]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
FILS: Perform AEAD processing after PTK has been confirmed
[thirdparty/hostap.git] / src / ap / wpa_auth.c
1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "crypto/aes.h"
17 #include "crypto/aes_wrap.h"
18 #include "crypto/aes_siv.h"
19 #include "crypto/crypto.h"
20 #include "crypto/sha1.h"
21 #include "crypto/sha256.h"
22 #include "crypto/random.h"
23 #include "eapol_auth/eapol_auth_sm.h"
24 #include "ap_config.h"
25 #include "ieee802_11.h"
26 #include "wpa_auth.h"
27 #include "pmksa_cache_auth.h"
28 #include "wpa_auth_i.h"
29 #include "wpa_auth_ie.h"
30
31 #define STATE_MACHINE_DATA struct wpa_state_machine
32 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
33 #define STATE_MACHINE_ADDR sm->addr
34
35
36 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
37 static int wpa_sm_step(struct wpa_state_machine *sm);
38 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
39 size_t data_len);
40 #ifdef CONFIG_FILS
41 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
43 #endif /* CONFIG_FILS */
44 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
45 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
46 struct wpa_group *group);
47 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
48 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
49 struct wpa_group *group);
50 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
52 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
53 const u8 *pmk, unsigned int pmk_len,
54 struct wpa_ptk *ptk);
55 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
61
62 static const u32 dot11RSNAConfigGroupUpdateCount = 4;
63 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
64 static const u32 eapol_key_timeout_first = 100; /* ms */
65 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
66 static const u32 eapol_key_timeout_first_group = 500; /* ms */
67
68 /* TODO: make these configurable */
69 static const int dot11RSNAConfigPMKLifetime = 43200;
70 static const int dot11RSNAConfigPMKReauthThreshold = 70;
71 static const int dot11RSNAConfigSATimeout = 60;
72
73
74 static inline int wpa_auth_mic_failure_report(
75 struct wpa_authenticator *wpa_auth, const u8 *addr)
76 {
77 if (wpa_auth->cb.mic_failure_report)
78 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
79 return 0;
80 }
81
82
83 static inline void wpa_auth_psk_failure_report(
84 struct wpa_authenticator *wpa_auth, const u8 *addr)
85 {
86 if (wpa_auth->cb.psk_failure_report)
87 wpa_auth->cb.psk_failure_report(wpa_auth->cb.ctx, addr);
88 }
89
90
91 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
92 const u8 *addr, wpa_eapol_variable var,
93 int value)
94 {
95 if (wpa_auth->cb.set_eapol)
96 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
97 }
98
99
100 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
101 const u8 *addr, wpa_eapol_variable var)
102 {
103 if (wpa_auth->cb.get_eapol == NULL)
104 return -1;
105 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
106 }
107
108
109 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
110 const u8 *addr,
111 const u8 *p2p_dev_addr,
112 const u8 *prev_psk)
113 {
114 if (wpa_auth->cb.get_psk == NULL)
115 return NULL;
116 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
117 prev_psk);
118 }
119
120
121 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
122 const u8 *addr, u8 *msk, size_t *len)
123 {
124 if (wpa_auth->cb.get_msk == NULL)
125 return -1;
126 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
127 }
128
129
130 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
131 int vlan_id,
132 enum wpa_alg alg, const u8 *addr, int idx,
133 u8 *key, size_t key_len)
134 {
135 if (wpa_auth->cb.set_key == NULL)
136 return -1;
137 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
138 key, key_len);
139 }
140
141
142 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
143 const u8 *addr, int idx, u8 *seq)
144 {
145 if (wpa_auth->cb.get_seqnum == NULL)
146 return -1;
147 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
148 }
149
150
151 static inline int
152 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
153 const u8 *data, size_t data_len, int encrypt)
154 {
155 if (wpa_auth->cb.send_eapol == NULL)
156 return -1;
157 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
158 encrypt);
159 }
160
161
162 #ifdef CONFIG_MESH
163 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
164 const u8 *addr)
165 {
166 if (wpa_auth->cb.start_ampe == NULL)
167 return -1;
168 return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr);
169 }
170 #endif /* CONFIG_MESH */
171
172
173 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
174 int (*cb)(struct wpa_state_machine *sm, void *ctx),
175 void *cb_ctx)
176 {
177 if (wpa_auth->cb.for_each_sta == NULL)
178 return 0;
179 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
180 }
181
182
183 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
184 int (*cb)(struct wpa_authenticator *a, void *ctx),
185 void *cb_ctx)
186 {
187 if (wpa_auth->cb.for_each_auth == NULL)
188 return 0;
189 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
190 }
191
192
193 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
194 logger_level level, const char *txt)
195 {
196 if (wpa_auth->cb.logger == NULL)
197 return;
198 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
199 }
200
201
202 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
203 logger_level level, const char *fmt, ...)
204 {
205 char *format;
206 int maxlen;
207 va_list ap;
208
209 if (wpa_auth->cb.logger == NULL)
210 return;
211
212 maxlen = os_strlen(fmt) + 100;
213 format = os_malloc(maxlen);
214 if (!format)
215 return;
216
217 va_start(ap, fmt);
218 vsnprintf(format, maxlen, fmt, ap);
219 va_end(ap);
220
221 wpa_auth_logger(wpa_auth, addr, level, format);
222
223 os_free(format);
224 }
225
226
227 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
228 const u8 *addr)
229 {
230 if (wpa_auth->cb.disconnect == NULL)
231 return;
232 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
233 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
234 WLAN_REASON_PREV_AUTH_NOT_VALID);
235 }
236
237
238 static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
239 {
240 int ret = 0;
241 #ifdef CONFIG_IEEE80211R
242 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
243 ret = 1;
244 #endif /* CONFIG_IEEE80211R */
245 #ifdef CONFIG_IEEE80211W
246 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
247 ret = 1;
248 #endif /* CONFIG_IEEE80211W */
249 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
250 ret = 1;
251 return ret;
252 }
253
254
255 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
256 {
257 struct wpa_authenticator *wpa_auth = eloop_ctx;
258
259 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
260 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
261 "initialization.");
262 } else {
263 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
264 wpa_hexdump_key(MSG_DEBUG, "GMK",
265 wpa_auth->group->GMK, WPA_GMK_LEN);
266 }
267
268 if (wpa_auth->conf.wpa_gmk_rekey) {
269 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
270 wpa_rekey_gmk, wpa_auth, NULL);
271 }
272 }
273
274
275 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
276 {
277 struct wpa_authenticator *wpa_auth = eloop_ctx;
278 struct wpa_group *group, *next;
279
280 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
281 group = wpa_auth->group;
282 while (group) {
283 wpa_group_get(wpa_auth, group);
284
285 group->GTKReKey = TRUE;
286 do {
287 group->changed = FALSE;
288 wpa_group_sm_step(wpa_auth, group);
289 } while (group->changed);
290
291 next = group->next;
292 wpa_group_put(wpa_auth, group);
293 group = next;
294 }
295
296 if (wpa_auth->conf.wpa_group_rekey) {
297 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
298 0, wpa_rekey_gtk, wpa_auth, NULL);
299 }
300 }
301
302
303 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
304 {
305 struct wpa_authenticator *wpa_auth = eloop_ctx;
306 struct wpa_state_machine *sm = timeout_ctx;
307
308 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
309 wpa_request_new_ptk(sm);
310 wpa_sm_step(sm);
311 }
312
313
314 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
315 {
316 if (sm->pmksa == ctx)
317 sm->pmksa = NULL;
318 return 0;
319 }
320
321
322 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
323 void *ctx)
324 {
325 struct wpa_authenticator *wpa_auth = ctx;
326 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
327 }
328
329
330 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
331 struct wpa_group *group)
332 {
333 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
334 u8 rkey[32];
335 unsigned long ptr;
336
337 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
338 return -1;
339 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
340
341 /*
342 * Counter = PRF-256(Random number, "Init Counter",
343 * Local MAC Address || Time)
344 */
345 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
346 wpa_get_ntp_timestamp(buf + ETH_ALEN);
347 ptr = (unsigned long) group;
348 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
349 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
350 return -1;
351
352 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
353 group->Counter, WPA_NONCE_LEN) < 0)
354 return -1;
355 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
356 group->Counter, WPA_NONCE_LEN);
357
358 return 0;
359 }
360
361
362 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
363 int vlan_id, int delay_init)
364 {
365 struct wpa_group *group;
366
367 group = os_zalloc(sizeof(struct wpa_group));
368 if (group == NULL)
369 return NULL;
370
371 group->GTKAuthenticator = TRUE;
372 group->vlan_id = vlan_id;
373 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
374
375 if (random_pool_ready() != 1) {
376 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
377 "for secure operations - update keys later when "
378 "the first station connects");
379 }
380
381 /*
382 * Set initial GMK/Counter value here. The actual values that will be
383 * used in negotiations will be set once the first station tries to
384 * connect. This allows more time for collecting additional randomness
385 * on embedded devices.
386 */
387 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
388 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
389 "initialization.");
390 os_free(group);
391 return NULL;
392 }
393
394 group->GInit = TRUE;
395 if (delay_init) {
396 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
397 "until Beacon frames have been configured");
398 /* Initialization is completed in wpa_init_keys(). */
399 } else {
400 wpa_group_sm_step(wpa_auth, group);
401 group->GInit = FALSE;
402 wpa_group_sm_step(wpa_auth, group);
403 }
404
405 return group;
406 }
407
408
409 /**
410 * wpa_init - Initialize WPA authenticator
411 * @addr: Authenticator address
412 * @conf: Configuration for WPA authenticator
413 * @cb: Callback functions for WPA authenticator
414 * Returns: Pointer to WPA authenticator data or %NULL on failure
415 */
416 struct wpa_authenticator * wpa_init(const u8 *addr,
417 struct wpa_auth_config *conf,
418 struct wpa_auth_callbacks *cb)
419 {
420 struct wpa_authenticator *wpa_auth;
421
422 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
423 if (wpa_auth == NULL)
424 return NULL;
425 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
426 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
427 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
428
429 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
430 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
431 os_free(wpa_auth);
432 return NULL;
433 }
434
435 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
436 if (wpa_auth->group == NULL) {
437 os_free(wpa_auth->wpa_ie);
438 os_free(wpa_auth);
439 return NULL;
440 }
441
442 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
443 wpa_auth);
444 if (wpa_auth->pmksa == NULL) {
445 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
446 os_free(wpa_auth->group);
447 os_free(wpa_auth->wpa_ie);
448 os_free(wpa_auth);
449 return NULL;
450 }
451
452 #ifdef CONFIG_IEEE80211R
453 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
454 if (wpa_auth->ft_pmk_cache == NULL) {
455 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
456 os_free(wpa_auth->group);
457 os_free(wpa_auth->wpa_ie);
458 pmksa_cache_auth_deinit(wpa_auth->pmksa);
459 os_free(wpa_auth);
460 return NULL;
461 }
462 #endif /* CONFIG_IEEE80211R */
463
464 if (wpa_auth->conf.wpa_gmk_rekey) {
465 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
466 wpa_rekey_gmk, wpa_auth, NULL);
467 }
468
469 if (wpa_auth->conf.wpa_group_rekey) {
470 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
471 wpa_rekey_gtk, wpa_auth, NULL);
472 }
473
474 #ifdef CONFIG_P2P
475 if (WPA_GET_BE32(conf->ip_addr_start)) {
476 int count = WPA_GET_BE32(conf->ip_addr_end) -
477 WPA_GET_BE32(conf->ip_addr_start) + 1;
478 if (count > 1000)
479 count = 1000;
480 if (count > 0)
481 wpa_auth->ip_pool = bitfield_alloc(count);
482 }
483 #endif /* CONFIG_P2P */
484
485 return wpa_auth;
486 }
487
488
489 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
490 {
491 struct wpa_group *group = wpa_auth->group;
492
493 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
494 "keys");
495 wpa_group_sm_step(wpa_auth, group);
496 group->GInit = FALSE;
497 wpa_group_sm_step(wpa_auth, group);
498 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
499 return -1;
500 return 0;
501 }
502
503
504 /**
505 * wpa_deinit - Deinitialize WPA authenticator
506 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
507 */
508 void wpa_deinit(struct wpa_authenticator *wpa_auth)
509 {
510 struct wpa_group *group, *prev;
511
512 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
513 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
514
515 #ifdef CONFIG_PEERKEY
516 while (wpa_auth->stsl_negotiations)
517 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
518 #endif /* CONFIG_PEERKEY */
519
520 pmksa_cache_auth_deinit(wpa_auth->pmksa);
521
522 #ifdef CONFIG_IEEE80211R
523 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
524 wpa_auth->ft_pmk_cache = NULL;
525 #endif /* CONFIG_IEEE80211R */
526
527 #ifdef CONFIG_P2P
528 bitfield_free(wpa_auth->ip_pool);
529 #endif /* CONFIG_P2P */
530
531
532 os_free(wpa_auth->wpa_ie);
533
534 group = wpa_auth->group;
535 while (group) {
536 prev = group;
537 group = group->next;
538 os_free(prev);
539 }
540
541 os_free(wpa_auth);
542 }
543
544
545 /**
546 * wpa_reconfig - Update WPA authenticator configuration
547 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
548 * @conf: Configuration for WPA authenticator
549 */
550 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
551 struct wpa_auth_config *conf)
552 {
553 struct wpa_group *group;
554 if (wpa_auth == NULL)
555 return 0;
556
557 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
558 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
559 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
560 return -1;
561 }
562
563 /*
564 * Reinitialize GTK to make sure it is suitable for the new
565 * configuration.
566 */
567 group = wpa_auth->group;
568 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
569 group->GInit = TRUE;
570 wpa_group_sm_step(wpa_auth, group);
571 group->GInit = FALSE;
572 wpa_group_sm_step(wpa_auth, group);
573
574 return 0;
575 }
576
577
578 struct wpa_state_machine *
579 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
580 const u8 *p2p_dev_addr)
581 {
582 struct wpa_state_machine *sm;
583
584 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
585 return NULL;
586
587 sm = os_zalloc(sizeof(struct wpa_state_machine));
588 if (sm == NULL)
589 return NULL;
590 os_memcpy(sm->addr, addr, ETH_ALEN);
591 if (p2p_dev_addr)
592 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
593
594 sm->wpa_auth = wpa_auth;
595 sm->group = wpa_auth->group;
596 wpa_group_get(sm->wpa_auth, sm->group);
597
598 return sm;
599 }
600
601
602 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
603 struct wpa_state_machine *sm)
604 {
605 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
606 return -1;
607
608 #ifdef CONFIG_IEEE80211R
609 if (sm->ft_completed) {
610 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
611 "FT authentication already completed - do not "
612 "start 4-way handshake");
613 /* Go to PTKINITDONE state to allow GTK rekeying */
614 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
615 return 0;
616 }
617 #endif /* CONFIG_IEEE80211R */
618
619 if (sm->started) {
620 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
621 sm->ReAuthenticationRequest = TRUE;
622 return wpa_sm_step(sm);
623 }
624
625 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
626 "start authentication");
627 sm->started = 1;
628
629 sm->Init = TRUE;
630 if (wpa_sm_step(sm) == 1)
631 return 1; /* should not really happen */
632 sm->Init = FALSE;
633 sm->AuthenticationRequest = TRUE;
634 return wpa_sm_step(sm);
635 }
636
637
638 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
639 {
640 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
641 * reassociates back to the same AP while the previous entry for the
642 * STA has not yet been removed. */
643 if (sm == NULL)
644 return;
645
646 sm->wpa_key_mgmt = 0;
647 }
648
649
650 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
651 {
652 #ifdef CONFIG_P2P
653 if (WPA_GET_BE32(sm->ip_addr)) {
654 u32 start;
655 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
656 "address %u.%u.%u.%u from " MACSTR,
657 sm->ip_addr[0], sm->ip_addr[1],
658 sm->ip_addr[2], sm->ip_addr[3],
659 MAC2STR(sm->addr));
660 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
661 bitfield_clear(sm->wpa_auth->ip_pool,
662 WPA_GET_BE32(sm->ip_addr) - start);
663 }
664 #endif /* CONFIG_P2P */
665 if (sm->GUpdateStationKeys) {
666 sm->group->GKeyDoneStations--;
667 sm->GUpdateStationKeys = FALSE;
668 }
669 #ifdef CONFIG_IEEE80211R
670 os_free(sm->assoc_resp_ftie);
671 wpabuf_free(sm->ft_pending_req_ies);
672 #endif /* CONFIG_IEEE80211R */
673 os_free(sm->last_rx_eapol_key);
674 os_free(sm->wpa_ie);
675 wpa_group_put(sm->wpa_auth, sm->group);
676 os_free(sm);
677 }
678
679
680 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
681 {
682 if (sm == NULL)
683 return;
684
685 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
686 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
687 "strict rekeying - force GTK rekey since STA "
688 "is leaving");
689 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
690 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
691 NULL);
692 }
693
694 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
695 sm->pending_1_of_4_timeout = 0;
696 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
697 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
698 if (sm->in_step_loop) {
699 /* Must not free state machine while wpa_sm_step() is running.
700 * Freeing will be completed in the end of wpa_sm_step(). */
701 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
702 "machine deinit for " MACSTR, MAC2STR(sm->addr));
703 sm->pending_deinit = 1;
704 } else
705 wpa_free_sta_sm(sm);
706 }
707
708
709 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
710 {
711 if (sm == NULL)
712 return;
713
714 sm->PTKRequest = TRUE;
715 sm->PTK_valid = 0;
716 }
717
718
719 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
720 const u8 *replay_counter)
721 {
722 int i;
723 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
724 if (!ctr[i].valid)
725 break;
726 if (os_memcmp(replay_counter, ctr[i].counter,
727 WPA_REPLAY_COUNTER_LEN) == 0)
728 return 1;
729 }
730 return 0;
731 }
732
733
734 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
735 const u8 *replay_counter)
736 {
737 int i;
738 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
739 if (ctr[i].valid &&
740 (replay_counter == NULL ||
741 os_memcmp(replay_counter, ctr[i].counter,
742 WPA_REPLAY_COUNTER_LEN) == 0))
743 ctr[i].valid = FALSE;
744 }
745 }
746
747
748 #ifdef CONFIG_IEEE80211R
749 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
750 struct wpa_state_machine *sm,
751 struct wpa_eapol_ie_parse *kde)
752 {
753 struct wpa_ie_data ie;
754 struct rsn_mdie *mdie;
755
756 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
757 ie.num_pmkid != 1 || ie.pmkid == NULL) {
758 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
759 "FT 4-way handshake message 2/4");
760 return -1;
761 }
762
763 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
764 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
765 sm->sup_pmk_r1_name, PMKID_LEN);
766
767 if (!kde->mdie || !kde->ftie) {
768 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
769 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
770 return -1;
771 }
772
773 mdie = (struct rsn_mdie *) (kde->mdie + 2);
774 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
775 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
776 MOBILITY_DOMAIN_ID_LEN) != 0) {
777 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
778 return -1;
779 }
780
781 if (sm->assoc_resp_ftie &&
782 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
783 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
784 2 + sm->assoc_resp_ftie[1]) != 0)) {
785 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
786 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
787 kde->ftie, kde->ftie_len);
788 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
789 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
790 return -1;
791 }
792
793 return 0;
794 }
795 #endif /* CONFIG_IEEE80211R */
796
797
798 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
799 struct wpa_state_machine *sm, int group)
800 {
801 /* Supplicant reported a Michael MIC error */
802 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
803 "received EAPOL-Key Error Request "
804 "(STA detected Michael MIC failure (group=%d))",
805 group);
806
807 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
808 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
809 "ignore Michael MIC failure report since "
810 "group cipher is not TKIP");
811 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
812 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
813 "ignore Michael MIC failure report since "
814 "pairwise cipher is not TKIP");
815 } else {
816 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
817 return 1; /* STA entry was removed */
818 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
819 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
820 }
821
822 /*
823 * Error report is not a request for a new key handshake, but since
824 * Authenticator may do it, let's change the keys now anyway.
825 */
826 wpa_request_new_ptk(sm);
827 return 0;
828 }
829
830
831 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
832 size_t data_len)
833 {
834 struct wpa_ptk PTK;
835 int ok = 0;
836 const u8 *pmk = NULL;
837 unsigned int pmk_len;
838
839 os_memset(&PTK, 0, sizeof(PTK));
840 for (;;) {
841 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
842 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
843 sm->p2p_dev_addr, pmk);
844 if (pmk == NULL)
845 break;
846 pmk_len = PMK_LEN;
847 } else {
848 pmk = sm->PMK;
849 pmk_len = sm->pmk_len;
850 }
851
852 wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK);
853
854 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
855 == 0) {
856 ok = 1;
857 break;
858 }
859
860 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
861 break;
862 }
863
864 if (!ok) {
865 wpa_printf(MSG_DEBUG,
866 "WPA: Earlier SNonce did not result in matching MIC");
867 return -1;
868 }
869
870 wpa_printf(MSG_DEBUG,
871 "WPA: Earlier SNonce resulted in matching MIC");
872 sm->alt_snonce_valid = 0;
873 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
874 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
875 sm->PTK_valid = TRUE;
876
877 return 0;
878 }
879
880
881 void wpa_receive(struct wpa_authenticator *wpa_auth,
882 struct wpa_state_machine *sm,
883 u8 *data, size_t data_len)
884 {
885 struct ieee802_1x_hdr *hdr;
886 struct wpa_eapol_key *key;
887 u16 key_info, key_data_length;
888 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
889 SMK_M1, SMK_M3, SMK_ERROR } msg;
890 char *msgtxt;
891 struct wpa_eapol_ie_parse kde;
892 const u8 *key_data;
893 size_t keyhdrlen, mic_len;
894 u8 *mic;
895
896 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
897 return;
898 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
899
900 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
901 keyhdrlen = sizeof(*key) + mic_len + 2;
902
903 if (data_len < sizeof(*hdr) + keyhdrlen) {
904 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
905 return;
906 }
907
908 hdr = (struct ieee802_1x_hdr *) data;
909 key = (struct wpa_eapol_key *) (hdr + 1);
910 mic = (u8 *) (key + 1);
911 key_info = WPA_GET_BE16(key->key_info);
912 key_data = mic + mic_len + 2;
913 key_data_length = WPA_GET_BE16(mic + mic_len);
914 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
915 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
916 MAC2STR(sm->addr), key_info, key->type,
917 (unsigned int) mic_len, key_data_length);
918 wpa_hexdump(MSG_MSGDUMP,
919 "WPA: EAPOL-Key header (ending before Key MIC)",
920 key, sizeof(*key));
921 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
922 mic, mic_len);
923 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
924 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
925 "key_data overflow (%d > %lu)",
926 key_data_length,
927 (unsigned long) (data_len - sizeof(*hdr) -
928 keyhdrlen));
929 return;
930 }
931
932 if (sm->wpa == WPA_VERSION_WPA2) {
933 if (key->type == EAPOL_KEY_TYPE_WPA) {
934 /*
935 * Some deployed station implementations seem to send
936 * msg 4/4 with incorrect type value in WPA2 mode.
937 */
938 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
939 "with unexpected WPA type in RSN mode");
940 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
941 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
942 "unexpected type %d in RSN mode",
943 key->type);
944 return;
945 }
946 } else {
947 if (key->type != EAPOL_KEY_TYPE_WPA) {
948 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
949 "unexpected type %d in WPA mode",
950 key->type);
951 return;
952 }
953 }
954
955 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
956 WPA_NONCE_LEN);
957 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
958 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
959
960 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
961 * are set */
962
963 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
964 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
965 if (key_info & WPA_KEY_INFO_ERROR) {
966 msg = SMK_ERROR;
967 msgtxt = "SMK Error";
968 } else {
969 msg = SMK_M1;
970 msgtxt = "SMK M1";
971 }
972 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
973 msg = SMK_M3;
974 msgtxt = "SMK M3";
975 } else if (key_info & WPA_KEY_INFO_REQUEST) {
976 msg = REQUEST;
977 msgtxt = "Request";
978 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
979 msg = GROUP_2;
980 msgtxt = "2/2 Group";
981 } else if (key_data_length == 0 ||
982 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
983 key_data_length == AES_BLOCK_SIZE)) {
984 msg = PAIRWISE_4;
985 msgtxt = "4/4 Pairwise";
986 } else {
987 msg = PAIRWISE_2;
988 msgtxt = "2/4 Pairwise";
989 }
990
991 /* TODO: key_info type validation for PeerKey */
992 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
993 msg == GROUP_2) {
994 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
995 if (sm->pairwise == WPA_CIPHER_CCMP ||
996 sm->pairwise == WPA_CIPHER_GCMP) {
997 if (wpa_use_aes_cmac(sm) &&
998 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
999 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
1000 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1001 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1002 wpa_auth_logger(wpa_auth, sm->addr,
1003 LOGGER_WARNING,
1004 "advertised support for "
1005 "AES-128-CMAC, but did not "
1006 "use it");
1007 return;
1008 }
1009
1010 if (!wpa_use_aes_cmac(sm) &&
1011 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1012 wpa_auth_logger(wpa_auth, sm->addr,
1013 LOGGER_WARNING,
1014 "did not use HMAC-SHA1-AES "
1015 "with CCMP/GCMP");
1016 return;
1017 }
1018 }
1019
1020 if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
1021 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1022 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1023 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1024 return;
1025 }
1026 }
1027
1028 if (key_info & WPA_KEY_INFO_REQUEST) {
1029 if (sm->req_replay_counter_used &&
1030 os_memcmp(key->replay_counter, sm->req_replay_counter,
1031 WPA_REPLAY_COUNTER_LEN) <= 0) {
1032 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1033 "received EAPOL-Key request with "
1034 "replayed counter");
1035 return;
1036 }
1037 }
1038
1039 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1040 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1041 int i;
1042
1043 if (msg == PAIRWISE_2 &&
1044 wpa_replay_counter_valid(sm->prev_key_replay,
1045 key->replay_counter) &&
1046 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1047 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1048 {
1049 /*
1050 * Some supplicant implementations (e.g., Windows XP
1051 * WZC) update SNonce for each EAPOL-Key 2/4. This
1052 * breaks the workaround on accepting any of the
1053 * pending requests, so allow the SNonce to be updated
1054 * even if we have already sent out EAPOL-Key 3/4.
1055 */
1056 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1057 "Process SNonce update from STA "
1058 "based on retransmitted EAPOL-Key "
1059 "1/4");
1060 sm->update_snonce = 1;
1061 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1062 sm->alt_snonce_valid = TRUE;
1063 os_memcpy(sm->alt_replay_counter,
1064 sm->key_replay[0].counter,
1065 WPA_REPLAY_COUNTER_LEN);
1066 goto continue_processing;
1067 }
1068
1069 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1070 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1071 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1072 WPA_REPLAY_COUNTER_LEN) == 0) {
1073 /*
1074 * Supplicant may still be using the old SNonce since
1075 * there was two EAPOL-Key 2/4 messages and they had
1076 * different SNonce values.
1077 */
1078 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1079 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1080 goto continue_processing;
1081 }
1082
1083 if (msg == PAIRWISE_2 &&
1084 wpa_replay_counter_valid(sm->prev_key_replay,
1085 key->replay_counter) &&
1086 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1087 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1088 "ignore retransmitted EAPOL-Key %s - "
1089 "SNonce did not change", msgtxt);
1090 } else {
1091 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1092 "received EAPOL-Key %s with "
1093 "unexpected replay counter", msgtxt);
1094 }
1095 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1096 if (!sm->key_replay[i].valid)
1097 break;
1098 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1099 sm->key_replay[i].counter,
1100 WPA_REPLAY_COUNTER_LEN);
1101 }
1102 wpa_hexdump(MSG_DEBUG, "received replay counter",
1103 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1104 return;
1105 }
1106
1107 continue_processing:
1108 #ifdef CONFIG_FILS
1109 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1110 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1111 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1112 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1113 return;
1114 }
1115 #endif /* CONFIG_FILS */
1116
1117 switch (msg) {
1118 case PAIRWISE_2:
1119 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1120 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1121 (!sm->update_snonce ||
1122 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1123 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1124 "received EAPOL-Key msg 2/4 in "
1125 "invalid state (%d) - dropped",
1126 sm->wpa_ptk_state);
1127 return;
1128 }
1129 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1130 if (sm->group->reject_4way_hs_for_entropy) {
1131 /*
1132 * The system did not have enough entropy to generate
1133 * strong random numbers. Reject the first 4-way
1134 * handshake(s) and collect some entropy based on the
1135 * information from it. Once enough entropy is
1136 * available, the next atempt will trigger GMK/Key
1137 * Counter update and the station will be allowed to
1138 * continue.
1139 */
1140 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1141 "collect more entropy for random number "
1142 "generation");
1143 random_mark_pool_ready();
1144 wpa_sta_disconnect(wpa_auth, sm->addr);
1145 return;
1146 }
1147 break;
1148 case PAIRWISE_4:
1149 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1150 !sm->PTK_valid) {
1151 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1152 "received EAPOL-Key msg 4/4 in "
1153 "invalid state (%d) - dropped",
1154 sm->wpa_ptk_state);
1155 return;
1156 }
1157 break;
1158 case GROUP_2:
1159 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1160 || !sm->PTK_valid) {
1161 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1162 "received EAPOL-Key msg 2/2 in "
1163 "invalid state (%d) - dropped",
1164 sm->wpa_ptk_group_state);
1165 return;
1166 }
1167 break;
1168 #ifdef CONFIG_PEERKEY
1169 case SMK_M1:
1170 case SMK_M3:
1171 case SMK_ERROR:
1172 if (!wpa_auth->conf.peerkey) {
1173 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1174 "PeerKey use disabled - ignoring message");
1175 return;
1176 }
1177 if (!sm->PTK_valid) {
1178 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1179 "received EAPOL-Key msg SMK in "
1180 "invalid state - dropped");
1181 return;
1182 }
1183 break;
1184 #else /* CONFIG_PEERKEY */
1185 case SMK_M1:
1186 case SMK_M3:
1187 case SMK_ERROR:
1188 return; /* STSL disabled - ignore SMK messages */
1189 #endif /* CONFIG_PEERKEY */
1190 case REQUEST:
1191 break;
1192 }
1193
1194 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1195 "received EAPOL-Key frame (%s)", msgtxt);
1196
1197 if (key_info & WPA_KEY_INFO_ACK) {
1198 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1199 "received invalid EAPOL-Key: Key Ack set");
1200 return;
1201 }
1202
1203 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1204 !(key_info & WPA_KEY_INFO_MIC)) {
1205 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1206 "received invalid EAPOL-Key: Key MIC not set");
1207 return;
1208 }
1209
1210 #ifdef CONFIG_FILS
1211 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1212 (key_info & WPA_KEY_INFO_MIC)) {
1213 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1214 "received invalid EAPOL-Key: Key MIC set");
1215 return;
1216 }
1217 #endif /* CONFIG_FILS */
1218
1219 sm->MICVerified = FALSE;
1220 if (sm->PTK_valid && !sm->update_snonce) {
1221 if (mic_len &&
1222 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
1223 data_len) &&
1224 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1225 wpa_try_alt_snonce(sm, data, data_len))) {
1226 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1227 "received EAPOL-Key with invalid MIC");
1228 return;
1229 }
1230 #ifdef CONFIG_FILS
1231 if (!mic_len &&
1232 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1233 &key_data_length) < 0) {
1234 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1235 "received EAPOL-Key with invalid MIC");
1236 return;
1237 }
1238 #endif /* CONFIG_FILS */
1239 sm->MICVerified = TRUE;
1240 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1241 sm->pending_1_of_4_timeout = 0;
1242 }
1243
1244 if (key_info & WPA_KEY_INFO_REQUEST) {
1245 if (sm->MICVerified) {
1246 sm->req_replay_counter_used = 1;
1247 os_memcpy(sm->req_replay_counter, key->replay_counter,
1248 WPA_REPLAY_COUNTER_LEN);
1249 } else {
1250 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1251 "received EAPOL-Key request with "
1252 "invalid MIC");
1253 return;
1254 }
1255
1256 /*
1257 * TODO: should decrypt key data field if encryption was used;
1258 * even though MAC address KDE is not normally encrypted,
1259 * supplicant is allowed to encrypt it.
1260 */
1261 if (msg == SMK_ERROR) {
1262 #ifdef CONFIG_PEERKEY
1263 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
1264 #endif /* CONFIG_PEERKEY */
1265 return;
1266 } else if (key_info & WPA_KEY_INFO_ERROR) {
1267 if (wpa_receive_error_report(
1268 wpa_auth, sm,
1269 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1270 return; /* STA entry was removed */
1271 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1272 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1273 "received EAPOL-Key Request for new "
1274 "4-Way Handshake");
1275 wpa_request_new_ptk(sm);
1276 #ifdef CONFIG_PEERKEY
1277 } else if (msg == SMK_M1) {
1278 wpa_smk_m1(wpa_auth, sm, key, key_data,
1279 key_data_length);
1280 #endif /* CONFIG_PEERKEY */
1281 } else if (key_data_length > 0 &&
1282 wpa_parse_kde_ies(key_data, key_data_length,
1283 &kde) == 0 &&
1284 kde.mac_addr) {
1285 } else {
1286 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1287 "received EAPOL-Key Request for GTK "
1288 "rekeying");
1289 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1290 wpa_rekey_gtk(wpa_auth, NULL);
1291 }
1292 } else {
1293 /* Do not allow the same key replay counter to be reused. */
1294 wpa_replay_counter_mark_invalid(sm->key_replay,
1295 key->replay_counter);
1296
1297 if (msg == PAIRWISE_2) {
1298 /*
1299 * Maintain a copy of the pending EAPOL-Key frames in
1300 * case the EAPOL-Key frame was retransmitted. This is
1301 * needed to allow EAPOL-Key msg 2/4 reply to another
1302 * pending msg 1/4 to update the SNonce to work around
1303 * unexpected supplicant behavior.
1304 */
1305 os_memcpy(sm->prev_key_replay, sm->key_replay,
1306 sizeof(sm->key_replay));
1307 } else {
1308 os_memset(sm->prev_key_replay, 0,
1309 sizeof(sm->prev_key_replay));
1310 }
1311
1312 /*
1313 * Make sure old valid counters are not accepted anymore and
1314 * do not get copied again.
1315 */
1316 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1317 }
1318
1319 #ifdef CONFIG_PEERKEY
1320 if (msg == SMK_M3) {
1321 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
1322 return;
1323 }
1324 #endif /* CONFIG_PEERKEY */
1325
1326 os_free(sm->last_rx_eapol_key);
1327 sm->last_rx_eapol_key = os_malloc(data_len);
1328 if (sm->last_rx_eapol_key == NULL)
1329 return;
1330 os_memcpy(sm->last_rx_eapol_key, data, data_len);
1331 sm->last_rx_eapol_key_len = data_len;
1332
1333 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1334 sm->EAPOLKeyReceived = TRUE;
1335 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1336 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1337 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1338 wpa_sm_step(sm);
1339 }
1340
1341
1342 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1343 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1344 {
1345 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1346 u8 *pos;
1347 int ret = 0;
1348
1349 /* GTK = PRF-X(GMK, "Group key expansion",
1350 * AA || GNonce || Time || random data)
1351 * The example described in the IEEE 802.11 standard uses only AA and
1352 * GNonce as inputs here. Add some more entropy since this derivation
1353 * is done only at the Authenticator and as such, does not need to be
1354 * exactly same.
1355 */
1356 os_memcpy(data, addr, ETH_ALEN);
1357 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1358 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1359 wpa_get_ntp_timestamp(pos);
1360 pos += 8;
1361 if (random_get_bytes(pos, 16) < 0)
1362 ret = -1;
1363
1364 #ifdef CONFIG_IEEE80211W
1365 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1366 #else /* CONFIG_IEEE80211W */
1367 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1368 < 0)
1369 ret = -1;
1370 #endif /* CONFIG_IEEE80211W */
1371
1372 return ret;
1373 }
1374
1375
1376 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1377 {
1378 struct wpa_authenticator *wpa_auth = eloop_ctx;
1379 struct wpa_state_machine *sm = timeout_ctx;
1380
1381 sm->pending_1_of_4_timeout = 0;
1382 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1383 sm->TimeoutEvt = TRUE;
1384 wpa_sm_step(sm);
1385 }
1386
1387
1388 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1389 struct wpa_state_machine *sm, int key_info,
1390 const u8 *key_rsc, const u8 *nonce,
1391 const u8 *kde, size_t kde_len,
1392 int keyidx, int encr, int force_version)
1393 {
1394 struct ieee802_1x_hdr *hdr;
1395 struct wpa_eapol_key *key;
1396 size_t len, mic_len, keyhdrlen;
1397 int alg;
1398 int key_data_len, pad_len = 0;
1399 u8 *buf, *pos;
1400 int version, pairwise;
1401 int i;
1402 u8 *key_mic, *key_data;
1403
1404 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
1405 keyhdrlen = sizeof(*key) + mic_len + 2;
1406
1407 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1408
1409 if (force_version)
1410 version = force_version;
1411 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1412 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1413 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
1414 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1415 else if (wpa_use_aes_cmac(sm))
1416 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1417 else if (sm->pairwise != WPA_CIPHER_TKIP)
1418 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1419 else
1420 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1421
1422 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1423
1424 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1425 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1426 "encr=%d)",
1427 version,
1428 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1429 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1430 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1431 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1432 pairwise, (unsigned long) kde_len, keyidx, encr);
1433
1434 key_data_len = kde_len;
1435
1436 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1437 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1438 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1439 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1440 pad_len = key_data_len % 8;
1441 if (pad_len)
1442 pad_len = 8 - pad_len;
1443 key_data_len += pad_len + 8;
1444 }
1445
1446 len += key_data_len;
1447 if (!mic_len && encr)
1448 len += AES_BLOCK_SIZE;
1449
1450 hdr = os_zalloc(len);
1451 if (hdr == NULL)
1452 return;
1453 hdr->version = wpa_auth->conf.eapol_version;
1454 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1455 hdr->length = host_to_be16(len - sizeof(*hdr));
1456 key = (struct wpa_eapol_key *) (hdr + 1);
1457 key_mic = (u8 *) (key + 1);
1458 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1459
1460 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1461 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1462 key_info |= version;
1463 if (encr && sm->wpa == WPA_VERSION_WPA2)
1464 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1465 if (sm->wpa != WPA_VERSION_WPA2)
1466 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1467 WPA_PUT_BE16(key->key_info, key_info);
1468
1469 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1470 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1471 if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1472 WPA_PUT_BE16(key->key_length, 0);
1473
1474 /* FIX: STSL: what to use as key_replay_counter? */
1475 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1476 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1477 os_memcpy(sm->key_replay[i].counter,
1478 sm->key_replay[i - 1].counter,
1479 WPA_REPLAY_COUNTER_LEN);
1480 }
1481 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1482 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1483 WPA_REPLAY_COUNTER_LEN);
1484 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1485 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1486 sm->key_replay[0].valid = TRUE;
1487
1488 if (nonce)
1489 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1490
1491 if (key_rsc)
1492 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1493
1494 if (kde && !encr) {
1495 os_memcpy(key_data, kde, kde_len);
1496 WPA_PUT_BE16(key_mic + mic_len, kde_len);
1497 #ifdef CONFIG_FILS
1498 } else if (!mic_len) {
1499 const u8 *aad[1];
1500 size_t aad_len[1];
1501
1502 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1503 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1504 kde, kde_len);
1505
1506 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1507 sm->PTK.kek, sm->PTK.kek_len);
1508 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1509 * to Key Data (exclusive). */
1510 aad[0] = (u8 *) hdr;
1511 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1512 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1513 1, aad, aad_len, key_mic + 2) < 0) {
1514 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1515 return;
1516 }
1517
1518 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1519 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1520 #endif /* CONFIG_FILS */
1521 } else if (encr && kde) {
1522 buf = os_zalloc(key_data_len);
1523 if (buf == NULL) {
1524 os_free(hdr);
1525 return;
1526 }
1527 pos = buf;
1528 os_memcpy(pos, kde, kde_len);
1529 pos += kde_len;
1530
1531 if (pad_len)
1532 *pos++ = 0xdd;
1533
1534 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1535 buf, key_data_len);
1536 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1537 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1538 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1539 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1540 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1541 (key_data_len - 8) / 8, buf, key_data)) {
1542 os_free(hdr);
1543 os_free(buf);
1544 return;
1545 }
1546 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1547 #ifndef CONFIG_NO_RC4
1548 } else if (sm->PTK.kek_len == 16) {
1549 u8 ek[32];
1550 os_memcpy(key->key_iv,
1551 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1552 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1553 os_memcpy(ek, key->key_iv, 16);
1554 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1555 os_memcpy(key_data, buf, key_data_len);
1556 rc4_skip(ek, 32, 256, key_data, key_data_len);
1557 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1558 #endif /* CONFIG_NO_RC4 */
1559 } else {
1560 os_free(hdr);
1561 os_free(buf);
1562 return;
1563 }
1564 os_free(buf);
1565 }
1566
1567 if (key_info & WPA_KEY_INFO_MIC) {
1568 if (!sm->PTK_valid || !mic_len) {
1569 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1570 "PTK not valid when sending EAPOL-Key "
1571 "frame");
1572 os_free(hdr);
1573 return;
1574 }
1575
1576 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1577 sm->wpa_key_mgmt, version,
1578 (u8 *) hdr, len, key_mic);
1579 #ifdef CONFIG_TESTING_OPTIONS
1580 if (!pairwise &&
1581 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1582 drand48() <
1583 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1584 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1585 "Corrupting group EAPOL-Key Key MIC");
1586 key_mic[0]++;
1587 }
1588 #endif /* CONFIG_TESTING_OPTIONS */
1589 }
1590
1591 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1592 1);
1593 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1594 sm->pairwise_set);
1595 os_free(hdr);
1596 }
1597
1598
1599 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1600 struct wpa_state_machine *sm, int key_info,
1601 const u8 *key_rsc, const u8 *nonce,
1602 const u8 *kde, size_t kde_len,
1603 int keyidx, int encr)
1604 {
1605 int timeout_ms;
1606 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1607 int ctr;
1608
1609 if (sm == NULL)
1610 return;
1611
1612 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1613 keyidx, encr, 0);
1614
1615 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1616 if (ctr == 1 && wpa_auth->conf.tx_status)
1617 timeout_ms = pairwise ? eapol_key_timeout_first :
1618 eapol_key_timeout_first_group;
1619 else
1620 timeout_ms = eapol_key_timeout_subseq;
1621 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1622 sm->pending_1_of_4_timeout = 1;
1623 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1624 "counter %d)", timeout_ms, ctr);
1625 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1626 wpa_send_eapol_timeout, wpa_auth, sm);
1627 }
1628
1629
1630 static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1631 size_t data_len)
1632 {
1633 struct ieee802_1x_hdr *hdr;
1634 struct wpa_eapol_key *key;
1635 u16 key_info;
1636 int ret = 0;
1637 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
1638 size_t mic_len = wpa_mic_len(akmp);
1639
1640 if (data_len < sizeof(*hdr) + sizeof(*key))
1641 return -1;
1642
1643 hdr = (struct ieee802_1x_hdr *) data;
1644 key = (struct wpa_eapol_key *) (hdr + 1);
1645 mic_pos = (u8 *) (key + 1);
1646 key_info = WPA_GET_BE16(key->key_info);
1647 os_memcpy(mic, mic_pos, mic_len);
1648 os_memset(mic_pos, 0, mic_len);
1649 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1650 key_info & WPA_KEY_INFO_TYPE_MASK,
1651 data, data_len, mic_pos) ||
1652 os_memcmp_const(mic, mic_pos, mic_len) != 0)
1653 ret = -1;
1654 os_memcpy(mic_pos, mic, mic_len);
1655 return ret;
1656 }
1657
1658
1659 void wpa_remove_ptk(struct wpa_state_machine *sm)
1660 {
1661 sm->PTK_valid = FALSE;
1662 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1663 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
1664 sm->pairwise_set = FALSE;
1665 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1666 }
1667
1668
1669 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1670 {
1671 int remove_ptk = 1;
1672
1673 if (sm == NULL)
1674 return -1;
1675
1676 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1677 "event %d notification", event);
1678
1679 switch (event) {
1680 case WPA_AUTH:
1681 #ifdef CONFIG_MESH
1682 /* PTKs are derived through AMPE */
1683 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1684 /* not mesh */
1685 break;
1686 }
1687 return 0;
1688 #endif /* CONFIG_MESH */
1689 case WPA_ASSOC:
1690 break;
1691 case WPA_DEAUTH:
1692 case WPA_DISASSOC:
1693 sm->DeauthenticationRequest = TRUE;
1694 break;
1695 case WPA_REAUTH:
1696 case WPA_REAUTH_EAPOL:
1697 if (!sm->started) {
1698 /*
1699 * When using WPS, we may end up here if the STA
1700 * manages to re-associate without the previous STA
1701 * entry getting removed. Consequently, we need to make
1702 * sure that the WPA state machines gets initialized
1703 * properly at this point.
1704 */
1705 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1706 "started - initialize now");
1707 sm->started = 1;
1708 sm->Init = TRUE;
1709 if (wpa_sm_step(sm) == 1)
1710 return 1; /* should not really happen */
1711 sm->Init = FALSE;
1712 sm->AuthenticationRequest = TRUE;
1713 break;
1714 }
1715 if (sm->GUpdateStationKeys) {
1716 /*
1717 * Reauthentication cancels the pending group key
1718 * update for this STA.
1719 */
1720 sm->group->GKeyDoneStations--;
1721 sm->GUpdateStationKeys = FALSE;
1722 sm->PtkGroupInit = TRUE;
1723 }
1724 sm->ReAuthenticationRequest = TRUE;
1725 break;
1726 case WPA_ASSOC_FT:
1727 #ifdef CONFIG_IEEE80211R
1728 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1729 "after association");
1730 wpa_ft_install_ptk(sm);
1731
1732 /* Using FT protocol, not WPA auth state machine */
1733 sm->ft_completed = 1;
1734 return 0;
1735 #else /* CONFIG_IEEE80211R */
1736 break;
1737 #endif /* CONFIG_IEEE80211R */
1738 }
1739
1740 #ifdef CONFIG_IEEE80211R
1741 sm->ft_completed = 0;
1742 #endif /* CONFIG_IEEE80211R */
1743
1744 #ifdef CONFIG_IEEE80211W
1745 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1746 remove_ptk = 0;
1747 #endif /* CONFIG_IEEE80211W */
1748
1749 if (remove_ptk) {
1750 sm->PTK_valid = FALSE;
1751 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1752
1753 if (event != WPA_REAUTH_EAPOL)
1754 wpa_remove_ptk(sm);
1755 }
1756
1757 if (sm->in_step_loop) {
1758 /*
1759 * wpa_sm_step() is already running - avoid recursive call to
1760 * it by making the existing loop process the new update.
1761 */
1762 sm->changed = TRUE;
1763 return 0;
1764 }
1765 return wpa_sm_step(sm);
1766 }
1767
1768
1769 SM_STATE(WPA_PTK, INITIALIZE)
1770 {
1771 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1772 if (sm->Init) {
1773 /* Init flag is not cleared here, so avoid busy
1774 * loop by claiming nothing changed. */
1775 sm->changed = FALSE;
1776 }
1777
1778 sm->keycount = 0;
1779 if (sm->GUpdateStationKeys)
1780 sm->group->GKeyDoneStations--;
1781 sm->GUpdateStationKeys = FALSE;
1782 if (sm->wpa == WPA_VERSION_WPA)
1783 sm->PInitAKeys = FALSE;
1784 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1785 * Local AA > Remote AA)) */) {
1786 sm->Pair = TRUE;
1787 }
1788 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1789 wpa_remove_ptk(sm);
1790 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1791 sm->TimeoutCtr = 0;
1792 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1793 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1794 WPA_EAPOL_authorized, 0);
1795 }
1796 }
1797
1798
1799 SM_STATE(WPA_PTK, DISCONNECT)
1800 {
1801 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1802 sm->Disconnect = FALSE;
1803 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1804 }
1805
1806
1807 SM_STATE(WPA_PTK, DISCONNECTED)
1808 {
1809 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1810 sm->DeauthenticationRequest = FALSE;
1811 }
1812
1813
1814 SM_STATE(WPA_PTK, AUTHENTICATION)
1815 {
1816 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1817 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1818 sm->PTK_valid = FALSE;
1819 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1820 1);
1821 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1822 sm->AuthenticationRequest = FALSE;
1823 }
1824
1825
1826 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1827 struct wpa_group *group)
1828 {
1829 if (group->first_sta_seen)
1830 return;
1831 /*
1832 * System has run bit further than at the time hostapd was started
1833 * potentially very early during boot up. This provides better chances
1834 * of collecting more randomness on embedded systems. Re-initialize the
1835 * GMK and Counter here to improve their strength if there was not
1836 * enough entropy available immediately after system startup.
1837 */
1838 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1839 "station");
1840 if (random_pool_ready() != 1) {
1841 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1842 "to proceed - reject first 4-way handshake");
1843 group->reject_4way_hs_for_entropy = TRUE;
1844 } else {
1845 group->first_sta_seen = TRUE;
1846 group->reject_4way_hs_for_entropy = FALSE;
1847 }
1848
1849 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1850 wpa_gtk_update(wpa_auth, group) < 0 ||
1851 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1852 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1853 group->first_sta_seen = FALSE;
1854 group->reject_4way_hs_for_entropy = TRUE;
1855 }
1856 }
1857
1858
1859 SM_STATE(WPA_PTK, AUTHENTICATION2)
1860 {
1861 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1862
1863 wpa_group_ensure_init(sm->wpa_auth, sm->group);
1864 sm->ReAuthenticationRequest = FALSE;
1865
1866 /*
1867 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1868 * ambiguous. The Authenticator state machine uses a counter that is
1869 * incremented by one for each 4-way handshake. However, the security
1870 * analysis of 4-way handshake points out that unpredictable nonces
1871 * help in preventing precomputation attacks. Instead of the state
1872 * machine definition, use an unpredictable nonce value here to provide
1873 * stronger protection against potential precomputation attacks.
1874 */
1875 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1876 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1877 "ANonce.");
1878 sm->Disconnect = TRUE;
1879 return;
1880 }
1881 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1882 WPA_NONCE_LEN);
1883 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1884 * logical place than INITIALIZE since AUTHENTICATION2 can be
1885 * re-entered on ReAuthenticationRequest without going through
1886 * INITIALIZE. */
1887 sm->TimeoutCtr = 0;
1888 }
1889
1890
1891 SM_STATE(WPA_PTK, INITPMK)
1892 {
1893 u8 msk[2 * PMK_LEN];
1894 size_t len = 2 * PMK_LEN;
1895
1896 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1897 #ifdef CONFIG_IEEE80211R
1898 sm->xxkey_len = 0;
1899 #endif /* CONFIG_IEEE80211R */
1900 if (sm->pmksa) {
1901 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1902 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1903 sm->pmk_len = sm->pmksa->pmk_len;
1904 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1905 unsigned int pmk_len;
1906
1907 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
1908 pmk_len = PMK_LEN_SUITE_B_192;
1909 else
1910 pmk_len = PMK_LEN;
1911 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1912 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1913 pmk_len);
1914 if (len < pmk_len) {
1915 wpa_printf(MSG_DEBUG,
1916 "WPA: MSK not long enough (%u) to create PMK (%u)",
1917 (unsigned int) len, (unsigned int) pmk_len);
1918 sm->Disconnect = TRUE;
1919 return;
1920 }
1921 os_memcpy(sm->PMK, msk, pmk_len);
1922 sm->pmk_len = pmk_len;
1923 #ifdef CONFIG_IEEE80211R
1924 if (len >= 2 * PMK_LEN) {
1925 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1926 sm->xxkey_len = PMK_LEN;
1927 }
1928 #endif /* CONFIG_IEEE80211R */
1929 } else {
1930 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
1931 sm->wpa_auth->cb.get_msk);
1932 sm->Disconnect = TRUE;
1933 return;
1934 }
1935 os_memset(msk, 0, sizeof(msk));
1936
1937 sm->req_replay_counter_used = 0;
1938 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1939 * will break reauthentication since EAPOL state machines may not be
1940 * get into AUTHENTICATING state that clears keyRun before WPA state
1941 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1942 * state and takes PMK from the previously used AAA Key. This will
1943 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1944 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1945 * be good workaround for this issue. */
1946 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1947 }
1948
1949
1950 SM_STATE(WPA_PTK, INITPSK)
1951 {
1952 const u8 *psk;
1953 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1954 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
1955 if (psk) {
1956 os_memcpy(sm->PMK, psk, PMK_LEN);
1957 sm->pmk_len = PMK_LEN;
1958 #ifdef CONFIG_IEEE80211R
1959 os_memcpy(sm->xxkey, psk, PMK_LEN);
1960 sm->xxkey_len = PMK_LEN;
1961 #endif /* CONFIG_IEEE80211R */
1962 }
1963 sm->req_replay_counter_used = 0;
1964 }
1965
1966
1967 SM_STATE(WPA_PTK, PTKSTART)
1968 {
1969 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1970 size_t pmkid_len = 0;
1971
1972 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1973 sm->PTKRequest = FALSE;
1974 sm->TimeoutEvt = FALSE;
1975 sm->alt_snonce_valid = FALSE;
1976
1977 sm->TimeoutCtr++;
1978 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1979 /* No point in sending the EAPOL-Key - we will disconnect
1980 * immediately following this. */
1981 return;
1982 }
1983
1984 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1985 "sending 1/4 msg of 4-Way Handshake");
1986 /*
1987 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1988 * one possible PSK for this STA.
1989 */
1990 if (sm->wpa == WPA_VERSION_WPA2 &&
1991 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
1992 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
1993 pmkid = buf;
1994 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
1995 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
1996 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
1997 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
1998 if (sm->pmksa) {
1999 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2000 sm->pmksa->pmkid, PMKID_LEN);
2001 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2002 /* No KCK available to derive PMKID */
2003 pmkid = NULL;
2004 } else {
2005 /*
2006 * Calculate PMKID since no PMKSA cache entry was
2007 * available with pre-calculated PMKID.
2008 */
2009 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
2010 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2011 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
2012 }
2013 }
2014 wpa_send_eapol(sm->wpa_auth, sm,
2015 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2016 sm->ANonce, pmkid, pmkid_len, 0, 0);
2017 }
2018
2019
2020 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2021 const u8 *pmk, unsigned int pmk_len,
2022 struct wpa_ptk *ptk)
2023 {
2024 #ifdef CONFIG_IEEE80211R
2025 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
2026 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
2027 #endif /* CONFIG_IEEE80211R */
2028
2029 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2030 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2031 ptk, sm->wpa_key_mgmt, sm->pairwise);
2032 }
2033
2034
2035 #ifdef CONFIG_FILS
2036 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
2037 u8 *buf, size_t buf_len, u16 *_key_data_len)
2038 {
2039 struct ieee802_1x_hdr *hdr;
2040 struct wpa_eapol_key *key;
2041 u8 *pos;
2042 u16 key_data_len;
2043 u8 *tmp;
2044 const u8 *aad[1];
2045 size_t aad_len[1];
2046
2047 hdr = (struct ieee802_1x_hdr *) buf;
2048 key = (struct wpa_eapol_key *) (hdr + 1);
2049 pos = (u8 *) (key + 1);
2050 key_data_len = WPA_GET_BE16(pos);
2051 if (key_data_len < AES_BLOCK_SIZE ||
2052 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2053 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2054 "No room for AES-SIV data in the frame");
2055 return -1;
2056 }
2057 pos += 2; /* Pointing at the Encrypted Key Data field */
2058
2059 tmp = os_malloc(key_data_len);
2060 if (!tmp)
2061 return -1;
2062
2063 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2064 * to Key Data (exclusive). */
2065 aad[0] = buf;
2066 aad_len[0] = pos - buf;
2067 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2068 1, aad, aad_len, tmp) < 0) {
2069 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2070 "Invalid AES-SIV data in the frame");
2071 bin_clear_free(tmp, key_data_len);
2072 return -1;
2073 }
2074
2075 /* AEAD decryption and validation completed successfully */
2076 key_data_len -= AES_BLOCK_SIZE;
2077 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2078 tmp, key_data_len);
2079
2080 /* Replace Key Data field with the decrypted version */
2081 os_memcpy(pos, tmp, key_data_len);
2082 pos -= 2; /* Key Data Length field */
2083 WPA_PUT_BE16(pos, key_data_len);
2084 bin_clear_free(tmp, key_data_len);
2085 if (_key_data_len)
2086 *_key_data_len = key_data_len;
2087 return 0;
2088 }
2089 #endif /* CONFIG_FILS */
2090
2091
2092 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2093 {
2094 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2095 struct wpa_ptk PTK;
2096 int ok = 0, psk_found = 0;
2097 const u8 *pmk = NULL;
2098 unsigned int pmk_len;
2099 int ft;
2100 const u8 *eapol_key_ie, *key_data, *mic;
2101 u16 key_data_length;
2102 size_t mic_len, eapol_key_ie_len;
2103 struct ieee802_1x_hdr *hdr;
2104 struct wpa_eapol_key *key;
2105 struct wpa_eapol_ie_parse kde;
2106
2107 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2108 sm->EAPOLKeyReceived = FALSE;
2109 sm->update_snonce = FALSE;
2110 os_memset(&PTK, 0, sizeof(PTK));
2111
2112 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
2113
2114 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2115 * WPA-PSK: iterate through possible PSKs and select the one matching
2116 * the packet */
2117 for (;;) {
2118 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2119 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2120 sm->p2p_dev_addr, pmk);
2121 if (pmk == NULL)
2122 break;
2123 psk_found = 1;
2124 pmk_len = PMK_LEN;
2125 } else {
2126 pmk = sm->PMK;
2127 pmk_len = sm->pmk_len;
2128 }
2129
2130 wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK);
2131
2132 if (mic_len &&
2133 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
2134 sm->last_rx_eapol_key,
2135 sm->last_rx_eapol_key_len) == 0) {
2136 ok = 1;
2137 break;
2138 }
2139
2140 #ifdef CONFIG_FILS
2141 if (!mic_len &&
2142 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2143 sm->last_rx_eapol_key_len, NULL) == 0) {
2144 ok = 1;
2145 break;
2146 }
2147 #endif /* CONFIG_FILS */
2148
2149 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
2150 break;
2151 }
2152
2153 if (!ok) {
2154 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2155 "invalid MIC in msg 2/4 of 4-Way Handshake");
2156 if (psk_found)
2157 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
2158 return;
2159 }
2160
2161 /*
2162 * Note: last_rx_eapol_key length fields have already been validated in
2163 * wpa_receive().
2164 */
2165 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2166 key = (struct wpa_eapol_key *) (hdr + 1);
2167 mic = (u8 *) (key + 1);
2168 key_data = mic + mic_len + 2;
2169 key_data_length = WPA_GET_BE16(mic + mic_len);
2170 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2171 sizeof(*key) - mic_len - 2)
2172 return;
2173
2174 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2175 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2176 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2177 return;
2178 }
2179 if (kde.rsn_ie) {
2180 eapol_key_ie = kde.rsn_ie;
2181 eapol_key_ie_len = kde.rsn_ie_len;
2182 } else if (kde.osen) {
2183 eapol_key_ie = kde.osen;
2184 eapol_key_ie_len = kde.osen_len;
2185 } else {
2186 eapol_key_ie = kde.wpa_ie;
2187 eapol_key_ie_len = kde.wpa_ie_len;
2188 }
2189 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2190 if (sm->wpa_ie == NULL ||
2191 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2192 eapol_key_ie, eapol_key_ie_len)) {
2193 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2194 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2195 if (sm->wpa_ie) {
2196 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2197 sm->wpa_ie, sm->wpa_ie_len);
2198 }
2199 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2200 eapol_key_ie, eapol_key_ie_len);
2201 /* MLME-DEAUTHENTICATE.request */
2202 wpa_sta_disconnect(wpa_auth, sm->addr);
2203 return;
2204 }
2205 #ifdef CONFIG_IEEE80211R
2206 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2207 wpa_sta_disconnect(wpa_auth, sm->addr);
2208 return;
2209 }
2210 #endif /* CONFIG_IEEE80211R */
2211 #ifdef CONFIG_P2P
2212 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2213 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2214 int idx;
2215 wpa_printf(MSG_DEBUG,
2216 "P2P: IP address requested in EAPOL-Key exchange");
2217 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2218 if (idx >= 0) {
2219 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2220 bitfield_set(wpa_auth->ip_pool, idx);
2221 WPA_PUT_BE32(sm->ip_addr, start + idx);
2222 wpa_printf(MSG_DEBUG,
2223 "P2P: Assigned IP address %u.%u.%u.%u to "
2224 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2225 sm->ip_addr[2], sm->ip_addr[3],
2226 MAC2STR(sm->addr));
2227 }
2228 }
2229 #endif /* CONFIG_P2P */
2230
2231 #ifdef CONFIG_IEEE80211R
2232 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2233 /*
2234 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2235 * with the value we derived.
2236 */
2237 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2238 WPA_PMK_NAME_LEN) != 0) {
2239 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2240 "PMKR1Name mismatch in FT 4-way "
2241 "handshake");
2242 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2243 "Supplicant",
2244 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2245 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2246 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2247 return;
2248 }
2249 }
2250 #endif /* CONFIG_IEEE80211R */
2251
2252 sm->pending_1_of_4_timeout = 0;
2253 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2254
2255 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2256 /* PSK may have changed from the previous choice, so update
2257 * state machine data based on whatever PSK was selected here.
2258 */
2259 os_memcpy(sm->PMK, pmk, PMK_LEN);
2260 sm->pmk_len = PMK_LEN;
2261 }
2262
2263 sm->MICVerified = TRUE;
2264
2265 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2266 sm->PTK_valid = TRUE;
2267 }
2268
2269
2270 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2271 {
2272 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2273 sm->TimeoutCtr = 0;
2274 }
2275
2276
2277 #ifdef CONFIG_IEEE80211W
2278
2279 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2280 {
2281 if (sm->mgmt_frame_prot) {
2282 size_t len;
2283 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2284 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
2285 }
2286
2287 return 0;
2288 }
2289
2290
2291 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2292 {
2293 struct wpa_igtk_kde igtk;
2294 struct wpa_group *gsm = sm->group;
2295 u8 rsc[WPA_KEY_RSC_LEN];
2296 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2297
2298 if (!sm->mgmt_frame_prot)
2299 return pos;
2300
2301 igtk.keyid[0] = gsm->GN_igtk;
2302 igtk.keyid[1] = 0;
2303 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
2304 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
2305 os_memset(igtk.pn, 0, sizeof(igtk.pn));
2306 else
2307 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
2308 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
2309 if (sm->wpa_auth->conf.disable_gtk) {
2310 /*
2311 * Provide unique random IGTK to each STA to prevent use of
2312 * IGTK in the BSS.
2313 */
2314 if (random_get_bytes(igtk.igtk, len) < 0)
2315 return pos;
2316 }
2317 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
2318 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2319 NULL, 0);
2320
2321 return pos;
2322 }
2323
2324 #else /* CONFIG_IEEE80211W */
2325
2326 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2327 {
2328 return 0;
2329 }
2330
2331
2332 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2333 {
2334 return pos;
2335 }
2336
2337 #endif /* CONFIG_IEEE80211W */
2338
2339
2340 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2341 {
2342 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
2343 size_t gtk_len, kde_len;
2344 struct wpa_group *gsm = sm->group;
2345 u8 *wpa_ie;
2346 int wpa_ie_len, secure, keyidx, encr = 0;
2347
2348 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2349 sm->TimeoutEvt = FALSE;
2350
2351 sm->TimeoutCtr++;
2352 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
2353 /* No point in sending the EAPOL-Key - we will disconnect
2354 * immediately following this. */
2355 return;
2356 }
2357
2358 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2359 GTK[GN], IGTK, [FTIE], [TIE * 2])
2360 */
2361 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2362 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2363 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
2364 wpa_ie = sm->wpa_auth->wpa_ie;
2365 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2366 if (sm->wpa == WPA_VERSION_WPA &&
2367 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2368 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
2369 /* WPA-only STA, remove RSN IE and possible MDIE */
2370 wpa_ie = wpa_ie + wpa_ie[1] + 2;
2371 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2372 wpa_ie = wpa_ie + wpa_ie[1] + 2;
2373 wpa_ie_len = wpa_ie[1] + 2;
2374 }
2375 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2376 "sending 3/4 msg of 4-Way Handshake");
2377 if (sm->wpa == WPA_VERSION_WPA2) {
2378 /* WPA2 send GTK in the 4-way handshake */
2379 secure = 1;
2380 gtk = gsm->GTK[gsm->GN - 1];
2381 gtk_len = gsm->GTK_len;
2382 if (sm->wpa_auth->conf.disable_gtk) {
2383 /*
2384 * Provide unique random GTK to each STA to prevent use
2385 * of GTK in the BSS.
2386 */
2387 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2388 return;
2389 gtk = dummy_gtk;
2390 }
2391 keyidx = gsm->GN;
2392 _rsc = rsc;
2393 encr = 1;
2394 } else {
2395 /* WPA does not include GTK in msg 3/4 */
2396 secure = 0;
2397 gtk = NULL;
2398 gtk_len = 0;
2399 keyidx = 0;
2400 _rsc = NULL;
2401 if (sm->rx_eapol_key_secure) {
2402 /*
2403 * It looks like Windows 7 supplicant tries to use
2404 * Secure bit in msg 2/4 after having reported Michael
2405 * MIC failure and it then rejects the 4-way handshake
2406 * if msg 3/4 does not set Secure bit. Work around this
2407 * by setting the Secure bit here even in the case of
2408 * WPA if the supplicant used it first.
2409 */
2410 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2411 "STA used Secure bit in WPA msg 2/4 - "
2412 "set Secure for 3/4 as workaround");
2413 secure = 1;
2414 }
2415 }
2416
2417 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2418 if (gtk)
2419 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
2420 #ifdef CONFIG_IEEE80211R
2421 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2422 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2423 kde_len += 300; /* FTIE + 2 * TIE */
2424 }
2425 #endif /* CONFIG_IEEE80211R */
2426 #ifdef CONFIG_P2P
2427 if (WPA_GET_BE32(sm->ip_addr) > 0)
2428 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2429 #endif /* CONFIG_P2P */
2430 kde = os_malloc(kde_len);
2431 if (kde == NULL)
2432 return;
2433
2434 pos = kde;
2435 os_memcpy(pos, wpa_ie, wpa_ie_len);
2436 pos += wpa_ie_len;
2437 #ifdef CONFIG_IEEE80211R
2438 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2439 int res;
2440 size_t elen;
2441
2442 elen = pos - kde;
2443 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
2444 if (res < 0) {
2445 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2446 "PMKR1Name into RSN IE in EAPOL-Key data");
2447 os_free(kde);
2448 return;
2449 }
2450 pos -= wpa_ie_len;
2451 pos += elen;
2452 }
2453 #endif /* CONFIG_IEEE80211R */
2454 if (gtk) {
2455 u8 hdr[2];
2456 hdr[0] = keyidx & 0x03;
2457 hdr[1] = 0;
2458 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2459 gtk, gtk_len);
2460 }
2461 pos = ieee80211w_kde_add(sm, pos);
2462
2463 #ifdef CONFIG_IEEE80211R
2464 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2465 int res;
2466 struct wpa_auth_config *conf;
2467
2468 conf = &sm->wpa_auth->conf;
2469 if (sm->assoc_resp_ftie &&
2470 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2471 os_memcpy(pos, sm->assoc_resp_ftie,
2472 2 + sm->assoc_resp_ftie[1]);
2473 res = 2 + sm->assoc_resp_ftie[1];
2474 } else {
2475 res = wpa_write_ftie(conf, conf->r0_key_holder,
2476 conf->r0_key_holder_len,
2477 NULL, NULL, pos,
2478 kde + kde_len - pos,
2479 NULL, 0);
2480 }
2481 if (res < 0) {
2482 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2483 "into EAPOL-Key Key Data");
2484 os_free(kde);
2485 return;
2486 }
2487 pos += res;
2488
2489 /* TIE[ReassociationDeadline] (TU) */
2490 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2491 *pos++ = 5;
2492 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2493 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2494 pos += 4;
2495
2496 /* TIE[KeyLifetime] (seconds) */
2497 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2498 *pos++ = 5;
2499 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2500 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2501 pos += 4;
2502 }
2503 #endif /* CONFIG_IEEE80211R */
2504 #ifdef CONFIG_P2P
2505 if (WPA_GET_BE32(sm->ip_addr) > 0) {
2506 u8 addr[3 * 4];
2507 os_memcpy(addr, sm->ip_addr, 4);
2508 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2509 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2510 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2511 addr, sizeof(addr), NULL, 0);
2512 }
2513 #endif /* CONFIG_P2P */
2514
2515 wpa_send_eapol(sm->wpa_auth, sm,
2516 (secure ? WPA_KEY_INFO_SECURE : 0) |
2517 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
2518 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2519 WPA_KEY_INFO_KEY_TYPE,
2520 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2521 os_free(kde);
2522 }
2523
2524
2525 SM_STATE(WPA_PTK, PTKINITDONE)
2526 {
2527 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2528 sm->EAPOLKeyReceived = FALSE;
2529 if (sm->Pair) {
2530 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2531 int klen = wpa_cipher_key_len(sm->pairwise);
2532 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2533 sm->PTK.tk, klen)) {
2534 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2535 return;
2536 }
2537 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2538 sm->pairwise_set = TRUE;
2539
2540 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2541 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2542 eloop_register_timeout(sm->wpa_auth->conf.
2543 wpa_ptk_rekey, 0, wpa_rekey_ptk,
2544 sm->wpa_auth, sm);
2545 }
2546
2547 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2548 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2549 WPA_EAPOL_authorized, 1);
2550 }
2551 }
2552
2553 if (0 /* IBSS == TRUE */) {
2554 sm->keycount++;
2555 if (sm->keycount == 2) {
2556 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2557 WPA_EAPOL_portValid, 1);
2558 }
2559 } else {
2560 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2561 1);
2562 }
2563 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2564 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2565 if (sm->wpa == WPA_VERSION_WPA)
2566 sm->PInitAKeys = TRUE;
2567 else
2568 sm->has_GTK = TRUE;
2569 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2570 "pairwise key handshake completed (%s)",
2571 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2572
2573 #ifdef CONFIG_IEEE80211R
2574 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2575 #endif /* CONFIG_IEEE80211R */
2576 }
2577
2578
2579 SM_STEP(WPA_PTK)
2580 {
2581 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2582
2583 if (sm->Init)
2584 SM_ENTER(WPA_PTK, INITIALIZE);
2585 else if (sm->Disconnect
2586 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2587 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2588 "WPA_PTK: sm->Disconnect");
2589 SM_ENTER(WPA_PTK, DISCONNECT);
2590 }
2591 else if (sm->DeauthenticationRequest)
2592 SM_ENTER(WPA_PTK, DISCONNECTED);
2593 else if (sm->AuthenticationRequest)
2594 SM_ENTER(WPA_PTK, AUTHENTICATION);
2595 else if (sm->ReAuthenticationRequest)
2596 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2597 else if (sm->PTKRequest)
2598 SM_ENTER(WPA_PTK, PTKSTART);
2599 else switch (sm->wpa_ptk_state) {
2600 case WPA_PTK_INITIALIZE:
2601 break;
2602 case WPA_PTK_DISCONNECT:
2603 SM_ENTER(WPA_PTK, DISCONNECTED);
2604 break;
2605 case WPA_PTK_DISCONNECTED:
2606 SM_ENTER(WPA_PTK, INITIALIZE);
2607 break;
2608 case WPA_PTK_AUTHENTICATION:
2609 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2610 break;
2611 case WPA_PTK_AUTHENTICATION2:
2612 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2613 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2614 WPA_EAPOL_keyRun) > 0)
2615 SM_ENTER(WPA_PTK, INITPMK);
2616 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
2617 /* FIX: && 802.1X::keyRun */)
2618 SM_ENTER(WPA_PTK, INITPSK);
2619 break;
2620 case WPA_PTK_INITPMK:
2621 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2622 WPA_EAPOL_keyAvailable) > 0)
2623 SM_ENTER(WPA_PTK, PTKSTART);
2624 else {
2625 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2626 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2627 "INITPMK - keyAvailable = false");
2628 SM_ENTER(WPA_PTK, DISCONNECT);
2629 }
2630 break;
2631 case WPA_PTK_INITPSK:
2632 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2633 NULL))
2634 SM_ENTER(WPA_PTK, PTKSTART);
2635 else {
2636 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2637 "no PSK configured for the STA");
2638 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2639 SM_ENTER(WPA_PTK, DISCONNECT);
2640 }
2641 break;
2642 case WPA_PTK_PTKSTART:
2643 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2644 sm->EAPOLKeyPairwise)
2645 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2646 else if (sm->TimeoutCtr >
2647 (int) dot11RSNAConfigPairwiseUpdateCount) {
2648 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2649 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2650 "PTKSTART: Retry limit %d reached",
2651 dot11RSNAConfigPairwiseUpdateCount);
2652 SM_ENTER(WPA_PTK, DISCONNECT);
2653 } else if (sm->TimeoutEvt)
2654 SM_ENTER(WPA_PTK, PTKSTART);
2655 break;
2656 case WPA_PTK_PTKCALCNEGOTIATING:
2657 if (sm->MICVerified)
2658 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2659 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2660 sm->EAPOLKeyPairwise)
2661 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2662 else if (sm->TimeoutEvt)
2663 SM_ENTER(WPA_PTK, PTKSTART);
2664 break;
2665 case WPA_PTK_PTKCALCNEGOTIATING2:
2666 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2667 break;
2668 case WPA_PTK_PTKINITNEGOTIATING:
2669 if (sm->update_snonce)
2670 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2671 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2672 sm->EAPOLKeyPairwise && sm->MICVerified)
2673 SM_ENTER(WPA_PTK, PTKINITDONE);
2674 else if (sm->TimeoutCtr >
2675 (int) dot11RSNAConfigPairwiseUpdateCount) {
2676 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2677 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2678 "PTKINITNEGOTIATING: Retry limit %d "
2679 "reached",
2680 dot11RSNAConfigPairwiseUpdateCount);
2681 SM_ENTER(WPA_PTK, DISCONNECT);
2682 } else if (sm->TimeoutEvt)
2683 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2684 break;
2685 case WPA_PTK_PTKINITDONE:
2686 break;
2687 }
2688 }
2689
2690
2691 SM_STATE(WPA_PTK_GROUP, IDLE)
2692 {
2693 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2694 if (sm->Init) {
2695 /* Init flag is not cleared here, so avoid busy
2696 * loop by claiming nothing changed. */
2697 sm->changed = FALSE;
2698 }
2699 sm->GTimeoutCtr = 0;
2700 }
2701
2702
2703 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2704 {
2705 u8 rsc[WPA_KEY_RSC_LEN];
2706 struct wpa_group *gsm = sm->group;
2707 const u8 *kde;
2708 u8 *kde_buf = NULL, *pos, hdr[2];
2709 size_t kde_len;
2710 u8 *gtk, dummy_gtk[32];
2711
2712 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
2713
2714 sm->GTimeoutCtr++;
2715 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2716 /* No point in sending the EAPOL-Key - we will disconnect
2717 * immediately following this. */
2718 return;
2719 }
2720
2721 if (sm->wpa == WPA_VERSION_WPA)
2722 sm->PInitAKeys = FALSE;
2723 sm->TimeoutEvt = FALSE;
2724 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2725 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2726 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2727 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2728 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2729 "sending 1/2 msg of Group Key Handshake");
2730
2731 gtk = gsm->GTK[gsm->GN - 1];
2732 if (sm->wpa_auth->conf.disable_gtk) {
2733 /*
2734 * Provide unique random GTK to each STA to prevent use
2735 * of GTK in the BSS.
2736 */
2737 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2738 return;
2739 gtk = dummy_gtk;
2740 }
2741 if (sm->wpa == WPA_VERSION_WPA2) {
2742 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2743 ieee80211w_kde_len(sm);
2744 kde_buf = os_malloc(kde_len);
2745 if (kde_buf == NULL)
2746 return;
2747
2748 kde = pos = kde_buf;
2749 hdr[0] = gsm->GN & 0x03;
2750 hdr[1] = 0;
2751 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2752 gtk, gsm->GTK_len);
2753 pos = ieee80211w_kde_add(sm, pos);
2754 kde_len = pos - kde;
2755 } else {
2756 kde = gtk;
2757 kde_len = gsm->GTK_len;
2758 }
2759
2760 wpa_send_eapol(sm->wpa_auth, sm,
2761 WPA_KEY_INFO_SECURE |
2762 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
2763 WPA_KEY_INFO_ACK |
2764 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2765 rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1);
2766
2767 os_free(kde_buf);
2768 }
2769
2770
2771 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2772 {
2773 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2774 sm->EAPOLKeyReceived = FALSE;
2775 if (sm->GUpdateStationKeys)
2776 sm->group->GKeyDoneStations--;
2777 sm->GUpdateStationKeys = FALSE;
2778 sm->GTimeoutCtr = 0;
2779 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2780 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2781 "group key handshake completed (%s)",
2782 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2783 sm->has_GTK = TRUE;
2784 }
2785
2786
2787 SM_STATE(WPA_PTK_GROUP, KEYERROR)
2788 {
2789 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2790 if (sm->GUpdateStationKeys)
2791 sm->group->GKeyDoneStations--;
2792 sm->GUpdateStationKeys = FALSE;
2793 sm->Disconnect = TRUE;
2794 }
2795
2796
2797 SM_STEP(WPA_PTK_GROUP)
2798 {
2799 if (sm->Init || sm->PtkGroupInit) {
2800 SM_ENTER(WPA_PTK_GROUP, IDLE);
2801 sm->PtkGroupInit = FALSE;
2802 } else switch (sm->wpa_ptk_group_state) {
2803 case WPA_PTK_GROUP_IDLE:
2804 if (sm->GUpdateStationKeys ||
2805 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2806 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2807 break;
2808 case WPA_PTK_GROUP_REKEYNEGOTIATING:
2809 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2810 !sm->EAPOLKeyPairwise && sm->MICVerified)
2811 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2812 else if (sm->GTimeoutCtr >
2813 (int) dot11RSNAConfigGroupUpdateCount)
2814 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2815 else if (sm->TimeoutEvt)
2816 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2817 break;
2818 case WPA_PTK_GROUP_KEYERROR:
2819 SM_ENTER(WPA_PTK_GROUP, IDLE);
2820 break;
2821 case WPA_PTK_GROUP_REKEYESTABLISHED:
2822 SM_ENTER(WPA_PTK_GROUP, IDLE);
2823 break;
2824 }
2825 }
2826
2827
2828 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2829 struct wpa_group *group)
2830 {
2831 int ret = 0;
2832
2833 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2834 inc_byte_array(group->Counter, WPA_NONCE_LEN);
2835 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2836 wpa_auth->addr, group->GNonce,
2837 group->GTK[group->GN - 1], group->GTK_len) < 0)
2838 ret = -1;
2839 wpa_hexdump_key(MSG_DEBUG, "GTK",
2840 group->GTK[group->GN - 1], group->GTK_len);
2841
2842 #ifdef CONFIG_IEEE80211W
2843 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2844 size_t len;
2845 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
2846 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2847 inc_byte_array(group->Counter, WPA_NONCE_LEN);
2848 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2849 wpa_auth->addr, group->GNonce,
2850 group->IGTK[group->GN_igtk - 4], len) < 0)
2851 ret = -1;
2852 wpa_hexdump_key(MSG_DEBUG, "IGTK",
2853 group->IGTK[group->GN_igtk - 4], len);
2854 }
2855 #endif /* CONFIG_IEEE80211W */
2856
2857 return ret;
2858 }
2859
2860
2861 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2862 struct wpa_group *group)
2863 {
2864 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2865 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2866 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2867 group->wpa_group_state = WPA_GROUP_GTK_INIT;
2868
2869 /* GTK[0..N] = 0 */
2870 os_memset(group->GTK, 0, sizeof(group->GTK));
2871 group->GN = 1;
2872 group->GM = 2;
2873 #ifdef CONFIG_IEEE80211W
2874 group->GN_igtk = 4;
2875 group->GM_igtk = 5;
2876 #endif /* CONFIG_IEEE80211W */
2877 /* GTK[GN] = CalcGTK() */
2878 wpa_gtk_update(wpa_auth, group);
2879 }
2880
2881
2882 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2883 {
2884 if (ctx != NULL && ctx != sm->group)
2885 return 0;
2886
2887 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2888 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2889 "Not in PTKINITDONE; skip Group Key update");
2890 sm->GUpdateStationKeys = FALSE;
2891 return 0;
2892 }
2893 if (sm->GUpdateStationKeys) {
2894 /*
2895 * This should not really happen, so add a debug log entry.
2896 * Since we clear the GKeyDoneStations before the loop, the
2897 * station needs to be counted here anyway.
2898 */
2899 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2900 "GUpdateStationKeys was already set when "
2901 "marking station for GTK rekeying");
2902 }
2903
2904 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
2905 if (sm->is_wnmsleep)
2906 return 0;
2907
2908 sm->group->GKeyDoneStations++;
2909 sm->GUpdateStationKeys = TRUE;
2910
2911 wpa_sm_step(sm);
2912 return 0;
2913 }
2914
2915
2916 #ifdef CONFIG_WNM
2917 /* update GTK when exiting WNM-Sleep Mode */
2918 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2919 {
2920 if (sm == NULL || sm->is_wnmsleep)
2921 return;
2922
2923 wpa_group_update_sta(sm, NULL);
2924 }
2925
2926
2927 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2928 {
2929 if (sm)
2930 sm->is_wnmsleep = !!flag;
2931 }
2932
2933
2934 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2935 {
2936 struct wpa_group *gsm = sm->group;
2937 u8 *start = pos;
2938
2939 /*
2940 * GTK subelement:
2941 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
2942 * Key[5..32]
2943 */
2944 *pos++ = WNM_SLEEP_SUBELEM_GTK;
2945 *pos++ = 11 + gsm->GTK_len;
2946 /* Key ID in B0-B1 of Key Info */
2947 WPA_PUT_LE16(pos, gsm->GN & 0x03);
2948 pos += 2;
2949 *pos++ = gsm->GTK_len;
2950 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
2951 return 0;
2952 pos += 8;
2953 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2954 pos += gsm->GTK_len;
2955
2956 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
2957 gsm->GN);
2958 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
2959 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2960
2961 return pos - start;
2962 }
2963
2964
2965 #ifdef CONFIG_IEEE80211W
2966 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2967 {
2968 struct wpa_group *gsm = sm->group;
2969 u8 *start = pos;
2970 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2971
2972 /*
2973 * IGTK subelement:
2974 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
2975 */
2976 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
2977 *pos++ = 2 + 6 + len;
2978 WPA_PUT_LE16(pos, gsm->GN_igtk);
2979 pos += 2;
2980 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
2981 return 0;
2982 pos += 6;
2983
2984 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
2985 pos += len;
2986
2987 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
2988 gsm->GN_igtk);
2989 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
2990 gsm->IGTK[gsm->GN_igtk - 4], len);
2991
2992 return pos - start;
2993 }
2994 #endif /* CONFIG_IEEE80211W */
2995 #endif /* CONFIG_WNM */
2996
2997
2998 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2999 struct wpa_group *group)
3000 {
3001 int tmp;
3002
3003 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3004 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3005 group->changed = TRUE;
3006 group->wpa_group_state = WPA_GROUP_SETKEYS;
3007 group->GTKReKey = FALSE;
3008 tmp = group->GM;
3009 group->GM = group->GN;
3010 group->GN = tmp;
3011 #ifdef CONFIG_IEEE80211W
3012 tmp = group->GM_igtk;
3013 group->GM_igtk = group->GN_igtk;
3014 group->GN_igtk = tmp;
3015 #endif /* CONFIG_IEEE80211W */
3016 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3017 * counting the STAs that are marked with GUpdateStationKeys instead of
3018 * including all STAs that could be in not-yet-completed state. */
3019 wpa_gtk_update(wpa_auth, group);
3020
3021 if (group->GKeyDoneStations) {
3022 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3023 "GKeyDoneStations=%d when starting new GTK rekey",
3024 group->GKeyDoneStations);
3025 group->GKeyDoneStations = 0;
3026 }
3027 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
3028 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3029 group->GKeyDoneStations);
3030 }
3031
3032
3033 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3034 struct wpa_group *group)
3035 {
3036 int ret = 0;
3037
3038 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
3039 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
3040 broadcast_ether_addr, group->GN,
3041 group->GTK[group->GN - 1], group->GTK_len) < 0)
3042 ret = -1;
3043
3044 #ifdef CONFIG_IEEE80211W
3045 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3046 enum wpa_alg alg;
3047 size_t len;
3048
3049 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3050 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3051
3052 if (ret == 0 &&
3053 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3054 broadcast_ether_addr, group->GN_igtk,
3055 group->IGTK[group->GN_igtk - 4], len) < 0)
3056 ret = -1;
3057 }
3058 #endif /* CONFIG_IEEE80211W */
3059
3060 return ret;
3061 }
3062
3063
3064 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3065 {
3066 if (sm->group == ctx) {
3067 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3068 " for discconnection due to fatal failure",
3069 MAC2STR(sm->addr));
3070 sm->Disconnect = TRUE;
3071 }
3072
3073 return 0;
3074 }
3075
3076
3077 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3078 struct wpa_group *group)
3079 {
3080 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3081 group->changed = TRUE;
3082 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3083 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3084 }
3085
3086
3087 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3088 struct wpa_group *group)
3089 {
3090 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3091 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3092 group->changed = TRUE;
3093 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3094
3095 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3096 wpa_group_fatal_failure(wpa_auth, group);
3097 return -1;
3098 }
3099
3100 return 0;
3101 }
3102
3103
3104 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3105 struct wpa_group *group)
3106 {
3107 if (group->GInit) {
3108 wpa_group_gtk_init(wpa_auth, group);
3109 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3110 /* Do not allow group operations */
3111 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3112 group->GTKAuthenticator) {
3113 wpa_group_setkeysdone(wpa_auth, group);
3114 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3115 group->GTKReKey) {
3116 wpa_group_setkeys(wpa_auth, group);
3117 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3118 if (group->GKeyDoneStations == 0)
3119 wpa_group_setkeysdone(wpa_auth, group);
3120 else if (group->GTKReKey)
3121 wpa_group_setkeys(wpa_auth, group);
3122 }
3123 }
3124
3125
3126 static int wpa_sm_step(struct wpa_state_machine *sm)
3127 {
3128 if (sm == NULL)
3129 return 0;
3130
3131 if (sm->in_step_loop) {
3132 /* This should not happen, but if it does, make sure we do not
3133 * end up freeing the state machine too early by exiting the
3134 * recursive call. */
3135 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
3136 return 0;
3137 }
3138
3139 sm->in_step_loop = 1;
3140 do {
3141 if (sm->pending_deinit)
3142 break;
3143
3144 sm->changed = FALSE;
3145 sm->wpa_auth->group->changed = FALSE;
3146
3147 SM_STEP_RUN(WPA_PTK);
3148 if (sm->pending_deinit)
3149 break;
3150 SM_STEP_RUN(WPA_PTK_GROUP);
3151 if (sm->pending_deinit)
3152 break;
3153 wpa_group_sm_step(sm->wpa_auth, sm->group);
3154 } while (sm->changed || sm->wpa_auth->group->changed);
3155 sm->in_step_loop = 0;
3156
3157 if (sm->pending_deinit) {
3158 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3159 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3160 wpa_free_sta_sm(sm);
3161 return 1;
3162 }
3163 return 0;
3164 }
3165
3166
3167 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3168 {
3169 struct wpa_state_machine *sm = eloop_ctx;
3170 wpa_sm_step(sm);
3171 }
3172
3173
3174 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3175 {
3176 if (sm == NULL)
3177 return;
3178 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3179 }
3180
3181
3182 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3183 {
3184 int tmp, i;
3185 struct wpa_group *group;
3186
3187 if (wpa_auth == NULL)
3188 return;
3189
3190 group = wpa_auth->group;
3191
3192 for (i = 0; i < 2; i++) {
3193 tmp = group->GM;
3194 group->GM = group->GN;
3195 group->GN = tmp;
3196 #ifdef CONFIG_IEEE80211W
3197 tmp = group->GM_igtk;
3198 group->GM_igtk = group->GN_igtk;
3199 group->GN_igtk = tmp;
3200 #endif /* CONFIG_IEEE80211W */
3201 wpa_gtk_update(wpa_auth, group);
3202 wpa_group_config_group_keys(wpa_auth, group);
3203 }
3204 }
3205
3206
3207 static const char * wpa_bool_txt(int val)
3208 {
3209 return val ? "TRUE" : "FALSE";
3210 }
3211
3212
3213 #define RSN_SUITE "%02x-%02x-%02x-%d"
3214 #define RSN_SUITE_ARG(s) \
3215 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3216
3217 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3218 {
3219 int len = 0, ret;
3220 char pmkid_txt[PMKID_LEN * 2 + 1];
3221 #ifdef CONFIG_RSN_PREAUTH
3222 const int preauth = 1;
3223 #else /* CONFIG_RSN_PREAUTH */
3224 const int preauth = 0;
3225 #endif /* CONFIG_RSN_PREAUTH */
3226
3227 if (wpa_auth == NULL)
3228 return len;
3229
3230 ret = os_snprintf(buf + len, buflen - len,
3231 "dot11RSNAOptionImplemented=TRUE\n"
3232 "dot11RSNAPreauthenticationImplemented=%s\n"
3233 "dot11RSNAEnabled=%s\n"
3234 "dot11RSNAPreauthenticationEnabled=%s\n",
3235 wpa_bool_txt(preauth),
3236 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3237 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
3238 if (os_snprintf_error(buflen - len, ret))
3239 return len;
3240 len += ret;
3241
3242 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3243 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3244
3245 ret = os_snprintf(
3246 buf + len, buflen - len,
3247 "dot11RSNAConfigVersion=%u\n"
3248 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3249 /* FIX: dot11RSNAConfigGroupCipher */
3250 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3251 /* FIX: dot11RSNAConfigGroupRekeyTime */
3252 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3253 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3254 "dot11RSNAConfigGroupUpdateCount=%u\n"
3255 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3256 "dot11RSNAConfigGroupCipherSize=%u\n"
3257 "dot11RSNAConfigPMKLifetime=%u\n"
3258 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3259 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3260 "dot11RSNAConfigSATimeout=%u\n"
3261 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3262 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3263 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3264 "dot11RSNAPMKIDUsed=%s\n"
3265 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3266 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3267 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3268 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3269 "dot11RSNA4WayHandshakeFailures=%u\n"
3270 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3271 RSN_VERSION,
3272 !!wpa_auth->conf.wpa_strict_rekey,
3273 dot11RSNAConfigGroupUpdateCount,
3274 dot11RSNAConfigPairwiseUpdateCount,
3275 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
3276 dot11RSNAConfigPMKLifetime,
3277 dot11RSNAConfigPMKReauthThreshold,
3278 dot11RSNAConfigSATimeout,
3279 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3280 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3281 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3282 pmkid_txt,
3283 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3284 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3285 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3286 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3287 wpa_auth->dot11RSNA4WayHandshakeFailures);
3288 if (os_snprintf_error(buflen - len, ret))
3289 return len;
3290 len += ret;
3291
3292 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3293 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3294
3295 /* Private MIB */
3296 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3297 wpa_auth->group->wpa_group_state);
3298 if (os_snprintf_error(buflen - len, ret))
3299 return len;
3300 len += ret;
3301
3302 return len;
3303 }
3304
3305
3306 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3307 {
3308 int len = 0, ret;
3309 u32 pairwise = 0;
3310
3311 if (sm == NULL)
3312 return 0;
3313
3314 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3315
3316 /* dot11RSNAStatsEntry */
3317
3318 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3319 WPA_PROTO_RSN : WPA_PROTO_WPA,
3320 sm->pairwise);
3321 if (pairwise == 0)
3322 return 0;
3323
3324 ret = os_snprintf(
3325 buf + len, buflen - len,
3326 /* TODO: dot11RSNAStatsIndex */
3327 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3328 "dot11RSNAStatsVersion=1\n"
3329 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3330 /* TODO: dot11RSNAStatsTKIPICVErrors */
3331 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
3332 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
3333 /* TODO: dot11RSNAStatsCCMPReplays */
3334 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3335 /* TODO: dot11RSNAStatsTKIPReplays */,
3336 MAC2STR(sm->addr),
3337 RSN_SUITE_ARG(pairwise),
3338 sm->dot11RSNAStatsTKIPLocalMICFailures,
3339 sm->dot11RSNAStatsTKIPRemoteMICFailures);
3340 if (os_snprintf_error(buflen - len, ret))
3341 return len;
3342 len += ret;
3343
3344 /* Private MIB */
3345 ret = os_snprintf(buf + len, buflen - len,
3346 "hostapdWPAPTKState=%d\n"
3347 "hostapdWPAPTKGroupState=%d\n",
3348 sm->wpa_ptk_state,
3349 sm->wpa_ptk_group_state);
3350 if (os_snprintf_error(buflen - len, ret))
3351 return len;
3352 len += ret;
3353
3354 return len;
3355 }
3356
3357
3358 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3359 {
3360 if (wpa_auth)
3361 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3362 }
3363
3364
3365 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3366 {
3367 return sm && sm->pairwise_set;
3368 }
3369
3370
3371 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3372 {
3373 return sm->pairwise;
3374 }
3375
3376
3377 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3378 {
3379 if (sm == NULL)
3380 return -1;
3381 return sm->wpa_key_mgmt;
3382 }
3383
3384
3385 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3386 {
3387 if (sm == NULL)
3388 return 0;
3389 return sm->wpa;
3390 }
3391
3392
3393 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3394 struct rsn_pmksa_cache_entry *entry)
3395 {
3396 if (sm == NULL || sm->pmksa != entry)
3397 return -1;
3398 sm->pmksa = NULL;
3399 return 0;
3400 }
3401
3402
3403 struct rsn_pmksa_cache_entry *
3404 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3405 {
3406 return sm ? sm->pmksa : NULL;
3407 }
3408
3409
3410 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3411 {
3412 if (sm)
3413 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3414 }
3415
3416
3417 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3418 {
3419 if (wpa_auth == NULL)
3420 return NULL;
3421 *len = wpa_auth->wpa_ie_len;
3422 return wpa_auth->wpa_ie;
3423 }
3424
3425
3426 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
3427 unsigned int pmk_len,
3428 int session_timeout, struct eapol_state_machine *eapol)
3429 {
3430 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3431 sm->wpa_auth->conf.disable_pmksa_caching)
3432 return -1;
3433
3434 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
3435 if (pmk_len > PMK_LEN_SUITE_B_192)
3436 pmk_len = PMK_LEN_SUITE_B_192;
3437 } else if (pmk_len > PMK_LEN) {
3438 pmk_len = PMK_LEN;
3439 }
3440
3441 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
3442 sm->PTK.kck, sm->PTK.kck_len,
3443 sm->wpa_auth->addr, sm->addr, session_timeout,
3444 eapol, sm->wpa_key_mgmt))
3445 return 0;
3446
3447 return -1;
3448 }
3449
3450
3451 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3452 const u8 *pmk, size_t len, const u8 *sta_addr,
3453 int session_timeout,
3454 struct eapol_state_machine *eapol)
3455 {
3456 if (wpa_auth == NULL)
3457 return -1;
3458
3459 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
3460 NULL, 0,
3461 wpa_auth->addr,
3462 sta_addr, session_timeout, eapol,
3463 WPA_KEY_MGMT_IEEE8021X))
3464 return 0;
3465
3466 return -1;
3467 }
3468
3469
3470 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
3471 const u8 *pmk, const u8 *pmkid)
3472 {
3473 if (wpa_auth->conf.disable_pmksa_caching)
3474 return -1;
3475
3476 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
3477 NULL, 0,
3478 wpa_auth->addr, addr, 0, NULL,
3479 WPA_KEY_MGMT_SAE))
3480 return 0;
3481
3482 return -1;
3483 }
3484
3485
3486 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3487 const u8 *sta_addr)
3488 {
3489 struct rsn_pmksa_cache_entry *pmksa;
3490
3491 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3492 return;
3493 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3494 if (pmksa) {
3495 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3496 MACSTR " based on request", MAC2STR(sta_addr));
3497 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3498 }
3499 }
3500
3501
3502 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
3503 size_t len)
3504 {
3505 if (!wpa_auth || !wpa_auth->pmksa)
3506 return 0;
3507 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
3508 }
3509
3510
3511 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
3512 {
3513 if (wpa_auth && wpa_auth->pmksa)
3514 pmksa_cache_auth_flush(wpa_auth->pmksa);
3515 }
3516
3517
3518 struct rsn_pmksa_cache_entry *
3519 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr)
3520 {
3521 if (!wpa_auth || !wpa_auth->pmksa)
3522 return NULL;
3523 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3524 }
3525
3526
3527 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
3528 struct wpa_state_machine *sm,
3529 struct wpa_authenticator *wpa_auth,
3530 u8 *pmkid, u8 *pmk)
3531 {
3532 if (!sm)
3533 return;
3534
3535 sm->pmksa = pmksa;
3536 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
3537 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
3538 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
3539 }
3540
3541
3542 /*
3543 * Remove and free the group from wpa_authenticator. This is triggered by a
3544 * callback to make sure nobody is currently iterating the group list while it
3545 * gets modified.
3546 */
3547 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
3548 struct wpa_group *group)
3549 {
3550 struct wpa_group *prev = wpa_auth->group;
3551
3552 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
3553 group->vlan_id);
3554
3555 while (prev) {
3556 if (prev->next == group) {
3557 /* This never frees the special first group as needed */
3558 prev->next = group->next;
3559 os_free(group);
3560 break;
3561 }
3562 prev = prev->next;
3563 }
3564
3565 }
3566
3567
3568 /* Increase the reference counter for group */
3569 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
3570 struct wpa_group *group)
3571 {
3572 /* Skip the special first group */
3573 if (wpa_auth->group == group)
3574 return;
3575
3576 group->references++;
3577 }
3578
3579
3580 /* Decrease the reference counter and maybe free the group */
3581 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
3582 struct wpa_group *group)
3583 {
3584 /* Skip the special first group */
3585 if (wpa_auth->group == group)
3586 return;
3587
3588 group->references--;
3589 if (group->references)
3590 return;
3591 wpa_group_free(wpa_auth, group);
3592 }
3593
3594
3595 /*
3596 * Add a group that has its references counter set to zero. Caller needs to
3597 * call wpa_group_get() on the return value to mark the entry in use.
3598 */
3599 static struct wpa_group *
3600 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3601 {
3602 struct wpa_group *group;
3603
3604 if (wpa_auth == NULL || wpa_auth->group == NULL)
3605 return NULL;
3606
3607 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
3608 vlan_id);
3609 group = wpa_group_init(wpa_auth, vlan_id, 0);
3610 if (group == NULL)
3611 return NULL;
3612
3613 group->next = wpa_auth->group->next;
3614 wpa_auth->group->next = group;
3615
3616 return group;
3617 }
3618
3619
3620 /*
3621 * Enforce that the group state machine for the VLAN is running, increase
3622 * reference counter as interface is up. References might have been increased
3623 * even if a negative value is returned.
3624 * Returns: -1 on error (group missing, group already failed); otherwise, 0
3625 */
3626 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3627 {
3628 struct wpa_group *group;
3629
3630 if (wpa_auth == NULL)
3631 return 0;
3632
3633 group = wpa_auth->group;
3634 while (group) {
3635 if (group->vlan_id == vlan_id)
3636 break;
3637 group = group->next;
3638 }
3639
3640 if (group == NULL) {
3641 group = wpa_auth_add_group(wpa_auth, vlan_id);
3642 if (group == NULL)
3643 return -1;
3644 }
3645
3646 wpa_printf(MSG_DEBUG,
3647 "WPA: Ensure group state machine running for VLAN ID %d",
3648 vlan_id);
3649
3650 wpa_group_get(wpa_auth, group);
3651 group->num_setup_iface++;
3652
3653 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3654 return -1;
3655
3656 return 0;
3657 }
3658
3659
3660 /*
3661 * Decrease reference counter, expected to be zero afterwards.
3662 * returns: -1 on error (group not found, group in fail state)
3663 * -2 if wpa_group is still referenced
3664 * 0 else
3665 */
3666 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3667 {
3668 struct wpa_group *group;
3669 int ret = 0;
3670
3671 if (wpa_auth == NULL)
3672 return 0;
3673
3674 group = wpa_auth->group;
3675 while (group) {
3676 if (group->vlan_id == vlan_id)
3677 break;
3678 group = group->next;
3679 }
3680
3681 if (group == NULL)
3682 return -1;
3683
3684 wpa_printf(MSG_DEBUG,
3685 "WPA: Try stopping group state machine for VLAN ID %d",
3686 vlan_id);
3687
3688 if (group->num_setup_iface <= 0) {
3689 wpa_printf(MSG_ERROR,
3690 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
3691 vlan_id);
3692 return -1;
3693 }
3694 group->num_setup_iface--;
3695
3696 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3697 ret = -1;
3698
3699 if (group->references > 1) {
3700 wpa_printf(MSG_DEBUG,
3701 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
3702 vlan_id);
3703 ret = -2;
3704 }
3705
3706 wpa_group_put(wpa_auth, group);
3707
3708 return ret;
3709 }
3710
3711
3712 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
3713 {
3714 struct wpa_group *group;
3715
3716 if (sm == NULL || sm->wpa_auth == NULL)
3717 return 0;
3718
3719 group = sm->wpa_auth->group;
3720 while (group) {
3721 if (group->vlan_id == vlan_id)
3722 break;
3723 group = group->next;
3724 }
3725
3726 if (group == NULL) {
3727 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3728 if (group == NULL)
3729 return -1;
3730 }
3731
3732 if (sm->group == group)
3733 return 0;
3734
3735 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3736 return -1;
3737
3738 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3739 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3740
3741 wpa_group_get(sm->wpa_auth, group);
3742 wpa_group_put(sm->wpa_auth, sm->group);
3743 sm->group = group;
3744
3745 return 0;
3746 }
3747
3748
3749 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3750 struct wpa_state_machine *sm, int ack)
3751 {
3752 if (wpa_auth == NULL || sm == NULL)
3753 return;
3754 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3755 " ack=%d", MAC2STR(sm->addr), ack);
3756 if (sm->pending_1_of_4_timeout && ack) {
3757 /*
3758 * Some deployed supplicant implementations update their SNonce
3759 * for each EAPOL-Key 2/4 message even within the same 4-way
3760 * handshake and then fail to use the first SNonce when
3761 * deriving the PTK. This results in unsuccessful 4-way
3762 * handshake whenever the relatively short initial timeout is
3763 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3764 * around this by increasing the timeout now that we know that
3765 * the station has received the frame.
3766 */
3767 int timeout_ms = eapol_key_timeout_subseq;
3768 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3769 "timeout by %u ms because of acknowledged frame",
3770 timeout_ms);
3771 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3772 eloop_register_timeout(timeout_ms / 1000,
3773 (timeout_ms % 1000) * 1000,
3774 wpa_send_eapol_timeout, wpa_auth, sm);
3775 }
3776 }
3777
3778
3779 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
3780 {
3781 if (sm == NULL)
3782 return 0;
3783 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
3784 }
3785
3786
3787 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
3788 {
3789 if (sm == NULL)
3790 return 0;
3791 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
3792 }
3793
3794
3795 #ifdef CONFIG_P2P
3796 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
3797 {
3798 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
3799 return -1;
3800 os_memcpy(addr, sm->ip_addr, 4);
3801 return 0;
3802 }
3803 #endif /* CONFIG_P2P */
3804
3805
3806 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
3807 struct radius_das_attrs *attr)
3808 {
3809 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
3810 }
3811
3812
3813 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
3814 {
3815 struct wpa_group *group;
3816
3817 if (!wpa_auth)
3818 return;
3819 for (group = wpa_auth->group; group; group = group->next)
3820 wpa_group_config_group_keys(wpa_auth, group);
3821 }
Unnamed repository; edit this file 'description' to name the repository.