]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FILS: Fix KEK2 derivation for FILS+FT
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
bb05d036 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
17c2559c 16#include "common/ocv.h"
3b5b7aa8 17#include "crypto/aes.h"
03da66bd 18#include "crypto/aes_wrap.h"
3b5b7aa8 19#include "crypto/aes_siv.h"
03da66bd
JM		 20#include "crypto/crypto.h"
21#include "crypto/sha1.h"
22#include "crypto/sha256.h"
c6eb3e34 23#include "crypto/sha384.h"
3642c431 24#include "crypto/random.h"
281c950b 25#include "eapol_auth/eapol_auth_sm.h"
17c2559c 26#include "drivers/driver.h"
6226e38d 27#include "ap_config.h"
6fc6879b 28#include "ieee802_11.h"
6226e38d
JM		 29#include "wpa_auth.h"
30#include "pmksa_cache_auth.h"
6fc6879b
JM		 31#include "wpa_auth_i.h"
32#include "wpa_auth_ie.h"
33
34#define STATE_MACHINE_DATA struct wpa_state_machine
35#define STATE_MACHINE_DEBUG_PREFIX "WPA"
36#define STATE_MACHINE_ADDR sm->addr
37
38
39static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 40static int wpa_sm_step(struct wpa_state_machine *sm);
567da5bb
JM		 41static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
42 u8 *data, size_t data_len);
75c8563e
JM		 43#ifdef CONFIG_FILS
44static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
45 u8 *buf, size_t buf_len, u16 *_key_data_len);
9392859d
JM		 46static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
47 const struct wpabuf *hlp);
75c8563e 48#endif /* CONFIG_FILS */
6fc6879b
JM		 49static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
50static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
581a8cde 52static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 53static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
54 struct wpa_group *group);
1bdb7ab3
JM		 55static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
f23c5b17 57static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 58 const u8 *pmk, unsigned int pmk_len,
59 struct wpa_ptk *ptk);
a0ad9e8c
MB		 60static void wpa_group_free(struct wpa_authenticator *wpa_auth,
61 struct wpa_group *group);
62static void wpa_group_get(struct wpa_authenticator *wpa_auth,
63 struct wpa_group *group);
64static void wpa_group_put(struct wpa_authenticator *wpa_auth,
65 struct wpa_group *group);
e73ffa09 66static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 67
bae61562
JM		 68static const u32 eapol_key_timeout_first = 100; /* ms */
69static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 70static const u32 eapol_key_timeout_first_group = 500; /* ms */
6f234c1e 71static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
6fc6879b
JM		 72
73/* TODO: make these configurable */
74static const int dot11RSNAConfigPMKLifetime = 43200;
75static const int dot11RSNAConfigPMKReauthThreshold = 70;
76static const int dot11RSNAConfigSATimeout = 60;
77
78
c772d054 79static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 80 struct wpa_authenticator *wpa_auth, const u8 *addr)
81{
cef8fac0
JB		 82 if (wpa_auth->cb->mic_failure_report)
83 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 84 return 0;
6fc6879b
JM		 85}
86
87
2c502460
JM		 88static inline void wpa_auth_psk_failure_report(
89 struct wpa_authenticator *wpa_auth, const u8 *addr)
90{
cef8fac0
JB		 91 if (wpa_auth->cb->psk_failure_report)
92 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 93}
94
95
6fc6879b
JM		 96static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
97 const u8 *addr, wpa_eapol_variable var,
98 int value)
99{
cef8fac0
JB		 100 if (wpa_auth->cb->set_eapol)
101 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 102}
103
104
105static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
106 const u8 *addr, wpa_eapol_variable var)
107{
cef8fac0 108 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 109 return -1;
cef8fac0 110 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 111}
112
113
114static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 115 const u8 *addr,
116 const u8 *p2p_dev_addr,
dbfa691d
JM		 117 const u8 *prev_psk, size_t *psk_len,
118 int *vlan_id)
6fc6879b 119{
cef8fac0 120 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 121 return NULL;
cef8fac0 122 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
dbfa691d 123 prev_psk, psk_len, vlan_id);
6fc6879b
JM		 124}
125
126
127static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
128 const u8 *addr, u8 *msk, size_t *len)
129{
cef8fac0 130 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 131 return -1;
cef8fac0 132 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 133}
134
135
136static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
137 int vlan_id,
71934751 138 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 139 u8 *key, size_t key_len)
140{
cef8fac0 141 if (wpa_auth->cb->set_key == NULL)
6fc6879b 142 return -1;
cef8fac0
JB		 143 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
144 key, key_len);
6fc6879b
JM		 145}
146
147
148static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
149 const u8 *addr, int idx, u8 *seq)
150{
cef8fac0 151 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 152 return -1;
cef8fac0 153 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 154}
155
156
6fc6879b
JM		 157static inline int
158wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
159 const u8 *data, size_t data_len, int encrypt)
160{
cef8fac0 161 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 162 return -1;
cef8fac0
JB		 163 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
164 encrypt);
6fc6879b
JM		 165}
166
167
c50d94f1
BC		 168#ifdef CONFIG_MESH
169static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
170 const u8 *addr)
171{
cef8fac0 172 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 173 return -1;
cef8fac0 174 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 175}
176#endif /* CONFIG_MESH */
177
178
6fc6879b
JM		 179int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
180 int (*cb)(struct wpa_state_machine *sm, void *ctx),
181 void *cb_ctx)
182{
cef8fac0 183 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 184 return 0;
cef8fac0 185 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 186}
187
188
bf98f7f3
JM		 189int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
190 int (*cb)(struct wpa_authenticator *a, void *ctx),
191 void *cb_ctx)
192{
cef8fac0 193 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 194 return 0;
cef8fac0 195 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 196}
197
198
6fc6879b
JM		 199void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
200 logger_level level, const char *txt)
201{
cef8fac0 202 if (wpa_auth->cb->logger == NULL)
6fc6879b 203 return;
cef8fac0 204 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 205}
206
207
208void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
209 logger_level level, const char *fmt, ...)
210{
211 char *format;
212 int maxlen;
213 va_list ap;
214
cef8fac0 215 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 216 return;
217
218 maxlen = os_strlen(fmt) + 100;
219 format = os_malloc(maxlen);
220 if (!format)
221 return;
222
223 va_start(ap, fmt);
224 vsnprintf(format, maxlen, fmt, ap);
225 va_end(ap);
226
227 wpa_auth_logger(wpa_auth, addr, level, format);
228
229 os_free(format);
230}
231
232
233static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
567da5bb 234 const u8 *addr, u16 reason)
6fc6879b 235{
cef8fac0 236 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 237 return;
567da5bb
JM		 238 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
239 MAC2STR(addr), reason);
240 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
6fc6879b
JM		 241}
242
243
17c2559c
MV		 244#ifdef CONFIG_OCV
245static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
246 struct wpa_channel_info *ci)
247{
248 if (!wpa_auth->cb->channel_info)
249 return -1;
250 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
251}
252#endif /* CONFIG_OCV */
253
254
dbfa691d
JM		 255static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
256 const u8 *addr, int vlan_id)
257{
258 if (!wpa_auth->cb->update_vlan)
259 return -1;
260 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
261}
262
263
6fc6879b
JM		 264static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
265{
266 struct wpa_authenticator *wpa_auth = eloop_ctx;
267
3642c431 268 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 269 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
270 "initialization.");
271 } else {
272 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 273 wpa_hexdump_key(MSG_DEBUG, "GMK",
274 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 275 }
276
277 if (wpa_auth->conf.wpa_gmk_rekey) {
278 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
279 wpa_rekey_gmk, wpa_auth, NULL);
280 }
281}
282
283
284static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
285{
286 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 287 struct wpa_group *group, *next;
6fc6879b
JM		 288
289 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 290 group = wpa_auth->group;
291 while (group) {
292 wpa_group_get(wpa_auth, group);
293
6fc6879b
JM		 294 group->GTKReKey = TRUE;
295 do {
296 group->changed = FALSE;
297 wpa_group_sm_step(wpa_auth, group);
298 } while (group->changed);
a0ad9e8c
MB		 299
300 next = group->next;
301 wpa_group_put(wpa_auth, group);
302 group = next;
6fc6879b
JM		 303 }
304
305 if (wpa_auth->conf.wpa_group_rekey) {
306 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
307 0, wpa_rekey_gtk, wpa_auth, NULL);
308 }
309}
310
311
581a8cde
JM		 312static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
313{
314 struct wpa_authenticator *wpa_auth = eloop_ctx;
315 struct wpa_state_machine *sm = timeout_ctx;
316
317 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
318 wpa_request_new_ptk(sm);
319 wpa_sm_step(sm);
320}
321
322
6fc6879b
JM		 323static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
324{
325 if (sm->pmksa == ctx)
326 sm->pmksa = NULL;
327 return 0;
328}
329
330
331static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
332 void *ctx)
333{
334 struct wpa_authenticator *wpa_auth = ctx;
335 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
336}
337
338
1bdb7ab3
JM		 339static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
340 struct wpa_group *group)
341{
559cdabb 342 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 343 u8 rkey[32];
559cdabb 344 unsigned long ptr;
1bdb7ab3 345
3642c431 346 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 347 return -1;
348 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
349
350 /*
351 * Counter = PRF-256(Random number, "Init Counter",
352 * Local MAC Address || Time)
353 */
354 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
355 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 356 ptr = (unsigned long) group;
357 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
525923b1
JM		 358#ifdef TEST_FUZZ
359 os_memset(buf + ETH_ALEN, 0xab, 8);
360 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
361#endif /* TEST_FUZZ */
3642c431 362 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 363 return -1;
364
365 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
366 group->Counter, WPA_NONCE_LEN) < 0)
367 return -1;
368 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
369 group->Counter, WPA_NONCE_LEN);
370
371 return 0;
372}
373
374
e6965d4e 375static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 376 int vlan_id, int delay_init)
e6965d4e
JM		 377{
378 struct wpa_group *group;
e6965d4e
JM		 379
380 group = os_zalloc(sizeof(struct wpa_group));
381 if (group == NULL)
382 return NULL;
383
384 group->GTKAuthenticator = TRUE;
385 group->vlan_id = vlan_id;
c3550295 386 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 387
08704cd8
JM		 388 if (random_pool_ready() != 1) {
389 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
390 "for secure operations - update keys later when "
391 "the first station connects");
392 }
393
1bdb7ab3
JM		 394 /*
395 * Set initial GMK/Counter value here. The actual values that will be
396 * used in negotiations will be set once the first station tries to
397 * connect. This allows more time for collecting additional randomness
398 * on embedded devices.
6fc6879b 399 */
1bdb7ab3 400 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 401 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
402 "initialization.");
403 os_free(group);
404 return NULL;
405 }
6fc6879b
JM		 406
407 group->GInit = TRUE;
bdffdc5d
JM		 408 if (delay_init) {
409 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
410 "until Beacon frames have been configured");
411 /* Initialization is completed in wpa_init_keys(). */
412 } else {
413 wpa_group_sm_step(wpa_auth, group);
414 group->GInit = FALSE;
415 wpa_group_sm_step(wpa_auth, group);
416 }
6fc6879b
JM		 417
418 return group;
419}
420
421
422/**
423 * wpa_init - Initialize WPA authenticator
424 * @addr: Authenticator address
425 * @conf: Configuration for WPA authenticator
a17df5fb 426 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 427 * Returns: Pointer to WPA authenticator data or %NULL on failure
428 */
429struct wpa_authenticator * wpa_init(const u8 *addr,
430 struct wpa_auth_config *conf,
cef8fac0
JB		 431 const struct wpa_auth_callbacks *cb,
432 void *cb_ctx)
6fc6879b
JM		 433{
434 struct wpa_authenticator *wpa_auth;
435
436 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
437 if (wpa_auth == NULL)
438 return NULL;
439 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
440 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 441 wpa_auth->cb = cb;
442 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 443
444 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
445 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
446 os_free(wpa_auth);
447 return NULL;
448 }
449
bdffdc5d 450 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 451 if (wpa_auth->group == NULL) {
452 os_free(wpa_auth->wpa_ie);
453 os_free(wpa_auth);
454 return NULL;
455 }
456
4bb081f1
JM		 457 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
458 wpa_auth);
6fc6879b
JM		 459 if (wpa_auth->pmksa == NULL) {
460 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 461 os_free(wpa_auth->group);
6fc6879b
JM		 462 os_free(wpa_auth->wpa_ie);
463 os_free(wpa_auth);
464 return NULL;
465 }
466
4ec1fd8e 467#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 468 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
469 if (wpa_auth->ft_pmk_cache == NULL) {
470 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 471 os_free(wpa_auth->group);
6fc6879b 472 os_free(wpa_auth->wpa_ie);
4bb081f1 473 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 474 os_free(wpa_auth);
475 return NULL;
476 }
4ec1fd8e 477#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 478
479 if (wpa_auth->conf.wpa_gmk_rekey) {
480 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
481 wpa_rekey_gmk, wpa_auth, NULL);
482 }
483
484 if (wpa_auth->conf.wpa_group_rekey) {
485 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
486 wpa_rekey_gtk, wpa_auth, NULL);
487 }
488
25ef8529
JM		 489#ifdef CONFIG_P2P
490 if (WPA_GET_BE32(conf->ip_addr_start)) {
491 int count = WPA_GET_BE32(conf->ip_addr_end) -
492 WPA_GET_BE32(conf->ip_addr_start) + 1;
493 if (count > 1000)
494 count = 1000;
495 if (count > 0)
496 wpa_auth->ip_pool = bitfield_alloc(count);
497 }
498#endif /* CONFIG_P2P */
499
6fc6879b
JM		 500 return wpa_auth;
501}
502
503
bdffdc5d
JM		 504int wpa_init_keys(struct wpa_authenticator *wpa_auth)
505{
506 struct wpa_group *group = wpa_auth->group;
507
508 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
509 "keys");
510 wpa_group_sm_step(wpa_auth, group);
511 group->GInit = FALSE;
512 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 513 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
514 return -1;
bdffdc5d
JM		 515 return 0;
516}
517
518
6fc6879b
JM		 519/**
520 * wpa_deinit - Deinitialize WPA authenticator
521 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
522 */
523void wpa_deinit(struct wpa_authenticator *wpa_auth)
524{
525 struct wpa_group *group, *prev;
526
527 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
528 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
529
4bb081f1 530 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 531
4ec1fd8e 532#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 533 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
534 wpa_auth->ft_pmk_cache = NULL;
eefe8630 535 wpa_ft_deinit(wpa_auth);
4ec1fd8e 536#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 537
25ef8529
JM		 538#ifdef CONFIG_P2P
539 bitfield_free(wpa_auth->ip_pool);
540#endif /* CONFIG_P2P */
541
542
6fc6879b
JM		 543 os_free(wpa_auth->wpa_ie);
544
545 group = wpa_auth->group;
546 while (group) {
547 prev = group;
548 group = group->next;
549 os_free(prev);
550 }
551
552 os_free(wpa_auth);
553}
554
555
556/**
557 * wpa_reconfig - Update WPA authenticator configuration
558 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
559 * @conf: Configuration for WPA authenticator
560 */
561int wpa_reconfig(struct wpa_authenticator *wpa_auth,
562 struct wpa_auth_config *conf)
563{
e6965d4e 564 struct wpa_group *group;
6fc6879b
JM		 565 if (wpa_auth == NULL)
566 return 0;
567
568 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 569 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
570 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
571 return -1;
572 }
573
e6965d4e
JM		 574 /*
575 * Reinitialize GTK to make sure it is suitable for the new
576 * configuration.
577 */
578 group = wpa_auth->group;
c3550295 579 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 580 group->GInit = TRUE;
581 wpa_group_sm_step(wpa_auth, group);
582 group->GInit = FALSE;
583 wpa_group_sm_step(wpa_auth, group);
584
6fc6879b
JM		 585 return 0;
586}
587
588
589struct wpa_state_machine *
94ddef3e
JM		 590wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
591 const u8 *p2p_dev_addr)
6fc6879b
JM		 592{
593 struct wpa_state_machine *sm;
594
7d7f7be2
JM		 595 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
596 return NULL;
597
6fc6879b
JM		 598 sm = os_zalloc(sizeof(struct wpa_state_machine));
599 if (sm == NULL)
600 return NULL;
601 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 602 if (p2p_dev_addr)
603 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 604
605 sm->wpa_auth = wpa_auth;
606 sm->group = wpa_auth->group;
a0ad9e8c 607 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 608
609 return sm;
610}
611
612
6f9b5d16
JM		 613int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
614 struct wpa_state_machine *sm)
6fc6879b
JM		 615{
616 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 617 return -1;
6fc6879b 618
4ec1fd8e 619#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 620 if (sm->ft_completed) {
621 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
622 "FT authentication already completed - do not "
623 "start 4-way handshake");
3d4d2348
JM		 624 /* Go to PTKINITDONE state to allow GTK rekeying */
625 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 626 sm->Pair = TRUE;
6f9b5d16 627 return 0;
6fc6879b 628 }
4ec1fd8e 629#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 630
07e0117d
JM		 631#ifdef CONFIG_FILS
632 if (sm->fils_completed) {
633 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
634 "FILS authentication already completed - do not start 4-way handshake");
635 /* Go to PTKINITDONE state to allow GTK rekeying */
636 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 637 sm->Pair = TRUE;
07e0117d
JM		 638 return 0;
639 }
640#endif /* CONFIG_FILS */
641
6fc6879b 642 if (sm->started) {
22a299ee 643 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 644 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 645 return wpa_sm_step(sm);
6fc6879b
JM		 646 }
647
648 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
649 "start authentication");
650 sm->started = 1;
651
652 sm->Init = TRUE;
e4a6ea1d 653 if (wpa_sm_step(sm) == 1)
6f9b5d16 654 return 1; /* should not really happen */
6fc6879b
JM		 655 sm->Init = FALSE;
656 sm->AuthenticationRequest = TRUE;
6f9b5d16 657 return wpa_sm_step(sm);
6fc6879b
JM		 658}
659
660
a8d05fca
JM		 661void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
662{
663 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
664 * reassociates back to the same AP while the previous entry for the
665 * STA has not yet been removed. */
666 if (sm == NULL)
667 return;
668
669 sm->wpa_key_mgmt = 0;
670}
671
672
6fc6879b
JM		 673static void wpa_free_sta_sm(struct wpa_state_machine *sm)
674{
25ef8529
JM		 675#ifdef CONFIG_P2P
676 if (WPA_GET_BE32(sm->ip_addr)) {
677 u32 start;
678 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
679 "address %u.%u.%u.%u from " MACSTR,
680 sm->ip_addr[0], sm->ip_addr[1],
681 sm->ip_addr[2], sm->ip_addr[3],
682 MAC2STR(sm->addr));
683 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
684 bitfield_clear(sm->wpa_auth->ip_pool,
685 WPA_GET_BE32(sm->ip_addr) - start);
686 }
687#endif /* CONFIG_P2P */
2ade8ef2
JM		 688 if (sm->GUpdateStationKeys) {
689 sm->group->GKeyDoneStations--;
690 sm->GUpdateStationKeys = FALSE;
691 }
4ec1fd8e 692#ifdef CONFIG_IEEE80211R_AP
0f857f43 693 os_free(sm->assoc_resp_ftie);
692ec305 694 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 695#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 696 os_free(sm->last_rx_eapol_key);
697 os_free(sm->wpa_ie);
a0ad9e8c 698 wpa_group_put(sm->wpa_auth, sm->group);
10ec6a5f
JM		 699#ifdef CONFIG_DPP2
700 wpabuf_clear_free(sm->dpp_z);
701#endif /* CONFIG_DPP2 */
6fc6879b
JM		 702 os_free(sm);
703}
704
705
706void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
707{
708 if (sm == NULL)
709 return;
710
711 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
712 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
713 "strict rekeying - force GTK rekey since STA "
714 "is leaving");
3f5a1860
JB		 715 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
716 sm->wpa_auth, NULL) == -1)
717 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
718 NULL);
6fc6879b
JM		 719 }
720
721 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 722 sm->pending_1_of_4_timeout = 0;
6fc6879b 723 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 724 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3a46cf93
MB		 725#ifdef CONFIG_IEEE80211R_AP
726 wpa_ft_sta_deinit(sm);
727#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 728 if (sm->in_step_loop) {
729 /* Must not free state machine while wpa_sm_step() is running.
730 * Freeing will be completed in the end of wpa_sm_step(). */
731 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
732 "machine deinit for " MACSTR, MAC2STR(sm->addr));
733 sm->pending_deinit = 1;
734 } else
735 wpa_free_sta_sm(sm);
736}
737
738
739static void wpa_request_new_ptk(struct wpa_state_machine *sm)
740{
741 if (sm == NULL)
742 return;
743
744 sm->PTKRequest = TRUE;
745 sm->PTK_valid = 0;
746}
747
748
68921e24 749static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 750 const u8 *replay_counter)
751{
752 int i;
753 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 754 if (!ctr[i].valid)
22a299ee 755 break;
68921e24 756 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 757 WPA_REPLAY_COUNTER_LEN) == 0)
758 return 1;
759 }
760 return 0;
761}
762
763
68921e24
JM		 764static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
765 const u8 *replay_counter)
766{
767 int i;
768 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
769 if (ctr[i].valid &&
770 (replay_counter == NULL ||
771 os_memcmp(replay_counter, ctr[i].counter,
772 WPA_REPLAY_COUNTER_LEN) == 0))
773 ctr[i].valid = FALSE;
774 }
775}
776
777
4ec1fd8e 778#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 779static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
780 struct wpa_state_machine *sm,
781 struct wpa_eapol_ie_parse *kde)
782{
783 struct wpa_ie_data ie;
784 struct rsn_mdie *mdie;
785
786 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
787 ie.num_pmkid != 1 || ie.pmkid == NULL) {
788 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
789 "FT 4-way handshake message 2/4");
790 return -1;
791 }
792
793 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
794 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
795 sm->sup_pmk_r1_name, PMKID_LEN);
796
797 if (!kde->mdie || !kde->ftie) {
798 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
799 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
800 return -1;
801 }
802
803 mdie = (struct rsn_mdie *) (kde->mdie + 2);
804 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
805 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
806 MOBILITY_DOMAIN_ID_LEN) != 0) {
807 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
808 return -1;
809 }
810
811 if (sm->assoc_resp_ftie &&
812 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
813 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
814 2 + sm->assoc_resp_ftie[1]) != 0)) {
815 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
816 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
817 kde->ftie, kde->ftie_len);
818 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
819 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
820 return -1;
821 }
822
823 return 0;
824}
4ec1fd8e 825#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 826
827
c772d054
JM		 828static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
829 struct wpa_state_machine *sm, int group)
ec027805
JM		 830{
831 /* Supplicant reported a Michael MIC error */
832 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
833 "received EAPOL-Key Error Request "
834 "(STA detected Michael MIC failure (group=%d))",
835 group);
fbc72d32
JM		 836
837 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
838 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
839 "ignore Michael MIC failure report since "
840 "group cipher is not TKIP");
841 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
842 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
843 "ignore Michael MIC failure report since "
844 "pairwise cipher is not TKIP");
845 } else {
c772d054
JM		 846 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
847 return 1; /* STA entry was removed */
fbc72d32
JM		 848 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
849 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
850 }
ec027805
JM		 851
852 /*
853 * Error report is not a request for a new key handshake, but since
854 * Authenticator may do it, let's change the keys now anyway.
855 */
856 wpa_request_new_ptk(sm);
c772d054 857 return 0;
ec027805
JM		 858}
859
860
f23c5b17
JM		 861static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
862 size_t data_len)
863{
864 struct wpa_ptk PTK;
865 int ok = 0;
866 const u8 *pmk = NULL;
7a12edd1 867 size_t pmk_len;
dbfa691d 868 int vlan_id = 0;
f23c5b17 869
b729fd8d 870 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17 871 for (;;) {
e61fea6b
JM		 872 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
873 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
f23c5b17 874 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
dbfa691d
JM		 875 sm->p2p_dev_addr, pmk, &pmk_len,
876 &vlan_id);
f23c5b17
JM		 877 if (pmk == NULL)
878 break;
f9854c18
MK		 879#ifdef CONFIG_IEEE80211R_AP
880 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
881 os_memcpy(sm->xxkey, pmk, pmk_len);
882 sm->xxkey_len = pmk_len;
883 }
884#endif /* CONFIG_IEEE80211R_AP */
207976f0 885 } else {
f23c5b17 886 pmk = sm->PMK;
207976f0
JM		 887 pmk_len = sm->pmk_len;
888 }
f23c5b17 889
364c064a
JM		 890 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
891 break;
f23c5b17 892
567da5bb
JM		 893 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
894 data, data_len) == 0) {
b08c9ad0
MK		 895 os_memcpy(sm->PMK, pmk, pmk_len);
896 sm->pmk_len = pmk_len;
f23c5b17
JM		 897 ok = 1;
898 break;
899 }
900
f5e0a332
JM		 901 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
902 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
f23c5b17
JM		 903 break;
904 }
905
906 if (!ok) {
907 wpa_printf(MSG_DEBUG,
908 "WPA: Earlier SNonce did not result in matching MIC");
909 return -1;
910 }
911
912 wpa_printf(MSG_DEBUG,
913 "WPA: Earlier SNonce resulted in matching MIC");
914 sm->alt_snonce_valid = 0;
dbfa691d
JM		 915
916 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
917 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
918 return -1;
919
f23c5b17
JM		 920 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
921 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
922 sm->PTK_valid = TRUE;
923
924 return 0;
925}
926
927
6fc6879b
JM		 928void wpa_receive(struct wpa_authenticator *wpa_auth,
929 struct wpa_state_machine *sm,
930 u8 *data, size_t data_len)
931{
932 struct ieee802_1x_hdr *hdr;
933 struct wpa_eapol_key *key;
934 u16 key_info, key_data_length;
a0bf1b68 935 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
6fc6879b
JM		 936 char *msgtxt;
937 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 938 const u8 *key_data;
939 size_t keyhdrlen, mic_len;
6d014ffc 940 u8 *mic;
6fc6879b
JM		 941
942 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
943 return;
dc5bad48 944 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 945
567da5bb 946 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 947 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 948
dc5bad48
JM		 949 if (data_len < sizeof(*hdr) + keyhdrlen) {
950 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 951 return;
dc5bad48 952 }
6fc6879b
JM		 953
954 hdr = (struct ieee802_1x_hdr *) data;
955 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 956 mic = (u8 *) (key + 1);
6fc6879b 957 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 958 key_data = mic + mic_len + 2;
959 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 960 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 961 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
962 MAC2STR(sm->addr), key_info, key->type,
963 (unsigned int) mic_len, key_data_length);
964 wpa_hexdump(MSG_MSGDUMP,
965 "WPA: EAPOL-Key header (ending before Key MIC)",
966 key, sizeof(*key));
967 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
968 mic, mic_len);
5e3b5197 969 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 970 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
971 "key_data overflow (%d > %lu)",
972 key_data_length,
973 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 974 keyhdrlen));
6fc6879b
JM		 975 return;
976 }
977
f8e96eb6 978 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 979 if (key->type == EAPOL_KEY_TYPE_WPA) {
980 /*
981 * Some deployed station implementations seem to send
982 * msg 4/4 with incorrect type value in WPA2 mode.
983 */
984 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
985 "with unexpected WPA type in RSN mode");
986 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 987 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
988 "unexpected type %d in RSN mode",
989 key->type);
990 return;
991 }
992 } else {
993 if (key->type != EAPOL_KEY_TYPE_WPA) {
994 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
995 "unexpected type %d in WPA mode",
996 key->type);
997 return;
998 }
999 }
1000
bc8318ac
JM		 1001 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1002 WPA_NONCE_LEN);
1003 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1004 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1005
6fc6879b
JM		 1006 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1007 * are set */
1008
a0bf1b68
JM		 1009 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1010 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1011 return;
1012 }
1013
1014 if (key_info & WPA_KEY_INFO_REQUEST) {
6fc6879b
JM		 1015 msg = REQUEST;
1016 msgtxt = "Request";
1017 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1018 msg = GROUP_2;
1019 msgtxt = "2/2 Group";
3b5b7aa8
JM		 1020 } else if (key_data_length == 0 ||
1021 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1022 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 1023 msg = PAIRWISE_4;
1024 msgtxt = "4/4 Pairwise";
1025 } else {
1026 msg = PAIRWISE_2;
1027 msgtxt = "2/4 Pairwise";
1028 }
1029
6fc6879b
JM		 1030 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1031 msg == GROUP_2) {
1032 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1033 if (sm->pairwise == WPA_CIPHER_CCMP ||
1034 sm->pairwise == WPA_CIPHER_GCMP) {
4bc801ab
JM		 1035 if (wpa_use_cmac(sm->wpa_key_mgmt) &&
1036 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1037 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1038 wpa_auth_logger(wpa_auth, sm->addr,
1039 LOGGER_WARNING,
1040 "advertised support for "
1041 "AES-128-CMAC, but did not "
1042 "use it");
1043 return;
1044 }
1045
4bc801ab
JM		 1046 if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
1047 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1048 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1049 wpa_auth_logger(wpa_auth, sm->addr,
1050 LOGGER_WARNING,
1051 "did not use HMAC-SHA1-AES "
eb7719ff 1052 "with CCMP/GCMP");
6fc6879b
JM		 1053 return;
1054 }
1055 }
929a2ea5 1056
4bc801ab 1057 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
929a2ea5
JM		 1058 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1059 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1060 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1061 return;
1062 }
6fc6879b
JM		 1063 }
1064
1065 if (key_info & WPA_KEY_INFO_REQUEST) {
1066 if (sm->req_replay_counter_used &&
1067 os_memcmp(key->replay_counter, sm->req_replay_counter,
1068 WPA_REPLAY_COUNTER_LEN) <= 0) {
1069 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1070 "received EAPOL-Key request with "
1071 "replayed counter");
1072 return;
1073 }
1074 }
1075
1076 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1077 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1078 int i;
68921e24
JM		 1079
1080 if (msg == PAIRWISE_2 &&
1081 wpa_replay_counter_valid(sm->prev_key_replay,
1082 key->replay_counter) &&
1083 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1084 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1085 {
1086 /*
1087 * Some supplicant implementations (e.g., Windows XP
1088 * WZC) update SNonce for each EAPOL-Key 2/4. This
1089 * breaks the workaround on accepting any of the
1090 * pending requests, so allow the SNonce to be updated
1091 * even if we have already sent out EAPOL-Key 3/4.
1092 */
1093 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1094 "Process SNonce update from STA "
1095 "based on retransmitted EAPOL-Key "
1096 "1/4");
1097 sm->update_snonce = 1;
f23c5b17
JM		 1098 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1099 sm->alt_snonce_valid = TRUE;
1100 os_memcpy(sm->alt_replay_counter,
1101 sm->key_replay[0].counter,
1102 WPA_REPLAY_COUNTER_LEN);
1103 goto continue_processing;
1104 }
1105
1106 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1107 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1108 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1109 WPA_REPLAY_COUNTER_LEN) == 0) {
1110 /*
1111 * Supplicant may still be using the old SNonce since
1112 * there was two EAPOL-Key 2/4 messages and they had
1113 * different SNonce values.
1114 */
1115 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1116 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1117 goto continue_processing;
1118 }
1119
1120 if (msg == PAIRWISE_2 &&
1121 wpa_replay_counter_valid(sm->prev_key_replay,
1122 key->replay_counter) &&
1123 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1124 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1125 "ignore retransmitted EAPOL-Key %s - "
1126 "SNonce did not change", msgtxt);
1127 } else {
1128 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1129 "received EAPOL-Key %s with "
1130 "unexpected replay counter", msgtxt);
1131 }
22a299ee
JM		 1132 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1133 if (!sm->key_replay[i].valid)
1134 break;
1135 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1136 sm->key_replay[i].counter,
1137 WPA_REPLAY_COUNTER_LEN);
1138 }
6fc6879b
JM		 1139 wpa_hexdump(MSG_DEBUG, "received replay counter",
1140 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1141 return;
1142 }
1143
68921e24 1144continue_processing:
3b5b7aa8
JM		 1145#ifdef CONFIG_FILS
1146 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1147 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1148 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1149 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1150 return;
1151 }
1152#endif /* CONFIG_FILS */
1153
6fc6879b
JM		 1154 switch (msg) {
1155 case PAIRWISE_2:
1156 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1157 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1158 (!sm->update_snonce ||
1159 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1160 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1161 "received EAPOL-Key msg 2/4 in "
1162 "invalid state (%d) - dropped",
1163 sm->wpa_ptk_state);
1164 return;
1165 }
bbb921da 1166 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1167 if (sm->group->reject_4way_hs_for_entropy) {
1168 /*
1169 * The system did not have enough entropy to generate
1170 * strong random numbers. Reject the first 4-way
1171 * handshake(s) and collect some entropy based on the
1172 * information from it. Once enough entropy is
1173 * available, the next atempt will trigger GMK/Key
1174 * Counter update and the station will be allowed to
1175 * continue.
1176 */
1177 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1178 "collect more entropy for random number "
1179 "generation");
08704cd8 1180 random_mark_pool_ready();
567da5bb
JM		 1181 wpa_sta_disconnect(wpa_auth, sm->addr,
1182 WLAN_REASON_PREV_AUTH_NOT_VALID);
08704cd8
JM		 1183 return;
1184 }
6fc6879b
JM		 1185 break;
1186 case PAIRWISE_4:
1187 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1188 !sm->PTK_valid) {
1189 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1190 "received EAPOL-Key msg 4/4 in "
1191 "invalid state (%d) - dropped",
1192 sm->wpa_ptk_state);
1193 return;
1194 }
1195 break;
1196 case GROUP_2:
1197 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1198 || !sm->PTK_valid) {
1199 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1200 "received EAPOL-Key msg 2/2 in "
1201 "invalid state (%d) - dropped",
1202 sm->wpa_ptk_group_state);
1203 return;
1204 }
1205 break;
6fc6879b
JM		 1206 case REQUEST:
1207 break;
1208 }
1209
1210 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1211 "received EAPOL-Key frame (%s)", msgtxt);
1212
1213 if (key_info & WPA_KEY_INFO_ACK) {
1214 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1215 "received invalid EAPOL-Key: Key Ack set");
1216 return;
1217 }
1218
b9866483
JM		 1219 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1220 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1221 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1222 "received invalid EAPOL-Key: Key MIC not set");
1223 return;
1224 }
1225
b9866483
JM		 1226#ifdef CONFIG_FILS
1227 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1228 (key_info & WPA_KEY_INFO_MIC)) {
1229 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1230 "received invalid EAPOL-Key: Key MIC set");
1231 return;
1232 }
1233#endif /* CONFIG_FILS */
1234
6fc6879b 1235 sm->MICVerified = FALSE;
68921e24 1236 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8 1237 if (mic_len &&
567da5bb
JM		 1238 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1239 data, data_len) &&
f23c5b17
JM		 1240 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1241 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1242 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1243 "received EAPOL-Key with invalid MIC");
525923b1
JM		 1244#ifdef TEST_FUZZ
1245 wpa_printf(MSG_INFO,
1246 "TEST: Ignore Key MIC failure for fuzz testing");
1247 goto continue_fuzz;
1248#endif /* TEST_FUZZ */
6fc6879b
JM		 1249 return;
1250 }
75c8563e
JM		 1251#ifdef CONFIG_FILS
1252 if (!mic_len &&
1253 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1254 &key_data_length) < 0) {
1255 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1256 "received EAPOL-Key with invalid MIC");
525923b1
JM		 1257#ifdef TEST_FUZZ
1258 wpa_printf(MSG_INFO,
1259 "TEST: Ignore Key MIC failure for fuzz testing");
1260 goto continue_fuzz;
1261#endif /* TEST_FUZZ */
75c8563e
JM		 1262 return;
1263 }
1264#endif /* CONFIG_FILS */
525923b1
JM		 1265#ifdef TEST_FUZZ
1266 continue_fuzz:
1267#endif /* TEST_FUZZ */
6fc6879b
JM		 1268 sm->MICVerified = TRUE;
1269 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1270 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1271 }
1272
1273 if (key_info & WPA_KEY_INFO_REQUEST) {
1274 if (sm->MICVerified) {
1275 sm->req_replay_counter_used = 1;
1276 os_memcpy(sm->req_replay_counter, key->replay_counter,
1277 WPA_REPLAY_COUNTER_LEN);
1278 } else {
1279 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1280 "received EAPOL-Key request with "
1281 "invalid MIC");
1282 return;
1283 }
1284
1285 /*
1286 * TODO: should decrypt key data field if encryption was used;
1287 * even though MAC address KDE is not normally encrypted,
1288 * supplicant is allowed to encrypt it.
1289 */
a0bf1b68 1290 if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1291 if (wpa_receive_error_report(
1292 wpa_auth, sm,
1293 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1294 return; /* STA entry was removed */
6fc6879b
JM		 1295 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1296 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1297 "received EAPOL-Key Request for new "
1298 "4-Way Handshake");
1299 wpa_request_new_ptk(sm);
6fc6879b 1300 } else if (key_data_length > 0 &&
5e3b5197
JM		 1301 wpa_parse_kde_ies(key_data, key_data_length,
1302 &kde) == 0 &&
6fc6879b
JM		 1303 kde.mac_addr) {
1304 } else {
1305 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1306 "received EAPOL-Key Request for GTK "
1307 "rekeying");
6fc6879b
JM		 1308 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1309 wpa_rekey_gtk(wpa_auth, NULL);
1310 }
1311 } else {
68921e24
JM		 1312 /* Do not allow the same key replay counter to be reused. */
1313 wpa_replay_counter_mark_invalid(sm->key_replay,
1314 key->replay_counter);
1315
1316 if (msg == PAIRWISE_2) {
1317 /*
1318 * Maintain a copy of the pending EAPOL-Key frames in
1319 * case the EAPOL-Key frame was retransmitted. This is
1320 * needed to allow EAPOL-Key msg 2/4 reply to another
1321 * pending msg 1/4 to update the SNonce to work around
1322 * unexpected supplicant behavior.
1323 */
1324 os_memcpy(sm->prev_key_replay, sm->key_replay,
1325 sizeof(sm->key_replay));
1326 } else {
1327 os_memset(sm->prev_key_replay, 0,
1328 sizeof(sm->prev_key_replay));
1329 }
1330
1331 /*
1332 * Make sure old valid counters are not accepted anymore and
1333 * do not get copied again.
1334 */
1335 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1336 }
1337
6fc6879b 1338 os_free(sm->last_rx_eapol_key);
a1f11e34 1339 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1340 if (sm->last_rx_eapol_key == NULL)
1341 return;
6fc6879b
JM		 1342 sm->last_rx_eapol_key_len = data_len;
1343
0d442aff 1344 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1345 sm->EAPOLKeyReceived = TRUE;
1346 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1347 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1348 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1349 wpa_sm_step(sm);
1350}
1351
1352
3c7302c2
JM		 1353static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1354 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1355{
c6eb3e34 1356 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
5cb9d5c3 1357 u8 *pos;
3c7302c2 1358 int ret = 0;
6fc6879b 1359
5cb9d5c3
JM		 1360 /* GTK = PRF-X(GMK, "Group key expansion",
1361 * AA || GNonce || Time || random data)
1362 * The example described in the IEEE 802.11 standard uses only AA and
1363 * GNonce as inputs here. Add some more entropy since this derivation
1364 * is done only at the Authenticator and as such, does not need to be
1365 * exactly same.
1366 */
c6eb3e34 1367 os_memset(data, 0, sizeof(data));
6fc6879b
JM		 1368 os_memcpy(data, addr, ETH_ALEN);
1369 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1370 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1371 wpa_get_ntp_timestamp(pos);
525923b1
JM		 1372#ifdef TEST_FUZZ
1373 os_memset(pos, 0xef, 8);
1374#endif /* TEST_FUZZ */
5cb9d5c3 1375 pos += 8;
c6eb3e34 1376 if (random_get_bytes(pos, gtk_len) < 0)
3c7302c2 1377 ret = -1;
6fc6879b 1378
c6eb3e34
JM		 1379#ifdef CONFIG_SHA384
1380 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1381 gtk, gtk_len) < 0)
3c7302c2 1382 ret = -1;
c6eb3e34
JM		 1383#else /* CONFIG_SHA384 */
1384#ifdef CONFIG_SHA256
1385 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1386 gtk, gtk_len) < 0)
1387 ret = -1;
1388#else /* CONFIG_SHA256 */
1389 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1390 gtk, gtk_len) < 0)
1391 ret = -1;
1392#endif /* CONFIG_SHA256 */
1393#endif /* CONFIG_SHA384 */
3c7302c2
JM		 1394
1395 return ret;
6fc6879b
JM		 1396}
1397
1398
1399static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1400{
1401 struct wpa_authenticator *wpa_auth = eloop_ctx;
1402 struct wpa_state_machine *sm = timeout_ctx;
1403
e4bf4db9 1404 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1405 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1406 sm->TimeoutEvt = TRUE;
1407 wpa_sm_step(sm);
1408}
1409
1410
1411void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1412 struct wpa_state_machine *sm, int key_info,
1413 const u8 *key_rsc, const u8 *nonce,
1414 const u8 *kde, size_t kde_len,
1415 int keyidx, int encr, int force_version)
1416{
1417 struct ieee802_1x_hdr *hdr;
1418 struct wpa_eapol_key *key;
5e3b5197 1419 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1420 int alg;
1421 int key_data_len, pad_len = 0;
1422 u8 *buf, *pos;
1423 int version, pairwise;
22a299ee 1424 int i;
6d014ffc 1425 u8 *key_mic, *key_data;
6fc6879b 1426
567da5bb 1427 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 1428 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1429
1430 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1431
1432 if (force_version)
1433 version = force_version;
4bc801ab 1434 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
a14896e8 1435 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
4bc801ab 1436 else if (wpa_use_cmac(sm->wpa_key_mgmt))
6fc6879b 1437 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1438 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1439 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1440 else
1441 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1442
8543ed8a 1443 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1444
1445 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1446 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1447 "encr=%d)",
1448 version,
1449 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1450 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1451 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1452 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1453 pairwise, (unsigned long) kde_len, keyidx, encr);
1454
1455 key_data_len = kde_len;
1456
1457 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
4bc801ab 1458 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1459 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1460 pad_len = key_data_len % 8;
1461 if (pad_len)
1462 pad_len = 8 - pad_len;
1463 key_data_len += pad_len + 8;
1464 }
1465
1466 len += key_data_len;
b729fd8d
JM		 1467 if (!mic_len && encr)
1468 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1469
1470 hdr = os_zalloc(len);
1471 if (hdr == NULL)
1472 return;
1473 hdr->version = wpa_auth->conf.eapol_version;
1474 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1475 hdr->length = host_to_be16(len - sizeof(*hdr));
1476 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1477 key_mic = (u8 *) (key + 1);
5e3b5197 1478 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1479
1480 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1481 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1482 key_info |= version;
1483 if (encr && sm->wpa == WPA_VERSION_WPA2)
1484 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1485 if (sm->wpa != WPA_VERSION_WPA2)
1486 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1487 WPA_PUT_BE16(key->key_info, key_info);
1488
1489 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
a0bf1b68 1490 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
6fc6879b 1491 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1492 else
1493 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b 1494
22a299ee
JM		 1495 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1496 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1497 os_memcpy(sm->key_replay[i].counter,
1498 sm->key_replay[i - 1].counter,
1499 WPA_REPLAY_COUNTER_LEN);
1500 }
1501 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1502 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1503 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1504 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1505 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1506 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1507
1508 if (nonce)
1509 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1510
1511 if (key_rsc)
1512 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1513
1514 if (kde && !encr) {
5e3b5197 1515 os_memcpy(key_data, kde, kde_len);
6d014ffc 1516 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d 1517#ifdef CONFIG_FILS
c05f96a3 1518 } else if (!mic_len && kde) {
b729fd8d
JM		 1519 const u8 *aad[1];
1520 size_t aad_len[1];
1521
1522 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1523 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1524 kde, kde_len);
1525
1526 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1527 sm->PTK.kek, sm->PTK.kek_len);
1528 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1529 * to Key Data (exclusive). */
1530 aad[0] = (u8 *) hdr;
1531 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1532 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1533 1, aad, aad_len, key_mic + 2) < 0) {
1534 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1535 return;
1536 }
1537
1538 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1539 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1540#endif /* CONFIG_FILS */
6fc6879b
JM		 1541 } else if (encr && kde) {
1542 buf = os_zalloc(key_data_len);
1543 if (buf == NULL) {
1544 os_free(hdr);
1545 return;
1546 }
1547 pos = buf;
1548 os_memcpy(pos, kde, kde_len);
1549 pos += kde_len;
1550
1551 if (pad_len)
1552 *pos++ = 0xdd;
1553
1554 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1555 buf, key_data_len);
1556 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
4bc801ab 1557 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
6fc6879b 1558 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1559 wpa_printf(MSG_DEBUG,
1560 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1561 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1562 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1563 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1564 os_free(hdr);
1565 os_free(buf);
1566 return;
1567 }
6d014ffc 1568 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1569#ifndef CONFIG_NO_RC4
98cd3d1c 1570 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1571 u8 ek[32];
ef9627cb
JM		 1572
1573 wpa_printf(MSG_DEBUG,
1574 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1575 os_memcpy(key->key_iv,
1576 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1577 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1578 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1579 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1580 os_memcpy(key_data, buf, key_data_len);
1581 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1582 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1583#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1584 } else {
1585 os_free(hdr);
1586 os_free(buf);
1587 return;
6fc6879b
JM		 1588 }
1589 os_free(buf);
1590 }
1591
1592 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1593 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1594 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1595 "PTK not valid when sending EAPOL-Key "
1596 "frame");
1597 os_free(hdr);
1598 return;
1599 }
5e3b5197 1600
beae255a
JM		 1601 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1602 sm->wpa_key_mgmt, version,
1603 (u8 *) hdr, len, key_mic) < 0) {
1604 os_free(hdr);
1605 return;
1606 }
7af092a0
JB		 1607#ifdef CONFIG_TESTING_OPTIONS
1608 if (!pairwise &&
06df2aa6 1609 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1610 drand48() <
1611 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1612 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1613 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1614 key_mic[0]++;
7af092a0
JB		 1615 }
1616#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1617 }
1618
1619 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1620 1);
1621 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1622 sm->pairwise_set);
1623 os_free(hdr);
1624}
1625
1626
1627static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1628 struct wpa_state_machine *sm, int key_info,
1629 const u8 *key_rsc, const u8 *nonce,
1630 const u8 *kde, size_t kde_len,
1631 int keyidx, int encr)
1632{
1633 int timeout_ms;
1634 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1635 u32 ctr;
6fc6879b
JM		 1636
1637 if (sm == NULL)
1638 return;
1639
1640 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1641 keyidx, encr, 0);
1642
bae61562 1643 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1644 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1645 timeout_ms = pairwise ? eapol_key_timeout_first :
1646 eapol_key_timeout_first_group;
bae61562
JM		 1647 else
1648 timeout_ms = eapol_key_timeout_subseq;
6f234c1e
JM		 1649 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1650 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1651 timeout_ms = eapol_key_timeout_no_retrans;
e4bf4db9
JM		 1652 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1653 sm->pending_1_of_4_timeout = 1;
525923b1
JM		 1654#ifdef TEST_FUZZ
1655 timeout_ms = 1;
1656#endif /* TEST_FUZZ */
e4bf4db9 1657 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1658 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1659 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1660 wpa_send_eapol_timeout, wpa_auth, sm);
1661}
1662
1663
567da5bb
JM		 1664static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1665 u8 *data, size_t data_len)
6fc6879b
JM		 1666{
1667 struct ieee802_1x_hdr *hdr;
1668 struct wpa_eapol_key *key;
1669 u16 key_info;
1670 int ret = 0;
6d014ffc 1671 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
567da5bb 1672 size_t mic_len = wpa_mic_len(akmp, pmk_len);
6fc6879b
JM		 1673
1674 if (data_len < sizeof(*hdr) + sizeof(*key))
1675 return -1;
1676
1677 hdr = (struct ieee802_1x_hdr *) data;
1678 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1679 mic_pos = (u8 *) (key + 1);
6fc6879b 1680 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1681 os_memcpy(mic, mic_pos, mic_len);
1682 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1683 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1684 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1685 data, data_len, mic_pos) ||
1686 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1687 ret = -1;
6d014ffc 1688 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1689 return ret;
1690}
1691
1692
1693void wpa_remove_ptk(struct wpa_state_machine *sm)
1694{
1695 sm->PTK_valid = FALSE;
1696 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1697 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1698 0))
1699 wpa_printf(MSG_DEBUG,
1700 "RSN: PTK removal from the driver failed");
6fc6879b 1701 sm->pairwise_set = FALSE;
581a8cde 1702 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1703}
1704
1705
bb119228 1706int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1707{
5d22a1d5
JM		 1708 int remove_ptk = 1;
1709
6fc6879b 1710 if (sm == NULL)
6f9b5d16 1711 return -1;
6fc6879b
JM		 1712
1713 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1714 "event %d notification", event);
1715
1716 switch (event) {
1717 case WPA_AUTH:
c50d94f1
BC		 1718#ifdef CONFIG_MESH
1719 /* PTKs are derived through AMPE */
1720 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1721 /* not mesh */
1722 break;
1723 }
1724 return 0;
1725#endif /* CONFIG_MESH */
6fc6879b
JM		 1726 case WPA_ASSOC:
1727 break;
1728 case WPA_DEAUTH:
1729 case WPA_DISASSOC:
1730 sm->DeauthenticationRequest = TRUE;
1731 break;
1732 case WPA_REAUTH:
1733 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1734 if (!sm->started) {
1735 /*
1736 * When using WPS, we may end up here if the STA
1737 * manages to re-associate without the previous STA
1738 * entry getting removed. Consequently, we need to make
1739 * sure that the WPA state machines gets initialized
1740 * properly at this point.
1741 */
1742 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1743 "started - initialize now");
1744 sm->started = 1;
1745 sm->Init = TRUE;
1746 if (wpa_sm_step(sm) == 1)
1747 return 1; /* should not really happen */
1748 sm->Init = FALSE;
1749 sm->AuthenticationRequest = TRUE;
1750 break;
1751 }
9663596f
JM		 1752 if (sm->GUpdateStationKeys) {
1753 /*
1754 * Reauthentication cancels the pending group key
1755 * update for this STA.
1756 */
1757 sm->group->GKeyDoneStations--;
1758 sm->GUpdateStationKeys = FALSE;
1759 sm->PtkGroupInit = TRUE;
1760 }
6fc6879b
JM		 1761 sm->ReAuthenticationRequest = TRUE;
1762 break;
1763 case WPA_ASSOC_FT:
4ec1fd8e 1764#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1765 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1766 "after association");
1767 wpa_ft_install_ptk(sm);
1768
6fc6879b
JM		 1769 /* Using FT protocol, not WPA auth state machine */
1770 sm->ft_completed = 1;
6f9b5d16 1771 return 0;
4ec1fd8e 1772#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1773 break;
4ec1fd8e 1774#endif /* CONFIG_IEEE80211R_AP */
957bff83
JM		 1775 case WPA_ASSOC_FILS:
1776#ifdef CONFIG_FILS
1777 wpa_printf(MSG_DEBUG,
1778 "FILS: TK configuration after association");
1779 fils_set_tk(sm);
1780 sm->fils_completed = 1;
1781 return 0;
1782#else /* CONFIG_FILS */
1783 break;
1784#endif /* CONFIG_FILS */
0e3bd7ac
MV		 1785 case WPA_DRV_STA_REMOVED:
1786 sm->tk_already_set = FALSE;
1787 return 0;
6fc6879b
JM		 1788 }
1789
4ec1fd8e 1790#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1791 sm->ft_completed = 0;
4ec1fd8e 1792#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1793
5d22a1d5
JM		 1794#ifdef CONFIG_IEEE80211W
1795 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1796 remove_ptk = 0;
1797#endif /* CONFIG_IEEE80211W */
78815f3d 1798#ifdef CONFIG_FILS
da24c5aa
JM		 1799 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1800 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1801 remove_ptk = 0;
1802#endif /* CONFIG_FILS */
6fc6879b 1803
5d22a1d5
JM		 1804 if (remove_ptk) {
1805 sm->PTK_valid = FALSE;
1806 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1807
1808 if (event != WPA_REAUTH_EAPOL)
1809 wpa_remove_ptk(sm);
1810 }
6fc6879b 1811
43f49c37
JM		 1812 if (sm->in_step_loop) {
1813 /*
1814 * wpa_sm_step() is already running - avoid recursive call to
1815 * it by making the existing loop process the new update.
1816 */
1817 sm->changed = TRUE;
1818 return 0;
1819 }
6f9b5d16 1820 return wpa_sm_step(sm);
6fc6879b
JM		 1821}
1822
1823
6fc6879b
JM		 1824SM_STATE(WPA_PTK, INITIALIZE)
1825{
1826 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1827 if (sm->Init) {
1828 /* Init flag is not cleared here, so avoid busy
1829 * loop by claiming nothing changed. */
1830 sm->changed = FALSE;
1831 }
1832
1833 sm->keycount = 0;
1834 if (sm->GUpdateStationKeys)
1835 sm->group->GKeyDoneStations--;
1836 sm->GUpdateStationKeys = FALSE;
1837 if (sm->wpa == WPA_VERSION_WPA)
1838 sm->PInitAKeys = FALSE;
1839 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1840 * Local AA > Remote AA)) */) {
1841 sm->Pair = TRUE;
1842 }
1843 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1844 wpa_remove_ptk(sm);
1845 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1846 sm->TimeoutCtr = 0;
a1ea1b45 1847 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 1848 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 1849 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1850 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1851 WPA_EAPOL_authorized, 0);
1852 }
1853}
1854
1855
1856SM_STATE(WPA_PTK, DISCONNECT)
1857{
567da5bb
JM		 1858 u16 reason = sm->disconnect_reason;
1859
6fc6879b
JM		 1860 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1861 sm->Disconnect = FALSE;
567da5bb
JM		 1862 sm->disconnect_reason = 0;
1863 if (!reason)
1864 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1865 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
6fc6879b
JM		 1866}
1867
1868
1869SM_STATE(WPA_PTK, DISCONNECTED)
1870{
1871 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1872 sm->DeauthenticationRequest = FALSE;
1873}
1874
1875
1876SM_STATE(WPA_PTK, AUTHENTICATION)
1877{
1878 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1879 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1880 sm->PTK_valid = FALSE;
1881 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1882 1);
1883 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1884 sm->AuthenticationRequest = FALSE;
1885}
1886
1887
40d00d2b
NC		 1888static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1889 struct wpa_group *group)
1bdb7ab3 1890{
40d00d2b
NC		 1891 if (group->first_sta_seen)
1892 return;
1bdb7ab3
JM		 1893 /*
1894 * System has run bit further than at the time hostapd was started
1895 * potentially very early during boot up. This provides better chances
1896 * of collecting more randomness on embedded systems. Re-initialize the
1897 * GMK and Counter here to improve their strength if there was not
1898 * enough entropy available immediately after system startup.
1899 */
1900 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1901 "station");
08704cd8
JM		 1902 if (random_pool_ready() != 1) {
1903 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1904 "to proceed - reject first 4-way handshake");
1905 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1906 } else {
1907 group->first_sta_seen = TRUE;
1908 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1909 }
40d00d2b 1910
aac1efec
JM		 1911 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1912 wpa_gtk_update(wpa_auth, group) < 0 ||
1913 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1914 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1915 group->first_sta_seen = FALSE;
1916 group->reject_4way_hs_for_entropy = TRUE;
1917 }
1bdb7ab3
JM		 1918}
1919
1920
6fc6879b
JM		 1921SM_STATE(WPA_PTK, AUTHENTICATION2)
1922{
1923 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1924
40d00d2b 1925 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1926 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1927
3825a19b
JM		 1928 /*
1929 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1930 * ambiguous. The Authenticator state machine uses a counter that is
1931 * incremented by one for each 4-way handshake. However, the security
1932 * analysis of 4-way handshake points out that unpredictable nonces
1933 * help in preventing precomputation attacks. Instead of the state
1934 * machine definition, use an unpredictable nonce value here to provide
1935 * stronger protection against potential precomputation attacks.
1936 */
1937 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1938 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1939 "ANonce.");
65a32cdb 1940 sm->Disconnect = TRUE;
3825a19b
JM		 1941 return;
1942 }
bc8318ac
JM		 1943 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1944 WPA_NONCE_LEN);
6fc6879b
JM		 1945 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1946 * logical place than INITIALIZE since AUTHENTICATION2 can be
1947 * re-entered on ReAuthenticationRequest without going through
1948 * INITIALIZE. */
1949 sm->TimeoutCtr = 0;
1950}
1951
1952
0adc9b28
JM		 1953static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
1954{
1955 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1956 wpa_printf(MSG_ERROR,
1957 "WPA: Failed to get random data for ANonce");
1958 sm->Disconnect = TRUE;
1959 return -1;
1960 }
1961 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
1962 WPA_NONCE_LEN);
1963 sm->TimeoutCtr = 0;
1964 return 0;
1965}
1966
1967
6fc6879b
JM		 1968SM_STATE(WPA_PTK, INITPMK)
1969{
1970 u8 msk[2 * PMK_LEN];
1971 size_t len = 2 * PMK_LEN;
1972
1973 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1974#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1975 sm->xxkey_len = 0;
4ec1fd8e 1976#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1977 if (sm->pmksa) {
1978 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1979 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1980 sm->pmk_len = sm->pmksa->pmk_len;
567da5bb
JM		 1981#ifdef CONFIG_DPP
1982 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1983 wpa_printf(MSG_DEBUG,
1984 "DPP: No PMKSA cache entry for STA - reject connection");
1985 sm->Disconnect = TRUE;
1986 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
1987 return;
1988#endif /* CONFIG_DPP */
6fc6879b 1989 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1990 unsigned int pmk_len;
1991
834c5d68 1992 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 1993 pmk_len = PMK_LEN_SUITE_B_192;
1994 else
1995 pmk_len = PMK_LEN;
6fc6879b 1996 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1997 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1998 pmk_len);
1999 if (len < pmk_len) {
2000 wpa_printf(MSG_DEBUG,
2001 "WPA: MSK not long enough (%u) to create PMK (%u)",
2002 (unsigned int) len, (unsigned int) pmk_len);
2003 sm->Disconnect = TRUE;
2004 return;
2005 }
2006 os_memcpy(sm->PMK, msk, pmk_len);
2007 sm->pmk_len = pmk_len;
4ec1fd8e 2008#ifdef CONFIG_IEEE80211R_AP
6fc6879b 2009 if (len >= 2 * PMK_LEN) {
9f12271b
JM		 2010 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2011 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2012 sm->xxkey_len = SHA384_MAC_LEN;
2013 } else {
2014 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2015 sm->xxkey_len = PMK_LEN;
2016 }
6fc6879b 2017 }
4ec1fd8e 2018#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2019 } else {
400de9b1 2020 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 2021 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 2022 sm->Disconnect = TRUE;
2023 return;
6fc6879b 2024 }
40aaa64f 2025 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 2026
2027 sm->req_replay_counter_used = 0;
2028 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2029 * will break reauthentication since EAPOL state machines may not be
2030 * get into AUTHENTICATING state that clears keyRun before WPA state
2031 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2032 * state and takes PMK from the previously used AAA Key. This will
2033 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2034 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2035 * be good workaround for this issue. */
2036 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2037}
2038
2039
2040SM_STATE(WPA_PTK, INITPSK)
2041{
2042 const u8 *psk;
7a12edd1
JM		 2043 size_t psk_len;
2044
6fc6879b 2045 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
7a12edd1 2046 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
dbfa691d 2047 &psk_len, NULL);
6fc6879b 2048 if (psk) {
7a12edd1
JM		 2049 os_memcpy(sm->PMK, psk, psk_len);
2050 sm->pmk_len = psk_len;
4ec1fd8e 2051#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 2052 os_memcpy(sm->xxkey, psk, PMK_LEN);
2053 sm->xxkey_len = PMK_LEN;
4ec1fd8e 2054#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2055 }
e61fea6b
JM		 2056#ifdef CONFIG_SAE
2057 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2058 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2059 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2060 sm->pmk_len = sm->pmksa->pmk_len;
2061 }
2062#endif /* CONFIG_SAE */
6fc6879b
JM		 2063 sm->req_replay_counter_used = 0;
2064}
2065
2066
2067SM_STATE(WPA_PTK, PTKSTART)
2068{
2069 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2070 size_t pmkid_len = 0;
2071
2072 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2073 sm->PTKRequest = FALSE;
2074 sm->TimeoutEvt = FALSE;
f23c5b17 2075 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2076
2077 sm->TimeoutCtr++;
41f140d3 2078 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2079 /* No point in sending the EAPOL-Key - we will disconnect
2080 * immediately following this. */
2081 return;
2082 }
2083
6fc6879b
JM		 2084 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2085 "sending 1/4 msg of 4-Way Handshake");
2086 /*
c6e1a9a0
JM		 2087 * For infrastructure BSS cases, it is better for the AP not to include
2088 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2089 * offline search for the passphrase/PSK without having to be able to
2090 * capture a 4-way handshake from a STA that has access to the network.
2091 *
2092 * For IBSS cases, addition of PMKID KDE could be considered even with
2093 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2094 * possible PSK for this STA. However, this should not be done unless
2095 * there is support for using that information on the supplicant side.
2096 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2097 * cases would also apply here, but at least in the IBSS case, this
2098 * would cover a potential real use case.
6fc6879b
JM		 2099 */
2100 if (sm->wpa == WPA_VERSION_WPA2 &&
e61fea6b 2101 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
d90f10fa 2102 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
e61fea6b 2103 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
a14896e8 2104 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2105 pmkid = buf;
2106 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2107 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2108 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2109 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2110 if (sm->pmksa) {
9d94e4bb
JM		 2111 wpa_hexdump(MSG_DEBUG,
2112 "RSN: Message 1/4 PMKID from PMKSA entry",
2113 sm->pmksa->pmkid, PMKID_LEN);
6fc6879b
JM		 2114 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2115 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2116 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2117 /* No KCK available to derive PMKID */
9d94e4bb
JM		 2118 wpa_printf(MSG_DEBUG,
2119 "RSN: No KCK available to derive PMKID for message 1/4");
929a2ea5 2120 pmkid = NULL;
9d94e4bb
JM		 2121#ifdef CONFIG_SAE
2122 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2123 if (sm->pmkid_set) {
2124 wpa_hexdump(MSG_DEBUG,
2125 "RSN: Message 1/4 PMKID from SAE",
2126 sm->pmkid, PMKID_LEN);
2127 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2128 sm->pmkid, PMKID_LEN);
2129 } else {
2130 /* No PMKID available */
2131 wpa_printf(MSG_DEBUG,
2132 "RSN: No SAE PMKID available for message 1/4");
2133 pmkid = NULL;
2134 }
2135#endif /* CONFIG_SAE */
929a2ea5 2136 } else {
6fc6879b
JM		 2137 /*
2138 * Calculate PMKID since no PMKSA cache entry was
2139 * available with pre-calculated PMKID.
2140 */
207976f0 2141 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197 2142 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
41b81914 2143 sm->wpa_key_mgmt);
9d94e4bb
JM		 2144 wpa_hexdump(MSG_DEBUG,
2145 "RSN: Message 1/4 PMKID derived from PMK",
2146 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
6fc6879b
JM		 2147 }
2148 }
2149 wpa_send_eapol(sm->wpa_auth, sm,
2150 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2151 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2152}
2153
2154
f23c5b17 2155static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2156 const u8 *pmk, unsigned int pmk_len,
2157 struct wpa_ptk *ptk)
6fc6879b 2158{
10ec6a5f
JM		 2159 const u8 *z = NULL;
2160 size_t z_len = 0;
2161
4ec1fd8e 2162#ifdef CONFIG_IEEE80211R_AP
56586197 2163 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2164 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2165#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2166
10ec6a5f
JM		 2167#ifdef CONFIG_DPP2
2168 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2169 z = wpabuf_head(sm->dpp_z);
2170 z_len = wpabuf_len(sm->dpp_z);
2171 }
2172#endif /* CONFIG_DPP2 */
2173
207976f0 2174 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c 2175 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
10ec6a5f 2176 ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len);
6fc6879b
JM		 2177}
2178
2179
3b5b7aa8 2180#ifdef CONFIG_FILS
c4fd6d8a
JM		 2181
2182int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
80ddf5d9 2183 size_t pmk_len, const u8 *snonce, const u8 *anonce,
4cada9dc 2184 const u8 *dhss, size_t dhss_len,
80ddf5d9 2185 struct wpabuf *g_sta, struct wpabuf *g_ap)
c4fd6d8a
JM		 2186{
2187 u8 ick[FILS_ICK_MAX_LEN];
2188 size_t ick_len;
2189 int res;
8fed47e0
JM		 2190 u8 fils_ft[FILS_FT_MAX_LEN];
2191 size_t fils_ft_len = 0;
c4fd6d8a
JM		 2192
2193 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
4cada9dc
JM		 2194 snonce, anonce, dhss, dhss_len,
2195 &sm->PTK, ick, &ick_len,
8fed47e0
JM		 2196 sm->wpa_key_mgmt, sm->pairwise,
2197 fils_ft, &fils_ft_len);
c4fd6d8a
JM		 2198 if (res < 0)
2199 return res;
2200 sm->PTK_valid = TRUE;
2f1357fb 2201 sm->tk_already_set = FALSE;
c4fd6d8a 2202
8fed47e0
JM		 2203#ifdef CONFIG_IEEE80211R_AP
2204 if (fils_ft_len) {
2205 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2206 struct wpa_auth_config *conf = &wpa_auth->conf;
994eac7e
JM		 2207 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
2208 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
2209 size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
8fed47e0
JM		 2210
2211 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2212 conf->ssid, conf->ssid_len,
2213 conf->mobility_domain,
2214 conf->r0_key_holder,
2215 conf->r0_key_holder_len,
994eac7e
JM		 2216 sm->addr, pmk_r0, pmk_r0_name,
2217 use_sha384) < 0)
8fed47e0
JM		 2218 return -1;
2219
994eac7e
JM		 2220 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
2221 pmk_r0, pmk_r0_len);
8fed47e0
JM		 2222 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2223 pmk_r0_name, WPA_PMK_NAME_LEN);
89dea17e 2224 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
8fed47e0 2225 os_memset(fils_ft, 0, sizeof(fils_ft));
36536639
JM		 2226
2227 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
2228 sm->addr, sm->pmk_r1_name,
2229 use_sha384);
2230 os_memset(pmk_r0, 0, PMK_LEN_MAX);
2231 if (res < 0)
2232 return -1;
2233 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
2234 WPA_PMK_NAME_LEN);
2235 sm->pmk_r1_name_valid = 1;
8fed47e0
JM		 2236 }
2237#endif /* CONFIG_IEEE80211R_AP */
2238
c4fd6d8a
JM		 2239 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2240 sm->addr, sm->wpa_auth->addr,
80ddf5d9
JM		 2241 g_sta ? wpabuf_head(g_sta) : NULL,
2242 g_sta ? wpabuf_len(g_sta) : 0,
2243 g_ap ? wpabuf_head(g_ap) : NULL,
2244 g_ap ? wpabuf_len(g_ap) : 0,
c4fd6d8a
JM		 2245 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2246 sm->fils_key_auth_ap,
2247 &sm->fils_key_auth_len);
2248 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2249
2250 /* Store nonces for (Re)Association Request/Response frame processing */
2251 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2252 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2253
c4fd6d8a
JM		 2254 return res;
2255}
2256
2257
3b5b7aa8 2258static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2259 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2260{
2261 struct ieee802_1x_hdr *hdr;
2262 struct wpa_eapol_key *key;
2263 u8 *pos;
2264 u16 key_data_len;
2265 u8 *tmp;
2266 const u8 *aad[1];
2267 size_t aad_len[1];
2268
75c8563e 2269 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2270 key = (struct wpa_eapol_key *) (hdr + 1);
2271 pos = (u8 *) (key + 1);
2272 key_data_len = WPA_GET_BE16(pos);
2273 if (key_data_len < AES_BLOCK_SIZE ||
2274 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2275 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2276 "No room for AES-SIV data in the frame");
2277 return -1;
2278 }
2279 pos += 2; /* Pointing at the Encrypted Key Data field */
2280
2281 tmp = os_malloc(key_data_len);
2282 if (!tmp)
2283 return -1;
2284
2285 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2286 * to Key Data (exclusive). */
75c8563e
JM		 2287 aad[0] = buf;
2288 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2289 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2290 1, aad, aad_len, tmp) < 0) {
2291 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2292 "Invalid AES-SIV data in the frame");
2293 bin_clear_free(tmp, key_data_len);
2294 return -1;
2295 }
2296
2297 /* AEAD decryption and validation completed successfully */
2298 key_data_len -= AES_BLOCK_SIZE;
2299 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2300 tmp, key_data_len);
2301
2302 /* Replace Key Data field with the decrypted version */
2303 os_memcpy(pos, tmp, key_data_len);
2304 pos -= 2; /* Key Data Length field */
2305 WPA_PUT_BE16(pos, key_data_len);
2306 bin_clear_free(tmp, key_data_len);
2307 if (_key_data_len)
2308 *_key_data_len = key_data_len;
2309 return 0;
2310}
78815f3d
JM		 2311
2312
087631b9
JM		 2313const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2314 const u8 *ies, size_t ies_len,
2315 const u8 *fils_session)
2316{
2317 const u8 *ie, *end;
2318 const u8 *session = NULL;
2319
2320 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2321 wpa_printf(MSG_DEBUG,
2322 "FILS: Not a FILS AKM - reject association");
2323 return NULL;
2324 }
2325
2326 /* Verify Session element */
2327 ie = ies;
2328 end = ((const u8 *) ie) + ies_len;
2329 while (ie + 1 < end) {
2330 if (ie + 2 + ie[1] > end)
2331 break;
2332 if (ie[0] == WLAN_EID_EXTENSION &&
2333 ie[1] >= 1 + FILS_SESSION_LEN &&
2334 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2335 session = ie;
2336 break;
2337 }
2338 ie += 2 + ie[1];
2339 }
2340
2341 if (!session) {
2342 wpa_printf(MSG_DEBUG,
2343 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2344 __func__);
2345 return NULL;
2346 }
2347
2348 if (!fils_session) {
2349 wpa_printf(MSG_DEBUG,
2350 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2351 __func__);
2352 return NULL;
2353 }
2354
2355 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2356 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2357 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2358 fils_session, FILS_SESSION_LEN);
2359 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2360 session + 3, FILS_SESSION_LEN);
2361 return NULL;
2362 }
2363 return session;
2364}
2365
2366
bd599353
JM		 2367int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2368 size_t ies_len)
2369{
2370 struct ieee802_11_elems elems;
2371
2372 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2373 wpa_printf(MSG_DEBUG,
2374 "FILS: Failed to parse decrypted elements");
2375 return -1;
2376 }
2377
8b5ddda5
JM		 2378 if (!elems.fils_session) {
2379 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2380 return -1;
2381 }
2382
bd599353
JM		 2383 if (!elems.fils_key_confirm) {
2384 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2385 return -1;
2386 }
2387
2388 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2389 wpa_printf(MSG_DEBUG,
2390 "FILS: Unexpected Key-Auth length %d (expected %d)",
2391 elems.fils_key_confirm_len,
2392 (int) sm->fils_key_auth_len);
2393 return -1;
2394 }
2395
2396 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2397 sm->fils_key_auth_len) != 0) {
2398 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2399 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2400 elems.fils_key_confirm, elems.fils_key_confirm_len);
2401 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2402 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2403 return -1;
2404 }
2405
2406 return 0;
2407}
2408
2409
78815f3d
JM		 2410int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2411 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2412 u8 *pos, size_t left)
2413{
2414 u16 fc, stype;
2415 const u8 *end, *ie_start, *ie, *session, *crypt;
78815f3d
JM		 2416 const u8 *aad[5];
2417 size_t aad_len[5];
2418
2419 if (!sm || !sm->PTK_valid) {
2420 wpa_printf(MSG_DEBUG,
2421 "FILS: No KEK to decrypt Assocication Request frame");
2422 return -1;
2423 }
2424
2425 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2426 wpa_printf(MSG_DEBUG,
2427 "FILS: Not a FILS AKM - reject association");
2428 return -1;
2429 }
2430
2431 end = ((const u8 *) mgmt) + frame_len;
2432 fc = le_to_host16(mgmt->frame_control);
2433 stype = WLAN_FC_GET_STYPE(fc);
2434 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2435 ie_start = mgmt->u.reassoc_req.variable;
2436 else
2437 ie_start = mgmt->u.assoc_req.variable;
2438 ie = ie_start;
2439
2440 /*
2441 * Find FILS Session element which is the last unencrypted element in
2442 * the frame.
2443 */
087631b9
JM		 2444 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2445 fils_session);
78815f3d 2446 if (!session) {
087631b9 2447 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
78815f3d
JM		 2448 return -1;
2449 }
087631b9 2450
78815f3d
JM		 2451 crypt = session + 2 + session[1];
2452
2453 if (end - crypt < AES_BLOCK_SIZE) {
2454 wpa_printf(MSG_DEBUG,
2455 "FILS: Too short frame to include AES-SIV data");
2456 return -1;
2457 }
2458
2459 /* AES-SIV AAD vectors */
2460
2461 /* The STA's MAC address */
2462 aad[0] = mgmt->sa;
2463 aad_len[0] = ETH_ALEN;
2464 /* The AP's BSSID */
2465 aad[1] = mgmt->da;
2466 aad_len[1] = ETH_ALEN;
2467 /* The STA's nonce */
2468 aad[2] = sm->SNonce;
2469 aad_len[2] = FILS_NONCE_LEN;
2470 /* The AP's nonce */
2471 aad[3] = sm->ANonce;
2472 aad_len[3] = FILS_NONCE_LEN;
2473 /*
2474 * The (Re)Association Request frame from the Capability Information
2475 * field to the FILS Session element (both inclusive).
2476 */
2477 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2478 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2479
2480 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2481 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2482 wpa_printf(MSG_DEBUG,
2483 "FILS: Invalid AES-SIV data in the frame");
2484 return -1;
2485 }
2486 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2487 pos, left - AES_BLOCK_SIZE);
2488
bd599353
JM		 2489 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2490 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
78815f3d
JM		 2491 return -1;
2492 }
2493
2494 return left - AES_BLOCK_SIZE;
2495}
2496
e73ffa09
JM		 2497
2498int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2499 size_t current_len, size_t max_len,
2500 const struct wpabuf *hlp)
e73ffa09
JM		 2501{
2502 u8 *end = buf + max_len;
2503 u8 *pos = buf + current_len;
2504 struct ieee80211_mgmt *mgmt;
2505 struct wpabuf *plain;
e73ffa09
JM		 2506 const u8 *aad[5];
2507 size_t aad_len[5];
2508
2509 if (!sm || !sm->PTK_valid)
2510 return -1;
2511
2512 wpa_hexdump(MSG_DEBUG,
2513 "FILS: Association Response frame before FILS processing",
2514 buf, current_len);
2515
2516 mgmt = (struct ieee80211_mgmt *) buf;
2517
2518 /* AES-SIV AAD vectors */
2519
2520 /* The AP's BSSID */
2521 aad[0] = mgmt->sa;
2522 aad_len[0] = ETH_ALEN;
2523 /* The STA's MAC address */
2524 aad[1] = mgmt->da;
2525 aad_len[1] = ETH_ALEN;
2526 /* The AP's nonce */
2527 aad[2] = sm->ANonce;
2528 aad_len[2] = FILS_NONCE_LEN;
2529 /* The STA's nonce */
2530 aad[3] = sm->SNonce;
2531 aad_len[3] = FILS_NONCE_LEN;
2532 /*
2533 * The (Re)Association Response frame from the Capability Information
2534 * field (the same offset in both Association and Reassociation
2535 * Response frames) to the FILS Session element (both inclusive).
2536 */
2537 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2538 aad_len[4] = pos - aad[4];
2539
2540 /* The following elements will be encrypted with AES-SIV */
9392859d
JM		 2541 plain = fils_prepare_plainbuf(sm, hlp);
2542 if (!plain) {
2543 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2544 return -1;
2545 }
2546
2547 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2548 wpa_printf(MSG_DEBUG,
2549 "FILS: Not enough room for FILS elements");
2550 wpabuf_free(plain);
2551 return -1;
2552 }
2553
2554 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2555 plain);
2556
2557 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2558 wpabuf_head(plain), wpabuf_len(plain),
2559 5, aad, aad_len, pos) < 0) {
2560 wpabuf_free(plain);
2561 return -1;
2562 }
2563
2564 wpa_hexdump(MSG_DEBUG,
2565 "FILS: Encrypted Association Response elements",
2566 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2567 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2568 wpabuf_free(plain);
2569
2570 sm->fils_completed = 1;
2571
2572 return current_len;
2573}
2574
2575
2576static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2577 const struct wpabuf *hlp)
2578{
2579 struct wpabuf *plain;
2580 u8 *len, *tmp, *tmp2;
2581 u8 hdr[2];
2582 u8 *gtk, dummy_gtk[32];
2583 size_t gtk_len;
2584 struct wpa_group *gsm;
e73ffa09
JM		 2585
2586 plain = wpabuf_alloc(1000);
2587 if (!plain)
9392859d 2588 return NULL;
e73ffa09
JM		 2589
2590 /* TODO: FILS Public Key */
2591
2592 /* FILS Key Confirmation */
2593 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2594 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2595 /* Element ID Extension */
2596 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2597 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2598
91d91abf
JM		 2599 /* FILS HLP Container */
2600 if (hlp)
2601 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2602
2603 /* TODO: FILS IP Address Assignment */
2604
2605 /* Key Delivery */
2606 gsm = sm->group;
2607 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2608 len = wpabuf_put(plain, 1);
2609 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2610 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2611 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2612 /* GTK KDE */
2613 gtk = gsm->GTK[gsm->GN - 1];
2614 gtk_len = gsm->GTK_len;
8d660a4b
JM		 2615 if (sm->wpa_auth->conf.disable_gtk ||
2616 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
e73ffa09
JM		 2617 /*
2618 * Provide unique random GTK to each STA to prevent use
2619 * of GTK in the BSS.
2620 */
2621 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2622 wpabuf_free(plain);
9392859d 2623 return NULL;
e73ffa09
JM		 2624 }
2625 gtk = dummy_gtk;
2626 }
2627 hdr[0] = gsm->GN & 0x03;
2628 hdr[1] = 0;
2629 tmp = wpabuf_put(plain, 0);
2630 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2631 gtk, gtk_len);
2632 wpabuf_put(plain, tmp2 - tmp);
2633
2634 /* IGTK KDE */
2635 tmp = wpabuf_put(plain, 0);
2636 tmp2 = ieee80211w_kde_add(sm, tmp);
2637 wpabuf_put(plain, tmp2 - tmp);
2638
2639 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
99621dc1
MV		 2640
2641#ifdef CONFIG_OCV
2642 if (wpa_auth_uses_ocv(sm)) {
2643 struct wpa_channel_info ci;
2644 u8 *pos;
2645
2646 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
2647 wpa_printf(MSG_WARNING,
2648 "FILS: Failed to get channel info for OCI element");
2649 wpabuf_free(plain);
2650 return NULL;
2651 }
2652
2653 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
2654 if (ocv_insert_extended_oci(&ci, pos) < 0) {
2655 wpabuf_free(plain);
2656 return NULL;
2657 }
2658 }
2659#endif /* CONFIG_OCV */
2660
9392859d 2661 return plain;
e73ffa09
JM		 2662}
2663
da24c5aa
JM		 2664
2665int fils_set_tk(struct wpa_state_machine *sm)
2666{
2667 enum wpa_alg alg;
2668 int klen;
2669
2f1357fb
JM		 2670 if (!sm || !sm->PTK_valid) {
2671 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2672 return -1;
2673 }
2674 if (sm->tk_already_set) {
2675 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
da24c5aa 2676 return -1;
2f1357fb 2677 }
da24c5aa
JM		 2678
2679 alg = wpa_cipher_to_alg(sm->pairwise);
2680 klen = wpa_cipher_key_len(sm->pairwise);
2681
2682 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2683 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2684 sm->PTK.tk, klen)) {
2685 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2686 return -1;
2687 }
2f1357fb 2688 sm->tk_already_set = TRUE;
da24c5aa
JM		 2689
2690 return 0;
2691}
2692
fa61bff6
JM		 2693
2694u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
8b5ddda5 2695 const u8 *fils_session, struct wpabuf *hlp)
fa61bff6
JM		 2696{
2697 struct wpabuf *plain;
2698 u8 *pos = buf;
2699
2700 /* FILS Session */
2701 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2702 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2703 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2704 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2705 pos += FILS_SESSION_LEN;
2706
8b5ddda5 2707 plain = fils_prepare_plainbuf(sm, hlp);
fa61bff6
JM		 2708 if (!plain) {
2709 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2710 return NULL;
2711 }
2712
2713 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2714 pos += wpabuf_len(plain);
2715
2716 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2717 (unsigned int) wpabuf_len(plain));
2718 wpabuf_free(plain);
2719 sm->fils_completed = 1;
2720 return pos;
2721}
2722
3b5b7aa8
JM		 2723#endif /* CONFIG_FILS */
2724
2725
1034f67b
MV		 2726#ifdef CONFIG_OCV
2727int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
2728 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
2729{
2730 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2731
2732 if (!wpa_auth->cb->get_sta_tx_params)
2733 return -1;
2734 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
2735 ap_max_chanwidth, ap_seg1_idx,
2736 bandwidth, seg1_idx);
2737}
2738#endif /* CONFIG_OCV */
2739
2740
6fc6879b
JM		 2741SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2742{
3b5b7aa8 2743 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2744 struct wpa_ptk PTK;
2c502460 2745 int ok = 0, psk_found = 0;
6fc6879b 2746 const u8 *pmk = NULL;
7a12edd1 2747 size_t pmk_len;
3b5b7aa8
JM		 2748 int ft;
2749 const u8 *eapol_key_ie, *key_data, *mic;
2750 u16 key_data_length;
2751 size_t mic_len, eapol_key_ie_len;
2752 struct ieee802_1x_hdr *hdr;
2753 struct wpa_eapol_key *key;
2754 struct wpa_eapol_ie_parse kde;
bb05d036 2755 int vlan_id = 0;
6fc6879b
JM		 2756
2757 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2758 sm->EAPOLKeyReceived = FALSE;
68921e24 2759 sm->update_snonce = FALSE;
b729fd8d 2760 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2761
567da5bb 2762 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3b5b7aa8 2763
6fc6879b
JM		 2764 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2765 * WPA-PSK: iterate through possible PSKs and select the one matching
2766 * the packet */
2767 for (;;) {
e61fea6b
JM		 2768 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2769 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
759fd76b 2770 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
dbfa691d
JM		 2771 sm->p2p_dev_addr, pmk, &pmk_len,
2772 &vlan_id);
6fc6879b
JM		 2773 if (pmk == NULL)
2774 break;
2c502460 2775 psk_found = 1;
f9854c18
MK		 2776#ifdef CONFIG_IEEE80211R_AP
2777 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
2778 os_memcpy(sm->xxkey, pmk, pmk_len);
2779 sm->xxkey_len = pmk_len;
2780 }
2781#endif /* CONFIG_IEEE80211R_AP */
207976f0 2782 } else {
6fc6879b 2783 pmk = sm->PMK;
207976f0
JM		 2784 pmk_len = sm->pmk_len;
2785 }
6fc6879b 2786
364c064a
JM		 2787 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2788 break;
6fc6879b 2789
3b5b7aa8 2790 if (mic_len &&
567da5bb 2791 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
929a2ea5 2792 sm->last_rx_eapol_key,
6fc6879b 2793 sm->last_rx_eapol_key_len) == 0) {
b08c9ad0
MK		 2794 os_memcpy(sm->PMK, pmk, pmk_len);
2795 sm->pmk_len = pmk_len;
6fc6879b
JM		 2796 ok = 1;
2797 break;
2798 }
2799
3b5b7aa8 2800#ifdef CONFIG_FILS
75c8563e
JM		 2801 if (!mic_len &&
2802 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2803 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2804 ok = 1;
2805 break;
2806 }
2807#endif /* CONFIG_FILS */
2808
f5e0a332
JM		 2809 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2810 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
6fc6879b
JM		 2811 break;
2812 }
2813
2814 if (!ok) {
2815 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2816 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2817 if (psk_found)
2818 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2819 return;
2820 }
2821
3b5b7aa8
JM		 2822 /*
2823 * Note: last_rx_eapol_key length fields have already been validated in
2824 * wpa_receive().
2825 */
2826 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2827 key = (struct wpa_eapol_key *) (hdr + 1);
2828 mic = (u8 *) (key + 1);
2829 key_data = mic + mic_len + 2;
2830 key_data_length = WPA_GET_BE16(mic + mic_len);
2831 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2832 sizeof(*key) - mic_len - 2)
2833 return;
2834
2835 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2836 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2837 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2838 return;
2839 }
2840 if (kde.rsn_ie) {
2841 eapol_key_ie = kde.rsn_ie;
2842 eapol_key_ie_len = kde.rsn_ie_len;
2843 } else if (kde.osen) {
2844 eapol_key_ie = kde.osen;
2845 eapol_key_ie_len = kde.osen_len;
2846 } else {
2847 eapol_key_ie = kde.wpa_ie;
2848 eapol_key_ie_len = kde.wpa_ie_len;
2849 }
2850 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2851 if (sm->wpa_ie == NULL ||
2852 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2853 eapol_key_ie, eapol_key_ie_len)) {
2854 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2855 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2856 if (sm->wpa_ie) {
2857 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2858 sm->wpa_ie, sm->wpa_ie_len);
2859 }
2860 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2861 eapol_key_ie, eapol_key_ie_len);
2862 /* MLME-DEAUTHENTICATE.request */
567da5bb
JM		 2863 wpa_sta_disconnect(wpa_auth, sm->addr,
2864 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2865 return;
2866 }
aed61c4e
MV		 2867#ifdef CONFIG_OCV
2868 if (wpa_auth_uses_ocv(sm)) {
2869 struct wpa_channel_info ci;
2870 int tx_chanwidth;
2871 int tx_seg1_idx;
2872
2873 if (wpa_channel_info(wpa_auth, &ci) != 0) {
2874 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2875 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
2876 return;
2877 }
2878
2879 if (get_sta_tx_parameters(sm,
2880 channel_width_to_int(ci.chanwidth),
2881 ci.seg1_idx, &tx_chanwidth,
2882 &tx_seg1_idx) < 0)
2883 return;
2884
2885 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
2886 tx_chanwidth, tx_seg1_idx) != 0) {
2887 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2888 ocv_errorstr);
2889 return;
2890 }
2891 }
2892#endif /* CONFIG_OCV */
4ec1fd8e 2893#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8 2894 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
567da5bb
JM		 2895 wpa_sta_disconnect(wpa_auth, sm->addr,
2896 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2897 return;
2898 }
4ec1fd8e 2899#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2900#ifdef CONFIG_P2P
2901 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2902 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2903 int idx;
2904 wpa_printf(MSG_DEBUG,
2905 "P2P: IP address requested in EAPOL-Key exchange");
2906 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2907 if (idx >= 0) {
2908 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2909 bitfield_set(wpa_auth->ip_pool, idx);
2910 WPA_PUT_BE32(sm->ip_addr, start + idx);
2911 wpa_printf(MSG_DEBUG,
2912 "P2P: Assigned IP address %u.%u.%u.%u to "
2913 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2914 sm->ip_addr[2], sm->ip_addr[3],
2915 MAC2STR(sm->addr));
2916 }
2917 }
2918#endif /* CONFIG_P2P */
2919
4ec1fd8e 2920#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2921 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2922 /*
2923 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2924 * with the value we derived.
2925 */
870834a1
JM		 2926 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2927 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2928 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2929 "PMKR1Name mismatch in FT 4-way "
2930 "handshake");
2931 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2932 "Supplicant",
2933 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2934 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2935 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2936 return;
2937 }
2938 }
4ec1fd8e 2939#endif /* CONFIG_IEEE80211R_AP */
26e23750 2940
dbfa691d
JM		 2941 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2942 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
2943 wpa_sta_disconnect(wpa_auth, sm->addr,
2944 WLAN_REASON_PREV_AUTH_NOT_VALID);
2945 return;
2946 }
2947
e4bf4db9 2948 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2949 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2950
56586197 2951 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2952 /* PSK may have changed from the previous choice, so update
2953 * state machine data based on whatever PSK was selected here.
2954 */
2955 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2956 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2957 }
2958
2959 sm->MICVerified = TRUE;
2960
2961 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2962 sm->PTK_valid = TRUE;
2963}
2964
2965
2966SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2967{
2968 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2969 sm->TimeoutCtr = 0;
2970}
2971
2972
2973#ifdef CONFIG_IEEE80211W
2974
2975static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2976{
2977 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2978 size_t len;
2979 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2980 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2981 }
2982
2983 return 0;
2984}
2985
2986
2987static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2988{
2989 struct wpa_igtk_kde igtk;
2990 struct wpa_group *gsm = sm->group;
03610ad2 2991 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2992 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2993
2994 if (!sm->mgmt_frame_prot)
2995 return pos;
2996
2997 igtk.keyid[0] = gsm->GN_igtk;
2998 igtk.keyid[1] = 0;
7b1080da 2999 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 3000 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 3001 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 3002 else
3003 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 3004 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
8d660a4b
JM		 3005 if (sm->wpa_auth->conf.disable_gtk ||
3006 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3007 /*
3008 * Provide unique random IGTK to each STA to prevent use of
3009 * IGTK in the BSS.
3010 */
8dd9f9cd 3011 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 3012 return pos;
3013 }
6fc6879b 3014 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 3015 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
3016 NULL, 0);
6fc6879b
JM		 3017
3018 return pos;
3019}
3020
3021#else /* CONFIG_IEEE80211W */
3022
3023static int ieee80211w_kde_len(struct wpa_state_machine *sm)
3024{
3025 return 0;
3026}
3027
3028
3029static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
3030{
3031 return pos;
3032}
3033
3034#endif /* CONFIG_IEEE80211W */
3035
3036
17c2559c
MV		 3037static int ocv_oci_len(struct wpa_state_machine *sm)
3038{
3039#ifdef CONFIG_OCV
3040 if (wpa_auth_uses_ocv(sm))
3041 return OCV_OCI_KDE_LEN;
3042#endif /* CONFIG_OCV */
3043 return 0;
3044}
3045
3046static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos)
3047{
3048#ifdef CONFIG_OCV
3049 struct wpa_channel_info ci;
3050
3051 if (!wpa_auth_uses_ocv(sm))
3052 return 0;
3053
3054 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3055 wpa_printf(MSG_WARNING,
3056 "Failed to get channel info for OCI element");
3057 return -1;
3058 }
3059
3060 return ocv_insert_oci_kde(&ci, argpos);
3061#else /* CONFIG_OCV */
3062 return 0;
3063#endif /* CONFIG_OCV */
3064}
3065
3066
6fc6879b
JM		 3067SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
3068{
83421850 3069 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 3070 size_t gtk_len, kde_len;
3071 struct wpa_group *gsm = sm->group;
3072 u8 *wpa_ie;
3073 int wpa_ie_len, secure, keyidx, encr = 0;
3074
3075 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
3076 sm->TimeoutEvt = FALSE;
bae61562
JM		 3077
3078 sm->TimeoutCtr++;
6f234c1e
JM		 3079 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3080 sm->TimeoutCtr > 1) {
3081 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
3082 return;
3083 }
41f140d3 3084 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 3085 /* No point in sending the EAPOL-Key - we will disconnect
3086 * immediately following this. */
3087 return;
3088 }
3089
86dfabb8
JM		 3090 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
3091 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 3092 */
3093 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3094 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 3095 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 3096 wpa_ie = sm->wpa_auth->wpa_ie;
3097 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
3098 if (sm->wpa == WPA_VERSION_WPA &&
3099 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
3100 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 3101 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 3102 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 3103 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
3104 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 3105 wpa_ie_len = wpa_ie[1] + 2;
3106 }
3107 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3108 "sending 3/4 msg of 4-Way Handshake");
3109 if (sm->wpa == WPA_VERSION_WPA2) {
3110 /* WPA2 send GTK in the 4-way handshake */
3111 secure = 1;
3112 gtk = gsm->GTK[gsm->GN - 1];
3113 gtk_len = gsm->GTK_len;
8d660a4b
JM		 3114 if (sm->wpa_auth->conf.disable_gtk ||
3115 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3116 /*
3117 * Provide unique random GTK to each STA to prevent use
3118 * of GTK in the BSS.
3119 */
3120 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
3121 return;
3122 gtk = dummy_gtk;
3123 }
6fc6879b
JM		 3124 keyidx = gsm->GN;
3125 _rsc = rsc;
3126 encr = 1;
3127 } else {
3128 /* WPA does not include GTK in msg 3/4 */
3129 secure = 0;
3130 gtk = NULL;
3131 gtk_len = 0;
3132 keyidx = 0;
3133 _rsc = NULL;
0d442aff
JM		 3134 if (sm->rx_eapol_key_secure) {
3135 /*
3136 * It looks like Windows 7 supplicant tries to use
3137 * Secure bit in msg 2/4 after having reported Michael
3138 * MIC failure and it then rejects the 4-way handshake
3139 * if msg 3/4 does not set Secure bit. Work around this
3140 * by setting the Secure bit here even in the case of
3141 * WPA if the supplicant used it first.
3142 */
3143 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 3144 "STA used Secure bit in WPA msg 2/4 - "
3145 "set Secure for 3/4 as workaround");
0d442aff
JM		 3146 secure = 1;
3147 }
6fc6879b
JM		 3148 }
3149
17c2559c 3150 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
6fc6879b
JM		 3151 if (gtk)
3152 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 3153#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 3154 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3155 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
3156 kde_len += 300; /* FTIE + 2 * TIE */
3157 }
4ec1fd8e 3158#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3159#ifdef CONFIG_P2P
3160 if (WPA_GET_BE32(sm->ip_addr) > 0)
3161 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
3162#endif /* CONFIG_P2P */
6fc6879b
JM		 3163 kde = os_malloc(kde_len);
3164 if (kde == NULL)
3165 return;
3166
3167 pos = kde;
3168 os_memcpy(pos, wpa_ie, wpa_ie_len);
3169 pos += wpa_ie_len;
4ec1fd8e 3170#ifdef CONFIG_IEEE80211R_AP
26e23750 3171 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 3172 int res;
3173 size_t elen;
3174
3175 elen = pos - kde;
3176 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 3177 if (res < 0) {
3178 wpa_printf(MSG_ERROR, "FT: Failed to insert "
3179 "PMKR1Name into RSN IE in EAPOL-Key data");
3180 os_free(kde);
3181 return;
3182 }
59e78c24
JM		 3183 pos -= wpa_ie_len;
3184 pos += elen;
26e23750 3185 }
4ec1fd8e 3186#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3187 if (gtk) {
3188 u8 hdr[2];
3189 hdr[0] = keyidx & 0x03;
3190 hdr[1] = 0;
3191 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3192 gtk, gtk_len);
3193 }
3194 pos = ieee80211w_kde_add(sm, pos);
17c2559c
MV		 3195 if (ocv_oci_add(sm, &pos) < 0) {
3196 os_free(kde);
3197 return;
3198 }
6fc6879b 3199
4ec1fd8e 3200#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 3201 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3202 int res;
3203 struct wpa_auth_config *conf;
3204
3205 conf = &sm->wpa_auth->conf;
9257610a
JM		 3206 if (sm->assoc_resp_ftie &&
3207 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3208 os_memcpy(pos, sm->assoc_resp_ftie,
3209 2 + sm->assoc_resp_ftie[1]);
3210 res = 2 + sm->assoc_resp_ftie[1];
3211 } else {
a7968ea5
JM		 3212 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
3213
3214 res = wpa_write_ftie(conf, use_sha384,
3215 conf->r0_key_holder,
9257610a
JM		 3216 conf->r0_key_holder_len,
3217 NULL, NULL, pos,
3218 kde + kde_len - pos,
3219 NULL, 0);
3220 }
86dfabb8
JM		 3221 if (res < 0) {
3222 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
3223 "into EAPOL-Key Key Data");
3224 os_free(kde);
3225 return;
3226 }
3227 pos += res;
3228
3229 /* TIE[ReassociationDeadline] (TU) */
3230 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3231 *pos++ = 5;
3232 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3233 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3234 pos += 4;
3235
3236 /* TIE[KeyLifetime] (seconds) */
3237 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3238 *pos++ = 5;
3239 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
83fe4bd3 3240 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
86dfabb8
JM		 3241 pos += 4;
3242 }
4ec1fd8e 3243#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3244#ifdef CONFIG_P2P
3245 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3246 u8 addr[3 * 4];
3247 os_memcpy(addr, sm->ip_addr, 4);
3248 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3249 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3250 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3251 addr, sizeof(addr), NULL, 0);
3252 }
3253#endif /* CONFIG_P2P */
86dfabb8 3254
6fc6879b 3255 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3256 (secure ? WPA_KEY_INFO_SECURE : 0) |
567da5bb
JM		 3257 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3258 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3259 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3260 WPA_KEY_INFO_KEY_TYPE,
3261 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3262 os_free(kde);
6fc6879b
JM		 3263}
3264
3265
3266SM_STATE(WPA_PTK, PTKINITDONE)
3267{
3268 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3269 sm->EAPOLKeyReceived = FALSE;
3270 if (sm->Pair) {
c3550295
JM		 3271 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3272 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 3273 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 3274 sm->PTK.tk, klen)) {
567da5bb
JM		 3275 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3276 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 3277 return;
3278 }
3279 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3280 sm->pairwise_set = TRUE;
3281
581a8cde
JM		 3282 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
3283 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3284 eloop_register_timeout(sm->wpa_auth->conf.
3285 wpa_ptk_rekey, 0, wpa_rekey_ptk,
3286 sm->wpa_auth, sm);
3287 }
3288
a1ea1b45 3289 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 3290 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 3291 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 3292 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3293 WPA_EAPOL_authorized, 1);
3294 }
3295 }
3296
3297 if (0 /* IBSS == TRUE */) {
3298 sm->keycount++;
3299 if (sm->keycount == 2) {
3300 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3301 WPA_EAPOL_portValid, 1);
3302 }
3303 } else {
3304 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3305 1);
3306 }
3307 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3308 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3309 if (sm->wpa == WPA_VERSION_WPA)
3310 sm->PInitAKeys = TRUE;
3311 else
3312 sm->has_GTK = TRUE;
3313 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3314 "pairwise key handshake completed (%s)",
3315 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3316
4ec1fd8e 3317#ifdef CONFIG_IEEE80211R_AP
6fc6879b 3318 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 3319#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3320}
3321
3322
3323SM_STEP(WPA_PTK)
3324{
3325 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3326
3327 if (sm->Init)
3328 SM_ENTER(WPA_PTK, INITIALIZE);
3329 else if (sm->Disconnect
1aae01fc
BG		 3330 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3331 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3332 "WPA_PTK: sm->Disconnect");
6fc6879b 3333 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 3334 }
6fc6879b
JM		 3335 else if (sm->DeauthenticationRequest)
3336 SM_ENTER(WPA_PTK, DISCONNECTED);
3337 else if (sm->AuthenticationRequest)
3338 SM_ENTER(WPA_PTK, AUTHENTICATION);
3339 else if (sm->ReAuthenticationRequest)
3340 SM_ENTER(WPA_PTK, AUTHENTICATION2);
0adc9b28
JM		 3341 else if (sm->PTKRequest) {
3342 if (wpa_auth_sm_ptk_update(sm) < 0)
3343 SM_ENTER(WPA_PTK, DISCONNECTED);
3344 else
3345 SM_ENTER(WPA_PTK, PTKSTART);
3346 } else switch (sm->wpa_ptk_state) {
6fc6879b
JM		 3347 case WPA_PTK_INITIALIZE:
3348 break;
3349 case WPA_PTK_DISCONNECT:
3350 SM_ENTER(WPA_PTK, DISCONNECTED);
3351 break;
3352 case WPA_PTK_DISCONNECTED:
3353 SM_ENTER(WPA_PTK, INITIALIZE);
3354 break;
3355 case WPA_PTK_AUTHENTICATION:
3356 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3357 break;
3358 case WPA_PTK_AUTHENTICATION2:
56586197 3359 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 3360 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3361 WPA_EAPOL_keyRun) > 0)
3362 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 3363 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3364 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 3365 /* FIX: && 802.1X::keyRun */)
3366 SM_ENTER(WPA_PTK, INITPSK);
567da5bb
JM		 3367 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3368 SM_ENTER(WPA_PTK, INITPMK);
6fc6879b
JM		 3369 break;
3370 case WPA_PTK_INITPMK:
3371 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
567da5bb 3372 WPA_EAPOL_keyAvailable) > 0) {
6fc6879b 3373 SM_ENTER(WPA_PTK, PTKSTART);
567da5bb
JM		 3374#ifdef CONFIG_DPP
3375 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3376 SM_ENTER(WPA_PTK, PTKSTART);
3377#endif /* CONFIG_DPP */
3378 } else {
6fc6879b 3379 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3380 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3381 "INITPMK - keyAvailable = false");
6fc6879b
JM		 3382 SM_ENTER(WPA_PTK, DISCONNECT);
3383 }
3384 break;
3385 case WPA_PTK_INITPSK:
759fd76b 3386 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
dbfa691d 3387 NULL, NULL, NULL)) {
6fc6879b 3388 SM_ENTER(WPA_PTK, PTKSTART);
e61fea6b
JM		 3389#ifdef CONFIG_SAE
3390 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3391 SM_ENTER(WPA_PTK, PTKSTART);
3392#endif /* CONFIG_SAE */
3393 } else {
6fc6879b
JM		 3394 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3395 "no PSK configured for the STA");
3396 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3397 SM_ENTER(WPA_PTK, DISCONNECT);
3398 }
3399 break;
3400 case WPA_PTK_PTKSTART:
3401 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3402 sm->EAPOLKeyPairwise)
3403 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3404 else if (sm->TimeoutCtr >
41f140d3 3405 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3406 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3407 wpa_auth_vlogger(
3408 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3409 "PTKSTART: Retry limit %u reached",
3410 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3411 SM_ENTER(WPA_PTK, DISCONNECT);
3412 } else if (sm->TimeoutEvt)
3413 SM_ENTER(WPA_PTK, PTKSTART);
3414 break;
3415 case WPA_PTK_PTKCALCNEGOTIATING:
3416 if (sm->MICVerified)
3417 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3418 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3419 sm->EAPOLKeyPairwise)
3420 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3421 else if (sm->TimeoutEvt)
3422 SM_ENTER(WPA_PTK, PTKSTART);
3423 break;
3424 case WPA_PTK_PTKCALCNEGOTIATING2:
3425 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3426 break;
3427 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3428 if (sm->update_snonce)
3429 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3430 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3431 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3432 SM_ENTER(WPA_PTK, PTKINITDONE);
3433 else if (sm->TimeoutCtr >
6f234c1e
JM		 3434 sm->wpa_auth->conf.wpa_pairwise_update_count ||
3435 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3436 sm->TimeoutCtr > 1)) {
6fc6879b 3437 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3438 wpa_auth_vlogger(
3439 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3440 "PTKINITNEGOTIATING: Retry limit %u reached",
3441 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3442 SM_ENTER(WPA_PTK, DISCONNECT);
3443 } else if (sm->TimeoutEvt)
3444 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3445 break;
3446 case WPA_PTK_PTKINITDONE:
3447 break;
3448 }
3449}
3450
3451
3452SM_STATE(WPA_PTK_GROUP, IDLE)
3453{
3454 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3455 if (sm->Init) {
3456 /* Init flag is not cleared here, so avoid busy
3457 * loop by claiming nothing changed. */
3458 sm->changed = FALSE;
3459 }
3460 sm->GTimeoutCtr = 0;
3461}
3462
3463
3464SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3465{
3466 u8 rsc[WPA_KEY_RSC_LEN];
3467 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3468 const u8 *kde;
3469 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3470 size_t kde_len;
83421850 3471 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3472
3473 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3474
3475 sm->GTimeoutCtr++;
6f234c1e
JM		 3476 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3477 sm->GTimeoutCtr > 1) {
3478 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3479 return;
3480 }
41f140d3 3481 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3482 /* No point in sending the EAPOL-Key - we will disconnect
3483 * immediately following this. */
3484 return;
3485 }
3486
6fc6879b
JM		 3487 if (sm->wpa == WPA_VERSION_WPA)
3488 sm->PInitAKeys = FALSE;
3489 sm->TimeoutEvt = FALSE;
3490 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3491 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3492 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3493 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3494 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3495 "sending 1/2 msg of Group Key Handshake");
3496
83421850 3497 gtk = gsm->GTK[gsm->GN - 1];
8d660a4b
JM		 3498 if (sm->wpa_auth->conf.disable_gtk ||
3499 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
83421850
JM		 3500 /*
3501 * Provide unique random GTK to each STA to prevent use
3502 * of GTK in the BSS.
3503 */
3504 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3505 return;
3506 gtk = dummy_gtk;
3507 }
6fc6879b
JM		 3508 if (sm->wpa == WPA_VERSION_WPA2) {
3509 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
17c2559c 3510 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
e41e4f9e
JM		 3511 kde_buf = os_malloc(kde_len);
3512 if (kde_buf == NULL)
6fc6879b
JM		 3513 return;
3514
e41e4f9e 3515 kde = pos = kde_buf;
6fc6879b
JM		 3516 hdr[0] = gsm->GN & 0x03;
3517 hdr[1] = 0;
3518 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3519 gtk, gsm->GTK_len);
6fc6879b 3520 pos = ieee80211w_kde_add(sm, pos);
17c2559c
MV		 3521 if (ocv_oci_add(sm, &pos) < 0) {
3522 os_free(kde_buf);
3523 return;
3524 }
e41e4f9e 3525 kde_len = pos - kde;
6fc6879b 3526 } else {
83421850 3527 kde = gtk;
e41e4f9e 3528 kde_len = gsm->GTK_len;
6fc6879b
JM		 3529 }
3530
3531 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3532 WPA_KEY_INFO_SECURE |
567da5bb
JM		 3533 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3534 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3535 WPA_KEY_INFO_ACK |
3536 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3537 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3538
3539 os_free(kde_buf);
6fc6879b
JM		 3540}
3541
3542
3543SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3544{
aed61c4e
MV		 3545#ifdef CONFIG_OCV
3546 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3547 const u8 *key_data, *mic;
3548 struct ieee802_1x_hdr *hdr;
3549 struct wpa_eapol_key *key;
3550 struct wpa_eapol_ie_parse kde;
3551 size_t mic_len;
3552 u16 key_data_length;
3553#endif /* CONFIG_OCV */
3554
6fc6879b
JM		 3555 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3556 sm->EAPOLKeyReceived = FALSE;
aed61c4e
MV		 3557
3558#ifdef CONFIG_OCV
3559 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3560
3561 /*
3562 * Note: last_rx_eapol_key length fields have already been validated in
3563 * wpa_receive().
3564 */
3565 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3566 key = (struct wpa_eapol_key *) (hdr + 1);
3567 mic = (u8 *) (key + 1);
3568 key_data = mic + mic_len + 2;
3569 key_data_length = WPA_GET_BE16(mic + mic_len);
3570 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3571 sizeof(*key) - mic_len - 2)
3572 return;
3573
3574 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3575 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
3576 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
3577 return;
3578 }
3579
3580 if (wpa_auth_uses_ocv(sm)) {
3581 struct wpa_channel_info ci;
3582 int tx_chanwidth;
3583 int tx_seg1_idx;
3584
3585 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3586 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3587 "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2");
3588 return;
3589 }
3590
3591 if (get_sta_tx_parameters(sm,
3592 channel_width_to_int(ci.chanwidth),
3593 ci.seg1_idx, &tx_chanwidth,
3594 &tx_seg1_idx) < 0)
3595 return;
3596
3597 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3598 tx_chanwidth, tx_seg1_idx) != 0) {
3599 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
3600 ocv_errorstr);
3601 return;
3602 }
3603 }
3604#endif /* CONFIG_OCV */
3605
6fc6879b
JM		 3606 if (sm->GUpdateStationKeys)
3607 sm->group->GKeyDoneStations--;
3608 sm->GUpdateStationKeys = FALSE;
3609 sm->GTimeoutCtr = 0;
3610 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3611 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3612 "group key handshake completed (%s)",
3613 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3614 sm->has_GTK = TRUE;
3615}
3616
3617
3618SM_STATE(WPA_PTK_GROUP, KEYERROR)
3619{
3620 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3621 if (sm->GUpdateStationKeys)
3622 sm->group->GKeyDoneStations--;
3623 sm->GUpdateStationKeys = FALSE;
3624 sm->Disconnect = TRUE;
4bb9b674
GK		 3625 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3626 "group key handshake failed (%s) after %u tries",
3627 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3628 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3629}
3630
3631
3632SM_STEP(WPA_PTK_GROUP)
3633{
9663596f 3634 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3635 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3636 sm->PtkGroupInit = FALSE;
3637 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3638 case WPA_PTK_GROUP_IDLE:
3639 if (sm->GUpdateStationKeys ||
3640 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3641 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3642 break;
3643 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3644 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3645 !sm->EAPOLKeyPairwise && sm->MICVerified)
3646 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3647 else if (sm->GTimeoutCtr >
6f234c1e
JM		 3648 sm->wpa_auth->conf.wpa_group_update_count ||
3649 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3650 sm->GTimeoutCtr > 1))
6fc6879b
JM		 3651 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3652 else if (sm->TimeoutEvt)
3653 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3654 break;
3655 case WPA_PTK_GROUP_KEYERROR:
3656 SM_ENTER(WPA_PTK_GROUP, IDLE);
3657 break;
3658 case WPA_PTK_GROUP_REKEYESTABLISHED:
3659 SM_ENTER(WPA_PTK_GROUP, IDLE);
3660 break;
3661 }
3662}
3663
3664
3665static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3666 struct wpa_group *group)
3667{
3668 int ret = 0;
3669
6fc6879b
JM		 3670 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3671 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3672 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3673 wpa_auth->addr, group->GNonce,
3674 group->GTK[group->GN - 1], group->GTK_len) < 0)
3675 ret = -1;
5cb9d5c3
JM		 3676 wpa_hexdump_key(MSG_DEBUG, "GTK",
3677 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3678
3679#ifdef CONFIG_IEEE80211W
70f8cc8e 3680 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3681 size_t len;
3682 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3683 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3684 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3685 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3686 wpa_auth->addr, group->GNonce,
8dd9f9cd 3687 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3688 ret = -1;
6fc6879b 3689 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3690 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3691 }
3692#endif /* CONFIG_IEEE80211W */
3693
3694 return ret;
3695}
3696
3697
3698static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3699 struct wpa_group *group)
3700{
3701 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3702 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3703 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3704 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3705
3706 /* GTK[0..N] = 0 */
3707 os_memset(group->GTK, 0, sizeof(group->GTK));
3708 group->GN = 1;
3709 group->GM = 2;
3710#ifdef CONFIG_IEEE80211W
3711 group->GN_igtk = 4;
3712 group->GM_igtk = 5;
3713#endif /* CONFIG_IEEE80211W */
3714 /* GTK[GN] = CalcGTK() */
3715 wpa_gtk_update(wpa_auth, group);
3716}
3717
3718
3719static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3720{
473b6f22
MB		 3721 if (ctx != NULL && ctx != sm->group)
3722 return 0;
3723
6fc6879b
JM		 3724 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3725 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3726 "Not in PTKINITDONE; skip Group Key update");
3c183894 3727 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3728 return 0;
3729 }
9663596f
JM		 3730 if (sm->GUpdateStationKeys) {
3731 /*
3c183894
JM		 3732 * This should not really happen, so add a debug log entry.
3733 * Since we clear the GKeyDoneStations before the loop, the
3734 * station needs to be counted here anyway.
9663596f
JM		 3735 */
3736 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3737 "GUpdateStationKeys was already set when "
3738 "marking station for GTK rekeying");
9663596f 3739 }
3c183894 3740
ad3872a3 3741 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3742 if (sm->is_wnmsleep)
3743 return 0;
d32d94db 3744
3c183894
JM		 3745 sm->group->GKeyDoneStations++;
3746 sm->GUpdateStationKeys = TRUE;
3747
6fc6879b
JM		 3748 wpa_sm_step(sm);
3749 return 0;
3750}
3751
3752
b5bf84ba 3753#ifdef CONFIG_WNM_AP
ad3872a3 3754/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3755void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3756{
629edfef 3757 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3758 return;
3759
3760 wpa_group_update_sta(sm, NULL);
3761}
3762
3763
3764void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3765{
629edfef
JM		 3766 if (sm)
3767 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3768}
3769
3770
3771int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3772{
d32d94db 3773 struct wpa_group *gsm = sm->group;
835822d4 3774 u8 *start = pos;
d32d94db
XC		 3775
3776 /*
835822d4 3777 * GTK subelement:
d32d94db 3778 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3779 * Key[5..32]
d32d94db 3780 */
835822d4
JM		 3781 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3782 *pos++ = 11 + gsm->GTK_len;
d32d94db 3783 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3784 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3785 pos += 2;
3786 *pos++ = gsm->GTK_len;
3787 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3788 return 0;
835822d4
JM		 3789 pos += 8;
3790 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3791 pos += gsm->GTK_len;
d32d94db 3792
835822d4
JM		 3793 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3794 gsm->GN);
3795 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3796 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3797
835822d4 3798 return pos - start;
d32d94db
XC		 3799}
3800
3801
3802#ifdef CONFIG_IEEE80211W
3803int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3804{
d32d94db 3805 struct wpa_group *gsm = sm->group;
835822d4 3806 u8 *start = pos;
8dd9f9cd 3807 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3808
835822d4
JM		 3809 /*
3810 * IGTK subelement:
3811 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3812 */
3813 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3814 *pos++ = 2 + 6 + len;
835822d4
JM		 3815 WPA_PUT_LE16(pos, gsm->GN_igtk);
3816 pos += 2;
3817 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3818 return 0;
835822d4 3819 pos += 6;
d32d94db 3820
8dd9f9cd
JM		 3821 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3822 pos += len;
d32d94db 3823
835822d4
JM		 3824 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3825 gsm->GN_igtk);
3826 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3827 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3828
835822d4 3829 return pos - start;
d32d94db
XC		 3830}
3831#endif /* CONFIG_IEEE80211W */
b5bf84ba 3832#endif /* CONFIG_WNM_AP */
d32d94db
XC		 3833
3834
6fc6879b
JM		 3835static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3836 struct wpa_group *group)
3837{
3838 int tmp;
3839
3840 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3841 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3842 group->changed = TRUE;
3843 group->wpa_group_state = WPA_GROUP_SETKEYS;
3844 group->GTKReKey = FALSE;
3845 tmp = group->GM;
3846 group->GM = group->GN;
3847 group->GN = tmp;
3848#ifdef CONFIG_IEEE80211W
3849 tmp = group->GM_igtk;
3850 group->GM_igtk = group->GN_igtk;
3851 group->GN_igtk = tmp;
3852#endif /* CONFIG_IEEE80211W */
3853 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3854 * counting the STAs that are marked with GUpdateStationKeys instead of
3855 * including all STAs that could be in not-yet-completed state. */
3856 wpa_gtk_update(wpa_auth, group);
3857
3c183894
JM		 3858 if (group->GKeyDoneStations) {
3859 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3860 "GKeyDoneStations=%d when starting new GTK rekey",
3861 group->GKeyDoneStations);
3862 group->GKeyDoneStations = 0;
3863 }
473b6f22 3864 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3865 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3866 group->GKeyDoneStations);
3867}
3868
3869
1bdb7ab3
JM		 3870static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3871 struct wpa_group *group)
6fc6879b 3872{
3c7302c2
JM		 3873 int ret = 0;
3874
3c7302c2 3875 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3876 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3877 broadcast_ether_addr, group->GN,
3878 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3879 ret = -1;
6fc6879b
JM		 3880
3881#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3882 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3883 enum wpa_alg alg;
3884 size_t len;
3885
3886 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3887 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3888
3889 if (ret == 0 &&
3890 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3891 broadcast_ether_addr, group->GN_igtk,
3892 group->IGTK[group->GN_igtk - 4], len) < 0)
3893 ret = -1;
3894 }
6fc6879b 3895#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3896
3897 return ret;
6fc6879b
JM		 3898}
3899
3900
7d7f7be2
JM		 3901static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3902{
3903 if (sm->group == ctx) {
3904 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3905 " for discconnection due to fatal failure",
3906 MAC2STR(sm->addr));
3907 sm->Disconnect = TRUE;
3908 }
3909
3910 return 0;
3911}
3912
3913
3914static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3915 struct wpa_group *group)
3916{
3917 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3918 group->changed = TRUE;
3919 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3920 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3921}
3922
3923
1bdb7ab3
JM		 3924static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3925 struct wpa_group *group)
3926{
3927 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3928 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3929 group->changed = TRUE;
3930 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3931
7d7f7be2
JM		 3932 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3933 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3934 return -1;
7d7f7be2 3935 }
1bdb7ab3
JM		 3936
3937 return 0;
3938}
3939
3940
6fc6879b
JM		 3941static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3942 struct wpa_group *group)
3943{
3944 if (group->GInit) {
3945 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3946 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3947 /* Do not allow group operations */
6fc6879b
JM		 3948 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3949 group->GTKAuthenticator) {
3950 wpa_group_setkeysdone(wpa_auth, group);
3951 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3952 group->GTKReKey) {
3953 wpa_group_setkeys(wpa_auth, group);
3954 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3955 if (group->GKeyDoneStations == 0)
3956 wpa_group_setkeysdone(wpa_auth, group);
3957 else if (group->GTKReKey)
3958 wpa_group_setkeys(wpa_auth, group);
3959 }
3960}
3961
3962
e4a6ea1d 3963static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3964{
3965 if (sm == NULL)
e4a6ea1d 3966 return 0;
6fc6879b
JM		 3967
3968 if (sm->in_step_loop) {
3969 /* This should not happen, but if it does, make sure we do not
3970 * end up freeing the state machine too early by exiting the
3971 * recursive call. */
3972 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3973 return 0;
6fc6879b
JM		 3974 }
3975
3976 sm->in_step_loop = 1;
3977 do {
3978 if (sm->pending_deinit)
3979 break;
3980
3981 sm->changed = FALSE;
3982 sm->wpa_auth->group->changed = FALSE;
3983
3984 SM_STEP_RUN(WPA_PTK);
3985 if (sm->pending_deinit)
3986 break;
3987 SM_STEP_RUN(WPA_PTK_GROUP);
3988 if (sm->pending_deinit)
3989 break;
3990 wpa_group_sm_step(sm->wpa_auth, sm->group);
3991 } while (sm->changed || sm->wpa_auth->group->changed);
3992 sm->in_step_loop = 0;
3993
3994 if (sm->pending_deinit) {
3995 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3996 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3997 wpa_free_sta_sm(sm);
e4a6ea1d 3998 return 1;
6fc6879b 3999 }
e4a6ea1d 4000 return 0;
6fc6879b
JM		 4001}
4002
4003
4004static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
4005{
4006 struct wpa_state_machine *sm = eloop_ctx;
4007 wpa_sm_step(sm);
4008}
4009
4010
4011void wpa_auth_sm_notify(struct wpa_state_machine *sm)
4012{
4013 if (sm == NULL)
4014 return;
4015 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
4016}
4017
4018
4019void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
4020{
4021 int tmp, i;
4022 struct wpa_group *group;
4023
4024 if (wpa_auth == NULL)
4025 return;
4026
4027 group = wpa_auth->group;
4028
4029 for (i = 0; i < 2; i++) {
4030 tmp = group->GM;
4031 group->GM = group->GN;
4032 group->GN = tmp;
4033#ifdef CONFIG_IEEE80211W
4034 tmp = group->GM_igtk;
4035 group->GM_igtk = group->GN_igtk;
4036 group->GN_igtk = tmp;
4037#endif /* CONFIG_IEEE80211W */
4038 wpa_gtk_update(wpa_auth, group);
9354e594 4039 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 4040 }
4041}
4042
4043
a6da824b 4044static const char * wpa_bool_txt(int val)
6fc6879b 4045{
a6da824b 4046 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 4047}
4048
4049
6fc6879b
JM		 4050#define RSN_SUITE "%02x-%02x-%02x-%d"
4051#define RSN_SUITE_ARG(s) \
4052((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4053
4054int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
4055{
4056 int len = 0, ret;
4057 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 4058#ifdef CONFIG_RSN_PREAUTH
4059 const int preauth = 1;
4060#else /* CONFIG_RSN_PREAUTH */
4061 const int preauth = 0;
4062#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 4063
4064 if (wpa_auth == NULL)
4065 return len;
4066
4067 ret = os_snprintf(buf + len, buflen - len,
4068 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 4069 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 4070 "dot11RSNAEnabled=%s\n"
4071 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 4072 wpa_bool_txt(preauth),
6fc6879b
JM		 4073 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
4074 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 4075 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4076 return len;
4077 len += ret;
4078
4079 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4080 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
4081
4082 ret = os_snprintf(
4083 buf + len, buflen - len,
4084 "dot11RSNAConfigVersion=%u\n"
4085 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
4086 /* FIX: dot11RSNAConfigGroupCipher */
4087 /* FIX: dot11RSNAConfigGroupRekeyMethod */
4088 /* FIX: dot11RSNAConfigGroupRekeyTime */
4089 /* FIX: dot11RSNAConfigGroupRekeyPackets */
4090 "dot11RSNAConfigGroupRekeyStrict=%u\n"
4091 "dot11RSNAConfigGroupUpdateCount=%u\n"
4092 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
4093 "dot11RSNAConfigGroupCipherSize=%u\n"
4094 "dot11RSNAConfigPMKLifetime=%u\n"
4095 "dot11RSNAConfigPMKReauthThreshold=%u\n"
4096 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
4097 "dot11RSNAConfigSATimeout=%u\n"
4098 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4099 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4100 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4101 "dot11RSNAPMKIDUsed=%s\n"
4102 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4103 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4104 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4105 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
4106 "dot11RSNA4WayHandshakeFailures=%u\n"
4107 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
4108 RSN_VERSION,
4109 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 4110 wpa_auth->conf.wpa_group_update_count,
4111 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 4112 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 4113 dot11RSNAConfigPMKLifetime,
4114 dot11RSNAConfigPMKReauthThreshold,
4115 dot11RSNAConfigSATimeout,
4116 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
4117 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
4118 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
4119 pmkid_txt,
4120 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
4121 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
4122 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
4123 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
4124 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 4125 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4126 return len;
4127 len += ret;
4128
4129 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
4130 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
4131
4132 /* Private MIB */
4133 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
4134 wpa_auth->group->wpa_group_state);
d85e1fc8 4135 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4136 return len;
4137 len += ret;
4138
4139 return len;
4140}
4141
4142
4143int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
4144{
4145 int len = 0, ret;
4146 u32 pairwise = 0;
4147
4148 if (sm == NULL)
4149 return 0;
4150
4151 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
4152
4153 /* dot11RSNAStatsEntry */
4154
c3550295
JM		 4155 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
4156 WPA_PROTO_RSN : WPA_PROTO_WPA,
4157 sm->pairwise);
4158 if (pairwise == 0)
6fc6879b
JM		 4159 return 0;
4160
4161 ret = os_snprintf(
4162 buf + len, buflen - len,
4163 /* TODO: dot11RSNAStatsIndex */
4164 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
4165 "dot11RSNAStatsVersion=1\n"
4166 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
4167 /* TODO: dot11RSNAStatsTKIPICVErrors */
4168 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 4169 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 4170 /* TODO: dot11RSNAStatsCCMPReplays */
4171 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
4172 /* TODO: dot11RSNAStatsTKIPReplays */,
4173 MAC2STR(sm->addr),
4174 RSN_SUITE_ARG(pairwise),
4175 sm->dot11RSNAStatsTKIPLocalMICFailures,
4176 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 4177 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4178 return len;
4179 len += ret;
4180
4181 /* Private MIB */
4182 ret = os_snprintf(buf + len, buflen - len,
4183 "hostapdWPAPTKState=%d\n"
4184 "hostapdWPAPTKGroupState=%d\n",
4185 sm->wpa_ptk_state,
4186 sm->wpa_ptk_group_state);
d85e1fc8 4187 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 4188 return len;
4189 len += ret;
4190
4191 return len;
4192}
4193
4194
4195void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
4196{
4197 if (wpa_auth)
4198 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
4199}
4200
4201
4202int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
4203{
4204 return sm && sm->pairwise_set;
4205}
4206
4207
ff36ff00
JM		 4208int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
4209{
4210 return sm->pairwise;
4211}
4212
4213
b08c9ad0
MK		 4214const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
4215{
4216 if (!sm)
4217 return NULL;
4218 *len = sm->pmk_len;
4219 return sm->PMK;
4220}
4221
4222
6fc6879b
JM		 4223int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
4224{
4225 if (sm == NULL)
4226 return -1;
4227 return sm->wpa_key_mgmt;
4228}
4229
4230
4231int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
4232{
4233 if (sm == NULL)
4234 return 0;
4235 return sm->wpa;
4236}
4237
4238
0e3bd7ac
MV		 4239int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
4240{
4241 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
4242 return 0;
4243 return sm->tk_already_set;
4244}
4245
4246
2f1357fb
JM		 4247int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
4248{
4249 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
4250 return 0;
4251 return sm->tk_already_set;
4252}
4253
4254
6fc6879b
JM		 4255int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
4256 struct rsn_pmksa_cache_entry *entry)
4257{
4258 if (sm == NULL || sm->pmksa != entry)
4259 return -1;
4260 sm->pmksa = NULL;
4261 return 0;
4262}
4263
4264
4265struct rsn_pmksa_cache_entry *
4266wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
4267{
4268 return sm ? sm->pmksa : NULL;
4269}
4270
4271
4272void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
4273{
4274 if (sm)
4275 sm->dot11RSNAStatsTKIPLocalMICFailures++;
4276}
4277
4278
4279const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
4280{
4281 if (wpa_auth == NULL)
4282 return NULL;
4283 *len = wpa_auth->wpa_ie_len;
4284 return wpa_auth->wpa_ie;
4285}
4286
4287
4288int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 4289 unsigned int pmk_len,
6fc6879b
JM		 4290 int session_timeout, struct eapol_state_machine *eapol)
4291{
cb465555
JM		 4292 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
4293 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 4294 return -1;
4295
834c5d68 4296 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 4297 if (pmk_len > PMK_LEN_SUITE_B_192)
4298 pmk_len = PMK_LEN_SUITE_B_192;
4299 } else if (pmk_len > PMK_LEN) {
4300 pmk_len = PMK_LEN;
4301 }
4302
70c93963 4303 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 4304 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 4305 sm->wpa_auth->addr, sm->addr, session_timeout,
4306 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 4307 return 0;
4308
4309 return -1;
4310}
4311
4312
4313int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4314 const u8 *pmk, size_t len, const u8 *sta_addr,
4315 int session_timeout,
4316 struct eapol_state_machine *eapol)
4317{
4318 if (wpa_auth == NULL)
4319 return -1;
4320
70c93963 4321 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 4322 NULL, 0,
4323 wpa_auth->addr,
4bb081f1
JM		 4324 sta_addr, session_timeout, eapol,
4325 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 4326 return 0;
4327
4328 return -1;
4329}
4330
4331
f2991170 4332int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 4333 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 4334{
4335 if (wpa_auth->conf.disable_pmksa_caching)
4336 return -1;
4337
70c93963 4338 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 4339 NULL, 0,
f2991170
JM		 4340 wpa_auth->addr, addr, 0, NULL,
4341 WPA_KEY_MGMT_SAE))
4342 return 0;
4343
4344 return -1;
4345}
4346
4347
9d94e4bb
JM		 4348void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
4349{
4350 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
4351 sm->pmkid_set = 1;
4352}
4353
4354
0c52953b
JM		 4355int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4356 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4357 int session_timeout, int akmp)
4358{
4359 if (wpa_auth->conf.disable_pmksa_caching)
4360 return -1;
4361
4362 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4363 NULL, 0, wpa_auth->addr, addr, session_timeout,
4364 NULL, akmp))
4365 return 0;
4366
4367 return -1;
4368}
4369
4370
901d1fe1
JM		 4371void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4372 const u8 *sta_addr)
4373{
4374 struct rsn_pmksa_cache_entry *pmksa;
4375
4376 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4377 return;
4378 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4379 if (pmksa) {
4380 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4381 MACSTR " based on request", MAC2STR(sta_addr));
4382 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4383 }
4384}
4385
4386
b8daac18
MH		 4387int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4388 size_t len)
4389{
4390 if (!wpa_auth || !wpa_auth->pmksa)
4391 return 0;
4392 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4393}
4394
4395
4c522c77
MH		 4396void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4397{
4398 if (wpa_auth && wpa_auth->pmksa)
4399 pmksa_cache_auth_flush(wpa_auth->pmksa);
4400}
4401
4402
4d77d80e
MH		 4403#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4404#ifdef CONFIG_MESH
4405
4406int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4407 char *buf, size_t len)
4408{
4409 if (!wpa_auth || !wpa_auth->pmksa)
4410 return 0;
4411
4412 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4413}
4414
4415
4416struct rsn_pmksa_cache_entry *
4417wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4418 const u8 *pmkid, int expiration)
4419{
4420 struct rsn_pmksa_cache_entry *entry;
4421 struct os_reltime now;
4422
4423 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4424 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4425 if (!entry)
4426 return NULL;
4427
4428 os_get_reltime(&now);
4429 entry->expiration = now.sec + expiration;
4430 return entry;
4431}
4432
4433
4434int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4435 struct rsn_pmksa_cache_entry *entry)
4436{
4437 int ret;
4438
4439 if (!wpa_auth || !wpa_auth->pmksa)
4440 return -1;
4441
4442 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4443 if (ret < 0)
4444 wpa_printf(MSG_DEBUG,
4445 "RSN: Failed to store external PMKSA cache for "
4446 MACSTR, MAC2STR(entry->spa));
4447
4448 return ret;
4449}
4450
4451#endif /* CONFIG_MESH */
4452#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4453
4454
9f2cf23e 4455struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 4456wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4457 const u8 *pmkid)
9f2cf23e
MH		 4458{
4459 if (!wpa_auth || !wpa_auth->pmksa)
4460 return NULL;
c1bd4bac 4461 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 4462}
4463
4464
4465void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4466 struct wpa_state_machine *sm,
4467 struct wpa_authenticator *wpa_auth,
4468 u8 *pmkid, u8 *pmk)
4469{
4470 if (!sm)
4471 return;
4472
4473 sm->pmksa = pmksa;
8854f90b
JM		 4474 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4475 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4476 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 4477}
4478
4479
a0ad9e8c
MB		 4480/*
4481 * Remove and free the group from wpa_authenticator. This is triggered by a
4482 * callback to make sure nobody is currently iterating the group list while it
4483 * gets modified.
4484 */
4485static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4486 struct wpa_group *group)
4487{
4488 struct wpa_group *prev = wpa_auth->group;
4489
4490 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4491 group->vlan_id);
4492
4493 while (prev) {
4494 if (prev->next == group) {
4495 /* This never frees the special first group as needed */
4496 prev->next = group->next;
4497 os_free(group);
4498 break;
4499 }
4500 prev = prev->next;
4501 }
4502
4503}
4504
4505
4506/* Increase the reference counter for group */
4507static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4508 struct wpa_group *group)
4509{
4510 /* Skip the special first group */
4511 if (wpa_auth->group == group)
4512 return;
4513
4514 group->references++;
4515}
4516
4517
4518/* Decrease the reference counter and maybe free the group */
4519static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4520 struct wpa_group *group)
4521{
4522 /* Skip the special first group */
4523 if (wpa_auth->group == group)
4524 return;
4525
4526 group->references--;
4527 if (group->references)
4528 return;
4529 wpa_group_free(wpa_auth, group);
4530}
4531
4532
4533/*
4534 * Add a group that has its references counter set to zero. Caller needs to
4535 * call wpa_group_get() on the return value to mark the entry in use.
4536 */
6fc6879b
JM		 4537static struct wpa_group *
4538wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4539{
4540 struct wpa_group *group;
4541
4542 if (wpa_auth == NULL || wpa_auth->group == NULL)
4543 return NULL;
4544
4545 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4546 vlan_id);
bdffdc5d 4547 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4548 if (group == NULL)
4549 return NULL;
4550
4551 group->next = wpa_auth->group->next;
4552 wpa_auth->group->next = group;
4553
4554 return group;
4555}
4556
4557
7cebc8e2
MB		 4558/*
4559 * Enforce that the group state machine for the VLAN is running, increase
4560 * reference counter as interface is up. References might have been increased
4561 * even if a negative value is returned.
4562 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4563 */
4564int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4565{
4566 struct wpa_group *group;
4567
4568 if (wpa_auth == NULL)
4569 return 0;
4570
4571 group = wpa_auth->group;
4572 while (group) {
4573 if (group->vlan_id == vlan_id)
4574 break;
4575 group = group->next;
4576 }
4577
4578 if (group == NULL) {
4579 group = wpa_auth_add_group(wpa_auth, vlan_id);
4580 if (group == NULL)
4581 return -1;
4582 }
4583
4584 wpa_printf(MSG_DEBUG,
4585 "WPA: Ensure group state machine running for VLAN ID %d",
4586 vlan_id);
4587
4588 wpa_group_get(wpa_auth, group);
4589 group->num_setup_iface++;
4590
4591 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4592 return -1;
4593
4594 return 0;
4595}
4596
4597
4598/*
4599 * Decrease reference counter, expected to be zero afterwards.
4600 * returns: -1 on error (group not found, group in fail state)
4601 * -2 if wpa_group is still referenced
4602 * 0 else
4603 */
4604int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4605{
4606 struct wpa_group *group;
4607 int ret = 0;
4608
4609 if (wpa_auth == NULL)
4610 return 0;
4611
4612 group = wpa_auth->group;
4613 while (group) {
4614 if (group->vlan_id == vlan_id)
4615 break;
4616 group = group->next;
4617 }
4618
4619 if (group == NULL)
4620 return -1;
4621
4622 wpa_printf(MSG_DEBUG,
4623 "WPA: Try stopping group state machine for VLAN ID %d",
4624 vlan_id);
4625
4626 if (group->num_setup_iface <= 0) {
4627 wpa_printf(MSG_ERROR,
4628 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4629 vlan_id);
4630 return -1;
4631 }
4632 group->num_setup_iface--;
4633
4634 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4635 ret = -1;
4636
4637 if (group->references > 1) {
4638 wpa_printf(MSG_DEBUG,
4639 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4640 vlan_id);
4641 ret = -2;
4642 }
4643
4644 wpa_group_put(wpa_auth, group);
4645
4646 return ret;
4647}
4648
4649
6fc6879b
JM		 4650int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4651{
4652 struct wpa_group *group;
4653
4654 if (sm == NULL || sm->wpa_auth == NULL)
4655 return 0;
4656
4657 group = sm->wpa_auth->group;
4658 while (group) {
4659 if (group->vlan_id == vlan_id)
4660 break;
4661 group = group->next;
4662 }
4663
4664 if (group == NULL) {
4665 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4666 if (group == NULL)
4667 return -1;
4668 }
4669
4670 if (sm->group == group)
4671 return 0;
4672
7d7f7be2
JM		 4673 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4674 return -1;
4675
6fc6879b
JM		 4676 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4677 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4678
a0ad9e8c
MB		 4679 wpa_group_get(sm->wpa_auth, group);
4680 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4681 sm->group = group;
a0ad9e8c 4682
6fc6879b
JM		 4683 return 0;
4684}
e4bf4db9
JM		 4685
4686
4687void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4688 struct wpa_state_machine *sm, int ack)
4689{
4690 if (wpa_auth == NULL || sm == NULL)
4691 return;
4692 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4693 " ack=%d", MAC2STR(sm->addr), ack);
4694 if (sm->pending_1_of_4_timeout && ack) {
4695 /*
4696 * Some deployed supplicant implementations update their SNonce
4697 * for each EAPOL-Key 2/4 message even within the same 4-way
4698 * handshake and then fail to use the first SNonce when
4699 * deriving the PTK. This results in unsuccessful 4-way
4700 * handshake whenever the relatively short initial timeout is
4701 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4702 * around this by increasing the timeout now that we know that
4703 * the station has received the frame.
4704 */
4705 int timeout_ms = eapol_key_timeout_subseq;
4706 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4707 "timeout by %u ms because of acknowledged frame",
4708 timeout_ms);
4709 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4710 eloop_register_timeout(timeout_ms / 1000,
4711 (timeout_ms % 1000) * 1000,
4712 wpa_send_eapol_timeout, wpa_auth, sm);
4713 }
3d695328
JM		 4714
4715#ifdef CONFIG_TESTING_OPTIONS
4716 if (sm->eapol_status_cb) {
4717 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
4718 sm->eapol_status_cb_ctx2);
4719 sm->eapol_status_cb = NULL;
4720 }
4721#endif /* CONFIG_TESTING_OPTIONS */
e4bf4db9 4722}
c10347f2
JM		 4723
4724
4725int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4726{
4727 if (sm == NULL)
4728 return 0;
4729 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4730}
aa189ac9
JM		 4731
4732
4733int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4734{
4735 if (sm == NULL)
4736 return 0;
4737 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4738}
25ef8529
JM		 4739
4740
4741#ifdef CONFIG_P2P
4742int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4743{
4744 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4745 return -1;
4746 os_memcpy(addr, sm->ip_addr, 4);
4747 return 0;
4748}
4749#endif /* CONFIG_P2P */
cbc210de
JM		 4750
4751
4752int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4753 struct radius_das_attrs *attr)
4754{
4755 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4756}
34782730
JM		 4757
4758
4759void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4760{
4761 struct wpa_group *group;
4762
4763 if (!wpa_auth)
4764 return;
4765 for (group = wpa_auth->group; group; group = group->next)
4766 wpa_group_config_group_keys(wpa_auth, group);
4767}
7eace378
JM		 4768
4769
4770#ifdef CONFIG_FILS
4771
4772struct wpa_auth_fils_iter_data {
4773 struct wpa_authenticator *auth;
4774 const u8 *cache_id;
4775 struct rsn_pmksa_cache_entry *pmksa;
4776 const u8 *spa;
4777 const u8 *pmkid;
4778};
4779
4780
4781static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4782{
4783 struct wpa_auth_fils_iter_data *data = ctx;
4784
4cc6574d 4785 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4786 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4787 FILS_CACHE_ID_LEN) != 0)
4788 return 0;
4789 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4790 return data->pmksa != NULL;
4791}
4792
4793
4794struct rsn_pmksa_cache_entry *
4795wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4796 const u8 *sta_addr, const u8 *pmkid)
4797{
4798 struct wpa_auth_fils_iter_data idata;
4799
4800 if (!wpa_auth->conf.fils_cache_id_set)
4801 return NULL;
4802 idata.auth = wpa_auth;
4803 idata.cache_id = wpa_auth->conf.fils_cache_id;
4804 idata.pmksa = NULL;
4805 idata.spa = sta_addr;
4806 idata.pmkid = pmkid;
4807 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4808 return idata.pmksa;
4809}
4810
5db997e3
JM		 4811
4812#ifdef CONFIG_IEEE80211R_AP
a7968ea5
JM		 4813int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384,
4814 u8 *buf, size_t len)
5db997e3
JM		 4815{
4816 struct wpa_auth_config *conf = &wpa_auth->conf;
4817
a7968ea5 4818 return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder,
5db997e3
JM		 4819 conf->r0_key_holder_len,
4820 NULL, NULL, buf, len, NULL, 0);
4821}
4822#endif /* CONFIG_IEEE80211R_AP */
4823
8acbf85f
JM		 4824
4825void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4826 u8 *fils_anonce, u8 *fils_snonce,
4827 u8 *fils_kek, size_t *fils_kek_len)
4828{
4829 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4830 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4831 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4832 *fils_kek_len = sm->PTK.kek_len;
4833}
4834
7eace378 4835#endif /* CONFIG_FILS */
6bc2f00f
JM		 4836
4837
36536639
JM		 4838void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
4839{
4840 if (sm)
4841 sm->auth_alg = auth_alg;
4842}
4843
4844
10ec6a5f
JM		 4845#ifdef CONFIG_DPP2
4846void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
4847{
4848 if (sm) {
4849 wpabuf_clear_free(sm->dpp_z);
4850 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
4851 }
4852}
4853#endif /* CONFIG_DPP2 */
4854
4855
82424732 4856#ifdef CONFIG_TESTING_OPTIONS
d8afdb21 4857
3d695328
JM		 4858int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
4859 void (*cb)(void *ctx1, void *ctx2),
4860 void *ctx1, void *ctx2)
d8afdb21
JM		 4861{
4862 const u8 *anonce = sm->ANonce;
4863 u8 anonce_buf[WPA_NONCE_LEN];
4864
4865 if (change_anonce) {
4866 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
4867 return -1;
4868 anonce = anonce_buf;
4869 }
4870
4871 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4872 "sending 1/4 msg of 4-Way Handshake (TESTING)");
4873 wpa_send_eapol(sm->wpa_auth, sm,
4874 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
4875 anonce, NULL, 0, 0, 0);
4876 return 0;
4877}
4878
4879
3d695328
JM		 4880int wpa_auth_resend_m3(struct wpa_state_machine *sm,
4881 void (*cb)(void *ctx1, void *ctx2),
4882 void *ctx1, void *ctx2)
d8afdb21 4883{
0c3bc1be
LD		 4884 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
4885#ifdef CONFIG_IEEE80211W
4886 u8 *opos;
4887#endif /* CONFIG_IEEE80211W */
d8afdb21
JM		 4888 size_t gtk_len, kde_len;
4889 struct wpa_group *gsm = sm->group;
4890 u8 *wpa_ie;
4891 int wpa_ie_len, secure, keyidx, encr = 0;
4892
4893 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4894 GTK[GN], IGTK, [FTIE], [TIE * 2])
4895 */
4896
4897 /* Use 0 RSC */
4898 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4899 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4900 wpa_ie = sm->wpa_auth->wpa_ie;
4901 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4902 if (sm->wpa == WPA_VERSION_WPA &&
4903 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
4904 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
4905 /* WPA-only STA, remove RSN IE and possible MDIE */
4906 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4907 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4908 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4909 wpa_ie_len = wpa_ie[1] + 2;
4910 }
4911 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4912 "sending 3/4 msg of 4-Way Handshake (TESTING)");
4913 if (sm->wpa == WPA_VERSION_WPA2) {
4914 /* WPA2 send GTK in the 4-way handshake */
4915 secure = 1;
4916 gtk = gsm->GTK[gsm->GN - 1];
4917 gtk_len = gsm->GTK_len;
4918 keyidx = gsm->GN;
4919 _rsc = rsc;
4920 encr = 1;
4921 } else {
4922 /* WPA does not include GTK in msg 3/4 */
4923 secure = 0;
4924 gtk = NULL;
4925 gtk_len = 0;
4926 keyidx = 0;
4927 _rsc = NULL;
4928 if (sm->rx_eapol_key_secure) {
4929 /*
4930 * It looks like Windows 7 supplicant tries to use
4931 * Secure bit in msg 2/4 after having reported Michael
4932 * MIC failure and it then rejects the 4-way handshake
4933 * if msg 3/4 does not set Secure bit. Work around this
4934 * by setting the Secure bit here even in the case of
4935 * WPA if the supplicant used it first.
4936 */
4937 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4938 "STA used Secure bit in WPA msg 2/4 - "
4939 "set Secure for 3/4 as workaround");
4940 secure = 1;
4941 }
4942 }
4943
17c2559c 4944 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
d8afdb21
JM		 4945 if (gtk)
4946 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4947#ifdef CONFIG_IEEE80211R_AP
4948 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4949 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4950 kde_len += 300; /* FTIE + 2 * TIE */
4951 }
4952#endif /* CONFIG_IEEE80211R_AP */
4953 kde = os_malloc(kde_len);
4954 if (kde == NULL)
4955 return -1;
4956
4957 pos = kde;
4958 os_memcpy(pos, wpa_ie, wpa_ie_len);
4959 pos += wpa_ie_len;
4960#ifdef CONFIG_IEEE80211R_AP
4961 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4962 int res;
4963 size_t elen;
4964
4965 elen = pos - kde;
4966 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
4967 if (res < 0) {
4968 wpa_printf(MSG_ERROR, "FT: Failed to insert "
4969 "PMKR1Name into RSN IE in EAPOL-Key data");
4970 os_free(kde);
4971 return -1;
4972 }
4973 pos -= wpa_ie_len;
4974 pos += elen;
4975 }
4976#endif /* CONFIG_IEEE80211R_AP */
4977 if (gtk) {
4978 u8 hdr[2];
4979 hdr[0] = keyidx & 0x03;
4980 hdr[1] = 0;
4981 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4982 gtk, gtk_len);
4983 }
0c3bc1be 4984#ifdef CONFIG_IEEE80211W
d8afdb21
JM		 4985 opos = pos;
4986 pos = ieee80211w_kde_add(sm, pos);
9f917339
MV		 4987 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
4988 /* skip KDE header and keyid */
4989 opos += 2 + RSN_SELECTOR_LEN + 2;
d8afdb21
JM		 4990 os_memset(opos, 0, 6); /* clear PN */
4991 }
0c3bc1be 4992#endif /* CONFIG_IEEE80211W */
17c2559c
MV		 4993 if (ocv_oci_add(sm, &pos) < 0) {
4994 os_free(kde);
4995 return -1;
4996 }
d8afdb21
JM		 4997
4998#ifdef CONFIG_IEEE80211R_AP
4999 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
5000 int res;
5001 struct wpa_auth_config *conf;
5002
5003 conf = &sm->wpa_auth->conf;
5004 if (sm->assoc_resp_ftie &&
5005 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
5006 os_memcpy(pos, sm->assoc_resp_ftie,
5007 2 + sm->assoc_resp_ftie[1]);
5008 res = 2 + sm->assoc_resp_ftie[1];
5009 } else {
a7968ea5
JM		 5010 int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
5011
5012 res = wpa_write_ftie(conf, use_sha384,
5013 conf->r0_key_holder,
d8afdb21
JM		 5014 conf->r0_key_holder_len,
5015 NULL, NULL, pos,
5016 kde + kde_len - pos,
5017 NULL, 0);
5018 }
5019 if (res < 0) {
5020 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
5021 "into EAPOL-Key Key Data");
5022 os_free(kde);
5023 return -1;
5024 }
5025 pos += res;
5026
5027 /* TIE[ReassociationDeadline] (TU) */
5028 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5029 *pos++ = 5;
5030 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
5031 WPA_PUT_LE32(pos, conf->reassociation_deadline);
5032 pos += 4;
5033
5034 /* TIE[KeyLifetime] (seconds) */
5035 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
5036 *pos++ = 5;
5037 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
83fe4bd3 5038 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
d8afdb21
JM		 5039 pos += 4;
5040 }
5041#endif /* CONFIG_IEEE80211R_AP */
5042
5043 wpa_send_eapol(sm->wpa_auth, sm,
5044 (secure ? WPA_KEY_INFO_SECURE : 0) |
5045 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5046 WPA_KEY_INFO_MIC : 0) |
5047 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5048 WPA_KEY_INFO_KEY_TYPE,
5049 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
5050 os_free(kde);
5051 return 0;
5052}
5053
5054
3d695328
JM		 5055int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
5056 void (*cb)(void *ctx1, void *ctx2),
5057 void *ctx1, void *ctx2)
6bc2f00f
JM		 5058{
5059 u8 rsc[WPA_KEY_RSC_LEN];
5060 struct wpa_group *gsm = sm->group;
5061 const u8 *kde;
0c3bc1be
LD		 5062 u8 *kde_buf = NULL, *pos, hdr[2];
5063#ifdef CONFIG_IEEE80211W
5064 u8 *opos;
5065#endif /* CONFIG_IEEE80211W */
6bc2f00f
JM		 5066 size_t kde_len;
5067 u8 *gtk;
5068
5069 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5070 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5071 /* Use 0 RSC */
5072 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
5073 "sending 1/2 msg of Group Key Handshake (TESTING)");
5074
5075 gtk = gsm->GTK[gsm->GN - 1];
5076 if (sm->wpa == WPA_VERSION_WPA2) {
5077 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
17c2559c 5078 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
6bc2f00f
JM		 5079 kde_buf = os_malloc(kde_len);
5080 if (kde_buf == NULL)
5081 return -1;
5082
5083 kde = pos = kde_buf;
5084 hdr[0] = gsm->GN & 0x03;
5085 hdr[1] = 0;
5086 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5087 gtk, gsm->GTK_len);
0c3bc1be 5088#ifdef CONFIG_IEEE80211W
6bc2f00f
JM		 5089 opos = pos;
5090 pos = ieee80211w_kde_add(sm, pos);
9f917339
MV		 5091 if (pos - opos >=
5092 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
5093 /* skip KDE header and keyid */
5094 opos += 2 + RSN_SELECTOR_LEN + 2;
6bc2f00f
JM		 5095 os_memset(opos, 0, 6); /* clear PN */
5096 }
0c3bc1be 5097#endif /* CONFIG_IEEE80211W */
17c2559c
MV		 5098 if (ocv_oci_add(sm, &pos) < 0) {
5099 os_free(kde_buf);
5100 return -1;
5101 }
6bc2f00f
JM		 5102 kde_len = pos - kde;
5103 } else {
5104 kde = gtk;
5105 kde_len = gsm->GTK_len;
5106 }
5107
3d695328
JM		 5108 sm->eapol_status_cb = cb;
5109 sm->eapol_status_cb_ctx1 = ctx1;
5110 sm->eapol_status_cb_ctx2 = ctx2;
5111
6bc2f00f
JM		 5112 wpa_send_eapol(sm->wpa_auth, sm,
5113 WPA_KEY_INFO_SECURE |
5114 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5115 WPA_KEY_INFO_MIC : 0) |
5116 WPA_KEY_INFO_ACK |
5117 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5118 rsc, NULL, kde, kde_len, gsm->GN, 1);
5119
5120 os_free(kde_buf);
5121 return 0;
5122}
d8afdb21 5123
92662fb2
JB		 5124
5125int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
5126{
5127 if (!wpa_auth)
5128 return -1;
5129 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
5130 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
5131}
5132
6bc2f00f 5133#endif /* CONFIG_TESTING_OPTIONS */
Unnamed repository; edit this file 'description' to name the repository.