]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
DPP: Fix EAPOL-Key Key MIC calculation
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
98cd3d1c 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
3b5b7aa8 16#include "crypto/aes.h"
03da66bd 17#include "crypto/aes_wrap.h"
3b5b7aa8 18#include "crypto/aes_siv.h"
03da66bd
JM		 19#include "crypto/crypto.h"
20#include "crypto/sha1.h"
21#include "crypto/sha256.h"
3642c431 22#include "crypto/random.h"
281c950b 23#include "eapol_auth/eapol_auth_sm.h"
6226e38d 24#include "ap_config.h"
6fc6879b 25#include "ieee802_11.h"
6226e38d
JM		 26#include "wpa_auth.h"
27#include "pmksa_cache_auth.h"
6fc6879b
JM		 28#include "wpa_auth_i.h"
29#include "wpa_auth_ie.h"
30
31#define STATE_MACHINE_DATA struct wpa_state_machine
32#define STATE_MACHINE_DEBUG_PREFIX "WPA"
33#define STATE_MACHINE_ADDR sm->addr
34
35
36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 37static int wpa_sm_step(struct wpa_state_machine *sm);
567da5bb
JM		 38static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
39 u8 *data, size_t data_len);
75c8563e
JM		 40#ifdef CONFIG_FILS
41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
9392859d
JM		 43static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
44 const struct wpabuf *hlp);
75c8563e 45#endif /* CONFIG_FILS */
6fc6879b
JM		 46static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
47static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
48 struct wpa_group *group);
581a8cde 49static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 50static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
1bdb7ab3
JM		 52static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
53 struct wpa_group *group);
f23c5b17 54static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 55 const u8 *pmk, unsigned int pmk_len,
56 struct wpa_ptk *ptk);
a0ad9e8c
MB		 57static void wpa_group_free(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59static void wpa_group_get(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
61static void wpa_group_put(struct wpa_authenticator *wpa_auth,
62 struct wpa_group *group);
e73ffa09 63static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 64
bae61562
JM		 65static const u32 eapol_key_timeout_first = 100; /* ms */
66static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 67static const u32 eapol_key_timeout_first_group = 500; /* ms */
6fc6879b
JM		 68
69/* TODO: make these configurable */
70static const int dot11RSNAConfigPMKLifetime = 43200;
71static const int dot11RSNAConfigPMKReauthThreshold = 70;
72static const int dot11RSNAConfigSATimeout = 60;
73
74
c772d054 75static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 76 struct wpa_authenticator *wpa_auth, const u8 *addr)
77{
cef8fac0
JB		 78 if (wpa_auth->cb->mic_failure_report)
79 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 80 return 0;
6fc6879b
JM		 81}
82
83
2c502460
JM		 84static inline void wpa_auth_psk_failure_report(
85 struct wpa_authenticator *wpa_auth, const u8 *addr)
86{
cef8fac0
JB		 87 if (wpa_auth->cb->psk_failure_report)
88 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 89}
90
91
6fc6879b
JM		 92static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
93 const u8 *addr, wpa_eapol_variable var,
94 int value)
95{
cef8fac0
JB		 96 if (wpa_auth->cb->set_eapol)
97 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 98}
99
100
101static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
102 const u8 *addr, wpa_eapol_variable var)
103{
cef8fac0 104 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 105 return -1;
cef8fac0 106 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 107}
108
109
110static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 111 const u8 *addr,
112 const u8 *p2p_dev_addr,
7a12edd1 113 const u8 *prev_psk, size_t *psk_len)
6fc6879b 114{
cef8fac0 115 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 116 return NULL;
cef8fac0 117 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
7a12edd1 118 prev_psk, psk_len);
6fc6879b
JM		 119}
120
121
122static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
123 const u8 *addr, u8 *msk, size_t *len)
124{
cef8fac0 125 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 126 return -1;
cef8fac0 127 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 128}
129
130
131static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
132 int vlan_id,
71934751 133 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 134 u8 *key, size_t key_len)
135{
cef8fac0 136 if (wpa_auth->cb->set_key == NULL)
6fc6879b 137 return -1;
cef8fac0
JB		 138 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
139 key, key_len);
6fc6879b
JM		 140}
141
142
143static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
144 const u8 *addr, int idx, u8 *seq)
145{
cef8fac0 146 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 147 return -1;
cef8fac0 148 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 149}
150
151
6fc6879b
JM		 152static inline int
153wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
154 const u8 *data, size_t data_len, int encrypt)
155{
cef8fac0 156 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 157 return -1;
cef8fac0
JB		 158 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
159 encrypt);
6fc6879b
JM		 160}
161
162
c50d94f1
BC		 163#ifdef CONFIG_MESH
164static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
165 const u8 *addr)
166{
cef8fac0 167 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 168 return -1;
cef8fac0 169 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 170}
171#endif /* CONFIG_MESH */
172
173
6fc6879b
JM		 174int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
175 int (*cb)(struct wpa_state_machine *sm, void *ctx),
176 void *cb_ctx)
177{
cef8fac0 178 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 179 return 0;
cef8fac0 180 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 181}
182
183
bf98f7f3
JM		 184int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
185 int (*cb)(struct wpa_authenticator *a, void *ctx),
186 void *cb_ctx)
187{
cef8fac0 188 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 189 return 0;
cef8fac0 190 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 191}
192
193
6fc6879b
JM		 194void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
195 logger_level level, const char *txt)
196{
cef8fac0 197 if (wpa_auth->cb->logger == NULL)
6fc6879b 198 return;
cef8fac0 199 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 200}
201
202
203void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
204 logger_level level, const char *fmt, ...)
205{
206 char *format;
207 int maxlen;
208 va_list ap;
209
cef8fac0 210 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 211 return;
212
213 maxlen = os_strlen(fmt) + 100;
214 format = os_malloc(maxlen);
215 if (!format)
216 return;
217
218 va_start(ap, fmt);
219 vsnprintf(format, maxlen, fmt, ap);
220 va_end(ap);
221
222 wpa_auth_logger(wpa_auth, addr, level, format);
223
224 os_free(format);
225}
226
227
228static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
567da5bb 229 const u8 *addr, u16 reason)
6fc6879b 230{
cef8fac0 231 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 232 return;
567da5bb
JM		 233 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
234 MAC2STR(addr), reason);
235 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
6fc6879b
JM		 236}
237
238
239static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
240{
56586197 241 int ret = 0;
4ec1fd8e 242#ifdef CONFIG_IEEE80211R_AP
56586197
JM		 243 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
244 ret = 1;
4ec1fd8e 245#endif /* CONFIG_IEEE80211R_AP */
56586197
JM		 246#ifdef CONFIG_IEEE80211W
247 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
248 ret = 1;
249#endif /* CONFIG_IEEE80211W */
a14896e8
JM		 250 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
251 ret = 1;
56586197 252 return ret;
6fc6879b
JM		 253}
254
255
256static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
257{
258 struct wpa_authenticator *wpa_auth = eloop_ctx;
259
3642c431 260 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 261 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
262 "initialization.");
263 } else {
264 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 265 wpa_hexdump_key(MSG_DEBUG, "GMK",
266 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 267 }
268
269 if (wpa_auth->conf.wpa_gmk_rekey) {
270 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
271 wpa_rekey_gmk, wpa_auth, NULL);
272 }
273}
274
275
276static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
277{
278 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 279 struct wpa_group *group, *next;
6fc6879b
JM		 280
281 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 282 group = wpa_auth->group;
283 while (group) {
284 wpa_group_get(wpa_auth, group);
285
6fc6879b
JM		 286 group->GTKReKey = TRUE;
287 do {
288 group->changed = FALSE;
289 wpa_group_sm_step(wpa_auth, group);
290 } while (group->changed);
a0ad9e8c
MB		 291
292 next = group->next;
293 wpa_group_put(wpa_auth, group);
294 group = next;
6fc6879b
JM		 295 }
296
297 if (wpa_auth->conf.wpa_group_rekey) {
298 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
299 0, wpa_rekey_gtk, wpa_auth, NULL);
300 }
301}
302
303
581a8cde
JM		 304static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
305{
306 struct wpa_authenticator *wpa_auth = eloop_ctx;
307 struct wpa_state_machine *sm = timeout_ctx;
308
309 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
310 wpa_request_new_ptk(sm);
311 wpa_sm_step(sm);
312}
313
314
6fc6879b
JM		 315static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
316{
317 if (sm->pmksa == ctx)
318 sm->pmksa = NULL;
319 return 0;
320}
321
322
323static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
324 void *ctx)
325{
326 struct wpa_authenticator *wpa_auth = ctx;
327 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
328}
329
330
1bdb7ab3
JM		 331static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
332 struct wpa_group *group)
333{
559cdabb 334 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 335 u8 rkey[32];
559cdabb 336 unsigned long ptr;
1bdb7ab3 337
3642c431 338 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 339 return -1;
340 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
341
342 /*
343 * Counter = PRF-256(Random number, "Init Counter",
344 * Local MAC Address || Time)
345 */
346 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
347 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 348 ptr = (unsigned long) group;
349 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 350 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 351 return -1;
352
353 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
354 group->Counter, WPA_NONCE_LEN) < 0)
355 return -1;
356 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
357 group->Counter, WPA_NONCE_LEN);
358
359 return 0;
360}
361
362
e6965d4e 363static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 364 int vlan_id, int delay_init)
e6965d4e
JM		 365{
366 struct wpa_group *group;
e6965d4e
JM		 367
368 group = os_zalloc(sizeof(struct wpa_group));
369 if (group == NULL)
370 return NULL;
371
372 group->GTKAuthenticator = TRUE;
373 group->vlan_id = vlan_id;
c3550295 374 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 375
08704cd8
JM		 376 if (random_pool_ready() != 1) {
377 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
378 "for secure operations - update keys later when "
379 "the first station connects");
380 }
381
1bdb7ab3
JM		 382 /*
383 * Set initial GMK/Counter value here. The actual values that will be
384 * used in negotiations will be set once the first station tries to
385 * connect. This allows more time for collecting additional randomness
386 * on embedded devices.
6fc6879b 387 */
1bdb7ab3 388 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 389 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
390 "initialization.");
391 os_free(group);
392 return NULL;
393 }
6fc6879b
JM		 394
395 group->GInit = TRUE;
bdffdc5d
JM		 396 if (delay_init) {
397 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
398 "until Beacon frames have been configured");
399 /* Initialization is completed in wpa_init_keys(). */
400 } else {
401 wpa_group_sm_step(wpa_auth, group);
402 group->GInit = FALSE;
403 wpa_group_sm_step(wpa_auth, group);
404 }
6fc6879b
JM		 405
406 return group;
407}
408
409
410/**
411 * wpa_init - Initialize WPA authenticator
412 * @addr: Authenticator address
413 * @conf: Configuration for WPA authenticator
a17df5fb 414 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 415 * Returns: Pointer to WPA authenticator data or %NULL on failure
416 */
417struct wpa_authenticator * wpa_init(const u8 *addr,
418 struct wpa_auth_config *conf,
cef8fac0
JB		 419 const struct wpa_auth_callbacks *cb,
420 void *cb_ctx)
6fc6879b
JM		 421{
422 struct wpa_authenticator *wpa_auth;
423
424 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
425 if (wpa_auth == NULL)
426 return NULL;
427 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
428 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 429 wpa_auth->cb = cb;
430 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 431
432 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
433 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
434 os_free(wpa_auth);
435 return NULL;
436 }
437
bdffdc5d 438 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 439 if (wpa_auth->group == NULL) {
440 os_free(wpa_auth->wpa_ie);
441 os_free(wpa_auth);
442 return NULL;
443 }
444
4bb081f1
JM		 445 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
446 wpa_auth);
6fc6879b
JM		 447 if (wpa_auth->pmksa == NULL) {
448 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 449 os_free(wpa_auth->group);
6fc6879b
JM		 450 os_free(wpa_auth->wpa_ie);
451 os_free(wpa_auth);
452 return NULL;
453 }
454
4ec1fd8e 455#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 456 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
457 if (wpa_auth->ft_pmk_cache == NULL) {
458 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 459 os_free(wpa_auth->group);
6fc6879b 460 os_free(wpa_auth->wpa_ie);
4bb081f1 461 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 462 os_free(wpa_auth);
463 return NULL;
464 }
4ec1fd8e 465#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 466
467 if (wpa_auth->conf.wpa_gmk_rekey) {
468 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
469 wpa_rekey_gmk, wpa_auth, NULL);
470 }
471
472 if (wpa_auth->conf.wpa_group_rekey) {
473 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
474 wpa_rekey_gtk, wpa_auth, NULL);
475 }
476
25ef8529
JM		 477#ifdef CONFIG_P2P
478 if (WPA_GET_BE32(conf->ip_addr_start)) {
479 int count = WPA_GET_BE32(conf->ip_addr_end) -
480 WPA_GET_BE32(conf->ip_addr_start) + 1;
481 if (count > 1000)
482 count = 1000;
483 if (count > 0)
484 wpa_auth->ip_pool = bitfield_alloc(count);
485 }
486#endif /* CONFIG_P2P */
487
6fc6879b
JM		 488 return wpa_auth;
489}
490
491
bdffdc5d
JM		 492int wpa_init_keys(struct wpa_authenticator *wpa_auth)
493{
494 struct wpa_group *group = wpa_auth->group;
495
496 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
497 "keys");
498 wpa_group_sm_step(wpa_auth, group);
499 group->GInit = FALSE;
500 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 501 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
502 return -1;
bdffdc5d
JM		 503 return 0;
504}
505
506
6fc6879b
JM		 507/**
508 * wpa_deinit - Deinitialize WPA authenticator
509 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
510 */
511void wpa_deinit(struct wpa_authenticator *wpa_auth)
512{
513 struct wpa_group *group, *prev;
514
515 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
516 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
517
4bb081f1 518 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 519
4ec1fd8e 520#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 521 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
522 wpa_auth->ft_pmk_cache = NULL;
eefe8630 523 wpa_ft_deinit(wpa_auth);
4ec1fd8e 524#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 525
25ef8529
JM		 526#ifdef CONFIG_P2P
527 bitfield_free(wpa_auth->ip_pool);
528#endif /* CONFIG_P2P */
529
530
6fc6879b
JM		 531 os_free(wpa_auth->wpa_ie);
532
533 group = wpa_auth->group;
534 while (group) {
535 prev = group;
536 group = group->next;
537 os_free(prev);
538 }
539
540 os_free(wpa_auth);
541}
542
543
544/**
545 * wpa_reconfig - Update WPA authenticator configuration
546 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
547 * @conf: Configuration for WPA authenticator
548 */
549int wpa_reconfig(struct wpa_authenticator *wpa_auth,
550 struct wpa_auth_config *conf)
551{
e6965d4e 552 struct wpa_group *group;
6fc6879b
JM		 553 if (wpa_auth == NULL)
554 return 0;
555
556 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 557 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
558 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
559 return -1;
560 }
561
e6965d4e
JM		 562 /*
563 * Reinitialize GTK to make sure it is suitable for the new
564 * configuration.
565 */
566 group = wpa_auth->group;
c3550295 567 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 568 group->GInit = TRUE;
569 wpa_group_sm_step(wpa_auth, group);
570 group->GInit = FALSE;
571 wpa_group_sm_step(wpa_auth, group);
572
6fc6879b
JM		 573 return 0;
574}
575
576
577struct wpa_state_machine *
94ddef3e
JM		 578wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
579 const u8 *p2p_dev_addr)
6fc6879b
JM		 580{
581 struct wpa_state_machine *sm;
582
7d7f7be2
JM		 583 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
584 return NULL;
585
6fc6879b
JM		 586 sm = os_zalloc(sizeof(struct wpa_state_machine));
587 if (sm == NULL)
588 return NULL;
589 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 590 if (p2p_dev_addr)
591 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 592
593 sm->wpa_auth = wpa_auth;
594 sm->group = wpa_auth->group;
a0ad9e8c 595 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 596
597 return sm;
598}
599
600
6f9b5d16
JM		 601int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
602 struct wpa_state_machine *sm)
6fc6879b
JM		 603{
604 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 605 return -1;
6fc6879b 606
4ec1fd8e 607#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 608 if (sm->ft_completed) {
609 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
610 "FT authentication already completed - do not "
611 "start 4-way handshake");
3d4d2348
JM		 612 /* Go to PTKINITDONE state to allow GTK rekeying */
613 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 614 sm->Pair = TRUE;
6f9b5d16 615 return 0;
6fc6879b 616 }
4ec1fd8e 617#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 618
07e0117d
JM		 619#ifdef CONFIG_FILS
620 if (sm->fils_completed) {
621 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
622 "FILS authentication already completed - do not start 4-way handshake");
623 /* Go to PTKINITDONE state to allow GTK rekeying */
624 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 625 sm->Pair = TRUE;
07e0117d
JM		 626 return 0;
627 }
628#endif /* CONFIG_FILS */
629
6fc6879b 630 if (sm->started) {
22a299ee 631 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 632 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 633 return wpa_sm_step(sm);
6fc6879b
JM		 634 }
635
636 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
637 "start authentication");
638 sm->started = 1;
639
640 sm->Init = TRUE;
e4a6ea1d 641 if (wpa_sm_step(sm) == 1)
6f9b5d16 642 return 1; /* should not really happen */
6fc6879b
JM		 643 sm->Init = FALSE;
644 sm->AuthenticationRequest = TRUE;
6f9b5d16 645 return wpa_sm_step(sm);
6fc6879b
JM		 646}
647
648
a8d05fca
JM		 649void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
650{
651 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
652 * reassociates back to the same AP while the previous entry for the
653 * STA has not yet been removed. */
654 if (sm == NULL)
655 return;
656
657 sm->wpa_key_mgmt = 0;
658}
659
660
6fc6879b
JM		 661static void wpa_free_sta_sm(struct wpa_state_machine *sm)
662{
25ef8529
JM		 663#ifdef CONFIG_P2P
664 if (WPA_GET_BE32(sm->ip_addr)) {
665 u32 start;
666 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
667 "address %u.%u.%u.%u from " MACSTR,
668 sm->ip_addr[0], sm->ip_addr[1],
669 sm->ip_addr[2], sm->ip_addr[3],
670 MAC2STR(sm->addr));
671 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
672 bitfield_clear(sm->wpa_auth->ip_pool,
673 WPA_GET_BE32(sm->ip_addr) - start);
674 }
675#endif /* CONFIG_P2P */
2ade8ef2
JM		 676 if (sm->GUpdateStationKeys) {
677 sm->group->GKeyDoneStations--;
678 sm->GUpdateStationKeys = FALSE;
679 }
4ec1fd8e 680#ifdef CONFIG_IEEE80211R_AP
0f857f43 681 os_free(sm->assoc_resp_ftie);
692ec305 682 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 683#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 684 os_free(sm->last_rx_eapol_key);
685 os_free(sm->wpa_ie);
a0ad9e8c 686 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b
JM		 687 os_free(sm);
688}
689
690
691void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
692{
693 if (sm == NULL)
694 return;
695
696 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
697 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
698 "strict rekeying - force GTK rekey since STA "
699 "is leaving");
700 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
701 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
702 NULL);
703 }
704
705 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 706 sm->pending_1_of_4_timeout = 0;
6fc6879b 707 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 708 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3a46cf93
MB		 709#ifdef CONFIG_IEEE80211R_AP
710 wpa_ft_sta_deinit(sm);
711#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 712 if (sm->in_step_loop) {
713 /* Must not free state machine while wpa_sm_step() is running.
714 * Freeing will be completed in the end of wpa_sm_step(). */
715 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
716 "machine deinit for " MACSTR, MAC2STR(sm->addr));
717 sm->pending_deinit = 1;
718 } else
719 wpa_free_sta_sm(sm);
720}
721
722
723static void wpa_request_new_ptk(struct wpa_state_machine *sm)
724{
725 if (sm == NULL)
726 return;
727
728 sm->PTKRequest = TRUE;
729 sm->PTK_valid = 0;
730}
731
732
68921e24 733static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 734 const u8 *replay_counter)
735{
736 int i;
737 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 738 if (!ctr[i].valid)
22a299ee 739 break;
68921e24 740 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 741 WPA_REPLAY_COUNTER_LEN) == 0)
742 return 1;
743 }
744 return 0;
745}
746
747
68921e24
JM		 748static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
749 const u8 *replay_counter)
750{
751 int i;
752 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
753 if (ctr[i].valid &&
754 (replay_counter == NULL ||
755 os_memcmp(replay_counter, ctr[i].counter,
756 WPA_REPLAY_COUNTER_LEN) == 0))
757 ctr[i].valid = FALSE;
758 }
759}
760
761
4ec1fd8e 762#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 763static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
764 struct wpa_state_machine *sm,
765 struct wpa_eapol_ie_parse *kde)
766{
767 struct wpa_ie_data ie;
768 struct rsn_mdie *mdie;
769
770 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
771 ie.num_pmkid != 1 || ie.pmkid == NULL) {
772 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
773 "FT 4-way handshake message 2/4");
774 return -1;
775 }
776
777 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
778 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
779 sm->sup_pmk_r1_name, PMKID_LEN);
780
781 if (!kde->mdie || !kde->ftie) {
782 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
783 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
784 return -1;
785 }
786
787 mdie = (struct rsn_mdie *) (kde->mdie + 2);
788 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
789 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
790 MOBILITY_DOMAIN_ID_LEN) != 0) {
791 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
792 return -1;
793 }
794
795 if (sm->assoc_resp_ftie &&
796 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
797 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
798 2 + sm->assoc_resp_ftie[1]) != 0)) {
799 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
800 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
801 kde->ftie, kde->ftie_len);
802 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
803 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
804 return -1;
805 }
806
807 return 0;
808}
4ec1fd8e 809#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 810
811
c772d054
JM		 812static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
813 struct wpa_state_machine *sm, int group)
ec027805
JM		 814{
815 /* Supplicant reported a Michael MIC error */
816 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
817 "received EAPOL-Key Error Request "
818 "(STA detected Michael MIC failure (group=%d))",
819 group);
fbc72d32
JM		 820
821 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
822 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
823 "ignore Michael MIC failure report since "
824 "group cipher is not TKIP");
825 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
826 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
827 "ignore Michael MIC failure report since "
828 "pairwise cipher is not TKIP");
829 } else {
c772d054
JM		 830 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
831 return 1; /* STA entry was removed */
fbc72d32
JM		 832 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
833 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
834 }
ec027805
JM		 835
836 /*
837 * Error report is not a request for a new key handshake, but since
838 * Authenticator may do it, let's change the keys now anyway.
839 */
840 wpa_request_new_ptk(sm);
c772d054 841 return 0;
ec027805
JM		 842}
843
844
f23c5b17
JM		 845static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
846 size_t data_len)
847{
848 struct wpa_ptk PTK;
849 int ok = 0;
850 const u8 *pmk = NULL;
7a12edd1 851 size_t pmk_len;
f23c5b17 852
b729fd8d 853 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17 854 for (;;) {
e61fea6b
JM		 855 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
856 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
f23c5b17 857 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
7a12edd1 858 sm->p2p_dev_addr, pmk, &pmk_len);
f23c5b17
JM		 859 if (pmk == NULL)
860 break;
207976f0 861 } else {
f23c5b17 862 pmk = sm->PMK;
207976f0
JM		 863 pmk_len = sm->pmk_len;
864 }
f23c5b17 865
364c064a
JM		 866 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
867 break;
f23c5b17 868
567da5bb
JM		 869 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
870 data, data_len) == 0) {
f23c5b17
JM		 871 ok = 1;
872 break;
873 }
874
875 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
876 break;
877 }
878
879 if (!ok) {
880 wpa_printf(MSG_DEBUG,
881 "WPA: Earlier SNonce did not result in matching MIC");
882 return -1;
883 }
884
885 wpa_printf(MSG_DEBUG,
886 "WPA: Earlier SNonce resulted in matching MIC");
887 sm->alt_snonce_valid = 0;
888 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
889 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
890 sm->PTK_valid = TRUE;
891
892 return 0;
893}
894
895
6fc6879b
JM		 896void wpa_receive(struct wpa_authenticator *wpa_auth,
897 struct wpa_state_machine *sm,
898 u8 *data, size_t data_len)
899{
900 struct ieee802_1x_hdr *hdr;
901 struct wpa_eapol_key *key;
902 u16 key_info, key_data_length;
903 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
904 SMK_M1, SMK_M3, SMK_ERROR } msg;
905 char *msgtxt;
906 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 907 const u8 *key_data;
908 size_t keyhdrlen, mic_len;
6d014ffc 909 u8 *mic;
6fc6879b
JM		 910
911 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
912 return;
dc5bad48 913 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 914
567da5bb 915 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 916 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 917
dc5bad48
JM		 918 if (data_len < sizeof(*hdr) + keyhdrlen) {
919 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 920 return;
dc5bad48 921 }
6fc6879b
JM		 922
923 hdr = (struct ieee802_1x_hdr *) data;
924 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 925 mic = (u8 *) (key + 1);
6fc6879b 926 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 927 key_data = mic + mic_len + 2;
928 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 929 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 930 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
931 MAC2STR(sm->addr), key_info, key->type,
932 (unsigned int) mic_len, key_data_length);
933 wpa_hexdump(MSG_MSGDUMP,
934 "WPA: EAPOL-Key header (ending before Key MIC)",
935 key, sizeof(*key));
936 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
937 mic, mic_len);
5e3b5197 938 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 939 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
940 "key_data overflow (%d > %lu)",
941 key_data_length,
942 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 943 keyhdrlen));
6fc6879b
JM		 944 return;
945 }
946
f8e96eb6 947 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 948 if (key->type == EAPOL_KEY_TYPE_WPA) {
949 /*
950 * Some deployed station implementations seem to send
951 * msg 4/4 with incorrect type value in WPA2 mode.
952 */
953 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
954 "with unexpected WPA type in RSN mode");
955 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 956 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
957 "unexpected type %d in RSN mode",
958 key->type);
959 return;
960 }
961 } else {
962 if (key->type != EAPOL_KEY_TYPE_WPA) {
963 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
964 "unexpected type %d in WPA mode",
965 key->type);
966 return;
967 }
968 }
969
bc8318ac
JM		 970 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
971 WPA_NONCE_LEN);
972 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
973 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
974
6fc6879b
JM		 975 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
976 * are set */
977
978 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
979 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
980 if (key_info & WPA_KEY_INFO_ERROR) {
981 msg = SMK_ERROR;
982 msgtxt = "SMK Error";
983 } else {
984 msg = SMK_M1;
985 msgtxt = "SMK M1";
986 }
987 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
988 msg = SMK_M3;
989 msgtxt = "SMK M3";
990 } else if (key_info & WPA_KEY_INFO_REQUEST) {
991 msg = REQUEST;
992 msgtxt = "Request";
993 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
994 msg = GROUP_2;
995 msgtxt = "2/2 Group";
3b5b7aa8
JM		 996 } else if (key_data_length == 0 ||
997 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
998 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 999 msg = PAIRWISE_4;
1000 msgtxt = "4/4 Pairwise";
1001 } else {
1002 msg = PAIRWISE_2;
1003 msgtxt = "2/4 Pairwise";
1004 }
1005
1006 /* TODO: key_info type validation for PeerKey */
1007 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1008 msg == GROUP_2) {
1009 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1010 if (sm->pairwise == WPA_CIPHER_CCMP ||
1011 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b 1012 if (wpa_use_aes_cmac(sm) &&
a14896e8 1013 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
929a2ea5 1014 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
b9866483 1015 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1016 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1017 wpa_auth_logger(wpa_auth, sm->addr,
1018 LOGGER_WARNING,
1019 "advertised support for "
1020 "AES-128-CMAC, but did not "
1021 "use it");
1022 return;
1023 }
1024
1025 if (!wpa_use_aes_cmac(sm) &&
9824de57 1026 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
2449791b 1027 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
07a5fe82 1028 sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
567da5bb 1029 sm->wpa_key_mgmt != WPA_KEY_MGMT_DPP &&
6fc6879b
JM		 1030 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1031 wpa_auth_logger(wpa_auth, sm->addr,
1032 LOGGER_WARNING,
1033 "did not use HMAC-SHA1-AES "
eb7719ff 1034 "with CCMP/GCMP");
6fc6879b
JM		 1035 return;
1036 }
1037 }
929a2ea5 1038
2449791b 1039 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
07a5fe82 1040 wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
567da5bb 1041 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
07a5fe82 1042 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
929a2ea5
JM		 1043 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1044 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1045 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1046 return;
1047 }
6fc6879b
JM		 1048 }
1049
1050 if (key_info & WPA_KEY_INFO_REQUEST) {
1051 if (sm->req_replay_counter_used &&
1052 os_memcmp(key->replay_counter, sm->req_replay_counter,
1053 WPA_REPLAY_COUNTER_LEN) <= 0) {
1054 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1055 "received EAPOL-Key request with "
1056 "replayed counter");
1057 return;
1058 }
1059 }
1060
1061 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1062 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1063 int i;
68921e24
JM		 1064
1065 if (msg == PAIRWISE_2 &&
1066 wpa_replay_counter_valid(sm->prev_key_replay,
1067 key->replay_counter) &&
1068 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1069 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1070 {
1071 /*
1072 * Some supplicant implementations (e.g., Windows XP
1073 * WZC) update SNonce for each EAPOL-Key 2/4. This
1074 * breaks the workaround on accepting any of the
1075 * pending requests, so allow the SNonce to be updated
1076 * even if we have already sent out EAPOL-Key 3/4.
1077 */
1078 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1079 "Process SNonce update from STA "
1080 "based on retransmitted EAPOL-Key "
1081 "1/4");
1082 sm->update_snonce = 1;
f23c5b17
JM		 1083 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1084 sm->alt_snonce_valid = TRUE;
1085 os_memcpy(sm->alt_replay_counter,
1086 sm->key_replay[0].counter,
1087 WPA_REPLAY_COUNTER_LEN);
1088 goto continue_processing;
1089 }
1090
1091 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1092 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1093 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1094 WPA_REPLAY_COUNTER_LEN) == 0) {
1095 /*
1096 * Supplicant may still be using the old SNonce since
1097 * there was two EAPOL-Key 2/4 messages and they had
1098 * different SNonce values.
1099 */
1100 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1101 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1102 goto continue_processing;
1103 }
1104
1105 if (msg == PAIRWISE_2 &&
1106 wpa_replay_counter_valid(sm->prev_key_replay,
1107 key->replay_counter) &&
1108 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1109 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1110 "ignore retransmitted EAPOL-Key %s - "
1111 "SNonce did not change", msgtxt);
1112 } else {
1113 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1114 "received EAPOL-Key %s with "
1115 "unexpected replay counter", msgtxt);
1116 }
22a299ee
JM		 1117 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1118 if (!sm->key_replay[i].valid)
1119 break;
1120 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1121 sm->key_replay[i].counter,
1122 WPA_REPLAY_COUNTER_LEN);
1123 }
6fc6879b
JM		 1124 wpa_hexdump(MSG_DEBUG, "received replay counter",
1125 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1126 return;
1127 }
1128
68921e24 1129continue_processing:
3b5b7aa8
JM		 1130#ifdef CONFIG_FILS
1131 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1132 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1133 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1134 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1135 return;
1136 }
1137#endif /* CONFIG_FILS */
1138
6fc6879b
JM		 1139 switch (msg) {
1140 case PAIRWISE_2:
1141 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1142 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1143 (!sm->update_snonce ||
1144 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1145 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1146 "received EAPOL-Key msg 2/4 in "
1147 "invalid state (%d) - dropped",
1148 sm->wpa_ptk_state);
1149 return;
1150 }
bbb921da 1151 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1152 if (sm->group->reject_4way_hs_for_entropy) {
1153 /*
1154 * The system did not have enough entropy to generate
1155 * strong random numbers. Reject the first 4-way
1156 * handshake(s) and collect some entropy based on the
1157 * information from it. Once enough entropy is
1158 * available, the next atempt will trigger GMK/Key
1159 * Counter update and the station will be allowed to
1160 * continue.
1161 */
1162 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1163 "collect more entropy for random number "
1164 "generation");
08704cd8 1165 random_mark_pool_ready();
567da5bb
JM		 1166 wpa_sta_disconnect(wpa_auth, sm->addr,
1167 WLAN_REASON_PREV_AUTH_NOT_VALID);
08704cd8
JM		 1168 return;
1169 }
6fc6879b
JM		 1170 break;
1171 case PAIRWISE_4:
1172 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1173 !sm->PTK_valid) {
1174 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1175 "received EAPOL-Key msg 4/4 in "
1176 "invalid state (%d) - dropped",
1177 sm->wpa_ptk_state);
1178 return;
1179 }
1180 break;
1181 case GROUP_2:
1182 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1183 || !sm->PTK_valid) {
1184 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1185 "received EAPOL-Key msg 2/2 in "
1186 "invalid state (%d) - dropped",
1187 sm->wpa_ptk_group_state);
1188 return;
1189 }
1190 break;
1191#ifdef CONFIG_PEERKEY
1192 case SMK_M1:
1193 case SMK_M3:
1194 case SMK_ERROR:
1195 if (!wpa_auth->conf.peerkey) {
1196 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1197 "PeerKey use disabled - ignoring message");
1198 return;
1199 }
1200 if (!sm->PTK_valid) {
1201 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1202 "received EAPOL-Key msg SMK in "
1203 "invalid state - dropped");
1204 return;
1205 }
1206 break;
1207#else /* CONFIG_PEERKEY */
1208 case SMK_M1:
1209 case SMK_M3:
1210 case SMK_ERROR:
1211 return; /* STSL disabled - ignore SMK messages */
1212#endif /* CONFIG_PEERKEY */
1213 case REQUEST:
1214 break;
1215 }
1216
1217 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1218 "received EAPOL-Key frame (%s)", msgtxt);
1219
1220 if (key_info & WPA_KEY_INFO_ACK) {
1221 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1222 "received invalid EAPOL-Key: Key Ack set");
1223 return;
1224 }
1225
b9866483
JM		 1226 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1227 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1228 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1229 "received invalid EAPOL-Key: Key MIC not set");
1230 return;
1231 }
1232
b9866483
JM		 1233#ifdef CONFIG_FILS
1234 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1235 (key_info & WPA_KEY_INFO_MIC)) {
1236 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1237 "received invalid EAPOL-Key: Key MIC set");
1238 return;
1239 }
1240#endif /* CONFIG_FILS */
1241
6fc6879b 1242 sm->MICVerified = FALSE;
68921e24 1243 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8 1244 if (mic_len &&
567da5bb
JM		 1245 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1246 data, data_len) &&
f23c5b17
JM		 1247 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1248 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1249 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1250 "received EAPOL-Key with invalid MIC");
1251 return;
1252 }
75c8563e
JM		 1253#ifdef CONFIG_FILS
1254 if (!mic_len &&
1255 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1256 &key_data_length) < 0) {
1257 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1258 "received EAPOL-Key with invalid MIC");
1259 return;
1260 }
1261#endif /* CONFIG_FILS */
6fc6879b
JM		 1262 sm->MICVerified = TRUE;
1263 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1264 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1265 }
1266
1267 if (key_info & WPA_KEY_INFO_REQUEST) {
1268 if (sm->MICVerified) {
1269 sm->req_replay_counter_used = 1;
1270 os_memcpy(sm->req_replay_counter, key->replay_counter,
1271 WPA_REPLAY_COUNTER_LEN);
1272 } else {
1273 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1274 "received EAPOL-Key request with "
1275 "invalid MIC");
1276 return;
1277 }
1278
1279 /*
1280 * TODO: should decrypt key data field if encryption was used;
1281 * even though MAC address KDE is not normally encrypted,
1282 * supplicant is allowed to encrypt it.
1283 */
1284 if (msg == SMK_ERROR) {
1285#ifdef CONFIG_PEERKEY
5e3b5197 1286 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
6fc6879b
JM		 1287#endif /* CONFIG_PEERKEY */
1288 return;
1289 } else if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1290 if (wpa_receive_error_report(
1291 wpa_auth, sm,
1292 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1293 return; /* STA entry was removed */
6fc6879b
JM		 1294 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1295 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1296 "received EAPOL-Key Request for new "
1297 "4-Way Handshake");
1298 wpa_request_new_ptk(sm);
1299#ifdef CONFIG_PEERKEY
1300 } else if (msg == SMK_M1) {
5e3b5197 1301 wpa_smk_m1(wpa_auth, sm, key, key_data,
5c6787a6 1302 key_data_length);
6fc6879b
JM		 1303#endif /* CONFIG_PEERKEY */
1304 } else if (key_data_length > 0 &&
5e3b5197
JM		 1305 wpa_parse_kde_ies(key_data, key_data_length,
1306 &kde) == 0 &&
6fc6879b
JM		 1307 kde.mac_addr) {
1308 } else {
1309 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1310 "received EAPOL-Key Request for GTK "
1311 "rekeying");
6fc6879b
JM		 1312 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1313 wpa_rekey_gtk(wpa_auth, NULL);
1314 }
1315 } else {
68921e24
JM		 1316 /* Do not allow the same key replay counter to be reused. */
1317 wpa_replay_counter_mark_invalid(sm->key_replay,
1318 key->replay_counter);
1319
1320 if (msg == PAIRWISE_2) {
1321 /*
1322 * Maintain a copy of the pending EAPOL-Key frames in
1323 * case the EAPOL-Key frame was retransmitted. This is
1324 * needed to allow EAPOL-Key msg 2/4 reply to another
1325 * pending msg 1/4 to update the SNonce to work around
1326 * unexpected supplicant behavior.
1327 */
1328 os_memcpy(sm->prev_key_replay, sm->key_replay,
1329 sizeof(sm->key_replay));
1330 } else {
1331 os_memset(sm->prev_key_replay, 0,
1332 sizeof(sm->prev_key_replay));
1333 }
1334
1335 /*
1336 * Make sure old valid counters are not accepted anymore and
1337 * do not get copied again.
1338 */
1339 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1340 }
1341
1342#ifdef CONFIG_PEERKEY
1343 if (msg == SMK_M3) {
5e3b5197 1344 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
6fc6879b
JM		 1345 return;
1346 }
1347#endif /* CONFIG_PEERKEY */
1348
1349 os_free(sm->last_rx_eapol_key);
a1f11e34 1350 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1351 if (sm->last_rx_eapol_key == NULL)
1352 return;
6fc6879b
JM		 1353 sm->last_rx_eapol_key_len = data_len;
1354
0d442aff 1355 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1356 sm->EAPOLKeyReceived = TRUE;
1357 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1358 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1359 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1360 wpa_sm_step(sm);
1361}
1362
1363
3c7302c2
JM		 1364static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1365 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1366{
5cb9d5c3
JM		 1367 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1368 u8 *pos;
3c7302c2 1369 int ret = 0;
6fc6879b 1370
5cb9d5c3
JM		 1371 /* GTK = PRF-X(GMK, "Group key expansion",
1372 * AA || GNonce || Time || random data)
1373 * The example described in the IEEE 802.11 standard uses only AA and
1374 * GNonce as inputs here. Add some more entropy since this derivation
1375 * is done only at the Authenticator and as such, does not need to be
1376 * exactly same.
1377 */
6fc6879b
JM		 1378 os_memcpy(data, addr, ETH_ALEN);
1379 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1380 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1381 wpa_get_ntp_timestamp(pos);
1382 pos += 8;
3642c431 1383 if (random_get_bytes(pos, 16) < 0)
3c7302c2 1384 ret = -1;
6fc6879b 1385
56586197 1386#ifdef CONFIG_IEEE80211W
5cb9d5c3 1387 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
56586197 1388#else /* CONFIG_IEEE80211W */
3c7302c2
JM		 1389 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1390 < 0)
1391 ret = -1;
56586197 1392#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 1393
1394 return ret;
6fc6879b
JM		 1395}
1396
1397
1398static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1399{
1400 struct wpa_authenticator *wpa_auth = eloop_ctx;
1401 struct wpa_state_machine *sm = timeout_ctx;
1402
e4bf4db9 1403 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1404 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1405 sm->TimeoutEvt = TRUE;
1406 wpa_sm_step(sm);
1407}
1408
1409
1410void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1411 struct wpa_state_machine *sm, int key_info,
1412 const u8 *key_rsc, const u8 *nonce,
1413 const u8 *kde, size_t kde_len,
1414 int keyidx, int encr, int force_version)
1415{
1416 struct ieee802_1x_hdr *hdr;
1417 struct wpa_eapol_key *key;
5e3b5197 1418 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1419 int alg;
1420 int key_data_len, pad_len = 0;
1421 u8 *buf, *pos;
1422 int version, pairwise;
22a299ee 1423 int i;
6d014ffc 1424 u8 *key_mic, *key_data;
6fc6879b 1425
567da5bb 1426 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 1427 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1428
1429 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1430
1431 if (force_version)
1432 version = force_version;
929a2ea5 1433 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
07a5fe82 1434 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1435 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
36a50fd4
JM		 1436 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1437 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
a14896e8 1438 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
6fc6879b
JM		 1439 else if (wpa_use_aes_cmac(sm))
1440 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1441 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1442 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1443 else
1444 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1445
8543ed8a 1446 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1447
1448 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1449 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1450 "encr=%d)",
1451 version,
1452 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1453 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1454 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1455 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1456 pairwise, (unsigned long) kde_len, keyidx, encr);
1457
1458 key_data_len = kde_len;
1459
1460 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1461 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1462 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a14896e8 1463 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1464 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1465 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1466 pad_len = key_data_len % 8;
1467 if (pad_len)
1468 pad_len = 8 - pad_len;
1469 key_data_len += pad_len + 8;
1470 }
1471
1472 len += key_data_len;
b729fd8d
JM		 1473 if (!mic_len && encr)
1474 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1475
1476 hdr = os_zalloc(len);
1477 if (hdr == NULL)
1478 return;
1479 hdr->version = wpa_auth->conf.eapol_version;
1480 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1481 hdr->length = host_to_be16(len - sizeof(*hdr));
1482 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1483 key_mic = (u8 *) (key + 1);
5e3b5197 1484 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1485
1486 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1487 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1488 key_info |= version;
1489 if (encr && sm->wpa == WPA_VERSION_WPA2)
1490 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1491 if (sm->wpa != WPA_VERSION_WPA2)
1492 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1493 WPA_PUT_BE16(key->key_info, key_info);
1494
1495 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
caab23f1
JM		 1496 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) ||
1497 (sm->wpa == WPA_VERSION_WPA2 && !pairwise))
6fc6879b 1498 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1499 else
1500 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b
JM		 1501
1502 /* FIX: STSL: what to use as key_replay_counter? */
22a299ee
JM		 1503 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1504 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1505 os_memcpy(sm->key_replay[i].counter,
1506 sm->key_replay[i - 1].counter,
1507 WPA_REPLAY_COUNTER_LEN);
1508 }
1509 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1510 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1511 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1512 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1513 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1514 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1515
1516 if (nonce)
1517 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1518
1519 if (key_rsc)
1520 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1521
1522 if (kde && !encr) {
5e3b5197 1523 os_memcpy(key_data, kde, kde_len);
6d014ffc 1524 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d
JM		 1525#ifdef CONFIG_FILS
1526 } else if (!mic_len) {
1527 const u8 *aad[1];
1528 size_t aad_len[1];
1529
1530 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1531 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1532 kde, kde_len);
1533
1534 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1535 sm->PTK.kek, sm->PTK.kek_len);
1536 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1537 * to Key Data (exclusive). */
1538 aad[0] = (u8 *) hdr;
1539 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1540 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1541 1, aad, aad_len, key_mic + 2) < 0) {
1542 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1543 return;
1544 }
1545
1546 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1547 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1548#endif /* CONFIG_FILS */
6fc6879b
JM		 1549 } else if (encr && kde) {
1550 buf = os_zalloc(key_data_len);
1551 if (buf == NULL) {
1552 os_free(hdr);
1553 return;
1554 }
1555 pos = buf;
1556 os_memcpy(pos, kde, kde_len);
1557 pos += kde_len;
1558
1559 if (pad_len)
1560 *pos++ = 0xdd;
1561
1562 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1563 buf, key_data_len);
1564 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1565 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1566 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a14896e8 1567 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1568 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b 1569 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1570 wpa_printf(MSG_DEBUG,
1571 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1572 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1573 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1574 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1575 os_free(hdr);
1576 os_free(buf);
1577 return;
1578 }
6d014ffc 1579 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1580#ifndef CONFIG_NO_RC4
98cd3d1c 1581 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1582 u8 ek[32];
ef9627cb
JM		 1583
1584 wpa_printf(MSG_DEBUG,
1585 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1586 os_memcpy(key->key_iv,
1587 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1588 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1589 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1590 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1591 os_memcpy(key_data, buf, key_data_len);
1592 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1593 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1594#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1595 } else {
1596 os_free(hdr);
1597 os_free(buf);
1598 return;
6fc6879b
JM		 1599 }
1600 os_free(buf);
1601 }
1602
1603 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1604 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1605 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1606 "PTK not valid when sending EAPOL-Key "
1607 "frame");
1608 os_free(hdr);
1609 return;
1610 }
5e3b5197 1611
98cd3d1c
JM		 1612 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1613 sm->wpa_key_mgmt, version,
5e3b5197 1614 (u8 *) hdr, len, key_mic);
7af092a0
JB		 1615#ifdef CONFIG_TESTING_OPTIONS
1616 if (!pairwise &&
06df2aa6 1617 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1618 drand48() <
1619 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1620 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1621 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1622 key_mic[0]++;
7af092a0
JB		 1623 }
1624#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1625 }
1626
1627 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1628 1);
1629 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1630 sm->pairwise_set);
1631 os_free(hdr);
1632}
1633
1634
1635static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1636 struct wpa_state_machine *sm, int key_info,
1637 const u8 *key_rsc, const u8 *nonce,
1638 const u8 *kde, size_t kde_len,
1639 int keyidx, int encr)
1640{
1641 int timeout_ms;
1642 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1643 u32 ctr;
6fc6879b
JM		 1644
1645 if (sm == NULL)
1646 return;
1647
1648 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1649 keyidx, encr, 0);
1650
bae61562 1651 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1652 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1653 timeout_ms = pairwise ? eapol_key_timeout_first :
1654 eapol_key_timeout_first_group;
bae61562
JM		 1655 else
1656 timeout_ms = eapol_key_timeout_subseq;
e4bf4db9
JM		 1657 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1658 sm->pending_1_of_4_timeout = 1;
1659 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1660 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1661 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1662 wpa_send_eapol_timeout, wpa_auth, sm);
1663}
1664
1665
567da5bb
JM		 1666static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1667 u8 *data, size_t data_len)
6fc6879b
JM		 1668{
1669 struct ieee802_1x_hdr *hdr;
1670 struct wpa_eapol_key *key;
1671 u16 key_info;
1672 int ret = 0;
6d014ffc 1673 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
567da5bb 1674 size_t mic_len = wpa_mic_len(akmp, pmk_len);
6fc6879b
JM		 1675
1676 if (data_len < sizeof(*hdr) + sizeof(*key))
1677 return -1;
1678
1679 hdr = (struct ieee802_1x_hdr *) data;
1680 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1681 mic_pos = (u8 *) (key + 1);
6fc6879b 1682 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1683 os_memcpy(mic, mic_pos, mic_len);
1684 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1685 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1686 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1687 data, data_len, mic_pos) ||
1688 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1689 ret = -1;
6d014ffc 1690 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1691 return ret;
1692}
1693
1694
1695void wpa_remove_ptk(struct wpa_state_machine *sm)
1696{
1697 sm->PTK_valid = FALSE;
1698 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1699 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1700 0))
1701 wpa_printf(MSG_DEBUG,
1702 "RSN: PTK removal from the driver failed");
6fc6879b 1703 sm->pairwise_set = FALSE;
581a8cde 1704 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1705}
1706
1707
bb119228 1708int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1709{
5d22a1d5
JM		 1710 int remove_ptk = 1;
1711
6fc6879b 1712 if (sm == NULL)
6f9b5d16 1713 return -1;
6fc6879b
JM		 1714
1715 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1716 "event %d notification", event);
1717
1718 switch (event) {
1719 case WPA_AUTH:
c50d94f1
BC		 1720#ifdef CONFIG_MESH
1721 /* PTKs are derived through AMPE */
1722 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1723 /* not mesh */
1724 break;
1725 }
1726 return 0;
1727#endif /* CONFIG_MESH */
6fc6879b
JM		 1728 case WPA_ASSOC:
1729 break;
1730 case WPA_DEAUTH:
1731 case WPA_DISASSOC:
1732 sm->DeauthenticationRequest = TRUE;
1733 break;
1734 case WPA_REAUTH:
1735 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1736 if (!sm->started) {
1737 /*
1738 * When using WPS, we may end up here if the STA
1739 * manages to re-associate without the previous STA
1740 * entry getting removed. Consequently, we need to make
1741 * sure that the WPA state machines gets initialized
1742 * properly at this point.
1743 */
1744 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1745 "started - initialize now");
1746 sm->started = 1;
1747 sm->Init = TRUE;
1748 if (wpa_sm_step(sm) == 1)
1749 return 1; /* should not really happen */
1750 sm->Init = FALSE;
1751 sm->AuthenticationRequest = TRUE;
1752 break;
1753 }
9663596f
JM		 1754 if (sm->GUpdateStationKeys) {
1755 /*
1756 * Reauthentication cancels the pending group key
1757 * update for this STA.
1758 */
1759 sm->group->GKeyDoneStations--;
1760 sm->GUpdateStationKeys = FALSE;
1761 sm->PtkGroupInit = TRUE;
1762 }
6fc6879b
JM		 1763 sm->ReAuthenticationRequest = TRUE;
1764 break;
1765 case WPA_ASSOC_FT:
4ec1fd8e 1766#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1767 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1768 "after association");
1769 wpa_ft_install_ptk(sm);
1770
6fc6879b
JM		 1771 /* Using FT protocol, not WPA auth state machine */
1772 sm->ft_completed = 1;
6f9b5d16 1773 return 0;
4ec1fd8e 1774#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1775 break;
4ec1fd8e 1776#endif /* CONFIG_IEEE80211R_AP */
957bff83
JM		 1777 case WPA_ASSOC_FILS:
1778#ifdef CONFIG_FILS
1779 wpa_printf(MSG_DEBUG,
1780 "FILS: TK configuration after association");
1781 fils_set_tk(sm);
1782 sm->fils_completed = 1;
1783 return 0;
1784#else /* CONFIG_FILS */
1785 break;
1786#endif /* CONFIG_FILS */
6fc6879b
JM		 1787 }
1788
4ec1fd8e 1789#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1790 sm->ft_completed = 0;
4ec1fd8e 1791#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1792
5d22a1d5
JM		 1793#ifdef CONFIG_IEEE80211W
1794 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1795 remove_ptk = 0;
1796#endif /* CONFIG_IEEE80211W */
78815f3d 1797#ifdef CONFIG_FILS
da24c5aa
JM		 1798 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1799 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1800 remove_ptk = 0;
1801#endif /* CONFIG_FILS */
6fc6879b 1802
5d22a1d5
JM		 1803 if (remove_ptk) {
1804 sm->PTK_valid = FALSE;
1805 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1806
1807 if (event != WPA_REAUTH_EAPOL)
1808 wpa_remove_ptk(sm);
1809 }
6fc6879b 1810
43f49c37
JM		 1811 if (sm->in_step_loop) {
1812 /*
1813 * wpa_sm_step() is already running - avoid recursive call to
1814 * it by making the existing loop process the new update.
1815 */
1816 sm->changed = TRUE;
1817 return 0;
1818 }
6f9b5d16 1819 return wpa_sm_step(sm);
6fc6879b
JM		 1820}
1821
1822
6fc6879b
JM		 1823SM_STATE(WPA_PTK, INITIALIZE)
1824{
1825 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1826 if (sm->Init) {
1827 /* Init flag is not cleared here, so avoid busy
1828 * loop by claiming nothing changed. */
1829 sm->changed = FALSE;
1830 }
1831
1832 sm->keycount = 0;
1833 if (sm->GUpdateStationKeys)
1834 sm->group->GKeyDoneStations--;
1835 sm->GUpdateStationKeys = FALSE;
1836 if (sm->wpa == WPA_VERSION_WPA)
1837 sm->PInitAKeys = FALSE;
1838 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1839 * Local AA > Remote AA)) */) {
1840 sm->Pair = TRUE;
1841 }
1842 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1843 wpa_remove_ptk(sm);
1844 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1845 sm->TimeoutCtr = 0;
a1ea1b45 1846 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 1847 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 1848 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1849 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1850 WPA_EAPOL_authorized, 0);
1851 }
1852}
1853
1854
1855SM_STATE(WPA_PTK, DISCONNECT)
1856{
567da5bb
JM		 1857 u16 reason = sm->disconnect_reason;
1858
6fc6879b
JM		 1859 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1860 sm->Disconnect = FALSE;
567da5bb
JM		 1861 sm->disconnect_reason = 0;
1862 if (!reason)
1863 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1864 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
6fc6879b
JM		 1865}
1866
1867
1868SM_STATE(WPA_PTK, DISCONNECTED)
1869{
1870 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1871 sm->DeauthenticationRequest = FALSE;
1872}
1873
1874
1875SM_STATE(WPA_PTK, AUTHENTICATION)
1876{
1877 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1878 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1879 sm->PTK_valid = FALSE;
1880 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1881 1);
1882 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1883 sm->AuthenticationRequest = FALSE;
1884}
1885
1886
40d00d2b
NC		 1887static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1888 struct wpa_group *group)
1bdb7ab3 1889{
40d00d2b
NC		 1890 if (group->first_sta_seen)
1891 return;
1bdb7ab3
JM		 1892 /*
1893 * System has run bit further than at the time hostapd was started
1894 * potentially very early during boot up. This provides better chances
1895 * of collecting more randomness on embedded systems. Re-initialize the
1896 * GMK and Counter here to improve their strength if there was not
1897 * enough entropy available immediately after system startup.
1898 */
1899 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1900 "station");
08704cd8
JM		 1901 if (random_pool_ready() != 1) {
1902 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1903 "to proceed - reject first 4-way handshake");
1904 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1905 } else {
1906 group->first_sta_seen = TRUE;
1907 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1908 }
40d00d2b 1909
aac1efec
JM		 1910 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1911 wpa_gtk_update(wpa_auth, group) < 0 ||
1912 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1913 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1914 group->first_sta_seen = FALSE;
1915 group->reject_4way_hs_for_entropy = TRUE;
1916 }
1bdb7ab3
JM		 1917}
1918
1919
6fc6879b
JM		 1920SM_STATE(WPA_PTK, AUTHENTICATION2)
1921{
1922 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1923
40d00d2b 1924 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1925 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1926
3825a19b
JM		 1927 /*
1928 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1929 * ambiguous. The Authenticator state machine uses a counter that is
1930 * incremented by one for each 4-way handshake. However, the security
1931 * analysis of 4-way handshake points out that unpredictable nonces
1932 * help in preventing precomputation attacks. Instead of the state
1933 * machine definition, use an unpredictable nonce value here to provide
1934 * stronger protection against potential precomputation attacks.
1935 */
1936 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1937 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1938 "ANonce.");
65a32cdb 1939 sm->Disconnect = TRUE;
3825a19b
JM		 1940 return;
1941 }
bc8318ac
JM		 1942 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1943 WPA_NONCE_LEN);
6fc6879b
JM		 1944 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1945 * logical place than INITIALIZE since AUTHENTICATION2 can be
1946 * re-entered on ReAuthenticationRequest without going through
1947 * INITIALIZE. */
1948 sm->TimeoutCtr = 0;
1949}
1950
1951
1952SM_STATE(WPA_PTK, INITPMK)
1953{
1954 u8 msk[2 * PMK_LEN];
1955 size_t len = 2 * PMK_LEN;
1956
1957 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1958#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1959 sm->xxkey_len = 0;
4ec1fd8e 1960#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1961 if (sm->pmksa) {
1962 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1963 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1964 sm->pmk_len = sm->pmksa->pmk_len;
567da5bb
JM		 1965#ifdef CONFIG_DPP
1966 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1967 wpa_printf(MSG_DEBUG,
1968 "DPP: No PMKSA cache entry for STA - reject connection");
1969 sm->Disconnect = TRUE;
1970 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
1971 return;
1972#endif /* CONFIG_DPP */
6fc6879b 1973 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1974 unsigned int pmk_len;
1975
834c5d68 1976 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 1977 pmk_len = PMK_LEN_SUITE_B_192;
1978 else
1979 pmk_len = PMK_LEN;
6fc6879b 1980 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1981 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1982 pmk_len);
1983 if (len < pmk_len) {
1984 wpa_printf(MSG_DEBUG,
1985 "WPA: MSK not long enough (%u) to create PMK (%u)",
1986 (unsigned int) len, (unsigned int) pmk_len);
1987 sm->Disconnect = TRUE;
1988 return;
1989 }
1990 os_memcpy(sm->PMK, msk, pmk_len);
1991 sm->pmk_len = pmk_len;
4ec1fd8e 1992#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1993 if (len >= 2 * PMK_LEN) {
1994 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1995 sm->xxkey_len = PMK_LEN;
1996 }
4ec1fd8e 1997#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1998 } else {
400de9b1 1999 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 2000 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 2001 sm->Disconnect = TRUE;
2002 return;
6fc6879b 2003 }
40aaa64f 2004 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 2005
2006 sm->req_replay_counter_used = 0;
2007 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2008 * will break reauthentication since EAPOL state machines may not be
2009 * get into AUTHENTICATING state that clears keyRun before WPA state
2010 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2011 * state and takes PMK from the previously used AAA Key. This will
2012 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2013 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2014 * be good workaround for this issue. */
2015 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2016}
2017
2018
2019SM_STATE(WPA_PTK, INITPSK)
2020{
2021 const u8 *psk;
7a12edd1
JM		 2022 size_t psk_len;
2023
6fc6879b 2024 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
7a12edd1
JM		 2025 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2026 &psk_len);
6fc6879b 2027 if (psk) {
7a12edd1
JM		 2028 os_memcpy(sm->PMK, psk, psk_len);
2029 sm->pmk_len = psk_len;
4ec1fd8e 2030#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 2031 os_memcpy(sm->xxkey, psk, PMK_LEN);
2032 sm->xxkey_len = PMK_LEN;
4ec1fd8e 2033#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2034 }
e61fea6b
JM		 2035#ifdef CONFIG_SAE
2036 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2037 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2038 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2039 sm->pmk_len = sm->pmksa->pmk_len;
2040 }
2041#endif /* CONFIG_SAE */
6fc6879b
JM		 2042 sm->req_replay_counter_used = 0;
2043}
2044
2045
2046SM_STATE(WPA_PTK, PTKSTART)
2047{
2048 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2049 size_t pmkid_len = 0;
2050
2051 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2052 sm->PTKRequest = FALSE;
2053 sm->TimeoutEvt = FALSE;
f23c5b17 2054 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2055
2056 sm->TimeoutCtr++;
41f140d3 2057 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2058 /* No point in sending the EAPOL-Key - we will disconnect
2059 * immediately following this. */
2060 return;
2061 }
2062
6fc6879b
JM		 2063 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2064 "sending 1/4 msg of 4-Way Handshake");
2065 /*
2066 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2067 * one possible PSK for this STA.
2068 */
2069 if (sm->wpa == WPA_VERSION_WPA2 &&
e61fea6b
JM		 2070 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2071 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
a14896e8 2072 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2073 pmkid = buf;
2074 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2075 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2076 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2077 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2078 if (sm->pmksa) {
6fc6879b
JM		 2079 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2080 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2081 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2082 /* No KCK available to derive PMKID */
2083 pmkid = NULL;
2084 } else {
6fc6879b
JM		 2085 /*
2086 * Calculate PMKID since no PMKSA cache entry was
2087 * available with pre-calculated PMKID.
2088 */
207976f0 2089 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197 2090 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
41b81914 2091 sm->wpa_key_mgmt);
6fc6879b
JM		 2092 }
2093 }
2094 wpa_send_eapol(sm->wpa_auth, sm,
2095 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2096 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2097}
2098
2099
f23c5b17 2100static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2101 const u8 *pmk, unsigned int pmk_len,
2102 struct wpa_ptk *ptk)
6fc6879b 2103{
4ec1fd8e 2104#ifdef CONFIG_IEEE80211R_AP
56586197 2105 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2106 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2107#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2108
207976f0 2109 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c
JM		 2110 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2111 ptk, sm->wpa_key_mgmt, sm->pairwise);
6fc6879b
JM		 2112}
2113
2114
3b5b7aa8 2115#ifdef CONFIG_FILS
c4fd6d8a
JM		 2116
2117int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
80ddf5d9 2118 size_t pmk_len, const u8 *snonce, const u8 *anonce,
4cada9dc 2119 const u8 *dhss, size_t dhss_len,
80ddf5d9 2120 struct wpabuf *g_sta, struct wpabuf *g_ap)
c4fd6d8a
JM		 2121{
2122 u8 ick[FILS_ICK_MAX_LEN];
2123 size_t ick_len;
2124 int res;
8fed47e0
JM		 2125 u8 fils_ft[FILS_FT_MAX_LEN];
2126 size_t fils_ft_len = 0;
c4fd6d8a
JM		 2127
2128 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
4cada9dc
JM		 2129 snonce, anonce, dhss, dhss_len,
2130 &sm->PTK, ick, &ick_len,
8fed47e0
JM		 2131 sm->wpa_key_mgmt, sm->pairwise,
2132 fils_ft, &fils_ft_len);
c4fd6d8a
JM		 2133 if (res < 0)
2134 return res;
2135 sm->PTK_valid = TRUE;
2136
8fed47e0
JM		 2137#ifdef CONFIG_IEEE80211R_AP
2138 if (fils_ft_len) {
2139 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2140 struct wpa_auth_config *conf = &wpa_auth->conf;
2141 u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
2142
2143 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2144 conf->ssid, conf->ssid_len,
2145 conf->mobility_domain,
2146 conf->r0_key_holder,
2147 conf->r0_key_holder_len,
2148 sm->addr, pmk_r0, pmk_r0_name) < 0)
2149 return -1;
2150
2151 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", pmk_r0, PMK_LEN);
2152 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2153 pmk_r0_name, WPA_PMK_NAME_LEN);
2154 wpa_ft_store_pmk_r0(wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
2155 sm->pairwise);
2156 os_memset(fils_ft, 0, sizeof(fils_ft));
2157 }
2158#endif /* CONFIG_IEEE80211R_AP */
2159
c4fd6d8a
JM		 2160 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2161 sm->addr, sm->wpa_auth->addr,
80ddf5d9
JM		 2162 g_sta ? wpabuf_head(g_sta) : NULL,
2163 g_sta ? wpabuf_len(g_sta) : 0,
2164 g_ap ? wpabuf_head(g_ap) : NULL,
2165 g_ap ? wpabuf_len(g_ap) : 0,
c4fd6d8a
JM		 2166 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2167 sm->fils_key_auth_ap,
2168 &sm->fils_key_auth_len);
2169 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2170
2171 /* Store nonces for (Re)Association Request/Response frame processing */
2172 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2173 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2174
c4fd6d8a
JM		 2175 return res;
2176}
2177
2178
3b5b7aa8 2179static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2180 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2181{
2182 struct ieee802_1x_hdr *hdr;
2183 struct wpa_eapol_key *key;
2184 u8 *pos;
2185 u16 key_data_len;
2186 u8 *tmp;
2187 const u8 *aad[1];
2188 size_t aad_len[1];
2189
75c8563e 2190 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2191 key = (struct wpa_eapol_key *) (hdr + 1);
2192 pos = (u8 *) (key + 1);
2193 key_data_len = WPA_GET_BE16(pos);
2194 if (key_data_len < AES_BLOCK_SIZE ||
2195 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2196 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2197 "No room for AES-SIV data in the frame");
2198 return -1;
2199 }
2200 pos += 2; /* Pointing at the Encrypted Key Data field */
2201
2202 tmp = os_malloc(key_data_len);
2203 if (!tmp)
2204 return -1;
2205
2206 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2207 * to Key Data (exclusive). */
75c8563e
JM		 2208 aad[0] = buf;
2209 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2210 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2211 1, aad, aad_len, tmp) < 0) {
2212 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2213 "Invalid AES-SIV data in the frame");
2214 bin_clear_free(tmp, key_data_len);
2215 return -1;
2216 }
2217
2218 /* AEAD decryption and validation completed successfully */
2219 key_data_len -= AES_BLOCK_SIZE;
2220 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2221 tmp, key_data_len);
2222
2223 /* Replace Key Data field with the decrypted version */
2224 os_memcpy(pos, tmp, key_data_len);
2225 pos -= 2; /* Key Data Length field */
2226 WPA_PUT_BE16(pos, key_data_len);
2227 bin_clear_free(tmp, key_data_len);
2228 if (_key_data_len)
2229 *_key_data_len = key_data_len;
2230 return 0;
2231}
78815f3d
JM		 2232
2233
087631b9
JM		 2234const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2235 const u8 *ies, size_t ies_len,
2236 const u8 *fils_session)
2237{
2238 const u8 *ie, *end;
2239 const u8 *session = NULL;
2240
2241 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2242 wpa_printf(MSG_DEBUG,
2243 "FILS: Not a FILS AKM - reject association");
2244 return NULL;
2245 }
2246
2247 /* Verify Session element */
2248 ie = ies;
2249 end = ((const u8 *) ie) + ies_len;
2250 while (ie + 1 < end) {
2251 if (ie + 2 + ie[1] > end)
2252 break;
2253 if (ie[0] == WLAN_EID_EXTENSION &&
2254 ie[1] >= 1 + FILS_SESSION_LEN &&
2255 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2256 session = ie;
2257 break;
2258 }
2259 ie += 2 + ie[1];
2260 }
2261
2262 if (!session) {
2263 wpa_printf(MSG_DEBUG,
2264 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2265 __func__);
2266 return NULL;
2267 }
2268
2269 if (!fils_session) {
2270 wpa_printf(MSG_DEBUG,
2271 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2272 __func__);
2273 return NULL;
2274 }
2275
2276 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2277 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2278 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2279 fils_session, FILS_SESSION_LEN);
2280 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2281 session + 3, FILS_SESSION_LEN);
2282 return NULL;
2283 }
2284 return session;
2285}
2286
2287
bd599353
JM		 2288int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2289 size_t ies_len)
2290{
2291 struct ieee802_11_elems elems;
2292
2293 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2294 wpa_printf(MSG_DEBUG,
2295 "FILS: Failed to parse decrypted elements");
2296 return -1;
2297 }
2298
8b5ddda5
JM		 2299 if (!elems.fils_session) {
2300 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2301 return -1;
2302 }
2303
bd599353
JM		 2304 if (!elems.fils_key_confirm) {
2305 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2306 return -1;
2307 }
2308
2309 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2310 wpa_printf(MSG_DEBUG,
2311 "FILS: Unexpected Key-Auth length %d (expected %d)",
2312 elems.fils_key_confirm_len,
2313 (int) sm->fils_key_auth_len);
2314 return -1;
2315 }
2316
2317 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2318 sm->fils_key_auth_len) != 0) {
2319 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2320 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2321 elems.fils_key_confirm, elems.fils_key_confirm_len);
2322 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2323 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2324 return -1;
2325 }
2326
2327 return 0;
2328}
2329
2330
78815f3d
JM		 2331int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2332 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2333 u8 *pos, size_t left)
2334{
2335 u16 fc, stype;
2336 const u8 *end, *ie_start, *ie, *session, *crypt;
78815f3d
JM		 2337 const u8 *aad[5];
2338 size_t aad_len[5];
2339
2340 if (!sm || !sm->PTK_valid) {
2341 wpa_printf(MSG_DEBUG,
2342 "FILS: No KEK to decrypt Assocication Request frame");
2343 return -1;
2344 }
2345
2346 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2347 wpa_printf(MSG_DEBUG,
2348 "FILS: Not a FILS AKM - reject association");
2349 return -1;
2350 }
2351
2352 end = ((const u8 *) mgmt) + frame_len;
2353 fc = le_to_host16(mgmt->frame_control);
2354 stype = WLAN_FC_GET_STYPE(fc);
2355 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2356 ie_start = mgmt->u.reassoc_req.variable;
2357 else
2358 ie_start = mgmt->u.assoc_req.variable;
2359 ie = ie_start;
2360
2361 /*
2362 * Find FILS Session element which is the last unencrypted element in
2363 * the frame.
2364 */
087631b9
JM		 2365 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2366 fils_session);
78815f3d 2367 if (!session) {
087631b9 2368 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
78815f3d
JM		 2369 return -1;
2370 }
087631b9 2371
78815f3d
JM		 2372 crypt = session + 2 + session[1];
2373
2374 if (end - crypt < AES_BLOCK_SIZE) {
2375 wpa_printf(MSG_DEBUG,
2376 "FILS: Too short frame to include AES-SIV data");
2377 return -1;
2378 }
2379
2380 /* AES-SIV AAD vectors */
2381
2382 /* The STA's MAC address */
2383 aad[0] = mgmt->sa;
2384 aad_len[0] = ETH_ALEN;
2385 /* The AP's BSSID */
2386 aad[1] = mgmt->da;
2387 aad_len[1] = ETH_ALEN;
2388 /* The STA's nonce */
2389 aad[2] = sm->SNonce;
2390 aad_len[2] = FILS_NONCE_LEN;
2391 /* The AP's nonce */
2392 aad[3] = sm->ANonce;
2393 aad_len[3] = FILS_NONCE_LEN;
2394 /*
2395 * The (Re)Association Request frame from the Capability Information
2396 * field to the FILS Session element (both inclusive).
2397 */
2398 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2399 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2400
2401 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2402 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2403 wpa_printf(MSG_DEBUG,
2404 "FILS: Invalid AES-SIV data in the frame");
2405 return -1;
2406 }
2407 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2408 pos, left - AES_BLOCK_SIZE);
2409
bd599353
JM		 2410 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2411 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
78815f3d
JM		 2412 return -1;
2413 }
2414
2415 return left - AES_BLOCK_SIZE;
2416}
2417
e73ffa09
JM		 2418
2419int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2420 size_t current_len, size_t max_len,
2421 const struct wpabuf *hlp)
e73ffa09
JM		 2422{
2423 u8 *end = buf + max_len;
2424 u8 *pos = buf + current_len;
2425 struct ieee80211_mgmt *mgmt;
2426 struct wpabuf *plain;
e73ffa09
JM		 2427 const u8 *aad[5];
2428 size_t aad_len[5];
2429
2430 if (!sm || !sm->PTK_valid)
2431 return -1;
2432
2433 wpa_hexdump(MSG_DEBUG,
2434 "FILS: Association Response frame before FILS processing",
2435 buf, current_len);
2436
2437 mgmt = (struct ieee80211_mgmt *) buf;
2438
2439 /* AES-SIV AAD vectors */
2440
2441 /* The AP's BSSID */
2442 aad[0] = mgmt->sa;
2443 aad_len[0] = ETH_ALEN;
2444 /* The STA's MAC address */
2445 aad[1] = mgmt->da;
2446 aad_len[1] = ETH_ALEN;
2447 /* The AP's nonce */
2448 aad[2] = sm->ANonce;
2449 aad_len[2] = FILS_NONCE_LEN;
2450 /* The STA's nonce */
2451 aad[3] = sm->SNonce;
2452 aad_len[3] = FILS_NONCE_LEN;
2453 /*
2454 * The (Re)Association Response frame from the Capability Information
2455 * field (the same offset in both Association and Reassociation
2456 * Response frames) to the FILS Session element (both inclusive).
2457 */
2458 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2459 aad_len[4] = pos - aad[4];
2460
2461 /* The following elements will be encrypted with AES-SIV */
9392859d
JM		 2462 plain = fils_prepare_plainbuf(sm, hlp);
2463 if (!plain) {
2464 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2465 return -1;
2466 }
2467
2468 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2469 wpa_printf(MSG_DEBUG,
2470 "FILS: Not enough room for FILS elements");
2471 wpabuf_free(plain);
2472 return -1;
2473 }
2474
2475 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2476 plain);
2477
2478 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2479 wpabuf_head(plain), wpabuf_len(plain),
2480 5, aad, aad_len, pos) < 0) {
2481 wpabuf_free(plain);
2482 return -1;
2483 }
2484
2485 wpa_hexdump(MSG_DEBUG,
2486 "FILS: Encrypted Association Response elements",
2487 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2488 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2489 wpabuf_free(plain);
2490
2491 sm->fils_completed = 1;
2492
2493 return current_len;
2494}
2495
2496
2497static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2498 const struct wpabuf *hlp)
2499{
2500 struct wpabuf *plain;
2501 u8 *len, *tmp, *tmp2;
2502 u8 hdr[2];
2503 u8 *gtk, dummy_gtk[32];
2504 size_t gtk_len;
2505 struct wpa_group *gsm;
e73ffa09
JM		 2506
2507 plain = wpabuf_alloc(1000);
2508 if (!plain)
9392859d 2509 return NULL;
e73ffa09
JM		 2510
2511 /* TODO: FILS Public Key */
2512
2513 /* FILS Key Confirmation */
2514 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2515 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2516 /* Element ID Extension */
2517 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2518 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2519
91d91abf
JM		 2520 /* FILS HLP Container */
2521 if (hlp)
2522 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2523
2524 /* TODO: FILS IP Address Assignment */
2525
2526 /* Key Delivery */
2527 gsm = sm->group;
2528 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2529 len = wpabuf_put(plain, 1);
2530 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2531 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2532 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2533 /* GTK KDE */
2534 gtk = gsm->GTK[gsm->GN - 1];
2535 gtk_len = gsm->GTK_len;
2536 if (sm->wpa_auth->conf.disable_gtk) {
2537 /*
2538 * Provide unique random GTK to each STA to prevent use
2539 * of GTK in the BSS.
2540 */
2541 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2542 wpabuf_free(plain);
9392859d 2543 return NULL;
e73ffa09
JM		 2544 }
2545 gtk = dummy_gtk;
2546 }
2547 hdr[0] = gsm->GN & 0x03;
2548 hdr[1] = 0;
2549 tmp = wpabuf_put(plain, 0);
2550 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2551 gtk, gtk_len);
2552 wpabuf_put(plain, tmp2 - tmp);
2553
2554 /* IGTK KDE */
2555 tmp = wpabuf_put(plain, 0);
2556 tmp2 = ieee80211w_kde_add(sm, tmp);
2557 wpabuf_put(plain, tmp2 - tmp);
2558
2559 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
9392859d 2560 return plain;
e73ffa09
JM		 2561}
2562
da24c5aa
JM		 2563
2564int fils_set_tk(struct wpa_state_machine *sm)
2565{
2566 enum wpa_alg alg;
2567 int klen;
2568
2569 if (!sm || !sm->PTK_valid)
2570 return -1;
2571
2572 alg = wpa_cipher_to_alg(sm->pairwise);
2573 klen = wpa_cipher_key_len(sm->pairwise);
2574
2575 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2576 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2577 sm->PTK.tk, klen)) {
2578 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2579 return -1;
2580 }
2581
2582 return 0;
2583}
2584
fa61bff6
JM		 2585
2586u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
8b5ddda5 2587 const u8 *fils_session, struct wpabuf *hlp)
fa61bff6
JM		 2588{
2589 struct wpabuf *plain;
2590 u8 *pos = buf;
2591
2592 /* FILS Session */
2593 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2594 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2595 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2596 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2597 pos += FILS_SESSION_LEN;
2598
8b5ddda5 2599 plain = fils_prepare_plainbuf(sm, hlp);
fa61bff6
JM		 2600 if (!plain) {
2601 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2602 return NULL;
2603 }
2604
2605 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2606 pos += wpabuf_len(plain);
2607
2608 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2609 (unsigned int) wpabuf_len(plain));
2610 wpabuf_free(plain);
2611 sm->fils_completed = 1;
2612 return pos;
2613}
2614
3b5b7aa8
JM		 2615#endif /* CONFIG_FILS */
2616
2617
6fc6879b
JM		 2618SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2619{
3b5b7aa8 2620 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2621 struct wpa_ptk PTK;
2c502460 2622 int ok = 0, psk_found = 0;
6fc6879b 2623 const u8 *pmk = NULL;
7a12edd1 2624 size_t pmk_len;
3b5b7aa8
JM		 2625 int ft;
2626 const u8 *eapol_key_ie, *key_data, *mic;
2627 u16 key_data_length;
2628 size_t mic_len, eapol_key_ie_len;
2629 struct ieee802_1x_hdr *hdr;
2630 struct wpa_eapol_key *key;
2631 struct wpa_eapol_ie_parse kde;
6fc6879b
JM		 2632
2633 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2634 sm->EAPOLKeyReceived = FALSE;
68921e24 2635 sm->update_snonce = FALSE;
b729fd8d 2636 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2637
567da5bb 2638 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3b5b7aa8 2639
6fc6879b
JM		 2640 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2641 * WPA-PSK: iterate through possible PSKs and select the one matching
2642 * the packet */
2643 for (;;) {
e61fea6b
JM		 2644 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2645 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
759fd76b 2646 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
7a12edd1 2647 sm->p2p_dev_addr, pmk, &pmk_len);
6fc6879b
JM		 2648 if (pmk == NULL)
2649 break;
2c502460 2650 psk_found = 1;
207976f0 2651 } else {
6fc6879b 2652 pmk = sm->PMK;
207976f0
JM		 2653 pmk_len = sm->pmk_len;
2654 }
6fc6879b 2655
364c064a
JM		 2656 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2657 break;
6fc6879b 2658
3b5b7aa8 2659 if (mic_len &&
567da5bb 2660 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
929a2ea5 2661 sm->last_rx_eapol_key,
6fc6879b
JM		 2662 sm->last_rx_eapol_key_len) == 0) {
2663 ok = 1;
2664 break;
2665 }
2666
3b5b7aa8 2667#ifdef CONFIG_FILS
75c8563e
JM		 2668 if (!mic_len &&
2669 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2670 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2671 ok = 1;
2672 break;
2673 }
2674#endif /* CONFIG_FILS */
2675
56586197 2676 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 2677 break;
2678 }
2679
2680 if (!ok) {
2681 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2682 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2683 if (psk_found)
2684 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2685 return;
2686 }
2687
3b5b7aa8
JM		 2688 /*
2689 * Note: last_rx_eapol_key length fields have already been validated in
2690 * wpa_receive().
2691 */
2692 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2693 key = (struct wpa_eapol_key *) (hdr + 1);
2694 mic = (u8 *) (key + 1);
2695 key_data = mic + mic_len + 2;
2696 key_data_length = WPA_GET_BE16(mic + mic_len);
2697 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2698 sizeof(*key) - mic_len - 2)
2699 return;
2700
2701 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2702 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2703 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2704 return;
2705 }
2706 if (kde.rsn_ie) {
2707 eapol_key_ie = kde.rsn_ie;
2708 eapol_key_ie_len = kde.rsn_ie_len;
2709 } else if (kde.osen) {
2710 eapol_key_ie = kde.osen;
2711 eapol_key_ie_len = kde.osen_len;
2712 } else {
2713 eapol_key_ie = kde.wpa_ie;
2714 eapol_key_ie_len = kde.wpa_ie_len;
2715 }
2716 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2717 if (sm->wpa_ie == NULL ||
2718 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2719 eapol_key_ie, eapol_key_ie_len)) {
2720 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2721 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2722 if (sm->wpa_ie) {
2723 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2724 sm->wpa_ie, sm->wpa_ie_len);
2725 }
2726 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2727 eapol_key_ie, eapol_key_ie_len);
2728 /* MLME-DEAUTHENTICATE.request */
567da5bb
JM		 2729 wpa_sta_disconnect(wpa_auth, sm->addr,
2730 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2731 return;
2732 }
4ec1fd8e 2733#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8 2734 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
567da5bb
JM		 2735 wpa_sta_disconnect(wpa_auth, sm->addr,
2736 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2737 return;
2738 }
4ec1fd8e 2739#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2740#ifdef CONFIG_P2P
2741 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2742 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2743 int idx;
2744 wpa_printf(MSG_DEBUG,
2745 "P2P: IP address requested in EAPOL-Key exchange");
2746 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2747 if (idx >= 0) {
2748 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2749 bitfield_set(wpa_auth->ip_pool, idx);
2750 WPA_PUT_BE32(sm->ip_addr, start + idx);
2751 wpa_printf(MSG_DEBUG,
2752 "P2P: Assigned IP address %u.%u.%u.%u to "
2753 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2754 sm->ip_addr[2], sm->ip_addr[3],
2755 MAC2STR(sm->addr));
2756 }
2757 }
2758#endif /* CONFIG_P2P */
2759
4ec1fd8e 2760#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2761 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2762 /*
2763 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2764 * with the value we derived.
2765 */
870834a1
JM		 2766 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2767 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2768 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2769 "PMKR1Name mismatch in FT 4-way "
2770 "handshake");
2771 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2772 "Supplicant",
2773 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2774 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2775 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2776 return;
2777 }
2778 }
4ec1fd8e 2779#endif /* CONFIG_IEEE80211R_AP */
26e23750 2780
e4bf4db9 2781 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2782 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2783
56586197 2784 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2785 /* PSK may have changed from the previous choice, so update
2786 * state machine data based on whatever PSK was selected here.
2787 */
2788 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2789 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2790 }
2791
2792 sm->MICVerified = TRUE;
2793
2794 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2795 sm->PTK_valid = TRUE;
2796}
2797
2798
2799SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2800{
2801 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2802 sm->TimeoutCtr = 0;
2803}
2804
2805
2806#ifdef CONFIG_IEEE80211W
2807
2808static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2809{
2810 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2811 size_t len;
2812 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2813 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2814 }
2815
2816 return 0;
2817}
2818
2819
2820static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2821{
2822 struct wpa_igtk_kde igtk;
2823 struct wpa_group *gsm = sm->group;
03610ad2 2824 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2825 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2826
2827 if (!sm->mgmt_frame_prot)
2828 return pos;
2829
2830 igtk.keyid[0] = gsm->GN_igtk;
2831 igtk.keyid[1] = 0;
7b1080da 2832 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 2833 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 2834 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 2835 else
2836 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 2837 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
83421850
JM		 2838 if (sm->wpa_auth->conf.disable_gtk) {
2839 /*
2840 * Provide unique random IGTK to each STA to prevent use of
2841 * IGTK in the BSS.
2842 */
8dd9f9cd 2843 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 2844 return pos;
2845 }
6fc6879b 2846 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 2847 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2848 NULL, 0);
6fc6879b
JM		 2849
2850 return pos;
2851}
2852
2853#else /* CONFIG_IEEE80211W */
2854
2855static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2856{
2857 return 0;
2858}
2859
2860
2861static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2862{
2863 return pos;
2864}
2865
2866#endif /* CONFIG_IEEE80211W */
2867
2868
2869SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2870{
83421850 2871 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 2872 size_t gtk_len, kde_len;
2873 struct wpa_group *gsm = sm->group;
2874 u8 *wpa_ie;
2875 int wpa_ie_len, secure, keyidx, encr = 0;
2876
2877 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2878 sm->TimeoutEvt = FALSE;
bae61562
JM		 2879
2880 sm->TimeoutCtr++;
41f140d3 2881 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2882 /* No point in sending the EAPOL-Key - we will disconnect
2883 * immediately following this. */
2884 return;
2885 }
2886
86dfabb8
JM		 2887 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2888 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 2889 */
2890 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2891 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 2892 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 2893 wpa_ie = sm->wpa_auth->wpa_ie;
2894 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2895 if (sm->wpa == WPA_VERSION_WPA &&
2896 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2897 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 2898 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 2899 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 2900 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2901 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 2902 wpa_ie_len = wpa_ie[1] + 2;
2903 }
2904 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2905 "sending 3/4 msg of 4-Way Handshake");
2906 if (sm->wpa == WPA_VERSION_WPA2) {
2907 /* WPA2 send GTK in the 4-way handshake */
2908 secure = 1;
2909 gtk = gsm->GTK[gsm->GN - 1];
2910 gtk_len = gsm->GTK_len;
83421850
JM		 2911 if (sm->wpa_auth->conf.disable_gtk) {
2912 /*
2913 * Provide unique random GTK to each STA to prevent use
2914 * of GTK in the BSS.
2915 */
2916 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2917 return;
2918 gtk = dummy_gtk;
2919 }
6fc6879b
JM		 2920 keyidx = gsm->GN;
2921 _rsc = rsc;
2922 encr = 1;
2923 } else {
2924 /* WPA does not include GTK in msg 3/4 */
2925 secure = 0;
2926 gtk = NULL;
2927 gtk_len = 0;
2928 keyidx = 0;
2929 _rsc = NULL;
0d442aff
JM		 2930 if (sm->rx_eapol_key_secure) {
2931 /*
2932 * It looks like Windows 7 supplicant tries to use
2933 * Secure bit in msg 2/4 after having reported Michael
2934 * MIC failure and it then rejects the 4-way handshake
2935 * if msg 3/4 does not set Secure bit. Work around this
2936 * by setting the Secure bit here even in the case of
2937 * WPA if the supplicant used it first.
2938 */
2939 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 2940 "STA used Secure bit in WPA msg 2/4 - "
2941 "set Secure for 3/4 as workaround");
0d442aff
JM		 2942 secure = 1;
2943 }
6fc6879b
JM		 2944 }
2945
2946 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2947 if (gtk)
2948 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 2949#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2950 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2951 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2952 kde_len += 300; /* FTIE + 2 * TIE */
2953 }
4ec1fd8e 2954#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2955#ifdef CONFIG_P2P
2956 if (WPA_GET_BE32(sm->ip_addr) > 0)
2957 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2958#endif /* CONFIG_P2P */
6fc6879b
JM		 2959 kde = os_malloc(kde_len);
2960 if (kde == NULL)
2961 return;
2962
2963 pos = kde;
2964 os_memcpy(pos, wpa_ie, wpa_ie_len);
2965 pos += wpa_ie_len;
4ec1fd8e 2966#ifdef CONFIG_IEEE80211R_AP
26e23750 2967 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 2968 int res;
2969 size_t elen;
2970
2971 elen = pos - kde;
2972 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 2973 if (res < 0) {
2974 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2975 "PMKR1Name into RSN IE in EAPOL-Key data");
2976 os_free(kde);
2977 return;
2978 }
59e78c24
JM		 2979 pos -= wpa_ie_len;
2980 pos += elen;
26e23750 2981 }
4ec1fd8e 2982#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2983 if (gtk) {
2984 u8 hdr[2];
2985 hdr[0] = keyidx & 0x03;
2986 hdr[1] = 0;
2987 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2988 gtk, gtk_len);
2989 }
2990 pos = ieee80211w_kde_add(sm, pos);
2991
4ec1fd8e 2992#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2993 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2994 int res;
2995 struct wpa_auth_config *conf;
2996
2997 conf = &sm->wpa_auth->conf;
9257610a
JM		 2998 if (sm->assoc_resp_ftie &&
2999 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
3000 os_memcpy(pos, sm->assoc_resp_ftie,
3001 2 + sm->assoc_resp_ftie[1]);
3002 res = 2 + sm->assoc_resp_ftie[1];
3003 } else {
3004 res = wpa_write_ftie(conf, conf->r0_key_holder,
3005 conf->r0_key_holder_len,
3006 NULL, NULL, pos,
3007 kde + kde_len - pos,
3008 NULL, 0);
3009 }
86dfabb8
JM		 3010 if (res < 0) {
3011 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
3012 "into EAPOL-Key Key Data");
3013 os_free(kde);
3014 return;
3015 }
3016 pos += res;
3017
3018 /* TIE[ReassociationDeadline] (TU) */
3019 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3020 *pos++ = 5;
3021 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3022 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3023 pos += 4;
3024
3025 /* TIE[KeyLifetime] (seconds) */
3026 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3027 *pos++ = 5;
3028 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3029 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
3030 pos += 4;
3031 }
4ec1fd8e 3032#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3033#ifdef CONFIG_P2P
3034 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3035 u8 addr[3 * 4];
3036 os_memcpy(addr, sm->ip_addr, 4);
3037 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3038 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3039 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3040 addr, sizeof(addr), NULL, 0);
3041 }
3042#endif /* CONFIG_P2P */
86dfabb8 3043
6fc6879b 3044 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3045 (secure ? WPA_KEY_INFO_SECURE : 0) |
567da5bb
JM		 3046 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3047 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3048 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3049 WPA_KEY_INFO_KEY_TYPE,
3050 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3051 os_free(kde);
6fc6879b
JM		 3052}
3053
3054
3055SM_STATE(WPA_PTK, PTKINITDONE)
3056{
3057 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3058 sm->EAPOLKeyReceived = FALSE;
3059 if (sm->Pair) {
c3550295
JM		 3060 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3061 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 3062 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 3063 sm->PTK.tk, klen)) {
567da5bb
JM		 3064 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3065 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 3066 return;
3067 }
3068 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3069 sm->pairwise_set = TRUE;
3070
581a8cde
JM		 3071 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
3072 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3073 eloop_register_timeout(sm->wpa_auth->conf.
3074 wpa_ptk_rekey, 0, wpa_rekey_ptk,
3075 sm->wpa_auth, sm);
3076 }
3077
a1ea1b45 3078 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 3079 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 3080 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 3081 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3082 WPA_EAPOL_authorized, 1);
3083 }
3084 }
3085
3086 if (0 /* IBSS == TRUE */) {
3087 sm->keycount++;
3088 if (sm->keycount == 2) {
3089 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3090 WPA_EAPOL_portValid, 1);
3091 }
3092 } else {
3093 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3094 1);
3095 }
3096 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3097 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3098 if (sm->wpa == WPA_VERSION_WPA)
3099 sm->PInitAKeys = TRUE;
3100 else
3101 sm->has_GTK = TRUE;
3102 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3103 "pairwise key handshake completed (%s)",
3104 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3105
4ec1fd8e 3106#ifdef CONFIG_IEEE80211R_AP
6fc6879b 3107 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 3108#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3109}
3110
3111
3112SM_STEP(WPA_PTK)
3113{
3114 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3115
3116 if (sm->Init)
3117 SM_ENTER(WPA_PTK, INITIALIZE);
3118 else if (sm->Disconnect
1aae01fc
BG		 3119 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3120 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3121 "WPA_PTK: sm->Disconnect");
6fc6879b 3122 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 3123 }
6fc6879b
JM		 3124 else if (sm->DeauthenticationRequest)
3125 SM_ENTER(WPA_PTK, DISCONNECTED);
3126 else if (sm->AuthenticationRequest)
3127 SM_ENTER(WPA_PTK, AUTHENTICATION);
3128 else if (sm->ReAuthenticationRequest)
3129 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3130 else if (sm->PTKRequest)
3131 SM_ENTER(WPA_PTK, PTKSTART);
3132 else switch (sm->wpa_ptk_state) {
3133 case WPA_PTK_INITIALIZE:
3134 break;
3135 case WPA_PTK_DISCONNECT:
3136 SM_ENTER(WPA_PTK, DISCONNECTED);
3137 break;
3138 case WPA_PTK_DISCONNECTED:
3139 SM_ENTER(WPA_PTK, INITIALIZE);
3140 break;
3141 case WPA_PTK_AUTHENTICATION:
3142 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3143 break;
3144 case WPA_PTK_AUTHENTICATION2:
56586197 3145 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 3146 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3147 WPA_EAPOL_keyRun) > 0)
3148 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 3149 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3150 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 3151 /* FIX: && 802.1X::keyRun */)
3152 SM_ENTER(WPA_PTK, INITPSK);
567da5bb
JM		 3153 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3154 SM_ENTER(WPA_PTK, INITPMK);
6fc6879b
JM		 3155 break;
3156 case WPA_PTK_INITPMK:
3157 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
567da5bb 3158 WPA_EAPOL_keyAvailable) > 0) {
6fc6879b 3159 SM_ENTER(WPA_PTK, PTKSTART);
567da5bb
JM		 3160#ifdef CONFIG_DPP
3161 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3162 SM_ENTER(WPA_PTK, PTKSTART);
3163#endif /* CONFIG_DPP */
3164 } else {
6fc6879b 3165 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3166 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3167 "INITPMK - keyAvailable = false");
6fc6879b
JM		 3168 SM_ENTER(WPA_PTK, DISCONNECT);
3169 }
3170 break;
3171 case WPA_PTK_INITPSK:
759fd76b 3172 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
7a12edd1 3173 NULL, NULL)) {
6fc6879b 3174 SM_ENTER(WPA_PTK, PTKSTART);
e61fea6b
JM		 3175#ifdef CONFIG_SAE
3176 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3177 SM_ENTER(WPA_PTK, PTKSTART);
3178#endif /* CONFIG_SAE */
3179 } else {
6fc6879b
JM		 3180 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3181 "no PSK configured for the STA");
3182 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3183 SM_ENTER(WPA_PTK, DISCONNECT);
3184 }
3185 break;
3186 case WPA_PTK_PTKSTART:
3187 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3188 sm->EAPOLKeyPairwise)
3189 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3190 else if (sm->TimeoutCtr >
41f140d3 3191 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3192 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3193 wpa_auth_vlogger(
3194 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3195 "PTKSTART: Retry limit %u reached",
3196 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3197 SM_ENTER(WPA_PTK, DISCONNECT);
3198 } else if (sm->TimeoutEvt)
3199 SM_ENTER(WPA_PTK, PTKSTART);
3200 break;
3201 case WPA_PTK_PTKCALCNEGOTIATING:
3202 if (sm->MICVerified)
3203 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3204 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3205 sm->EAPOLKeyPairwise)
3206 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3207 else if (sm->TimeoutEvt)
3208 SM_ENTER(WPA_PTK, PTKSTART);
3209 break;
3210 case WPA_PTK_PTKCALCNEGOTIATING2:
3211 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3212 break;
3213 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3214 if (sm->update_snonce)
3215 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3216 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3217 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3218 SM_ENTER(WPA_PTK, PTKINITDONE);
3219 else if (sm->TimeoutCtr >
41f140d3 3220 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3221 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3222 wpa_auth_vlogger(
3223 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3224 "PTKINITNEGOTIATING: Retry limit %u reached",
3225 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3226 SM_ENTER(WPA_PTK, DISCONNECT);
3227 } else if (sm->TimeoutEvt)
3228 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3229 break;
3230 case WPA_PTK_PTKINITDONE:
3231 break;
3232 }
3233}
3234
3235
3236SM_STATE(WPA_PTK_GROUP, IDLE)
3237{
3238 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3239 if (sm->Init) {
3240 /* Init flag is not cleared here, so avoid busy
3241 * loop by claiming nothing changed. */
3242 sm->changed = FALSE;
3243 }
3244 sm->GTimeoutCtr = 0;
3245}
3246
3247
3248SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3249{
3250 u8 rsc[WPA_KEY_RSC_LEN];
3251 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3252 const u8 *kde;
3253 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3254 size_t kde_len;
83421850 3255 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3256
3257 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3258
3259 sm->GTimeoutCtr++;
41f140d3 3260 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3261 /* No point in sending the EAPOL-Key - we will disconnect
3262 * immediately following this. */
3263 return;
3264 }
3265
6fc6879b
JM		 3266 if (sm->wpa == WPA_VERSION_WPA)
3267 sm->PInitAKeys = FALSE;
3268 sm->TimeoutEvt = FALSE;
3269 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3270 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3271 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3272 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3273 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3274 "sending 1/2 msg of Group Key Handshake");
3275
83421850
JM		 3276 gtk = gsm->GTK[gsm->GN - 1];
3277 if (sm->wpa_auth->conf.disable_gtk) {
3278 /*
3279 * Provide unique random GTK to each STA to prevent use
3280 * of GTK in the BSS.
3281 */
3282 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3283 return;
3284 gtk = dummy_gtk;
3285 }
6fc6879b
JM		 3286 if (sm->wpa == WPA_VERSION_WPA2) {
3287 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3288 ieee80211w_kde_len(sm);
e41e4f9e
JM		 3289 kde_buf = os_malloc(kde_len);
3290 if (kde_buf == NULL)
6fc6879b
JM		 3291 return;
3292
e41e4f9e 3293 kde = pos = kde_buf;
6fc6879b
JM		 3294 hdr[0] = gsm->GN & 0x03;
3295 hdr[1] = 0;
3296 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3297 gtk, gsm->GTK_len);
6fc6879b 3298 pos = ieee80211w_kde_add(sm, pos);
e41e4f9e 3299 kde_len = pos - kde;
6fc6879b 3300 } else {
83421850 3301 kde = gtk;
e41e4f9e 3302 kde_len = gsm->GTK_len;
6fc6879b
JM		 3303 }
3304
3305 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3306 WPA_KEY_INFO_SECURE |
567da5bb
JM		 3307 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3308 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3309 WPA_KEY_INFO_ACK |
3310 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3311 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3312
3313 os_free(kde_buf);
6fc6879b
JM		 3314}
3315
3316
3317SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3318{
3319 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3320 sm->EAPOLKeyReceived = FALSE;
3321 if (sm->GUpdateStationKeys)
3322 sm->group->GKeyDoneStations--;
3323 sm->GUpdateStationKeys = FALSE;
3324 sm->GTimeoutCtr = 0;
3325 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3326 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3327 "group key handshake completed (%s)",
3328 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3329 sm->has_GTK = TRUE;
3330}
3331
3332
3333SM_STATE(WPA_PTK_GROUP, KEYERROR)
3334{
3335 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3336 if (sm->GUpdateStationKeys)
3337 sm->group->GKeyDoneStations--;
3338 sm->GUpdateStationKeys = FALSE;
3339 sm->Disconnect = TRUE;
4bb9b674
GK		 3340 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3341 "group key handshake failed (%s) after %u tries",
3342 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3343 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3344}
3345
3346
3347SM_STEP(WPA_PTK_GROUP)
3348{
9663596f 3349 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3350 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3351 sm->PtkGroupInit = FALSE;
3352 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3353 case WPA_PTK_GROUP_IDLE:
3354 if (sm->GUpdateStationKeys ||
3355 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3356 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3357 break;
3358 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3359 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3360 !sm->EAPOLKeyPairwise && sm->MICVerified)
3361 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3362 else if (sm->GTimeoutCtr >
41f140d3 3363 sm->wpa_auth->conf.wpa_group_update_count)
6fc6879b
JM		 3364 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3365 else if (sm->TimeoutEvt)
3366 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3367 break;
3368 case WPA_PTK_GROUP_KEYERROR:
3369 SM_ENTER(WPA_PTK_GROUP, IDLE);
3370 break;
3371 case WPA_PTK_GROUP_REKEYESTABLISHED:
3372 SM_ENTER(WPA_PTK_GROUP, IDLE);
3373 break;
3374 }
3375}
3376
3377
3378static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3379 struct wpa_group *group)
3380{
3381 int ret = 0;
3382
6fc6879b
JM		 3383 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3384 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3385 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3386 wpa_auth->addr, group->GNonce,
3387 group->GTK[group->GN - 1], group->GTK_len) < 0)
3388 ret = -1;
5cb9d5c3
JM		 3389 wpa_hexdump_key(MSG_DEBUG, "GTK",
3390 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3391
3392#ifdef CONFIG_IEEE80211W
70f8cc8e 3393 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3394 size_t len;
3395 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3396 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3397 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3398 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3399 wpa_auth->addr, group->GNonce,
8dd9f9cd 3400 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3401 ret = -1;
6fc6879b 3402 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3403 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3404 }
3405#endif /* CONFIG_IEEE80211W */
3406
3407 return ret;
3408}
3409
3410
3411static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3412 struct wpa_group *group)
3413{
3414 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3415 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3416 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3417 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3418
3419 /* GTK[0..N] = 0 */
3420 os_memset(group->GTK, 0, sizeof(group->GTK));
3421 group->GN = 1;
3422 group->GM = 2;
3423#ifdef CONFIG_IEEE80211W
3424 group->GN_igtk = 4;
3425 group->GM_igtk = 5;
3426#endif /* CONFIG_IEEE80211W */
3427 /* GTK[GN] = CalcGTK() */
3428 wpa_gtk_update(wpa_auth, group);
3429}
3430
3431
3432static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3433{
473b6f22
MB		 3434 if (ctx != NULL && ctx != sm->group)
3435 return 0;
3436
6fc6879b
JM		 3437 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3438 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3439 "Not in PTKINITDONE; skip Group Key update");
3c183894 3440 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3441 return 0;
3442 }
9663596f
JM		 3443 if (sm->GUpdateStationKeys) {
3444 /*
3c183894
JM		 3445 * This should not really happen, so add a debug log entry.
3446 * Since we clear the GKeyDoneStations before the loop, the
3447 * station needs to be counted here anyway.
9663596f
JM		 3448 */
3449 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3450 "GUpdateStationKeys was already set when "
3451 "marking station for GTK rekeying");
9663596f 3452 }
3c183894 3453
ad3872a3 3454 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3455 if (sm->is_wnmsleep)
3456 return 0;
d32d94db 3457
3c183894
JM		 3458 sm->group->GKeyDoneStations++;
3459 sm->GUpdateStationKeys = TRUE;
3460
6fc6879b
JM		 3461 wpa_sm_step(sm);
3462 return 0;
3463}
3464
3465
b5bf84ba 3466#ifdef CONFIG_WNM_AP
ad3872a3 3467/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3468void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3469{
629edfef 3470 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3471 return;
3472
3473 wpa_group_update_sta(sm, NULL);
3474}
3475
3476
3477void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3478{
629edfef
JM		 3479 if (sm)
3480 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3481}
3482
3483
3484int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3485{
d32d94db 3486 struct wpa_group *gsm = sm->group;
835822d4 3487 u8 *start = pos;
d32d94db
XC		 3488
3489 /*
835822d4 3490 * GTK subelement:
d32d94db 3491 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3492 * Key[5..32]
d32d94db 3493 */
835822d4
JM		 3494 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3495 *pos++ = 11 + gsm->GTK_len;
d32d94db 3496 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3497 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3498 pos += 2;
3499 *pos++ = gsm->GTK_len;
3500 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3501 return 0;
835822d4
JM		 3502 pos += 8;
3503 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3504 pos += gsm->GTK_len;
d32d94db 3505
835822d4
JM		 3506 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3507 gsm->GN);
3508 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3509 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3510
835822d4 3511 return pos - start;
d32d94db
XC		 3512}
3513
3514
3515#ifdef CONFIG_IEEE80211W
3516int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3517{
d32d94db 3518 struct wpa_group *gsm = sm->group;
835822d4 3519 u8 *start = pos;
8dd9f9cd 3520 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3521
835822d4
JM		 3522 /*
3523 * IGTK subelement:
3524 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3525 */
3526 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3527 *pos++ = 2 + 6 + len;
835822d4
JM		 3528 WPA_PUT_LE16(pos, gsm->GN_igtk);
3529 pos += 2;
3530 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3531 return 0;
835822d4 3532 pos += 6;
d32d94db 3533
8dd9f9cd
JM		 3534 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3535 pos += len;
d32d94db 3536
835822d4
JM		 3537 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3538 gsm->GN_igtk);
3539 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3540 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3541
835822d4 3542 return pos - start;
d32d94db
XC		 3543}
3544#endif /* CONFIG_IEEE80211W */
b5bf84ba 3545#endif /* CONFIG_WNM_AP */
d32d94db
XC		 3546
3547
6fc6879b
JM		 3548static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3549 struct wpa_group *group)
3550{
3551 int tmp;
3552
3553 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3554 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3555 group->changed = TRUE;
3556 group->wpa_group_state = WPA_GROUP_SETKEYS;
3557 group->GTKReKey = FALSE;
3558 tmp = group->GM;
3559 group->GM = group->GN;
3560 group->GN = tmp;
3561#ifdef CONFIG_IEEE80211W
3562 tmp = group->GM_igtk;
3563 group->GM_igtk = group->GN_igtk;
3564 group->GN_igtk = tmp;
3565#endif /* CONFIG_IEEE80211W */
3566 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3567 * counting the STAs that are marked with GUpdateStationKeys instead of
3568 * including all STAs that could be in not-yet-completed state. */
3569 wpa_gtk_update(wpa_auth, group);
3570
3c183894
JM		 3571 if (group->GKeyDoneStations) {
3572 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3573 "GKeyDoneStations=%d when starting new GTK rekey",
3574 group->GKeyDoneStations);
3575 group->GKeyDoneStations = 0;
3576 }
473b6f22 3577 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3578 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3579 group->GKeyDoneStations);
3580}
3581
3582
1bdb7ab3
JM		 3583static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3584 struct wpa_group *group)
6fc6879b 3585{
3c7302c2
JM		 3586 int ret = 0;
3587
3c7302c2 3588 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3589 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3590 broadcast_ether_addr, group->GN,
3591 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3592 ret = -1;
6fc6879b
JM		 3593
3594#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3595 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3596 enum wpa_alg alg;
3597 size_t len;
3598
3599 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3600 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3601
3602 if (ret == 0 &&
3603 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3604 broadcast_ether_addr, group->GN_igtk,
3605 group->IGTK[group->GN_igtk - 4], len) < 0)
3606 ret = -1;
3607 }
6fc6879b 3608#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3609
3610 return ret;
6fc6879b
JM		 3611}
3612
3613
7d7f7be2
JM		 3614static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3615{
3616 if (sm->group == ctx) {
3617 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3618 " for discconnection due to fatal failure",
3619 MAC2STR(sm->addr));
3620 sm->Disconnect = TRUE;
3621 }
3622
3623 return 0;
3624}
3625
3626
3627static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3628 struct wpa_group *group)
3629{
3630 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3631 group->changed = TRUE;
3632 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3633 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3634}
3635
3636
1bdb7ab3
JM		 3637static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3638 struct wpa_group *group)
3639{
3640 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3641 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3642 group->changed = TRUE;
3643 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3644
7d7f7be2
JM		 3645 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3646 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3647 return -1;
7d7f7be2 3648 }
1bdb7ab3
JM		 3649
3650 return 0;
3651}
3652
3653
6fc6879b
JM		 3654static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3655 struct wpa_group *group)
3656{
3657 if (group->GInit) {
3658 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3659 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3660 /* Do not allow group operations */
6fc6879b
JM		 3661 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3662 group->GTKAuthenticator) {
3663 wpa_group_setkeysdone(wpa_auth, group);
3664 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3665 group->GTKReKey) {
3666 wpa_group_setkeys(wpa_auth, group);
3667 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3668 if (group->GKeyDoneStations == 0)
3669 wpa_group_setkeysdone(wpa_auth, group);
3670 else if (group->GTKReKey)
3671 wpa_group_setkeys(wpa_auth, group);
3672 }
3673}
3674
3675
e4a6ea1d 3676static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3677{
3678 if (sm == NULL)
e4a6ea1d 3679 return 0;
6fc6879b
JM		 3680
3681 if (sm->in_step_loop) {
3682 /* This should not happen, but if it does, make sure we do not
3683 * end up freeing the state machine too early by exiting the
3684 * recursive call. */
3685 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3686 return 0;
6fc6879b
JM		 3687 }
3688
3689 sm->in_step_loop = 1;
3690 do {
3691 if (sm->pending_deinit)
3692 break;
3693
3694 sm->changed = FALSE;
3695 sm->wpa_auth->group->changed = FALSE;
3696
3697 SM_STEP_RUN(WPA_PTK);
3698 if (sm->pending_deinit)
3699 break;
3700 SM_STEP_RUN(WPA_PTK_GROUP);
3701 if (sm->pending_deinit)
3702 break;
3703 wpa_group_sm_step(sm->wpa_auth, sm->group);
3704 } while (sm->changed || sm->wpa_auth->group->changed);
3705 sm->in_step_loop = 0;
3706
3707 if (sm->pending_deinit) {
3708 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3709 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3710 wpa_free_sta_sm(sm);
e4a6ea1d 3711 return 1;
6fc6879b 3712 }
e4a6ea1d 3713 return 0;
6fc6879b
JM		 3714}
3715
3716
3717static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3718{
3719 struct wpa_state_machine *sm = eloop_ctx;
3720 wpa_sm_step(sm);
3721}
3722
3723
3724void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3725{
3726 if (sm == NULL)
3727 return;
3728 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3729}
3730
3731
3732void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3733{
3734 int tmp, i;
3735 struct wpa_group *group;
3736
3737 if (wpa_auth == NULL)
3738 return;
3739
3740 group = wpa_auth->group;
3741
3742 for (i = 0; i < 2; i++) {
3743 tmp = group->GM;
3744 group->GM = group->GN;
3745 group->GN = tmp;
3746#ifdef CONFIG_IEEE80211W
3747 tmp = group->GM_igtk;
3748 group->GM_igtk = group->GN_igtk;
3749 group->GN_igtk = tmp;
3750#endif /* CONFIG_IEEE80211W */
3751 wpa_gtk_update(wpa_auth, group);
9354e594 3752 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 3753 }
3754}
3755
3756
a6da824b 3757static const char * wpa_bool_txt(int val)
6fc6879b 3758{
a6da824b 3759 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 3760}
3761
3762
6fc6879b
JM		 3763#define RSN_SUITE "%02x-%02x-%02x-%d"
3764#define RSN_SUITE_ARG(s) \
3765((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3766
3767int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3768{
3769 int len = 0, ret;
3770 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 3771#ifdef CONFIG_RSN_PREAUTH
3772 const int preauth = 1;
3773#else /* CONFIG_RSN_PREAUTH */
3774 const int preauth = 0;
3775#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 3776
3777 if (wpa_auth == NULL)
3778 return len;
3779
3780 ret = os_snprintf(buf + len, buflen - len,
3781 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 3782 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 3783 "dot11RSNAEnabled=%s\n"
3784 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 3785 wpa_bool_txt(preauth),
6fc6879b
JM		 3786 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3787 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 3788 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3789 return len;
3790 len += ret;
3791
3792 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3793 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3794
3795 ret = os_snprintf(
3796 buf + len, buflen - len,
3797 "dot11RSNAConfigVersion=%u\n"
3798 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3799 /* FIX: dot11RSNAConfigGroupCipher */
3800 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3801 /* FIX: dot11RSNAConfigGroupRekeyTime */
3802 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3803 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3804 "dot11RSNAConfigGroupUpdateCount=%u\n"
3805 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3806 "dot11RSNAConfigGroupCipherSize=%u\n"
3807 "dot11RSNAConfigPMKLifetime=%u\n"
3808 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3809 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3810 "dot11RSNAConfigSATimeout=%u\n"
3811 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3812 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3813 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3814 "dot11RSNAPMKIDUsed=%s\n"
3815 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3816 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3817 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3818 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3819 "dot11RSNA4WayHandshakeFailures=%u\n"
3820 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3821 RSN_VERSION,
3822 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 3823 wpa_auth->conf.wpa_group_update_count,
3824 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 3825 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 3826 dot11RSNAConfigPMKLifetime,
3827 dot11RSNAConfigPMKReauthThreshold,
3828 dot11RSNAConfigSATimeout,
3829 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3830 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3831 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3832 pmkid_txt,
3833 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3834 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3835 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3836 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3837 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 3838 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3839 return len;
3840 len += ret;
3841
3842 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3843 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3844
3845 /* Private MIB */
3846 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3847 wpa_auth->group->wpa_group_state);
d85e1fc8 3848 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3849 return len;
3850 len += ret;
3851
3852 return len;
3853}
3854
3855
3856int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3857{
3858 int len = 0, ret;
3859 u32 pairwise = 0;
3860
3861 if (sm == NULL)
3862 return 0;
3863
3864 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3865
3866 /* dot11RSNAStatsEntry */
3867
c3550295
JM		 3868 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3869 WPA_PROTO_RSN : WPA_PROTO_WPA,
3870 sm->pairwise);
3871 if (pairwise == 0)
6fc6879b
JM		 3872 return 0;
3873
3874 ret = os_snprintf(
3875 buf + len, buflen - len,
3876 /* TODO: dot11RSNAStatsIndex */
3877 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3878 "dot11RSNAStatsVersion=1\n"
3879 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3880 /* TODO: dot11RSNAStatsTKIPICVErrors */
3881 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 3882 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 3883 /* TODO: dot11RSNAStatsCCMPReplays */
3884 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3885 /* TODO: dot11RSNAStatsTKIPReplays */,
3886 MAC2STR(sm->addr),
3887 RSN_SUITE_ARG(pairwise),
3888 sm->dot11RSNAStatsTKIPLocalMICFailures,
3889 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 3890 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3891 return len;
3892 len += ret;
3893
3894 /* Private MIB */
3895 ret = os_snprintf(buf + len, buflen - len,
3896 "hostapdWPAPTKState=%d\n"
3897 "hostapdWPAPTKGroupState=%d\n",
3898 sm->wpa_ptk_state,
3899 sm->wpa_ptk_group_state);
d85e1fc8 3900 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3901 return len;
3902 len += ret;
3903
3904 return len;
3905}
3906
3907
3908void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3909{
3910 if (wpa_auth)
3911 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3912}
3913
3914
3915int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3916{
3917 return sm && sm->pairwise_set;
3918}
3919
3920
ff36ff00
JM		 3921int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3922{
3923 return sm->pairwise;
3924}
3925
3926
6fc6879b
JM		 3927int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3928{
3929 if (sm == NULL)
3930 return -1;
3931 return sm->wpa_key_mgmt;
3932}
3933
3934
3935int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3936{
3937 if (sm == NULL)
3938 return 0;
3939 return sm->wpa;
3940}
3941
3942
3943int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3944 struct rsn_pmksa_cache_entry *entry)
3945{
3946 if (sm == NULL || sm->pmksa != entry)
3947 return -1;
3948 sm->pmksa = NULL;
3949 return 0;
3950}
3951
3952
3953struct rsn_pmksa_cache_entry *
3954wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3955{
3956 return sm ? sm->pmksa : NULL;
3957}
3958
3959
3960void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3961{
3962 if (sm)
3963 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3964}
3965
3966
3967const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3968{
3969 if (wpa_auth == NULL)
3970 return NULL;
3971 *len = wpa_auth->wpa_ie_len;
3972 return wpa_auth->wpa_ie;
3973}
3974
3975
3976int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 3977 unsigned int pmk_len,
6fc6879b
JM		 3978 int session_timeout, struct eapol_state_machine *eapol)
3979{
cb465555
JM		 3980 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3981 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 3982 return -1;
3983
834c5d68 3984 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 3985 if (pmk_len > PMK_LEN_SUITE_B_192)
3986 pmk_len = PMK_LEN_SUITE_B_192;
3987 } else if (pmk_len > PMK_LEN) {
3988 pmk_len = PMK_LEN;
3989 }
3990
70c93963 3991 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 3992 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 3993 sm->wpa_auth->addr, sm->addr, session_timeout,
3994 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 3995 return 0;
3996
3997 return -1;
3998}
3999
4000
4001int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4002 const u8 *pmk, size_t len, const u8 *sta_addr,
4003 int session_timeout,
4004 struct eapol_state_machine *eapol)
4005{
4006 if (wpa_auth == NULL)
4007 return -1;
4008
70c93963 4009 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 4010 NULL, 0,
4011 wpa_auth->addr,
4bb081f1
JM		 4012 sta_addr, session_timeout, eapol,
4013 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 4014 return 0;
4015
4016 return -1;
4017}
4018
4019
f2991170 4020int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 4021 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 4022{
4023 if (wpa_auth->conf.disable_pmksa_caching)
4024 return -1;
4025
70c93963 4026 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 4027 NULL, 0,
f2991170
JM		 4028 wpa_auth->addr, addr, 0, NULL,
4029 WPA_KEY_MGMT_SAE))
4030 return 0;
4031
4032 return -1;
4033}
4034
4035
0c52953b
JM		 4036int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4037 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4038 int session_timeout, int akmp)
4039{
4040 if (wpa_auth->conf.disable_pmksa_caching)
4041 return -1;
4042
4043 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4044 NULL, 0, wpa_auth->addr, addr, session_timeout,
4045 NULL, akmp))
4046 return 0;
4047
4048 return -1;
4049}
4050
4051
901d1fe1
JM		 4052void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4053 const u8 *sta_addr)
4054{
4055 struct rsn_pmksa_cache_entry *pmksa;
4056
4057 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4058 return;
4059 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4060 if (pmksa) {
4061 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4062 MACSTR " based on request", MAC2STR(sta_addr));
4063 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4064 }
4065}
4066
4067
b8daac18
MH		 4068int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4069 size_t len)
4070{
4071 if (!wpa_auth || !wpa_auth->pmksa)
4072 return 0;
4073 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4074}
4075
4076
4c522c77
MH		 4077void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4078{
4079 if (wpa_auth && wpa_auth->pmksa)
4080 pmksa_cache_auth_flush(wpa_auth->pmksa);
4081}
4082
4083
4d77d80e
MH		 4084#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4085#ifdef CONFIG_MESH
4086
4087int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4088 char *buf, size_t len)
4089{
4090 if (!wpa_auth || !wpa_auth->pmksa)
4091 return 0;
4092
4093 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4094}
4095
4096
4097struct rsn_pmksa_cache_entry *
4098wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4099 const u8 *pmkid, int expiration)
4100{
4101 struct rsn_pmksa_cache_entry *entry;
4102 struct os_reltime now;
4103
4104 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4105 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4106 if (!entry)
4107 return NULL;
4108
4109 os_get_reltime(&now);
4110 entry->expiration = now.sec + expiration;
4111 return entry;
4112}
4113
4114
4115int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4116 struct rsn_pmksa_cache_entry *entry)
4117{
4118 int ret;
4119
4120 if (!wpa_auth || !wpa_auth->pmksa)
4121 return -1;
4122
4123 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4124 if (ret < 0)
4125 wpa_printf(MSG_DEBUG,
4126 "RSN: Failed to store external PMKSA cache for "
4127 MACSTR, MAC2STR(entry->spa));
4128
4129 return ret;
4130}
4131
4132#endif /* CONFIG_MESH */
4133#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4134
4135
9f2cf23e 4136struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 4137wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4138 const u8 *pmkid)
9f2cf23e
MH		 4139{
4140 if (!wpa_auth || !wpa_auth->pmksa)
4141 return NULL;
c1bd4bac 4142 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 4143}
4144
4145
4146void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4147 struct wpa_state_machine *sm,
4148 struct wpa_authenticator *wpa_auth,
4149 u8 *pmkid, u8 *pmk)
4150{
4151 if (!sm)
4152 return;
4153
4154 sm->pmksa = pmksa;
8854f90b
JM		 4155 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4156 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4157 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 4158}
4159
4160
a0ad9e8c
MB		 4161/*
4162 * Remove and free the group from wpa_authenticator. This is triggered by a
4163 * callback to make sure nobody is currently iterating the group list while it
4164 * gets modified.
4165 */
4166static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4167 struct wpa_group *group)
4168{
4169 struct wpa_group *prev = wpa_auth->group;
4170
4171 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4172 group->vlan_id);
4173
4174 while (prev) {
4175 if (prev->next == group) {
4176 /* This never frees the special first group as needed */
4177 prev->next = group->next;
4178 os_free(group);
4179 break;
4180 }
4181 prev = prev->next;
4182 }
4183
4184}
4185
4186
4187/* Increase the reference counter for group */
4188static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4189 struct wpa_group *group)
4190{
4191 /* Skip the special first group */
4192 if (wpa_auth->group == group)
4193 return;
4194
4195 group->references++;
4196}
4197
4198
4199/* Decrease the reference counter and maybe free the group */
4200static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4201 struct wpa_group *group)
4202{
4203 /* Skip the special first group */
4204 if (wpa_auth->group == group)
4205 return;
4206
4207 group->references--;
4208 if (group->references)
4209 return;
4210 wpa_group_free(wpa_auth, group);
4211}
4212
4213
4214/*
4215 * Add a group that has its references counter set to zero. Caller needs to
4216 * call wpa_group_get() on the return value to mark the entry in use.
4217 */
6fc6879b
JM		 4218static struct wpa_group *
4219wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4220{
4221 struct wpa_group *group;
4222
4223 if (wpa_auth == NULL || wpa_auth->group == NULL)
4224 return NULL;
4225
4226 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4227 vlan_id);
bdffdc5d 4228 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4229 if (group == NULL)
4230 return NULL;
4231
4232 group->next = wpa_auth->group->next;
4233 wpa_auth->group->next = group;
4234
4235 return group;
4236}
4237
4238
7cebc8e2
MB		 4239/*
4240 * Enforce that the group state machine for the VLAN is running, increase
4241 * reference counter as interface is up. References might have been increased
4242 * even if a negative value is returned.
4243 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4244 */
4245int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4246{
4247 struct wpa_group *group;
4248
4249 if (wpa_auth == NULL)
4250 return 0;
4251
4252 group = wpa_auth->group;
4253 while (group) {
4254 if (group->vlan_id == vlan_id)
4255 break;
4256 group = group->next;
4257 }
4258
4259 if (group == NULL) {
4260 group = wpa_auth_add_group(wpa_auth, vlan_id);
4261 if (group == NULL)
4262 return -1;
4263 }
4264
4265 wpa_printf(MSG_DEBUG,
4266 "WPA: Ensure group state machine running for VLAN ID %d",
4267 vlan_id);
4268
4269 wpa_group_get(wpa_auth, group);
4270 group->num_setup_iface++;
4271
4272 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4273 return -1;
4274
4275 return 0;
4276}
4277
4278
4279/*
4280 * Decrease reference counter, expected to be zero afterwards.
4281 * returns: -1 on error (group not found, group in fail state)
4282 * -2 if wpa_group is still referenced
4283 * 0 else
4284 */
4285int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4286{
4287 struct wpa_group *group;
4288 int ret = 0;
4289
4290 if (wpa_auth == NULL)
4291 return 0;
4292
4293 group = wpa_auth->group;
4294 while (group) {
4295 if (group->vlan_id == vlan_id)
4296 break;
4297 group = group->next;
4298 }
4299
4300 if (group == NULL)
4301 return -1;
4302
4303 wpa_printf(MSG_DEBUG,
4304 "WPA: Try stopping group state machine for VLAN ID %d",
4305 vlan_id);
4306
4307 if (group->num_setup_iface <= 0) {
4308 wpa_printf(MSG_ERROR,
4309 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4310 vlan_id);
4311 return -1;
4312 }
4313 group->num_setup_iface--;
4314
4315 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4316 ret = -1;
4317
4318 if (group->references > 1) {
4319 wpa_printf(MSG_DEBUG,
4320 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4321 vlan_id);
4322 ret = -2;
4323 }
4324
4325 wpa_group_put(wpa_auth, group);
4326
4327 return ret;
4328}
4329
4330
6fc6879b
JM		 4331int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4332{
4333 struct wpa_group *group;
4334
4335 if (sm == NULL || sm->wpa_auth == NULL)
4336 return 0;
4337
4338 group = sm->wpa_auth->group;
4339 while (group) {
4340 if (group->vlan_id == vlan_id)
4341 break;
4342 group = group->next;
4343 }
4344
4345 if (group == NULL) {
4346 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4347 if (group == NULL)
4348 return -1;
4349 }
4350
4351 if (sm->group == group)
4352 return 0;
4353
7d7f7be2
JM		 4354 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4355 return -1;
4356
6fc6879b
JM		 4357 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4358 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4359
a0ad9e8c
MB		 4360 wpa_group_get(sm->wpa_auth, group);
4361 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4362 sm->group = group;
a0ad9e8c 4363
6fc6879b
JM		 4364 return 0;
4365}
e4bf4db9
JM		 4366
4367
4368void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4369 struct wpa_state_machine *sm, int ack)
4370{
4371 if (wpa_auth == NULL || sm == NULL)
4372 return;
4373 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4374 " ack=%d", MAC2STR(sm->addr), ack);
4375 if (sm->pending_1_of_4_timeout && ack) {
4376 /*
4377 * Some deployed supplicant implementations update their SNonce
4378 * for each EAPOL-Key 2/4 message even within the same 4-way
4379 * handshake and then fail to use the first SNonce when
4380 * deriving the PTK. This results in unsuccessful 4-way
4381 * handshake whenever the relatively short initial timeout is
4382 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4383 * around this by increasing the timeout now that we know that
4384 * the station has received the frame.
4385 */
4386 int timeout_ms = eapol_key_timeout_subseq;
4387 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4388 "timeout by %u ms because of acknowledged frame",
4389 timeout_ms);
4390 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4391 eloop_register_timeout(timeout_ms / 1000,
4392 (timeout_ms % 1000) * 1000,
4393 wpa_send_eapol_timeout, wpa_auth, sm);
4394 }
4395}
c10347f2
JM		 4396
4397
4398int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4399{
4400 if (sm == NULL)
4401 return 0;
4402 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4403}
aa189ac9
JM		 4404
4405
4406int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4407{
4408 if (sm == NULL)
4409 return 0;
4410 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4411}
25ef8529
JM		 4412
4413
4414#ifdef CONFIG_P2P
4415int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4416{
4417 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4418 return -1;
4419 os_memcpy(addr, sm->ip_addr, 4);
4420 return 0;
4421}
4422#endif /* CONFIG_P2P */
cbc210de
JM		 4423
4424
4425int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4426 struct radius_das_attrs *attr)
4427{
4428 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4429}
34782730
JM		 4430
4431
4432void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4433{
4434 struct wpa_group *group;
4435
4436 if (!wpa_auth)
4437 return;
4438 for (group = wpa_auth->group; group; group = group->next)
4439 wpa_group_config_group_keys(wpa_auth, group);
4440}
7eace378
JM		 4441
4442
4443#ifdef CONFIG_FILS
4444
4445struct wpa_auth_fils_iter_data {
4446 struct wpa_authenticator *auth;
4447 const u8 *cache_id;
4448 struct rsn_pmksa_cache_entry *pmksa;
4449 const u8 *spa;
4450 const u8 *pmkid;
4451};
4452
4453
4454static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4455{
4456 struct wpa_auth_fils_iter_data *data = ctx;
4457
4cc6574d 4458 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4459 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4460 FILS_CACHE_ID_LEN) != 0)
4461 return 0;
4462 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4463 return data->pmksa != NULL;
4464}
4465
4466
4467struct rsn_pmksa_cache_entry *
4468wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4469 const u8 *sta_addr, const u8 *pmkid)
4470{
4471 struct wpa_auth_fils_iter_data idata;
4472
4473 if (!wpa_auth->conf.fils_cache_id_set)
4474 return NULL;
4475 idata.auth = wpa_auth;
4476 idata.cache_id = wpa_auth->conf.fils_cache_id;
4477 idata.pmksa = NULL;
4478 idata.spa = sta_addr;
4479 idata.pmkid = pmkid;
4480 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4481 return idata.pmksa;
4482}
4483
5db997e3
JM		 4484
4485#ifdef CONFIG_IEEE80211R_AP
4486int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
4487{
4488 struct wpa_auth_config *conf = &wpa_auth->conf;
4489
4490 return wpa_write_ftie(conf, conf->r0_key_holder,
4491 conf->r0_key_holder_len,
4492 NULL, NULL, buf, len, NULL, 0);
4493}
4494#endif /* CONFIG_IEEE80211R_AP */
4495
8acbf85f
JM		 4496
4497void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4498 u8 *fils_anonce, u8 *fils_snonce,
4499 u8 *fils_kek, size_t *fils_kek_len)
4500{
4501 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4502 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4503 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4504 *fils_kek_len = sm->PTK.kek_len;
4505}
4506
7eace378 4507#endif /* CONFIG_FILS */
Unnamed repository; edit this file 'description' to name the repository.