]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Reject eap_server_erp hostapd.conf parameter without CONFIG_ERP=y
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
98cd3d1c 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
3b5b7aa8 16#include "crypto/aes.h"
03da66bd 17#include "crypto/aes_wrap.h"
3b5b7aa8 18#include "crypto/aes_siv.h"
03da66bd
JM		 19#include "crypto/crypto.h"
20#include "crypto/sha1.h"
21#include "crypto/sha256.h"
c6eb3e34 22#include "crypto/sha384.h"
3642c431 23#include "crypto/random.h"
281c950b 24#include "eapol_auth/eapol_auth_sm.h"
6226e38d 25#include "ap_config.h"
6fc6879b 26#include "ieee802_11.h"
6226e38d
JM		 27#include "wpa_auth.h"
28#include "pmksa_cache_auth.h"
6fc6879b
JM		 29#include "wpa_auth_i.h"
30#include "wpa_auth_ie.h"
31
32#define STATE_MACHINE_DATA struct wpa_state_machine
33#define STATE_MACHINE_DEBUG_PREFIX "WPA"
34#define STATE_MACHINE_ADDR sm->addr
35
36
37static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 38static int wpa_sm_step(struct wpa_state_machine *sm);
567da5bb
JM		 39static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
40 u8 *data, size_t data_len);
75c8563e
JM		 41#ifdef CONFIG_FILS
42static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
43 u8 *buf, size_t buf_len, u16 *_key_data_len);
9392859d
JM		 44static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
45 const struct wpabuf *hlp);
75c8563e 46#endif /* CONFIG_FILS */
6fc6879b
JM		 47static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
48static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
49 struct wpa_group *group);
581a8cde 50static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 51static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
52 struct wpa_group *group);
1bdb7ab3
JM		 53static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
54 struct wpa_group *group);
f23c5b17 55static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 56 const u8 *pmk, unsigned int pmk_len,
57 struct wpa_ptk *ptk);
a0ad9e8c
MB		 58static void wpa_group_free(struct wpa_authenticator *wpa_auth,
59 struct wpa_group *group);
60static void wpa_group_get(struct wpa_authenticator *wpa_auth,
61 struct wpa_group *group);
62static void wpa_group_put(struct wpa_authenticator *wpa_auth,
63 struct wpa_group *group);
e73ffa09 64static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 65
bae61562
JM		 66static const u32 eapol_key_timeout_first = 100; /* ms */
67static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 68static const u32 eapol_key_timeout_first_group = 500; /* ms */
6f234c1e 69static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
6fc6879b
JM		 70
71/* TODO: make these configurable */
72static const int dot11RSNAConfigPMKLifetime = 43200;
73static const int dot11RSNAConfigPMKReauthThreshold = 70;
74static const int dot11RSNAConfigSATimeout = 60;
75
76
c772d054 77static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 78 struct wpa_authenticator *wpa_auth, const u8 *addr)
79{
cef8fac0
JB		 80 if (wpa_auth->cb->mic_failure_report)
81 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 82 return 0;
6fc6879b
JM		 83}
84
85
2c502460
JM		 86static inline void wpa_auth_psk_failure_report(
87 struct wpa_authenticator *wpa_auth, const u8 *addr)
88{
cef8fac0
JB		 89 if (wpa_auth->cb->psk_failure_report)
90 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 91}
92
93
6fc6879b
JM		 94static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
95 const u8 *addr, wpa_eapol_variable var,
96 int value)
97{
cef8fac0
JB		 98 if (wpa_auth->cb->set_eapol)
99 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 100}
101
102
103static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
104 const u8 *addr, wpa_eapol_variable var)
105{
cef8fac0 106 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 107 return -1;
cef8fac0 108 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 109}
110
111
112static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 113 const u8 *addr,
114 const u8 *p2p_dev_addr,
7a12edd1 115 const u8 *prev_psk, size_t *psk_len)
6fc6879b 116{
cef8fac0 117 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 118 return NULL;
cef8fac0 119 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
7a12edd1 120 prev_psk, psk_len);
6fc6879b
JM		 121}
122
123
124static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
125 const u8 *addr, u8 *msk, size_t *len)
126{
cef8fac0 127 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 128 return -1;
cef8fac0 129 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 130}
131
132
133static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
134 int vlan_id,
71934751 135 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 136 u8 *key, size_t key_len)
137{
cef8fac0 138 if (wpa_auth->cb->set_key == NULL)
6fc6879b 139 return -1;
cef8fac0
JB		 140 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
141 key, key_len);
6fc6879b
JM		 142}
143
144
145static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
146 const u8 *addr, int idx, u8 *seq)
147{
cef8fac0 148 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 149 return -1;
cef8fac0 150 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 151}
152
153
6fc6879b
JM		 154static inline int
155wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
156 const u8 *data, size_t data_len, int encrypt)
157{
cef8fac0 158 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 159 return -1;
cef8fac0
JB		 160 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
161 encrypt);
6fc6879b
JM		 162}
163
164
c50d94f1
BC		 165#ifdef CONFIG_MESH
166static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
167 const u8 *addr)
168{
cef8fac0 169 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 170 return -1;
cef8fac0 171 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 172}
173#endif /* CONFIG_MESH */
174
175
6fc6879b
JM		 176int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
177 int (*cb)(struct wpa_state_machine *sm, void *ctx),
178 void *cb_ctx)
179{
cef8fac0 180 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 181 return 0;
cef8fac0 182 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 183}
184
185
bf98f7f3
JM		 186int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
187 int (*cb)(struct wpa_authenticator *a, void *ctx),
188 void *cb_ctx)
189{
cef8fac0 190 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 191 return 0;
cef8fac0 192 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 193}
194
195
6fc6879b
JM		 196void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
197 logger_level level, const char *txt)
198{
cef8fac0 199 if (wpa_auth->cb->logger == NULL)
6fc6879b 200 return;
cef8fac0 201 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 202}
203
204
205void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
206 logger_level level, const char *fmt, ...)
207{
208 char *format;
209 int maxlen;
210 va_list ap;
211
cef8fac0 212 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 213 return;
214
215 maxlen = os_strlen(fmt) + 100;
216 format = os_malloc(maxlen);
217 if (!format)
218 return;
219
220 va_start(ap, fmt);
221 vsnprintf(format, maxlen, fmt, ap);
222 va_end(ap);
223
224 wpa_auth_logger(wpa_auth, addr, level, format);
225
226 os_free(format);
227}
228
229
230static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
567da5bb 231 const u8 *addr, u16 reason)
6fc6879b 232{
cef8fac0 233 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 234 return;
567da5bb
JM		 235 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
236 MAC2STR(addr), reason);
237 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
6fc6879b
JM		 238}
239
240
241static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
242{
56586197 243 int ret = 0;
4ec1fd8e 244#ifdef CONFIG_IEEE80211R_AP
56586197
JM		 245 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
246 ret = 1;
4ec1fd8e 247#endif /* CONFIG_IEEE80211R_AP */
56586197
JM		 248#ifdef CONFIG_IEEE80211W
249 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
250 ret = 1;
251#endif /* CONFIG_IEEE80211W */
a14896e8
JM		 252 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
253 ret = 1;
56586197 254 return ret;
6fc6879b
JM		 255}
256
257
258static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
259{
260 struct wpa_authenticator *wpa_auth = eloop_ctx;
261
3642c431 262 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 263 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
264 "initialization.");
265 } else {
266 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 267 wpa_hexdump_key(MSG_DEBUG, "GMK",
268 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 269 }
270
271 if (wpa_auth->conf.wpa_gmk_rekey) {
272 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
273 wpa_rekey_gmk, wpa_auth, NULL);
274 }
275}
276
277
278static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
279{
280 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 281 struct wpa_group *group, *next;
6fc6879b
JM		 282
283 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 284 group = wpa_auth->group;
285 while (group) {
286 wpa_group_get(wpa_auth, group);
287
6fc6879b
JM		 288 group->GTKReKey = TRUE;
289 do {
290 group->changed = FALSE;
291 wpa_group_sm_step(wpa_auth, group);
292 } while (group->changed);
a0ad9e8c
MB		 293
294 next = group->next;
295 wpa_group_put(wpa_auth, group);
296 group = next;
6fc6879b
JM		 297 }
298
299 if (wpa_auth->conf.wpa_group_rekey) {
300 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
301 0, wpa_rekey_gtk, wpa_auth, NULL);
302 }
303}
304
305
581a8cde
JM		 306static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
307{
308 struct wpa_authenticator *wpa_auth = eloop_ctx;
309 struct wpa_state_machine *sm = timeout_ctx;
310
311 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
312 wpa_request_new_ptk(sm);
313 wpa_sm_step(sm);
314}
315
316
6fc6879b
JM		 317static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
318{
319 if (sm->pmksa == ctx)
320 sm->pmksa = NULL;
321 return 0;
322}
323
324
325static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
326 void *ctx)
327{
328 struct wpa_authenticator *wpa_auth = ctx;
329 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
330}
331
332
1bdb7ab3
JM		 333static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
334 struct wpa_group *group)
335{
559cdabb 336 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 337 u8 rkey[32];
559cdabb 338 unsigned long ptr;
1bdb7ab3 339
3642c431 340 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 341 return -1;
342 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
343
344 /*
345 * Counter = PRF-256(Random number, "Init Counter",
346 * Local MAC Address || Time)
347 */
348 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
349 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 350 ptr = (unsigned long) group;
351 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 352 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 353 return -1;
354
355 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
356 group->Counter, WPA_NONCE_LEN) < 0)
357 return -1;
358 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
359 group->Counter, WPA_NONCE_LEN);
360
361 return 0;
362}
363
364
e6965d4e 365static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 366 int vlan_id, int delay_init)
e6965d4e
JM		 367{
368 struct wpa_group *group;
e6965d4e
JM		 369
370 group = os_zalloc(sizeof(struct wpa_group));
371 if (group == NULL)
372 return NULL;
373
374 group->GTKAuthenticator = TRUE;
375 group->vlan_id = vlan_id;
c3550295 376 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 377
08704cd8
JM		 378 if (random_pool_ready() != 1) {
379 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
380 "for secure operations - update keys later when "
381 "the first station connects");
382 }
383
1bdb7ab3
JM		 384 /*
385 * Set initial GMK/Counter value here. The actual values that will be
386 * used in negotiations will be set once the first station tries to
387 * connect. This allows more time for collecting additional randomness
388 * on embedded devices.
6fc6879b 389 */
1bdb7ab3 390 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 391 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
392 "initialization.");
393 os_free(group);
394 return NULL;
395 }
6fc6879b
JM		 396
397 group->GInit = TRUE;
bdffdc5d
JM		 398 if (delay_init) {
399 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
400 "until Beacon frames have been configured");
401 /* Initialization is completed in wpa_init_keys(). */
402 } else {
403 wpa_group_sm_step(wpa_auth, group);
404 group->GInit = FALSE;
405 wpa_group_sm_step(wpa_auth, group);
406 }
6fc6879b
JM		 407
408 return group;
409}
410
411
412/**
413 * wpa_init - Initialize WPA authenticator
414 * @addr: Authenticator address
415 * @conf: Configuration for WPA authenticator
a17df5fb 416 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 417 * Returns: Pointer to WPA authenticator data or %NULL on failure
418 */
419struct wpa_authenticator * wpa_init(const u8 *addr,
420 struct wpa_auth_config *conf,
cef8fac0
JB		 421 const struct wpa_auth_callbacks *cb,
422 void *cb_ctx)
6fc6879b
JM		 423{
424 struct wpa_authenticator *wpa_auth;
425
426 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
427 if (wpa_auth == NULL)
428 return NULL;
429 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
430 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 431 wpa_auth->cb = cb;
432 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 433
434 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
435 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
436 os_free(wpa_auth);
437 return NULL;
438 }
439
bdffdc5d 440 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 441 if (wpa_auth->group == NULL) {
442 os_free(wpa_auth->wpa_ie);
443 os_free(wpa_auth);
444 return NULL;
445 }
446
4bb081f1
JM		 447 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
448 wpa_auth);
6fc6879b
JM		 449 if (wpa_auth->pmksa == NULL) {
450 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 451 os_free(wpa_auth->group);
6fc6879b
JM		 452 os_free(wpa_auth->wpa_ie);
453 os_free(wpa_auth);
454 return NULL;
455 }
456
4ec1fd8e 457#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 458 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
459 if (wpa_auth->ft_pmk_cache == NULL) {
460 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 461 os_free(wpa_auth->group);
6fc6879b 462 os_free(wpa_auth->wpa_ie);
4bb081f1 463 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 464 os_free(wpa_auth);
465 return NULL;
466 }
4ec1fd8e 467#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 468
469 if (wpa_auth->conf.wpa_gmk_rekey) {
470 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
471 wpa_rekey_gmk, wpa_auth, NULL);
472 }
473
474 if (wpa_auth->conf.wpa_group_rekey) {
475 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
476 wpa_rekey_gtk, wpa_auth, NULL);
477 }
478
25ef8529
JM		 479#ifdef CONFIG_P2P
480 if (WPA_GET_BE32(conf->ip_addr_start)) {
481 int count = WPA_GET_BE32(conf->ip_addr_end) -
482 WPA_GET_BE32(conf->ip_addr_start) + 1;
483 if (count > 1000)
484 count = 1000;
485 if (count > 0)
486 wpa_auth->ip_pool = bitfield_alloc(count);
487 }
488#endif /* CONFIG_P2P */
489
6fc6879b
JM		 490 return wpa_auth;
491}
492
493
bdffdc5d
JM		 494int wpa_init_keys(struct wpa_authenticator *wpa_auth)
495{
496 struct wpa_group *group = wpa_auth->group;
497
498 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
499 "keys");
500 wpa_group_sm_step(wpa_auth, group);
501 group->GInit = FALSE;
502 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 503 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
504 return -1;
bdffdc5d
JM		 505 return 0;
506}
507
508
6fc6879b
JM		 509/**
510 * wpa_deinit - Deinitialize WPA authenticator
511 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
512 */
513void wpa_deinit(struct wpa_authenticator *wpa_auth)
514{
515 struct wpa_group *group, *prev;
516
517 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
518 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
519
4bb081f1 520 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 521
4ec1fd8e 522#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 523 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
524 wpa_auth->ft_pmk_cache = NULL;
eefe8630 525 wpa_ft_deinit(wpa_auth);
4ec1fd8e 526#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 527
25ef8529
JM		 528#ifdef CONFIG_P2P
529 bitfield_free(wpa_auth->ip_pool);
530#endif /* CONFIG_P2P */
531
532
6fc6879b
JM		 533 os_free(wpa_auth->wpa_ie);
534
535 group = wpa_auth->group;
536 while (group) {
537 prev = group;
538 group = group->next;
539 os_free(prev);
540 }
541
542 os_free(wpa_auth);
543}
544
545
546/**
547 * wpa_reconfig - Update WPA authenticator configuration
548 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
549 * @conf: Configuration for WPA authenticator
550 */
551int wpa_reconfig(struct wpa_authenticator *wpa_auth,
552 struct wpa_auth_config *conf)
553{
e6965d4e 554 struct wpa_group *group;
6fc6879b
JM		 555 if (wpa_auth == NULL)
556 return 0;
557
558 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 559 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
560 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
561 return -1;
562 }
563
e6965d4e
JM		 564 /*
565 * Reinitialize GTK to make sure it is suitable for the new
566 * configuration.
567 */
568 group = wpa_auth->group;
c3550295 569 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 570 group->GInit = TRUE;
571 wpa_group_sm_step(wpa_auth, group);
572 group->GInit = FALSE;
573 wpa_group_sm_step(wpa_auth, group);
574
6fc6879b
JM		 575 return 0;
576}
577
578
579struct wpa_state_machine *
94ddef3e
JM		 580wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
581 const u8 *p2p_dev_addr)
6fc6879b
JM		 582{
583 struct wpa_state_machine *sm;
584
7d7f7be2
JM		 585 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
586 return NULL;
587
6fc6879b
JM		 588 sm = os_zalloc(sizeof(struct wpa_state_machine));
589 if (sm == NULL)
590 return NULL;
591 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 592 if (p2p_dev_addr)
593 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 594
595 sm->wpa_auth = wpa_auth;
596 sm->group = wpa_auth->group;
a0ad9e8c 597 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 598
599 return sm;
600}
601
602
6f9b5d16
JM		 603int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
604 struct wpa_state_machine *sm)
6fc6879b
JM		 605{
606 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 607 return -1;
6fc6879b 608
4ec1fd8e 609#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 610 if (sm->ft_completed) {
611 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
612 "FT authentication already completed - do not "
613 "start 4-way handshake");
3d4d2348
JM		 614 /* Go to PTKINITDONE state to allow GTK rekeying */
615 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 616 sm->Pair = TRUE;
6f9b5d16 617 return 0;
6fc6879b 618 }
4ec1fd8e 619#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 620
07e0117d
JM		 621#ifdef CONFIG_FILS
622 if (sm->fils_completed) {
623 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
624 "FILS authentication already completed - do not start 4-way handshake");
625 /* Go to PTKINITDONE state to allow GTK rekeying */
626 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 627 sm->Pair = TRUE;
07e0117d
JM		 628 return 0;
629 }
630#endif /* CONFIG_FILS */
631
6fc6879b 632 if (sm->started) {
22a299ee 633 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 634 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 635 return wpa_sm_step(sm);
6fc6879b
JM		 636 }
637
638 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
639 "start authentication");
640 sm->started = 1;
641
642 sm->Init = TRUE;
e4a6ea1d 643 if (wpa_sm_step(sm) == 1)
6f9b5d16 644 return 1; /* should not really happen */
6fc6879b
JM		 645 sm->Init = FALSE;
646 sm->AuthenticationRequest = TRUE;
6f9b5d16 647 return wpa_sm_step(sm);
6fc6879b
JM		 648}
649
650
a8d05fca
JM		 651void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
652{
653 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
654 * reassociates back to the same AP while the previous entry for the
655 * STA has not yet been removed. */
656 if (sm == NULL)
657 return;
658
659 sm->wpa_key_mgmt = 0;
660}
661
662
6fc6879b
JM		 663static void wpa_free_sta_sm(struct wpa_state_machine *sm)
664{
25ef8529
JM		 665#ifdef CONFIG_P2P
666 if (WPA_GET_BE32(sm->ip_addr)) {
667 u32 start;
668 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
669 "address %u.%u.%u.%u from " MACSTR,
670 sm->ip_addr[0], sm->ip_addr[1],
671 sm->ip_addr[2], sm->ip_addr[3],
672 MAC2STR(sm->addr));
673 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
674 bitfield_clear(sm->wpa_auth->ip_pool,
675 WPA_GET_BE32(sm->ip_addr) - start);
676 }
677#endif /* CONFIG_P2P */
2ade8ef2
JM		 678 if (sm->GUpdateStationKeys) {
679 sm->group->GKeyDoneStations--;
680 sm->GUpdateStationKeys = FALSE;
681 }
4ec1fd8e 682#ifdef CONFIG_IEEE80211R_AP
0f857f43 683 os_free(sm->assoc_resp_ftie);
692ec305 684 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 685#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 686 os_free(sm->last_rx_eapol_key);
687 os_free(sm->wpa_ie);
a0ad9e8c 688 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b
JM		 689 os_free(sm);
690}
691
692
693void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
694{
695 if (sm == NULL)
696 return;
697
698 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
699 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
700 "strict rekeying - force GTK rekey since STA "
701 "is leaving");
3f5a1860
JB		 702 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
703 sm->wpa_auth, NULL) == -1)
704 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
705 NULL);
6fc6879b
JM		 706 }
707
708 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 709 sm->pending_1_of_4_timeout = 0;
6fc6879b 710 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 711 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3a46cf93
MB		 712#ifdef CONFIG_IEEE80211R_AP
713 wpa_ft_sta_deinit(sm);
714#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 715 if (sm->in_step_loop) {
716 /* Must not free state machine while wpa_sm_step() is running.
717 * Freeing will be completed in the end of wpa_sm_step(). */
718 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
719 "machine deinit for " MACSTR, MAC2STR(sm->addr));
720 sm->pending_deinit = 1;
721 } else
722 wpa_free_sta_sm(sm);
723}
724
725
726static void wpa_request_new_ptk(struct wpa_state_machine *sm)
727{
728 if (sm == NULL)
729 return;
730
731 sm->PTKRequest = TRUE;
732 sm->PTK_valid = 0;
733}
734
735
68921e24 736static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 737 const u8 *replay_counter)
738{
739 int i;
740 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 741 if (!ctr[i].valid)
22a299ee 742 break;
68921e24 743 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 744 WPA_REPLAY_COUNTER_LEN) == 0)
745 return 1;
746 }
747 return 0;
748}
749
750
68921e24
JM		 751static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
752 const u8 *replay_counter)
753{
754 int i;
755 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
756 if (ctr[i].valid &&
757 (replay_counter == NULL ||
758 os_memcmp(replay_counter, ctr[i].counter,
759 WPA_REPLAY_COUNTER_LEN) == 0))
760 ctr[i].valid = FALSE;
761 }
762}
763
764
4ec1fd8e 765#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 766static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
767 struct wpa_state_machine *sm,
768 struct wpa_eapol_ie_parse *kde)
769{
770 struct wpa_ie_data ie;
771 struct rsn_mdie *mdie;
772
773 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
774 ie.num_pmkid != 1 || ie.pmkid == NULL) {
775 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
776 "FT 4-way handshake message 2/4");
777 return -1;
778 }
779
780 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
781 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
782 sm->sup_pmk_r1_name, PMKID_LEN);
783
784 if (!kde->mdie || !kde->ftie) {
785 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
786 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
787 return -1;
788 }
789
790 mdie = (struct rsn_mdie *) (kde->mdie + 2);
791 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
792 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
793 MOBILITY_DOMAIN_ID_LEN) != 0) {
794 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
795 return -1;
796 }
797
798 if (sm->assoc_resp_ftie &&
799 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
800 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
801 2 + sm->assoc_resp_ftie[1]) != 0)) {
802 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
803 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
804 kde->ftie, kde->ftie_len);
805 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
806 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
807 return -1;
808 }
809
810 return 0;
811}
4ec1fd8e 812#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 813
814
c772d054
JM		 815static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
816 struct wpa_state_machine *sm, int group)
ec027805
JM		 817{
818 /* Supplicant reported a Michael MIC error */
819 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
820 "received EAPOL-Key Error Request "
821 "(STA detected Michael MIC failure (group=%d))",
822 group);
fbc72d32
JM		 823
824 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
825 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
826 "ignore Michael MIC failure report since "
827 "group cipher is not TKIP");
828 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
829 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
830 "ignore Michael MIC failure report since "
831 "pairwise cipher is not TKIP");
832 } else {
c772d054
JM		 833 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
834 return 1; /* STA entry was removed */
fbc72d32
JM		 835 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
836 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
837 }
ec027805
JM		 838
839 /*
840 * Error report is not a request for a new key handshake, but since
841 * Authenticator may do it, let's change the keys now anyway.
842 */
843 wpa_request_new_ptk(sm);
c772d054 844 return 0;
ec027805
JM		 845}
846
847
f23c5b17
JM		 848static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
849 size_t data_len)
850{
851 struct wpa_ptk PTK;
852 int ok = 0;
853 const u8 *pmk = NULL;
7a12edd1 854 size_t pmk_len;
f23c5b17 855
b729fd8d 856 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17 857 for (;;) {
e61fea6b
JM		 858 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
859 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
f23c5b17 860 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
7a12edd1 861 sm->p2p_dev_addr, pmk, &pmk_len);
f23c5b17
JM		 862 if (pmk == NULL)
863 break;
f9854c18
MK		 864#ifdef CONFIG_IEEE80211R_AP
865 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
866 os_memcpy(sm->xxkey, pmk, pmk_len);
867 sm->xxkey_len = pmk_len;
868 }
869#endif /* CONFIG_IEEE80211R_AP */
207976f0 870 } else {
f23c5b17 871 pmk = sm->PMK;
207976f0
JM		 872 pmk_len = sm->pmk_len;
873 }
f23c5b17 874
364c064a
JM		 875 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
876 break;
f23c5b17 877
567da5bb
JM		 878 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
879 data, data_len) == 0) {
f23c5b17
JM		 880 ok = 1;
881 break;
882 }
883
884 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
885 break;
886 }
887
888 if (!ok) {
889 wpa_printf(MSG_DEBUG,
890 "WPA: Earlier SNonce did not result in matching MIC");
891 return -1;
892 }
893
894 wpa_printf(MSG_DEBUG,
895 "WPA: Earlier SNonce resulted in matching MIC");
896 sm->alt_snonce_valid = 0;
897 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
898 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
899 sm->PTK_valid = TRUE;
900
901 return 0;
902}
903
904
6fc6879b
JM		 905void wpa_receive(struct wpa_authenticator *wpa_auth,
906 struct wpa_state_machine *sm,
907 u8 *data, size_t data_len)
908{
909 struct ieee802_1x_hdr *hdr;
910 struct wpa_eapol_key *key;
911 u16 key_info, key_data_length;
a0bf1b68 912 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
6fc6879b
JM		 913 char *msgtxt;
914 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 915 const u8 *key_data;
916 size_t keyhdrlen, mic_len;
6d014ffc 917 u8 *mic;
6fc6879b
JM		 918
919 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
920 return;
dc5bad48 921 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 922
567da5bb 923 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 924 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 925
dc5bad48
JM		 926 if (data_len < sizeof(*hdr) + keyhdrlen) {
927 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 928 return;
dc5bad48 929 }
6fc6879b
JM		 930
931 hdr = (struct ieee802_1x_hdr *) data;
932 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 933 mic = (u8 *) (key + 1);
6fc6879b 934 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 935 key_data = mic + mic_len + 2;
936 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 937 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 938 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
939 MAC2STR(sm->addr), key_info, key->type,
940 (unsigned int) mic_len, key_data_length);
941 wpa_hexdump(MSG_MSGDUMP,
942 "WPA: EAPOL-Key header (ending before Key MIC)",
943 key, sizeof(*key));
944 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
945 mic, mic_len);
5e3b5197 946 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 947 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
948 "key_data overflow (%d > %lu)",
949 key_data_length,
950 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 951 keyhdrlen));
6fc6879b
JM		 952 return;
953 }
954
f8e96eb6 955 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 956 if (key->type == EAPOL_KEY_TYPE_WPA) {
957 /*
958 * Some deployed station implementations seem to send
959 * msg 4/4 with incorrect type value in WPA2 mode.
960 */
961 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
962 "with unexpected WPA type in RSN mode");
963 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 964 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
965 "unexpected type %d in RSN mode",
966 key->type);
967 return;
968 }
969 } else {
970 if (key->type != EAPOL_KEY_TYPE_WPA) {
971 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
972 "unexpected type %d in WPA mode",
973 key->type);
974 return;
975 }
976 }
977
bc8318ac
JM		 978 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
979 WPA_NONCE_LEN);
980 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
981 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
982
6fc6879b
JM		 983 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
984 * are set */
985
a0bf1b68
JM		 986 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
987 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
988 return;
989 }
990
991 if (key_info & WPA_KEY_INFO_REQUEST) {
6fc6879b
JM		 992 msg = REQUEST;
993 msgtxt = "Request";
994 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
995 msg = GROUP_2;
996 msgtxt = "2/2 Group";
3b5b7aa8
JM		 997 } else if (key_data_length == 0 ||
998 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
999 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 1000 msg = PAIRWISE_4;
1001 msgtxt = "4/4 Pairwise";
1002 } else {
1003 msg = PAIRWISE_2;
1004 msgtxt = "2/4 Pairwise";
1005 }
1006
6fc6879b
JM		 1007 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1008 msg == GROUP_2) {
1009 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1010 if (sm->pairwise == WPA_CIPHER_CCMP ||
1011 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b 1012 if (wpa_use_aes_cmac(sm) &&
a14896e8 1013 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
929a2ea5 1014 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
b9866483 1015 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1016 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1017 wpa_auth_logger(wpa_auth, sm->addr,
1018 LOGGER_WARNING,
1019 "advertised support for "
1020 "AES-128-CMAC, but did not "
1021 "use it");
1022 return;
1023 }
1024
1025 if (!wpa_use_aes_cmac(sm) &&
9824de57 1026 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
2449791b 1027 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
07a5fe82 1028 sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
567da5bb 1029 sm->wpa_key_mgmt != WPA_KEY_MGMT_DPP &&
6fc6879b
JM		 1030 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1031 wpa_auth_logger(wpa_auth, sm->addr,
1032 LOGGER_WARNING,
1033 "did not use HMAC-SHA1-AES "
eb7719ff 1034 "with CCMP/GCMP");
6fc6879b
JM		 1035 return;
1036 }
1037 }
929a2ea5 1038
2449791b 1039 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
07a5fe82 1040 wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
567da5bb 1041 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
07a5fe82 1042 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
929a2ea5
JM		 1043 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1044 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1045 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1046 return;
1047 }
6fc6879b
JM		 1048 }
1049
1050 if (key_info & WPA_KEY_INFO_REQUEST) {
1051 if (sm->req_replay_counter_used &&
1052 os_memcmp(key->replay_counter, sm->req_replay_counter,
1053 WPA_REPLAY_COUNTER_LEN) <= 0) {
1054 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1055 "received EAPOL-Key request with "
1056 "replayed counter");
1057 return;
1058 }
1059 }
1060
1061 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1062 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1063 int i;
68921e24
JM		 1064
1065 if (msg == PAIRWISE_2 &&
1066 wpa_replay_counter_valid(sm->prev_key_replay,
1067 key->replay_counter) &&
1068 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1069 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1070 {
1071 /*
1072 * Some supplicant implementations (e.g., Windows XP
1073 * WZC) update SNonce for each EAPOL-Key 2/4. This
1074 * breaks the workaround on accepting any of the
1075 * pending requests, so allow the SNonce to be updated
1076 * even if we have already sent out EAPOL-Key 3/4.
1077 */
1078 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1079 "Process SNonce update from STA "
1080 "based on retransmitted EAPOL-Key "
1081 "1/4");
1082 sm->update_snonce = 1;
f23c5b17
JM		 1083 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1084 sm->alt_snonce_valid = TRUE;
1085 os_memcpy(sm->alt_replay_counter,
1086 sm->key_replay[0].counter,
1087 WPA_REPLAY_COUNTER_LEN);
1088 goto continue_processing;
1089 }
1090
1091 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1092 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1093 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1094 WPA_REPLAY_COUNTER_LEN) == 0) {
1095 /*
1096 * Supplicant may still be using the old SNonce since
1097 * there was two EAPOL-Key 2/4 messages and they had
1098 * different SNonce values.
1099 */
1100 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1101 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1102 goto continue_processing;
1103 }
1104
1105 if (msg == PAIRWISE_2 &&
1106 wpa_replay_counter_valid(sm->prev_key_replay,
1107 key->replay_counter) &&
1108 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1109 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1110 "ignore retransmitted EAPOL-Key %s - "
1111 "SNonce did not change", msgtxt);
1112 } else {
1113 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1114 "received EAPOL-Key %s with "
1115 "unexpected replay counter", msgtxt);
1116 }
22a299ee
JM		 1117 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1118 if (!sm->key_replay[i].valid)
1119 break;
1120 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1121 sm->key_replay[i].counter,
1122 WPA_REPLAY_COUNTER_LEN);
1123 }
6fc6879b
JM		 1124 wpa_hexdump(MSG_DEBUG, "received replay counter",
1125 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1126 return;
1127 }
1128
68921e24 1129continue_processing:
3b5b7aa8
JM		 1130#ifdef CONFIG_FILS
1131 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1132 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1133 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1134 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1135 return;
1136 }
1137#endif /* CONFIG_FILS */
1138
6fc6879b
JM		 1139 switch (msg) {
1140 case PAIRWISE_2:
1141 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1142 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1143 (!sm->update_snonce ||
1144 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1145 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1146 "received EAPOL-Key msg 2/4 in "
1147 "invalid state (%d) - dropped",
1148 sm->wpa_ptk_state);
1149 return;
1150 }
bbb921da 1151 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1152 if (sm->group->reject_4way_hs_for_entropy) {
1153 /*
1154 * The system did not have enough entropy to generate
1155 * strong random numbers. Reject the first 4-way
1156 * handshake(s) and collect some entropy based on the
1157 * information from it. Once enough entropy is
1158 * available, the next atempt will trigger GMK/Key
1159 * Counter update and the station will be allowed to
1160 * continue.
1161 */
1162 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1163 "collect more entropy for random number "
1164 "generation");
08704cd8 1165 random_mark_pool_ready();
567da5bb
JM		 1166 wpa_sta_disconnect(wpa_auth, sm->addr,
1167 WLAN_REASON_PREV_AUTH_NOT_VALID);
08704cd8
JM		 1168 return;
1169 }
6fc6879b
JM		 1170 break;
1171 case PAIRWISE_4:
1172 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1173 !sm->PTK_valid) {
1174 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1175 "received EAPOL-Key msg 4/4 in "
1176 "invalid state (%d) - dropped",
1177 sm->wpa_ptk_state);
1178 return;
1179 }
1180 break;
1181 case GROUP_2:
1182 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1183 || !sm->PTK_valid) {
1184 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1185 "received EAPOL-Key msg 2/2 in "
1186 "invalid state (%d) - dropped",
1187 sm->wpa_ptk_group_state);
1188 return;
1189 }
1190 break;
6fc6879b
JM		 1191 case REQUEST:
1192 break;
1193 }
1194
1195 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1196 "received EAPOL-Key frame (%s)", msgtxt);
1197
1198 if (key_info & WPA_KEY_INFO_ACK) {
1199 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1200 "received invalid EAPOL-Key: Key Ack set");
1201 return;
1202 }
1203
b9866483
JM		 1204 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1205 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1206 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1207 "received invalid EAPOL-Key: Key MIC not set");
1208 return;
1209 }
1210
b9866483
JM		 1211#ifdef CONFIG_FILS
1212 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1213 (key_info & WPA_KEY_INFO_MIC)) {
1214 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1215 "received invalid EAPOL-Key: Key MIC set");
1216 return;
1217 }
1218#endif /* CONFIG_FILS */
1219
6fc6879b 1220 sm->MICVerified = FALSE;
68921e24 1221 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8 1222 if (mic_len &&
567da5bb
JM		 1223 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1224 data, data_len) &&
f23c5b17
JM		 1225 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1226 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1227 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1228 "received EAPOL-Key with invalid MIC");
1229 return;
1230 }
75c8563e
JM		 1231#ifdef CONFIG_FILS
1232 if (!mic_len &&
1233 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1234 &key_data_length) < 0) {
1235 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1236 "received EAPOL-Key with invalid MIC");
1237 return;
1238 }
1239#endif /* CONFIG_FILS */
6fc6879b
JM		 1240 sm->MICVerified = TRUE;
1241 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1242 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1243 }
1244
1245 if (key_info & WPA_KEY_INFO_REQUEST) {
1246 if (sm->MICVerified) {
1247 sm->req_replay_counter_used = 1;
1248 os_memcpy(sm->req_replay_counter, key->replay_counter,
1249 WPA_REPLAY_COUNTER_LEN);
1250 } else {
1251 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1252 "received EAPOL-Key request with "
1253 "invalid MIC");
1254 return;
1255 }
1256
1257 /*
1258 * TODO: should decrypt key data field if encryption was used;
1259 * even though MAC address KDE is not normally encrypted,
1260 * supplicant is allowed to encrypt it.
1261 */
a0bf1b68 1262 if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1263 if (wpa_receive_error_report(
1264 wpa_auth, sm,
1265 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1266 return; /* STA entry was removed */
6fc6879b
JM		 1267 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1268 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1269 "received EAPOL-Key Request for new "
1270 "4-Way Handshake");
1271 wpa_request_new_ptk(sm);
6fc6879b 1272 } else if (key_data_length > 0 &&
5e3b5197
JM		 1273 wpa_parse_kde_ies(key_data, key_data_length,
1274 &kde) == 0 &&
6fc6879b
JM		 1275 kde.mac_addr) {
1276 } else {
1277 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1278 "received EAPOL-Key Request for GTK "
1279 "rekeying");
6fc6879b
JM		 1280 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1281 wpa_rekey_gtk(wpa_auth, NULL);
1282 }
1283 } else {
68921e24
JM		 1284 /* Do not allow the same key replay counter to be reused. */
1285 wpa_replay_counter_mark_invalid(sm->key_replay,
1286 key->replay_counter);
1287
1288 if (msg == PAIRWISE_2) {
1289 /*
1290 * Maintain a copy of the pending EAPOL-Key frames in
1291 * case the EAPOL-Key frame was retransmitted. This is
1292 * needed to allow EAPOL-Key msg 2/4 reply to another
1293 * pending msg 1/4 to update the SNonce to work around
1294 * unexpected supplicant behavior.
1295 */
1296 os_memcpy(sm->prev_key_replay, sm->key_replay,
1297 sizeof(sm->key_replay));
1298 } else {
1299 os_memset(sm->prev_key_replay, 0,
1300 sizeof(sm->prev_key_replay));
1301 }
1302
1303 /*
1304 * Make sure old valid counters are not accepted anymore and
1305 * do not get copied again.
1306 */
1307 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1308 }
1309
6fc6879b 1310 os_free(sm->last_rx_eapol_key);
a1f11e34 1311 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1312 if (sm->last_rx_eapol_key == NULL)
1313 return;
6fc6879b
JM		 1314 sm->last_rx_eapol_key_len = data_len;
1315
0d442aff 1316 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1317 sm->EAPOLKeyReceived = TRUE;
1318 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1319 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1320 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1321 wpa_sm_step(sm);
1322}
1323
1324
3c7302c2
JM		 1325static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1326 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1327{
c6eb3e34 1328 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
5cb9d5c3 1329 u8 *pos;
3c7302c2 1330 int ret = 0;
6fc6879b 1331
5cb9d5c3
JM		 1332 /* GTK = PRF-X(GMK, "Group key expansion",
1333 * AA || GNonce || Time || random data)
1334 * The example described in the IEEE 802.11 standard uses only AA and
1335 * GNonce as inputs here. Add some more entropy since this derivation
1336 * is done only at the Authenticator and as such, does not need to be
1337 * exactly same.
1338 */
c6eb3e34 1339 os_memset(data, 0, sizeof(data));
6fc6879b
JM		 1340 os_memcpy(data, addr, ETH_ALEN);
1341 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1342 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1343 wpa_get_ntp_timestamp(pos);
1344 pos += 8;
c6eb3e34 1345 if (random_get_bytes(pos, gtk_len) < 0)
3c7302c2 1346 ret = -1;
6fc6879b 1347
c6eb3e34
JM		 1348#ifdef CONFIG_SHA384
1349 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1350 gtk, gtk_len) < 0)
3c7302c2 1351 ret = -1;
c6eb3e34
JM		 1352#else /* CONFIG_SHA384 */
1353#ifdef CONFIG_SHA256
1354 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1355 gtk, gtk_len) < 0)
1356 ret = -1;
1357#else /* CONFIG_SHA256 */
1358 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1359 gtk, gtk_len) < 0)
1360 ret = -1;
1361#endif /* CONFIG_SHA256 */
1362#endif /* CONFIG_SHA384 */
3c7302c2
JM		 1363
1364 return ret;
6fc6879b
JM		 1365}
1366
1367
1368static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1369{
1370 struct wpa_authenticator *wpa_auth = eloop_ctx;
1371 struct wpa_state_machine *sm = timeout_ctx;
1372
e4bf4db9 1373 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1374 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1375 sm->TimeoutEvt = TRUE;
1376 wpa_sm_step(sm);
1377}
1378
1379
1380void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1381 struct wpa_state_machine *sm, int key_info,
1382 const u8 *key_rsc, const u8 *nonce,
1383 const u8 *kde, size_t kde_len,
1384 int keyidx, int encr, int force_version)
1385{
1386 struct ieee802_1x_hdr *hdr;
1387 struct wpa_eapol_key *key;
5e3b5197 1388 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1389 int alg;
1390 int key_data_len, pad_len = 0;
1391 u8 *buf, *pos;
1392 int version, pairwise;
22a299ee 1393 int i;
6d014ffc 1394 u8 *key_mic, *key_data;
6fc6879b 1395
567da5bb 1396 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 1397 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1398
1399 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1400
1401 if (force_version)
1402 version = force_version;
929a2ea5 1403 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
07a5fe82 1404 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1405 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
36a50fd4
JM		 1406 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1407 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
a14896e8 1408 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
6fc6879b
JM		 1409 else if (wpa_use_aes_cmac(sm))
1410 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1411 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1412 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1413 else
1414 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1415
8543ed8a 1416 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1417
1418 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1419 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1420 "encr=%d)",
1421 version,
1422 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1423 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1424 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1425 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1426 pairwise, (unsigned long) kde_len, keyidx, encr);
1427
1428 key_data_len = kde_len;
1429
1430 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1431 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1432 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a14896e8 1433 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1434 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1435 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1436 pad_len = key_data_len % 8;
1437 if (pad_len)
1438 pad_len = 8 - pad_len;
1439 key_data_len += pad_len + 8;
1440 }
1441
1442 len += key_data_len;
b729fd8d
JM		 1443 if (!mic_len && encr)
1444 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1445
1446 hdr = os_zalloc(len);
1447 if (hdr == NULL)
1448 return;
1449 hdr->version = wpa_auth->conf.eapol_version;
1450 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1451 hdr->length = host_to_be16(len - sizeof(*hdr));
1452 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1453 key_mic = (u8 *) (key + 1);
5e3b5197 1454 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1455
1456 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1457 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1458 key_info |= version;
1459 if (encr && sm->wpa == WPA_VERSION_WPA2)
1460 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1461 if (sm->wpa != WPA_VERSION_WPA2)
1462 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1463 WPA_PUT_BE16(key->key_info, key_info);
1464
1465 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
a0bf1b68 1466 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
6fc6879b 1467 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1468 else
1469 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b 1470
22a299ee
JM		 1471 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1472 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1473 os_memcpy(sm->key_replay[i].counter,
1474 sm->key_replay[i - 1].counter,
1475 WPA_REPLAY_COUNTER_LEN);
1476 }
1477 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1478 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1479 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1480 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1481 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1482 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1483
1484 if (nonce)
1485 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1486
1487 if (key_rsc)
1488 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1489
1490 if (kde && !encr) {
5e3b5197 1491 os_memcpy(key_data, kde, kde_len);
6d014ffc 1492 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d
JM		 1493#ifdef CONFIG_FILS
1494 } else if (!mic_len) {
1495 const u8 *aad[1];
1496 size_t aad_len[1];
1497
1498 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1499 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1500 kde, kde_len);
1501
1502 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1503 sm->PTK.kek, sm->PTK.kek_len);
1504 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1505 * to Key Data (exclusive). */
1506 aad[0] = (u8 *) hdr;
1507 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1508 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1509 1, aad, aad_len, key_mic + 2) < 0) {
1510 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1511 return;
1512 }
1513
1514 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1515 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1516#endif /* CONFIG_FILS */
6fc6879b
JM		 1517 } else if (encr && kde) {
1518 buf = os_zalloc(key_data_len);
1519 if (buf == NULL) {
1520 os_free(hdr);
1521 return;
1522 }
1523 pos = buf;
1524 os_memcpy(pos, kde, kde_len);
1525 pos += kde_len;
1526
1527 if (pad_len)
1528 *pos++ = 0xdd;
1529
1530 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1531 buf, key_data_len);
1532 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1533 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1534 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a14896e8 1535 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1536 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b 1537 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1538 wpa_printf(MSG_DEBUG,
1539 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1540 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1541 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1542 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1543 os_free(hdr);
1544 os_free(buf);
1545 return;
1546 }
6d014ffc 1547 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1548#ifndef CONFIG_NO_RC4
98cd3d1c 1549 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1550 u8 ek[32];
ef9627cb
JM		 1551
1552 wpa_printf(MSG_DEBUG,
1553 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1554 os_memcpy(key->key_iv,
1555 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1556 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1557 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1558 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1559 os_memcpy(key_data, buf, key_data_len);
1560 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1561 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1562#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1563 } else {
1564 os_free(hdr);
1565 os_free(buf);
1566 return;
6fc6879b
JM		 1567 }
1568 os_free(buf);
1569 }
1570
1571 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1572 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1573 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1574 "PTK not valid when sending EAPOL-Key "
1575 "frame");
1576 os_free(hdr);
1577 return;
1578 }
5e3b5197 1579
beae255a
JM		 1580 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1581 sm->wpa_key_mgmt, version,
1582 (u8 *) hdr, len, key_mic) < 0) {
1583 os_free(hdr);
1584 return;
1585 }
7af092a0
JB		 1586#ifdef CONFIG_TESTING_OPTIONS
1587 if (!pairwise &&
06df2aa6 1588 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1589 drand48() <
1590 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1591 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1592 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1593 key_mic[0]++;
7af092a0
JB		 1594 }
1595#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1596 }
1597
1598 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1599 1);
1600 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1601 sm->pairwise_set);
1602 os_free(hdr);
1603}
1604
1605
1606static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1607 struct wpa_state_machine *sm, int key_info,
1608 const u8 *key_rsc, const u8 *nonce,
1609 const u8 *kde, size_t kde_len,
1610 int keyidx, int encr)
1611{
1612 int timeout_ms;
1613 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1614 u32 ctr;
6fc6879b
JM		 1615
1616 if (sm == NULL)
1617 return;
1618
1619 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1620 keyidx, encr, 0);
1621
bae61562 1622 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1623 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1624 timeout_ms = pairwise ? eapol_key_timeout_first :
1625 eapol_key_timeout_first_group;
bae61562
JM		 1626 else
1627 timeout_ms = eapol_key_timeout_subseq;
6f234c1e
JM		 1628 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1629 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1630 timeout_ms = eapol_key_timeout_no_retrans;
e4bf4db9
JM		 1631 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1632 sm->pending_1_of_4_timeout = 1;
1633 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1634 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1635 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1636 wpa_send_eapol_timeout, wpa_auth, sm);
1637}
1638
1639
567da5bb
JM		 1640static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1641 u8 *data, size_t data_len)
6fc6879b
JM		 1642{
1643 struct ieee802_1x_hdr *hdr;
1644 struct wpa_eapol_key *key;
1645 u16 key_info;
1646 int ret = 0;
6d014ffc 1647 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
567da5bb 1648 size_t mic_len = wpa_mic_len(akmp, pmk_len);
6fc6879b
JM		 1649
1650 if (data_len < sizeof(*hdr) + sizeof(*key))
1651 return -1;
1652
1653 hdr = (struct ieee802_1x_hdr *) data;
1654 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1655 mic_pos = (u8 *) (key + 1);
6fc6879b 1656 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1657 os_memcpy(mic, mic_pos, mic_len);
1658 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1659 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1660 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1661 data, data_len, mic_pos) ||
1662 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1663 ret = -1;
6d014ffc 1664 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1665 return ret;
1666}
1667
1668
1669void wpa_remove_ptk(struct wpa_state_machine *sm)
1670{
1671 sm->PTK_valid = FALSE;
1672 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1673 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1674 0))
1675 wpa_printf(MSG_DEBUG,
1676 "RSN: PTK removal from the driver failed");
6fc6879b 1677 sm->pairwise_set = FALSE;
581a8cde 1678 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1679}
1680
1681
bb119228 1682int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1683{
5d22a1d5
JM		 1684 int remove_ptk = 1;
1685
6fc6879b 1686 if (sm == NULL)
6f9b5d16 1687 return -1;
6fc6879b
JM		 1688
1689 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1690 "event %d notification", event);
1691
1692 switch (event) {
1693 case WPA_AUTH:
c50d94f1
BC		 1694#ifdef CONFIG_MESH
1695 /* PTKs are derived through AMPE */
1696 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1697 /* not mesh */
1698 break;
1699 }
1700 return 0;
1701#endif /* CONFIG_MESH */
6fc6879b
JM		 1702 case WPA_ASSOC:
1703 break;
1704 case WPA_DEAUTH:
1705 case WPA_DISASSOC:
1706 sm->DeauthenticationRequest = TRUE;
1707 break;
1708 case WPA_REAUTH:
1709 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1710 if (!sm->started) {
1711 /*
1712 * When using WPS, we may end up here if the STA
1713 * manages to re-associate without the previous STA
1714 * entry getting removed. Consequently, we need to make
1715 * sure that the WPA state machines gets initialized
1716 * properly at this point.
1717 */
1718 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1719 "started - initialize now");
1720 sm->started = 1;
1721 sm->Init = TRUE;
1722 if (wpa_sm_step(sm) == 1)
1723 return 1; /* should not really happen */
1724 sm->Init = FALSE;
1725 sm->AuthenticationRequest = TRUE;
1726 break;
1727 }
9663596f
JM		 1728 if (sm->GUpdateStationKeys) {
1729 /*
1730 * Reauthentication cancels the pending group key
1731 * update for this STA.
1732 */
1733 sm->group->GKeyDoneStations--;
1734 sm->GUpdateStationKeys = FALSE;
1735 sm->PtkGroupInit = TRUE;
1736 }
6fc6879b
JM		 1737 sm->ReAuthenticationRequest = TRUE;
1738 break;
1739 case WPA_ASSOC_FT:
4ec1fd8e 1740#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1741 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1742 "after association");
1743 wpa_ft_install_ptk(sm);
1744
6fc6879b
JM		 1745 /* Using FT protocol, not WPA auth state machine */
1746 sm->ft_completed = 1;
6f9b5d16 1747 return 0;
4ec1fd8e 1748#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1749 break;
4ec1fd8e 1750#endif /* CONFIG_IEEE80211R_AP */
957bff83
JM		 1751 case WPA_ASSOC_FILS:
1752#ifdef CONFIG_FILS
1753 wpa_printf(MSG_DEBUG,
1754 "FILS: TK configuration after association");
1755 fils_set_tk(sm);
1756 sm->fils_completed = 1;
1757 return 0;
1758#else /* CONFIG_FILS */
1759 break;
1760#endif /* CONFIG_FILS */
0e3bd7ac
MV		 1761 case WPA_DRV_STA_REMOVED:
1762 sm->tk_already_set = FALSE;
1763 return 0;
6fc6879b
JM		 1764 }
1765
4ec1fd8e 1766#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1767 sm->ft_completed = 0;
4ec1fd8e 1768#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1769
5d22a1d5
JM		 1770#ifdef CONFIG_IEEE80211W
1771 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1772 remove_ptk = 0;
1773#endif /* CONFIG_IEEE80211W */
78815f3d 1774#ifdef CONFIG_FILS
da24c5aa
JM		 1775 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1776 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1777 remove_ptk = 0;
1778#endif /* CONFIG_FILS */
6fc6879b 1779
5d22a1d5
JM		 1780 if (remove_ptk) {
1781 sm->PTK_valid = FALSE;
1782 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1783
1784 if (event != WPA_REAUTH_EAPOL)
1785 wpa_remove_ptk(sm);
1786 }
6fc6879b 1787
43f49c37
JM		 1788 if (sm->in_step_loop) {
1789 /*
1790 * wpa_sm_step() is already running - avoid recursive call to
1791 * it by making the existing loop process the new update.
1792 */
1793 sm->changed = TRUE;
1794 return 0;
1795 }
6f9b5d16 1796 return wpa_sm_step(sm);
6fc6879b
JM		 1797}
1798
1799
6fc6879b
JM		 1800SM_STATE(WPA_PTK, INITIALIZE)
1801{
1802 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1803 if (sm->Init) {
1804 /* Init flag is not cleared here, so avoid busy
1805 * loop by claiming nothing changed. */
1806 sm->changed = FALSE;
1807 }
1808
1809 sm->keycount = 0;
1810 if (sm->GUpdateStationKeys)
1811 sm->group->GKeyDoneStations--;
1812 sm->GUpdateStationKeys = FALSE;
1813 if (sm->wpa == WPA_VERSION_WPA)
1814 sm->PInitAKeys = FALSE;
1815 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1816 * Local AA > Remote AA)) */) {
1817 sm->Pair = TRUE;
1818 }
1819 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1820 wpa_remove_ptk(sm);
1821 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1822 sm->TimeoutCtr = 0;
a1ea1b45 1823 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 1824 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 1825 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1826 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1827 WPA_EAPOL_authorized, 0);
1828 }
1829}
1830
1831
1832SM_STATE(WPA_PTK, DISCONNECT)
1833{
567da5bb
JM		 1834 u16 reason = sm->disconnect_reason;
1835
6fc6879b
JM		 1836 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1837 sm->Disconnect = FALSE;
567da5bb
JM		 1838 sm->disconnect_reason = 0;
1839 if (!reason)
1840 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1841 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
6fc6879b
JM		 1842}
1843
1844
1845SM_STATE(WPA_PTK, DISCONNECTED)
1846{
1847 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1848 sm->DeauthenticationRequest = FALSE;
1849}
1850
1851
1852SM_STATE(WPA_PTK, AUTHENTICATION)
1853{
1854 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1855 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1856 sm->PTK_valid = FALSE;
1857 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1858 1);
1859 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1860 sm->AuthenticationRequest = FALSE;
1861}
1862
1863
40d00d2b
NC		 1864static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1865 struct wpa_group *group)
1bdb7ab3 1866{
40d00d2b
NC		 1867 if (group->first_sta_seen)
1868 return;
1bdb7ab3
JM		 1869 /*
1870 * System has run bit further than at the time hostapd was started
1871 * potentially very early during boot up. This provides better chances
1872 * of collecting more randomness on embedded systems. Re-initialize the
1873 * GMK and Counter here to improve their strength if there was not
1874 * enough entropy available immediately after system startup.
1875 */
1876 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1877 "station");
08704cd8
JM		 1878 if (random_pool_ready() != 1) {
1879 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1880 "to proceed - reject first 4-way handshake");
1881 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1882 } else {
1883 group->first_sta_seen = TRUE;
1884 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1885 }
40d00d2b 1886
aac1efec
JM		 1887 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1888 wpa_gtk_update(wpa_auth, group) < 0 ||
1889 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1890 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1891 group->first_sta_seen = FALSE;
1892 group->reject_4way_hs_for_entropy = TRUE;
1893 }
1bdb7ab3
JM		 1894}
1895
1896
6fc6879b
JM		 1897SM_STATE(WPA_PTK, AUTHENTICATION2)
1898{
1899 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1900
40d00d2b 1901 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1902 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1903
3825a19b
JM		 1904 /*
1905 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1906 * ambiguous. The Authenticator state machine uses a counter that is
1907 * incremented by one for each 4-way handshake. However, the security
1908 * analysis of 4-way handshake points out that unpredictable nonces
1909 * help in preventing precomputation attacks. Instead of the state
1910 * machine definition, use an unpredictable nonce value here to provide
1911 * stronger protection against potential precomputation attacks.
1912 */
1913 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1914 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1915 "ANonce.");
65a32cdb 1916 sm->Disconnect = TRUE;
3825a19b
JM		 1917 return;
1918 }
bc8318ac
JM		 1919 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1920 WPA_NONCE_LEN);
6fc6879b
JM		 1921 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1922 * logical place than INITIALIZE since AUTHENTICATION2 can be
1923 * re-entered on ReAuthenticationRequest without going through
1924 * INITIALIZE. */
1925 sm->TimeoutCtr = 0;
1926}
1927
1928
0adc9b28
JM		 1929static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
1930{
1931 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1932 wpa_printf(MSG_ERROR,
1933 "WPA: Failed to get random data for ANonce");
1934 sm->Disconnect = TRUE;
1935 return -1;
1936 }
1937 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
1938 WPA_NONCE_LEN);
1939 sm->TimeoutCtr = 0;
1940 return 0;
1941}
1942
1943
6fc6879b
JM		 1944SM_STATE(WPA_PTK, INITPMK)
1945{
1946 u8 msk[2 * PMK_LEN];
1947 size_t len = 2 * PMK_LEN;
1948
1949 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1950#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1951 sm->xxkey_len = 0;
4ec1fd8e 1952#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1953 if (sm->pmksa) {
1954 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1955 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1956 sm->pmk_len = sm->pmksa->pmk_len;
567da5bb
JM		 1957#ifdef CONFIG_DPP
1958 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1959 wpa_printf(MSG_DEBUG,
1960 "DPP: No PMKSA cache entry for STA - reject connection");
1961 sm->Disconnect = TRUE;
1962 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
1963 return;
1964#endif /* CONFIG_DPP */
6fc6879b 1965 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1966 unsigned int pmk_len;
1967
834c5d68 1968 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 1969 pmk_len = PMK_LEN_SUITE_B_192;
1970 else
1971 pmk_len = PMK_LEN;
6fc6879b 1972 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1973 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1974 pmk_len);
1975 if (len < pmk_len) {
1976 wpa_printf(MSG_DEBUG,
1977 "WPA: MSK not long enough (%u) to create PMK (%u)",
1978 (unsigned int) len, (unsigned int) pmk_len);
1979 sm->Disconnect = TRUE;
1980 return;
1981 }
1982 os_memcpy(sm->PMK, msk, pmk_len);
1983 sm->pmk_len = pmk_len;
4ec1fd8e 1984#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1985 if (len >= 2 * PMK_LEN) {
1986 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1987 sm->xxkey_len = PMK_LEN;
1988 }
4ec1fd8e 1989#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1990 } else {
400de9b1 1991 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 1992 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 1993 sm->Disconnect = TRUE;
1994 return;
6fc6879b 1995 }
40aaa64f 1996 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 1997
1998 sm->req_replay_counter_used = 0;
1999 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2000 * will break reauthentication since EAPOL state machines may not be
2001 * get into AUTHENTICATING state that clears keyRun before WPA state
2002 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2003 * state and takes PMK from the previously used AAA Key. This will
2004 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2005 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2006 * be good workaround for this issue. */
2007 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2008}
2009
2010
2011SM_STATE(WPA_PTK, INITPSK)
2012{
2013 const u8 *psk;
7a12edd1
JM		 2014 size_t psk_len;
2015
6fc6879b 2016 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
7a12edd1
JM		 2017 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2018 &psk_len);
6fc6879b 2019 if (psk) {
7a12edd1
JM		 2020 os_memcpy(sm->PMK, psk, psk_len);
2021 sm->pmk_len = psk_len;
4ec1fd8e 2022#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 2023 os_memcpy(sm->xxkey, psk, PMK_LEN);
2024 sm->xxkey_len = PMK_LEN;
4ec1fd8e 2025#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2026 }
e61fea6b
JM		 2027#ifdef CONFIG_SAE
2028 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2029 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2030 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2031 sm->pmk_len = sm->pmksa->pmk_len;
2032 }
2033#endif /* CONFIG_SAE */
6fc6879b
JM		 2034 sm->req_replay_counter_used = 0;
2035}
2036
2037
2038SM_STATE(WPA_PTK, PTKSTART)
2039{
2040 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2041 size_t pmkid_len = 0;
2042
2043 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2044 sm->PTKRequest = FALSE;
2045 sm->TimeoutEvt = FALSE;
f23c5b17 2046 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2047
2048 sm->TimeoutCtr++;
41f140d3 2049 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2050 /* No point in sending the EAPOL-Key - we will disconnect
2051 * immediately following this. */
2052 return;
2053 }
2054
6fc6879b
JM		 2055 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2056 "sending 1/4 msg of 4-Way Handshake");
2057 /*
2058 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2059 * one possible PSK for this STA.
2060 */
2061 if (sm->wpa == WPA_VERSION_WPA2 &&
e61fea6b 2062 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
d90f10fa 2063 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
e61fea6b 2064 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
a14896e8 2065 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2066 pmkid = buf;
2067 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2068 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2069 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2070 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2071 if (sm->pmksa) {
6fc6879b
JM		 2072 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2073 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2074 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2075 /* No KCK available to derive PMKID */
2076 pmkid = NULL;
2077 } else {
6fc6879b
JM		 2078 /*
2079 * Calculate PMKID since no PMKSA cache entry was
2080 * available with pre-calculated PMKID.
2081 */
207976f0 2082 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197 2083 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
41b81914 2084 sm->wpa_key_mgmt);
6fc6879b
JM		 2085 }
2086 }
2087 wpa_send_eapol(sm->wpa_auth, sm,
2088 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2089 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2090}
2091
2092
f23c5b17 2093static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2094 const u8 *pmk, unsigned int pmk_len,
2095 struct wpa_ptk *ptk)
6fc6879b 2096{
4ec1fd8e 2097#ifdef CONFIG_IEEE80211R_AP
56586197 2098 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2099 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2100#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2101
207976f0 2102 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c
JM		 2103 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2104 ptk, sm->wpa_key_mgmt, sm->pairwise);
6fc6879b
JM		 2105}
2106
2107
3b5b7aa8 2108#ifdef CONFIG_FILS
c4fd6d8a
JM		 2109
2110int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
80ddf5d9 2111 size_t pmk_len, const u8 *snonce, const u8 *anonce,
4cada9dc 2112 const u8 *dhss, size_t dhss_len,
80ddf5d9 2113 struct wpabuf *g_sta, struct wpabuf *g_ap)
c4fd6d8a
JM		 2114{
2115 u8 ick[FILS_ICK_MAX_LEN];
2116 size_t ick_len;
2117 int res;
8fed47e0
JM		 2118 u8 fils_ft[FILS_FT_MAX_LEN];
2119 size_t fils_ft_len = 0;
c4fd6d8a
JM		 2120
2121 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
4cada9dc
JM		 2122 snonce, anonce, dhss, dhss_len,
2123 &sm->PTK, ick, &ick_len,
8fed47e0
JM		 2124 sm->wpa_key_mgmt, sm->pairwise,
2125 fils_ft, &fils_ft_len);
c4fd6d8a
JM		 2126 if (res < 0)
2127 return res;
2128 sm->PTK_valid = TRUE;
2f1357fb 2129 sm->tk_already_set = FALSE;
c4fd6d8a 2130
8fed47e0
JM		 2131#ifdef CONFIG_IEEE80211R_AP
2132 if (fils_ft_len) {
2133 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2134 struct wpa_auth_config *conf = &wpa_auth->conf;
2135 u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
2136
2137 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2138 conf->ssid, conf->ssid_len,
2139 conf->mobility_domain,
2140 conf->r0_key_holder,
2141 conf->r0_key_holder_len,
2142 sm->addr, pmk_r0, pmk_r0_name) < 0)
2143 return -1;
2144
2145 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", pmk_r0, PMK_LEN);
2146 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2147 pmk_r0_name, WPA_PMK_NAME_LEN);
2148 wpa_ft_store_pmk_r0(wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
2149 sm->pairwise);
2150 os_memset(fils_ft, 0, sizeof(fils_ft));
2151 }
2152#endif /* CONFIG_IEEE80211R_AP */
2153
c4fd6d8a
JM		 2154 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2155 sm->addr, sm->wpa_auth->addr,
80ddf5d9
JM		 2156 g_sta ? wpabuf_head(g_sta) : NULL,
2157 g_sta ? wpabuf_len(g_sta) : 0,
2158 g_ap ? wpabuf_head(g_ap) : NULL,
2159 g_ap ? wpabuf_len(g_ap) : 0,
c4fd6d8a
JM		 2160 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2161 sm->fils_key_auth_ap,
2162 &sm->fils_key_auth_len);
2163 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2164
2165 /* Store nonces for (Re)Association Request/Response frame processing */
2166 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2167 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2168
c4fd6d8a
JM		 2169 return res;
2170}
2171
2172
3b5b7aa8 2173static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2174 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2175{
2176 struct ieee802_1x_hdr *hdr;
2177 struct wpa_eapol_key *key;
2178 u8 *pos;
2179 u16 key_data_len;
2180 u8 *tmp;
2181 const u8 *aad[1];
2182 size_t aad_len[1];
2183
75c8563e 2184 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2185 key = (struct wpa_eapol_key *) (hdr + 1);
2186 pos = (u8 *) (key + 1);
2187 key_data_len = WPA_GET_BE16(pos);
2188 if (key_data_len < AES_BLOCK_SIZE ||
2189 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2190 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2191 "No room for AES-SIV data in the frame");
2192 return -1;
2193 }
2194 pos += 2; /* Pointing at the Encrypted Key Data field */
2195
2196 tmp = os_malloc(key_data_len);
2197 if (!tmp)
2198 return -1;
2199
2200 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2201 * to Key Data (exclusive). */
75c8563e
JM		 2202 aad[0] = buf;
2203 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2204 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2205 1, aad, aad_len, tmp) < 0) {
2206 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2207 "Invalid AES-SIV data in the frame");
2208 bin_clear_free(tmp, key_data_len);
2209 return -1;
2210 }
2211
2212 /* AEAD decryption and validation completed successfully */
2213 key_data_len -= AES_BLOCK_SIZE;
2214 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2215 tmp, key_data_len);
2216
2217 /* Replace Key Data field with the decrypted version */
2218 os_memcpy(pos, tmp, key_data_len);
2219 pos -= 2; /* Key Data Length field */
2220 WPA_PUT_BE16(pos, key_data_len);
2221 bin_clear_free(tmp, key_data_len);
2222 if (_key_data_len)
2223 *_key_data_len = key_data_len;
2224 return 0;
2225}
78815f3d
JM		 2226
2227
087631b9
JM		 2228const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2229 const u8 *ies, size_t ies_len,
2230 const u8 *fils_session)
2231{
2232 const u8 *ie, *end;
2233 const u8 *session = NULL;
2234
2235 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2236 wpa_printf(MSG_DEBUG,
2237 "FILS: Not a FILS AKM - reject association");
2238 return NULL;
2239 }
2240
2241 /* Verify Session element */
2242 ie = ies;
2243 end = ((const u8 *) ie) + ies_len;
2244 while (ie + 1 < end) {
2245 if (ie + 2 + ie[1] > end)
2246 break;
2247 if (ie[0] == WLAN_EID_EXTENSION &&
2248 ie[1] >= 1 + FILS_SESSION_LEN &&
2249 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2250 session = ie;
2251 break;
2252 }
2253 ie += 2 + ie[1];
2254 }
2255
2256 if (!session) {
2257 wpa_printf(MSG_DEBUG,
2258 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2259 __func__);
2260 return NULL;
2261 }
2262
2263 if (!fils_session) {
2264 wpa_printf(MSG_DEBUG,
2265 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2266 __func__);
2267 return NULL;
2268 }
2269
2270 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2271 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2272 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2273 fils_session, FILS_SESSION_LEN);
2274 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2275 session + 3, FILS_SESSION_LEN);
2276 return NULL;
2277 }
2278 return session;
2279}
2280
2281
bd599353
JM		 2282int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2283 size_t ies_len)
2284{
2285 struct ieee802_11_elems elems;
2286
2287 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2288 wpa_printf(MSG_DEBUG,
2289 "FILS: Failed to parse decrypted elements");
2290 return -1;
2291 }
2292
8b5ddda5
JM		 2293 if (!elems.fils_session) {
2294 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2295 return -1;
2296 }
2297
bd599353
JM		 2298 if (!elems.fils_key_confirm) {
2299 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2300 return -1;
2301 }
2302
2303 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2304 wpa_printf(MSG_DEBUG,
2305 "FILS: Unexpected Key-Auth length %d (expected %d)",
2306 elems.fils_key_confirm_len,
2307 (int) sm->fils_key_auth_len);
2308 return -1;
2309 }
2310
2311 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2312 sm->fils_key_auth_len) != 0) {
2313 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2314 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2315 elems.fils_key_confirm, elems.fils_key_confirm_len);
2316 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2317 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2318 return -1;
2319 }
2320
2321 return 0;
2322}
2323
2324
78815f3d
JM		 2325int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2326 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2327 u8 *pos, size_t left)
2328{
2329 u16 fc, stype;
2330 const u8 *end, *ie_start, *ie, *session, *crypt;
78815f3d
JM		 2331 const u8 *aad[5];
2332 size_t aad_len[5];
2333
2334 if (!sm || !sm->PTK_valid) {
2335 wpa_printf(MSG_DEBUG,
2336 "FILS: No KEK to decrypt Assocication Request frame");
2337 return -1;
2338 }
2339
2340 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2341 wpa_printf(MSG_DEBUG,
2342 "FILS: Not a FILS AKM - reject association");
2343 return -1;
2344 }
2345
2346 end = ((const u8 *) mgmt) + frame_len;
2347 fc = le_to_host16(mgmt->frame_control);
2348 stype = WLAN_FC_GET_STYPE(fc);
2349 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2350 ie_start = mgmt->u.reassoc_req.variable;
2351 else
2352 ie_start = mgmt->u.assoc_req.variable;
2353 ie = ie_start;
2354
2355 /*
2356 * Find FILS Session element which is the last unencrypted element in
2357 * the frame.
2358 */
087631b9
JM		 2359 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2360 fils_session);
78815f3d 2361 if (!session) {
087631b9 2362 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
78815f3d
JM		 2363 return -1;
2364 }
087631b9 2365
78815f3d
JM		 2366 crypt = session + 2 + session[1];
2367
2368 if (end - crypt < AES_BLOCK_SIZE) {
2369 wpa_printf(MSG_DEBUG,
2370 "FILS: Too short frame to include AES-SIV data");
2371 return -1;
2372 }
2373
2374 /* AES-SIV AAD vectors */
2375
2376 /* The STA's MAC address */
2377 aad[0] = mgmt->sa;
2378 aad_len[0] = ETH_ALEN;
2379 /* The AP's BSSID */
2380 aad[1] = mgmt->da;
2381 aad_len[1] = ETH_ALEN;
2382 /* The STA's nonce */
2383 aad[2] = sm->SNonce;
2384 aad_len[2] = FILS_NONCE_LEN;
2385 /* The AP's nonce */
2386 aad[3] = sm->ANonce;
2387 aad_len[3] = FILS_NONCE_LEN;
2388 /*
2389 * The (Re)Association Request frame from the Capability Information
2390 * field to the FILS Session element (both inclusive).
2391 */
2392 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2393 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2394
2395 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2396 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2397 wpa_printf(MSG_DEBUG,
2398 "FILS: Invalid AES-SIV data in the frame");
2399 return -1;
2400 }
2401 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2402 pos, left - AES_BLOCK_SIZE);
2403
bd599353
JM		 2404 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2405 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
78815f3d
JM		 2406 return -1;
2407 }
2408
2409 return left - AES_BLOCK_SIZE;
2410}
2411
e73ffa09
JM		 2412
2413int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2414 size_t current_len, size_t max_len,
2415 const struct wpabuf *hlp)
e73ffa09
JM		 2416{
2417 u8 *end = buf + max_len;
2418 u8 *pos = buf + current_len;
2419 struct ieee80211_mgmt *mgmt;
2420 struct wpabuf *plain;
e73ffa09
JM		 2421 const u8 *aad[5];
2422 size_t aad_len[5];
2423
2424 if (!sm || !sm->PTK_valid)
2425 return -1;
2426
2427 wpa_hexdump(MSG_DEBUG,
2428 "FILS: Association Response frame before FILS processing",
2429 buf, current_len);
2430
2431 mgmt = (struct ieee80211_mgmt *) buf;
2432
2433 /* AES-SIV AAD vectors */
2434
2435 /* The AP's BSSID */
2436 aad[0] = mgmt->sa;
2437 aad_len[0] = ETH_ALEN;
2438 /* The STA's MAC address */
2439 aad[1] = mgmt->da;
2440 aad_len[1] = ETH_ALEN;
2441 /* The AP's nonce */
2442 aad[2] = sm->ANonce;
2443 aad_len[2] = FILS_NONCE_LEN;
2444 /* The STA's nonce */
2445 aad[3] = sm->SNonce;
2446 aad_len[3] = FILS_NONCE_LEN;
2447 /*
2448 * The (Re)Association Response frame from the Capability Information
2449 * field (the same offset in both Association and Reassociation
2450 * Response frames) to the FILS Session element (both inclusive).
2451 */
2452 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2453 aad_len[4] = pos - aad[4];
2454
2455 /* The following elements will be encrypted with AES-SIV */
9392859d
JM		 2456 plain = fils_prepare_plainbuf(sm, hlp);
2457 if (!plain) {
2458 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2459 return -1;
2460 }
2461
2462 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2463 wpa_printf(MSG_DEBUG,
2464 "FILS: Not enough room for FILS elements");
2465 wpabuf_free(plain);
2466 return -1;
2467 }
2468
2469 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2470 plain);
2471
2472 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2473 wpabuf_head(plain), wpabuf_len(plain),
2474 5, aad, aad_len, pos) < 0) {
2475 wpabuf_free(plain);
2476 return -1;
2477 }
2478
2479 wpa_hexdump(MSG_DEBUG,
2480 "FILS: Encrypted Association Response elements",
2481 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2482 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2483 wpabuf_free(plain);
2484
2485 sm->fils_completed = 1;
2486
2487 return current_len;
2488}
2489
2490
2491static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2492 const struct wpabuf *hlp)
2493{
2494 struct wpabuf *plain;
2495 u8 *len, *tmp, *tmp2;
2496 u8 hdr[2];
2497 u8 *gtk, dummy_gtk[32];
2498 size_t gtk_len;
2499 struct wpa_group *gsm;
e73ffa09
JM		 2500
2501 plain = wpabuf_alloc(1000);
2502 if (!plain)
9392859d 2503 return NULL;
e73ffa09
JM		 2504
2505 /* TODO: FILS Public Key */
2506
2507 /* FILS Key Confirmation */
2508 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2509 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2510 /* Element ID Extension */
2511 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2512 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2513
91d91abf
JM		 2514 /* FILS HLP Container */
2515 if (hlp)
2516 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2517
2518 /* TODO: FILS IP Address Assignment */
2519
2520 /* Key Delivery */
2521 gsm = sm->group;
2522 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2523 len = wpabuf_put(plain, 1);
2524 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2525 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2526 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2527 /* GTK KDE */
2528 gtk = gsm->GTK[gsm->GN - 1];
2529 gtk_len = gsm->GTK_len;
2530 if (sm->wpa_auth->conf.disable_gtk) {
2531 /*
2532 * Provide unique random GTK to each STA to prevent use
2533 * of GTK in the BSS.
2534 */
2535 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2536 wpabuf_free(plain);
9392859d 2537 return NULL;
e73ffa09
JM		 2538 }
2539 gtk = dummy_gtk;
2540 }
2541 hdr[0] = gsm->GN & 0x03;
2542 hdr[1] = 0;
2543 tmp = wpabuf_put(plain, 0);
2544 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2545 gtk, gtk_len);
2546 wpabuf_put(plain, tmp2 - tmp);
2547
2548 /* IGTK KDE */
2549 tmp = wpabuf_put(plain, 0);
2550 tmp2 = ieee80211w_kde_add(sm, tmp);
2551 wpabuf_put(plain, tmp2 - tmp);
2552
2553 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
9392859d 2554 return plain;
e73ffa09
JM		 2555}
2556
da24c5aa
JM		 2557
2558int fils_set_tk(struct wpa_state_machine *sm)
2559{
2560 enum wpa_alg alg;
2561 int klen;
2562
2f1357fb
JM		 2563 if (!sm || !sm->PTK_valid) {
2564 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2565 return -1;
2566 }
2567 if (sm->tk_already_set) {
2568 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
da24c5aa 2569 return -1;
2f1357fb 2570 }
da24c5aa
JM		 2571
2572 alg = wpa_cipher_to_alg(sm->pairwise);
2573 klen = wpa_cipher_key_len(sm->pairwise);
2574
2575 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2576 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2577 sm->PTK.tk, klen)) {
2578 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2579 return -1;
2580 }
2f1357fb 2581 sm->tk_already_set = TRUE;
da24c5aa
JM		 2582
2583 return 0;
2584}
2585
fa61bff6
JM		 2586
2587u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
8b5ddda5 2588 const u8 *fils_session, struct wpabuf *hlp)
fa61bff6
JM		 2589{
2590 struct wpabuf *plain;
2591 u8 *pos = buf;
2592
2593 /* FILS Session */
2594 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2595 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2596 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2597 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2598 pos += FILS_SESSION_LEN;
2599
8b5ddda5 2600 plain = fils_prepare_plainbuf(sm, hlp);
fa61bff6
JM		 2601 if (!plain) {
2602 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2603 return NULL;
2604 }
2605
2606 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2607 pos += wpabuf_len(plain);
2608
2609 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2610 (unsigned int) wpabuf_len(plain));
2611 wpabuf_free(plain);
2612 sm->fils_completed = 1;
2613 return pos;
2614}
2615
3b5b7aa8
JM		 2616#endif /* CONFIG_FILS */
2617
2618
6fc6879b
JM		 2619SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2620{
3b5b7aa8 2621 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2622 struct wpa_ptk PTK;
2c502460 2623 int ok = 0, psk_found = 0;
6fc6879b 2624 const u8 *pmk = NULL;
7a12edd1 2625 size_t pmk_len;
3b5b7aa8
JM		 2626 int ft;
2627 const u8 *eapol_key_ie, *key_data, *mic;
2628 u16 key_data_length;
2629 size_t mic_len, eapol_key_ie_len;
2630 struct ieee802_1x_hdr *hdr;
2631 struct wpa_eapol_key *key;
2632 struct wpa_eapol_ie_parse kde;
6fc6879b
JM		 2633
2634 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2635 sm->EAPOLKeyReceived = FALSE;
68921e24 2636 sm->update_snonce = FALSE;
b729fd8d 2637 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2638
567da5bb 2639 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3b5b7aa8 2640
6fc6879b
JM		 2641 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2642 * WPA-PSK: iterate through possible PSKs and select the one matching
2643 * the packet */
2644 for (;;) {
e61fea6b
JM		 2645 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2646 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
759fd76b 2647 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
7a12edd1 2648 sm->p2p_dev_addr, pmk, &pmk_len);
6fc6879b
JM		 2649 if (pmk == NULL)
2650 break;
2c502460 2651 psk_found = 1;
f9854c18
MK		 2652#ifdef CONFIG_IEEE80211R_AP
2653 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
2654 os_memcpy(sm->xxkey, pmk, pmk_len);
2655 sm->xxkey_len = pmk_len;
2656 }
2657#endif /* CONFIG_IEEE80211R_AP */
207976f0 2658 } else {
6fc6879b 2659 pmk = sm->PMK;
207976f0
JM		 2660 pmk_len = sm->pmk_len;
2661 }
6fc6879b 2662
364c064a
JM		 2663 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2664 break;
6fc6879b 2665
3b5b7aa8 2666 if (mic_len &&
567da5bb 2667 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
929a2ea5 2668 sm->last_rx_eapol_key,
6fc6879b
JM		 2669 sm->last_rx_eapol_key_len) == 0) {
2670 ok = 1;
2671 break;
2672 }
2673
3b5b7aa8 2674#ifdef CONFIG_FILS
75c8563e
JM		 2675 if (!mic_len &&
2676 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2677 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2678 ok = 1;
2679 break;
2680 }
2681#endif /* CONFIG_FILS */
2682
56586197 2683 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 2684 break;
2685 }
2686
2687 if (!ok) {
2688 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2689 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2690 if (psk_found)
2691 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2692 return;
2693 }
2694
3b5b7aa8
JM		 2695 /*
2696 * Note: last_rx_eapol_key length fields have already been validated in
2697 * wpa_receive().
2698 */
2699 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2700 key = (struct wpa_eapol_key *) (hdr + 1);
2701 mic = (u8 *) (key + 1);
2702 key_data = mic + mic_len + 2;
2703 key_data_length = WPA_GET_BE16(mic + mic_len);
2704 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2705 sizeof(*key) - mic_len - 2)
2706 return;
2707
2708 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2709 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2710 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2711 return;
2712 }
2713 if (kde.rsn_ie) {
2714 eapol_key_ie = kde.rsn_ie;
2715 eapol_key_ie_len = kde.rsn_ie_len;
2716 } else if (kde.osen) {
2717 eapol_key_ie = kde.osen;
2718 eapol_key_ie_len = kde.osen_len;
2719 } else {
2720 eapol_key_ie = kde.wpa_ie;
2721 eapol_key_ie_len = kde.wpa_ie_len;
2722 }
2723 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2724 if (sm->wpa_ie == NULL ||
2725 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2726 eapol_key_ie, eapol_key_ie_len)) {
2727 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2728 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2729 if (sm->wpa_ie) {
2730 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2731 sm->wpa_ie, sm->wpa_ie_len);
2732 }
2733 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2734 eapol_key_ie, eapol_key_ie_len);
2735 /* MLME-DEAUTHENTICATE.request */
567da5bb
JM		 2736 wpa_sta_disconnect(wpa_auth, sm->addr,
2737 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2738 return;
2739 }
4ec1fd8e 2740#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8 2741 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
567da5bb
JM		 2742 wpa_sta_disconnect(wpa_auth, sm->addr,
2743 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2744 return;
2745 }
4ec1fd8e 2746#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2747#ifdef CONFIG_P2P
2748 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2749 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2750 int idx;
2751 wpa_printf(MSG_DEBUG,
2752 "P2P: IP address requested in EAPOL-Key exchange");
2753 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2754 if (idx >= 0) {
2755 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2756 bitfield_set(wpa_auth->ip_pool, idx);
2757 WPA_PUT_BE32(sm->ip_addr, start + idx);
2758 wpa_printf(MSG_DEBUG,
2759 "P2P: Assigned IP address %u.%u.%u.%u to "
2760 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2761 sm->ip_addr[2], sm->ip_addr[3],
2762 MAC2STR(sm->addr));
2763 }
2764 }
2765#endif /* CONFIG_P2P */
2766
4ec1fd8e 2767#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2768 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2769 /*
2770 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2771 * with the value we derived.
2772 */
870834a1
JM		 2773 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2774 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2775 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2776 "PMKR1Name mismatch in FT 4-way "
2777 "handshake");
2778 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2779 "Supplicant",
2780 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2781 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2782 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2783 return;
2784 }
2785 }
4ec1fd8e 2786#endif /* CONFIG_IEEE80211R_AP */
26e23750 2787
e4bf4db9 2788 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2789 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2790
56586197 2791 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2792 /* PSK may have changed from the previous choice, so update
2793 * state machine data based on whatever PSK was selected here.
2794 */
2795 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2796 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2797 }
2798
2799 sm->MICVerified = TRUE;
2800
2801 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2802 sm->PTK_valid = TRUE;
2803}
2804
2805
2806SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2807{
2808 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2809 sm->TimeoutCtr = 0;
2810}
2811
2812
2813#ifdef CONFIG_IEEE80211W
2814
2815static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2816{
2817 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2818 size_t len;
2819 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2820 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2821 }
2822
2823 return 0;
2824}
2825
2826
2827static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2828{
2829 struct wpa_igtk_kde igtk;
2830 struct wpa_group *gsm = sm->group;
03610ad2 2831 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2832 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2833
2834 if (!sm->mgmt_frame_prot)
2835 return pos;
2836
2837 igtk.keyid[0] = gsm->GN_igtk;
2838 igtk.keyid[1] = 0;
7b1080da 2839 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 2840 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 2841 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 2842 else
2843 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 2844 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
83421850
JM		 2845 if (sm->wpa_auth->conf.disable_gtk) {
2846 /*
2847 * Provide unique random IGTK to each STA to prevent use of
2848 * IGTK in the BSS.
2849 */
8dd9f9cd 2850 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 2851 return pos;
2852 }
6fc6879b 2853 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 2854 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2855 NULL, 0);
6fc6879b
JM		 2856
2857 return pos;
2858}
2859
2860#else /* CONFIG_IEEE80211W */
2861
2862static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2863{
2864 return 0;
2865}
2866
2867
2868static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2869{
2870 return pos;
2871}
2872
2873#endif /* CONFIG_IEEE80211W */
2874
2875
2876SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2877{
83421850 2878 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 2879 size_t gtk_len, kde_len;
2880 struct wpa_group *gsm = sm->group;
2881 u8 *wpa_ie;
2882 int wpa_ie_len, secure, keyidx, encr = 0;
2883
2884 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2885 sm->TimeoutEvt = FALSE;
bae61562
JM		 2886
2887 sm->TimeoutCtr++;
6f234c1e
JM		 2888 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
2889 sm->TimeoutCtr > 1) {
2890 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
2891 return;
2892 }
41f140d3 2893 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2894 /* No point in sending the EAPOL-Key - we will disconnect
2895 * immediately following this. */
2896 return;
2897 }
2898
86dfabb8
JM		 2899 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2900 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 2901 */
2902 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2903 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 2904 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 2905 wpa_ie = sm->wpa_auth->wpa_ie;
2906 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2907 if (sm->wpa == WPA_VERSION_WPA &&
2908 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2909 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 2910 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 2911 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 2912 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2913 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 2914 wpa_ie_len = wpa_ie[1] + 2;
2915 }
2916 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2917 "sending 3/4 msg of 4-Way Handshake");
2918 if (sm->wpa == WPA_VERSION_WPA2) {
2919 /* WPA2 send GTK in the 4-way handshake */
2920 secure = 1;
2921 gtk = gsm->GTK[gsm->GN - 1];
2922 gtk_len = gsm->GTK_len;
83421850
JM		 2923 if (sm->wpa_auth->conf.disable_gtk) {
2924 /*
2925 * Provide unique random GTK to each STA to prevent use
2926 * of GTK in the BSS.
2927 */
2928 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2929 return;
2930 gtk = dummy_gtk;
2931 }
6fc6879b
JM		 2932 keyidx = gsm->GN;
2933 _rsc = rsc;
2934 encr = 1;
2935 } else {
2936 /* WPA does not include GTK in msg 3/4 */
2937 secure = 0;
2938 gtk = NULL;
2939 gtk_len = 0;
2940 keyidx = 0;
2941 _rsc = NULL;
0d442aff
JM		 2942 if (sm->rx_eapol_key_secure) {
2943 /*
2944 * It looks like Windows 7 supplicant tries to use
2945 * Secure bit in msg 2/4 after having reported Michael
2946 * MIC failure and it then rejects the 4-way handshake
2947 * if msg 3/4 does not set Secure bit. Work around this
2948 * by setting the Secure bit here even in the case of
2949 * WPA if the supplicant used it first.
2950 */
2951 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 2952 "STA used Secure bit in WPA msg 2/4 - "
2953 "set Secure for 3/4 as workaround");
0d442aff
JM		 2954 secure = 1;
2955 }
6fc6879b
JM		 2956 }
2957
2958 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2959 if (gtk)
2960 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 2961#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2962 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2963 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2964 kde_len += 300; /* FTIE + 2 * TIE */
2965 }
4ec1fd8e 2966#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2967#ifdef CONFIG_P2P
2968 if (WPA_GET_BE32(sm->ip_addr) > 0)
2969 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2970#endif /* CONFIG_P2P */
6fc6879b
JM		 2971 kde = os_malloc(kde_len);
2972 if (kde == NULL)
2973 return;
2974
2975 pos = kde;
2976 os_memcpy(pos, wpa_ie, wpa_ie_len);
2977 pos += wpa_ie_len;
4ec1fd8e 2978#ifdef CONFIG_IEEE80211R_AP
26e23750 2979 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 2980 int res;
2981 size_t elen;
2982
2983 elen = pos - kde;
2984 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 2985 if (res < 0) {
2986 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2987 "PMKR1Name into RSN IE in EAPOL-Key data");
2988 os_free(kde);
2989 return;
2990 }
59e78c24
JM		 2991 pos -= wpa_ie_len;
2992 pos += elen;
26e23750 2993 }
4ec1fd8e 2994#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2995 if (gtk) {
2996 u8 hdr[2];
2997 hdr[0] = keyidx & 0x03;
2998 hdr[1] = 0;
2999 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3000 gtk, gtk_len);
3001 }
3002 pos = ieee80211w_kde_add(sm, pos);
3003
4ec1fd8e 3004#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 3005 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
3006 int res;
3007 struct wpa_auth_config *conf;
3008
3009 conf = &sm->wpa_auth->conf;
9257610a
JM		 3010 if (sm->assoc_resp_ftie &&
3011 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3012 os_memcpy(pos, sm->assoc_resp_ftie,
3013 2 + sm->assoc_resp_ftie[1]);
3014 res = 2 + sm->assoc_resp_ftie[1];
3015 } else {
3016 res = wpa_write_ftie(conf, conf->r0_key_holder,
3017 conf->r0_key_holder_len,
3018 NULL, NULL, pos,
3019 kde + kde_len - pos,
3020 NULL, 0);
3021 }
86dfabb8
JM		 3022 if (res < 0) {
3023 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
3024 "into EAPOL-Key Key Data");
3025 os_free(kde);
3026 return;
3027 }
3028 pos += res;
3029
3030 /* TIE[ReassociationDeadline] (TU) */
3031 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3032 *pos++ = 5;
3033 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3034 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3035 pos += 4;
3036
3037 /* TIE[KeyLifetime] (seconds) */
3038 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3039 *pos++ = 5;
3040 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3041 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
3042 pos += 4;
3043 }
4ec1fd8e 3044#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3045#ifdef CONFIG_P2P
3046 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3047 u8 addr[3 * 4];
3048 os_memcpy(addr, sm->ip_addr, 4);
3049 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3050 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3051 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3052 addr, sizeof(addr), NULL, 0);
3053 }
3054#endif /* CONFIG_P2P */
86dfabb8 3055
6fc6879b 3056 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3057 (secure ? WPA_KEY_INFO_SECURE : 0) |
567da5bb
JM		 3058 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3059 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3060 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3061 WPA_KEY_INFO_KEY_TYPE,
3062 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3063 os_free(kde);
6fc6879b
JM		 3064}
3065
3066
3067SM_STATE(WPA_PTK, PTKINITDONE)
3068{
3069 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3070 sm->EAPOLKeyReceived = FALSE;
3071 if (sm->Pair) {
c3550295
JM		 3072 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3073 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 3074 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 3075 sm->PTK.tk, klen)) {
567da5bb
JM		 3076 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3077 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 3078 return;
3079 }
3080 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3081 sm->pairwise_set = TRUE;
3082
581a8cde
JM		 3083 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
3084 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3085 eloop_register_timeout(sm->wpa_auth->conf.
3086 wpa_ptk_rekey, 0, wpa_rekey_ptk,
3087 sm->wpa_auth, sm);
3088 }
3089
a1ea1b45 3090 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 3091 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 3092 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 3093 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3094 WPA_EAPOL_authorized, 1);
3095 }
3096 }
3097
3098 if (0 /* IBSS == TRUE */) {
3099 sm->keycount++;
3100 if (sm->keycount == 2) {
3101 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3102 WPA_EAPOL_portValid, 1);
3103 }
3104 } else {
3105 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3106 1);
3107 }
3108 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3109 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3110 if (sm->wpa == WPA_VERSION_WPA)
3111 sm->PInitAKeys = TRUE;
3112 else
3113 sm->has_GTK = TRUE;
3114 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3115 "pairwise key handshake completed (%s)",
3116 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3117
4ec1fd8e 3118#ifdef CONFIG_IEEE80211R_AP
6fc6879b 3119 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 3120#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3121}
3122
3123
3124SM_STEP(WPA_PTK)
3125{
3126 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3127
3128 if (sm->Init)
3129 SM_ENTER(WPA_PTK, INITIALIZE);
3130 else if (sm->Disconnect
1aae01fc
BG		 3131 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3132 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3133 "WPA_PTK: sm->Disconnect");
6fc6879b 3134 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 3135 }
6fc6879b
JM		 3136 else if (sm->DeauthenticationRequest)
3137 SM_ENTER(WPA_PTK, DISCONNECTED);
3138 else if (sm->AuthenticationRequest)
3139 SM_ENTER(WPA_PTK, AUTHENTICATION);
3140 else if (sm->ReAuthenticationRequest)
3141 SM_ENTER(WPA_PTK, AUTHENTICATION2);
0adc9b28
JM		 3142 else if (sm->PTKRequest) {
3143 if (wpa_auth_sm_ptk_update(sm) < 0)
3144 SM_ENTER(WPA_PTK, DISCONNECTED);
3145 else
3146 SM_ENTER(WPA_PTK, PTKSTART);
3147 } else switch (sm->wpa_ptk_state) {
6fc6879b
JM		 3148 case WPA_PTK_INITIALIZE:
3149 break;
3150 case WPA_PTK_DISCONNECT:
3151 SM_ENTER(WPA_PTK, DISCONNECTED);
3152 break;
3153 case WPA_PTK_DISCONNECTED:
3154 SM_ENTER(WPA_PTK, INITIALIZE);
3155 break;
3156 case WPA_PTK_AUTHENTICATION:
3157 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3158 break;
3159 case WPA_PTK_AUTHENTICATION2:
56586197 3160 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 3161 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3162 WPA_EAPOL_keyRun) > 0)
3163 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 3164 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3165 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 3166 /* FIX: && 802.1X::keyRun */)
3167 SM_ENTER(WPA_PTK, INITPSK);
567da5bb
JM		 3168 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3169 SM_ENTER(WPA_PTK, INITPMK);
6fc6879b
JM		 3170 break;
3171 case WPA_PTK_INITPMK:
3172 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
567da5bb 3173 WPA_EAPOL_keyAvailable) > 0) {
6fc6879b 3174 SM_ENTER(WPA_PTK, PTKSTART);
567da5bb
JM		 3175#ifdef CONFIG_DPP
3176 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3177 SM_ENTER(WPA_PTK, PTKSTART);
3178#endif /* CONFIG_DPP */
3179 } else {
6fc6879b 3180 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3181 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3182 "INITPMK - keyAvailable = false");
6fc6879b
JM		 3183 SM_ENTER(WPA_PTK, DISCONNECT);
3184 }
3185 break;
3186 case WPA_PTK_INITPSK:
759fd76b 3187 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
7a12edd1 3188 NULL, NULL)) {
6fc6879b 3189 SM_ENTER(WPA_PTK, PTKSTART);
e61fea6b
JM		 3190#ifdef CONFIG_SAE
3191 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3192 SM_ENTER(WPA_PTK, PTKSTART);
3193#endif /* CONFIG_SAE */
3194 } else {
6fc6879b
JM		 3195 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3196 "no PSK configured for the STA");
3197 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3198 SM_ENTER(WPA_PTK, DISCONNECT);
3199 }
3200 break;
3201 case WPA_PTK_PTKSTART:
3202 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3203 sm->EAPOLKeyPairwise)
3204 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3205 else if (sm->TimeoutCtr >
41f140d3 3206 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3207 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3208 wpa_auth_vlogger(
3209 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3210 "PTKSTART: Retry limit %u reached",
3211 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3212 SM_ENTER(WPA_PTK, DISCONNECT);
3213 } else if (sm->TimeoutEvt)
3214 SM_ENTER(WPA_PTK, PTKSTART);
3215 break;
3216 case WPA_PTK_PTKCALCNEGOTIATING:
3217 if (sm->MICVerified)
3218 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3219 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3220 sm->EAPOLKeyPairwise)
3221 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3222 else if (sm->TimeoutEvt)
3223 SM_ENTER(WPA_PTK, PTKSTART);
3224 break;
3225 case WPA_PTK_PTKCALCNEGOTIATING2:
3226 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3227 break;
3228 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3229 if (sm->update_snonce)
3230 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3231 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3232 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3233 SM_ENTER(WPA_PTK, PTKINITDONE);
3234 else if (sm->TimeoutCtr >
6f234c1e
JM		 3235 sm->wpa_auth->conf.wpa_pairwise_update_count ||
3236 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3237 sm->TimeoutCtr > 1)) {
6fc6879b 3238 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3239 wpa_auth_vlogger(
3240 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3241 "PTKINITNEGOTIATING: Retry limit %u reached",
3242 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3243 SM_ENTER(WPA_PTK, DISCONNECT);
3244 } else if (sm->TimeoutEvt)
3245 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3246 break;
3247 case WPA_PTK_PTKINITDONE:
3248 break;
3249 }
3250}
3251
3252
3253SM_STATE(WPA_PTK_GROUP, IDLE)
3254{
3255 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3256 if (sm->Init) {
3257 /* Init flag is not cleared here, so avoid busy
3258 * loop by claiming nothing changed. */
3259 sm->changed = FALSE;
3260 }
3261 sm->GTimeoutCtr = 0;
3262}
3263
3264
3265SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3266{
3267 u8 rsc[WPA_KEY_RSC_LEN];
3268 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3269 const u8 *kde;
3270 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3271 size_t kde_len;
83421850 3272 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3273
3274 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3275
3276 sm->GTimeoutCtr++;
6f234c1e
JM		 3277 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3278 sm->GTimeoutCtr > 1) {
3279 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3280 return;
3281 }
41f140d3 3282 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3283 /* No point in sending the EAPOL-Key - we will disconnect
3284 * immediately following this. */
3285 return;
3286 }
3287
6fc6879b
JM		 3288 if (sm->wpa == WPA_VERSION_WPA)
3289 sm->PInitAKeys = FALSE;
3290 sm->TimeoutEvt = FALSE;
3291 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3292 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3293 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3294 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3295 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3296 "sending 1/2 msg of Group Key Handshake");
3297
83421850
JM		 3298 gtk = gsm->GTK[gsm->GN - 1];
3299 if (sm->wpa_auth->conf.disable_gtk) {
3300 /*
3301 * Provide unique random GTK to each STA to prevent use
3302 * of GTK in the BSS.
3303 */
3304 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3305 return;
3306 gtk = dummy_gtk;
3307 }
6fc6879b
JM		 3308 if (sm->wpa == WPA_VERSION_WPA2) {
3309 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3310 ieee80211w_kde_len(sm);
e41e4f9e
JM		 3311 kde_buf = os_malloc(kde_len);
3312 if (kde_buf == NULL)
6fc6879b
JM		 3313 return;
3314
e41e4f9e 3315 kde = pos = kde_buf;
6fc6879b
JM		 3316 hdr[0] = gsm->GN & 0x03;
3317 hdr[1] = 0;
3318 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3319 gtk, gsm->GTK_len);
6fc6879b 3320 pos = ieee80211w_kde_add(sm, pos);
e41e4f9e 3321 kde_len = pos - kde;
6fc6879b 3322 } else {
83421850 3323 kde = gtk;
e41e4f9e 3324 kde_len = gsm->GTK_len;
6fc6879b
JM		 3325 }
3326
3327 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3328 WPA_KEY_INFO_SECURE |
567da5bb
JM		 3329 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3330 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3331 WPA_KEY_INFO_ACK |
3332 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3333 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3334
3335 os_free(kde_buf);
6fc6879b
JM		 3336}
3337
3338
3339SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3340{
3341 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3342 sm->EAPOLKeyReceived = FALSE;
3343 if (sm->GUpdateStationKeys)
3344 sm->group->GKeyDoneStations--;
3345 sm->GUpdateStationKeys = FALSE;
3346 sm->GTimeoutCtr = 0;
3347 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3348 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3349 "group key handshake completed (%s)",
3350 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3351 sm->has_GTK = TRUE;
3352}
3353
3354
3355SM_STATE(WPA_PTK_GROUP, KEYERROR)
3356{
3357 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3358 if (sm->GUpdateStationKeys)
3359 sm->group->GKeyDoneStations--;
3360 sm->GUpdateStationKeys = FALSE;
3361 sm->Disconnect = TRUE;
4bb9b674
GK		 3362 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3363 "group key handshake failed (%s) after %u tries",
3364 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3365 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3366}
3367
3368
3369SM_STEP(WPA_PTK_GROUP)
3370{
9663596f 3371 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3372 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3373 sm->PtkGroupInit = FALSE;
3374 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3375 case WPA_PTK_GROUP_IDLE:
3376 if (sm->GUpdateStationKeys ||
3377 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3378 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3379 break;
3380 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3381 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3382 !sm->EAPOLKeyPairwise && sm->MICVerified)
3383 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3384 else if (sm->GTimeoutCtr >
6f234c1e
JM		 3385 sm->wpa_auth->conf.wpa_group_update_count ||
3386 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3387 sm->GTimeoutCtr > 1))
6fc6879b
JM		 3388 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3389 else if (sm->TimeoutEvt)
3390 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3391 break;
3392 case WPA_PTK_GROUP_KEYERROR:
3393 SM_ENTER(WPA_PTK_GROUP, IDLE);
3394 break;
3395 case WPA_PTK_GROUP_REKEYESTABLISHED:
3396 SM_ENTER(WPA_PTK_GROUP, IDLE);
3397 break;
3398 }
3399}
3400
3401
3402static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3403 struct wpa_group *group)
3404{
3405 int ret = 0;
3406
6fc6879b
JM		 3407 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3408 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3409 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3410 wpa_auth->addr, group->GNonce,
3411 group->GTK[group->GN - 1], group->GTK_len) < 0)
3412 ret = -1;
5cb9d5c3
JM		 3413 wpa_hexdump_key(MSG_DEBUG, "GTK",
3414 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3415
3416#ifdef CONFIG_IEEE80211W
70f8cc8e 3417 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3418 size_t len;
3419 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3420 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3421 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3422 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3423 wpa_auth->addr, group->GNonce,
8dd9f9cd 3424 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3425 ret = -1;
6fc6879b 3426 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3427 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3428 }
3429#endif /* CONFIG_IEEE80211W */
3430
3431 return ret;
3432}
3433
3434
3435static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3436 struct wpa_group *group)
3437{
3438 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3439 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3440 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3441 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3442
3443 /* GTK[0..N] = 0 */
3444 os_memset(group->GTK, 0, sizeof(group->GTK));
3445 group->GN = 1;
3446 group->GM = 2;
3447#ifdef CONFIG_IEEE80211W
3448 group->GN_igtk = 4;
3449 group->GM_igtk = 5;
3450#endif /* CONFIG_IEEE80211W */
3451 /* GTK[GN] = CalcGTK() */
3452 wpa_gtk_update(wpa_auth, group);
3453}
3454
3455
3456static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3457{
473b6f22
MB		 3458 if (ctx != NULL && ctx != sm->group)
3459 return 0;
3460
6fc6879b
JM		 3461 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3462 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3463 "Not in PTKINITDONE; skip Group Key update");
3c183894 3464 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3465 return 0;
3466 }
9663596f
JM		 3467 if (sm->GUpdateStationKeys) {
3468 /*
3c183894
JM		 3469 * This should not really happen, so add a debug log entry.
3470 * Since we clear the GKeyDoneStations before the loop, the
3471 * station needs to be counted here anyway.
9663596f
JM		 3472 */
3473 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3474 "GUpdateStationKeys was already set when "
3475 "marking station for GTK rekeying");
9663596f 3476 }
3c183894 3477
ad3872a3 3478 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3479 if (sm->is_wnmsleep)
3480 return 0;
d32d94db 3481
3c183894
JM		 3482 sm->group->GKeyDoneStations++;
3483 sm->GUpdateStationKeys = TRUE;
3484
6fc6879b
JM		 3485 wpa_sm_step(sm);
3486 return 0;
3487}
3488
3489
b5bf84ba 3490#ifdef CONFIG_WNM_AP
ad3872a3 3491/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3492void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3493{
629edfef 3494 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3495 return;
3496
3497 wpa_group_update_sta(sm, NULL);
3498}
3499
3500
3501void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3502{
629edfef
JM		 3503 if (sm)
3504 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3505}
3506
3507
3508int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3509{
d32d94db 3510 struct wpa_group *gsm = sm->group;
835822d4 3511 u8 *start = pos;
d32d94db
XC		 3512
3513 /*
835822d4 3514 * GTK subelement:
d32d94db 3515 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3516 * Key[5..32]
d32d94db 3517 */
835822d4
JM		 3518 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3519 *pos++ = 11 + gsm->GTK_len;
d32d94db 3520 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3521 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3522 pos += 2;
3523 *pos++ = gsm->GTK_len;
3524 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3525 return 0;
835822d4
JM		 3526 pos += 8;
3527 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3528 pos += gsm->GTK_len;
d32d94db 3529
835822d4
JM		 3530 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3531 gsm->GN);
3532 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3533 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3534
835822d4 3535 return pos - start;
d32d94db
XC		 3536}
3537
3538
3539#ifdef CONFIG_IEEE80211W
3540int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3541{
d32d94db 3542 struct wpa_group *gsm = sm->group;
835822d4 3543 u8 *start = pos;
8dd9f9cd 3544 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3545
835822d4
JM		 3546 /*
3547 * IGTK subelement:
3548 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3549 */
3550 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3551 *pos++ = 2 + 6 + len;
835822d4
JM		 3552 WPA_PUT_LE16(pos, gsm->GN_igtk);
3553 pos += 2;
3554 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3555 return 0;
835822d4 3556 pos += 6;
d32d94db 3557
8dd9f9cd
JM		 3558 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3559 pos += len;
d32d94db 3560
835822d4
JM		 3561 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3562 gsm->GN_igtk);
3563 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3564 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3565
835822d4 3566 return pos - start;
d32d94db
XC		 3567}
3568#endif /* CONFIG_IEEE80211W */
b5bf84ba 3569#endif /* CONFIG_WNM_AP */
d32d94db
XC		 3570
3571
6fc6879b
JM		 3572static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3573 struct wpa_group *group)
3574{
3575 int tmp;
3576
3577 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3578 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3579 group->changed = TRUE;
3580 group->wpa_group_state = WPA_GROUP_SETKEYS;
3581 group->GTKReKey = FALSE;
3582 tmp = group->GM;
3583 group->GM = group->GN;
3584 group->GN = tmp;
3585#ifdef CONFIG_IEEE80211W
3586 tmp = group->GM_igtk;
3587 group->GM_igtk = group->GN_igtk;
3588 group->GN_igtk = tmp;
3589#endif /* CONFIG_IEEE80211W */
3590 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3591 * counting the STAs that are marked with GUpdateStationKeys instead of
3592 * including all STAs that could be in not-yet-completed state. */
3593 wpa_gtk_update(wpa_auth, group);
3594
3c183894
JM		 3595 if (group->GKeyDoneStations) {
3596 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3597 "GKeyDoneStations=%d when starting new GTK rekey",
3598 group->GKeyDoneStations);
3599 group->GKeyDoneStations = 0;
3600 }
473b6f22 3601 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3602 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3603 group->GKeyDoneStations);
3604}
3605
3606
1bdb7ab3
JM		 3607static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3608 struct wpa_group *group)
6fc6879b 3609{
3c7302c2
JM		 3610 int ret = 0;
3611
3c7302c2 3612 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3613 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3614 broadcast_ether_addr, group->GN,
3615 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3616 ret = -1;
6fc6879b
JM		 3617
3618#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3619 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3620 enum wpa_alg alg;
3621 size_t len;
3622
3623 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3624 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3625
3626 if (ret == 0 &&
3627 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3628 broadcast_ether_addr, group->GN_igtk,
3629 group->IGTK[group->GN_igtk - 4], len) < 0)
3630 ret = -1;
3631 }
6fc6879b 3632#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3633
3634 return ret;
6fc6879b
JM		 3635}
3636
3637
7d7f7be2
JM		 3638static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3639{
3640 if (sm->group == ctx) {
3641 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3642 " for discconnection due to fatal failure",
3643 MAC2STR(sm->addr));
3644 sm->Disconnect = TRUE;
3645 }
3646
3647 return 0;
3648}
3649
3650
3651static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3652 struct wpa_group *group)
3653{
3654 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3655 group->changed = TRUE;
3656 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3657 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3658}
3659
3660
1bdb7ab3
JM		 3661static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3662 struct wpa_group *group)
3663{
3664 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3665 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3666 group->changed = TRUE;
3667 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3668
7d7f7be2
JM		 3669 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3670 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3671 return -1;
7d7f7be2 3672 }
1bdb7ab3
JM		 3673
3674 return 0;
3675}
3676
3677
6fc6879b
JM		 3678static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3679 struct wpa_group *group)
3680{
3681 if (group->GInit) {
3682 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3683 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3684 /* Do not allow group operations */
6fc6879b
JM		 3685 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3686 group->GTKAuthenticator) {
3687 wpa_group_setkeysdone(wpa_auth, group);
3688 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3689 group->GTKReKey) {
3690 wpa_group_setkeys(wpa_auth, group);
3691 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3692 if (group->GKeyDoneStations == 0)
3693 wpa_group_setkeysdone(wpa_auth, group);
3694 else if (group->GTKReKey)
3695 wpa_group_setkeys(wpa_auth, group);
3696 }
3697}
3698
3699
e4a6ea1d 3700static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3701{
3702 if (sm == NULL)
e4a6ea1d 3703 return 0;
6fc6879b
JM		 3704
3705 if (sm->in_step_loop) {
3706 /* This should not happen, but if it does, make sure we do not
3707 * end up freeing the state machine too early by exiting the
3708 * recursive call. */
3709 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3710 return 0;
6fc6879b
JM		 3711 }
3712
3713 sm->in_step_loop = 1;
3714 do {
3715 if (sm->pending_deinit)
3716 break;
3717
3718 sm->changed = FALSE;
3719 sm->wpa_auth->group->changed = FALSE;
3720
3721 SM_STEP_RUN(WPA_PTK);
3722 if (sm->pending_deinit)
3723 break;
3724 SM_STEP_RUN(WPA_PTK_GROUP);
3725 if (sm->pending_deinit)
3726 break;
3727 wpa_group_sm_step(sm->wpa_auth, sm->group);
3728 } while (sm->changed || sm->wpa_auth->group->changed);
3729 sm->in_step_loop = 0;
3730
3731 if (sm->pending_deinit) {
3732 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3733 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3734 wpa_free_sta_sm(sm);
e4a6ea1d 3735 return 1;
6fc6879b 3736 }
e4a6ea1d 3737 return 0;
6fc6879b
JM		 3738}
3739
3740
3741static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3742{
3743 struct wpa_state_machine *sm = eloop_ctx;
3744 wpa_sm_step(sm);
3745}
3746
3747
3748void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3749{
3750 if (sm == NULL)
3751 return;
3752 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3753}
3754
3755
3756void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3757{
3758 int tmp, i;
3759 struct wpa_group *group;
3760
3761 if (wpa_auth == NULL)
3762 return;
3763
3764 group = wpa_auth->group;
3765
3766 for (i = 0; i < 2; i++) {
3767 tmp = group->GM;
3768 group->GM = group->GN;
3769 group->GN = tmp;
3770#ifdef CONFIG_IEEE80211W
3771 tmp = group->GM_igtk;
3772 group->GM_igtk = group->GN_igtk;
3773 group->GN_igtk = tmp;
3774#endif /* CONFIG_IEEE80211W */
3775 wpa_gtk_update(wpa_auth, group);
9354e594 3776 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 3777 }
3778}
3779
3780
a6da824b 3781static const char * wpa_bool_txt(int val)
6fc6879b 3782{
a6da824b 3783 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 3784}
3785
3786
6fc6879b
JM		 3787#define RSN_SUITE "%02x-%02x-%02x-%d"
3788#define RSN_SUITE_ARG(s) \
3789((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3790
3791int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3792{
3793 int len = 0, ret;
3794 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 3795#ifdef CONFIG_RSN_PREAUTH
3796 const int preauth = 1;
3797#else /* CONFIG_RSN_PREAUTH */
3798 const int preauth = 0;
3799#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 3800
3801 if (wpa_auth == NULL)
3802 return len;
3803
3804 ret = os_snprintf(buf + len, buflen - len,
3805 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 3806 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 3807 "dot11RSNAEnabled=%s\n"
3808 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 3809 wpa_bool_txt(preauth),
6fc6879b
JM		 3810 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3811 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 3812 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3813 return len;
3814 len += ret;
3815
3816 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3817 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3818
3819 ret = os_snprintf(
3820 buf + len, buflen - len,
3821 "dot11RSNAConfigVersion=%u\n"
3822 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3823 /* FIX: dot11RSNAConfigGroupCipher */
3824 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3825 /* FIX: dot11RSNAConfigGroupRekeyTime */
3826 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3827 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3828 "dot11RSNAConfigGroupUpdateCount=%u\n"
3829 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3830 "dot11RSNAConfigGroupCipherSize=%u\n"
3831 "dot11RSNAConfigPMKLifetime=%u\n"
3832 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3833 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3834 "dot11RSNAConfigSATimeout=%u\n"
3835 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3836 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3837 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3838 "dot11RSNAPMKIDUsed=%s\n"
3839 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3840 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3841 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3842 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3843 "dot11RSNA4WayHandshakeFailures=%u\n"
3844 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3845 RSN_VERSION,
3846 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 3847 wpa_auth->conf.wpa_group_update_count,
3848 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 3849 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 3850 dot11RSNAConfigPMKLifetime,
3851 dot11RSNAConfigPMKReauthThreshold,
3852 dot11RSNAConfigSATimeout,
3853 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3854 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3855 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3856 pmkid_txt,
3857 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3858 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3859 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3860 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3861 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 3862 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3863 return len;
3864 len += ret;
3865
3866 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3867 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3868
3869 /* Private MIB */
3870 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3871 wpa_auth->group->wpa_group_state);
d85e1fc8 3872 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3873 return len;
3874 len += ret;
3875
3876 return len;
3877}
3878
3879
3880int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3881{
3882 int len = 0, ret;
3883 u32 pairwise = 0;
3884
3885 if (sm == NULL)
3886 return 0;
3887
3888 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3889
3890 /* dot11RSNAStatsEntry */
3891
c3550295
JM		 3892 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3893 WPA_PROTO_RSN : WPA_PROTO_WPA,
3894 sm->pairwise);
3895 if (pairwise == 0)
6fc6879b
JM		 3896 return 0;
3897
3898 ret = os_snprintf(
3899 buf + len, buflen - len,
3900 /* TODO: dot11RSNAStatsIndex */
3901 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3902 "dot11RSNAStatsVersion=1\n"
3903 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3904 /* TODO: dot11RSNAStatsTKIPICVErrors */
3905 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 3906 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 3907 /* TODO: dot11RSNAStatsCCMPReplays */
3908 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3909 /* TODO: dot11RSNAStatsTKIPReplays */,
3910 MAC2STR(sm->addr),
3911 RSN_SUITE_ARG(pairwise),
3912 sm->dot11RSNAStatsTKIPLocalMICFailures,
3913 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 3914 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3915 return len;
3916 len += ret;
3917
3918 /* Private MIB */
3919 ret = os_snprintf(buf + len, buflen - len,
3920 "hostapdWPAPTKState=%d\n"
3921 "hostapdWPAPTKGroupState=%d\n",
3922 sm->wpa_ptk_state,
3923 sm->wpa_ptk_group_state);
d85e1fc8 3924 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3925 return len;
3926 len += ret;
3927
3928 return len;
3929}
3930
3931
3932void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3933{
3934 if (wpa_auth)
3935 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3936}
3937
3938
3939int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3940{
3941 return sm && sm->pairwise_set;
3942}
3943
3944
ff36ff00
JM		 3945int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3946{
3947 return sm->pairwise;
3948}
3949
3950
6fc6879b
JM		 3951int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3952{
3953 if (sm == NULL)
3954 return -1;
3955 return sm->wpa_key_mgmt;
3956}
3957
3958
3959int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3960{
3961 if (sm == NULL)
3962 return 0;
3963 return sm->wpa;
3964}
3965
3966
0e3bd7ac
MV		 3967int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
3968{
3969 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
3970 return 0;
3971 return sm->tk_already_set;
3972}
3973
3974
2f1357fb
JM		 3975int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
3976{
3977 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
3978 return 0;
3979 return sm->tk_already_set;
3980}
3981
3982
6fc6879b
JM		 3983int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3984 struct rsn_pmksa_cache_entry *entry)
3985{
3986 if (sm == NULL || sm->pmksa != entry)
3987 return -1;
3988 sm->pmksa = NULL;
3989 return 0;
3990}
3991
3992
3993struct rsn_pmksa_cache_entry *
3994wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3995{
3996 return sm ? sm->pmksa : NULL;
3997}
3998
3999
4000void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
4001{
4002 if (sm)
4003 sm->dot11RSNAStatsTKIPLocalMICFailures++;
4004}
4005
4006
4007const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
4008{
4009 if (wpa_auth == NULL)
4010 return NULL;
4011 *len = wpa_auth->wpa_ie_len;
4012 return wpa_auth->wpa_ie;
4013}
4014
4015
4016int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 4017 unsigned int pmk_len,
6fc6879b
JM		 4018 int session_timeout, struct eapol_state_machine *eapol)
4019{
cb465555
JM		 4020 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
4021 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 4022 return -1;
4023
834c5d68 4024 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 4025 if (pmk_len > PMK_LEN_SUITE_B_192)
4026 pmk_len = PMK_LEN_SUITE_B_192;
4027 } else if (pmk_len > PMK_LEN) {
4028 pmk_len = PMK_LEN;
4029 }
4030
70c93963 4031 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 4032 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 4033 sm->wpa_auth->addr, sm->addr, session_timeout,
4034 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 4035 return 0;
4036
4037 return -1;
4038}
4039
4040
4041int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4042 const u8 *pmk, size_t len, const u8 *sta_addr,
4043 int session_timeout,
4044 struct eapol_state_machine *eapol)
4045{
4046 if (wpa_auth == NULL)
4047 return -1;
4048
70c93963 4049 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 4050 NULL, 0,
4051 wpa_auth->addr,
4bb081f1
JM		 4052 sta_addr, session_timeout, eapol,
4053 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 4054 return 0;
4055
4056 return -1;
4057}
4058
4059
f2991170 4060int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 4061 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 4062{
4063 if (wpa_auth->conf.disable_pmksa_caching)
4064 return -1;
4065
70c93963 4066 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 4067 NULL, 0,
f2991170
JM		 4068 wpa_auth->addr, addr, 0, NULL,
4069 WPA_KEY_MGMT_SAE))
4070 return 0;
4071
4072 return -1;
4073}
4074
4075
0c52953b
JM		 4076int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4077 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4078 int session_timeout, int akmp)
4079{
4080 if (wpa_auth->conf.disable_pmksa_caching)
4081 return -1;
4082
4083 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4084 NULL, 0, wpa_auth->addr, addr, session_timeout,
4085 NULL, akmp))
4086 return 0;
4087
4088 return -1;
4089}
4090
4091
901d1fe1
JM		 4092void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4093 const u8 *sta_addr)
4094{
4095 struct rsn_pmksa_cache_entry *pmksa;
4096
4097 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4098 return;
4099 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4100 if (pmksa) {
4101 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4102 MACSTR " based on request", MAC2STR(sta_addr));
4103 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4104 }
4105}
4106
4107
b8daac18
MH		 4108int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4109 size_t len)
4110{
4111 if (!wpa_auth || !wpa_auth->pmksa)
4112 return 0;
4113 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4114}
4115
4116
4c522c77
MH		 4117void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4118{
4119 if (wpa_auth && wpa_auth->pmksa)
4120 pmksa_cache_auth_flush(wpa_auth->pmksa);
4121}
4122
4123
4d77d80e
MH		 4124#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4125#ifdef CONFIG_MESH
4126
4127int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4128 char *buf, size_t len)
4129{
4130 if (!wpa_auth || !wpa_auth->pmksa)
4131 return 0;
4132
4133 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4134}
4135
4136
4137struct rsn_pmksa_cache_entry *
4138wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4139 const u8 *pmkid, int expiration)
4140{
4141 struct rsn_pmksa_cache_entry *entry;
4142 struct os_reltime now;
4143
4144 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4145 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4146 if (!entry)
4147 return NULL;
4148
4149 os_get_reltime(&now);
4150 entry->expiration = now.sec + expiration;
4151 return entry;
4152}
4153
4154
4155int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4156 struct rsn_pmksa_cache_entry *entry)
4157{
4158 int ret;
4159
4160 if (!wpa_auth || !wpa_auth->pmksa)
4161 return -1;
4162
4163 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4164 if (ret < 0)
4165 wpa_printf(MSG_DEBUG,
4166 "RSN: Failed to store external PMKSA cache for "
4167 MACSTR, MAC2STR(entry->spa));
4168
4169 return ret;
4170}
4171
4172#endif /* CONFIG_MESH */
4173#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4174
4175
9f2cf23e 4176struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 4177wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4178 const u8 *pmkid)
9f2cf23e
MH		 4179{
4180 if (!wpa_auth || !wpa_auth->pmksa)
4181 return NULL;
c1bd4bac 4182 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 4183}
4184
4185
4186void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4187 struct wpa_state_machine *sm,
4188 struct wpa_authenticator *wpa_auth,
4189 u8 *pmkid, u8 *pmk)
4190{
4191 if (!sm)
4192 return;
4193
4194 sm->pmksa = pmksa;
8854f90b
JM		 4195 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4196 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4197 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 4198}
4199
4200
a0ad9e8c
MB		 4201/*
4202 * Remove and free the group from wpa_authenticator. This is triggered by a
4203 * callback to make sure nobody is currently iterating the group list while it
4204 * gets modified.
4205 */
4206static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4207 struct wpa_group *group)
4208{
4209 struct wpa_group *prev = wpa_auth->group;
4210
4211 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4212 group->vlan_id);
4213
4214 while (prev) {
4215 if (prev->next == group) {
4216 /* This never frees the special first group as needed */
4217 prev->next = group->next;
4218 os_free(group);
4219 break;
4220 }
4221 prev = prev->next;
4222 }
4223
4224}
4225
4226
4227/* Increase the reference counter for group */
4228static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4229 struct wpa_group *group)
4230{
4231 /* Skip the special first group */
4232 if (wpa_auth->group == group)
4233 return;
4234
4235 group->references++;
4236}
4237
4238
4239/* Decrease the reference counter and maybe free the group */
4240static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4241 struct wpa_group *group)
4242{
4243 /* Skip the special first group */
4244 if (wpa_auth->group == group)
4245 return;
4246
4247 group->references--;
4248 if (group->references)
4249 return;
4250 wpa_group_free(wpa_auth, group);
4251}
4252
4253
4254/*
4255 * Add a group that has its references counter set to zero. Caller needs to
4256 * call wpa_group_get() on the return value to mark the entry in use.
4257 */
6fc6879b
JM		 4258static struct wpa_group *
4259wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4260{
4261 struct wpa_group *group;
4262
4263 if (wpa_auth == NULL || wpa_auth->group == NULL)
4264 return NULL;
4265
4266 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4267 vlan_id);
bdffdc5d 4268 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4269 if (group == NULL)
4270 return NULL;
4271
4272 group->next = wpa_auth->group->next;
4273 wpa_auth->group->next = group;
4274
4275 return group;
4276}
4277
4278
7cebc8e2
MB		 4279/*
4280 * Enforce that the group state machine for the VLAN is running, increase
4281 * reference counter as interface is up. References might have been increased
4282 * even if a negative value is returned.
4283 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4284 */
4285int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4286{
4287 struct wpa_group *group;
4288
4289 if (wpa_auth == NULL)
4290 return 0;
4291
4292 group = wpa_auth->group;
4293 while (group) {
4294 if (group->vlan_id == vlan_id)
4295 break;
4296 group = group->next;
4297 }
4298
4299 if (group == NULL) {
4300 group = wpa_auth_add_group(wpa_auth, vlan_id);
4301 if (group == NULL)
4302 return -1;
4303 }
4304
4305 wpa_printf(MSG_DEBUG,
4306 "WPA: Ensure group state machine running for VLAN ID %d",
4307 vlan_id);
4308
4309 wpa_group_get(wpa_auth, group);
4310 group->num_setup_iface++;
4311
4312 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4313 return -1;
4314
4315 return 0;
4316}
4317
4318
4319/*
4320 * Decrease reference counter, expected to be zero afterwards.
4321 * returns: -1 on error (group not found, group in fail state)
4322 * -2 if wpa_group is still referenced
4323 * 0 else
4324 */
4325int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4326{
4327 struct wpa_group *group;
4328 int ret = 0;
4329
4330 if (wpa_auth == NULL)
4331 return 0;
4332
4333 group = wpa_auth->group;
4334 while (group) {
4335 if (group->vlan_id == vlan_id)
4336 break;
4337 group = group->next;
4338 }
4339
4340 if (group == NULL)
4341 return -1;
4342
4343 wpa_printf(MSG_DEBUG,
4344 "WPA: Try stopping group state machine for VLAN ID %d",
4345 vlan_id);
4346
4347 if (group->num_setup_iface <= 0) {
4348 wpa_printf(MSG_ERROR,
4349 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4350 vlan_id);
4351 return -1;
4352 }
4353 group->num_setup_iface--;
4354
4355 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4356 ret = -1;
4357
4358 if (group->references > 1) {
4359 wpa_printf(MSG_DEBUG,
4360 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4361 vlan_id);
4362 ret = -2;
4363 }
4364
4365 wpa_group_put(wpa_auth, group);
4366
4367 return ret;
4368}
4369
4370
6fc6879b
JM		 4371int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4372{
4373 struct wpa_group *group;
4374
4375 if (sm == NULL || sm->wpa_auth == NULL)
4376 return 0;
4377
4378 group = sm->wpa_auth->group;
4379 while (group) {
4380 if (group->vlan_id == vlan_id)
4381 break;
4382 group = group->next;
4383 }
4384
4385 if (group == NULL) {
4386 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4387 if (group == NULL)
4388 return -1;
4389 }
4390
4391 if (sm->group == group)
4392 return 0;
4393
7d7f7be2
JM		 4394 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4395 return -1;
4396
6fc6879b
JM		 4397 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4398 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4399
a0ad9e8c
MB		 4400 wpa_group_get(sm->wpa_auth, group);
4401 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4402 sm->group = group;
a0ad9e8c 4403
6fc6879b
JM		 4404 return 0;
4405}
e4bf4db9
JM		 4406
4407
4408void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4409 struct wpa_state_machine *sm, int ack)
4410{
4411 if (wpa_auth == NULL || sm == NULL)
4412 return;
4413 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4414 " ack=%d", MAC2STR(sm->addr), ack);
4415 if (sm->pending_1_of_4_timeout && ack) {
4416 /*
4417 * Some deployed supplicant implementations update their SNonce
4418 * for each EAPOL-Key 2/4 message even within the same 4-way
4419 * handshake and then fail to use the first SNonce when
4420 * deriving the PTK. This results in unsuccessful 4-way
4421 * handshake whenever the relatively short initial timeout is
4422 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4423 * around this by increasing the timeout now that we know that
4424 * the station has received the frame.
4425 */
4426 int timeout_ms = eapol_key_timeout_subseq;
4427 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4428 "timeout by %u ms because of acknowledged frame",
4429 timeout_ms);
4430 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4431 eloop_register_timeout(timeout_ms / 1000,
4432 (timeout_ms % 1000) * 1000,
4433 wpa_send_eapol_timeout, wpa_auth, sm);
4434 }
3d695328
JM		 4435
4436#ifdef CONFIG_TESTING_OPTIONS
4437 if (sm->eapol_status_cb) {
4438 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
4439 sm->eapol_status_cb_ctx2);
4440 sm->eapol_status_cb = NULL;
4441 }
4442#endif /* CONFIG_TESTING_OPTIONS */
e4bf4db9 4443}
c10347f2
JM		 4444
4445
4446int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4447{
4448 if (sm == NULL)
4449 return 0;
4450 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4451}
aa189ac9
JM		 4452
4453
4454int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4455{
4456 if (sm == NULL)
4457 return 0;
4458 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4459}
25ef8529
JM		 4460
4461
4462#ifdef CONFIG_P2P
4463int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4464{
4465 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4466 return -1;
4467 os_memcpy(addr, sm->ip_addr, 4);
4468 return 0;
4469}
4470#endif /* CONFIG_P2P */
cbc210de
JM		 4471
4472
4473int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4474 struct radius_das_attrs *attr)
4475{
4476 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4477}
34782730
JM		 4478
4479
4480void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4481{
4482 struct wpa_group *group;
4483
4484 if (!wpa_auth)
4485 return;
4486 for (group = wpa_auth->group; group; group = group->next)
4487 wpa_group_config_group_keys(wpa_auth, group);
4488}
7eace378
JM		 4489
4490
4491#ifdef CONFIG_FILS
4492
4493struct wpa_auth_fils_iter_data {
4494 struct wpa_authenticator *auth;
4495 const u8 *cache_id;
4496 struct rsn_pmksa_cache_entry *pmksa;
4497 const u8 *spa;
4498 const u8 *pmkid;
4499};
4500
4501
4502static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4503{
4504 struct wpa_auth_fils_iter_data *data = ctx;
4505
4cc6574d 4506 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4507 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4508 FILS_CACHE_ID_LEN) != 0)
4509 return 0;
4510 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4511 return data->pmksa != NULL;
4512}
4513
4514
4515struct rsn_pmksa_cache_entry *
4516wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4517 const u8 *sta_addr, const u8 *pmkid)
4518{
4519 struct wpa_auth_fils_iter_data idata;
4520
4521 if (!wpa_auth->conf.fils_cache_id_set)
4522 return NULL;
4523 idata.auth = wpa_auth;
4524 idata.cache_id = wpa_auth->conf.fils_cache_id;
4525 idata.pmksa = NULL;
4526 idata.spa = sta_addr;
4527 idata.pmkid = pmkid;
4528 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4529 return idata.pmksa;
4530}
4531
5db997e3
JM		 4532
4533#ifdef CONFIG_IEEE80211R_AP
4534int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
4535{
4536 struct wpa_auth_config *conf = &wpa_auth->conf;
4537
4538 return wpa_write_ftie(conf, conf->r0_key_holder,
4539 conf->r0_key_holder_len,
4540 NULL, NULL, buf, len, NULL, 0);
4541}
4542#endif /* CONFIG_IEEE80211R_AP */
4543
8acbf85f
JM		 4544
4545void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4546 u8 *fils_anonce, u8 *fils_snonce,
4547 u8 *fils_kek, size_t *fils_kek_len)
4548{
4549 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4550 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4551 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4552 *fils_kek_len = sm->PTK.kek_len;
4553}
4554
7eace378 4555#endif /* CONFIG_FILS */
6bc2f00f
JM		 4556
4557
82424732 4558#ifdef CONFIG_TESTING_OPTIONS
d8afdb21 4559
3d695328
JM		 4560int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
4561 void (*cb)(void *ctx1, void *ctx2),
4562 void *ctx1, void *ctx2)
d8afdb21
JM		 4563{
4564 const u8 *anonce = sm->ANonce;
4565 u8 anonce_buf[WPA_NONCE_LEN];
4566
4567 if (change_anonce) {
4568 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
4569 return -1;
4570 anonce = anonce_buf;
4571 }
4572
4573 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4574 "sending 1/4 msg of 4-Way Handshake (TESTING)");
4575 wpa_send_eapol(sm->wpa_auth, sm,
4576 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
4577 anonce, NULL, 0, 0, 0);
4578 return 0;
4579}
4580
4581
3d695328
JM		 4582int wpa_auth_resend_m3(struct wpa_state_machine *sm,
4583 void (*cb)(void *ctx1, void *ctx2),
4584 void *ctx1, void *ctx2)
d8afdb21 4585{
0c3bc1be
LD		 4586 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
4587#ifdef CONFIG_IEEE80211W
4588 u8 *opos;
4589#endif /* CONFIG_IEEE80211W */
d8afdb21
JM		 4590 size_t gtk_len, kde_len;
4591 struct wpa_group *gsm = sm->group;
4592 u8 *wpa_ie;
4593 int wpa_ie_len, secure, keyidx, encr = 0;
4594
4595 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4596 GTK[GN], IGTK, [FTIE], [TIE * 2])
4597 */
4598
4599 /* Use 0 RSC */
4600 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4601 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4602 wpa_ie = sm->wpa_auth->wpa_ie;
4603 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4604 if (sm->wpa == WPA_VERSION_WPA &&
4605 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
4606 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
4607 /* WPA-only STA, remove RSN IE and possible MDIE */
4608 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4609 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4610 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4611 wpa_ie_len = wpa_ie[1] + 2;
4612 }
4613 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4614 "sending 3/4 msg of 4-Way Handshake (TESTING)");
4615 if (sm->wpa == WPA_VERSION_WPA2) {
4616 /* WPA2 send GTK in the 4-way handshake */
4617 secure = 1;
4618 gtk = gsm->GTK[gsm->GN - 1];
4619 gtk_len = gsm->GTK_len;
4620 keyidx = gsm->GN;
4621 _rsc = rsc;
4622 encr = 1;
4623 } else {
4624 /* WPA does not include GTK in msg 3/4 */
4625 secure = 0;
4626 gtk = NULL;
4627 gtk_len = 0;
4628 keyidx = 0;
4629 _rsc = NULL;
4630 if (sm->rx_eapol_key_secure) {
4631 /*
4632 * It looks like Windows 7 supplicant tries to use
4633 * Secure bit in msg 2/4 after having reported Michael
4634 * MIC failure and it then rejects the 4-way handshake
4635 * if msg 3/4 does not set Secure bit. Work around this
4636 * by setting the Secure bit here even in the case of
4637 * WPA if the supplicant used it first.
4638 */
4639 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4640 "STA used Secure bit in WPA msg 2/4 - "
4641 "set Secure for 3/4 as workaround");
4642 secure = 1;
4643 }
4644 }
4645
4646 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
4647 if (gtk)
4648 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4649#ifdef CONFIG_IEEE80211R_AP
4650 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4651 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4652 kde_len += 300; /* FTIE + 2 * TIE */
4653 }
4654#endif /* CONFIG_IEEE80211R_AP */
4655 kde = os_malloc(kde_len);
4656 if (kde == NULL)
4657 return -1;
4658
4659 pos = kde;
4660 os_memcpy(pos, wpa_ie, wpa_ie_len);
4661 pos += wpa_ie_len;
4662#ifdef CONFIG_IEEE80211R_AP
4663 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4664 int res;
4665 size_t elen;
4666
4667 elen = pos - kde;
4668 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
4669 if (res < 0) {
4670 wpa_printf(MSG_ERROR, "FT: Failed to insert "
4671 "PMKR1Name into RSN IE in EAPOL-Key data");
4672 os_free(kde);
4673 return -1;
4674 }
4675 pos -= wpa_ie_len;
4676 pos += elen;
4677 }
4678#endif /* CONFIG_IEEE80211R_AP */
4679 if (gtk) {
4680 u8 hdr[2];
4681 hdr[0] = keyidx & 0x03;
4682 hdr[1] = 0;
4683 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4684 gtk, gtk_len);
4685 }
0c3bc1be 4686#ifdef CONFIG_IEEE80211W
d8afdb21
JM		 4687 opos = pos;
4688 pos = ieee80211w_kde_add(sm, pos);
4689 if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
4690 opos += 2; /* skip keyid */
4691 os_memset(opos, 0, 6); /* clear PN */
4692 }
0c3bc1be 4693#endif /* CONFIG_IEEE80211W */
d8afdb21
JM		 4694
4695#ifdef CONFIG_IEEE80211R_AP
4696 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4697 int res;
4698 struct wpa_auth_config *conf;
4699
4700 conf = &sm->wpa_auth->conf;
4701 if (sm->assoc_resp_ftie &&
4702 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
4703 os_memcpy(pos, sm->assoc_resp_ftie,
4704 2 + sm->assoc_resp_ftie[1]);
4705 res = 2 + sm->assoc_resp_ftie[1];
4706 } else {
4707 res = wpa_write_ftie(conf, conf->r0_key_holder,
4708 conf->r0_key_holder_len,
4709 NULL, NULL, pos,
4710 kde + kde_len - pos,
4711 NULL, 0);
4712 }
4713 if (res < 0) {
4714 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
4715 "into EAPOL-Key Key Data");
4716 os_free(kde);
4717 return -1;
4718 }
4719 pos += res;
4720
4721 /* TIE[ReassociationDeadline] (TU) */
4722 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4723 *pos++ = 5;
4724 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
4725 WPA_PUT_LE32(pos, conf->reassociation_deadline);
4726 pos += 4;
4727
4728 /* TIE[KeyLifetime] (seconds) */
4729 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4730 *pos++ = 5;
4731 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
4732 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
4733 pos += 4;
4734 }
4735#endif /* CONFIG_IEEE80211R_AP */
4736
4737 wpa_send_eapol(sm->wpa_auth, sm,
4738 (secure ? WPA_KEY_INFO_SECURE : 0) |
4739 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
4740 WPA_KEY_INFO_MIC : 0) |
4741 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
4742 WPA_KEY_INFO_KEY_TYPE,
4743 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
4744 os_free(kde);
4745 return 0;
4746}
4747
4748
3d695328
JM		 4749int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
4750 void (*cb)(void *ctx1, void *ctx2),
4751 void *ctx1, void *ctx2)
6bc2f00f
JM		 4752{
4753 u8 rsc[WPA_KEY_RSC_LEN];
4754 struct wpa_group *gsm = sm->group;
4755 const u8 *kde;
0c3bc1be
LD		 4756 u8 *kde_buf = NULL, *pos, hdr[2];
4757#ifdef CONFIG_IEEE80211W
4758 u8 *opos;
4759#endif /* CONFIG_IEEE80211W */
6bc2f00f
JM		 4760 size_t kde_len;
4761 u8 *gtk;
4762
4763 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
4764 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4765 /* Use 0 RSC */
4766 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4767 "sending 1/2 msg of Group Key Handshake (TESTING)");
4768
4769 gtk = gsm->GTK[gsm->GN - 1];
4770 if (sm->wpa == WPA_VERSION_WPA2) {
4771 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
4772 ieee80211w_kde_len(sm);
4773 kde_buf = os_malloc(kde_len);
4774 if (kde_buf == NULL)
4775 return -1;
4776
4777 kde = pos = kde_buf;
4778 hdr[0] = gsm->GN & 0x03;
4779 hdr[1] = 0;
4780 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4781 gtk, gsm->GTK_len);
0c3bc1be 4782#ifdef CONFIG_IEEE80211W
6bc2f00f
JM		 4783 opos = pos;
4784 pos = ieee80211w_kde_add(sm, pos);
4785 if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
4786 opos += 2; /* skip keyid */
4787 os_memset(opos, 0, 6); /* clear PN */
4788 }
0c3bc1be 4789#endif /* CONFIG_IEEE80211W */
6bc2f00f
JM		 4790 kde_len = pos - kde;
4791 } else {
4792 kde = gtk;
4793 kde_len = gsm->GTK_len;
4794 }
4795
3d695328
JM		 4796 sm->eapol_status_cb = cb;
4797 sm->eapol_status_cb_ctx1 = ctx1;
4798 sm->eapol_status_cb_ctx2 = ctx2;
4799
6bc2f00f
JM		 4800 wpa_send_eapol(sm->wpa_auth, sm,
4801 WPA_KEY_INFO_SECURE |
4802 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
4803 WPA_KEY_INFO_MIC : 0) |
4804 WPA_KEY_INFO_ACK |
4805 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
4806 rsc, NULL, kde, kde_len, gsm->GN, 1);
4807
4808 os_free(kde_buf);
4809 return 0;
4810}
d8afdb21 4811
92662fb2
JB		 4812
4813int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
4814{
4815 if (!wpa_auth)
4816 return -1;
4817 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
4818 return eloop_register_timeout(0, 0, wpa_rekey_gtk, wpa_auth, NULL);
4819}
4820
6bc2f00f 4821#endif /* CONFIG_TESTING_OPTIONS */
Unnamed repository; edit this file 'description' to name the repository.