]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FT: Allow 4-way handshake for PTK rekeying to continue without PMK/PMKID
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
bb05d036 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
17c2559c 16#include "common/ocv.h"
3b5b7aa8 17#include "crypto/aes.h"
03da66bd 18#include "crypto/aes_wrap.h"
3b5b7aa8 19#include "crypto/aes_siv.h"
03da66bd
JM		 20#include "crypto/crypto.h"
21#include "crypto/sha1.h"
22#include "crypto/sha256.h"
c6eb3e34 23#include "crypto/sha384.h"
3642c431 24#include "crypto/random.h"
281c950b 25#include "eapol_auth/eapol_auth_sm.h"
17c2559c 26#include "drivers/driver.h"
6226e38d 27#include "ap_config.h"
6fc6879b 28#include "ieee802_11.h"
6226e38d
JM		 29#include "wpa_auth.h"
30#include "pmksa_cache_auth.h"
6fc6879b
JM		 31#include "wpa_auth_i.h"
32#include "wpa_auth_ie.h"
33
34#define STATE_MACHINE_DATA struct wpa_state_machine
35#define STATE_MACHINE_DEBUG_PREFIX "WPA"
36#define STATE_MACHINE_ADDR sm->addr
37
38
39static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 40static int wpa_sm_step(struct wpa_state_machine *sm);
567da5bb
JM		 41static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
42 u8 *data, size_t data_len);
75c8563e
JM		 43#ifdef CONFIG_FILS
44static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
45 u8 *buf, size_t buf_len, u16 *_key_data_len);
9392859d
JM		 46static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
47 const struct wpabuf *hlp);
75c8563e 48#endif /* CONFIG_FILS */
6fc6879b
JM		 49static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
50static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
581a8cde 52static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 53static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
54 struct wpa_group *group);
1bdb7ab3
JM		 55static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
f23c5b17 57static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 58 const u8 *pmk, unsigned int pmk_len,
59 struct wpa_ptk *ptk);
a0ad9e8c
MB		 60static void wpa_group_free(struct wpa_authenticator *wpa_auth,
61 struct wpa_group *group);
62static void wpa_group_get(struct wpa_authenticator *wpa_auth,
63 struct wpa_group *group);
64static void wpa_group_put(struct wpa_authenticator *wpa_auth,
65 struct wpa_group *group);
e73ffa09 66static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 67
bae61562
JM		 68static const u32 eapol_key_timeout_first = 100; /* ms */
69static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 70static const u32 eapol_key_timeout_first_group = 500; /* ms */
6f234c1e 71static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
6fc6879b
JM		 72
73/* TODO: make these configurable */
74static const int dot11RSNAConfigPMKLifetime = 43200;
75static const int dot11RSNAConfigPMKReauthThreshold = 70;
76static const int dot11RSNAConfigSATimeout = 60;
77
78
c772d054 79static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 80 struct wpa_authenticator *wpa_auth, const u8 *addr)
81{
cef8fac0
JB		 82 if (wpa_auth->cb->mic_failure_report)
83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 84 return 0;
6fc6879b
JM		 85}
86
87
2c502460
JM		 88static inline void wpa_auth_psk_failure_report(
89 struct wpa_authenticator *wpa_auth, const u8 *addr)
90{
cef8fac0
JB		 91 if (wpa_auth->cb->psk_failure_report)
92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 93}
94
95
6fc6879b
JM		 96static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
97 const u8 *addr, wpa_eapol_variable var,
98 int value)
99{
cef8fac0
JB		 100 if (wpa_auth->cb->set_eapol)
101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 102}
103
104
105static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
106 const u8 *addr, wpa_eapol_variable var)
107{
cef8fac0 108 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 109 return -1;
cef8fac0 110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 111}
112
113
114static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 115 const u8 *addr,
116 const u8 *p2p_dev_addr,
dbfa691d
JM		 117 const u8 *prev_psk, size_t *psk_len,
118 int *vlan_id)
6fc6879b 119{
cef8fac0 120 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 121 return NULL;
cef8fac0 122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
dbfa691d 123 prev_psk, psk_len, vlan_id);
6fc6879b
JM		 124}
125
126
127static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
128 const u8 *addr, u8 *msk, size_t *len)
129{
cef8fac0 130 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 131 return -1;
cef8fac0 132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 133}
134
135
136static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
137 int vlan_id,
71934751 138 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 139 u8 *key, size_t key_len)
140{
cef8fac0 141 if (wpa_auth->cb->set_key == NULL)
6fc6879b 142 return -1;
cef8fac0
JB		 143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
144 key, key_len);
6fc6879b
JM		 145}
146
147
148static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
149 const u8 *addr, int idx, u8 *seq)
150{
cef8fac0 151 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 152 return -1;
cef8fac0 153 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 154}
155
156
6fc6879b
JM		 157static inline int
158wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
159 const u8 *data, size_t data_len, int encrypt)
160{
cef8fac0 161 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 162 return -1;
cef8fac0
JB		 163 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
164 encrypt);
6fc6879b
JM		 165}
166
167
c50d94f1
BC		 168#ifdef CONFIG_MESH
169static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
170 const u8 *addr)
171{
cef8fac0 172 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 173 return -1;
cef8fac0 174 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 175}
176#endif /* CONFIG_MESH */
177
178
6fc6879b
JM		 179int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
180 int (*cb)(struct wpa_state_machine *sm, void *ctx),
181 void *cb_ctx)
182{
cef8fac0 183 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 184 return 0;
cef8fac0 185 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 186}
187
188
bf98f7f3
JM		 189int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
190 int (*cb)(struct wpa_authenticator *a, void *ctx),
191 void *cb_ctx)
192{
cef8fac0 193 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 194 return 0;
cef8fac0 195 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 196}
197
198
6fc6879b
JM		 199void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
200 logger_level level, const char *txt)
201{
cef8fac0 202 if (wpa_auth->cb->logger == NULL)
6fc6879b 203 return;
cef8fac0 204 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 205}
206
207
208void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
209 logger_level level, const char *fmt, ...)
210{
211 char *format;
212 int maxlen;
213 va_list ap;
214
cef8fac0 215 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 216 return;
217
218 maxlen = os_strlen(fmt) + 100;
219 format = os_malloc(maxlen);
220 if (!format)
221 return;
222
223 va_start(ap, fmt);
224 vsnprintf(format, maxlen, fmt, ap);
225 va_end(ap);
226
227 wpa_auth_logger(wpa_auth, addr, level, format);
228
229 os_free(format);
230}
231
232
233static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
567da5bb 234 const u8 *addr, u16 reason)
6fc6879b 235{
cef8fac0 236 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 237 return;
567da5bb
JM		 238 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
239 MAC2STR(addr), reason);
240 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
6fc6879b
JM		 241}
242
243
17c2559c
MV		 244#ifdef CONFIG_OCV
245static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
246 struct wpa_channel_info *ci)
247{
248 if (!wpa_auth->cb->channel_info)
249 return -1;
250 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
251}
252#endif /* CONFIG_OCV */
253
254
dbfa691d
JM		 255static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
256 const u8 *addr, int vlan_id)
257{
258 if (!wpa_auth->cb->update_vlan)
259 return -1;
260 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
261}
262
263
6fc6879b
JM		 264static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
265{
266 struct wpa_authenticator *wpa_auth = eloop_ctx;
267
3642c431 268 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 269 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
270 "initialization.");
271 } else {
272 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 273 wpa_hexdump_key(MSG_DEBUG, "GMK",
274 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 275 }
276
277 if (wpa_auth->conf.wpa_gmk_rekey) {
278 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
279 wpa_rekey_gmk, wpa_auth, NULL);
280 }
281}
282
283
284static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
285{
286 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 287 struct wpa_group *group, *next;
6fc6879b
JM		 288
289 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 290 group = wpa_auth->group;
291 while (group) {
292 wpa_group_get(wpa_auth, group);
293
6fc6879b
JM		 294 group->GTKReKey = TRUE;
295 do {
296 group->changed = FALSE;
297 wpa_group_sm_step(wpa_auth, group);
298 } while (group->changed);
a0ad9e8c
MB		 299
300 next = group->next;
301 wpa_group_put(wpa_auth, group);
302 group = next;
6fc6879b
JM		 303 }
304
305 if (wpa_auth->conf.wpa_group_rekey) {
306 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
307 0, wpa_rekey_gtk, wpa_auth, NULL);
308 }
309}
310
311
581a8cde
JM		 312static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
313{
314 struct wpa_authenticator *wpa_auth = eloop_ctx;
315 struct wpa_state_machine *sm = timeout_ctx;
316
317 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
318 wpa_request_new_ptk(sm);
319 wpa_sm_step(sm);
320}
321
322
a40bd06e
JM		 323void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
324{
325 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
326 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
327 MACSTR " (%d seconds)", MAC2STR(sm->addr),
328 sm->wpa_auth->conf.wpa_ptk_rekey);
329 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
330 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
331 wpa_rekey_ptk, sm->wpa_auth, sm);
332 }
333}
334
335
6fc6879b
JM		 336static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
337{
338 if (sm->pmksa == ctx)
339 sm->pmksa = NULL;
340 return 0;
341}
342
343
344static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
345 void *ctx)
346{
347 struct wpa_authenticator *wpa_auth = ctx;
348 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
349}
350
351
1bdb7ab3
JM		 352static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
353 struct wpa_group *group)
354{
559cdabb 355 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 356 u8 rkey[32];
559cdabb 357 unsigned long ptr;
1bdb7ab3 358
3642c431 359 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 360 return -1;
361 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
362
363 /*
364 * Counter = PRF-256(Random number, "Init Counter",
365 * Local MAC Address || Time)
366 */
367 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
368 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 369 ptr = (unsigned long) group;
370 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
525923b1
JM		 371#ifdef TEST_FUZZ
372 os_memset(buf + ETH_ALEN, 0xab, 8);
373 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
374#endif /* TEST_FUZZ */
3642c431 375 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 376 return -1;
377
378 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
379 group->Counter, WPA_NONCE_LEN) < 0)
380 return -1;
381 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
382 group->Counter, WPA_NONCE_LEN);
383
384 return 0;
385}
386
387
e6965d4e 388static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 389 int vlan_id, int delay_init)
e6965d4e
JM		 390{
391 struct wpa_group *group;
e6965d4e
JM		 392
393 group = os_zalloc(sizeof(struct wpa_group));
394 if (group == NULL)
395 return NULL;
396
397 group->GTKAuthenticator = TRUE;
398 group->vlan_id = vlan_id;
c3550295 399 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 400
08704cd8
JM		 401 if (random_pool_ready() != 1) {
402 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
403 "for secure operations - update keys later when "
404 "the first station connects");
405 }
406
1bdb7ab3
JM		 407 /*
408 * Set initial GMK/Counter value here. The actual values that will be
409 * used in negotiations will be set once the first station tries to
410 * connect. This allows more time for collecting additional randomness
411 * on embedded devices.
6fc6879b 412 */
1bdb7ab3 413 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 414 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
415 "initialization.");
416 os_free(group);
417 return NULL;
418 }
6fc6879b
JM		 419
420 group->GInit = TRUE;
bdffdc5d
JM		 421 if (delay_init) {
422 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
423 "until Beacon frames have been configured");
424 /* Initialization is completed in wpa_init_keys(). */
425 } else {
426 wpa_group_sm_step(wpa_auth, group);
427 group->GInit = FALSE;
428 wpa_group_sm_step(wpa_auth, group);
429 }
6fc6879b
JM		 430
431 return group;
432}
433
434
435/**
436 * wpa_init - Initialize WPA authenticator
437 * @addr: Authenticator address
438 * @conf: Configuration for WPA authenticator
a17df5fb 439 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 440 * Returns: Pointer to WPA authenticator data or %NULL on failure
441 */
442struct wpa_authenticator * wpa_init(const u8 *addr,
443 struct wpa_auth_config *conf,
cef8fac0
JB		 444 const struct wpa_auth_callbacks *cb,
445 void *cb_ctx)
6fc6879b
JM		 446{
447 struct wpa_authenticator *wpa_auth;
448
449 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
450 if (wpa_auth == NULL)
451 return NULL;
452 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
453 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 454 wpa_auth->cb = cb;
455 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 456
457 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
458 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
459 os_free(wpa_auth);
460 return NULL;
461 }
462
bdffdc5d 463 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 464 if (wpa_auth->group == NULL) {
465 os_free(wpa_auth->wpa_ie);
466 os_free(wpa_auth);
467 return NULL;
468 }
469
4bb081f1
JM		 470 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
471 wpa_auth);
6fc6879b
JM		 472 if (wpa_auth->pmksa == NULL) {
473 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 474 os_free(wpa_auth->group);
6fc6879b
JM		 475 os_free(wpa_auth->wpa_ie);
476 os_free(wpa_auth);
477 return NULL;
478 }
479
4ec1fd8e 480#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 481 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
482 if (wpa_auth->ft_pmk_cache == NULL) {
483 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 484 os_free(wpa_auth->group);
6fc6879b 485 os_free(wpa_auth->wpa_ie);
4bb081f1 486 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 487 os_free(wpa_auth);
488 return NULL;
489 }
4ec1fd8e 490#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 491
492 if (wpa_auth->conf.wpa_gmk_rekey) {
493 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
494 wpa_rekey_gmk, wpa_auth, NULL);
495 }
496
497 if (wpa_auth->conf.wpa_group_rekey) {
498 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
499 wpa_rekey_gtk, wpa_auth, NULL);
500 }
501
25ef8529
JM		 502#ifdef CONFIG_P2P
503 if (WPA_GET_BE32(conf->ip_addr_start)) {
504 int count = WPA_GET_BE32(conf->ip_addr_end) -
505 WPA_GET_BE32(conf->ip_addr_start) + 1;
506 if (count > 1000)
507 count = 1000;
508 if (count > 0)
509 wpa_auth->ip_pool = bitfield_alloc(count);
510 }
511#endif /* CONFIG_P2P */
512
6fc6879b
JM		 513 return wpa_auth;
514}
515
516
bdffdc5d
JM		 517int wpa_init_keys(struct wpa_authenticator *wpa_auth)
518{
519 struct wpa_group *group = wpa_auth->group;
520
521 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
522 "keys");
523 wpa_group_sm_step(wpa_auth, group);
524 group->GInit = FALSE;
525 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 526 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
527 return -1;
bdffdc5d
JM		 528 return 0;
529}
530
531
6fc6879b
JM		 532/**
533 * wpa_deinit - Deinitialize WPA authenticator
534 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
535 */
536void wpa_deinit(struct wpa_authenticator *wpa_auth)
537{
538 struct wpa_group *group, *prev;
539
540 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
541 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
542
4bb081f1 543 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 544
4ec1fd8e 545#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 546 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
547 wpa_auth->ft_pmk_cache = NULL;
eefe8630 548 wpa_ft_deinit(wpa_auth);
4ec1fd8e 549#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 550
25ef8529
JM		 551#ifdef CONFIG_P2P
552 bitfield_free(wpa_auth->ip_pool);
553#endif /* CONFIG_P2P */
554
555
6fc6879b
JM		 556 os_free(wpa_auth->wpa_ie);
557
558 group = wpa_auth->group;
559 while (group) {
560 prev = group;
561 group = group->next;
562 os_free(prev);
563 }
564
565 os_free(wpa_auth);
566}
567
568
569/**
570 * wpa_reconfig - Update WPA authenticator configuration
571 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
572 * @conf: Configuration for WPA authenticator
573 */
574int wpa_reconfig(struct wpa_authenticator *wpa_auth,
575 struct wpa_auth_config *conf)
576{
e6965d4e 577 struct wpa_group *group;
6fc6879b
JM		 578 if (wpa_auth == NULL)
579 return 0;
580
581 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 582 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
583 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
584 return -1;
585 }
586
e6965d4e
JM		 587 /*
588 * Reinitialize GTK to make sure it is suitable for the new
589 * configuration.
590 */
591 group = wpa_auth->group;
c3550295 592 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 593 group->GInit = TRUE;
594 wpa_group_sm_step(wpa_auth, group);
595 group->GInit = FALSE;
596 wpa_group_sm_step(wpa_auth, group);
597
6fc6879b
JM		 598 return 0;
599}
600
601
602struct wpa_state_machine *
94ddef3e
JM		 603wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
604 const u8 *p2p_dev_addr)
6fc6879b
JM		 605{
606 struct wpa_state_machine *sm;
607
7d7f7be2
JM		 608 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
609 return NULL;
610
6fc6879b
JM		 611 sm = os_zalloc(sizeof(struct wpa_state_machine));
612 if (sm == NULL)
613 return NULL;
614 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 615 if (p2p_dev_addr)
616 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 617
618 sm->wpa_auth = wpa_auth;
619 sm->group = wpa_auth->group;
a0ad9e8c 620 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 621
622 return sm;
623}
624
625
6f9b5d16
JM		 626int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
627 struct wpa_state_machine *sm)
6fc6879b
JM		 628{
629 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 630 return -1;
6fc6879b 631
4ec1fd8e 632#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 633 if (sm->ft_completed) {
634 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
635 "FT authentication already completed - do not "
636 "start 4-way handshake");
3d4d2348
JM		 637 /* Go to PTKINITDONE state to allow GTK rekeying */
638 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 639 sm->Pair = TRUE;
6f9b5d16 640 return 0;
6fc6879b 641 }
4ec1fd8e 642#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 643
07e0117d
JM		 644#ifdef CONFIG_FILS
645 if (sm->fils_completed) {
646 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
647 "FILS authentication already completed - do not start 4-way handshake");
648 /* Go to PTKINITDONE state to allow GTK rekeying */
649 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 650 sm->Pair = TRUE;
07e0117d
JM		 651 return 0;
652 }
653#endif /* CONFIG_FILS */
654
6fc6879b 655 if (sm->started) {
22a299ee 656 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 657 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 658 return wpa_sm_step(sm);
6fc6879b
JM		 659 }
660
661 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
662 "start authentication");
663 sm->started = 1;
664
665 sm->Init = TRUE;
e4a6ea1d 666 if (wpa_sm_step(sm) == 1)
6f9b5d16 667 return 1; /* should not really happen */
6fc6879b
JM		 668 sm->Init = FALSE;
669 sm->AuthenticationRequest = TRUE;
6f9b5d16 670 return wpa_sm_step(sm);
6fc6879b
JM		 671}
672
673
a8d05fca
JM		 674void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
675{
676 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
677 * reassociates back to the same AP while the previous entry for the
678 * STA has not yet been removed. */
679 if (sm == NULL)
680 return;
681
682 sm->wpa_key_mgmt = 0;
683}
684
685
6fc6879b
JM		 686static void wpa_free_sta_sm(struct wpa_state_machine *sm)
687{
25ef8529
JM		 688#ifdef CONFIG_P2P
689 if (WPA_GET_BE32(sm->ip_addr)) {
690 u32 start;
691 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
692 "address %u.%u.%u.%u from " MACSTR,
693 sm->ip_addr[0], sm->ip_addr[1],
694 sm->ip_addr[2], sm->ip_addr[3],
695 MAC2STR(sm->addr));
696 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
697 bitfield_clear(sm->wpa_auth->ip_pool,
698 WPA_GET_BE32(sm->ip_addr) - start);
699 }
700#endif /* CONFIG_P2P */
2ade8ef2
JM		 701 if (sm->GUpdateStationKeys) {
702 sm->group->GKeyDoneStations--;
703 sm->GUpdateStationKeys = FALSE;
704 }
4ec1fd8e 705#ifdef CONFIG_IEEE80211R_AP
0f857f43 706 os_free(sm->assoc_resp_ftie);
692ec305 707 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 708#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 709 os_free(sm->last_rx_eapol_key);
710 os_free(sm->wpa_ie);
a0ad9e8c 711 wpa_group_put(sm->wpa_auth, sm->group);
10ec6a5f
JM		 712#ifdef CONFIG_DPP2
713 wpabuf_clear_free(sm->dpp_z);
714#endif /* CONFIG_DPP2 */
6fc6879b
JM		 715 os_free(sm);
716}
717
718
719void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
720{
721 if (sm == NULL)
722 return;
723
724 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
725 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
726 "strict rekeying - force GTK rekey since STA "
727 "is leaving");
3f5a1860
JB		 728 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
729 sm->wpa_auth, NULL) == -1)
730 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
731 NULL);
6fc6879b
JM		 732 }
733
734 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 735 sm->pending_1_of_4_timeout = 0;
6fc6879b 736 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 737 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3a46cf93
MB		 738#ifdef CONFIG_IEEE80211R_AP
739 wpa_ft_sta_deinit(sm);
740#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 741 if (sm->in_step_loop) {
742 /* Must not free state machine while wpa_sm_step() is running.
743 * Freeing will be completed in the end of wpa_sm_step(). */
744 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
745 "machine deinit for " MACSTR, MAC2STR(sm->addr));
746 sm->pending_deinit = 1;
747 } else
748 wpa_free_sta_sm(sm);
749}
750
751
752static void wpa_request_new_ptk(struct wpa_state_machine *sm)
753{
754 if (sm == NULL)
755 return;
756
757 sm->PTKRequest = TRUE;
758 sm->PTK_valid = 0;
759}
760
761
68921e24 762static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 763 const u8 *replay_counter)
764{
765 int i;
766 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 767 if (!ctr[i].valid)
22a299ee 768 break;
68921e24 769 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 770 WPA_REPLAY_COUNTER_LEN) == 0)
771 return 1;
772 }
773 return 0;
774}
775
776
68921e24
JM		 777static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
778 const u8 *replay_counter)
779{
780 int i;
781 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
782 if (ctr[i].valid &&
783 (replay_counter == NULL ||
784 os_memcmp(replay_counter, ctr[i].counter,
785 WPA_REPLAY_COUNTER_LEN) == 0))
786 ctr[i].valid = FALSE;
787 }
788}
789
790
4ec1fd8e 791#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 792static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
793 struct wpa_state_machine *sm,
794 struct wpa_eapol_ie_parse *kde)
795{
796 struct wpa_ie_data ie;
797 struct rsn_mdie *mdie;
798
799 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
800 ie.num_pmkid != 1 || ie.pmkid == NULL) {
801 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
802 "FT 4-way handshake message 2/4");
803 return -1;
804 }
805
806 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
807 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
808 sm->sup_pmk_r1_name, PMKID_LEN);
809
810 if (!kde->mdie || !kde->ftie) {
811 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
812 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
813 return -1;
814 }
815
816 mdie = (struct rsn_mdie *) (kde->mdie + 2);
817 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
818 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
819 MOBILITY_DOMAIN_ID_LEN) != 0) {
820 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
821 return -1;
822 }
823
824 if (sm->assoc_resp_ftie &&
825 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
826 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
827 2 + sm->assoc_resp_ftie[1]) != 0)) {
828 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
829 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
830 kde->ftie, kde->ftie_len);
831 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
832 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
833 return -1;
834 }
835
836 return 0;
837}
4ec1fd8e 838#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 839
840
c772d054
JM		 841static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
842 struct wpa_state_machine *sm, int group)
ec027805
JM		 843{
844 /* Supplicant reported a Michael MIC error */
845 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
846 "received EAPOL-Key Error Request "
847 "(STA detected Michael MIC failure (group=%d))",
848 group);
fbc72d32
JM		 849
850 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
851 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
852 "ignore Michael MIC failure report since "
853 "group cipher is not TKIP");
854 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
855 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
856 "ignore Michael MIC failure report since "
857 "pairwise cipher is not TKIP");
858 } else {
c772d054
JM		 859 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
860 return 1; /* STA entry was removed */
fbc72d32
JM		 861 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
862 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
863 }
ec027805
JM		 864
865 /*
866 * Error report is not a request for a new key handshake, but since
867 * Authenticator may do it, let's change the keys now anyway.
868 */
869 wpa_request_new_ptk(sm);
c772d054 870 return 0;
ec027805
JM		 871}
872
873
f23c5b17
JM		 874static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
875 size_t data_len)
876{
877 struct wpa_ptk PTK;
878 int ok = 0;
879 const u8 *pmk = NULL;
7a12edd1 880 size_t pmk_len;
dbfa691d 881 int vlan_id = 0;
f23c5b17 882
b729fd8d 883 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17 884 for (;;) {
e61fea6b
JM		 885 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
886 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
f23c5b17 887 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
dbfa691d
JM		 888 sm->p2p_dev_addr, pmk, &pmk_len,
889 &vlan_id);
f23c5b17
JM		 890 if (pmk == NULL)
891 break;
f9854c18
MK		 892#ifdef CONFIG_IEEE80211R_AP
893 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
894 os_memcpy(sm->xxkey, pmk, pmk_len);
895 sm->xxkey_len = pmk_len;
896 }
897#endif /* CONFIG_IEEE80211R_AP */
207976f0 898 } else {
f23c5b17 899 pmk = sm->PMK;
207976f0
JM		 900 pmk_len = sm->pmk_len;
901 }
f23c5b17 902
364c064a
JM		 903 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
904 break;
f23c5b17 905
567da5bb
JM		 906 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
907 data, data_len) == 0) {
08dc8efd
JM		 908 if (sm->PMK != pmk) {
909 os_memcpy(sm->PMK, pmk, pmk_len);
910 sm->pmk_len = pmk_len;
911 }
f23c5b17
JM		 912 ok = 1;
913 break;
914 }
915
f5e0a332
JM		 916 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
917 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
f23c5b17
JM		 918 break;
919 }
920
921 if (!ok) {
922 wpa_printf(MSG_DEBUG,
923 "WPA: Earlier SNonce did not result in matching MIC");
924 return -1;
925 }
926
927 wpa_printf(MSG_DEBUG,
928 "WPA: Earlier SNonce resulted in matching MIC");
929 sm->alt_snonce_valid = 0;
dbfa691d
JM		 930
931 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
932 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
933 return -1;
934
f23c5b17
JM		 935 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
936 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
937 sm->PTK_valid = TRUE;
938
939 return 0;
940}
941
942
6fc6879b
JM		 943void wpa_receive(struct wpa_authenticator *wpa_auth,
944 struct wpa_state_machine *sm,
945 u8 *data, size_t data_len)
946{
947 struct ieee802_1x_hdr *hdr;
948 struct wpa_eapol_key *key;
949 u16 key_info, key_data_length;
a0bf1b68 950 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
6fc6879b
JM		 951 char *msgtxt;
952 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 953 const u8 *key_data;
954 size_t keyhdrlen, mic_len;
6d014ffc 955 u8 *mic;
6fc6879b
JM		 956
957 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
958 return;
dc5bad48 959 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 960
567da5bb 961 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 962 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 963
dc5bad48
JM		 964 if (data_len < sizeof(*hdr) + keyhdrlen) {
965 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 966 return;
dc5bad48 967 }
6fc6879b
JM		 968
969 hdr = (struct ieee802_1x_hdr *) data;
970 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 971 mic = (u8 *) (key + 1);
6fc6879b 972 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 973 key_data = mic + mic_len + 2;
974 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 975 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 976 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
977 MAC2STR(sm->addr), key_info, key->type,
978 (unsigned int) mic_len, key_data_length);
979 wpa_hexdump(MSG_MSGDUMP,
980 "WPA: EAPOL-Key header (ending before Key MIC)",
981 key, sizeof(*key));
982 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
983 mic, mic_len);
5e3b5197 984 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 985 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
986 "key_data overflow (%d > %lu)",
987 key_data_length,
988 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 989 keyhdrlen));
6fc6879b
JM		 990 return;
991 }
992
f8e96eb6 993 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 994 if (key->type == EAPOL_KEY_TYPE_WPA) {
995 /*
996 * Some deployed station implementations seem to send
997 * msg 4/4 with incorrect type value in WPA2 mode.
998 */
999 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
1000 "with unexpected WPA type in RSN mode");
1001 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 1002 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
1003 "unexpected type %d in RSN mode",
1004 key->type);
1005 return;
1006 }
1007 } else {
1008 if (key->type != EAPOL_KEY_TYPE_WPA) {
1009 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
1010 "unexpected type %d in WPA mode",
1011 key->type);
1012 return;
1013 }
1014 }
1015
bc8318ac
JM		 1016 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1017 WPA_NONCE_LEN);
1018 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1019 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1020
6fc6879b
JM		 1021 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1022 * are set */
1023
a0bf1b68
JM		 1024 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1025 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1026 return;
1027 }
1028
1029 if (key_info & WPA_KEY_INFO_REQUEST) {
6fc6879b
JM		 1030 msg = REQUEST;
1031 msgtxt = "Request";
1032 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1033 msg = GROUP_2;
1034 msgtxt = "2/2 Group";
3b5b7aa8
JM		 1035 } else if (key_data_length == 0 ||
1036 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1037 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 1038 msg = PAIRWISE_4;
1039 msgtxt = "4/4 Pairwise";
1040 } else {
1041 msg = PAIRWISE_2;
1042 msgtxt = "2/4 Pairwise";
1043 }
1044
6fc6879b
JM		 1045 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1046 msg == GROUP_2) {
1047 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1048 if (sm->pairwise == WPA_CIPHER_CCMP ||
1049 sm->pairwise == WPA_CIPHER_GCMP) {
4bc801ab
JM		 1050 if (wpa_use_cmac(sm->wpa_key_mgmt) &&
1051 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1052 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1053 wpa_auth_logger(wpa_auth, sm->addr,
1054 LOGGER_WARNING,
1055 "advertised support for "
1056 "AES-128-CMAC, but did not "
1057 "use it");
1058 return;
1059 }
1060
4bc801ab
JM		 1061 if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
1062 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1063 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1064 wpa_auth_logger(wpa_auth, sm->addr,
1065 LOGGER_WARNING,
1066 "did not use HMAC-SHA1-AES "
eb7719ff 1067 "with CCMP/GCMP");
6fc6879b
JM		 1068 return;
1069 }
1070 }
929a2ea5 1071
4bc801ab 1072 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
929a2ea5
JM		 1073 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1074 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1075 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1076 return;
1077 }
6fc6879b
JM		 1078 }
1079
1080 if (key_info & WPA_KEY_INFO_REQUEST) {
1081 if (sm->req_replay_counter_used &&
1082 os_memcmp(key->replay_counter, sm->req_replay_counter,
1083 WPA_REPLAY_COUNTER_LEN) <= 0) {
1084 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1085 "received EAPOL-Key request with "
1086 "replayed counter");
1087 return;
1088 }
1089 }
1090
1091 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1092 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1093 int i;
68921e24
JM		 1094
1095 if (msg == PAIRWISE_2 &&
1096 wpa_replay_counter_valid(sm->prev_key_replay,
1097 key->replay_counter) &&
1098 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1099 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1100 {
1101 /*
1102 * Some supplicant implementations (e.g., Windows XP
1103 * WZC) update SNonce for each EAPOL-Key 2/4. This
1104 * breaks the workaround on accepting any of the
1105 * pending requests, so allow the SNonce to be updated
1106 * even if we have already sent out EAPOL-Key 3/4.
1107 */
1108 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1109 "Process SNonce update from STA "
1110 "based on retransmitted EAPOL-Key "
1111 "1/4");
1112 sm->update_snonce = 1;
f23c5b17
JM		 1113 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1114 sm->alt_snonce_valid = TRUE;
1115 os_memcpy(sm->alt_replay_counter,
1116 sm->key_replay[0].counter,
1117 WPA_REPLAY_COUNTER_LEN);
1118 goto continue_processing;
1119 }
1120
1121 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1122 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1123 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1124 WPA_REPLAY_COUNTER_LEN) == 0) {
1125 /*
1126 * Supplicant may still be using the old SNonce since
1127 * there was two EAPOL-Key 2/4 messages and they had
1128 * different SNonce values.
1129 */
1130 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1131 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1132 goto continue_processing;
1133 }
1134
1135 if (msg == PAIRWISE_2 &&
1136 wpa_replay_counter_valid(sm->prev_key_replay,
1137 key->replay_counter) &&
1138 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1139 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1140 "ignore retransmitted EAPOL-Key %s - "
1141 "SNonce did not change", msgtxt);
1142 } else {
1143 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1144 "received EAPOL-Key %s with "
1145 "unexpected replay counter", msgtxt);
1146 }
22a299ee
JM		 1147 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1148 if (!sm->key_replay[i].valid)
1149 break;
1150 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1151 sm->key_replay[i].counter,
1152 WPA_REPLAY_COUNTER_LEN);
1153 }
6fc6879b
JM		 1154 wpa_hexdump(MSG_DEBUG, "received replay counter",
1155 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1156 return;
1157 }
1158
68921e24 1159continue_processing:
3b5b7aa8
JM		 1160#ifdef CONFIG_FILS
1161 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1162 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1163 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1164 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1165 return;
1166 }
1167#endif /* CONFIG_FILS */
1168
6fc6879b
JM		 1169 switch (msg) {
1170 case PAIRWISE_2:
1171 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1172 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1173 (!sm->update_snonce ||
1174 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1175 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1176 "received EAPOL-Key msg 2/4 in "
1177 "invalid state (%d) - dropped",
1178 sm->wpa_ptk_state);
1179 return;
1180 }
bbb921da 1181 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1182 if (sm->group->reject_4way_hs_for_entropy) {
1183 /*
1184 * The system did not have enough entropy to generate
1185 * strong random numbers. Reject the first 4-way
1186 * handshake(s) and collect some entropy based on the
1187 * information from it. Once enough entropy is
1188 * available, the next atempt will trigger GMK/Key
1189 * Counter update and the station will be allowed to
1190 * continue.
1191 */
1192 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1193 "collect more entropy for random number "
1194 "generation");
08704cd8 1195 random_mark_pool_ready();
567da5bb
JM		 1196 wpa_sta_disconnect(wpa_auth, sm->addr,
1197 WLAN_REASON_PREV_AUTH_NOT_VALID);
08704cd8
JM		 1198 return;
1199 }
6fc6879b
JM		 1200 break;
1201 case PAIRWISE_4:
1202 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1203 !sm->PTK_valid) {
1204 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1205 "received EAPOL-Key msg 4/4 in "
1206 "invalid state (%d) - dropped",
1207 sm->wpa_ptk_state);
1208 return;
1209 }
1210 break;
1211 case GROUP_2:
1212 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1213 || !sm->PTK_valid) {
1214 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1215 "received EAPOL-Key msg 2/2 in "
1216 "invalid state (%d) - dropped",
1217 sm->wpa_ptk_group_state);
1218 return;
1219 }
1220 break;
6fc6879b
JM		 1221 case REQUEST:
1222 break;
1223 }
1224
1225 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1226 "received EAPOL-Key frame (%s)", msgtxt);
1227
1228 if (key_info & WPA_KEY_INFO_ACK) {
1229 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1230 "received invalid EAPOL-Key: Key Ack set");
1231 return;
1232 }
1233
b9866483
JM		 1234 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1235 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1236 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1237 "received invalid EAPOL-Key: Key MIC not set");
1238 return;
1239 }
1240
b9866483
JM		 1241#ifdef CONFIG_FILS
1242 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1243 (key_info & WPA_KEY_INFO_MIC)) {
1244 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1245 "received invalid EAPOL-Key: Key MIC set");
1246 return;
1247 }
1248#endif /* CONFIG_FILS */
1249
6fc6879b 1250 sm->MICVerified = FALSE;
68921e24 1251 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8 1252 if (mic_len &&
567da5bb
JM		 1253 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1254 data, data_len) &&
f23c5b17
JM		 1255 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1256 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1257 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1258 "received EAPOL-Key with invalid MIC");
525923b1
JM		 1259#ifdef TEST_FUZZ
1260 wpa_printf(MSG_INFO,
1261 "TEST: Ignore Key MIC failure for fuzz testing");
1262 goto continue_fuzz;
1263#endif /* TEST_FUZZ */
6fc6879b
JM		 1264 return;
1265 }
75c8563e
JM		 1266#ifdef CONFIG_FILS
1267 if (!mic_len &&
1268 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1269 &key_data_length) < 0) {
1270 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1271 "received EAPOL-Key with invalid MIC");
525923b1
JM		 1272#ifdef TEST_FUZZ
1273 wpa_printf(MSG_INFO,
1274 "TEST: Ignore Key MIC failure for fuzz testing");
1275 goto continue_fuzz;
1276#endif /* TEST_FUZZ */
75c8563e
JM		 1277 return;
1278 }
1279#endif /* CONFIG_FILS */
525923b1
JM		 1280#ifdef TEST_FUZZ
1281 continue_fuzz:
1282#endif /* TEST_FUZZ */
6fc6879b
JM		 1283 sm->MICVerified = TRUE;
1284 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1285 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1286 }
1287
1288 if (key_info & WPA_KEY_INFO_REQUEST) {
1289 if (sm->MICVerified) {
1290 sm->req_replay_counter_used = 1;
1291 os_memcpy(sm->req_replay_counter, key->replay_counter,
1292 WPA_REPLAY_COUNTER_LEN);
1293 } else {
1294 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1295 "received EAPOL-Key request with "
1296 "invalid MIC");
1297 return;
1298 }
1299
1300 /*
1301 * TODO: should decrypt key data field if encryption was used;
1302 * even though MAC address KDE is not normally encrypted,
1303 * supplicant is allowed to encrypt it.
1304 */
a0bf1b68 1305 if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1306 if (wpa_receive_error_report(
1307 wpa_auth, sm,
1308 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1309 return; /* STA entry was removed */
6fc6879b
JM		 1310 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1311 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1312 "received EAPOL-Key Request for new "
1313 "4-Way Handshake");
1314 wpa_request_new_ptk(sm);
6fc6879b 1315 } else if (key_data_length > 0 &&
5e3b5197
JM		 1316 wpa_parse_kde_ies(key_data, key_data_length,
1317 &kde) == 0 &&
6fc6879b
JM		 1318 kde.mac_addr) {
1319 } else {
1320 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1321 "received EAPOL-Key Request for GTK "
1322 "rekeying");
6fc6879b
JM		 1323 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1324 wpa_rekey_gtk(wpa_auth, NULL);
1325 }
1326 } else {
68921e24
JM		 1327 /* Do not allow the same key replay counter to be reused. */
1328 wpa_replay_counter_mark_invalid(sm->key_replay,
1329 key->replay_counter);
1330
1331 if (msg == PAIRWISE_2) {
1332 /*
1333 * Maintain a copy of the pending EAPOL-Key frames in
1334 * case the EAPOL-Key frame was retransmitted. This is
1335 * needed to allow EAPOL-Key msg 2/4 reply to another
1336 * pending msg 1/4 to update the SNonce to work around
1337 * unexpected supplicant behavior.
1338 */
1339 os_memcpy(sm->prev_key_replay, sm->key_replay,
1340 sizeof(sm->key_replay));
1341 } else {
1342 os_memset(sm->prev_key_replay, 0,
1343 sizeof(sm->prev_key_replay));
1344 }
1345
1346 /*
1347 * Make sure old valid counters are not accepted anymore and
1348 * do not get copied again.
1349 */
1350 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1351 }
1352
6fc6879b 1353 os_free(sm->last_rx_eapol_key);
a1f11e34 1354 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1355 if (sm->last_rx_eapol_key == NULL)
1356 return;
6fc6879b
JM		 1357 sm->last_rx_eapol_key_len = data_len;
1358
0d442aff 1359 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1360 sm->EAPOLKeyReceived = TRUE;
1361 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1362 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1363 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1364 wpa_sm_step(sm);
1365}
1366
1367
3c7302c2
JM		 1368static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1369 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1370{
c6eb3e34 1371 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
5cb9d5c3 1372 u8 *pos;
3c7302c2 1373 int ret = 0;
6fc6879b 1374
5cb9d5c3
JM		 1375 /* GTK = PRF-X(GMK, "Group key expansion",
1376 * AA || GNonce || Time || random data)
1377 * The example described in the IEEE 802.11 standard uses only AA and
1378 * GNonce as inputs here. Add some more entropy since this derivation
1379 * is done only at the Authenticator and as such, does not need to be
1380 * exactly same.
1381 */
c6eb3e34 1382 os_memset(data, 0, sizeof(data));
6fc6879b
JM		 1383 os_memcpy(data, addr, ETH_ALEN);
1384 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1385 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1386 wpa_get_ntp_timestamp(pos);
525923b1
JM		 1387#ifdef TEST_FUZZ
1388 os_memset(pos, 0xef, 8);
1389#endif /* TEST_FUZZ */
5cb9d5c3 1390 pos += 8;
c6eb3e34 1391 if (random_get_bytes(pos, gtk_len) < 0)
3c7302c2 1392 ret = -1;
6fc6879b 1393
c6eb3e34
JM		 1394#ifdef CONFIG_SHA384
1395 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1396 gtk, gtk_len) < 0)
3c7302c2 1397 ret = -1;
c6eb3e34
JM		 1398#else /* CONFIG_SHA384 */
1399#ifdef CONFIG_SHA256
1400 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1401 gtk, gtk_len) < 0)
1402 ret = -1;
1403#else /* CONFIG_SHA256 */
1404 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1405 gtk, gtk_len) < 0)
1406 ret = -1;
1407#endif /* CONFIG_SHA256 */
1408#endif /* CONFIG_SHA384 */
3c7302c2
JM		 1409
1410 return ret;
6fc6879b
JM		 1411}
1412
1413
1414static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1415{
1416 struct wpa_authenticator *wpa_auth = eloop_ctx;
1417 struct wpa_state_machine *sm = timeout_ctx;
1418
e4bf4db9 1419 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1420 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1421 sm->TimeoutEvt = TRUE;
1422 wpa_sm_step(sm);
1423}
1424
1425
1426void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1427 struct wpa_state_machine *sm, int key_info,
1428 const u8 *key_rsc, const u8 *nonce,
1429 const u8 *kde, size_t kde_len,
1430 int keyidx, int encr, int force_version)
1431{
1432 struct ieee802_1x_hdr *hdr;
1433 struct wpa_eapol_key *key;
5e3b5197 1434 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1435 int alg;
1436 int key_data_len, pad_len = 0;
1437 u8 *buf, *pos;
1438 int version, pairwise;
22a299ee 1439 int i;
6d014ffc 1440 u8 *key_mic, *key_data;
6fc6879b 1441
567da5bb 1442 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 1443 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1444
1445 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1446
1447 if (force_version)
1448 version = force_version;
4bc801ab 1449 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
a14896e8 1450 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
4bc801ab 1451 else if (wpa_use_cmac(sm->wpa_key_mgmt))
6fc6879b 1452 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1453 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1454 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1455 else
1456 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1457
8543ed8a 1458 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1459
1460 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1461 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1462 "encr=%d)",
1463 version,
1464 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1465 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1466 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1467 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1468 pairwise, (unsigned long) kde_len, keyidx, encr);
1469
1470 key_data_len = kde_len;
1471
1472 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
4bc801ab 1473 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1474 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1475 pad_len = key_data_len % 8;
1476 if (pad_len)
1477 pad_len = 8 - pad_len;
1478 key_data_len += pad_len + 8;
1479 }
1480
1481 len += key_data_len;
b729fd8d
JM		 1482 if (!mic_len && encr)
1483 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1484
1485 hdr = os_zalloc(len);
1486 if (hdr == NULL)
1487 return;
1488 hdr->version = wpa_auth->conf.eapol_version;
1489 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1490 hdr->length = host_to_be16(len - sizeof(*hdr));
1491 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1492 key_mic = (u8 *) (key + 1);
5e3b5197 1493 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1494
1495 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1496 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1497 key_info |= version;
1498 if (encr && sm->wpa == WPA_VERSION_WPA2)
1499 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1500 if (sm->wpa != WPA_VERSION_WPA2)
1501 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1502 WPA_PUT_BE16(key->key_info, key_info);
1503
1504 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
a0bf1b68 1505 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
6fc6879b 1506 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1507 else
1508 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b 1509
22a299ee
JM		 1510 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1511 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1512 os_memcpy(sm->key_replay[i].counter,
1513 sm->key_replay[i - 1].counter,
1514 WPA_REPLAY_COUNTER_LEN);
1515 }
1516 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1517 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1518 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1519 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1520 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1521 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1522
1523 if (nonce)
1524 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1525
1526 if (key_rsc)
1527 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1528
1529 if (kde && !encr) {
5e3b5197 1530 os_memcpy(key_data, kde, kde_len);
6d014ffc 1531 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d 1532#ifdef CONFIG_FILS
c05f96a3 1533 } else if (!mic_len && kde) {
b729fd8d
JM		 1534 const u8 *aad[1];
1535 size_t aad_len[1];
1536
1537 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1538 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1539 kde, kde_len);
1540
1541 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1542 sm->PTK.kek, sm->PTK.kek_len);
1543 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1544 * to Key Data (exclusive). */
1545 aad[0] = (u8 *) hdr;
1546 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1547 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1548 1, aad, aad_len, key_mic + 2) < 0) {
1549 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1550 return;
1551 }
1552
1553 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1554 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1555#endif /* CONFIG_FILS */
6fc6879b
JM		 1556 } else if (encr && kde) {
1557 buf = os_zalloc(key_data_len);
1558 if (buf == NULL) {
1559 os_free(hdr);
1560 return;
1561 }
1562 pos = buf;
1563 os_memcpy(pos, kde, kde_len);
1564 pos += kde_len;
1565
1566 if (pad_len)
1567 *pos++ = 0xdd;
1568
1569 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1570 buf, key_data_len);
1571 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
4bc801ab 1572 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
6fc6879b 1573 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1574 wpa_printf(MSG_DEBUG,
1575 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1576 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1577 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1578 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1579 os_free(hdr);
1580 os_free(buf);
1581 return;
1582 }
6d014ffc 1583 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1584#ifndef CONFIG_NO_RC4
98cd3d1c 1585 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1586 u8 ek[32];
ef9627cb
JM		 1587
1588 wpa_printf(MSG_DEBUG,
1589 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1590 os_memcpy(key->key_iv,
1591 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1592 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1593 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1594 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1595 os_memcpy(key_data, buf, key_data_len);
1596 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1597 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1598#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1599 } else {
1600 os_free(hdr);
1601 os_free(buf);
1602 return;
6fc6879b
JM		 1603 }
1604 os_free(buf);
1605 }
1606
1607 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1608 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1609 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1610 "PTK not valid when sending EAPOL-Key "
1611 "frame");
1612 os_free(hdr);
1613 return;
1614 }
5e3b5197 1615
beae255a
JM		 1616 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1617 sm->wpa_key_mgmt, version,
1618 (u8 *) hdr, len, key_mic) < 0) {
1619 os_free(hdr);
1620 return;
1621 }
7af092a0
JB		 1622#ifdef CONFIG_TESTING_OPTIONS
1623 if (!pairwise &&
06df2aa6 1624 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1625 drand48() <
1626 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1627 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1628 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1629 key_mic[0]++;
7af092a0
JB		 1630 }
1631#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1632 }
1633
1634 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1635 1);
1636 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1637 sm->pairwise_set);
1638 os_free(hdr);
1639}
1640
1641
1642static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1643 struct wpa_state_machine *sm, int key_info,
1644 const u8 *key_rsc, const u8 *nonce,
1645 const u8 *kde, size_t kde_len,
1646 int keyidx, int encr)
1647{
1648 int timeout_ms;
1649 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1650 u32 ctr;
6fc6879b
JM		 1651
1652 if (sm == NULL)
1653 return;
1654
1655 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1656 keyidx, encr, 0);
1657
bae61562 1658 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1659 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1660 timeout_ms = pairwise ? eapol_key_timeout_first :
1661 eapol_key_timeout_first_group;
bae61562
JM		 1662 else
1663 timeout_ms = eapol_key_timeout_subseq;
6f234c1e
JM		 1664 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1665 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1666 timeout_ms = eapol_key_timeout_no_retrans;
e4bf4db9
JM		 1667 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1668 sm->pending_1_of_4_timeout = 1;
525923b1
JM		 1669#ifdef TEST_FUZZ
1670 timeout_ms = 1;
1671#endif /* TEST_FUZZ */
e4bf4db9 1672 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1673 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1674 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1675 wpa_send_eapol_timeout, wpa_auth, sm);
1676}
1677
1678
567da5bb
JM		 1679static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1680 u8 *data, size_t data_len)
6fc6879b
JM		 1681{
1682 struct ieee802_1x_hdr *hdr;
1683 struct wpa_eapol_key *key;
1684 u16 key_info;
1685 int ret = 0;
6d014ffc 1686 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
567da5bb 1687 size_t mic_len = wpa_mic_len(akmp, pmk_len);
6fc6879b
JM		 1688
1689 if (data_len < sizeof(*hdr) + sizeof(*key))
1690 return -1;
1691
1692 hdr = (struct ieee802_1x_hdr *) data;
1693 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1694 mic_pos = (u8 *) (key + 1);
6fc6879b 1695 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1696 os_memcpy(mic, mic_pos, mic_len);
1697 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1698 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1699 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1700 data, data_len, mic_pos) ||
1701 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1702 ret = -1;
6d014ffc 1703 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1704 return ret;
1705}
1706
1707
1708void wpa_remove_ptk(struct wpa_state_machine *sm)
1709{
1710 sm->PTK_valid = FALSE;
1711 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1712 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1713 0))
1714 wpa_printf(MSG_DEBUG,
1715 "RSN: PTK removal from the driver failed");
6fc6879b 1716 sm->pairwise_set = FALSE;
581a8cde 1717 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1718}
1719
1720
bb119228 1721int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1722{
5d22a1d5
JM		 1723 int remove_ptk = 1;
1724
6fc6879b 1725 if (sm == NULL)
6f9b5d16 1726 return -1;
6fc6879b
JM		 1727
1728 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1729 "event %d notification", event);
1730
1731 switch (event) {
1732 case WPA_AUTH:
c50d94f1
BC		 1733#ifdef CONFIG_MESH
1734 /* PTKs are derived through AMPE */
1735 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1736 /* not mesh */
1737 break;
1738 }
1739 return 0;
1740#endif /* CONFIG_MESH */
6fc6879b
JM		 1741 case WPA_ASSOC:
1742 break;
1743 case WPA_DEAUTH:
1744 case WPA_DISASSOC:
1745 sm->DeauthenticationRequest = TRUE;
1746 break;
1747 case WPA_REAUTH:
1748 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1749 if (!sm->started) {
1750 /*
1751 * When using WPS, we may end up here if the STA
1752 * manages to re-associate without the previous STA
1753 * entry getting removed. Consequently, we need to make
1754 * sure that the WPA state machines gets initialized
1755 * properly at this point.
1756 */
1757 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1758 "started - initialize now");
1759 sm->started = 1;
1760 sm->Init = TRUE;
1761 if (wpa_sm_step(sm) == 1)
1762 return 1; /* should not really happen */
1763 sm->Init = FALSE;
1764 sm->AuthenticationRequest = TRUE;
1765 break;
1766 }
9663596f
JM		 1767 if (sm->GUpdateStationKeys) {
1768 /*
1769 * Reauthentication cancels the pending group key
1770 * update for this STA.
1771 */
1772 sm->group->GKeyDoneStations--;
1773 sm->GUpdateStationKeys = FALSE;
1774 sm->PtkGroupInit = TRUE;
1775 }
6fc6879b
JM		 1776 sm->ReAuthenticationRequest = TRUE;
1777 break;
1778 case WPA_ASSOC_FT:
4ec1fd8e 1779#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1780 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1781 "after association");
1782 wpa_ft_install_ptk(sm);
1783
6fc6879b
JM		 1784 /* Using FT protocol, not WPA auth state machine */
1785 sm->ft_completed = 1;
6f9b5d16 1786 return 0;
4ec1fd8e 1787#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1788 break;
4ec1fd8e 1789#endif /* CONFIG_IEEE80211R_AP */
957bff83
JM		 1790 case WPA_ASSOC_FILS:
1791#ifdef CONFIG_FILS
1792 wpa_printf(MSG_DEBUG,
1793 "FILS: TK configuration after association");
1794 fils_set_tk(sm);
1795 sm->fils_completed = 1;
1796 return 0;
1797#else /* CONFIG_FILS */
1798 break;
1799#endif /* CONFIG_FILS */
0e3bd7ac
MV		 1800 case WPA_DRV_STA_REMOVED:
1801 sm->tk_already_set = FALSE;
1802 return 0;
6fc6879b
JM		 1803 }
1804
4ec1fd8e 1805#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1806 sm->ft_completed = 0;
4ec1fd8e 1807#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1808
5d22a1d5
JM		 1809#ifdef CONFIG_IEEE80211W
1810 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1811 remove_ptk = 0;
1812#endif /* CONFIG_IEEE80211W */
78815f3d 1813#ifdef CONFIG_FILS
da24c5aa
JM		 1814 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1815 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1816 remove_ptk = 0;
1817#endif /* CONFIG_FILS */
6fc6879b 1818
5d22a1d5
JM		 1819 if (remove_ptk) {
1820 sm->PTK_valid = FALSE;
1821 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1822
1823 if (event != WPA_REAUTH_EAPOL)
1824 wpa_remove_ptk(sm);
1825 }
6fc6879b 1826
43f49c37
JM		 1827 if (sm->in_step_loop) {
1828 /*
1829 * wpa_sm_step() is already running - avoid recursive call to
1830 * it by making the existing loop process the new update.
1831 */
1832 sm->changed = TRUE;
1833 return 0;
1834 }
6f9b5d16 1835 return wpa_sm_step(sm);
6fc6879b
JM		 1836}
1837
1838
6fc6879b
JM		 1839SM_STATE(WPA_PTK, INITIALIZE)
1840{
1841 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1842 if (sm->Init) {
1843 /* Init flag is not cleared here, so avoid busy
1844 * loop by claiming nothing changed. */
1845 sm->changed = FALSE;
1846 }
1847
1848 sm->keycount = 0;
1849 if (sm->GUpdateStationKeys)
1850 sm->group->GKeyDoneStations--;
1851 sm->GUpdateStationKeys = FALSE;
1852 if (sm->wpa == WPA_VERSION_WPA)
1853 sm->PInitAKeys = FALSE;
1854 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1855 * Local AA > Remote AA)) */) {
1856 sm->Pair = TRUE;
1857 }
1858 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1859 wpa_remove_ptk(sm);
1860 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1861 sm->TimeoutCtr = 0;
a1ea1b45 1862 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 1863 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 1864 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1865 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1866 WPA_EAPOL_authorized, 0);
1867 }
1868}
1869
1870
1871SM_STATE(WPA_PTK, DISCONNECT)
1872{
567da5bb
JM		 1873 u16 reason = sm->disconnect_reason;
1874
6fc6879b
JM		 1875 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1876 sm->Disconnect = FALSE;
567da5bb
JM		 1877 sm->disconnect_reason = 0;
1878 if (!reason)
1879 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1880 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
6fc6879b
JM		 1881}
1882
1883
1884SM_STATE(WPA_PTK, DISCONNECTED)
1885{
1886 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1887 sm->DeauthenticationRequest = FALSE;
1888}
1889
1890
1891SM_STATE(WPA_PTK, AUTHENTICATION)
1892{
1893 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1894 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1895 sm->PTK_valid = FALSE;
1896 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1897 1);
1898 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1899 sm->AuthenticationRequest = FALSE;
1900}
1901
1902
40d00d2b
NC		 1903static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1904 struct wpa_group *group)
1bdb7ab3 1905{
40d00d2b
NC		 1906 if (group->first_sta_seen)
1907 return;
1bdb7ab3
JM		 1908 /*
1909 * System has run bit further than at the time hostapd was started
1910 * potentially very early during boot up. This provides better chances
1911 * of collecting more randomness on embedded systems. Re-initialize the
1912 * GMK and Counter here to improve their strength if there was not
1913 * enough entropy available immediately after system startup.
1914 */
1915 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1916 "station");
08704cd8
JM		 1917 if (random_pool_ready() != 1) {
1918 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1919 "to proceed - reject first 4-way handshake");
1920 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1921 } else {
1922 group->first_sta_seen = TRUE;
1923 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1924 }
40d00d2b 1925
aac1efec
JM		 1926 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1927 wpa_gtk_update(wpa_auth, group) < 0 ||
1928 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1929 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1930 group->first_sta_seen = FALSE;
1931 group->reject_4way_hs_for_entropy = TRUE;
1932 }
1bdb7ab3
JM		 1933}
1934
1935
6fc6879b
JM		 1936SM_STATE(WPA_PTK, AUTHENTICATION2)
1937{
1938 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1939
40d00d2b 1940 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1941 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1942
3825a19b
JM		 1943 /*
1944 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1945 * ambiguous. The Authenticator state machine uses a counter that is
1946 * incremented by one for each 4-way handshake. However, the security
1947 * analysis of 4-way handshake points out that unpredictable nonces
1948 * help in preventing precomputation attacks. Instead of the state
1949 * machine definition, use an unpredictable nonce value here to provide
1950 * stronger protection against potential precomputation attacks.
1951 */
1952 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1953 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1954 "ANonce.");
65a32cdb 1955 sm->Disconnect = TRUE;
3825a19b
JM		 1956 return;
1957 }
bc8318ac
JM		 1958 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1959 WPA_NONCE_LEN);
6fc6879b
JM		 1960 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1961 * logical place than INITIALIZE since AUTHENTICATION2 can be
1962 * re-entered on ReAuthenticationRequest without going through
1963 * INITIALIZE. */
1964 sm->TimeoutCtr = 0;
1965}
1966
1967
0adc9b28
JM		 1968static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
1969{
1970 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1971 wpa_printf(MSG_ERROR,
1972 "WPA: Failed to get random data for ANonce");
1973 sm->Disconnect = TRUE;
1974 return -1;
1975 }
1976 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
1977 WPA_NONCE_LEN);
1978 sm->TimeoutCtr = 0;
1979 return 0;
1980}
1981
1982
6fc6879b
JM		 1983SM_STATE(WPA_PTK, INITPMK)
1984{
1985 u8 msk[2 * PMK_LEN];
1986 size_t len = 2 * PMK_LEN;
1987
1988 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1989#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1990 sm->xxkey_len = 0;
4ec1fd8e 1991#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1992 if (sm->pmksa) {
1993 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1994 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1995 sm->pmk_len = sm->pmksa->pmk_len;
567da5bb
JM		 1996#ifdef CONFIG_DPP
1997 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1998 wpa_printf(MSG_DEBUG,
1999 "DPP: No PMKSA cache entry for STA - reject connection");
2000 sm->Disconnect = TRUE;
2001 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2002 return;
2003#endif /* CONFIG_DPP */
6fc6879b 2004 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 2005 unsigned int pmk_len;
2006
834c5d68 2007 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 2008 pmk_len = PMK_LEN_SUITE_B_192;
2009 else
2010 pmk_len = PMK_LEN;
6fc6879b 2011 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 2012 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
2013 pmk_len);
2014 if (len < pmk_len) {
2015 wpa_printf(MSG_DEBUG,
2016 "WPA: MSK not long enough (%u) to create PMK (%u)",
2017 (unsigned int) len, (unsigned int) pmk_len);
2018 sm->Disconnect = TRUE;
2019 return;
2020 }
2021 os_memcpy(sm->PMK, msk, pmk_len);
2022 sm->pmk_len = pmk_len;
4ec1fd8e 2023#ifdef CONFIG_IEEE80211R_AP
6fc6879b 2024 if (len >= 2 * PMK_LEN) {
9f12271b
JM		 2025 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2026 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2027 sm->xxkey_len = SHA384_MAC_LEN;
2028 } else {
2029 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2030 sm->xxkey_len = PMK_LEN;
2031 }
6fc6879b 2032 }
4ec1fd8e 2033#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2034 } else {
400de9b1 2035 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 2036 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 2037 sm->Disconnect = TRUE;
2038 return;
6fc6879b 2039 }
40aaa64f 2040 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 2041
2042 sm->req_replay_counter_used = 0;
2043 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2044 * will break reauthentication since EAPOL state machines may not be
2045 * get into AUTHENTICATING state that clears keyRun before WPA state
2046 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2047 * state and takes PMK from the previously used AAA Key. This will
2048 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2049 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2050 * be good workaround for this issue. */
2051 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2052}
2053
2054
2055SM_STATE(WPA_PTK, INITPSK)
2056{
2057 const u8 *psk;
7a12edd1
JM		 2058 size_t psk_len;
2059
6fc6879b 2060 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
7a12edd1 2061 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
dbfa691d 2062 &psk_len, NULL);
6fc6879b 2063 if (psk) {
7a12edd1
JM		 2064 os_memcpy(sm->PMK, psk, psk_len);
2065 sm->pmk_len = psk_len;
4ec1fd8e 2066#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 2067 os_memcpy(sm->xxkey, psk, PMK_LEN);
2068 sm->xxkey_len = PMK_LEN;
4ec1fd8e 2069#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2070 }
e61fea6b
JM		 2071#ifdef CONFIG_SAE
2072 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2073 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2074 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2075 sm->pmk_len = sm->pmksa->pmk_len;
6fe3f0f7 2076#ifdef CONFIG_IEEE80211R_AP
2077 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2078 sm->xxkey_len = sm->pmksa->pmk_len;
2079#endif /* CONFIG_IEEE80211R_AP */
e61fea6b
JM		 2080 }
2081#endif /* CONFIG_SAE */
6fc6879b
JM		 2082 sm->req_replay_counter_used = 0;
2083}
2084
2085
2086SM_STATE(WPA_PTK, PTKSTART)
2087{
2088 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2089 size_t pmkid_len = 0;
2090
2091 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2092 sm->PTKRequest = FALSE;
2093 sm->TimeoutEvt = FALSE;
f23c5b17 2094 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2095
2096 sm->TimeoutCtr++;
41f140d3 2097 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2098 /* No point in sending the EAPOL-Key - we will disconnect
2099 * immediately following this. */
2100 return;
2101 }
2102
6fc6879b
JM		 2103 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2104 "sending 1/4 msg of 4-Way Handshake");
2105 /*
c6e1a9a0
JM		 2106 * For infrastructure BSS cases, it is better for the AP not to include
2107 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2108 * offline search for the passphrase/PSK without having to be able to
2109 * capture a 4-way handshake from a STA that has access to the network.
2110 *
2111 * For IBSS cases, addition of PMKID KDE could be considered even with
2112 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2113 * possible PSK for this STA. However, this should not be done unless
2114 * there is support for using that information on the supplicant side.
2115 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2116 * cases would also apply here, but at least in the IBSS case, this
2117 * would cover a potential real use case.
6fc6879b
JM		 2118 */
2119 if (sm->wpa == WPA_VERSION_WPA2 &&
e61fea6b 2120 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
d90f10fa 2121 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
e61fea6b 2122 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
a14896e8 2123 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2124 pmkid = buf;
2125 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2126 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2127 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2128 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2129 if (sm->pmksa) {
9d94e4bb
JM		 2130 wpa_hexdump(MSG_DEBUG,
2131 "RSN: Message 1/4 PMKID from PMKSA entry",
2132 sm->pmksa->pmkid, PMKID_LEN);
6fc6879b
JM		 2133 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2134 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2135 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2136 /* No KCK available to derive PMKID */
9d94e4bb
JM		 2137 wpa_printf(MSG_DEBUG,
2138 "RSN: No KCK available to derive PMKID for message 1/4");
929a2ea5 2139 pmkid = NULL;
a40bd06e
JM		 2140#ifdef CONFIG_FILS
2141 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2142 if (sm->pmkid_set) {
2143 wpa_hexdump(MSG_DEBUG,
2144 "RSN: Message 1/4 PMKID from FILS/ERP",
2145 sm->pmkid, PMKID_LEN);
2146 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2147 sm->pmkid, PMKID_LEN);
2148 } else {
2149 /* No PMKID available */
2150 wpa_printf(MSG_DEBUG,
2151 "RSN: No FILS/ERP PMKID available for message 1/4");
2152 pmkid = NULL;
2153 }
2154#endif /* CONFIG_FILS */
9d94e4bb
JM		 2155#ifdef CONFIG_SAE
2156 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2157 if (sm->pmkid_set) {
2158 wpa_hexdump(MSG_DEBUG,
2159 "RSN: Message 1/4 PMKID from SAE",
2160 sm->pmkid, PMKID_LEN);
2161 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2162 sm->pmkid, PMKID_LEN);
2163 } else {
2164 /* No PMKID available */
2165 wpa_printf(MSG_DEBUG,
2166 "RSN: No SAE PMKID available for message 1/4");
2167 pmkid = NULL;
2168 }
2169#endif /* CONFIG_SAE */
929a2ea5 2170 } else {
6fc6879b
JM		 2171 /*
2172 * Calculate PMKID since no PMKSA cache entry was
2173 * available with pre-calculated PMKID.
2174 */
207976f0 2175 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197 2176 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
41b81914 2177 sm->wpa_key_mgmt);
9d94e4bb
JM		 2178 wpa_hexdump(MSG_DEBUG,
2179 "RSN: Message 1/4 PMKID derived from PMK",
2180 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
6fc6879b
JM		 2181 }
2182 }
2183 wpa_send_eapol(sm->wpa_auth, sm,
2184 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2185 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2186}
2187
2188
f23c5b17 2189static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2190 const u8 *pmk, unsigned int pmk_len,
2191 struct wpa_ptk *ptk)
6fc6879b 2192{
10ec6a5f
JM		 2193 const u8 *z = NULL;
2194 size_t z_len = 0;
2195
4ec1fd8e 2196#ifdef CONFIG_IEEE80211R_AP
56586197 2197 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2198 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2199#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2200
10ec6a5f
JM		 2201#ifdef CONFIG_DPP2
2202 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2203 z = wpabuf_head(sm->dpp_z);
2204 z_len = wpabuf_len(sm->dpp_z);
2205 }
2206#endif /* CONFIG_DPP2 */
2207
207976f0 2208 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c 2209 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
10ec6a5f 2210 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len);
6fc6879b
JM		 2211}
2212
2213
3b5b7aa8 2214#ifdef CONFIG_FILS
c4fd6d8a
JM		 2215
2216int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
80ddf5d9 2217 size_t pmk_len, const u8 *snonce, const u8 *anonce,
4cada9dc 2218 const u8 *dhss, size_t dhss_len,
80ddf5d9 2219 struct wpabuf *g_sta, struct wpabuf *g_ap)
c4fd6d8a
JM		 2220{
2221 u8 ick[FILS_ICK_MAX_LEN];
2222 size_t ick_len;
2223 int res;
8fed47e0
JM		 2224 u8 fils_ft[FILS_FT_MAX_LEN];
2225 size_t fils_ft_len = 0;
c4fd6d8a
JM		 2226
2227 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
4cada9dc
JM		 2228 snonce, anonce, dhss, dhss_len,
2229 &sm->PTK, ick, &ick_len,
8fed47e0
JM		 2230 sm->wpa_key_mgmt, sm->pairwise,
2231 fils_ft, &fils_ft_len);
c4fd6d8a
JM		 2232 if (res < 0)
2233 return res;
2234 sm->PTK_valid = TRUE;
2f1357fb 2235 sm->tk_already_set = FALSE;
c4fd6d8a 2236
8fed47e0
JM		 2237#ifdef CONFIG_IEEE80211R_AP
2238 if (fils_ft_len) {
2239 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2240 struct wpa_auth_config *conf = &wpa_auth->conf;
994eac7e
JM		 2241 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2242 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
2243 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
8fed47e0
JM		 2244
2245 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2246 conf->ssid, conf->ssid_len,
2247 conf->mobility_domain,
2248 conf->r0_key_holder,
2249 conf->r0_key_holder_len,
994eac7e
JM		 2250 sm->addr, pmk_r0, pmk_r0_name,
2251 use_sha384) < 0)
8fed47e0
JM		 2252 return -1;
2253
994eac7e
JM		 2254 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
2255 pmk_r0, pmk_r0_len);
8fed47e0
JM		 2256 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2257 pmk_r0_name, WPA_PMK_NAME_LEN);
89dea17e 2258 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
8fed47e0 2259 os_memset(fils_ft, 0, sizeof(fils_ft));
36536639
JM		 2260
2261 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
2262 sm->addr, sm->pmk_r1_name,
2263 use_sha384);
2264 os_memset(pmk_r0, 0, PMK_LEN_MAX);
2265 if (res < 0)
2266 return -1;
2267 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
2268 WPA_PMK_NAME_LEN);
2269 sm->pmk_r1_name_valid = 1;
8fed47e0
JM		 2270 }
2271#endif /* CONFIG_IEEE80211R_AP */
2272
c4fd6d8a
JM		 2273 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2274 sm->addr, sm->wpa_auth->addr,
80ddf5d9
JM		 2275 g_sta ? wpabuf_head(g_sta) : NULL,
2276 g_sta ? wpabuf_len(g_sta) : 0,
2277 g_ap ? wpabuf_head(g_ap) : NULL,
2278 g_ap ? wpabuf_len(g_ap) : 0,
c4fd6d8a
JM		 2279 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2280 sm->fils_key_auth_ap,
2281 &sm->fils_key_auth_len);
2282 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2283
2284 /* Store nonces for (Re)Association Request/Response frame processing */
2285 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2286 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2287
c4fd6d8a
JM		 2288 return res;
2289}
2290
2291
3b5b7aa8 2292static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2293 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2294{
2295 struct ieee802_1x_hdr *hdr;
2296 struct wpa_eapol_key *key;
2297 u8 *pos;
2298 u16 key_data_len;
2299 u8 *tmp;
2300 const u8 *aad[1];
2301 size_t aad_len[1];
2302
75c8563e 2303 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2304 key = (struct wpa_eapol_key *) (hdr + 1);
2305 pos = (u8 *) (key + 1);
2306 key_data_len = WPA_GET_BE16(pos);
2307 if (key_data_len < AES_BLOCK_SIZE ||
2308 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2309 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2310 "No room for AES-SIV data in the frame");
2311 return -1;
2312 }
2313 pos += 2; /* Pointing at the Encrypted Key Data field */
2314
2315 tmp = os_malloc(key_data_len);
2316 if (!tmp)
2317 return -1;
2318
2319 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2320 * to Key Data (exclusive). */
75c8563e
JM		 2321 aad[0] = buf;
2322 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2323 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2324 1, aad, aad_len, tmp) < 0) {
2325 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2326 "Invalid AES-SIV data in the frame");
2327 bin_clear_free(tmp, key_data_len);
2328 return -1;
2329 }
2330
2331 /* AEAD decryption and validation completed successfully */
2332 key_data_len -= AES_BLOCK_SIZE;
2333 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2334 tmp, key_data_len);
2335
2336 /* Replace Key Data field with the decrypted version */
2337 os_memcpy(pos, tmp, key_data_len);
2338 pos -= 2; /* Key Data Length field */
2339 WPA_PUT_BE16(pos, key_data_len);
2340 bin_clear_free(tmp, key_data_len);
2341 if (_key_data_len)
2342 *_key_data_len = key_data_len;
2343 return 0;
2344}
78815f3d
JM		 2345
2346
087631b9
JM		 2347const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2348 const u8 *ies, size_t ies_len,
2349 const u8 *fils_session)
2350{
2351 const u8 *ie, *end;
2352 const u8 *session = NULL;
2353
2354 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2355 wpa_printf(MSG_DEBUG,
2356 "FILS: Not a FILS AKM - reject association");
2357 return NULL;
2358 }
2359
2360 /* Verify Session element */
2361 ie = ies;
2362 end = ((const u8 *) ie) + ies_len;
2363 while (ie + 1 < end) {
2364 if (ie + 2 + ie[1] > end)
2365 break;
2366 if (ie[0] == WLAN_EID_EXTENSION &&
2367 ie[1] >= 1 + FILS_SESSION_LEN &&
2368 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2369 session = ie;
2370 break;
2371 }
2372 ie += 2 + ie[1];
2373 }
2374
2375 if (!session) {
2376 wpa_printf(MSG_DEBUG,
2377 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2378 __func__);
2379 return NULL;
2380 }
2381
2382 if (!fils_session) {
2383 wpa_printf(MSG_DEBUG,
2384 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2385 __func__);
2386 return NULL;
2387 }
2388
2389 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2390 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2391 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2392 fils_session, FILS_SESSION_LEN);
2393 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2394 session + 3, FILS_SESSION_LEN);
2395 return NULL;
2396 }
2397 return session;
2398}
2399
2400
bd599353
JM		 2401int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2402 size_t ies_len)
2403{
2404 struct ieee802_11_elems elems;
2405
2406 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2407 wpa_printf(MSG_DEBUG,
2408 "FILS: Failed to parse decrypted elements");
2409 return -1;
2410 }
2411
8b5ddda5
JM		 2412 if (!elems.fils_session) {
2413 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2414 return -1;
2415 }
2416
bd599353
JM		 2417 if (!elems.fils_key_confirm) {
2418 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2419 return -1;
2420 }
2421
2422 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2423 wpa_printf(MSG_DEBUG,
2424 "FILS: Unexpected Key-Auth length %d (expected %d)",
2425 elems.fils_key_confirm_len,
2426 (int) sm->fils_key_auth_len);
2427 return -1;
2428 }
2429
2430 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2431 sm->fils_key_auth_len) != 0) {
2432 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2433 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2434 elems.fils_key_confirm, elems.fils_key_confirm_len);
2435 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2436 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2437 return -1;
2438 }
2439
2440 return 0;
2441}
2442
2443
78815f3d
JM		 2444int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2445 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2446 u8 *pos, size_t left)
2447{
2448 u16 fc, stype;
2449 const u8 *end, *ie_start, *ie, *session, *crypt;
78815f3d
JM		 2450 const u8 *aad[5];
2451 size_t aad_len[5];
2452
2453 if (!sm || !sm->PTK_valid) {
2454 wpa_printf(MSG_DEBUG,
2455 "FILS: No KEK to decrypt Assocication Request frame");
2456 return -1;
2457 }
2458
2459 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2460 wpa_printf(MSG_DEBUG,
2461 "FILS: Not a FILS AKM - reject association");
2462 return -1;
2463 }
2464
2465 end = ((const u8 *) mgmt) + frame_len;
2466 fc = le_to_host16(mgmt->frame_control);
2467 stype = WLAN_FC_GET_STYPE(fc);
2468 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2469 ie_start = mgmt->u.reassoc_req.variable;
2470 else
2471 ie_start = mgmt->u.assoc_req.variable;
2472 ie = ie_start;
2473
2474 /*
2475 * Find FILS Session element which is the last unencrypted element in
2476 * the frame.
2477 */
087631b9
JM		 2478 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2479 fils_session);
78815f3d 2480 if (!session) {
087631b9 2481 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
78815f3d
JM		 2482 return -1;
2483 }
087631b9 2484
78815f3d
JM		 2485 crypt = session + 2 + session[1];
2486
2487 if (end - crypt < AES_BLOCK_SIZE) {
2488 wpa_printf(MSG_DEBUG,
2489 "FILS: Too short frame to include AES-SIV data");
2490 return -1;
2491 }
2492
2493 /* AES-SIV AAD vectors */
2494
2495 /* The STA's MAC address */
2496 aad[0] = mgmt->sa;
2497 aad_len[0] = ETH_ALEN;
2498 /* The AP's BSSID */
2499 aad[1] = mgmt->da;
2500 aad_len[1] = ETH_ALEN;
2501 /* The STA's nonce */
2502 aad[2] = sm->SNonce;
2503 aad_len[2] = FILS_NONCE_LEN;
2504 /* The AP's nonce */
2505 aad[3] = sm->ANonce;
2506 aad_len[3] = FILS_NONCE_LEN;
2507 /*
2508 * The (Re)Association Request frame from the Capability Information
2509 * field to the FILS Session element (both inclusive).
2510 */
2511 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2512 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2513
2514 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2515 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2516 wpa_printf(MSG_DEBUG,
2517 "FILS: Invalid AES-SIV data in the frame");
2518 return -1;
2519 }
2520 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2521 pos, left - AES_BLOCK_SIZE);
2522
bd599353
JM		 2523 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2524 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
78815f3d
JM		 2525 return -1;
2526 }
2527
2528 return left - AES_BLOCK_SIZE;
2529}
2530
e73ffa09
JM		 2531
2532int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2533 size_t current_len, size_t max_len,
2534 const struct wpabuf *hlp)
e73ffa09
JM		 2535{
2536 u8 *end = buf + max_len;
2537 u8 *pos = buf + current_len;
2538 struct ieee80211_mgmt *mgmt;
2539 struct wpabuf *plain;
e73ffa09
JM		 2540 const u8 *aad[5];
2541 size_t aad_len[5];
2542
2543 if (!sm || !sm->PTK_valid)
2544 return -1;
2545
2546 wpa_hexdump(MSG_DEBUG,
2547 "FILS: Association Response frame before FILS processing",
2548 buf, current_len);
2549
2550 mgmt = (struct ieee80211_mgmt *) buf;
2551
2552 /* AES-SIV AAD vectors */
2553
2554 /* The AP's BSSID */
2555 aad[0] = mgmt->sa;
2556 aad_len[0] = ETH_ALEN;
2557 /* The STA's MAC address */
2558 aad[1] = mgmt->da;
2559 aad_len[1] = ETH_ALEN;
2560 /* The AP's nonce */
2561 aad[2] = sm->ANonce;
2562 aad_len[2] = FILS_NONCE_LEN;
2563 /* The STA's nonce */
2564 aad[3] = sm->SNonce;
2565 aad_len[3] = FILS_NONCE_LEN;
2566 /*
2567 * The (Re)Association Response frame from the Capability Information
2568 * field (the same offset in both Association and Reassociation
2569 * Response frames) to the FILS Session element (both inclusive).
2570 */
2571 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2572 aad_len[4] = pos - aad[4];
2573
2574 /* The following elements will be encrypted with AES-SIV */
9392859d
JM		 2575 plain = fils_prepare_plainbuf(sm, hlp);
2576 if (!plain) {
2577 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2578 return -1;
2579 }
2580
2581 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2582 wpa_printf(MSG_DEBUG,
2583 "FILS: Not enough room for FILS elements");
2584 wpabuf_free(plain);
2585 return -1;
2586 }
2587
2588 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2589 plain);
2590
2591 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2592 wpabuf_head(plain), wpabuf_len(plain),
2593 5, aad, aad_len, pos) < 0) {
2594 wpabuf_free(plain);
2595 return -1;
2596 }
2597
2598 wpa_hexdump(MSG_DEBUG,
2599 "FILS: Encrypted Association Response elements",
2600 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2601 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2602 wpabuf_free(plain);
2603
2604 sm->fils_completed = 1;
2605
2606 return current_len;
2607}
2608
2609
2610static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2611 const struct wpabuf *hlp)
2612{
2613 struct wpabuf *plain;
2614 u8 *len, *tmp, *tmp2;
2615 u8 hdr[2];
2616 u8 *gtk, dummy_gtk[32];
2617 size_t gtk_len;
2618 struct wpa_group *gsm;
e73ffa09
JM		 2619
2620 plain = wpabuf_alloc(1000);
2621 if (!plain)
9392859d 2622 return NULL;
e73ffa09
JM		 2623
2624 /* TODO: FILS Public Key */
2625
2626 /* FILS Key Confirmation */
2627 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2628 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2629 /* Element ID Extension */
2630 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2631 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2632
91d91abf
JM		 2633 /* FILS HLP Container */
2634 if (hlp)
2635 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2636
2637 /* TODO: FILS IP Address Assignment */
2638
2639 /* Key Delivery */
2640 gsm = sm->group;
2641 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2642 len = wpabuf_put(plain, 1);
2643 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2644 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2645 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2646 /* GTK KDE */
2647 gtk = gsm->GTK[gsm->GN - 1];
2648 gtk_len = gsm->GTK_len;
8d660a4b
JM		 2649 if (sm->wpa_auth->conf.disable_gtk ||
2650 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
e73ffa09
JM		 2651 /*
2652 * Provide unique random GTK to each STA to prevent use
2653 * of GTK in the BSS.
2654 */
2655 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2656 wpabuf_free(plain);
9392859d 2657 return NULL;
e73ffa09
JM		 2658 }
2659 gtk = dummy_gtk;
2660 }
2661 hdr[0] = gsm->GN & 0x03;
2662 hdr[1] = 0;
2663 tmp = wpabuf_put(plain, 0);
2664 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2665 gtk, gtk_len);
2666 wpabuf_put(plain, tmp2 - tmp);
2667
2668 /* IGTK KDE */
2669 tmp = wpabuf_put(plain, 0);
2670 tmp2 = ieee80211w_kde_add(sm, tmp);
2671 wpabuf_put(plain, tmp2 - tmp);
2672
2673 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
99621dc1
MV		 2674
2675#ifdef CONFIG_OCV
2676 if (wpa_auth_uses_ocv(sm)) {
2677 struct wpa_channel_info ci;
2678 u8 *pos;
2679
2680 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
2681 wpa_printf(MSG_WARNING,
2682 "FILS: Failed to get channel info for OCI element");
2683 wpabuf_free(plain);
2684 return NULL;
2685 }
2686
2687 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
2688 if (ocv_insert_extended_oci(&ci, pos) < 0) {
2689 wpabuf_free(plain);
2690 return NULL;
2691 }
2692 }
2693#endif /* CONFIG_OCV */
2694
9392859d 2695 return plain;
e73ffa09
JM		 2696}
2697
da24c5aa
JM		 2698
2699int fils_set_tk(struct wpa_state_machine *sm)
2700{
2701 enum wpa_alg alg;
2702 int klen;
2703
2f1357fb
JM		 2704 if (!sm || !sm->PTK_valid) {
2705 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2706 return -1;
2707 }
2708 if (sm->tk_already_set) {
2709 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
da24c5aa 2710 return -1;
2f1357fb 2711 }
da24c5aa
JM		 2712
2713 alg = wpa_cipher_to_alg(sm->pairwise);
2714 klen = wpa_cipher_key_len(sm->pairwise);
2715
2716 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2717 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2718 sm->PTK.tk, klen)) {
2719 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2720 return -1;
2721 }
2f1357fb 2722 sm->tk_already_set = TRUE;
da24c5aa
JM		 2723
2724 return 0;
2725}
2726
fa61bff6
JM		 2727
2728u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
8b5ddda5 2729 const u8 *fils_session, struct wpabuf *hlp)
fa61bff6
JM		 2730{
2731 struct wpabuf *plain;
2732 u8 *pos = buf;
2733
2734 /* FILS Session */
2735 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2736 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2737 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2738 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2739 pos += FILS_SESSION_LEN;
2740
8b5ddda5 2741 plain = fils_prepare_plainbuf(sm, hlp);
fa61bff6
JM		 2742 if (!plain) {
2743 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2744 return NULL;
2745 }
2746
2747 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2748 pos += wpabuf_len(plain);
2749
2750 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2751 (unsigned int) wpabuf_len(plain));
2752 wpabuf_free(plain);
2753 sm->fils_completed = 1;
2754 return pos;
2755}
2756
3b5b7aa8
JM		 2757#endif /* CONFIG_FILS */
2758
2759
1034f67b
MV		 2760#ifdef CONFIG_OCV
2761int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
2762 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
2763{
2764 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2765
2766 if (!wpa_auth->cb->get_sta_tx_params)
2767 return -1;
2768 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
2769 ap_max_chanwidth, ap_seg1_idx,
2770 bandwidth, seg1_idx);
2771}
2772#endif /* CONFIG_OCV */
2773
2774
6fc6879b
JM		 2775SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2776{
3b5b7aa8 2777 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2778 struct wpa_ptk PTK;
2c502460 2779 int ok = 0, psk_found = 0;
6fc6879b 2780 const u8 *pmk = NULL;
7a12edd1 2781 size_t pmk_len;
3b5b7aa8
JM		 2782 int ft;
2783 const u8 *eapol_key_ie, *key_data, *mic;
2784 u16 key_data_length;
2785 size_t mic_len, eapol_key_ie_len;
2786 struct ieee802_1x_hdr *hdr;
2787 struct wpa_eapol_key *key;
2788 struct wpa_eapol_ie_parse kde;
bb05d036 2789 int vlan_id = 0;
6fc6879b
JM		 2790
2791 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2792 sm->EAPOLKeyReceived = FALSE;
68921e24 2793 sm->update_snonce = FALSE;
b729fd8d 2794 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2795
567da5bb 2796 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3b5b7aa8 2797
6fc6879b
JM		 2798 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2799 * WPA-PSK: iterate through possible PSKs and select the one matching
2800 * the packet */
2801 for (;;) {
e61fea6b
JM		 2802 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2803 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
759fd76b 2804 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
dbfa691d
JM		 2805 sm->p2p_dev_addr, pmk, &pmk_len,
2806 &vlan_id);
6fc6879b
JM		 2807 if (pmk == NULL)
2808 break;
2c502460 2809 psk_found = 1;
f9854c18
MK		 2810#ifdef CONFIG_IEEE80211R_AP
2811 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
2812 os_memcpy(sm->xxkey, pmk, pmk_len);
2813 sm->xxkey_len = pmk_len;
2814 }
2815#endif /* CONFIG_IEEE80211R_AP */
207976f0 2816 } else {
6fc6879b 2817 pmk = sm->PMK;
207976f0
JM		 2818 pmk_len = sm->pmk_len;
2819 }
6fc6879b 2820
a40bd06e
JM		 2821 if ((!pmk || !pmk_len) && sm->pmksa) {
2822 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
2823 pmk = sm->pmksa->pmk;
2824 pmk_len = sm->pmksa->pmk_len;
2825 }
2826
364c064a
JM		 2827 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2828 break;
6fc6879b 2829
3b5b7aa8 2830 if (mic_len &&
567da5bb 2831 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
929a2ea5 2832 sm->last_rx_eapol_key,
6fc6879b 2833 sm->last_rx_eapol_key_len) == 0) {
08dc8efd
JM		 2834 if (sm->PMK != pmk) {
2835 os_memcpy(sm->PMK, pmk, pmk_len);
2836 sm->pmk_len = pmk_len;
2837 }
6fc6879b
JM		 2838 ok = 1;
2839 break;
2840 }
2841
3b5b7aa8 2842#ifdef CONFIG_FILS
75c8563e
JM		 2843 if (!mic_len &&
2844 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2845 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2846 ok = 1;
2847 break;
2848 }
2849#endif /* CONFIG_FILS */
2850
f5e0a332
JM		 2851 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2852 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
6fc6879b
JM		 2853 break;
2854 }
2855
2856 if (!ok) {
2857 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2858 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2859 if (psk_found)
2860 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2861 return;
2862 }
2863
3b5b7aa8
JM		 2864 /*
2865 * Note: last_rx_eapol_key length fields have already been validated in
2866 * wpa_receive().
2867 */
2868 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2869 key = (struct wpa_eapol_key *) (hdr + 1);
2870 mic = (u8 *) (key + 1);
2871 key_data = mic + mic_len + 2;
2872 key_data_length = WPA_GET_BE16(mic + mic_len);
2873 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2874 sizeof(*key) - mic_len - 2)
2875 return;
2876
2877 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2878 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2879 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2880 return;
2881 }
2882 if (kde.rsn_ie) {
2883 eapol_key_ie = kde.rsn_ie;
2884 eapol_key_ie_len = kde.rsn_ie_len;
2885 } else if (kde.osen) {
2886 eapol_key_ie = kde.osen;
2887 eapol_key_ie_len = kde.osen_len;
2888 } else {
2889 eapol_key_ie = kde.wpa_ie;
2890 eapol_key_ie_len = kde.wpa_ie_len;
2891 }
2892 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2893 if (sm->wpa_ie == NULL ||
2894 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2895 eapol_key_ie, eapol_key_ie_len)) {
2896 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2897 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2898 if (sm->wpa_ie) {
2899 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2900 sm->wpa_ie, sm->wpa_ie_len);
2901 }
2902 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2903 eapol_key_ie, eapol_key_ie_len);
2904 /* MLME-DEAUTHENTICATE.request */
567da5bb
JM		 2905 wpa_sta_disconnect(wpa_auth, sm->addr,
2906 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2907 return;
2908 }
aed61c4e
MV		 2909#ifdef CONFIG_OCV
2910 if (wpa_auth_uses_ocv(sm)) {
2911 struct wpa_channel_info ci;
2912 int tx_chanwidth;
2913 int tx_seg1_idx;
2914
2915 if (wpa_channel_info(wpa_auth, &ci) != 0) {
2916 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2917 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
2918 return;
2919 }
2920
2921 if (get_sta_tx_parameters(sm,
2922 channel_width_to_int(ci.chanwidth),
2923 ci.seg1_idx, &tx_chanwidth,
2924 &tx_seg1_idx) < 0)
2925 return;
2926
2927 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
2928 tx_chanwidth, tx_seg1_idx) != 0) {
2929 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2930 ocv_errorstr);
2931 return;
2932 }
2933 }
2934#endif /* CONFIG_OCV */
4ec1fd8e 2935#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8 2936 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
567da5bb
JM		 2937 wpa_sta_disconnect(wpa_auth, sm->addr,
2938 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2939 return;
2940 }
4ec1fd8e 2941#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2942#ifdef CONFIG_P2P
2943 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2944 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2945 int idx;
2946 wpa_printf(MSG_DEBUG,
2947 "P2P: IP address requested in EAPOL-Key exchange");
2948 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2949 if (idx >= 0) {
2950 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2951 bitfield_set(wpa_auth->ip_pool, idx);
2952 WPA_PUT_BE32(sm->ip_addr, start + idx);
2953 wpa_printf(MSG_DEBUG,
2954 "P2P: Assigned IP address %u.%u.%u.%u to "
2955 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2956 sm->ip_addr[2], sm->ip_addr[3],
2957 MAC2STR(sm->addr));
2958 }
2959 }
2960#endif /* CONFIG_P2P */
2961
4ec1fd8e 2962#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2963 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2964 /*
2965 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2966 * with the value we derived.
2967 */
870834a1
JM		 2968 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2969 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2970 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2971 "PMKR1Name mismatch in FT 4-way "
2972 "handshake");
2973 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2974 "Supplicant",
2975 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2976 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2977 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2978 return;
2979 }
2980 }
4ec1fd8e 2981#endif /* CONFIG_IEEE80211R_AP */
26e23750 2982
dbfa691d
JM		 2983 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2984 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
2985 wpa_sta_disconnect(wpa_auth, sm->addr,
2986 WLAN_REASON_PREV_AUTH_NOT_VALID);
2987 return;
2988 }
2989
e4bf4db9 2990 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2991 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2992
56586197 2993 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2994 /* PSK may have changed from the previous choice, so update
2995 * state machine data based on whatever PSK was selected here.
2996 */
2997 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2998 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2999 }
3000
3001 sm->MICVerified = TRUE;
3002
3003 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
3004 sm->PTK_valid = TRUE;
3005}
3006
3007
3008SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
3009{
3010 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
3011 sm->TimeoutCtr = 0;
3012}
3013
3014
3015#ifdef CONFIG_IEEE80211W
3016
3017static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3018{
3019 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 3020 size_t len;
3021 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3022 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 3023 }
3024
3025 return 0;
3026}
3027
3028
3029static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3030{
3031 struct wpa_igtk_kde igtk;
3032 struct wpa_group *gsm = sm->group;
03610ad2 3033 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 3034 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 3035
3036 if (!sm->mgmt_frame_prot)
3037 return pos;
3038
3039 igtk.keyid[0] = gsm->GN_igtk;
3040 igtk.keyid[1] = 0;
7b1080da 3041 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 3042 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 3043 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 3044 else
3045 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 3046 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
8d660a4b
JM		 3047 if (sm->wpa_auth->conf.disable_gtk ||
3048 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3049 /*
3050 * Provide unique random IGTK to each STA to prevent use of
3051 * IGTK in the BSS.
3052 */
8dd9f9cd 3053 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 3054 return pos;
3055 }
6fc6879b 3056 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 3057 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
3058 NULL, 0);
6fc6879b
JM		 3059
3060 return pos;
3061}
3062
3063#else /* CONFIG_IEEE80211W */
3064
3065static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3066{
3067 return 0;
3068}
3069
3070
3071static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3072{
3073 return pos;
3074}
3075
3076#endif /* CONFIG_IEEE80211W */
3077
3078
17c2559c
MV		 3079static int ocv_oci_len(struct wpa_state_machine *sm)
3080{
3081#ifdef CONFIG_OCV
3082 if (wpa_auth_uses_ocv(sm))
3083 return OCV_OCI_KDE_LEN;
3084#endif /* CONFIG_OCV */
3085 return 0;
3086}
3087
3088static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos)
3089{
3090#ifdef CONFIG_OCV
3091 struct wpa_channel_info ci;
3092
3093 if (!wpa_auth_uses_ocv(sm))
3094 return 0;
3095
3096 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3097 wpa_printf(MSG_WARNING,
3098 "Failed to get channel info for OCI element");
3099 return -1;
3100 }
3101
3102 return ocv_insert_oci_kde(&ci, argpos);
3103#else /* CONFIG_OCV */
3104 return 0;
3105#endif /* CONFIG_OCV */
3106}
3107
3108
6fc6879b
JM		 3109SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
3110{
83421850 3111 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 3112 size_t gtk_len, kde_len;
3113 struct wpa_group *gsm = sm->group;
3114 u8 *wpa_ie;
3115 int wpa_ie_len, secure, keyidx, encr = 0;
3116
3117 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
3118 sm->TimeoutEvt = FALSE;
bae61562
JM		 3119
3120 sm->TimeoutCtr++;
6f234c1e
JM		 3121 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3122 sm->TimeoutCtr > 1) {
3123 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
3124 return;
3125 }
41f140d3 3126 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 3127 /* No point in sending the EAPOL-Key - we will disconnect
3128 * immediately following this. */
3129 return;
3130 }
3131
86dfabb8
JM		 3132 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
3133 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 3134 */
3135 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3136 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 3137 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 3138 wpa_ie = sm->wpa_auth->wpa_ie;
3139 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
3140 if (sm->wpa == WPA_VERSION_WPA &&
3141 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
3142 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 3143 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 3144 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 3145 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
3146 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 3147 wpa_ie_len = wpa_ie[1] + 2;
3148 }
3149 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3150 "sending 3/4 msg of 4-Way Handshake");
3151 if (sm->wpa == WPA_VERSION_WPA2) {
3152 /* WPA2 send GTK in the 4-way handshake */
3153 secure = 1;
3154 gtk = gsm->GTK[gsm->GN - 1];
3155 gtk_len = gsm->GTK_len;
8d660a4b
JM		 3156 if (sm->wpa_auth->conf.disable_gtk ||
3157 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3158 /*
3159 * Provide unique random GTK to each STA to prevent use
3160 * of GTK in the BSS.
3161 */
3162 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
3163 return;
3164 gtk = dummy_gtk;
3165 }
6fc6879b
JM		 3166 keyidx = gsm->GN;
3167 _rsc = rsc;
3168 encr = 1;
3169 } else {
3170 /* WPA does not include GTK in msg 3/4 */
3171 secure = 0;
3172 gtk = NULL;
3173 gtk_len = 0;
3174 keyidx = 0;
3175 _rsc = NULL;
0d442aff
JM		 3176 if (sm->rx_eapol_key_secure) {
3177 /*
3178 * It looks like Windows 7 supplicant tries to use
3179 * Secure bit in msg 2/4 after having reported Michael
3180 * MIC failure and it then rejects the 4-way handshake
3181 * if msg 3/4 does not set Secure bit. Work around this
3182 * by setting the Secure bit here even in the case of
3183 * WPA if the supplicant used it first.
3184 */
3185 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 3186 "STA used Secure bit in WPA msg 2/4 - "
3187 "set Secure for 3/4 as workaround");
0d442aff
JM		 3188 secure = 1;
3189 }
6fc6879b
JM		 3190 }
3191
17c2559c 3192 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
6fc6879b
JM		 3193 if (gtk)
3194 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 3195#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 3196 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3197 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
3198 kde_len += 300; /* FTIE + 2 * TIE */
3199 }
4ec1fd8e 3200#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3201#ifdef CONFIG_P2P
3202 if (WPA_GET_BE32(sm->ip_addr) > 0)
3203 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
3204#endif /* CONFIG_P2P */
6fc6879b
JM		 3205 kde = os_malloc(kde_len);
3206 if (kde == NULL)
3207 return;
3208
3209 pos = kde;
3210 os_memcpy(pos, wpa_ie, wpa_ie_len);
3211 pos += wpa_ie_len;
4ec1fd8e 3212#ifdef CONFIG_IEEE80211R_AP
26e23750 3213 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 3214 int res;
3215 size_t elen;
3216
3217 elen = pos - kde;
3218 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 3219 if (res < 0) {
3220 wpa_printf(MSG_ERROR, "FT: Failed to insert "
3221 "PMKR1Name into RSN IE in EAPOL-Key data");
3222 os_free(kde);
3223 return;
3224 }
59e78c24
JM		 3225 pos -= wpa_ie_len;
3226 pos += elen;
26e23750 3227 }
4ec1fd8e 3228#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3229 if (gtk) {
3230 u8 hdr[2];
3231 hdr[0] = keyidx & 0x03;
3232 hdr[1] = 0;
3233 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3234 gtk, gtk_len);
3235 }
3236 pos = ieee80211w_kde_add(sm, pos);
17c2559c
MV		 3237 if (ocv_oci_add(sm, &pos) < 0) {
3238 os_free(kde);
3239 return;
3240 }
6fc6879b 3241
4ec1fd8e 3242#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 3243 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3244 int res;
3245 struct wpa_auth_config *conf;
3246
3247 conf = &sm->wpa_auth->conf;
9257610a
JM		 3248 if (sm->assoc_resp_ftie &&
3249 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3250 os_memcpy(pos, sm->assoc_resp_ftie,
3251 2 + sm->assoc_resp_ftie[1]);
3252 res = 2 + sm->assoc_resp_ftie[1];
3253 } else {
a7968ea5
JM		 3254 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
3255
3256 res = wpa_write_ftie(conf, use_sha384,
3257 conf->r0_key_holder,
9257610a
JM		 3258 conf->r0_key_holder_len,
3259 NULL, NULL, pos,
3260 kde + kde_len - pos,
3261 NULL, 0);
3262 }
86dfabb8
JM		 3263 if (res < 0) {
3264 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
3265 "into EAPOL-Key Key Data");
3266 os_free(kde);
3267 return;
3268 }
3269 pos += res;
3270
3271 /* TIE[ReassociationDeadline] (TU) */
3272 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3273 *pos++ = 5;
3274 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3275 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3276 pos += 4;
3277
3278 /* TIE[KeyLifetime] (seconds) */
3279 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3280 *pos++ = 5;
3281 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
83fe4bd3 3282 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
86dfabb8
JM		 3283 pos += 4;
3284 }
4ec1fd8e 3285#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3286#ifdef CONFIG_P2P
3287 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3288 u8 addr[3 * 4];
3289 os_memcpy(addr, sm->ip_addr, 4);
3290 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3291 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3292 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3293 addr, sizeof(addr), NULL, 0);
3294 }
3295#endif /* CONFIG_P2P */
86dfabb8 3296
6fc6879b 3297 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3298 (secure ? WPA_KEY_INFO_SECURE : 0) |
567da5bb
JM		 3299 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3300 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3301 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3302 WPA_KEY_INFO_KEY_TYPE,
3303 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3304 os_free(kde);
6fc6879b
JM		 3305}
3306
3307
3308SM_STATE(WPA_PTK, PTKINITDONE)
3309{
3310 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3311 sm->EAPOLKeyReceived = FALSE;
3312 if (sm->Pair) {
c3550295
JM		 3313 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3314 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 3315 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 3316 sm->PTK.tk, klen)) {
567da5bb
JM		 3317 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3318 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 3319 return;
3320 }
3321 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3322 sm->pairwise_set = TRUE;
3323
a40bd06e 3324 wpa_auth_set_ptk_rekey_timer(sm);
581a8cde 3325
a1ea1b45 3326 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 3327 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 3328 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 3329 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3330 WPA_EAPOL_authorized, 1);
3331 }
3332 }
3333
3334 if (0 /* IBSS == TRUE */) {
3335 sm->keycount++;
3336 if (sm->keycount == 2) {
3337 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3338 WPA_EAPOL_portValid, 1);
3339 }
3340 } else {
3341 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3342 1);
3343 }
3344 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3345 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3346 if (sm->wpa == WPA_VERSION_WPA)
3347 sm->PInitAKeys = TRUE;
3348 else
3349 sm->has_GTK = TRUE;
3350 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3351 "pairwise key handshake completed (%s)",
3352 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3353
4ec1fd8e 3354#ifdef CONFIG_IEEE80211R_AP
6fc6879b 3355 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 3356#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3357}
3358
3359
3360SM_STEP(WPA_PTK)
3361{
3362 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3363
3364 if (sm->Init)
3365 SM_ENTER(WPA_PTK, INITIALIZE);
3366 else if (sm->Disconnect
1aae01fc
BG		 3367 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3368 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3369 "WPA_PTK: sm->Disconnect");
6fc6879b 3370 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 3371 }
6fc6879b
JM		 3372 else if (sm->DeauthenticationRequest)
3373 SM_ENTER(WPA_PTK, DISCONNECTED);
3374 else if (sm->AuthenticationRequest)
3375 SM_ENTER(WPA_PTK, AUTHENTICATION);
3376 else if (sm->ReAuthenticationRequest)
3377 SM_ENTER(WPA_PTK, AUTHENTICATION2);
0adc9b28
JM		 3378 else if (sm->PTKRequest) {
3379 if (wpa_auth_sm_ptk_update(sm) < 0)
3380 SM_ENTER(WPA_PTK, DISCONNECTED);
3381 else
3382 SM_ENTER(WPA_PTK, PTKSTART);
3383 } else switch (sm->wpa_ptk_state) {
6fc6879b
JM		 3384 case WPA_PTK_INITIALIZE:
3385 break;
3386 case WPA_PTK_DISCONNECT:
3387 SM_ENTER(WPA_PTK, DISCONNECTED);
3388 break;
3389 case WPA_PTK_DISCONNECTED:
3390 SM_ENTER(WPA_PTK, INITIALIZE);
3391 break;
3392 case WPA_PTK_AUTHENTICATION:
3393 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3394 break;
3395 case WPA_PTK_AUTHENTICATION2:
56586197 3396 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 3397 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3398 WPA_EAPOL_keyRun) > 0)
3399 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 3400 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3401 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 3402 /* FIX: && 802.1X::keyRun */)
3403 SM_ENTER(WPA_PTK, INITPSK);
567da5bb
JM		 3404 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3405 SM_ENTER(WPA_PTK, INITPMK);
6fc6879b
JM		 3406 break;
3407 case WPA_PTK_INITPMK:
3408 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
567da5bb 3409 WPA_EAPOL_keyAvailable) > 0) {
6fc6879b 3410 SM_ENTER(WPA_PTK, PTKSTART);
567da5bb
JM		 3411#ifdef CONFIG_DPP
3412 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3413 SM_ENTER(WPA_PTK, PTKSTART);
3414#endif /* CONFIG_DPP */
3415 } else {
6fc6879b 3416 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3417 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3418 "INITPMK - keyAvailable = false");
6fc6879b
JM		 3419 SM_ENTER(WPA_PTK, DISCONNECT);
3420 }
3421 break;
3422 case WPA_PTK_INITPSK:
759fd76b 3423 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
dbfa691d 3424 NULL, NULL, NULL)) {
6fc6879b 3425 SM_ENTER(WPA_PTK, PTKSTART);
e61fea6b
JM		 3426#ifdef CONFIG_SAE
3427 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3428 SM_ENTER(WPA_PTK, PTKSTART);
3429#endif /* CONFIG_SAE */
3430 } else {
6fc6879b
JM		 3431 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3432 "no PSK configured for the STA");
3433 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3434 SM_ENTER(WPA_PTK, DISCONNECT);
3435 }
3436 break;
3437 case WPA_PTK_PTKSTART:
3438 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3439 sm->EAPOLKeyPairwise)
3440 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3441 else if (sm->TimeoutCtr >
41f140d3 3442 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3443 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3444 wpa_auth_vlogger(
3445 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3446 "PTKSTART: Retry limit %u reached",
3447 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3448 SM_ENTER(WPA_PTK, DISCONNECT);
3449 } else if (sm->TimeoutEvt)
3450 SM_ENTER(WPA_PTK, PTKSTART);
3451 break;
3452 case WPA_PTK_PTKCALCNEGOTIATING:
3453 if (sm->MICVerified)
3454 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3455 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3456 sm->EAPOLKeyPairwise)
3457 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3458 else if (sm->TimeoutEvt)
3459 SM_ENTER(WPA_PTK, PTKSTART);
3460 break;
3461 case WPA_PTK_PTKCALCNEGOTIATING2:
3462 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3463 break;
3464 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3465 if (sm->update_snonce)
3466 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3467 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3468 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3469 SM_ENTER(WPA_PTK, PTKINITDONE);
3470 else if (sm->TimeoutCtr >
6f234c1e
JM		 3471 sm->wpa_auth->conf.wpa_pairwise_update_count ||
3472 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3473 sm->TimeoutCtr > 1)) {
6fc6879b 3474 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3475 wpa_auth_vlogger(
3476 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3477 "PTKINITNEGOTIATING: Retry limit %u reached",
3478 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3479 SM_ENTER(WPA_PTK, DISCONNECT);
3480 } else if (sm->TimeoutEvt)
3481 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3482 break;
3483 case WPA_PTK_PTKINITDONE:
3484 break;
3485 }
3486}
3487
3488
3489SM_STATE(WPA_PTK_GROUP, IDLE)
3490{
3491 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3492 if (sm->Init) {
3493 /* Init flag is not cleared here, so avoid busy
3494 * loop by claiming nothing changed. */
3495 sm->changed = FALSE;
3496 }
3497 sm->GTimeoutCtr = 0;
3498}
3499
3500
3501SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3502{
3503 u8 rsc[WPA_KEY_RSC_LEN];
3504 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3505 const u8 *kde;
3506 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3507 size_t kde_len;
83421850 3508 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3509
3510 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3511
3512 sm->GTimeoutCtr++;
6f234c1e
JM		 3513 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3514 sm->GTimeoutCtr > 1) {
3515 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3516 return;
3517 }
41f140d3 3518 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3519 /* No point in sending the EAPOL-Key - we will disconnect
3520 * immediately following this. */
3521 return;
3522 }
3523
6fc6879b
JM		 3524 if (sm->wpa == WPA_VERSION_WPA)
3525 sm->PInitAKeys = FALSE;
3526 sm->TimeoutEvt = FALSE;
3527 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3528 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3529 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3530 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3531 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3532 "sending 1/2 msg of Group Key Handshake");
3533
83421850 3534 gtk = gsm->GTK[gsm->GN - 1];
8d660a4b
JM		 3535 if (sm->wpa_auth->conf.disable_gtk ||
3536 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3537 /*
3538 * Provide unique random GTK to each STA to prevent use
3539 * of GTK in the BSS.
3540 */
3541 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3542 return;
3543 gtk = dummy_gtk;
3544 }
6fc6879b
JM		 3545 if (sm->wpa == WPA_VERSION_WPA2) {
3546 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
17c2559c 3547 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
e41e4f9e
JM		 3548 kde_buf = os_malloc(kde_len);
3549 if (kde_buf == NULL)
6fc6879b
JM		 3550 return;
3551
e41e4f9e 3552 kde = pos = kde_buf;
6fc6879b
JM		 3553 hdr[0] = gsm->GN & 0x03;
3554 hdr[1] = 0;
3555 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3556 gtk, gsm->GTK_len);
6fc6879b 3557 pos = ieee80211w_kde_add(sm, pos);
17c2559c
MV		 3558 if (ocv_oci_add(sm, &pos) < 0) {
3559 os_free(kde_buf);
3560 return;
3561 }
e41e4f9e 3562 kde_len = pos - kde;
6fc6879b 3563 } else {
83421850 3564 kde = gtk;
e41e4f9e 3565 kde_len = gsm->GTK_len;
6fc6879b
JM		 3566 }
3567
3568 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3569 WPA_KEY_INFO_SECURE |
567da5bb
JM		 3570 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3571 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3572 WPA_KEY_INFO_ACK |
3573 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3574 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3575
3576 os_free(kde_buf);
6fc6879b
JM		 3577}
3578
3579
3580SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3581{
aed61c4e
MV		 3582#ifdef CONFIG_OCV
3583 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3584 const u8 *key_data, *mic;
3585 struct ieee802_1x_hdr *hdr;
3586 struct wpa_eapol_key *key;
3587 struct wpa_eapol_ie_parse kde;
3588 size_t mic_len;
3589 u16 key_data_length;
3590#endif /* CONFIG_OCV */
3591
6fc6879b
JM		 3592 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3593 sm->EAPOLKeyReceived = FALSE;
aed61c4e
MV		 3594
3595#ifdef CONFIG_OCV
3596 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3597
3598 /*
3599 * Note: last_rx_eapol_key length fields have already been validated in
3600 * wpa_receive().
3601 */
3602 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3603 key = (struct wpa_eapol_key *) (hdr + 1);
3604 mic = (u8 *) (key + 1);
3605 key_data = mic + mic_len + 2;
3606 key_data_length = WPA_GET_BE16(mic + mic_len);
3607 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3608 sizeof(*key) - mic_len - 2)
3609 return;
3610
3611 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3612 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3613 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
3614 return;
3615 }
3616
3617 if (wpa_auth_uses_ocv(sm)) {
3618 struct wpa_channel_info ci;
3619 int tx_chanwidth;
3620 int tx_seg1_idx;
3621
3622 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3623 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3624 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2");
3625 return;
3626 }
3627
3628 if (get_sta_tx_parameters(sm,
3629 channel_width_to_int(ci.chanwidth),
3630 ci.seg1_idx, &tx_chanwidth,
3631 &tx_seg1_idx) < 0)
3632 return;
3633
3634 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3635 tx_chanwidth, tx_seg1_idx) != 0) {
3636 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3637 ocv_errorstr);
3638 return;
3639 }
3640 }
3641#endif /* CONFIG_OCV */
3642
6fc6879b
JM		 3643 if (sm->GUpdateStationKeys)
3644 sm->group->GKeyDoneStations--;
3645 sm->GUpdateStationKeys = FALSE;
3646 sm->GTimeoutCtr = 0;
3647 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3648 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3649 "group key handshake completed (%s)",
3650 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3651 sm->has_GTK = TRUE;
3652}
3653
3654
3655SM_STATE(WPA_PTK_GROUP, KEYERROR)
3656{
3657 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3658 if (sm->GUpdateStationKeys)
3659 sm->group->GKeyDoneStations--;
3660 sm->GUpdateStationKeys = FALSE;
3661 sm->Disconnect = TRUE;
4bb9b674
GK		 3662 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3663 "group key handshake failed (%s) after %u tries",
3664 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3665 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3666}
3667
3668
3669SM_STEP(WPA_PTK_GROUP)
3670{
9663596f 3671 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3672 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3673 sm->PtkGroupInit = FALSE;
3674 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3675 case WPA_PTK_GROUP_IDLE:
3676 if (sm->GUpdateStationKeys ||
3677 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3678 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3679 break;
3680 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3681 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3682 !sm->EAPOLKeyPairwise && sm->MICVerified)
3683 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3684 else if (sm->GTimeoutCtr >
6f234c1e
JM		 3685 sm->wpa_auth->conf.wpa_group_update_count ||
3686 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3687 sm->GTimeoutCtr > 1))
6fc6879b
JM		 3688 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3689 else if (sm->TimeoutEvt)
3690 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3691 break;
3692 case WPA_PTK_GROUP_KEYERROR:
3693 SM_ENTER(WPA_PTK_GROUP, IDLE);
3694 break;
3695 case WPA_PTK_GROUP_REKEYESTABLISHED:
3696 SM_ENTER(WPA_PTK_GROUP, IDLE);
3697 break;
3698 }
3699}
3700
3701
3702static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3703 struct wpa_group *group)
3704{
3705 int ret = 0;
3706
6fc6879b
JM		 3707 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3708 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3709 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3710 wpa_auth->addr, group->GNonce,
3711 group->GTK[group->GN - 1], group->GTK_len) < 0)
3712 ret = -1;
5cb9d5c3
JM		 3713 wpa_hexdump_key(MSG_DEBUG, "GTK",
3714 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3715
3716#ifdef CONFIG_IEEE80211W
70f8cc8e 3717 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3718 size_t len;
3719 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3720 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3721 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3722 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3723 wpa_auth->addr, group->GNonce,
8dd9f9cd 3724 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3725 ret = -1;
6fc6879b 3726 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3727 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3728 }
3729#endif /* CONFIG_IEEE80211W */
3730
3731 return ret;
3732}
3733
3734
3735static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3736 struct wpa_group *group)
3737{
3738 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3739 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3740 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3741 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3742
3743 /* GTK[0..N] = 0 */
3744 os_memset(group->GTK, 0, sizeof(group->GTK));
3745 group->GN = 1;
3746 group->GM = 2;
3747#ifdef CONFIG_IEEE80211W
3748 group->GN_igtk = 4;
3749 group->GM_igtk = 5;
3750#endif /* CONFIG_IEEE80211W */
3751 /* GTK[GN] = CalcGTK() */
3752 wpa_gtk_update(wpa_auth, group);
3753}
3754
3755
3756static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3757{
473b6f22
MB		 3758 if (ctx != NULL && ctx != sm->group)
3759 return 0;
3760
6fc6879b
JM		 3761 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3762 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3763 "Not in PTKINITDONE; skip Group Key update");
3c183894 3764 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3765 return 0;
3766 }
9663596f
JM		 3767 if (sm->GUpdateStationKeys) {
3768 /*
3c183894
JM		 3769 * This should not really happen, so add a debug log entry.
3770 * Since we clear the GKeyDoneStations before the loop, the
3771 * station needs to be counted here anyway.
9663596f
JM		 3772 */
3773 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3774 "GUpdateStationKeys was already set when "
3775 "marking station for GTK rekeying");
9663596f 3776 }
3c183894 3777
ad3872a3 3778 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3779 if (sm->is_wnmsleep)
3780 return 0;
d32d94db 3781
3c183894
JM		 3782 sm->group->GKeyDoneStations++;
3783 sm->GUpdateStationKeys = TRUE;
3784
6fc6879b
JM		 3785 wpa_sm_step(sm);
3786 return 0;
3787}
3788
3789
b5bf84ba 3790#ifdef CONFIG_WNM_AP
ad3872a3 3791/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3792void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3793{
629edfef 3794 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3795 return;
3796
3797 wpa_group_update_sta(sm, NULL);
3798}
3799
3800
3801void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3802{
629edfef
JM		 3803 if (sm)
3804 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3805}
3806
3807
3808int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3809{
d32d94db 3810 struct wpa_group *gsm = sm->group;
835822d4 3811 u8 *start = pos;
d32d94db
XC		 3812
3813 /*
835822d4 3814 * GTK subelement:
d32d94db 3815 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3816 * Key[5..32]
d32d94db 3817 */
835822d4
JM		 3818 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3819 *pos++ = 11 + gsm->GTK_len;
d32d94db 3820 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3821 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3822 pos += 2;
3823 *pos++ = gsm->GTK_len;
3824 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3825 return 0;
835822d4
JM		 3826 pos += 8;
3827 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3828 pos += gsm->GTK_len;
d32d94db 3829
835822d4
JM		 3830 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3831 gsm->GN);
3832 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3833 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3834
835822d4 3835 return pos - start;
d32d94db
XC		 3836}
3837
3838
3839#ifdef CONFIG_IEEE80211W
3840int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3841{
d32d94db 3842 struct wpa_group *gsm = sm->group;
835822d4 3843 u8 *start = pos;
8dd9f9cd 3844 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3845
835822d4
JM		 3846 /*
3847 * IGTK subelement:
3848 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3849 */
3850 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3851 *pos++ = 2 + 6 + len;
835822d4
JM		 3852 WPA_PUT_LE16(pos, gsm->GN_igtk);
3853 pos += 2;
3854 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3855 return 0;
835822d4 3856 pos += 6;
d32d94db 3857
8dd9f9cd
JM		 3858 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3859 pos += len;
d32d94db 3860
835822d4
JM		 3861 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3862 gsm->GN_igtk);
3863 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3864 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3865
835822d4 3866 return pos - start;
d32d94db
XC		 3867}
3868#endif /* CONFIG_IEEE80211W */
b5bf84ba 3869#endif /* CONFIG_WNM_AP */
d32d94db
XC		 3870
3871
6fc6879b
JM		 3872static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3873 struct wpa_group *group)
3874{
3875 int tmp;
3876
3877 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3878 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3879 group->changed = TRUE;
3880 group->wpa_group_state = WPA_GROUP_SETKEYS;
3881 group->GTKReKey = FALSE;
3882 tmp = group->GM;
3883 group->GM = group->GN;
3884 group->GN = tmp;
3885#ifdef CONFIG_IEEE80211W
3886 tmp = group->GM_igtk;
3887 group->GM_igtk = group->GN_igtk;
3888 group->GN_igtk = tmp;
3889#endif /* CONFIG_IEEE80211W */
3890 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3891 * counting the STAs that are marked with GUpdateStationKeys instead of
3892 * including all STAs that could be in not-yet-completed state. */
3893 wpa_gtk_update(wpa_auth, group);
3894
3c183894
JM		 3895 if (group->GKeyDoneStations) {
3896 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3897 "GKeyDoneStations=%d when starting new GTK rekey",
3898 group->GKeyDoneStations);
3899 group->GKeyDoneStations = 0;
3900 }
473b6f22 3901 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3902 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3903 group->GKeyDoneStations);
3904}
3905
3906
1bdb7ab3
JM		 3907static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3908 struct wpa_group *group)
6fc6879b 3909{
3c7302c2
JM		 3910 int ret = 0;
3911
3c7302c2 3912 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3913 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3914 broadcast_ether_addr, group->GN,
3915 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3916 ret = -1;
6fc6879b
JM		 3917
3918#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3919 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3920 enum wpa_alg alg;
3921 size_t len;
3922
3923 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3924 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3925
3926 if (ret == 0 &&
3927 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3928 broadcast_ether_addr, group->GN_igtk,
3929 group->IGTK[group->GN_igtk - 4], len) < 0)
3930 ret = -1;
3931 }
6fc6879b 3932#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3933
3934 return ret;
6fc6879b
JM		 3935}
3936
3937
7d7f7be2
JM		 3938static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3939{
3940 if (sm->group == ctx) {
3941 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3942 " for discconnection due to fatal failure",
3943 MAC2STR(sm->addr));
3944 sm->Disconnect = TRUE;
3945 }
3946
3947 return 0;
3948}
3949
3950
3951static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3952 struct wpa_group *group)
3953{
3954 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3955 group->changed = TRUE;
3956 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3957 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3958}
3959
3960
1bdb7ab3
JM		 3961static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3962 struct wpa_group *group)
3963{
3964 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3965 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3966 group->changed = TRUE;
3967 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3968
7d7f7be2
JM		 3969 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3970 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3971 return -1;
7d7f7be2 3972 }
1bdb7ab3
JM		 3973
3974 return 0;
3975}
3976
3977
6fc6879b
JM		 3978static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3979 struct wpa_group *group)
3980{
3981 if (group->GInit) {
3982 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3983 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3984 /* Do not allow group operations */
6fc6879b
JM		 3985 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3986 group->GTKAuthenticator) {
3987 wpa_group_setkeysdone(wpa_auth, group);
3988 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3989 group->GTKReKey) {
3990 wpa_group_setkeys(wpa_auth, group);
3991 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3992 if (group->GKeyDoneStations == 0)
3993 wpa_group_setkeysdone(wpa_auth, group);
3994 else if (group->GTKReKey)
3995 wpa_group_setkeys(wpa_auth, group);
3996 }
3997}
3998
3999
e4a6ea1d 4000static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 4001{
4002 if (sm == NULL)
e4a6ea1d 4003 return 0;
6fc6879b
JM		 4004
4005 if (sm->in_step_loop) {
4006 /* This should not happen, but if it does, make sure we do not
4007 * end up freeing the state machine too early by exiting the
4008 * recursive call. */
4009 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 4010 return 0;
6fc6879b
JM		 4011 }
4012
4013 sm->in_step_loop = 1;
4014 do {
4015 if (sm->pending_deinit)
4016 break;
4017
4018 sm->changed = FALSE;
4019 sm->wpa_auth->group->changed = FALSE;
4020
4021 SM_STEP_RUN(WPA_PTK);
4022 if (sm->pending_deinit)
4023 break;
4024 SM_STEP_RUN(WPA_PTK_GROUP);
4025 if (sm->pending_deinit)
4026 break;
4027 wpa_group_sm_step(sm->wpa_auth, sm->group);
4028 } while (sm->changed || sm->wpa_auth->group->changed);
4029 sm->in_step_loop = 0;
4030
4031 if (sm->pending_deinit) {
4032 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
4033 "machine deinit for " MACSTR, MAC2STR(sm->addr));
4034 wpa_free_sta_sm(sm);
e4a6ea1d 4035 return 1;
6fc6879b 4036 }
e4a6ea1d 4037 return 0;
6fc6879b
JM		 4038}
4039
4040
4041static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
4042{
4043 struct wpa_state_machine *sm = eloop_ctx;
4044 wpa_sm_step(sm);
4045}
4046
4047
4048void wpa_auth_sm_notify(struct wpa_state_machine *sm)
4049{
4050 if (sm == NULL)
4051 return;
4052 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
4053}
4054
4055
4056void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
4057{
4058 int tmp, i;
4059 struct wpa_group *group;
4060
4061 if (wpa_auth == NULL)
4062 return;
4063
4064 group = wpa_auth->group;
4065
4066 for (i = 0; i < 2; i++) {
4067 tmp = group->GM;
4068 group->GM = group->GN;
4069 group->GN = tmp;
4070#ifdef CONFIG_IEEE80211W
4071 tmp = group->GM_igtk;
4072 group->GM_igtk = group->GN_igtk;
4073 group->GN_igtk = tmp;
4074#endif /* CONFIG_IEEE80211W */
4075 wpa_gtk_update(wpa_auth, group);
9354e594 4076 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 4077 }
4078}
4079
4080
a6da824b 4081static const char * wpa_bool_txt(int val)
6fc6879b 4082{
a6da824b 4083 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 4084}
4085
4086
6fc6879b
JM		 4087#define RSN_SUITE "%02x-%02x-%02x-%d"
4088#define RSN_SUITE_ARG(s) \
4089((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4090
4091int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
4092{
4093 int len = 0, ret;
4094 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 4095#ifdef CONFIG_RSN_PREAUTH
4096 const int preauth = 1;
4097#else /* CONFIG_RSN_PREAUTH */
4098 const int preauth = 0;
4099#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 4100
4101 if (wpa_auth == NULL)
4102 return len;
4103
4104 ret = os_snprintf(buf + len, buflen - len,
4105 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 4106 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 4107 "dot11RSNAEnabled=%s\n"
4108 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 4109 wpa_bool_txt(preauth),
6fc6879b
JM		 4110 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
4111 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 4112 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4113 return len;
4114 len += ret;
4115
4116 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4117 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
4118
4119 ret = os_snprintf(
4120 buf + len, buflen - len,
4121 "dot11RSNAConfigVersion=%u\n"
4122 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
4123 /* FIX: dot11RSNAConfigGroupCipher */
4124 /* FIX: dot11RSNAConfigGroupRekeyMethod */
4125 /* FIX: dot11RSNAConfigGroupRekeyTime */
4126 /* FIX: dot11RSNAConfigGroupRekeyPackets */
4127 "dot11RSNAConfigGroupRekeyStrict=%u\n"
4128 "dot11RSNAConfigGroupUpdateCount=%u\n"
4129 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
4130 "dot11RSNAConfigGroupCipherSize=%u\n"
4131 "dot11RSNAConfigPMKLifetime=%u\n"
4132 "dot11RSNAConfigPMKReauthThreshold=%u\n"
4133 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
4134 "dot11RSNAConfigSATimeout=%u\n"
4135 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4136 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4137 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4138 "dot11RSNAPMKIDUsed=%s\n"
4139 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4140 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4141 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4142 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
4143 "dot11RSNA4WayHandshakeFailures=%u\n"
4144 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
4145 RSN_VERSION,
4146 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 4147 wpa_auth->conf.wpa_group_update_count,
4148 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 4149 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 4150 dot11RSNAConfigPMKLifetime,
4151 dot11RSNAConfigPMKReauthThreshold,
4152 dot11RSNAConfigSATimeout,
4153 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
4154 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
4155 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
4156 pmkid_txt,
4157 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
4158 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
4159 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
4160 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
4161 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 4162 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4163 return len;
4164 len += ret;
4165
4166 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
4167 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
4168
4169 /* Private MIB */
4170 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
4171 wpa_auth->group->wpa_group_state);
d85e1fc8 4172 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4173 return len;
4174 len += ret;
4175
4176 return len;
4177}
4178
4179
4180int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
4181{
4182 int len = 0, ret;
4183 u32 pairwise = 0;
4184
4185 if (sm == NULL)
4186 return 0;
4187
4188 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
4189
4190 /* dot11RSNAStatsEntry */
4191
c3550295
JM		 4192 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
4193 WPA_PROTO_RSN : WPA_PROTO_WPA,
4194 sm->pairwise);
4195 if (pairwise == 0)
6fc6879b
JM		 4196 return 0;
4197
4198 ret = os_snprintf(
4199 buf + len, buflen - len,
4200 /* TODO: dot11RSNAStatsIndex */
4201 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
4202 "dot11RSNAStatsVersion=1\n"
4203 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
4204 /* TODO: dot11RSNAStatsTKIPICVErrors */
4205 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 4206 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 4207 /* TODO: dot11RSNAStatsCCMPReplays */
4208 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
4209 /* TODO: dot11RSNAStatsTKIPReplays */,
4210 MAC2STR(sm->addr),
4211 RSN_SUITE_ARG(pairwise),
4212 sm->dot11RSNAStatsTKIPLocalMICFailures,
4213 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 4214 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4215 return len;
4216 len += ret;
4217
4218 /* Private MIB */
4219 ret = os_snprintf(buf + len, buflen - len,
4220 "hostapdWPAPTKState=%d\n"
4221 "hostapdWPAPTKGroupState=%d\n",
4222 sm->wpa_ptk_state,
4223 sm->wpa_ptk_group_state);
d85e1fc8 4224 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4225 return len;
4226 len += ret;
4227
4228 return len;
4229}
4230
4231
4232void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
4233{
4234 if (wpa_auth)
4235 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
4236}
4237
4238
4239int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
4240{
4241 return sm && sm->pairwise_set;
4242}
4243
4244
ff36ff00
JM		 4245int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
4246{
4247 return sm->pairwise;
4248}
4249
4250
b08c9ad0
MK		 4251const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
4252{
4253 if (!sm)
4254 return NULL;
4255 *len = sm->pmk_len;
4256 return sm->PMK;
4257}
4258
4259
6fc6879b
JM		 4260int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
4261{
4262 if (sm == NULL)
4263 return -1;
4264 return sm->wpa_key_mgmt;
4265}
4266
4267
4268int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
4269{
4270 if (sm == NULL)
4271 return 0;
4272 return sm->wpa;
4273}
4274
4275
0e3bd7ac
MV		 4276int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
4277{
4278 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
4279 return 0;
4280 return sm->tk_already_set;
4281}
4282
4283
2f1357fb
JM		 4284int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
4285{
4286 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
4287 return 0;
4288 return sm->tk_already_set;
4289}
4290
4291
6fc6879b
JM		 4292int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
4293 struct rsn_pmksa_cache_entry *entry)
4294{
4295 if (sm == NULL || sm->pmksa != entry)
4296 return -1;
4297 sm->pmksa = NULL;
4298 return 0;
4299}
4300
4301
4302struct rsn_pmksa_cache_entry *
4303wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
4304{
4305 return sm ? sm->pmksa : NULL;
4306}
4307
4308
4309void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
4310{
4311 if (sm)
4312 sm->dot11RSNAStatsTKIPLocalMICFailures++;
4313}
4314
4315
4316const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
4317{
4318 if (wpa_auth == NULL)
4319 return NULL;
4320 *len = wpa_auth->wpa_ie_len;
4321 return wpa_auth->wpa_ie;
4322}
4323
4324
4325int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 4326 unsigned int pmk_len,
6fc6879b
JM		 4327 int session_timeout, struct eapol_state_machine *eapol)
4328{
cb465555
JM		 4329 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
4330 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 4331 return -1;
4332
834c5d68 4333 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 4334 if (pmk_len > PMK_LEN_SUITE_B_192)
4335 pmk_len = PMK_LEN_SUITE_B_192;
4336 } else if (pmk_len > PMK_LEN) {
4337 pmk_len = PMK_LEN;
4338 }
4339
70c93963 4340 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 4341 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 4342 sm->wpa_auth->addr, sm->addr, session_timeout,
4343 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 4344 return 0;
4345
4346 return -1;
4347}
4348
4349
4350int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4351 const u8 *pmk, size_t len, const u8 *sta_addr,
4352 int session_timeout,
4353 struct eapol_state_machine *eapol)
4354{
4355 if (wpa_auth == NULL)
4356 return -1;
4357
70c93963 4358 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 4359 NULL, 0,
4360 wpa_auth->addr,
4bb081f1
JM		 4361 sta_addr, session_timeout, eapol,
4362 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 4363 return 0;
4364
4365 return -1;
4366}
4367
4368
f2991170 4369int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 4370 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 4371{
4372 if (wpa_auth->conf.disable_pmksa_caching)
4373 return -1;
4374
70c93963 4375 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 4376 NULL, 0,
f2991170
JM		 4377 wpa_auth->addr, addr, 0, NULL,
4378 WPA_KEY_MGMT_SAE))
4379 return 0;
4380
4381 return -1;
4382}
4383
4384
9d94e4bb
JM		 4385void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
4386{
4387 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4388 sm->pmkid_set = 1;
4389}
4390
4391
0c52953b
JM		 4392int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4393 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4394 int session_timeout, int akmp)
4395{
4396 if (wpa_auth->conf.disable_pmksa_caching)
4397 return -1;
4398
4399 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4400 NULL, 0, wpa_auth->addr, addr, session_timeout,
4401 NULL, akmp))
4402 return 0;
4403
4404 return -1;
4405}
4406
4407
901d1fe1
JM		 4408void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4409 const u8 *sta_addr)
4410{
4411 struct rsn_pmksa_cache_entry *pmksa;
4412
4413 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4414 return;
4415 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4416 if (pmksa) {
4417 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4418 MACSTR " based on request", MAC2STR(sta_addr));
4419 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4420 }
4421}
4422
4423
b8daac18
MH		 4424int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4425 size_t len)
4426{
4427 if (!wpa_auth || !wpa_auth->pmksa)
4428 return 0;
4429 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4430}
4431
4432
4c522c77
MH		 4433void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4434{
4435 if (wpa_auth && wpa_auth->pmksa)
4436 pmksa_cache_auth_flush(wpa_auth->pmksa);
4437}
4438
4439
4d77d80e
MH		 4440#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4441#ifdef CONFIG_MESH
4442
4443int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4444 char *buf, size_t len)
4445{
4446 if (!wpa_auth || !wpa_auth->pmksa)
4447 return 0;
4448
4449 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4450}
4451
4452
4453struct rsn_pmksa_cache_entry *
4454wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4455 const u8 *pmkid, int expiration)
4456{
4457 struct rsn_pmksa_cache_entry *entry;
4458 struct os_reltime now;
4459
4460 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4461 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4462 if (!entry)
4463 return NULL;
4464
4465 os_get_reltime(&now);
4466 entry->expiration = now.sec + expiration;
4467 return entry;
4468}
4469
4470
4471int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4472 struct rsn_pmksa_cache_entry *entry)
4473{
4474 int ret;
4475
4476 if (!wpa_auth || !wpa_auth->pmksa)
4477 return -1;
4478
4479 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4480 if (ret < 0)
4481 wpa_printf(MSG_DEBUG,
4482 "RSN: Failed to store external PMKSA cache for "
4483 MACSTR, MAC2STR(entry->spa));
4484
4485 return ret;
4486}
4487
4488#endif /* CONFIG_MESH */
4489#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4490
4491
9f2cf23e 4492struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 4493wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4494 const u8 *pmkid)
9f2cf23e
MH		 4495{
4496 if (!wpa_auth || !wpa_auth->pmksa)
4497 return NULL;
c1bd4bac 4498 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 4499}
4500
4501
4502void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4503 struct wpa_state_machine *sm,
4504 struct wpa_authenticator *wpa_auth,
4505 u8 *pmkid, u8 *pmk)
4506{
4507 if (!sm)
4508 return;
4509
4510 sm->pmksa = pmksa;
8854f90b
JM		 4511 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4512 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4513 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 4514}
4515
4516
a0ad9e8c
MB		 4517/*
4518 * Remove and free the group from wpa_authenticator. This is triggered by a
4519 * callback to make sure nobody is currently iterating the group list while it
4520 * gets modified.
4521 */
4522static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4523 struct wpa_group *group)
4524{
4525 struct wpa_group *prev = wpa_auth->group;
4526
4527 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4528 group->vlan_id);
4529
4530 while (prev) {
4531 if (prev->next == group) {
4532 /* This never frees the special first group as needed */
4533 prev->next = group->next;
4534 os_free(group);
4535 break;
4536 }
4537 prev = prev->next;
4538 }
4539
4540}
4541
4542
4543/* Increase the reference counter for group */
4544static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4545 struct wpa_group *group)
4546{
4547 /* Skip the special first group */
4548 if (wpa_auth->group == group)
4549 return;
4550
4551 group->references++;
4552}
4553
4554
4555/* Decrease the reference counter and maybe free the group */
4556static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4557 struct wpa_group *group)
4558{
4559 /* Skip the special first group */
4560 if (wpa_auth->group == group)
4561 return;
4562
4563 group->references--;
4564 if (group->references)
4565 return;
4566 wpa_group_free(wpa_auth, group);
4567}
4568
4569
4570/*
4571 * Add a group that has its references counter set to zero. Caller needs to
4572 * call wpa_group_get() on the return value to mark the entry in use.
4573 */
6fc6879b
JM		 4574static struct wpa_group *
4575wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4576{
4577 struct wpa_group *group;
4578
4579 if (wpa_auth == NULL || wpa_auth->group == NULL)
4580 return NULL;
4581
4582 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4583 vlan_id);
bdffdc5d 4584 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4585 if (group == NULL)
4586 return NULL;
4587
4588 group->next = wpa_auth->group->next;
4589 wpa_auth->group->next = group;
4590
4591 return group;
4592}
4593
4594
7cebc8e2
MB		 4595/*
4596 * Enforce that the group state machine for the VLAN is running, increase
4597 * reference counter as interface is up. References might have been increased
4598 * even if a negative value is returned.
4599 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4600 */
4601int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4602{
4603 struct wpa_group *group;
4604
4605 if (wpa_auth == NULL)
4606 return 0;
4607
4608 group = wpa_auth->group;
4609 while (group) {
4610 if (group->vlan_id == vlan_id)
4611 break;
4612 group = group->next;
4613 }
4614
4615 if (group == NULL) {
4616 group = wpa_auth_add_group(wpa_auth, vlan_id);
4617 if (group == NULL)
4618 return -1;
4619 }
4620
4621 wpa_printf(MSG_DEBUG,
4622 "WPA: Ensure group state machine running for VLAN ID %d",
4623 vlan_id);
4624
4625 wpa_group_get(wpa_auth, group);
4626 group->num_setup_iface++;
4627
4628 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4629 return -1;
4630
4631 return 0;
4632}
4633
4634
4635/*
4636 * Decrease reference counter, expected to be zero afterwards.
4637 * returns: -1 on error (group not found, group in fail state)
4638 * -2 if wpa_group is still referenced
4639 * 0 else
4640 */
4641int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4642{
4643 struct wpa_group *group;
4644 int ret = 0;
4645
4646 if (wpa_auth == NULL)
4647 return 0;
4648
4649 group = wpa_auth->group;
4650 while (group) {
4651 if (group->vlan_id == vlan_id)
4652 break;
4653 group = group->next;
4654 }
4655
4656 if (group == NULL)
4657 return -1;
4658
4659 wpa_printf(MSG_DEBUG,
4660 "WPA: Try stopping group state machine for VLAN ID %d",
4661 vlan_id);
4662
4663 if (group->num_setup_iface <= 0) {
4664 wpa_printf(MSG_ERROR,
4665 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4666 vlan_id);
4667 return -1;
4668 }
4669 group->num_setup_iface--;
4670
4671 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4672 ret = -1;
4673
4674 if (group->references > 1) {
4675 wpa_printf(MSG_DEBUG,
4676 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4677 vlan_id);
4678 ret = -2;
4679 }
4680
4681 wpa_group_put(wpa_auth, group);
4682
4683 return ret;
4684}
4685
4686
6fc6879b
JM		 4687int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4688{
4689 struct wpa_group *group;
4690
4691 if (sm == NULL || sm->wpa_auth == NULL)
4692 return 0;
4693
4694 group = sm->wpa_auth->group;
4695 while (group) {
4696 if (group->vlan_id == vlan_id)
4697 break;
4698 group = group->next;
4699 }
4700
4701 if (group == NULL) {
4702 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4703 if (group == NULL)
4704 return -1;
4705 }
4706
4707 if (sm->group == group)
4708 return 0;
4709
7d7f7be2
JM		 4710 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4711 return -1;
4712
6fc6879b
JM		 4713 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4714 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4715
a0ad9e8c
MB		 4716 wpa_group_get(sm->wpa_auth, group);
4717 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4718 sm->group = group;
a0ad9e8c 4719
6fc6879b
JM		 4720 return 0;
4721}
e4bf4db9
JM		 4722
4723
4724void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4725 struct wpa_state_machine *sm, int ack)
4726{
4727 if (wpa_auth == NULL || sm == NULL)
4728 return;
4729 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4730 " ack=%d", MAC2STR(sm->addr), ack);
4731 if (sm->pending_1_of_4_timeout && ack) {
4732 /*
4733 * Some deployed supplicant implementations update their SNonce
4734 * for each EAPOL-Key 2/4 message even within the same 4-way
4735 * handshake and then fail to use the first SNonce when
4736 * deriving the PTK. This results in unsuccessful 4-way
4737 * handshake whenever the relatively short initial timeout is
4738 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4739 * around this by increasing the timeout now that we know that
4740 * the station has received the frame.
4741 */
4742 int timeout_ms = eapol_key_timeout_subseq;
4743 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4744 "timeout by %u ms because of acknowledged frame",
4745 timeout_ms);
4746 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4747 eloop_register_timeout(timeout_ms / 1000,
4748 (timeout_ms % 1000) * 1000,
4749 wpa_send_eapol_timeout, wpa_auth, sm);
4750 }
3d695328
JM		 4751
4752#ifdef CONFIG_TESTING_OPTIONS
4753 if (sm->eapol_status_cb) {
4754 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
4755 sm->eapol_status_cb_ctx2);
4756 sm->eapol_status_cb = NULL;
4757 }
4758#endif /* CONFIG_TESTING_OPTIONS */
e4bf4db9 4759}
c10347f2
JM		 4760
4761
4762int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4763{
4764 if (sm == NULL)
4765 return 0;
4766 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4767}
aa189ac9
JM		 4768
4769
4770int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4771{
4772 if (sm == NULL)
4773 return 0;
4774 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4775}
25ef8529
JM		 4776
4777
4778#ifdef CONFIG_P2P
4779int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4780{
4781 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4782 return -1;
4783 os_memcpy(addr, sm->ip_addr, 4);
4784 return 0;
4785}
4786#endif /* CONFIG_P2P */
cbc210de
JM		 4787
4788
4789int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4790 struct radius_das_attrs *attr)
4791{
4792 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4793}
34782730
JM		 4794
4795
4796void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4797{
4798 struct wpa_group *group;
4799
4800 if (!wpa_auth)
4801 return;
4802 for (group = wpa_auth->group; group; group = group->next)
4803 wpa_group_config_group_keys(wpa_auth, group);
4804}
7eace378
JM		 4805
4806
4807#ifdef CONFIG_FILS
4808
4809struct wpa_auth_fils_iter_data {
4810 struct wpa_authenticator *auth;
4811 const u8 *cache_id;
4812 struct rsn_pmksa_cache_entry *pmksa;
4813 const u8 *spa;
4814 const u8 *pmkid;
4815};
4816
4817
4818static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4819{
4820 struct wpa_auth_fils_iter_data *data = ctx;
4821
4cc6574d 4822 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4823 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4824 FILS_CACHE_ID_LEN) != 0)
4825 return 0;
4826 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4827 return data->pmksa != NULL;
4828}
4829
4830
4831struct rsn_pmksa_cache_entry *
4832wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4833 const u8 *sta_addr, const u8 *pmkid)
4834{
4835 struct wpa_auth_fils_iter_data idata;
4836
4837 if (!wpa_auth->conf.fils_cache_id_set)
4838 return NULL;
4839 idata.auth = wpa_auth;
4840 idata.cache_id = wpa_auth->conf.fils_cache_id;
4841 idata.pmksa = NULL;
4842 idata.spa = sta_addr;
4843 idata.pmkid = pmkid;
4844 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4845 return idata.pmksa;
4846}
4847
5db997e3
JM		 4848
4849#ifdef CONFIG_IEEE80211R_AP
a7968ea5
JM		 4850int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384,
4851 u8 *buf, size_t len)
5db997e3
JM		 4852{
4853 struct wpa_auth_config *conf = &wpa_auth->conf;
4854
a7968ea5 4855 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder,
5db997e3
JM		 4856 conf->r0_key_holder_len,
4857 NULL, NULL, buf, len, NULL, 0);
4858}
4859#endif /* CONFIG_IEEE80211R_AP */
4860
8acbf85f
JM		 4861
4862void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4863 u8 *fils_anonce, u8 *fils_snonce,
4864 u8 *fils_kek, size_t *fils_kek_len)
4865{
4866 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4867 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4868 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4869 *fils_kek_len = sm->PTK.kek_len;
4870}
4871
a40bd06e
JM		 4872
4873void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
4874 size_t pmk_len, const u8 *pmkid)
4875{
4876 os_memcpy(sm->PMK, pmk, pmk_len);
4877 sm->pmk_len = pmk_len;
4878 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4879 sm->pmkid_set = 1;
4880}
4881
7eace378 4882#endif /* CONFIG_FILS */
6bc2f00f
JM		 4883
4884
36536639
JM		 4885void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
4886{
4887 if (sm)
4888 sm->auth_alg = auth_alg;
4889}
4890
4891
10ec6a5f
JM		 4892#ifdef CONFIG_DPP2
4893void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
4894{
4895 if (sm) {
4896 wpabuf_clear_free(sm->dpp_z);
4897 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
4898 }
4899}
4900#endif /* CONFIG_DPP2 */
4901
4902
82424732 4903#ifdef CONFIG_TESTING_OPTIONS
d8afdb21 4904
3d695328
JM		 4905int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
4906 void (*cb)(void *ctx1, void *ctx2),
4907 void *ctx1, void *ctx2)
d8afdb21
JM		 4908{
4909 const u8 *anonce = sm->ANonce;
4910 u8 anonce_buf[WPA_NONCE_LEN];
4911
4912 if (change_anonce) {
4913 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
4914 return -1;
4915 anonce = anonce_buf;
4916 }
4917
4918 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4919 "sending 1/4 msg of 4-Way Handshake (TESTING)");
4920 wpa_send_eapol(sm->wpa_auth, sm,
4921 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
4922 anonce, NULL, 0, 0, 0);
4923 return 0;
4924}
4925
4926
3d695328
JM		 4927int wpa_auth_resend_m3(struct wpa_state_machine *sm,
4928 void (*cb)(void *ctx1, void *ctx2),
4929 void *ctx1, void *ctx2)
d8afdb21 4930{
0c3bc1be
LD		 4931 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
4932#ifdef CONFIG_IEEE80211W
4933 u8 *opos;
4934#endif /* CONFIG_IEEE80211W */
d8afdb21
JM		 4935 size_t gtk_len, kde_len;
4936 struct wpa_group *gsm = sm->group;
4937 u8 *wpa_ie;
4938 int wpa_ie_len, secure, keyidx, encr = 0;
4939
4940 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4941 GTK[GN], IGTK, [FTIE], [TIE * 2])
4942 */
4943
4944 /* Use 0 RSC */
4945 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4946 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4947 wpa_ie = sm->wpa_auth->wpa_ie;
4948 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4949 if (sm->wpa == WPA_VERSION_WPA &&
4950 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
4951 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
4952 /* WPA-only STA, remove RSN IE and possible MDIE */
4953 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4954 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4955 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4956 wpa_ie_len = wpa_ie[1] + 2;
4957 }
4958 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4959 "sending 3/4 msg of 4-Way Handshake (TESTING)");
4960 if (sm->wpa == WPA_VERSION_WPA2) {
4961 /* WPA2 send GTK in the 4-way handshake */
4962 secure = 1;
4963 gtk = gsm->GTK[gsm->GN - 1];
4964 gtk_len = gsm->GTK_len;
4965 keyidx = gsm->GN;
4966 _rsc = rsc;
4967 encr = 1;
4968 } else {
4969 /* WPA does not include GTK in msg 3/4 */
4970 secure = 0;
4971 gtk = NULL;
4972 gtk_len = 0;
4973 keyidx = 0;
4974 _rsc = NULL;
4975 if (sm->rx_eapol_key_secure) {
4976 /*
4977 * It looks like Windows 7 supplicant tries to use
4978 * Secure bit in msg 2/4 after having reported Michael
4979 * MIC failure and it then rejects the 4-way handshake
4980 * if msg 3/4 does not set Secure bit. Work around this
4981 * by setting the Secure bit here even in the case of
4982 * WPA if the supplicant used it first.
4983 */
4984 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4985 "STA used Secure bit in WPA msg 2/4 - "
4986 "set Secure for 3/4 as workaround");
4987 secure = 1;
4988 }
4989 }
4990
17c2559c 4991 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
d8afdb21
JM		 4992 if (gtk)
4993 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4994#ifdef CONFIG_IEEE80211R_AP
4995 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4996 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4997 kde_len += 300; /* FTIE + 2 * TIE */
4998 }
4999#endif /* CONFIG_IEEE80211R_AP */
5000 kde = os_malloc(kde_len);
5001 if (kde == NULL)
5002 return -1;
5003
5004 pos = kde;
5005 os_memcpy(pos, wpa_ie, wpa_ie_len);
5006 pos += wpa_ie_len;
5007#ifdef CONFIG_IEEE80211R_AP
5008 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5009 int res;
5010 size_t elen;
5011
5012 elen = pos - kde;
5013 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
5014 if (res < 0) {
5015 wpa_printf(MSG_ERROR, "FT: Failed to insert "
5016 "PMKR1Name into RSN IE in EAPOL-Key data");
5017 os_free(kde);
5018 return -1;
5019 }
5020 pos -= wpa_ie_len;
5021 pos += elen;
5022 }
5023#endif /* CONFIG_IEEE80211R_AP */
5024 if (gtk) {
5025 u8 hdr[2];
5026 hdr[0] = keyidx & 0x03;
5027 hdr[1] = 0;
5028 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5029 gtk, gtk_len);
5030 }
0c3bc1be 5031#ifdef CONFIG_IEEE80211W
d8afdb21
JM		 5032 opos = pos;
5033 pos = ieee80211w_kde_add(sm, pos);
9f917339
MV		 5034 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5035 /* skip KDE header and keyid */
5036 opos += 2 + RSN_SELECTOR_LEN + 2;
d8afdb21
JM		 5037 os_memset(opos, 0, 6); /* clear PN */
5038 }
0c3bc1be 5039#endif /* CONFIG_IEEE80211W */
17c2559c
MV		 5040 if (ocv_oci_add(sm, &pos) < 0) {
5041 os_free(kde);
5042 return -1;
5043 }
d8afdb21
JM		 5044
5045#ifdef CONFIG_IEEE80211R_AP
5046 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5047 int res;
5048 struct wpa_auth_config *conf;
5049
5050 conf = &sm->wpa_auth->conf;
5051 if (sm->assoc_resp_ftie &&
5052 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
5053 os_memcpy(pos, sm->assoc_resp_ftie,
5054 2 + sm->assoc_resp_ftie[1]);
5055 res = 2 + sm->assoc_resp_ftie[1];
5056 } else {
a7968ea5
JM		 5057 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
5058
5059 res = wpa_write_ftie(conf, use_sha384,
5060 conf->r0_key_holder,
d8afdb21
JM		 5061 conf->r0_key_holder_len,
5062 NULL, NULL, pos,
5063 kde + kde_len - pos,
5064 NULL, 0);
5065 }
5066 if (res < 0) {
5067 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
5068 "into EAPOL-Key Key Data");
5069 os_free(kde);
5070 return -1;
5071 }
5072 pos += res;
5073
5074 /* TIE[ReassociationDeadline] (TU) */
5075 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5076 *pos++ = 5;
5077 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
5078 WPA_PUT_LE32(pos, conf->reassociation_deadline);
5079 pos += 4;
5080
5081 /* TIE[KeyLifetime] (seconds) */
5082 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5083 *pos++ = 5;
5084 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
83fe4bd3 5085 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
d8afdb21
JM		 5086 pos += 4;
5087 }
5088#endif /* CONFIG_IEEE80211R_AP */
5089
5090 wpa_send_eapol(sm->wpa_auth, sm,
5091 (secure ? WPA_KEY_INFO_SECURE : 0) |
5092 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5093 WPA_KEY_INFO_MIC : 0) |
5094 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5095 WPA_KEY_INFO_KEY_TYPE,
5096 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
5097 os_free(kde);
5098 return 0;
5099}
5100
5101
3d695328
JM		 5102int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
5103 void (*cb)(void *ctx1, void *ctx2),
5104 void *ctx1, void *ctx2)
6bc2f00f
JM		 5105{
5106 u8 rsc[WPA_KEY_RSC_LEN];
5107 struct wpa_group *gsm = sm->group;
5108 const u8 *kde;
0c3bc1be
LD		 5109 u8 *kde_buf = NULL, *pos, hdr[2];
5110#ifdef CONFIG_IEEE80211W
5111 u8 *opos;
5112#endif /* CONFIG_IEEE80211W */
6bc2f00f
JM		 5113 size_t kde_len;
5114 u8 *gtk;
5115
5116 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5117 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5118 /* Use 0 RSC */
5119 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5120 "sending 1/2 msg of Group Key Handshake (TESTING)");
5121
5122 gtk = gsm->GTK[gsm->GN - 1];
5123 if (sm->wpa == WPA_VERSION_WPA2) {
5124 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
17c2559c 5125 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
6bc2f00f
JM		 5126 kde_buf = os_malloc(kde_len);
5127 if (kde_buf == NULL)
5128 return -1;
5129
5130 kde = pos = kde_buf;
5131 hdr[0] = gsm->GN & 0x03;
5132 hdr[1] = 0;
5133 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5134 gtk, gsm->GTK_len);
0c3bc1be 5135#ifdef CONFIG_IEEE80211W
6bc2f00f
JM		 5136 opos = pos;
5137 pos = ieee80211w_kde_add(sm, pos);
9f917339
MV		 5138 if (pos - opos >=
5139 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5140 /* skip KDE header and keyid */
5141 opos += 2 + RSN_SELECTOR_LEN + 2;
6bc2f00f
JM		 5142 os_memset(opos, 0, 6); /* clear PN */
5143 }
0c3bc1be 5144#endif /* CONFIG_IEEE80211W */
17c2559c
MV		 5145 if (ocv_oci_add(sm, &pos) < 0) {
5146 os_free(kde_buf);
5147 return -1;
5148 }
6bc2f00f
JM		 5149 kde_len = pos - kde;
5150 } else {
5151 kde = gtk;
5152 kde_len = gsm->GTK_len;
5153 }
5154
3d695328
JM		 5155 sm->eapol_status_cb = cb;
5156 sm->eapol_status_cb_ctx1 = ctx1;
5157 sm->eapol_status_cb_ctx2 = ctx2;
5158
6bc2f00f
JM		 5159 wpa_send_eapol(sm->wpa_auth, sm,
5160 WPA_KEY_INFO_SECURE |
5161 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5162 WPA_KEY_INFO_MIC : 0) |
5163 WPA_KEY_INFO_ACK |
5164 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5165 rsc, NULL, kde, kde_len, gsm->GN, 1);
5166
5167 os_free(kde_buf);
5168 return 0;
5169}
d8afdb21 5170
92662fb2
JB		 5171
5172int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
5173{
5174 if (!wpa_auth)
5175 return -1;
5176 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
5177 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
5178}
5179
6bc2f00f 5180#endif /* CONFIG_TESTING_OPTIONS */
Unnamed repository; edit this file 'description' to name the repository.