
257
258
6fc6879b
JM		 259static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
260 const unsigned char *src_addr,
261 const u8 *pmkid)
262{
263 int abort_cached = 0;
264
265 if (pmkid && !sm->cur_pmksa) {
266 /* When using drivers that generate RSN IE, wpa_supplicant may
267 * not have enough time to get the association information
268 * event before receiving this 1/4 message, so try to find a
269 * matching PMKSA cache entry here. */
96efeeb6
JM		 270 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
271 NULL);
6fc6879b 272 if (sm->cur_pmksa) {
f049052b
BG		 273 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
274 "RSN: found matching PMKID from PMKSA cache");
6fc6879b 275 } else {
f049052b
BG		 276 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
277 "RSN: no matching PMKID found");
6fc6879b
JM		 278 abort_cached = 1;
279 }
280 }
281
282 if (pmkid && sm->cur_pmksa &&
0d15b69f 283 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
6fc6879b
JM		 284 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
285 wpa_sm_set_pmk_from_pmksa(sm);
286 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
287 sm->pmk, sm->pmk_len);
288 eapol_sm_notify_cached(sm->eapol);
289#ifdef CONFIG_IEEE80211R
290 sm->xxkey_len = 0;
291#endif /* CONFIG_IEEE80211R */
56586197 292 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
6fc6879b 293 int res, pmk_len;
207976f0 294
834c5d68 295 if (wpa_key_mgmt_sha384(sm->key_mgmt))
207976f0
JM		 296 pmk_len = PMK_LEN_SUITE_B_192;
297 else
298 pmk_len = PMK_LEN;
299 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
6fc6879b 300 if (res) {
207976f0
JM		 301 if (pmk_len == PMK_LEN) {
302 /*
303 * EAP-LEAP is an exception from other EAP
304 * methods: it uses only 16-byte PMK.
305 */
306 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
307 pmk_len = 16;
308 }
6fc6879b
JM		 309 } else {
310#ifdef CONFIG_IEEE80211R
311 u8 buf[2 * PMK_LEN];
312 if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
313 {
314 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
315 sm->xxkey_len = PMK_LEN;
316 os_memset(buf, 0, sizeof(buf));
317 }
318#endif /* CONFIG_IEEE80211R */
319 }
320 if (res == 0) {
a7f10d65 321 struct rsn_pmksa_cache_entry *sa = NULL;
869af307
JM		 322 const u8 *fils_cache_id = NULL;
323
324#ifdef CONFIG_FILS
325 if (sm->fils_cache_id_set)
326 fils_cache_id = sm->fils_cache_id;
327#endif /* CONFIG_FILS */
328
6fc6879b
JM		 329 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
330 "machines", sm->pmk, pmk_len);
331 sm->pmk_len = pmk_len;
b41f2684 332 wpa_supplicant_key_mgmt_set_pmk(sm);
715ed737 333 if (sm->proto == WPA_PROTO_RSN &&
087a1f4e 334 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
715ed737 335 !wpa_key_mgmt_ft(sm->key_mgmt)) {
a7f10d65 336 sa = pmksa_cache_add(sm->pmksa,
70c93963 337 sm->pmk, pmk_len, NULL,
087a1f4e 338 NULL, 0,
a7f10d65
JM		 339 src_addr, sm->own_addr,
340 sm->network_ctx,
869af307
JM		 341 sm->key_mgmt,
342 fils_cache_id);
f5a51b58 343 }
6fc6879b 344 if (!sm->cur_pmksa && pmkid &&
96efeeb6
JM		 345 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL))
346 {
f049052b
BG		 347 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
348 "RSN: the new PMK matches with the "
349 "PMKID");
6fc6879b 350 abort_cached = 0;
bddc51e8
JM		 351 } else if (sa && !sm->cur_pmksa && pmkid) {
352 /*
353 * It looks like the authentication server
354 * derived mismatching MSK. This should not
355 * really happen, but bugs happen.. There is not
356 * much we can do here without knowing what
357 * exactly caused the server to misbehave.
358 */
62417667 359 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
bddc51e8
JM		 360 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
361 return -1;
6fc6879b 362 }
a7f10d65
JM		 363
364 if (!sm->cur_pmksa)
365 sm->cur_pmksa = sa;
6fc6879b 366 } else {
0f057fb2 367 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6fc6879b 368 "WPA: Failed to get master session key from "
f049052b
BG		 369 "EAPOL state machines - key handshake "
370 "aborted");
6fc6879b 371 if (sm->cur_pmksa) {
f049052b
BG		 372 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
373 "RSN: Cancelled PMKSA caching "
374 "attempt");
6fc6879b
JM		 375 sm->cur_pmksa = NULL;
376 abort_cached = 1;
1ac2d4a9 377 } else if (!abort_cached) {
6fc6879b
JM		 378 return -1;
379 }
380 }
381 }
382
715ed737 383 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
087a1f4e 384 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
a14896e8
JM		 385 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
386 {
6fc6879b
JM		 387 /* Send EAPOL-Start to trigger full EAP authentication. */
388 u8 *buf;
389 size_t buflen;
390
f049052b
BG		 391 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
392 "RSN: no PMKSA entry found - trigger "
393 "full EAP authentication");
6fc6879b
JM		 394 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
395 NULL, 0, &buflen, NULL);
396 if (buf) {
397 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
398 buf, buflen);
399 os_free(buf);
b4a1256d 400 return -2;
6fc6879b
JM		 401 }
402
403 return -1;
404 }
405
406 return 0;
407}
408
409
410/**
411 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
412 * @sm: Pointer to WPA state machine data from wpa_sm_init()
413 * @dst: Destination address for the frame
414 * @key: Pointer to the EAPOL-Key frame header
415 * @ver: Version bits from EAPOL-Key Key Info
416 * @nonce: Nonce value for the EAPOL-Key frame
417 * @wpa_ie: WPA/RSN IE
418 * @wpa_ie_len: Length of the WPA/RSN IE
419 * @ptk: PTK to use for keyed hash and encryption
c93b7e18 420 * Returns: >= 0 on success, < 0 on failure
6fc6879b
JM		 421 */
422int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
423 const struct wpa_eapol_key *key,
424 int ver, const u8 *nonce,
425 const u8 *wpa_ie, size_t wpa_ie_len,
426 struct wpa_ptk *ptk)
427{
5e3b5197 428 size_t mic_len, hdrlen, rlen;
6fc6879b 429 struct wpa_eapol_key *reply;
5e3b5197 430 u8 *rbuf, *key_mic;
26e23750 431 u8 *rsn_ie_buf = NULL;
4a26ccda 432 u16 key_info;
6fc6879b
JM		 433
434 if (wpa_ie == NULL) {
f049052b
BG		 435 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
436 "cannot generate msg 2/4");
6fc6879b
JM		 437 return -1;
438 }
439
26e23750
JM		 440#ifdef CONFIG_IEEE80211R
441 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
442 int res;
443
55046414
JM		 444 /*
445 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
446 * FTIE from (Re)Association Response.
447 */
448 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
449 sm->assoc_resp_ies_len);
26e23750
JM		 450 if (rsn_ie_buf == NULL)
451 return -1;
452 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
59e78c24 453 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
26e23750
JM		 454 sm->pmk_r1_name);
455 if (res < 0) {
456 os_free(rsn_ie_buf);
457 return -1;
458 }
55046414
JM		 459
460 if (sm->assoc_resp_ies) {
461 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
462 sm->assoc_resp_ies_len);
463 wpa_ie_len += sm->assoc_resp_ies_len;
464 }
26e23750
JM		 465
466 wpa_ie = rsn_ie_buf;
26e23750
JM		 467 }
468#endif /* CONFIG_IEEE80211R */
469
6fc6879b
JM		 470 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
471
5e3b5197 472 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 473 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 474 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
5e3b5197 475 NULL, hdrlen + wpa_ie_len,
6fc6879b 476 &rlen, (void *) &reply);
26e23750
JM		 477 if (rbuf == NULL) {
478 os_free(rsn_ie_buf);
6fc6879b 479 return -1;
26e23750 480 }
6fc6879b 481
a14896e8
JM		 482 reply->type = (sm->proto == WPA_PROTO_RSN ||
483 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b 484 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
4a26ccda
JM		 485 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
486 if (mic_len)
487 key_info |= WPA_KEY_INFO_MIC;
2022f1d0
JM		 488 else
489 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
4a26ccda 490 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 491 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 492 WPA_PUT_BE16(reply->key_length, 0);
493 else
494 os_memcpy(reply->key_length, key->key_length, 2);
495 os_memcpy(reply->replay_counter, key->replay_counter,
496 WPA_REPLAY_COUNTER_LEN);
bc8318ac
JM		 497 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
498 WPA_REPLAY_COUNTER_LEN);
6fc6879b 499
6d014ffc
JM		 500 key_mic = (u8 *) (reply + 1);
501 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
502 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
26e23750 503 os_free(rsn_ie_buf);
6fc6879b
JM		 504
505 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
506
f049052b 507 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
1049af7e
JM		 508 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
509 key_mic);
6fc6879b
JM		 510}
511
512
513static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
98cd3d1c 514 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
6fc6879b
JM		 515{
516#ifdef CONFIG_IEEE80211R
56586197 517 if (wpa_key_mgmt_ft(sm->key_mgmt))
98cd3d1c 518 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
6fc6879b
JM		 519#endif /* CONFIG_IEEE80211R */
520
98cd3d1c
JM		 521 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
522 sm->own_addr, sm->bssid, sm->snonce,
523 key->key_nonce, ptk, sm->key_mgmt,
524 sm->pairwise_cipher);
6fc6879b
JM		 525}
526
527
528static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
529 const unsigned char *src_addr,
530 const struct wpa_eapol_key *key,
e6270129
JM		 531 u16 ver, const u8 *key_data,
532 size_t key_data_len)
6fc6879b
JM		 533{
534 struct wpa_eapol_ie_parse ie;
535 struct wpa_ptk *ptk;
b4a1256d 536 int res;
25ef8529
JM		 537 u8 *kde, *kde_buf = NULL;
538 size_t kde_len;
6fc6879b
JM		 539
540 if (wpa_sm_get_network_ctx(sm) == NULL) {
f049052b
BG		 541 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
542 "found (msg 1 of 4)");
6fc6879b
JM		 543 return;
544 }
545
546 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
f049052b
BG		 547 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
548 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
6fc6879b
JM		 549
550 os_memset(&ie, 0, sizeof(ie));
551
a14896e8 552 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
6fc6879b 553 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
e6270129
JM		 554 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
555 key_data, key_data_len);
556 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
d627a939 557 goto failed;
6fc6879b
JM		 558 if (ie.pmkid) {
559 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
560 "Authenticator", ie.pmkid, PMKID_LEN);
561 }
562 }
6fc6879b 563
b4a1256d
JM		 564 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
565 if (res == -2) {
f049052b
BG		 566 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
567 "msg 1/4 - requesting full EAP authentication");
b4a1256d
JM		 568 return;
569 }
570 if (res)
83935317 571 goto failed;
6fc6879b
JM		 572
573 if (sm->renew_snonce) {
3642c431 574 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
0f057fb2 575 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6fc6879b 576 "WPA: Failed to get random data for SNonce");
83935317 577 goto failed;
6fc6879b
JM		 578 }
579 sm->renew_snonce = 0;
580 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
581 sm->snonce, WPA_NONCE_LEN);
582 }
583
584 /* Calculate PTK which will be stored as a temporary PTK until it has
585 * been verified when processing message 3/4. */
586 ptk = &sm->tptk;
587 wpa_derive_ptk(sm, src_addr, key, ptk);
3b9c5176 588 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
d2c33b91 589 u8 buf[8];
3b9c5176 590 /* Supplicant: swap tx/rx Mic keys */
98cd3d1c
JM		 591 os_memcpy(buf, &ptk->tk[16], 8);
592 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
593 os_memcpy(&ptk->tk[24], buf, 8);
d2c33b91 594 os_memset(buf, 0, sizeof(buf));
3b9c5176 595 }
6fc6879b 596 sm->tptk_set = 1;
ad00d64e 597 sm->tk_to_set = 1;
6fc6879b 598
25ef8529
JM		 599 kde = sm->assoc_wpa_ie;
600 kde_len = sm->assoc_wpa_ie_len;
601
602#ifdef CONFIG_P2P
603 if (sm->p2p) {
604 kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1);
605 if (kde_buf) {
606 u8 *pos;
607 wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE "
608 "into EAPOL-Key 2/4");
609 os_memcpy(kde_buf, kde, kde_len);
610 kde = kde_buf;
611 pos = kde + kde_len;
612 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
613 *pos++ = RSN_SELECTOR_LEN + 1;
614 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
615 pos += RSN_SELECTOR_LEN;
616 *pos++ = 0x01;
617 kde_len = pos - kde;
618 }
619 }
620#endif /* CONFIG_P2P */
621
6fc6879b 622 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
c93b7e18 623 kde, kde_len, ptk) < 0)
83935317 624 goto failed;
6fc6879b 625
25ef8529 626 os_free(kde_buf);
6fc6879b 627 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
83935317
JM		 628 return;
629
630failed:
25ef8529 631 os_free(kde_buf);
83935317 632 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 633}
634
635
636static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
637{
638 struct wpa_sm *sm = eloop_ctx;
639 rsn_preauth_candidate_process(sm);
640}
641
642
643static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
644 const u8 *addr, int secure)
645{
0f057fb2
JM		 646 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
647 "WPA: Key negotiation completed with "
6fc6879b
JM		 648 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
649 wpa_cipher_txt(sm->pairwise_cipher),
650 wpa_cipher_txt(sm->group_cipher));
6fc6879b
JM		 651 wpa_sm_cancel_auth_timeout(sm);
652 wpa_sm_set_state(sm, WPA_COMPLETED);
653
654 if (secure) {
655 wpa_sm_mlme_setprotection(
656 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
657 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
658 eapol_sm_notify_portValid(sm->eapol, TRUE);
a1ea1b45
JM		 659 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
660 sm->key_mgmt == WPA_KEY_MGMT_OWE)
6fc6879b
JM		 661 eapol_sm_notify_eap_success(sm->eapol, TRUE);
662 /*
663 * Start preauthentication after a short wait to avoid a
664 * possible race condition between the data receive and key
665 * configuration after the 4-Way Handshake. This increases the
ffbf1eaa 666 * likelihood of the first preauth EAPOL-Start frame getting to
6fc6879b
JM		 667 * the target AP.
668 */
669 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL);
670 }
671
672 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
f049052b
BG		 673 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
674 "RSN: Authenticator accepted "
675 "opportunistic PMKSA entry - marking it valid");
6fc6879b
JM		 676 sm->cur_pmksa->opportunistic = 0;
677 }
678
679#ifdef CONFIG_IEEE80211R
56586197 680 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6fc6879b 681 /* Prepare for the next transition */
76b7981d 682 wpa_ft_prepare_auth_request(sm, NULL);
6fc6879b
JM		 683 }
684#endif /* CONFIG_IEEE80211R */
685}
686
687
581a8cde
JM		 688static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
689{
690 struct wpa_sm *sm = eloop_ctx;
f049052b 691 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
581a8cde
JM		 692 wpa_sm_key_request(sm, 0, 1);
693}
694
695
6fc6879b
JM		 696static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
697 const struct wpa_eapol_key *key)
698{
699 int keylen, rsclen;
71934751 700 enum wpa_alg alg;
6fc6879b 701 const u8 *key_rsc;
6fc6879b 702
ad00d64e
JM		 703 if (!sm->tk_to_set) {
704 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
705 "WPA: Do not re-install same PTK to the driver");
706 return 0;
707 }
708
f049052b
BG		 709 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
710 "WPA: Installing PTK to the driver");
6fc6879b 711
c3550295 712 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
f049052b
BG		 713 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
714 "Suite: NONE - do not use pairwise keys");
6fc6879b 715 return 0;
c3550295
JM		 716 }
717
718 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
f049052b
BG		 719 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
720 "WPA: Unsupported pairwise cipher %d",
721 sm->pairwise_cipher);
6fc6879b
JM		 722 return -1;
723 }
724
c3550295
JM		 725 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
726 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
727 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
728
a14896e8 729 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
6fc6879b
JM		 730 key_rsc = null_rsc;
731 } else {
732 key_rsc = key->key_rsc;
733 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
734 }
735
736 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
98cd3d1c 737 sm->ptk.tk, keylen) < 0) {
f049052b
BG		 738 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
739 "WPA: Failed to set PTK to the "
740 "driver (alg=%d keylen=%d bssid=" MACSTR ")",
741 alg, keylen, MAC2STR(sm->bssid));
6fc6879b
JM		 742 return -1;
743 }
581a8cde 744
7d711541 745 /* TK is not needed anymore in supplicant */
98cd3d1c 746 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
ad00d64e 747 sm->tk_to_set = 0;
7d711541 748
581a8cde
JM		 749 if (sm->wpa_ptk_rekey) {
750 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
751 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
752 sm, NULL);
753 }
754
6fc6879b
JM		 755 return 0;
756}
757
758
f049052b
BG		 759static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
760 int group_cipher,
6fc6879b 761 int keylen, int maxkeylen,
71934751
JM		 762 int *key_rsc_len,
763 enum wpa_alg *alg)
6fc6879b 764{
c3550295 765 int klen;
6fc6879b 766
c3550295
JM		 767 *alg = wpa_cipher_to_alg(group_cipher);
768 if (*alg == WPA_ALG_NONE) {
f049052b
BG		 769 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
770 "WPA: Unsupported Group Cipher %d",
771 group_cipher);
6fc6879b
JM		 772 return -1;
773 }
c3550295 774 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
6fc6879b 775
c3550295
JM		 776 klen = wpa_cipher_key_len(group_cipher);
777 if (keylen != klen || maxkeylen < klen) {
f049052b
BG		 778 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
779 "WPA: Unsupported %s Group Cipher key length %d (%d)",
780 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
c3550295 781 return -1;
6fc6879b 782 }
c3550295 783 return 0;
6fc6879b
JM		 784}
785
786
787struct wpa_gtk_data {
71934751 788 enum wpa_alg alg;
6fc6879b
JM		 789 int tx, key_rsc_len, keyidx;
790 u8 gtk[32];
791 int gtk_len;
792};
793
794
795static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
796 const struct wpa_gtk_data *gd,
797 const u8 *key_rsc)
798{
799 const u8 *_gtk = gd->gtk;
800 u8 gtk_buf[32];
801
802 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
f049052b
BG		 803 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
804 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
805 gd->keyidx, gd->tx, gd->gtk_len);
6fc6879b
JM		 806 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
807 if (sm->group_cipher == WPA_CIPHER_TKIP) {
808 /* Swap Tx/Rx keys for Michael MIC */
809 os_memcpy(gtk_buf, gd->gtk, 16);
810 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
811 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
812 _gtk = gtk_buf;
813 }
814 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
0382097e 815 if (wpa_sm_set_key(sm, gd->alg, NULL,
6fc6879b
JM		 816 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
817 _gtk, gd->gtk_len) < 0) {
f049052b
BG		 818 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
819 "WPA: Failed to set GTK to the driver "
820 "(Group only)");
d2c33b91 821 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 822 return -1;
823 }
0382097e 824 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
6fc6879b
JM		 825 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
826 _gtk, gd->gtk_len) < 0) {
f049052b
BG		 827 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
828 "WPA: Failed to set GTK to "
829 "the driver (alg=%d keylen=%d keyidx=%d)",
830 gd->alg, gd->gtk_len, gd->keyidx);
d2c33b91 831 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 832 return -1;
833 }
d2c33b91 834 os_memset(gtk_buf, 0, sizeof(gtk_buf));
6fc6879b
JM		 835
836 return 0;
837}
838
839
840static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
841 int tx)
842{
843 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
844 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
845 * seemed to set this bit (incorrectly, since Tx is only when
846 * doing Group Key only APs) and without this workaround, the
847 * data connection does not work because wpa_supplicant
848 * configured non-zero keyidx to be used for unicast. */
f049052b
BG		 849 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
850 "WPA: Tx bit set for GTK, but pairwise "
851 "keys are used - ignore Tx bit");
6fc6879b
JM		 852 return 0;
853 }
854 return tx;
855}
856
857
73ed03f3
MS		 858static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
859 const u8 *rsc)
860{
861 int rsclen;
862
863 if (!sm->wpa_rsc_relaxation)
864 return 0;
865
866 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
867
868 /*
869 * Try to detect RSC (endian) corruption issue where the AP sends
870 * the RSC bytes in EAPOL-Key message in the wrong order, both if
871 * it's actually a 6-byte field (as it should be) and if it treats
872 * it as an 8-byte field.
873 * An AP model known to have this bug is the Sapido RB-1632.
874 */
875 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
876 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
877 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
878 rsc[0], rsc[1], rsc[2], rsc[3],
879 rsc[4], rsc[5], rsc[6], rsc[7]);
880
881 return 1;
882 }
883
884 return 0;
885}
886
887
6fc6879b
JM		 888static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
889 const struct wpa_eapol_key *key,
890 const u8 *gtk, size_t gtk_len,
891 int key_info)
892{
6fc6879b 893 struct wpa_gtk_data gd;
73ed03f3 894 const u8 *key_rsc;
6fc6879b
JM		 895
896 /*
897 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
898 * GTK KDE format:
899 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
900 * Reserved [bits 0-7]
901 * GTK
902 */
903
904 os_memset(&gd, 0, sizeof(gd));
905 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
906 gtk, gtk_len);
907
908 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
909 return -1;
910
911 gd.keyidx = gtk[0] & 0x3;
912 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
913 !!(gtk[0] & BIT(2)));
914 gtk += 2;
915 gtk_len -= 2;
916
917 os_memcpy(gd.gtk, gtk, gtk_len);
918 gd.gtk_len = gtk_len;
919
73ed03f3
MS		 920 key_rsc = key->key_rsc;
921 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
922 key_rsc = null_rsc;
923
dff1e285
JM		 924 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
925 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
926 gtk_len, gtk_len,
927 &gd.key_rsc_len, &gd.alg) ||
73ed03f3 928 wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
f049052b
BG		 929 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
930 "RSN: Failed to install GTK");
d2c33b91 931 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 932 return -1;
933 }
d2c33b91 934 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 935
936 wpa_supplicant_key_neg_complete(sm, sm->bssid,
937 key_info & WPA_KEY_INFO_SECURE);
938 return 0;
6fc6879b
JM		 939}
940
941
942static int ieee80211w_set_keys(struct wpa_sm *sm,
943 struct wpa_eapol_ie_parse *ie)
944{
945#ifdef CONFIG_IEEE80211W
8dd9f9cd 946 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
6fc6879b
JM		 947 return 0;
948
949 if (ie->igtk) {
8dd9f9cd 950 size_t len;
6fc6879b
JM		 951 const struct wpa_igtk_kde *igtk;
952 u16 keyidx;
8dd9f9cd
JM		 953 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
954 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
6fc6879b
JM		 955 return -1;
956 igtk = (const struct wpa_igtk_kde *) ie->igtk;
957 keyidx = WPA_GET_LE16(igtk->keyid);
f049052b
BG		 958 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
959 "pn %02x%02x%02x%02x%02x%02x",
960 keyidx, MAC2STR(igtk->pn));
6fc6879b 961 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
8dd9f9cd 962 igtk->igtk, len);
6fc6879b 963 if (keyidx > 4095) {
f049052b
BG		 964 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
965 "WPA: Invalid IGTK KeyID %d", keyidx);
6fc6879b
JM		 966 return -1;
967 }
8dd9f9cd
JM		 968 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
969 broadcast_ether_addr,
6fc6879b 970 keyidx, 0, igtk->pn, sizeof(igtk->pn),
8dd9f9cd 971 igtk->igtk, len) < 0) {
f049052b
BG		 972 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
973 "WPA: Failed to configure IGTK to the driver");
6fc6879b
JM		 974 return -1;
975 }
976 }
977
978 return 0;
979#else /* CONFIG_IEEE80211W */
980 return 0;
981#endif /* CONFIG_IEEE80211W */
982}
983
984
985static void wpa_report_ie_mismatch(struct wpa_sm *sm,
986 const char *reason, const u8 *src_addr,
987 const u8 *wpa_ie, size_t wpa_ie_len,
988 const u8 *rsn_ie, size_t rsn_ie_len)
989{
0f057fb2 990 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
6fc6879b
JM		 991 reason, MAC2STR(src_addr));
992
993 if (sm->ap_wpa_ie) {
994 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
995 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
996 }
997 if (wpa_ie) {
998 if (!sm->ap_wpa_ie) {
f049052b
BG		 999 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1000 "WPA: No WPA IE in Beacon/ProbeResp");
6fc6879b
JM		 1001 }
1002 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1003 wpa_ie, wpa_ie_len);
1004 }
1005
1006 if (sm->ap_rsn_ie) {
1007 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1008 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1009 }
1010 if (rsn_ie) {
1011 if (!sm->ap_rsn_ie) {
f049052b
BG		 1012 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1013 "WPA: No RSN IE in Beacon/ProbeResp");
6fc6879b
JM		 1014 }
1015 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1016 rsn_ie, rsn_ie_len);
1017 }
1018
3da372fa 1019 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
6fc6879b
JM		 1020}
1021
1022
5af8187e
JM		 1023#ifdef CONFIG_IEEE80211R
1024
1025static int ft_validate_mdie(struct wpa_sm *sm,
1026 const unsigned char *src_addr,
3b4f6dac
JM		 1027 struct wpa_eapol_ie_parse *ie,
1028 const u8 *assoc_resp_mdie)
5af8187e
JM		 1029{
1030 struct rsn_mdie *mdie;
1031
5af8187e
JM		 1032 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1033 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1034 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1035 MOBILITY_DOMAIN_ID_LEN) != 0) {
f049052b
BG		 1036 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1037 "not match with the current mobility domain");
5af8187e
JM		 1038 return -1;
1039 }
1040
3b4f6dac
JM		 1041 if (assoc_resp_mdie &&
1042 (assoc_resp_mdie[1] != ie->mdie[1] ||
1043 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
f049052b 1044 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
3b4f6dac
JM		 1045 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1046 ie->mdie, 2 + ie->mdie[1]);
1047 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1048 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1049 return -1;
1050 }
1051
1052 return 0;
1053}
1054
1055
1056static int ft_validate_ftie(struct wpa_sm *sm,
1057 const unsigned char *src_addr,
1058 struct wpa_eapol_ie_parse *ie,
1059 const u8 *assoc_resp_ftie)
1060{
1061 if (ie->ftie == NULL) {
f049052b
BG		 1062 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1063 "FT: No FTIE in EAPOL-Key msg 3/4");
3b4f6dac
JM		 1064 return -1;
1065 }
1066
1067 if (assoc_resp_ftie == NULL)
1068 return 0;
1069
1070 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1071 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
f049052b 1072 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
3b4f6dac
JM		 1073 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1074 ie->ftie, 2 + ie->ftie[1]);
1075 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1076 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1077 return -1;
1078 }
1079
5af8187e
JM		 1080 return 0;
1081}
1082
1083
1084static int ft_validate_rsnie(struct wpa_sm *sm,
1085 const unsigned char *src_addr,
1086 struct wpa_eapol_ie_parse *ie)
1087{
1088 struct wpa_ie_data rsn;
1089
1090 if (!ie->rsn_ie)
1091 return 0;
1092
1093 /*
1094 * Verify that PMKR1Name from EAPOL-Key message 3/4
1095 * matches with the value we derived.
1096 */
1097 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1098 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
f049052b
BG		 1099 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1100 "FT 4-way handshake message 3/4");
5af8187e
JM		 1101 return -1;
1102 }
1103
0d15b69f
JM		 1104 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1105 {
f049052b
BG		 1106 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1107 "FT: PMKR1Name mismatch in "
1108 "FT 4-way handshake message 3/4");
5af8187e
JM		 1109 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1110 rsn.pmkid, WPA_PMK_NAME_LEN);
1111 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1112 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1113 return -1;
1114 }
1115
1116 return 0;
1117}
1118
1119
1120static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1121 const unsigned char *src_addr,
1122 struct wpa_eapol_ie_parse *ie)
1123{
3b4f6dac
JM		 1124 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1125
1126 if (sm->assoc_resp_ies) {
1127 pos = sm->assoc_resp_ies;
1128 end = pos + sm->assoc_resp_ies_len;
2461724c
JM		 1129 while (end - pos > 2) {
1130 if (2 + pos[1] > end - pos)
3b4f6dac
JM		 1131 break;
1132 switch (*pos) {
1133 case WLAN_EID_MOBILITY_DOMAIN:
1134 mdie = pos;
1135 break;
1136 case WLAN_EID_FAST_BSS_TRANSITION:
1137 ftie = pos;
1138 break;
1139 }
1140 pos += 2 + pos[1];
1141 }
1142 }
1143
1144 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1145 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
5af8187e
JM		 1146 ft_validate_rsnie(sm, src_addr, ie) < 0)
1147 return -1;
1148
1149 return 0;
1150}
1151
1152#endif /* CONFIG_IEEE80211R */
1153
1154
6fc6879b
JM		 1155static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1156 const unsigned char *src_addr,
1157 struct wpa_eapol_ie_parse *ie)
1158{
1159 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
f049052b
BG		 1160 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1161 "WPA: No WPA/RSN IE for this AP known. "
1162 "Trying to get from scan results");
6fc6879b 1163 if (wpa_sm_get_beacon_ie(sm) < 0) {
f049052b
BG		 1164 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1165 "WPA: Could not find AP from "
1166 "the scan results");
6fc6879b 1167 } else {
f049052b
BG		 1168 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1169 "WPA: Found the current AP from "
1170 "updated scan results");
6fc6879b
JM		 1171 }
1172 }
1173
1174 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1175 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1176 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1177 "with IE in Beacon/ProbeResp (no IE?)",
1178 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1179 ie->rsn_ie, ie->rsn_ie_len);
1180 return -1;
1181 }
1182
1183 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1184 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1185 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1186 (ie->rsn_ie && sm->ap_rsn_ie &&
26e23750
JM		 1187 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1188 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1189 ie->rsn_ie, ie->rsn_ie_len))) {
6fc6879b
JM		 1190 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1191 "with IE in Beacon/ProbeResp",
1192 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1193 ie->rsn_ie, ie->rsn_ie_len);
1194 return -1;
1195 }
1196
1197 if (sm->proto == WPA_PROTO_WPA &&
1198 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1199 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1200 "detected - RSN was enabled and RSN IE "
1201 "was in msg 3/4, but not in "
1202 "Beacon/ProbeResp",
1203 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1204 ie->rsn_ie, ie->rsn_ie_len);
1205 return -1;
1206 }
1207
1208#ifdef CONFIG_IEEE80211R
5af8187e
JM		 1209 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1210 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1211 return -1;
6fc6879b
JM		 1212#endif /* CONFIG_IEEE80211R */
1213
1214 return 0;
1215}
1216
1217
1218/**
1219 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1220 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1221 * @dst: Destination address for the frame
1222 * @key: Pointer to the EAPOL-Key frame header
1223 * @ver: Version bits from EAPOL-Key Key Info
1224 * @key_info: Key Info
6fc6879b 1225 * @ptk: PTK to use for keyed hash and encryption
c93b7e18 1226 * Returns: >= 0 on success, < 0 on failure
6fc6879b
JM		 1227 */
1228int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1229 const struct wpa_eapol_key *key,
1230 u16 ver, u16 key_info,
6fc6879b
JM		 1231 struct wpa_ptk *ptk)
1232{
5e3b5197 1233 size_t mic_len, hdrlen, rlen;
6fc6879b 1234 struct wpa_eapol_key *reply;
5e3b5197 1235 u8 *rbuf, *key_mic;
6fc6879b 1236
5e3b5197 1237 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1238 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 1239 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 1240 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 1241 if (rbuf == NULL)
1242 return -1;
1243
a14896e8
JM		 1244 reply->type = (sm->proto == WPA_PROTO_RSN ||
1245 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 1246 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1247 key_info &= WPA_KEY_INFO_SECURE;
4a26ccda
JM		 1248 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1249 if (mic_len)
1250 key_info |= WPA_KEY_INFO_MIC;
2022f1d0
JM		 1251 else
1252 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
6fc6879b 1253 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 1254 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 1255 WPA_PUT_BE16(reply->key_length, 0);
1256 else
1257 os_memcpy(reply->key_length, key->key_length, 2);
1258 os_memcpy(reply->replay_counter, key->replay_counter,
1259 WPA_REPLAY_COUNTER_LEN);
1260
6d014ffc
JM		 1261 key_mic = (u8 *) (reply + 1);
1262 WPA_PUT_BE16(key_mic + mic_len, 0);
6fc6879b 1263
f049052b 1264 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1049af7e
JM		 1265 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1266 key_mic);
6fc6879b
JM		 1267}
1268
1269
1270static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1271 const struct wpa_eapol_key *key,
e6270129
JM		 1272 u16 ver, const u8 *key_data,
1273 size_t key_data_len)
6fc6879b 1274{
e6270129 1275 u16 key_info, keylen;
6fc6879b
JM		 1276 struct wpa_eapol_ie_parse ie;
1277
1278 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
f049052b
BG		 1279 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1280 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
6fc6879b
JM		 1281
1282 key_info = WPA_GET_BE16(key->key_info);
1283
e6270129
JM		 1284 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1285 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
d627a939 1286 goto failed;
6fc6879b 1287 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1288 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1289 "WPA: GTK IE in unencrypted key data");
83935317 1290 goto failed;
6fc6879b
JM		 1291 }
1292#ifdef CONFIG_IEEE80211W
1293 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1294 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1295 "WPA: IGTK KDE in unencrypted key data");
83935317 1296 goto failed;
6fc6879b
JM		 1297 }
1298
8dd9f9cd
JM		 1299 if (ie.igtk &&
1300 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1301 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1302 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
f049052b
BG		 1303 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1304 "WPA: Invalid IGTK KDE length %lu",
1305 (unsigned long) ie.igtk_len);
83935317 1306 goto failed;
6fc6879b
JM		 1307 }
1308#endif /* CONFIG_IEEE80211W */
1309
1310 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
83935317 1311 goto failed;
6fc6879b
JM		 1312
1313 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
f049052b
BG		 1314 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1315 "WPA: ANonce from message 1 of 4-Way Handshake "
1316 "differs from 3 of 4-Way Handshake - drop packet (src="
1317 MACSTR ")", MAC2STR(sm->bssid));
83935317 1318 goto failed;
6fc6879b
JM		 1319 }
1320
1321 keylen = WPA_GET_BE16(key->key_length);
c3550295
JM		 1322 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1323 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1324 "WPA: Invalid %s key length %d (src=" MACSTR
1325 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1326 MAC2STR(sm->bssid));
1327 goto failed;
6fc6879b
JM		 1328 }
1329
25ef8529
JM		 1330#ifdef CONFIG_P2P
1331 if (ie.ip_addr_alloc) {
1332 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1333 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1334 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1335 }
1336#endif /* CONFIG_P2P */
1337
6fc6879b 1338 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
c93b7e18 1339 &sm->ptk) < 0) {
83935317
JM		 1340 goto failed;
1341 }
6fc6879b
JM		 1342
1343 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1344 * for the next 4-Way Handshake. If msg 3 is received again, the old
1345 * SNonce will still be used to avoid changing PTK. */
1346 sm->renew_snonce = 1;
1347
1348 if (key_info & WPA_KEY_INFO_INSTALL) {
83935317
JM		 1349 if (wpa_supplicant_install_ptk(sm, key))
1350 goto failed;
6fc6879b
JM		 1351 }
1352
1353 if (key_info & WPA_KEY_INFO_SECURE) {
1354 wpa_sm_mlme_setprotection(
1355 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1356 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1357 eapol_sm_notify_portValid(sm->eapol, TRUE);
1358 }
1359 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1360
dff1e285
JM		 1361 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1362 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1363 key_info & WPA_KEY_INFO_SECURE);
1364 } else if (ie.gtk &&
6fc6879b
JM		 1365 wpa_supplicant_pairwise_gtk(sm, key,
1366 ie.gtk, ie.gtk_len, key_info) < 0) {
f049052b
BG		 1367 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1368 "RSN: Failed to configure GTK");
83935317 1369 goto failed;
6fc6879b
JM		 1370 }
1371
83935317 1372 if (ieee80211w_set_keys(sm, &ie) < 0) {
f049052b
BG		 1373 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1374 "RSN: Failed to configure IGTK");
83935317
JM		 1375 goto failed;
1376 }
1377
392e68e8
SD		 1378 if (ie.gtk)
1379 wpa_sm_set_rekey_offload(sm);
b14a210c 1380
087a1f4e
JM		 1381 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt)) {
1382 struct rsn_pmksa_cache_entry *sa;
1383
70c93963 1384 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
98cd3d1c 1385 sm->ptk.kck, sm->ptk.kck_len,
087a1f4e 1386 sm->bssid, sm->own_addr,
869af307 1387 sm->network_ctx, sm->key_mgmt, NULL);
087a1f4e
JM		 1388 if (!sm->cur_pmksa)
1389 sm->cur_pmksa = sa;
1390 }
1391
761396e4 1392 sm->msg_3_of_4_ok = 1;
83935317
JM		 1393 return;
1394
1395failed:
1396 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 1397}
1398
1399
1400static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1401 const u8 *keydata,
1402 size_t keydatalen,
1403 u16 key_info,
1404 struct wpa_gtk_data *gd)
1405{
1406 int maxkeylen;
1407 struct wpa_eapol_ie_parse ie;
1408
ecbdc1a1
JM		 1409 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1410 keydata, keydatalen);
d627a939
JM		 1411 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1412 return -1;
6fc6879b 1413 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
f049052b
BG		 1414 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1415 "WPA: GTK IE in unencrypted key data");
6fc6879b
JM		 1416 return -1;
1417 }
1418 if (ie.gtk == NULL) {
f049052b
BG		 1419 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1420 "WPA: No GTK IE in Group Key msg 1/2");
6fc6879b
JM		 1421 return -1;
1422 }
1423 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1424
f049052b 1425 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6fc6879b
JM		 1426 gd->gtk_len, maxkeylen,
1427 &gd->key_rsc_len, &gd->alg))
1428 return -1;
1429
7cb9bb4d
JM		 1430 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1431 ie.gtk, ie.gtk_len);
6fc6879b
JM		 1432 gd->keyidx = ie.gtk[0] & 0x3;
1433 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1434 !!(ie.gtk[0] & BIT(2)));
1435 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
f049052b
BG		 1436 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1437 "RSN: Too long GTK in GTK IE (len=%lu)",
1438 (unsigned long) ie.gtk_len - 2);
6fc6879b
JM		 1439 return -1;
1440 }
1441 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1442
1443 if (ieee80211w_set_keys(sm, &ie) < 0)
f049052b
BG		 1444 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1445 "RSN: Failed to configure IGTK");
6fc6879b
JM		 1446
1447 return 0;
1448}
1449
1450
1451static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1452 const struct wpa_eapol_key *key,
e6270129
JM		 1453 const u8 *key_data,
1454 size_t key_data_len, u16 key_info,
1455 u16 ver, struct wpa_gtk_data *gd)
6fc6879b
JM		 1456{
1457 size_t maxkeylen;
c397eff8 1458 u16 gtk_len;
6fc6879b 1459
c397eff8 1460 gtk_len = WPA_GET_BE16(key->key_length);
e6270129 1461 maxkeylen = key_data_len;
6fc6879b
JM		 1462 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1463 if (maxkeylen < 8) {
f049052b
BG		 1464 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1465 "WPA: Too short maxkeylen (%lu)",
1466 (unsigned long) maxkeylen);
6fc6879b
JM		 1467 return -1;
1468 }
1469 maxkeylen -= 8;
1470 }
1471
c397eff8
JM		 1472 if (gtk_len > maxkeylen ||
1473 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1474 gtk_len, maxkeylen,
6fc6879b
JM		 1475 &gd->key_rsc_len, &gd->alg))
1476 return -1;
1477
c397eff8 1478 gd->gtk_len = gtk_len;
6fc6879b
JM		 1479 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1480 WPA_KEY_INFO_KEY_INDEX_SHIFT;
98cd3d1c 1481 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
7cb53ded
JM		 1482#ifdef CONFIG_NO_RC4
1483 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1484 "WPA: RC4 not supported in the build");
1485 return -1;
1486#else /* CONFIG_NO_RC4 */
d2c33b91 1487 u8 ek[32];
e6270129 1488 if (key_data_len > sizeof(gd->gtk)) {
f049052b
BG		 1489 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1490 "WPA: RC4 key data too long (%lu)",
e6270129 1491 (unsigned long) key_data_len);
6fc6879b
JM		 1492 return -1;
1493 }
d2c33b91 1494 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1495 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
e6270129
JM		 1496 os_memcpy(gd->gtk, key_data, key_data_len);
1497 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
d2c33b91 1498 os_memset(ek, 0, sizeof(ek));
f049052b
BG		 1499 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1500 "WPA: RC4 failed");
7a215dfc
JM		 1501 return -1;
1502 }
d2c33b91 1503 os_memset(ek, 0, sizeof(ek));
7cb53ded 1504#endif /* CONFIG_NO_RC4 */
6fc6879b 1505 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
e6270129 1506 if (maxkeylen % 8) {
f049052b
BG		 1507 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1508 "WPA: Unsupported AES-WRAP len %lu",
e6270129 1509 (unsigned long) maxkeylen);
6fc6879b
JM		 1510 return -1;
1511 }
1512 if (maxkeylen > sizeof(gd->gtk)) {
f049052b
BG		 1513 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1514 "WPA: AES-WRAP key data "
1515 "too long (keydatalen=%lu maxkeylen=%lu)",
e6270129 1516 (unsigned long) key_data_len,
f049052b 1517 (unsigned long) maxkeylen);
6fc6879b
JM		 1518 return -1;
1519 }
98cd3d1c
JM		 1520 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1521 key_data, gd->gtk)) {
f049052b
BG		 1522 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1523 "WPA: AES unwrap failed - could not decrypt "
1524 "GTK");
6fc6879b
JM		 1525 return -1;
1526 }
1527 } else {
f049052b
BG		 1528 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1529 "WPA: Unsupported key_info type %d", ver);
6fc6879b
JM		 1530 return -1;
1531 }
1532 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1533 sm, !!(key_info & WPA_KEY_INFO_TXRX));
1534 return 0;
1535}
1536
1537
1538static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1539 const struct wpa_eapol_key *key,
1540 int ver, u16 key_info)
1541{
5e3b5197 1542 size_t mic_len, hdrlen, rlen;
6fc6879b 1543 struct wpa_eapol_key *reply;
5e3b5197 1544 u8 *rbuf, *key_mic;
6fc6879b 1545
5e3b5197 1546 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1547 hdrlen = sizeof(*reply) + mic_len + 2;
6fc6879b 1548 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
5e3b5197 1549 hdrlen, &rlen, (void *) &reply);
6fc6879b
JM		 1550 if (rbuf == NULL)
1551 return -1;
1552
a14896e8
JM		 1553 reply->type = (sm->proto == WPA_PROTO_RSN ||
1554 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 1555 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1556 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
4a26ccda
JM		 1557 key_info |= ver | WPA_KEY_INFO_SECURE;
1558 if (mic_len)
1559 key_info |= WPA_KEY_INFO_MIC;
6fc6879b 1560 WPA_PUT_BE16(reply->key_info, key_info);
a14896e8 1561 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
6fc6879b
JM		 1562 WPA_PUT_BE16(reply->key_length, 0);
1563 else
1564 os_memcpy(reply->key_length, key->key_length, 2);
1565 os_memcpy(reply->replay_counter, key->replay_counter,
1566 WPA_REPLAY_COUNTER_LEN);
1567
6d014ffc
JM		 1568 key_mic = (u8 *) (reply + 1);
1569 WPA_PUT_BE16(key_mic + mic_len, 0);
6fc6879b 1570
f049052b 1571 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1049af7e
JM		 1572 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
1573 rbuf, rlen, key_mic);
6fc6879b
JM		 1574}
1575
1576
1577static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1578 const unsigned char *src_addr,
1579 const struct wpa_eapol_key *key,
e6270129
JM		 1580 const u8 *key_data,
1581 size_t key_data_len, u16 ver)
6fc6879b 1582{
e6270129 1583 u16 key_info;
6fc6879b
JM		 1584 int rekey, ret;
1585 struct wpa_gtk_data gd;
73ed03f3 1586 const u8 *key_rsc;
6fc6879b 1587
761396e4
JM		 1588 if (!sm->msg_3_of_4_ok) {
1589 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1590 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
1591 goto failed;
1592 }
1593
6fc6879b
JM		 1594 os_memset(&gd, 0, sizeof(gd));
1595
1596 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
f049052b
BG		 1597 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
1598 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
6fc6879b
JM		 1599
1600 key_info = WPA_GET_BE16(key->key_info);
6fc6879b 1601
a14896e8 1602 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
e6270129
JM		 1603 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1604 key_data_len, key_info,
6fc6879b
JM		 1605 &gd);
1606 } else {
e6270129
JM		 1607 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1608 key_data_len,
1609 key_info, ver, &gd);
6fc6879b
JM		 1610 }
1611
1612 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1613
1614 if (ret)
83935317 1615 goto failed;
6fc6879b 1616
73ed03f3
MS		 1617 key_rsc = key->key_rsc;
1618 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1619 key_rsc = null_rsc;
1620
1621 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
c93b7e18 1622 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
83935317 1623 goto failed;
fbfc974c 1624 os_memset(&gd, 0, sizeof(gd));
6fc6879b
JM		 1625
1626 if (rekey) {
0f057fb2 1627 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
6fc6879b
JM		 1628 "completed with " MACSTR " [GTK=%s]",
1629 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1630 wpa_sm_cancel_auth_timeout(sm);
1631 wpa_sm_set_state(sm, WPA_COMPLETED);
1632 } else {
1633 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1634 key_info &
1635 WPA_KEY_INFO_SECURE);
1636 }
392e68e8
SD		 1637
1638 wpa_sm_set_rekey_offload(sm);
1639
83935317
JM		 1640 return;
1641
1642failed:
fbfc974c 1643 os_memset(&gd, 0, sizeof(gd));
83935317 1644 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 1645}
1646
1647
1648static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
6d014ffc 1649 struct wpa_eapol_key *key,
6fc6879b
JM		 1650 u16 ver,
1651 const u8 *buf, size_t len)
1652{
98cd3d1c 1653 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
6fc6879b 1654 int ok = 0;
5e3b5197 1655 size_t mic_len = wpa_mic_len(sm->key_mgmt);
6fc6879b 1656
6d014ffc 1657 os_memcpy(mic, key + 1, mic_len);
6fc6879b 1658 if (sm->tptk_set) {
6d014ffc 1659 os_memset(key + 1, 0, mic_len);
98cd3d1c 1660 wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,
6d014ffc
JM		 1661 ver, buf, len, (u8 *) (key + 1));
1662 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
f049052b
BG		 1663 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1664 "WPA: Invalid EAPOL-Key MIC "
1665 "when using TPTK - ignoring TPTK");
6fc6879b
JM		 1666 } else {
1667 ok = 1;
1668 sm->tptk_set = 0;
1669 sm->ptk_set = 1;
1670 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
d2c33b91 1671 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
6fc6879b
JM		 1672 }
1673 }
1674
1675 if (!ok && sm->ptk_set) {
6d014ffc 1676 os_memset(key + 1, 0, mic_len);
98cd3d1c 1677 wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,
6d014ffc
JM		 1678 ver, buf, len, (u8 *) (key + 1));
1679 if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
f049052b
BG		 1680 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1681 "WPA: Invalid EAPOL-Key MIC - "
1682 "dropping packet");
6fc6879b
JM		 1683 return -1;
1684 }
1685 ok = 1;
1686 }
1687
1688 if (!ok) {
f049052b
BG		 1689 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1690 "WPA: Could not verify EAPOL-Key MIC - "
1691 "dropping packet");
6fc6879b
JM		 1692 return -1;
1693 }
1694
1695 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1696 WPA_REPLAY_COUNTER_LEN);
1697 sm->rx_replay_counter_set = 1;
1698 return 0;
1699}
1700
1701
1702/* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1703static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
6d014ffc
JM		 1704 struct wpa_eapol_key *key,
1705 size_t mic_len, u16 ver,
e6270129 1706 u8 *key_data, size_t *key_data_len)
6fc6879b 1707{
6fc6879b 1708 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
e6270129 1709 key_data, *key_data_len);
6fc6879b 1710 if (!sm->ptk_set) {
f049052b
BG		 1711 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1712 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1713 "Data");
6fc6879b
JM		 1714 return -1;
1715 }
1716
1717 /* Decrypt key data here so that this operation does not need
1718 * to be implemented separately for each message type. */
98cd3d1c 1719 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
7cb53ded
JM		 1720#ifdef CONFIG_NO_RC4
1721 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1722 "WPA: RC4 not supported in the build");
1723 return -1;
1724#else /* CONFIG_NO_RC4 */
6fc6879b 1725 u8 ek[32];
ef9627cb
JM		 1726
1727 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
6fc6879b 1728 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1729 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
e6270129 1730 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
d2c33b91 1731 os_memset(ek, 0, sizeof(ek));
f049052b
BG		 1732 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1733 "WPA: RC4 failed");
7a215dfc
JM		 1734 return -1;
1735 }
d2c33b91 1736 os_memset(ek, 0, sizeof(ek));
7cb53ded 1737#endif /* CONFIG_NO_RC4 */
6fc6879b 1738 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
df0f01d9 1739 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
07a5fe82 1740 sm->key_mgmt == WPA_KEY_MGMT_OWE ||
929a2ea5
JM		 1741 sm->key_mgmt == WPA_KEY_MGMT_OSEN ||
1742 wpa_key_mgmt_suite_b(sm->key_mgmt)) {
6fc6879b 1743 u8 *buf;
ef9627cb
JM		 1744
1745 wpa_printf(MSG_DEBUG,
1746 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
1747 (unsigned int) sm->ptk.kek_len);
e6270129 1748 if (*key_data_len < 8 || *key_data_len % 8) {
f049052b 1749 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
e6270129
JM		 1750 "WPA: Unsupported AES-WRAP len %u",
1751 (unsigned int) *key_data_len);
6fc6879b
JM		 1752 return -1;
1753 }
e6270129
JM		 1754 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
1755 buf = os_malloc(*key_data_len);
6fc6879b 1756 if (buf == NULL) {
f049052b
BG		 1757 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1758 "WPA: No memory for AES-UNWRAP buffer");
6fc6879b
JM		 1759 return -1;
1760 }
98cd3d1c 1761 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
e6270129 1762 key_data, buf)) {
cd5895e8 1763 bin_clear_free(buf, *key_data_len);
f049052b
BG		 1764 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1765 "WPA: AES unwrap failed - "
1766 "could not decrypt EAPOL-Key key data");
6fc6879b
JM		 1767 return -1;
1768 }
e6270129 1769 os_memcpy(key_data, buf, *key_data_len);
cd5895e8 1770 bin_clear_free(buf, *key_data_len);
6d014ffc 1771 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
6fc6879b 1772 } else {
f049052b
BG		 1773 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1774 "WPA: Unsupported key_info type %d", ver);
6fc6879b
JM		 1775 return -1;
1776 }
1777 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
e6270129 1778 key_data, *key_data_len);
6fc6879b
JM		 1779 return 0;
1780}
1781
1782
1783/**
1784 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
1785 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1786 */
1787void wpa_sm_aborted_cached(struct wpa_sm *sm)
1788{
1789 if (sm && sm->cur_pmksa) {
f049052b
BG		 1790 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1791 "RSN: Cancelling PMKSA caching attempt");
6fc6879b
JM		 1792 sm->cur_pmksa = NULL;
1793 }
1794}
1795
1796
f049052b 1797static void wpa_eapol_key_dump(struct wpa_sm *sm,
5e3b5197
JM		 1798 const struct wpa_eapol_key *key,
1799 unsigned int key_data_len,
1800 const u8 *mic, unsigned int mic_len)
6fc6879b
JM		 1801{
1802#ifndef CONFIG_NO_STDOUT_DEBUG
1803 u16 key_info = WPA_GET_BE16(key->key_info);
1804
f049052b
BG		 1805 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
1806 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1807 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
1808 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
1809 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1810 WPA_KEY_INFO_KEY_INDEX_SHIFT,
1811 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
1812 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
1813 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
1814 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
1815 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
1816 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
1817 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
1818 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
1819 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
1820 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1821 " key_length=%u key_data_length=%u",
5e3b5197 1822 WPA_GET_BE16(key->key_length), key_data_len);
6fc6879b
JM		 1823 wpa_hexdump(MSG_DEBUG, " replay_counter",
1824 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1825 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
1826 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
1827 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
1828 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
5e3b5197 1829 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
6fc6879b
JM		 1830#endif /* CONFIG_NO_STDOUT_DEBUG */
1831}
1832
1833
0ab1dd01
JM		 1834#ifdef CONFIG_FILS
1835static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
1836 size_t *key_data_len)
1837{
1838 struct wpa_ptk *ptk;
1839 struct ieee802_1x_hdr *hdr;
1840 struct wpa_eapol_key *key;
1841 u8 *pos, *tmp;
1842 const u8 *aad[1];
1843 size_t aad_len[1];
1844
1845 if (*key_data_len < AES_BLOCK_SIZE) {
1846 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
1847 return -1;
1848 }
1849
1850 if (sm->tptk_set)
1851 ptk = &sm->tptk;
1852 else if (sm->ptk_set)
1853 ptk = &sm->ptk;
1854 else
1855 return -1;
1856
1857 hdr = (struct ieee802_1x_hdr *) buf;
1858 key = (struct wpa_eapol_key *) (hdr + 1);
1859 pos = (u8 *) (key + 1);
1860 pos += 2; /* Pointing at the Encrypted Key Data field */
1861
1862 tmp = os_malloc(*key_data_len);
1863 if (!tmp)
1864 return -1;
1865
1866 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1867 * to Key Data (exclusive). */
1868 aad[0] = buf;
1869 aad_len[0] = pos - buf;
1870 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
1871 1, aad, aad_len, tmp) < 0) {
1872 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
1873 bin_clear_free(tmp, *key_data_len);
1874 return -1;
1875 }
1876
1877 /* AEAD decryption and validation completed successfully */
1878 (*key_data_len) -= AES_BLOCK_SIZE;
1879 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
1880 tmp, *key_data_len);
1881
1882 /* Replace Key Data field with the decrypted version */
1883 os_memcpy(pos, tmp, *key_data_len);
1884 pos -= 2; /* Key Data Length field */
1885 WPA_PUT_BE16(pos, *key_data_len);
1886 bin_clear_free(tmp, *key_data_len);
1887
1888 if (sm->tptk_set) {
1889 sm->tptk_set = 0;
1890 sm->ptk_set = 1;
1891 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1892 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1893 }
1894
1895 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1896 WPA_REPLAY_COUNTER_LEN);
1897 sm->rx_replay_counter_set = 1;
1898
1899 return 0;
1900}
1901#endif /* CONFIG_FILS */
1902
1903
6fc6879b
JM		 1904/**
1905 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
1906 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1907 * @src_addr: Source MAC address of the EAPOL packet
1908 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
1909 * @len: Length of the EAPOL frame
1910 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
1911 *
1912 * This function is called for each received EAPOL frame. Other than EAPOL-Key
1913 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
1914 * only processing WPA and WPA2 EAPOL-Key frames.
1915 *
1916 * The received EAPOL-Key packets are validated and valid packets are replied
1917 * to. In addition, key material (PTK, GTK) is configured at the end of a
1918 * successful key handshake.
1919 */
1920int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
1921 const u8 *buf, size_t len)
1922{
e6270129 1923 size_t plen, data_len, key_data_len;
d56d7e56 1924 const struct ieee802_1x_hdr *hdr;
6fc6879b
JM		 1925 struct wpa_eapol_key *key;
1926 u16 key_info, ver;
d56d7e56 1927 u8 *tmp = NULL;
6fc6879b
JM		 1928 int ret = -1;
1929 struct wpa_peerkey *peerkey = NULL;
6d014ffc 1930 u8 *mic, *key_data;
5e3b5197 1931 size_t mic_len, keyhdrlen;
6fc6879b
JM		 1932
1933#ifdef CONFIG_IEEE80211R
1934 sm->ft_completed = 0;
1935#endif /* CONFIG_IEEE80211R */
1936
5e3b5197 1937 mic_len = wpa_mic_len(sm->key_mgmt);
6d014ffc 1938 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1939
1940 if (len < sizeof(*hdr) + keyhdrlen) {
f049052b
BG		 1941 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1942 "WPA: EAPOL frame too short to be a WPA "
1943 "EAPOL-Key (len %lu, expecting at least %lu)",
1944 (unsigned long) len,
5e3b5197 1945 (unsigned long) sizeof(*hdr) + keyhdrlen);
6fc6879b
JM		 1946 return 0;
1947 }
1948
d56d7e56 1949 hdr = (const struct ieee802_1x_hdr *) buf;
6fc6879b
JM		 1950 plen = be_to_host16(hdr->length);
1951 data_len = plen + sizeof(*hdr);
f049052b
BG		 1952 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1953 "IEEE 802.1X RX: version=%d type=%d length=%lu",
1954 hdr->version, hdr->type, (unsigned long) plen);
6fc6879b
JM		 1955
1956 if (hdr->version < EAPOL_VERSION) {
1957 /* TODO: backwards compatibility */
1958 }
1959 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
f049052b
BG		 1960 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1961 "WPA: EAPOL frame (type %u) discarded, "
6fc6879b
JM		 1962 "not a Key frame", hdr->type);
1963 ret = 0;
1964 goto out;
1965 }
d56d7e56 1966 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
5e3b5197 1967 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
f049052b
BG		 1968 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1969 "WPA: EAPOL frame payload size %lu "
1970 "invalid (frame size %lu)",
1971 (unsigned long) plen, (unsigned long) len);
6fc6879b
JM		 1972 ret = 0;
1973 goto out;
1974 }
d56d7e56
JM		 1975 if (data_len < len) {
1976 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1977 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
1978 (unsigned long) len - data_len);
1979 }
1980
1981 /*
1982 * Make a copy of the frame since we need to modify the buffer during
1983 * MAC validation and Key Data decryption.
1984 */
a1f11e34 1985 tmp = os_memdup(buf, data_len);
d56d7e56
JM		 1986 if (tmp == NULL)
1987 goto out;
d56d7e56 1988 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
6d014ffc
JM		 1989 mic = (u8 *) (key + 1);
1990 key_data = mic + mic_len + 2;
6fc6879b
JM		 1991
1992 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
1993 {
f049052b
BG		 1994 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1995 "WPA: EAPOL-Key type (%d) unknown, discarded",
1996 key->type);
6fc6879b
JM		 1997 ret = 0;
1998 goto out;
1999 }
6fc6879b 2000
6d014ffc
JM		 2001 key_data_len = WPA_GET_BE16(mic + mic_len);
2002 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
5e3b5197
JM		 2003
2004 if (key_data_len > plen - keyhdrlen) {
d56d7e56
JM		 2005 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2006 "frame - key_data overflow (%u > %u)",
e6270129 2007 (unsigned int) key_data_len,
5e3b5197 2008 (unsigned int) (plen - keyhdrlen));
d56d7e56 2009 goto out;
6fc6879b 2010 }
d56d7e56
JM		 2011
2012 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
6fc6879b
JM		 2013 key_info = WPA_GET_BE16(key->key_info);
2014 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2015 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
a20088e5 2016#if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
6fc6879b 2017 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
a20088e5 2018#endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
df0f01d9 2019 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
929a2ea5 2020 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
352caf00 2021 !wpa_key_mgmt_fils(sm->key_mgmt) &&
07a5fe82 2022 sm->key_mgmt != WPA_KEY_MGMT_OWE &&
df0f01d9 2023 sm->key_mgmt != WPA_KEY_MGMT_OSEN) {
f049052b
BG		 2024 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2025 "WPA: Unsupported EAPOL-Key descriptor version %d",
2026 ver);
6fc6879b
JM		 2027 goto out;
2028 }
2029
df0f01d9
JM		 2030 if (sm->key_mgmt == WPA_KEY_MGMT_OSEN &&
2031 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2032 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2033 "OSEN: Unsupported EAPOL-Key descriptor version %d",
2034 ver);
2035 goto out;
2036 }
2037
352caf00 2038 if ((wpa_key_mgmt_suite_b(sm->key_mgmt) ||
07a5fe82
JM		 2039 wpa_key_mgmt_fils(sm->key_mgmt) ||
2040 sm->key_mgmt == WPA_KEY_MGMT_OWE) &&
929a2ea5
JM		 2041 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2042 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2043 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2044 ver);
2045 goto out;
2046 }
2047
6fc6879b 2048#ifdef CONFIG_IEEE80211R
56586197 2049 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6fc6879b
JM		 2050 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2051 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
f049052b
BG		 2052 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2053 "FT: AP did not use AES-128-CMAC");
6fc6879b
JM		 2054 goto out;
2055 }
2056 } else
2057#endif /* CONFIG_IEEE80211R */
56586197
JM		 2058#ifdef CONFIG_IEEE80211W
2059 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
df0f01d9 2060 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
929a2ea5 2061 sm->key_mgmt != WPA_KEY_MGMT_OSEN &&
352caf00 2062 !wpa_key_mgmt_fils(sm->key_mgmt) &&
929a2ea5 2063 !wpa_key_mgmt_suite_b(sm->key_mgmt)) {
f049052b
BG		 2064 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2065 "WPA: AP did not use the "
2066 "negotiated AES-128-CMAC");
56586197
JM		 2067 goto out;
2068 }
2069 } else
2070#endif /* CONFIG_IEEE80211W */
6fc6879b 2071 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
929a2ea5 2072 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
352caf00 2073 !wpa_key_mgmt_fils(sm->key_mgmt) &&
07a5fe82 2074 sm->key_mgmt != WPA_KEY_MGMT_OWE &&
6fc6879b 2075 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
f049052b
BG		 2076 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2077 "WPA: CCMP is used, but EAPOL-Key "
2078 "descriptor version (%d) is not 2", ver);
6fc6879b
JM		 2079 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2080 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2081 /* Earlier versions of IEEE 802.11i did not explicitly
2082 * require version 2 descriptor for all EAPOL-Key
2083 * packets, so allow group keys to use version 1 if
2084 * CCMP is not used for them. */
f049052b
BG		 2085 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2086 "WPA: Backwards compatibility: allow invalid "
2087 "version for non-CCMP group keys");
9f6a7cdd
JM		 2088 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2089 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2090 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
6fc6879b
JM		 2091 } else
2092 goto out;
801e1173 2093 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
929a2ea5 2094 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
801e1173 2095 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
eb7719ff
JM		 2096 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2097 "WPA: GCMP is used, but EAPOL-Key "
2098 "descriptor version (%d) is not 2", ver);
2099 goto out;
2100 }
6fc6879b
JM		 2101
2102#ifdef CONFIG_PEERKEY
2103 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
2104 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
2105 break;
2106 }
2107
2108 if (!(key_info & WPA_KEY_INFO_SMK_MESSAGE) && peerkey) {
2109 if (!peerkey->initiator && peerkey->replay_counter_set &&
2110 os_memcmp(key->replay_counter, peerkey->replay_counter,
2111 WPA_REPLAY_COUNTER_LEN) <= 0) {
f049052b
BG		 2112 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2113 "RSN: EAPOL-Key Replay Counter did not "
2114 "increase (STK) - dropping packet");
6fc6879b
JM		 2115 goto out;
2116 } else if (peerkey->initiator) {
2117 u8 _tmp[WPA_REPLAY_COUNTER_LEN];
2118 os_memcpy(_tmp, key->replay_counter,
2119 WPA_REPLAY_COUNTER_LEN);
2120 inc_byte_array(_tmp, WPA_REPLAY_COUNTER_LEN);
2121 if (os_memcmp(_tmp, peerkey->replay_counter,
2122 WPA_REPLAY_COUNTER_LEN) != 0) {
f049052b
BG		 2123 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2124 "RSN: EAPOL-Key Replay "
2125 "Counter did not match (STK) - "
2126 "dropping packet");
6fc6879b
JM		 2127 goto out;
2128 }
2129 }
2130 }
2131
2132 if (peerkey && peerkey->initiator && (key_info & WPA_KEY_INFO_ACK)) {
f049052b
BG		 2133 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2134 "RSN: Ack bit in key_info from STK peer");
6fc6879b
JM		 2135 goto out;
2136 }
2137#endif /* CONFIG_PEERKEY */
2138
2139 if (!peerkey && sm->rx_replay_counter_set &&
2140 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2141 WPA_REPLAY_COUNTER_LEN) <= 0) {
f049052b
BG		 2142 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2143 "WPA: EAPOL-Key Replay Counter did not increase - "
2144 "dropping packet");
6fc6879b
JM		 2145 goto out;
2146 }
2147
2148 if (!(key_info & (WPA_KEY_INFO_ACK | WPA_KEY_INFO_SMK_MESSAGE))
2149#ifdef CONFIG_PEERKEY
2150 && (peerkey == NULL || !peerkey->initiator)
2151#endif /* CONFIG_PEERKEY */
2152 ) {
f049052b
BG		 2153 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2154 "WPA: No Ack bit in key_info");
6fc6879b
JM		 2155 goto out;
2156 }
2157
2158 if (key_info & WPA_KEY_INFO_REQUEST) {
f049052b
BG		 2159 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2160 "WPA: EAPOL-Key with Request bit - dropped");
6fc6879b
JM		 2161 goto out;
2162 }
2163
2164 if ((key_info & WPA_KEY_INFO_MIC) && !peerkey &&
6d014ffc 2165 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
6fc6879b
JM		 2166 goto out;
2167
2168#ifdef CONFIG_PEERKEY
2169 if ((key_info & WPA_KEY_INFO_MIC) && peerkey &&
6d014ffc 2170 peerkey_verify_eapol_key_mic(sm, peerkey, key, ver, tmp,
5e3b5197 2171 data_len))
6fc6879b
JM		 2172 goto out;
2173#endif /* CONFIG_PEERKEY */
2174
0ab1dd01
JM		 2175#ifdef CONFIG_FILS
2176 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2177 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2178 goto out;
2179 }
2180#endif /* CONFIG_FILS */
2181
a14896e8 2182 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
0ab1dd01 2183 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
6d014ffc
JM		 2184 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2185 ver, key_data,
e6270129 2186 &key_data_len))
d56d7e56 2187 goto out;
6fc6879b
JM		 2188 }
2189
2190 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2191 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
f049052b
BG		 2192 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2193 "WPA: Ignored EAPOL-Key (Pairwise) with "
2194 "non-zero key index");
6fc6879b
JM		 2195 goto out;
2196 }
2197 if (peerkey) {
2198 /* PeerKey 4-Way Handshake */
f107d00c
JM		 2199 peerkey_rx_eapol_4way(sm, peerkey, key, key_info, ver,
2200 key_data, key_data_len);
0ab1dd01
JM		 2201 } else if (key_info & (WPA_KEY_INFO_MIC |
2202 WPA_KEY_INFO_ENCR_KEY_DATA)) {
6fc6879b 2203 /* 3/4 4-Way Handshake */
e6270129
JM		 2204 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2205 key_data_len);
6fc6879b
JM		 2206 } else {
2207 /* 1/4 4-Way Handshake */
2208 wpa_supplicant_process_1_of_4(sm, src_addr, key,
e6270129
JM		 2209 ver, key_data,
2210 key_data_len);
6fc6879b
JM		 2211 }
2212 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2213 /* PeerKey SMK Handshake */
28fb9bb1
JM		 2214 peerkey_rx_eapol_smk(sm, src_addr, key, key_data, key_data_len,
2215 key_info, ver);
6fc6879b 2216 } else {
16eb4858
JM		 2217 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2218 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
6fc6879b
JM		 2219 /* 1/2 Group Key Handshake */
2220 wpa_supplicant_process_1_of_2(sm, src_addr, key,
e6270129
JM		 2221 key_data, key_data_len,
2222 ver);
6fc6879b 2223 } else {
f049052b 2224 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
16eb4858 2225 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
f049052b 2226 "dropped");
6fc6879b
JM		 2227 }
2228 }
2229
2230 ret = 1;
2231
2232out:
fbfc974c 2233 bin_clear_free(tmp, data_len);
6fc6879b
JM		 2234 return ret;
2235}
2236
2237
2238#ifdef CONFIG_CTRL_IFACE
6fc6879b
JM		 2239static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2240{
2241 switch (sm->key_mgmt) {
2242 case WPA_KEY_MGMT_IEEE8021X:
a14896e8
JM		 2243 return ((sm->proto == WPA_PROTO_RSN ||
2244 sm->proto == WPA_PROTO_OSEN) ?
6fc6879b
JM		 2245 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2246 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2247 case WPA_KEY_MGMT_PSK:
2248 return (sm->proto == WPA_PROTO_RSN ?
2249 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2250 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2251#ifdef CONFIG_IEEE80211R
2252 case WPA_KEY_MGMT_FT_IEEE8021X:
2253 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2254 case WPA_KEY_MGMT_FT_PSK:
2255 return RSN_AUTH_KEY_MGMT_FT_PSK;
2256#endif /* CONFIG_IEEE80211R */
56586197
JM		 2257#ifdef CONFIG_IEEE80211W
2258 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2259 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2260 case WPA_KEY_MGMT_PSK_SHA256:
2261 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2262#endif /* CONFIG_IEEE80211W */
369c8d7b
JM		 2263 case WPA_KEY_MGMT_CCKM:
2264 return (sm->proto == WPA_PROTO_RSN ?
2265 RSN_AUTH_KEY_MGMT_CCKM:
2266 WPA_AUTH_KEY_MGMT_CCKM);
6fc6879b
JM		 2267 case WPA_KEY_MGMT_WPA_NONE:
2268 return WPA_AUTH_KEY_MGMT_NONE;
666497c8
JM		 2269 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2270 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
5e3b5197
JM		 2271 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2272 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
6fc6879b
JM		 2273 default:
2274 return 0;
2275 }
2276}
2277
2278
6fc6879b
JM		 2279#define RSN_SUITE "%02x-%02x-%02x-%d"
2280#define RSN_SUITE_ARG(s) \
2281((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2282
2283/**
2284 * wpa_sm_get_mib - Dump text list of MIB entries
2285 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2286 * @buf: Buffer for the list
2287 * @buflen: Length of the buffer
2288 * Returns: Number of bytes written to buffer
2289 *
2290 * This function is used fetch dot11 MIB variables.
2291 */
2292int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2293{
2294 char pmkid_txt[PMKID_LEN * 2 + 1];
2295 int rsna, ret;
2296 size_t len;
2297
2298 if (sm->cur_pmksa) {
2299 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2300 sm->cur_pmksa->pmkid, PMKID_LEN);
2301 } else
2302 pmkid_txt[0] = '\0';
2303
56586197
JM		 2304 if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2305 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
6fc6879b
JM		 2306 sm->proto == WPA_PROTO_RSN)
2307 rsna = 1;
2308 else
2309 rsna = 0;
2310
2311 ret = os_snprintf(buf, buflen,
2312 "dot11RSNAOptionImplemented=TRUE\n"
2313 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2314 "dot11RSNAEnabled=%s\n"
2315 "dot11RSNAPreauthenticationEnabled=%s\n"
2316 "dot11RSNAConfigVersion=%d\n"
2317 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2318 "dot11RSNAConfigGroupCipherSize=%d\n"
2319 "dot11RSNAConfigPMKLifetime=%d\n"
2320 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2321 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2322 "dot11RSNAConfigSATimeout=%d\n",
2323 rsna ? "TRUE" : "FALSE",
2324 rsna ? "TRUE" : "FALSE",
2325 RSN_VERSION,
c3550295 2326 wpa_cipher_key_len(sm->group_cipher) * 8,
6fc6879b
JM		 2327 sm->dot11RSNAConfigPMKLifetime,
2328 sm->dot11RSNAConfigPMKReauthThreshold,
2329 sm->dot11RSNAConfigSATimeout);
d85e1fc8 2330 if (os_snprintf_error(buflen, ret))
6fc6879b
JM		 2331 return 0;
2332 len = ret;
2333
2334 ret = os_snprintf(
2335 buf + len, buflen - len,
2336 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2337 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2338 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2339 "dot11RSNAPMKIDUsed=%s\n"
2340 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2341 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2342 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2343 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2344 "dot11RSNA4WayHandshakeFailures=%u\n",
2345 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
c3550295
JM		 2346 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2347 sm->pairwise_cipher)),
2348 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2349 sm->group_cipher)),
6fc6879b
JM		 2350 pmkid_txt,
2351 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
c3550295
JM		 2352 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2353 sm->pairwise_cipher)),
2354 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2355 sm->group_cipher)),
6fc6879b 2356 sm->dot11RSNA4WayHandshakeFailures);
1f102d3b 2357 if (!os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 2358 len += ret;
2359
2360 return (int) len;
2361}
2362#endif /* CONFIG_CTRL_IFACE */
2363
2364
2365static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
6aaac006 2366 void *ctx, enum pmksa_free_reason reason)
6fc6879b
JM		 2367{
2368 struct wpa_sm *sm = ctx;
6aaac006 2369 int deauth = 0;
6fc6879b 2370
6aaac006
DW		 2371 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2372 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2373
2374 if (sm->cur_pmksa == entry) {
2375 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2376 "RSN: %s current PMKSA entry",
2377 reason == PMKSA_REPLACE ? "replaced" : "removed");
2378 pmksa_cache_clear_current(sm);
2379
2380 /*
2381 * If an entry is simply being replaced, there's no need to
2382 * deauthenticate because it will be immediately re-added.
2383 * This happens when EAP authentication is completed again
2384 * (reauth or failed PMKSA caching attempt).
2385 */
2386 if (reason != PMKSA_REPLACE)
2387 deauth = 1;
2388 }
2389
2390 if (reason == PMKSA_EXPIRE &&
6fc6879b
JM		 2391 (sm->pmk_len == entry->pmk_len &&
2392 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
f049052b 2393 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
6aaac006
DW		 2394 "RSN: deauthenticating due to expired PMK");
2395 pmksa_cache_clear_current(sm);
2396 deauth = 1;
2397 }
6fc6879b 2398
6aaac006 2399 if (deauth) {
6fc6879b
JM		 2400 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2401 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
6fc6879b
JM		 2402 }
2403}
2404
2405
2406/**
2407 * wpa_sm_init - Initialize WPA state machine
2408 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2409 * Returns: Pointer to the allocated WPA state machine data
2410 *
2411 * This function is used to allocate a new WPA state machine and the returned
2412 * value is passed to all WPA state machine calls.
2413 */
2414struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2415{
2416 struct wpa_sm *sm;
2417
2418 sm = os_zalloc(sizeof(*sm));
2419 if (sm == NULL)
2420 return NULL;
c5b26e33 2421 dl_list_init(&sm->pmksa_candidates);
6fc6879b
JM		 2422 sm->renew_snonce = 1;
2423 sm->ctx = ctx;
2424
2425 sm->dot11RSNAConfigPMKLifetime = 43200;
2426 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2427 sm->dot11RSNAConfigSATimeout = 60;
2428
2429 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2430 if (sm->pmksa == NULL) {
f049052b
BG		 2431 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2432 "RSN: PMKSA cache initialization failed");
6fc6879b
JM		 2433 os_free(sm);
2434 return NULL;
2435 }
2436
2437 return sm;
2438}
2439
2440
2441/**
2442 * wpa_sm_deinit - Deinitialize WPA state machine
2443 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2444 */
2445void wpa_sm_deinit(struct wpa_sm *sm)
2446{
2447 if (sm == NULL)
2448 return;
2449 pmksa_cache_deinit(sm->pmksa);
2450 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
581a8cde 2451 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
6fc6879b
JM		 2452 os_free(sm->assoc_wpa_ie);
2453 os_free(sm->ap_wpa_ie);
2454 os_free(sm->ap_rsn_ie);
71932544 2455 wpa_sm_drop_sa(sm);
6fc6879b
JM		 2456 os_free(sm->ctx);
2457 peerkey_deinit(sm);
55046414
JM		 2458#ifdef CONFIG_IEEE80211R
2459 os_free(sm->assoc_resp_ies);
2460#endif /* CONFIG_IEEE80211R */
651c6a84
JM		 2461#ifdef CONFIG_TESTING_OPTIONS
2462 wpabuf_free(sm->test_assoc_ie);
2463#endif /* CONFIG_TESTING_OPTIONS */
0a614799
JM		 2464#ifdef CONFIG_OWE
2465 crypto_ecdh_deinit(sm->owe_ecdh);
2466#endif /* CONFIG_OWE */
6fc6879b
JM		 2467 os_free(sm);
2468}
2469
2470
2471/**
2472 * wpa_sm_notify_assoc - Notify WPA state machine about association
2473 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2474 * @bssid: The BSSID of the new association
2475 *
2476 * This function is called to let WPA state machine know that the connection
2477 * was established.
2478 */
2479void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2480{
58a98fb0
JM		 2481 int clear_ptk = 1;
2482
6fc6879b
JM		 2483 if (sm == NULL)
2484 return;
2485
f049052b
BG		 2486 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2487 "WPA: Association event - clear replay counter");
6fc6879b
JM		 2488 os_memcpy(sm->bssid, bssid, ETH_ALEN);
2489 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2490 sm->rx_replay_counter_set = 0;
2491 sm->renew_snonce = 1;
2492 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2493 rsn_preauth_deinit(sm);
2494
2495#ifdef CONFIG_IEEE80211R
58a98fb0 2496 if (wpa_ft_is_completed(sm)) {
5d5a9f00
JM		 2497 /*
2498 * Clear portValid to kick EAPOL state machine to re-enter
2499 * AUTHENTICATED state to get the EAPOL port Authorized.
2500 */
2501 eapol_sm_notify_portValid(sm->eapol, FALSE);
6fc6879b
JM		 2502 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2503
2504 /* Prepare for the next transition */
76b7981d 2505 wpa_ft_prepare_auth_request(sm, NULL);
58a98fb0
JM		 2506
2507 clear_ptk = 0;
6fc6879b
JM		 2508 }
2509#endif /* CONFIG_IEEE80211R */
706df429
JM		 2510#ifdef CONFIG_FILS
2511 if (sm->fils_completed) {
2512 /*
2513 * Clear portValid to kick EAPOL state machine to re-enter
2514 * AUTHENTICATED state to get the EAPOL port Authorized.
2515 */
2516 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2517 clear_ptk = 0;
2518 }
2519#endif /* CONFIG_FILS */
58a98fb0
JM		 2520
2521 if (clear_ptk) {
2522 /*
2523 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2524 * this is not part of a Fast BSS Transition.
2525 */
f049052b 2526 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
58a98fb0 2527 sm->ptk_set = 0;
d2c33b91 2528 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
58a98fb0 2529 sm->tptk_set = 0;
d2c33b91 2530 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
58a98fb0 2531 }
40cf22e6
JM		 2532
2533#ifdef CONFIG_TDLS
2534 wpa_tdls_assoc(sm);
2535#endif /* CONFIG_TDLS */
25ef8529
JM		 2536
2537#ifdef CONFIG_P2P
2538 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
2539#endif /* CONFIG_P2P */
6fc6879b
JM		 2540}
2541
2542
2543/**
2544 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2545 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2546 *
2547 * This function is called to let WPA state machine know that the connection
2548 * was lost. This will abort any existing pre-authentication session.
2549 */
2550void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2551{
ac8e074e
JM		 2552 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2553 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
77327298 2554 peerkey_deinit(sm);
6fc6879b 2555 rsn_preauth_deinit(sm);
0639970d 2556 pmksa_cache_clear_current(sm);
6fc6879b
JM		 2557 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
2558 sm->dot11RSNA4WayHandshakeFailures++;
40cf22e6
JM		 2559#ifdef CONFIG_TDLS
2560 wpa_tdls_disassoc(sm);
2561#endif /* CONFIG_TDLS */
706df429
JM		 2562#ifdef CONFIG_FILS
2563 sm->fils_completed = 0;
2564#endif /* CONFIG_FILS */
71932544
JM		 2565
2566 /* Keys are not needed in the WPA state machine anymore */
2567 wpa_sm_drop_sa(sm);
761396e4
JM		 2568
2569 sm->msg_3_of_4_ok = 0;
6fc6879b
JM		 2570}
2571
2572
2573/**
2574 * wpa_sm_set_pmk - Set PMK
2575 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2576 * @pmk: The new PMK
2577 * @pmk_len: The length of the new PMK in bytes
70c93963 2578 * @pmkid: Calculated PMKID
bc26ac50 2579 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
6fc6879b
JM		 2580 *
2581 * Configure the PMK for WPA state machine.
2582 */
bc26ac50 2583void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
70c93963 2584 const u8 *pmkid, const u8 *bssid)
6fc6879b
JM		 2585{
2586 if (sm == NULL)
2587 return;
2588
2589 sm->pmk_len = pmk_len;
2590 os_memcpy(sm->pmk, pmk, pmk_len);
2591
2592#ifdef CONFIG_IEEE80211R
2593 /* Set XXKey to be PSK for FT key derivation */
2594 sm->xxkey_len = pmk_len;
2595 os_memcpy(sm->xxkey, pmk, pmk_len);
2596#endif /* CONFIG_IEEE80211R */
bc26ac50
JM		 2597
2598 if (bssid) {
70c93963 2599 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
087a1f4e 2600 bssid, sm->own_addr,
869af307 2601 sm->network_ctx, sm->key_mgmt, NULL);
bc26ac50 2602 }
6fc6879b
JM		 2603}
2604
2605
2606/**
2607 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2608 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2609 *
2610 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2611 * will be cleared.
2612 */
2613void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2614{
2615 if (sm == NULL)
2616 return;
2617
2618 if (sm->cur_pmksa) {
2619 sm->pmk_len = sm->cur_pmksa->pmk_len;
2620 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2621 } else {
2622 sm->pmk_len = PMK_LEN;
2623 os_memset(sm->pmk, 0, PMK_LEN);
2624 }
2625}
2626
2627
2628/**
2629 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2630 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2631 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2632 */
2633void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
2634{
2635 if (sm)
2636 sm->fast_reauth = fast_reauth;
2637}
2638
2639
2640/**
2641 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2642 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2643 * @scard_ctx: Context pointer for smartcard related callback functions
2644 */
2645void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
2646{
2647 if (sm == NULL)
2648 return;
2649 sm->scard_ctx = scard_ctx;
2650 if (sm->preauth_eapol)
2651 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
2652}
2653
2654
2655/**
2656 * wpa_sm_set_config - Notification of current configration change
2657 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2658 * @config: Pointer to current network configuration
2659 *
2660 * Notify WPA state machine that configuration has changed. config will be
2661 * stored as a backpointer to network configuration. This can be %NULL to clear
2662 * the stored pointed.
2663 */
2664void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
2665{
2666 if (!sm)
2667 return;
2668
6fc6879b 2669 if (config) {
886a807f 2670 sm->network_ctx = config->network_ctx;
6fc6879b
JM		 2671 sm->peerkey_enabled = config->peerkey_enabled;
2672 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
2673 sm->proactive_key_caching = config->proactive_key_caching;
2674 sm->eap_workaround = config->eap_workaround;
2675 sm->eap_conf_ctx = config->eap_conf_ctx;
2676 if (config->ssid) {
2677 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
2678 sm->ssid_len = config->ssid_len;
2679 } else
2680 sm->ssid_len = 0;
581a8cde 2681 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
25ef8529 2682 sm->p2p = config->p2p;
73ed03f3 2683 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
869af307
JM		 2684#ifdef CONFIG_FILS
2685 if (config->fils_cache_id) {
2686 sm->fils_cache_id_set = 1;
2687 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
2688 FILS_CACHE_ID_LEN);
2689 } else {
2690 sm->fils_cache_id_set = 0;
2691 }
2692#endif /* CONFIG_FILS */
6fc6879b 2693 } else {
886a807f 2694 sm->network_ctx = NULL;
6fc6879b
JM		 2695 sm->peerkey_enabled = 0;
2696 sm->allowed_pairwise_cipher = 0;
2697 sm->proactive_key_caching = 0;
2698 sm->eap_workaround = 0;
2699 sm->eap_conf_ctx = NULL;
2700 sm->ssid_len = 0;
581a8cde 2701 sm->wpa_ptk_rekey = 0;
25ef8529 2702 sm->p2p = 0;
73ed03f3 2703 sm->wpa_rsc_relaxation = 0;
6fc6879b 2704 }
6fc6879b
JM		 2705}
2706
2707
2708/**
2709 * wpa_sm_set_own_addr - Set own MAC address
2710 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2711 * @addr: Own MAC address
2712 */
2713void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
2714{
2715 if (sm)
2716 os_memcpy(sm->own_addr, addr, ETH_ALEN);
2717}
2718
2719
2720/**
2721 * wpa_sm_set_ifname - Set network interface name
2722 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2723 * @ifname: Interface name
2724 * @bridge_ifname: Optional bridge interface name (for pre-auth)
2725 */
2726void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
2727 const char *bridge_ifname)
2728{
2729 if (sm) {
2730 sm->ifname = ifname;
2731 sm->bridge_ifname = bridge_ifname;
2732 }
2733}
2734
2735
2736/**
2737 * wpa_sm_set_eapol - Set EAPOL state machine pointer
2738 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2739 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2740 */
2741void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
2742{
2743 if (sm)
2744 sm->eapol = eapol;
2745}
2746
2747
2748/**
2749 * wpa_sm_set_param - Set WPA state machine parameters
2750 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2751 * @param: Parameter field
2752 * @value: Parameter value
2753 * Returns: 0 on success, -1 on failure
2754 */
2755int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
2756 unsigned int value)
2757{
2758 int ret = 0;
2759
2760 if (sm == NULL)
2761 return -1;
2762
2763 switch (param) {
2764 case RSNA_PMK_LIFETIME:
2765 if (value > 0)
2766 sm->dot11RSNAConfigPMKLifetime = value;
2767 else
2768 ret = -1;
2769 break;
2770 case RSNA_PMK_REAUTH_THRESHOLD:
2771 if (value > 0 && value <= 100)
2772 sm->dot11RSNAConfigPMKReauthThreshold = value;
2773 else
2774 ret = -1;
2775 break;
2776 case RSNA_SA_TIMEOUT:
2777 if (value > 0)
2778 sm->dot11RSNAConfigSATimeout = value;
2779 else
2780 ret = -1;
2781 break;
2782 case WPA_PARAM_PROTO:
2783 sm->proto = value;
2784 break;
2785 case WPA_PARAM_PAIRWISE:
2786 sm->pairwise_cipher = value;
2787 break;
2788 case WPA_PARAM_GROUP:
2789 sm->group_cipher = value;
2790 break;
2791 case WPA_PARAM_KEY_MGMT:
2792 sm->key_mgmt = value;
2793 break;
2794#ifdef CONFIG_IEEE80211W
2795 case WPA_PARAM_MGMT_GROUP:
2796 sm->mgmt_group_cipher = value;
2797 break;
2798#endif /* CONFIG_IEEE80211W */
2799 case WPA_PARAM_RSN_ENABLED:
2800 sm->rsn_enabled = value;
2801 break;
e820cf95
JM		 2802 case WPA_PARAM_MFP:
2803 sm->mfp = value;
2804 break;
6fc6879b
JM		 2805 default:
2806 break;
2807 }
2808
2809 return ret;
2810}
2811
2812
6fc6879b
JM		 2813/**
2814 * wpa_sm_get_status - Get WPA state machine
2815 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2816 * @buf: Buffer for status information
2817 * @buflen: Maximum buffer length
2818 * @verbose: Whether to include verbose status information
2819 * Returns: Number of bytes written to buf.
2820 *
2821 * Query WPA state machine for status information. This function fills in
2822 * a text area with current status information. If the buffer (buf) is not
2823 * large enough, status information will be truncated to fit the buffer.
2824 */
2825int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
2826 int verbose)
2827{
2828 char *pos = buf, *end = buf + buflen;
2829 int ret;
2830
2831 ret = os_snprintf(pos, end - pos,
2832 "pairwise_cipher=%s\n"
2833 "group_cipher=%s\n"
2834 "key_mgmt=%s\n",
2835 wpa_cipher_txt(sm->pairwise_cipher),
2836 wpa_cipher_txt(sm->group_cipher),
2837 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
d85e1fc8 2838 if (os_snprintf_error(end - pos, ret))
6fc6879b
JM		 2839 return pos - buf;
2840 pos += ret;
13e1d2e2
JM		 2841
2842 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
2843 struct wpa_ie_data rsn;
2844 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
2845 >= 0 &&
2846 rsn.capabilities & (WPA_CAPABILITY_MFPR |
2847 WPA_CAPABILITY_MFPC)) {
2848 ret = os_snprintf(pos, end - pos, "pmf=%d\n",
2849 (rsn.capabilities &
2850 WPA_CAPABILITY_MFPR) ? 2 : 1);
d85e1fc8 2851 if (os_snprintf_error(end - pos, ret))
13e1d2e2
JM		 2852 return pos - buf;
2853 pos += ret;
2854 }
2855 }
2856
6fc6879b
JM		 2857 return pos - buf;
2858}
2859
2860
ae8535b6
JM		 2861int wpa_sm_pmf_enabled(struct wpa_sm *sm)
2862{
2863 struct wpa_ie_data rsn;
2864
2865 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
2866 return 0;
2867
2868 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
2869 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
2870 return 1;
2871
2872 return 0;
2873}
2874
2875
6fc6879b
JM		 2876/**
2877 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
2878 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2879 * @wpa_ie: Pointer to buffer for WPA/RSN IE
2880 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
2881 * Returns: 0 on success, -1 on failure
2882 */
2883int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
2884 size_t *wpa_ie_len)
2885{
2886 int res;
2887
2888 if (sm == NULL)
2889 return -1;
2890
651c6a84
JM		 2891#ifdef CONFIG_TESTING_OPTIONS
2892 if (sm->test_assoc_ie) {
2893 wpa_printf(MSG_DEBUG,
2894 "TESTING: Replace association WPA/RSN IE");
2895 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
2896 return -1;
2897 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
2898 wpabuf_len(sm->test_assoc_ie));
2899 res = wpabuf_len(sm->test_assoc_ie);
2900 } else
2901#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 2902 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
2903 if (res < 0)
2904 return -1;
2905 *wpa_ie_len = res;
2906
2907 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
2908 wpa_ie, *wpa_ie_len);
2909
2910 if (sm->assoc_wpa_ie == NULL) {
2911 /*
2912 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
2913 * the correct version of the IE even if PMKSA caching is
2914 * aborted (which would remove PMKID from IE generation).
2915 */
a1f11e34 2916 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
6fc6879b
JM		 2917 if (sm->assoc_wpa_ie == NULL)
2918 return -1;
2919
6fc6879b 2920 sm->assoc_wpa_ie_len = *wpa_ie_len;
0866ed00
JM		 2921 } else {
2922 wpa_hexdump(MSG_DEBUG,
2923 "WPA: Leave previously set WPA IE default",
2924 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
6fc6879b
JM		 2925 }
2926
2927 return 0;
2928}
2929
2930
2931/**
2932 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
2933 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2934 * @ie: Pointer to IE data (starting from id)
2935 * @len: IE length
2936 * Returns: 0 on success, -1 on failure
2937 *
2938 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
2939 * Request frame. The IE will be used to override the default value generated
2940 * with wpa_sm_set_assoc_wpa_ie_default().
2941 */
2942int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2943{
2944 if (sm == NULL)
2945 return -1;
2946
2947 os_free(sm->assoc_wpa_ie);
2948 if (ie == NULL || len == 0) {
f049052b
BG		 2949 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2950 "WPA: clearing own WPA/RSN IE");
6fc6879b
JM		 2951 sm->assoc_wpa_ie = NULL;
2952 sm->assoc_wpa_ie_len = 0;
2953 } else {
2954 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
a1f11e34 2955 sm->assoc_wpa_ie = os_memdup(ie, len);
6fc6879b
JM		 2956 if (sm->assoc_wpa_ie == NULL)
2957 return -1;
2958
6fc6879b
JM		 2959 sm->assoc_wpa_ie_len = len;
2960 }
2961
2962 return 0;
2963}
2964
2965
2966/**
2967 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
2968 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2969 * @ie: Pointer to IE data (starting from id)
2970 * @len: IE length
2971 * Returns: 0 on success, -1 on failure
2972 *
2973 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
2974 * frame.
2975 */
2976int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
2977{
2978 if (sm == NULL)
2979 return -1;
2980
2981 os_free(sm->ap_wpa_ie);
2982 if (ie == NULL || len == 0) {
f049052b
BG		 2983 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2984 "WPA: clearing AP WPA IE");
6fc6879b
JM		 2985 sm->ap_wpa_ie = NULL;
2986 sm->ap_wpa_ie_len = 0;
2987 } else {
2988 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
a1f11e34 2989 sm->ap_wpa_ie = os_memdup(ie, len);
6fc6879b
JM		 2990 if (sm->ap_wpa_ie == NULL)
2991 return -1;
2992
6fc6879b
JM		 2993 sm->ap_wpa_ie_len = len;
2994 }
2995
2996 return 0;
2997}
2998
2999
3000/**
3001 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3002 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3003 * @ie: Pointer to IE data (starting from id)
3004 * @len: IE length
3005 * Returns: 0 on success, -1 on failure
3006 *
3007 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3008 * frame.
3009 */
3010int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3011{
3012 if (sm == NULL)
3013 return -1;
3014
3015 os_free(sm->ap_rsn_ie);
3016 if (ie == NULL || len == 0) {
f049052b
BG		 3017 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3018 "WPA: clearing AP RSN IE");
6fc6879b
JM		 3019 sm->ap_rsn_ie = NULL;
3020 sm->ap_rsn_ie_len = 0;
3021 } else {
3022 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
a1f11e34 3023 sm->ap_rsn_ie = os_memdup(ie, len);
6fc6879b
JM		 3024 if (sm->ap_rsn_ie == NULL)
3025 return -1;
3026
6fc6879b
JM		 3027 sm->ap_rsn_ie_len = len;
3028 }
3029
3030 return 0;
3031}
3032
3033
3034/**
3035 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3036 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3037 * @data: Pointer to data area for parsing results
3038 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3039 *
3040 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3041 * parsed data into data.
3042 */
3043int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3044{
2a522e71
JM		 3045 if (sm == NULL)
3046 return -1;
3047
3048 if (sm->assoc_wpa_ie == NULL) {
f049052b
BG		 3049 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3050 "WPA: No WPA/RSN IE available from association info");
6fc6879b
JM		 3051 return -1;
3052 }
3053 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3054 return -2;
3055 return 0;
3056}
540264a7
JM		 3057
3058
3059int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3060{
540264a7 3061 return pmksa_cache_list(sm->pmksa, buf, len);
540264a7 3062}
32d5295f
JM		 3063
3064
3459381d
JM		 3065struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3066{
3067 return pmksa_cache_head(sm->pmksa);
3068}
3069
3070
3071struct rsn_pmksa_cache_entry *
3072wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3073 struct rsn_pmksa_cache_entry * entry)
3074{
3075 return pmksa_cache_add_entry(sm->pmksa, entry);
3076}
3077
3078
32d5295f
JM		 3079void wpa_sm_drop_sa(struct wpa_sm *sm)
3080{
f049052b 3081 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
32d5295f
JM		 3082 sm->ptk_set = 0;
3083 sm->tptk_set = 0;
3084 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3085 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3086 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
71932544
JM		 3087#ifdef CONFIG_IEEE80211R
3088 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3089 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3090 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3091#endif /* CONFIG_IEEE80211R */
32d5295f 3092}
0d7b4409
JM		 3093
3094
3095int wpa_sm_has_ptk(struct wpa_sm *sm)
3096{
3097 if (sm == NULL)
3098 return 0;
3099 return sm->ptk_set;
3100}
b14a210c
JB		 3101
3102
3103void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3104{
3105 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3106}
d8a790b9
JM		 3107
3108
3109void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3110{
4033935d 3111 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
d8a790b9 3112}
75cad1a0
XC		 3113
3114
ad3872a3 3115#ifdef CONFIG_WNM
75cad1a0
XC		 3116int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3117{
75cad1a0
XC		 3118 u16 keyinfo;
3119 u8 keylen; /* plaintext key len */
75cad1a0
XC		 3120 u8 *key_rsc;
3121
75cad1a0 3122 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
d2c33b91
JM		 3123 struct wpa_gtk_data gd;
3124
3125 os_memset(&gd, 0, sizeof(gd));
3126 keylen = wpa_cipher_key_len(sm->group_cipher);
3127 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3128 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3129 if (gd.alg == WPA_ALG_NONE) {
3130 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3131 return -1;
3132 }
3133
75cad1a0 3134 key_rsc = buf + 5;
68db9ab0 3135 keyinfo = WPA_GET_LE16(buf + 2);
75cad1a0
XC		 3136 gd.gtk_len = keylen;
3137 if (gd.gtk_len != buf[4]) {
3138 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3139 gd.gtk_len, buf[4]);
3140 return -1;
3141 }
3142 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3143 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3144 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3145
68db9ab0 3146 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
75cad1a0
XC		 3147
3148 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3149 gd.gtk, gd.gtk_len);
3150 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
d2c33b91 3151 os_memset(&gd, 0, sizeof(gd));
75cad1a0
XC		 3152 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3153 "WNM mode");
3154 return -1;
3155 }
d2c33b91 3156 os_memset(&gd, 0, sizeof(gd));
75cad1a0
XC		 3157#ifdef CONFIG_IEEE80211W
3158 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
d2c33b91
JM		 3159 struct wpa_igtk_kde igd;
3160 u16 keyidx;
3161
3162 os_memset(&igd, 0, sizeof(igd));
8dd9f9cd 3163 keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
75cad1a0
XC		 3164 os_memcpy(igd.keyid, buf + 2, 2);
3165 os_memcpy(igd.pn, buf + 4, 6);
3166
3167 keyidx = WPA_GET_LE16(igd.keyid);
8dd9f9cd 3168 os_memcpy(igd.igtk, buf + 10, keylen);
75cad1a0
XC		 3169
3170 wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
8dd9f9cd
JM		 3171 igd.igtk, keylen);
3172 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
3173 broadcast_ether_addr,
75cad1a0 3174 keyidx, 0, igd.pn, sizeof(igd.pn),
8dd9f9cd 3175 igd.igtk, keylen) < 0) {
75cad1a0
XC		 3176 wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
3177 "WNM mode");
d2c33b91 3178 os_memset(&igd, 0, sizeof(igd));
75cad1a0
XC		 3179 return -1;
3180 }
d2c33b91 3181 os_memset(&igd, 0, sizeof(igd));
75cad1a0
XC		 3182#endif /* CONFIG_IEEE80211W */
3183 } else {
3184 wpa_printf(MSG_DEBUG, "Unknown element id");
3185 return -1;
3186 }
3187
3188 return 0;
3189}
ad3872a3 3190#endif /* CONFIG_WNM */
db76aa64
JM		 3191
3192
3193#ifdef CONFIG_PEERKEY
3194int wpa_sm_rx_eapol_peerkey(struct wpa_sm *sm, const u8 *src_addr,
3195 const u8 *buf, size_t len)
3196{
3197 struct wpa_peerkey *peerkey;
3198
3199 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
3200 if (os_memcmp(peerkey->addr, src_addr, ETH_ALEN) == 0)
3201 break;
3202 }
3203
3204 if (!peerkey)
3205 return 0;
3206
3207 wpa_sm_rx_eapol(sm, src_addr, buf, len);
3208
3209 return 1;
3210}
3211#endif /* CONFIG_PEERKEY */
25ef8529
JM		 3212
3213
3214#ifdef CONFIG_P2P
3215
3216int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3217{
3218 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3219 return -1;
3220 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3221 return 0;
3222}
3223
3224#endif /* CONFIG_P2P */
b41f2684
CL		 3225
3226
3227void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3228{
3229 if (rx_replay_counter == NULL)
3230 return;
3231
3232 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3233 WPA_REPLAY_COUNTER_LEN);
3234 sm->rx_replay_counter_set = 1;
3235 wpa_printf(MSG_DEBUG, "Updated key replay counter");
3236}
3237
3238
98cd3d1c
JM		 3239void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3240 const u8 *ptk_kck, size_t ptk_kck_len,
3241 const u8 *ptk_kek, size_t ptk_kek_len)
b41f2684 3242{
98cd3d1c
JM		 3243 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3244 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3245 sm->ptk.kck_len = ptk_kck_len;
b41f2684
CL		 3246 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3247 }
98cd3d1c
JM		 3248 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
3249 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
3250 sm->ptk.kek_len = ptk_kek_len;
b41f2684
CL		 3251 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
3252 }
3253 sm->ptk_set = 1;
3254}
651c6a84
JM		 3255
3256
3257#ifdef CONFIG_TESTING_OPTIONS
3258void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
3259{
3260 wpabuf_free(sm->test_assoc_ie);
3261 sm->test_assoc_ie = buf;
3262}
3263#endif /* CONFIG_TESTING_OPTIONS */
f00b9b88
JM		 3264
3265
3266#ifdef CONFIG_FILS
3267
3268struct wpabuf * fils_build_auth(struct wpa_sm *sm)
3269{
3270 struct wpabuf *buf = NULL;
3271 struct wpabuf *erp_msg;
3272
3273 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
3274 if (!erp_msg && !sm->cur_pmksa) {
3275 wpa_printf(MSG_DEBUG,
3276 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3277 goto fail;
3278 }
3279
3280 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3281 erp_msg != NULL, sm->cur_pmksa != NULL);
3282
706df429
JM		 3283 sm->fils_completed = 0;
3284
f00b9b88
JM		 3285 if (!sm->assoc_wpa_ie) {
3286 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
3287 goto fail;
3288 }
3289
3290 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
3291 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
3292 goto fail;
3293
3294 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
3295 sm->fils_nonce, FILS_NONCE_LEN);
3296 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
3297 sm->fils_session, FILS_SESSION_LEN);
3298
3299 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len);
3300 if (!buf)
3301 goto fail;
3302
3303 /* Fields following the Authentication algorithm number field */
3304
3305 /* Authentication Transaction seq# */
3306 wpabuf_put_le16(buf, 1);
3307
3308 /* Status Code */
3309 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
3310
3311 /* TODO: Finite Cyclic Group when using PK or PFS */
3312 /* TODO: Element when using PK or PFS */
3313
3314 /* RSNE */
3315 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
3316 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3317 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3318
3319 /* TODO: MDE when using FILS for FT initial association */
3320 /* TODO: FTE when using FILS for FT initial association */
3321
3322 /* FILS Nonce */
3323 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3324 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
3325 /* Element ID Extension */
3326 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
3327 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
3328
3329 /* FILS Session */
3330 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3331 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3332 /* Element ID Extension */
3333 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3334 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3335
3336 /* FILS Wrapped Data */
fcd3d6ce 3337 sm->fils_erp_pmkid_set = 0;
f00b9b88
JM		 3338 if (erp_msg) {
3339 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3340 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
3341 /* Element ID Extension */
3342 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA);
3343 wpabuf_put_buf(buf, erp_msg);
fcd3d6ce
JM		 3344 /* Calculate pending PMKID here so that we do not need to
3345 * maintain a copy of the EAP-Initiate/Reauth message. */
3346 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
3347 wpabuf_len(erp_msg),
3348 sm->fils_erp_pmkid) == 0)
3349 sm->fils_erp_pmkid_set = 1;
f00b9b88
JM		 3350 }
3351
3352 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
3353 buf);
3354
3355fail:
3356 wpabuf_free(erp_msg);
3357 return buf;
3358}
3359
a6609937 3360
ba9774bd
JM		 3361int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
3362 size_t len)
a6609937
JM		 3363{
3364 const u8 *pos, *end;
3365 struct ieee802_11_elems elems;
3366 struct wpa_ie_data rsn;
3367 int pmkid_match = 0;
3368 u8 ick[FILS_ICK_MAX_LEN];
3369 size_t ick_len;
3370 int res;
3371
ba9774bd
JM		 3372 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3373
a6609937
JM		 3374 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
3375 data, len);
3376 pos = data;
3377 end = data + len;
3378
3379 /* TODO: Finite Cyclic Group when using PK or PFS */
3380 /* TODO: Element when using PK or PFS */
3381
3382 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
3383 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
3384 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
3385 return -1;
3386 }
3387
3388 /* RSNE */
3389 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
3390 elems.rsn_ie_len);
3391 if (!elems.rsn_ie ||
3392 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3393 &rsn) < 0) {
3394 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
3395 return -1;
3396 }
3397
3398 if (!elems.fils_nonce) {
3399 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
3400 return -1;
3401 }
3402 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
3403 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
3404
3405 /* TODO: MDE when using FILS+FT */
3406 /* TODO: FTE when using FILS+FT */
3407
3408 /* PMKID List */
3409 if (rsn.pmkid && rsn.num_pmkid > 0) {
3410 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
3411 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
3412
3413 if (rsn.num_pmkid != 1) {
3414 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
3415 return -1;
3416 }
3417 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
3418 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
3419 {
3420 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
3421 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
3422 sm->cur_pmksa->pmkid, PMKID_LEN);
3423 return -1;
3424 }
3425 wpa_printf(MSG_DEBUG,
3426 "FILS: Matching PMKID - continue using PMKSA caching");
3427 pmkid_match = 1;
3428 }
3429 if (!pmkid_match && sm->cur_pmksa) {
3430 wpa_printf(MSG_DEBUG,
3431 "FILS: No PMKID match - cannot use cached PMKSA entry");
3432 sm->cur_pmksa = NULL;
3433 }
3434
3435 /* FILS Session */
3436 if (!elems.fils_session) {
3437 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3438 return -1;
3439 }
3440 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
3441 FILS_SESSION_LEN);
3442 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
3443 != 0) {
3444 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3445 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3446 sm->fils_session, FILS_SESSION_LEN);
3447 return -1;
3448 }
3449
3450 /* FILS Wrapped Data */
3451 if (!sm->cur_pmksa && elems.fils_wrapped_data) {
fcd3d6ce
JM		 3452 u8 rmsk[ERP_MAX_KEY_LEN];
3453 size_t rmsk_len;
3454
a6609937
JM		 3455 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
3456 elems.fils_wrapped_data,
3457 elems.fils_wrapped_data_len);
3458 eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data,
3459 elems.fils_wrapped_data_len);
3460 if (eapol_sm_failed(sm->eapol))
3461 return -1;
3462
fcd3d6ce
JM		 3463 rmsk_len = ERP_MAX_KEY_LEN;
3464 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3465 if (res == PMK_LEN) {
3466 rmsk_len = PMK_LEN;
3467 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3468 }
a6609937
JM		 3469 if (res)
3470 return -1;
3471
fcd3d6ce
JM		 3472 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
3473 sm->fils_nonce, sm->fils_anonce, NULL, 0,
3474 sm->pmk, &sm->pmk_len);
3475 os_memset(rmsk, 0, sizeof(rmsk));
275cc942
JM		 3476 if (res)
3477 return -1;
fcd3d6ce
JM		 3478
3479 if (!sm->fils_erp_pmkid_set) {
3480 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
3481 return -1;
3482 }
3483 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
3484 PMKID_LEN);
a6609937 3485 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
fcd3d6ce
JM		 3486 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
3487 sm->fils_erp_pmkid, NULL, 0,
3488 sm->bssid, sm->own_addr,
869af307
JM		 3489 sm->network_ctx, sm->key_mgmt,
3490 NULL);
a6609937
JM		 3491 }
3492
3493 if (!sm->cur_pmksa) {
3494 wpa_printf(MSG_DEBUG,
3495 "FILS: No remaining options to continue FILS authentication");
3496 return -1;
3497 }
3498
3499 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
3500 sm->fils_nonce, sm->fils_anonce, &sm->ptk,
3501 ick, &ick_len, sm->key_mgmt, sm->pairwise_cipher) <
3502 0) {
3503 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
3504 return -1;
3505 }
3506 sm->ptk_set = 1;
3507 sm->tptk_set = 0;
3508 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3509
3510 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
3511 sm->fils_anonce, sm->own_addr, sm->bssid,
3512 NULL, 0, NULL, 0, /* TODO: SK+PFS */
3513 sm->key_mgmt, sm->fils_key_auth_sta,
3514 sm->fils_key_auth_ap,
3515 &sm->fils_key_auth_len);
3516 os_memset(ick, 0, sizeof(ick));
3517 return res;
3518}
3519
86cd6928
JM		 3520
3521struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
3522 size_t *kek_len, const u8 **snonce,
5732b770
JM		 3523 const u8 **anonce,
3524 const struct wpabuf **hlp,
3525 unsigned int num_hlp)
86cd6928
JM		 3526{
3527 struct wpabuf *buf;
5732b770
JM		 3528 size_t len;
3529 unsigned int i;
86cd6928 3530
5732b770
JM		 3531 len = 1000;
3532 for (i = 0; hlp && i < num_hlp; i++)
3533 len += 10 + wpabuf_len(hlp[i]);
3534 buf = wpabuf_alloc(len);
86cd6928
JM		 3535 if (!buf)
3536 return NULL;
3537
3538 /* FILS Session */
3539 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3540 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3541 /* Element ID Extension */
3542 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3543 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3544
3545 /* Everything after FILS Session element gets encrypted in the driver
3546 * with KEK. The buffer returned from here is the plaintext version. */
3547
3548 /* TODO: FILS Public Key */
3549
3550 /* FILS Key Confirm */
3551 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3552 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
3553 /* Element ID Extension */
3554 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3555 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
3556
5732b770
JM		 3557 /* FILS HLP Container */
3558 for (i = 0; hlp && i < num_hlp; i++) {
3559 const u8 *pos = wpabuf_head(hlp[i]);
3560 size_t left = wpabuf_len(hlp[i]);
3561
3562 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3563 if (left <= 254)
3564 len = 1 + left;
3565 else
3566 len = 255;
3567 wpabuf_put_u8(buf, len); /* Length */
3568 /* Element ID Extension */
3569 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
3570 /* Destination MAC Address, Source MAC Address, HLP Packet.
3571 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
3572 * header when LPD is used). */
3573 wpabuf_put_data(buf, pos, len - 1);
3574 pos += len - 1;
3575 left -= len - 1;
3576 while (left) {
3577 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
3578 len = left > 255 ? 255 : left;
3579 wpabuf_put_u8(buf, len);
3580 wpabuf_put_data(buf, pos, len);
3581 pos += len;
3582 left -= len;
3583 }
3584 }
86cd6928
JM		 3585
3586 /* TODO: FILS IP Address Assignment */
3587
3588 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
3589
3590 *kek = sm->ptk.kek;
3591 *kek_len = sm->ptk.kek_len;
3592 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
3593 *snonce = sm->fils_nonce;
3594 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
3595 *snonce, FILS_NONCE_LEN);
3596 *anonce = sm->fils_anonce;
3597 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
3598 *anonce, FILS_NONCE_LEN);
3599
3600 return buf;
3601}
3602
706df429 3603
124ddfa1
JM		 3604static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3605{
3606 const u8 *pos, *end;
3607
3608 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
3609 if (len < 2 * ETH_ALEN)
3610 return;
3611 pos = resp + 2 * ETH_ALEN;
3612 end = resp + len;
3613 if (end - pos >= 6 &&
3614 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
3615 pos += 6; /* Remove SNAP/LLC header */
3616 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
3617}
3618
3619
3620static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
3621 size_t len)
3622{
3623 const u8 *end = pos + len;
3624 u8 *tmp, *tmp_pos;
3625
3626 /* Check if there are any FILS HLP Container elements */
3627 while (end - pos >= 2) {
3628 if (2 + pos[1] > end - pos)
3629 return;
3630 if (pos[0] == WLAN_EID_EXTENSION &&
3631 pos[1] >= 1 + 2 * ETH_ALEN &&
3632 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
3633 break;
3634 pos += 2 + pos[1];
3635 }
3636 if (end - pos < 2)
3637 return; /* No FILS HLP Container elements */
3638
3639 tmp = os_malloc(end - pos);
3640 if (!tmp)
3641 return;
3642
3643 while (end - pos >= 2) {
3644 if (2 + pos[1] > end - pos ||
3645 pos[0] != WLAN_EID_EXTENSION ||
3646 pos[1] < 1 + 2 * ETH_ALEN ||
3647 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
3648 break;
3649 tmp_pos = tmp;
3650 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
3651 tmp_pos += pos[1] - 1;
3652 pos += 2 + pos[1];
3653
3654 /* Add possible fragments */
3655 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
3656 2 + pos[1] <= end - pos) {
3657 os_memcpy(tmp_pos, pos + 2, pos[1]);
3658 tmp_pos += pos[1];
3659 pos += 2 + pos[1];
3660 }
3661
3662 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
3663 }
3664
3665 os_free(tmp);
3666}
3667
3668
706df429
JM		 3669int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3670{
3671 const struct ieee80211_mgmt *mgmt;
3672 const u8 *end, *ie_start;
3673 struct ieee802_11_elems elems;
3674 int keylen, rsclen;
3675 enum wpa_alg alg;
3676 struct wpa_gtk_data gd;
3677 int maxkeylen;
3678 struct wpa_eapol_ie_parse kde;
3679
3680 if (!sm || !sm->ptk_set) {
3681 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
3682 return -1;
3683 }
3684
3685 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
3686 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
3687 return -1;
3688 }
3689
3690 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
3691 resp, len);
3692
3693 mgmt = (const struct ieee80211_mgmt *) resp;
3694 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
3695 return -1;
3696
3697 end = resp + len;
3698 /* Same offset for Association Response and Reassociation Response */
3699 ie_start = mgmt->u.assoc_resp.variable;
3700
3701 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
3702 ParseFailed) {
3703 wpa_printf(MSG_DEBUG,
3704 "FILS: Failed to parse decrypted elements");
3705 goto fail;
3706 }
3707
3708 if (!elems.fils_session) {
3709 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3710 return -1;
3711 }
3712 if (os_memcmp(elems.fils_session, sm->fils_session,
3713 FILS_SESSION_LEN) != 0) {
3714 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
3715 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
3716 elems.fils_session, FILS_SESSION_LEN);
3717 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3718 sm->fils_session, FILS_SESSION_LEN);
3719 }
3720
3721 /* TODO: FILS Public Key */
3722
3723 if (!elems.fils_key_confirm) {
3724 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
3725 goto fail;
3726 }
3727 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
3728 wpa_printf(MSG_DEBUG,
3729 "FILS: Unexpected Key-Auth length %d (expected %d)",
3730 elems.fils_key_confirm_len,
3731 (int) sm->fils_key_auth_len);
3732 goto fail;
3733 }
3734 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
3735 sm->fils_key_auth_len) != 0) {
3736 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
3737 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
3738 elems.fils_key_confirm,
3739 elems.fils_key_confirm_len);
3740 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
3741 sm->fils_key_auth_ap, sm->fils_key_auth_len);
3742 goto fail;
3743 }
3744
3745 /* Key Delivery */
3746 if (!elems.key_delivery) {
3747 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
3748 goto fail;
3749 }
3750
3751 /* Parse GTK and set the key to the driver */
3752 os_memset(&gd, 0, sizeof(gd));
3753 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
3754 elems.key_delivery_len - WPA_KEY_RSC_LEN,
3755 &kde) < 0) {
3756 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
3757 goto fail;
3758 }
3759 if (!kde.gtk) {
3760 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
3761 goto fail;
3762 }
3763 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
3764 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3765 gd.gtk_len, maxkeylen,
3766 &gd.key_rsc_len, &gd.alg))
3767 goto fail;
3768
3769 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
3770 gd.keyidx = kde.gtk[0] & 0x3;
3771 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3772 !!(kde.gtk[0] & BIT(2)));
3773 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
3774 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
3775 (unsigned long) kde.gtk_len - 2);
3776 goto fail;
3777 }
3778 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
3779
3780 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
3781 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) {
3782 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
3783 goto fail;
3784 }
3785
3786 if (ieee80211w_set_keys(sm, &kde) < 0) {
3787 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
3788 goto fail;
3789 }
3790
3791 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
3792 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
3793 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
3794 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
3795 sm->ptk.tk, keylen);
3796 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
3797 sm->ptk.tk, keylen) < 0) {
3798 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3799 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
3800 MACSTR ")",
3801 alg, keylen, MAC2STR(sm->bssid));
3802 goto fail;
3803 }
3804
3805 /* TODO: TK could be cleared after auth frame exchange now that driver
3806 * takes care of association frame encryption/decryption. */
3807 /* TK is not needed anymore in supplicant */
3808 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
3809
124ddfa1
JM		 3810 /* FILS HLP Container */
3811 fils_process_hlp_container(sm, ie_start, end - ie_start);
706df429
JM		 3812
3813 /* TODO: FILS IP Address Assignment */
3814
3815 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
3816 sm->fils_completed = 1;
3817
3818 return 0;
3819fail:
3820 return -1;
3821}
3822
3823#endif /* CONFIG_FILS */
3824
3825
3826int wpa_fils_is_completed(struct wpa_sm *sm)
3827{
3828#ifdef CONFIG_FILS
3829 return sm && sm->fils_completed;
3830#else /* CONFIG_FILS */
3831 return 0;
f00b9b88 3832#endif /* CONFIG_FILS */
706df429 3833}
0a614799
JM		 3834
3835
3836#ifdef CONFIG_OWE
3837
3838struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm)
3839{
3840 struct wpabuf *ie = NULL, *pub = NULL;
3841
3842 crypto_ecdh_deinit(sm->owe_ecdh);
3843 sm->owe_ecdh = crypto_ecdh_init(OWE_DH_GROUP);
3844 if (!sm->owe_ecdh)
3845 goto fail;
3846 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
3847 if (!pub)
3848 goto fail;
3849
3850 ie = wpabuf_alloc(5 + wpabuf_len(pub));
3851 if (!ie)
3852 goto fail;
3853 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
3854 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
3855 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
3856 wpabuf_put_le16(ie, OWE_DH_GROUP);
3857 wpabuf_put_buf(ie, pub);
3858 wpabuf_free(pub);
3859 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
3860 ie);
3861
3862 return ie;
3863fail:
3864 wpabuf_free(pub);
3865 crypto_ecdh_deinit(sm->owe_ecdh);
3866 sm->owe_ecdh = NULL;
3867 return NULL;
3868}
3869
3870
3871int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *resp_ies,
3872 size_t resp_ies_len)
3873{
3874 struct ieee802_11_elems elems;
3875 u16 group;
3876 struct wpabuf *secret, *pub, *hkey;
3877 int res;
3878 u8 prk[SHA256_MAC_LEN], pmkid[SHA256_MAC_LEN];
3879 const char *info = "OWE Key Generation";
3880 const u8 *addr[2];
3881 size_t len[2];
3882
3883 if (!resp_ies ||
3884 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
3885 ParseFailed ||
3886 !elems.owe_dh) {
3887 wpa_printf(MSG_INFO,
3888 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
3889 return -1;
3890 }
3891
3892 group = WPA_GET_LE16(elems.owe_dh);
3893 if (group != OWE_DH_GROUP) {
3894 wpa_printf(MSG_INFO,
3895 "OWE: Unexpected Diffie-Hellman group in response: %u",
3896 group);
3897 return -1;
3898 }
3899
3900 if (!sm->owe_ecdh) {
3901 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
3902 return -1;
3903 }
3904
3905 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
3906 elems.owe_dh + 2,
3907 elems.owe_dh_len - 2);
3908 if (!secret) {
3909 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
3910 return -1;
3911 }
3912 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
3913
3914 /* prk = HKDF-extract(C | A | group, z) */
3915
3916 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
3917 if (!pub) {
3918 wpabuf_clear_free(secret);
3919 return -1;
3920 }
3921
3922 /* PMKID = Truncate-128(Hash(C | A)) */
3923 addr[0] = wpabuf_head(pub);
3924 len[0] = wpabuf_len(pub);
3925 addr[1] = elems.owe_dh + 2;
3926 len[1] = elems.owe_dh_len - 2;
3927 res = sha256_vector(2, addr, len, pmkid);
3928 if (res < 0) {
3929 wpabuf_free(pub);
3930 wpabuf_clear_free(secret);
3931 return -1;
3932 }
3933
3934 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
3935 if (!hkey) {
3936 wpabuf_free(pub);
3937 wpabuf_clear_free(secret);
3938 return -1;
3939 }
3940
3941 wpabuf_put_buf(hkey, pub); /* C */
3942 wpabuf_free(pub);
3943 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
3944 wpabuf_put_le16(hkey, OWE_DH_GROUP); /* group */
3945 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
3946 wpabuf_head(secret), wpabuf_len(secret), prk);
3947 wpabuf_clear_free(hkey);
3948 wpabuf_clear_free(secret);
3949 if (res < 0)
3950 return -1;
3951
3952 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, SHA256_MAC_LEN);
3953
3954 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
3955
3956 res = hmac_sha256_kdf(prk, SHA256_MAC_LEN, NULL, (const u8 *) info,
3957 os_strlen(info), sm->pmk, PMK_LEN);
3958 os_memset(prk, 0, SHA256_MAC_LEN);
3959 if (res < 0)
3960 return -1;
3961
3962 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, PMK_LEN);
3963 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
3964 /* TODO: Add PMKSA cache entry */
3965
3966 return 0;
3967}
3968
3969#endif /* CONFIG_OWE */
Unnamed repository; edit this file 'description' to name the repository.