]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
WNM: Differentiate between WNM for station and for AP in build
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
98cd3d1c 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
3b5b7aa8 16#include "crypto/aes.h"
03da66bd 17#include "crypto/aes_wrap.h"
3b5b7aa8 18#include "crypto/aes_siv.h"
03da66bd
JM		 19#include "crypto/crypto.h"
20#include "crypto/sha1.h"
21#include "crypto/sha256.h"
3642c431 22#include "crypto/random.h"
281c950b 23#include "eapol_auth/eapol_auth_sm.h"
6226e38d 24#include "ap_config.h"
6fc6879b 25#include "ieee802_11.h"
6226e38d
JM		 26#include "wpa_auth.h"
27#include "pmksa_cache_auth.h"
6fc6879b
JM		 28#include "wpa_auth_i.h"
29#include "wpa_auth_ie.h"
30
31#define STATE_MACHINE_DATA struct wpa_state_machine
32#define STATE_MACHINE_DEBUG_PREFIX "WPA"
33#define STATE_MACHINE_ADDR sm->addr
34
35
36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 37static int wpa_sm_step(struct wpa_state_machine *sm);
567da5bb
JM		 38static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
39 u8 *data, size_t data_len);
75c8563e
JM		 40#ifdef CONFIG_FILS
41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
9392859d
JM		 43static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
44 const struct wpabuf *hlp);
75c8563e 45#endif /* CONFIG_FILS */
6fc6879b
JM		 46static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
47static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
48 struct wpa_group *group);
581a8cde 49static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 50static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
1bdb7ab3
JM		 52static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
53 struct wpa_group *group);
f23c5b17 54static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 55 const u8 *pmk, unsigned int pmk_len,
56 struct wpa_ptk *ptk);
a0ad9e8c
MB		 57static void wpa_group_free(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59static void wpa_group_get(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
61static void wpa_group_put(struct wpa_authenticator *wpa_auth,
62 struct wpa_group *group);
e73ffa09 63static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 64
bae61562
JM		 65static const u32 eapol_key_timeout_first = 100; /* ms */
66static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 67static const u32 eapol_key_timeout_first_group = 500; /* ms */
6fc6879b
JM		 68
69/* TODO: make these configurable */
70static const int dot11RSNAConfigPMKLifetime = 43200;
71static const int dot11RSNAConfigPMKReauthThreshold = 70;
72static const int dot11RSNAConfigSATimeout = 60;
73
74
c772d054 75static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 76 struct wpa_authenticator *wpa_auth, const u8 *addr)
77{
cef8fac0
JB		 78 if (wpa_auth->cb->mic_failure_report)
79 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 80 return 0;
6fc6879b
JM		 81}
82
83
2c502460
JM		 84static inline void wpa_auth_psk_failure_report(
85 struct wpa_authenticator *wpa_auth, const u8 *addr)
86{
cef8fac0
JB		 87 if (wpa_auth->cb->psk_failure_report)
88 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 89}
90
91
6fc6879b
JM		 92static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
93 const u8 *addr, wpa_eapol_variable var,
94 int value)
95{
cef8fac0
JB		 96 if (wpa_auth->cb->set_eapol)
97 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 98}
99
100
101static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
102 const u8 *addr, wpa_eapol_variable var)
103{
cef8fac0 104 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 105 return -1;
cef8fac0 106 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 107}
108
109
110static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 111 const u8 *addr,
112 const u8 *p2p_dev_addr,
113 const u8 *prev_psk)
6fc6879b 114{
cef8fac0 115 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 116 return NULL;
cef8fac0
JB		 117 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
118 prev_psk);
6fc6879b
JM		 119}
120
121
122static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
123 const u8 *addr, u8 *msk, size_t *len)
124{
cef8fac0 125 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 126 return -1;
cef8fac0 127 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 128}
129
130
131static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
132 int vlan_id,
71934751 133 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 134 u8 *key, size_t key_len)
135{
cef8fac0 136 if (wpa_auth->cb->set_key == NULL)
6fc6879b 137 return -1;
cef8fac0
JB		 138 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
139 key, key_len);
6fc6879b
JM		 140}
141
142
143static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
144 const u8 *addr, int idx, u8 *seq)
145{
cef8fac0 146 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 147 return -1;
cef8fac0 148 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 149}
150
151
6fc6879b
JM		 152static inline int
153wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
154 const u8 *data, size_t data_len, int encrypt)
155{
cef8fac0 156 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 157 return -1;
cef8fac0
JB		 158 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
159 encrypt);
6fc6879b
JM		 160}
161
162
c50d94f1
BC		 163#ifdef CONFIG_MESH
164static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
165 const u8 *addr)
166{
cef8fac0 167 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 168 return -1;
cef8fac0 169 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 170}
171#endif /* CONFIG_MESH */
172
173
6fc6879b
JM		 174int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
175 int (*cb)(struct wpa_state_machine *sm, void *ctx),
176 void *cb_ctx)
177{
cef8fac0 178 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 179 return 0;
cef8fac0 180 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 181}
182
183
bf98f7f3
JM		 184int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
185 int (*cb)(struct wpa_authenticator *a, void *ctx),
186 void *cb_ctx)
187{
cef8fac0 188 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 189 return 0;
cef8fac0 190 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 191}
192
193
6fc6879b
JM		 194void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
195 logger_level level, const char *txt)
196{
cef8fac0 197 if (wpa_auth->cb->logger == NULL)
6fc6879b 198 return;
cef8fac0 199 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 200}
201
202
203void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
204 logger_level level, const char *fmt, ...)
205{
206 char *format;
207 int maxlen;
208 va_list ap;
209
cef8fac0 210 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 211 return;
212
213 maxlen = os_strlen(fmt) + 100;
214 format = os_malloc(maxlen);
215 if (!format)
216 return;
217
218 va_start(ap, fmt);
219 vsnprintf(format, maxlen, fmt, ap);
220 va_end(ap);
221
222 wpa_auth_logger(wpa_auth, addr, level, format);
223
224 os_free(format);
225}
226
227
228static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
567da5bb 229 const u8 *addr, u16 reason)
6fc6879b 230{
cef8fac0 231 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 232 return;
567da5bb
JM		 233 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
234 MAC2STR(addr), reason);
235 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
6fc6879b
JM		 236}
237
238
239static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
240{
56586197 241 int ret = 0;
4ec1fd8e 242#ifdef CONFIG_IEEE80211R_AP
56586197
JM		 243 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
244 ret = 1;
4ec1fd8e 245#endif /* CONFIG_IEEE80211R_AP */
56586197
JM		 246#ifdef CONFIG_IEEE80211W
247 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
248 ret = 1;
249#endif /* CONFIG_IEEE80211W */
a14896e8
JM		 250 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
251 ret = 1;
56586197 252 return ret;
6fc6879b
JM		 253}
254
255
256static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
257{
258 struct wpa_authenticator *wpa_auth = eloop_ctx;
259
3642c431 260 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 261 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
262 "initialization.");
263 } else {
264 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 265 wpa_hexdump_key(MSG_DEBUG, "GMK",
266 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 267 }
268
269 if (wpa_auth->conf.wpa_gmk_rekey) {
270 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
271 wpa_rekey_gmk, wpa_auth, NULL);
272 }
273}
274
275
276static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
277{
278 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 279 struct wpa_group *group, *next;
6fc6879b
JM		 280
281 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 282 group = wpa_auth->group;
283 while (group) {
284 wpa_group_get(wpa_auth, group);
285
6fc6879b
JM		 286 group->GTKReKey = TRUE;
287 do {
288 group->changed = FALSE;
289 wpa_group_sm_step(wpa_auth, group);
290 } while (group->changed);
a0ad9e8c
MB		 291
292 next = group->next;
293 wpa_group_put(wpa_auth, group);
294 group = next;
6fc6879b
JM		 295 }
296
297 if (wpa_auth->conf.wpa_group_rekey) {
298 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
299 0, wpa_rekey_gtk, wpa_auth, NULL);
300 }
301}
302
303
581a8cde
JM		 304static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
305{
306 struct wpa_authenticator *wpa_auth = eloop_ctx;
307 struct wpa_state_machine *sm = timeout_ctx;
308
309 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
310 wpa_request_new_ptk(sm);
311 wpa_sm_step(sm);
312}
313
314
6fc6879b
JM		 315static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
316{
317 if (sm->pmksa == ctx)
318 sm->pmksa = NULL;
319 return 0;
320}
321
322
323static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
324 void *ctx)
325{
326 struct wpa_authenticator *wpa_auth = ctx;
327 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
328}
329
330
1bdb7ab3
JM		 331static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
332 struct wpa_group *group)
333{
559cdabb 334 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 335 u8 rkey[32];
559cdabb 336 unsigned long ptr;
1bdb7ab3 337
3642c431 338 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 339 return -1;
340 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
341
342 /*
343 * Counter = PRF-256(Random number, "Init Counter",
344 * Local MAC Address || Time)
345 */
346 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
347 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 348 ptr = (unsigned long) group;
349 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 350 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 351 return -1;
352
353 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
354 group->Counter, WPA_NONCE_LEN) < 0)
355 return -1;
356 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
357 group->Counter, WPA_NONCE_LEN);
358
359 return 0;
360}
361
362
e6965d4e 363static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 364 int vlan_id, int delay_init)
e6965d4e
JM		 365{
366 struct wpa_group *group;
e6965d4e
JM		 367
368 group = os_zalloc(sizeof(struct wpa_group));
369 if (group == NULL)
370 return NULL;
371
372 group->GTKAuthenticator = TRUE;
373 group->vlan_id = vlan_id;
c3550295 374 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 375
08704cd8
JM		 376 if (random_pool_ready() != 1) {
377 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
378 "for secure operations - update keys later when "
379 "the first station connects");
380 }
381
1bdb7ab3
JM		 382 /*
383 * Set initial GMK/Counter value here. The actual values that will be
384 * used in negotiations will be set once the first station tries to
385 * connect. This allows more time for collecting additional randomness
386 * on embedded devices.
6fc6879b 387 */
1bdb7ab3 388 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 389 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
390 "initialization.");
391 os_free(group);
392 return NULL;
393 }
6fc6879b
JM		 394
395 group->GInit = TRUE;
bdffdc5d
JM		 396 if (delay_init) {
397 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
398 "until Beacon frames have been configured");
399 /* Initialization is completed in wpa_init_keys(). */
400 } else {
401 wpa_group_sm_step(wpa_auth, group);
402 group->GInit = FALSE;
403 wpa_group_sm_step(wpa_auth, group);
404 }
6fc6879b
JM		 405
406 return group;
407}
408
409
410/**
411 * wpa_init - Initialize WPA authenticator
412 * @addr: Authenticator address
413 * @conf: Configuration for WPA authenticator
a17df5fb 414 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 415 * Returns: Pointer to WPA authenticator data or %NULL on failure
416 */
417struct wpa_authenticator * wpa_init(const u8 *addr,
418 struct wpa_auth_config *conf,
cef8fac0
JB		 419 const struct wpa_auth_callbacks *cb,
420 void *cb_ctx)
6fc6879b
JM		 421{
422 struct wpa_authenticator *wpa_auth;
423
424 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
425 if (wpa_auth == NULL)
426 return NULL;
427 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
428 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 429 wpa_auth->cb = cb;
430 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 431
432 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
433 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
434 os_free(wpa_auth);
435 return NULL;
436 }
437
bdffdc5d 438 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 439 if (wpa_auth->group == NULL) {
440 os_free(wpa_auth->wpa_ie);
441 os_free(wpa_auth);
442 return NULL;
443 }
444
4bb081f1
JM		 445 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
446 wpa_auth);
6fc6879b
JM		 447 if (wpa_auth->pmksa == NULL) {
448 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 449 os_free(wpa_auth->group);
6fc6879b
JM		 450 os_free(wpa_auth->wpa_ie);
451 os_free(wpa_auth);
452 return NULL;
453 }
454
4ec1fd8e 455#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 456 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
457 if (wpa_auth->ft_pmk_cache == NULL) {
458 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 459 os_free(wpa_auth->group);
6fc6879b 460 os_free(wpa_auth->wpa_ie);
4bb081f1 461 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 462 os_free(wpa_auth);
463 return NULL;
464 }
4ec1fd8e 465#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 466
467 if (wpa_auth->conf.wpa_gmk_rekey) {
468 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
469 wpa_rekey_gmk, wpa_auth, NULL);
470 }
471
472 if (wpa_auth->conf.wpa_group_rekey) {
473 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
474 wpa_rekey_gtk, wpa_auth, NULL);
475 }
476
25ef8529
JM		 477#ifdef CONFIG_P2P
478 if (WPA_GET_BE32(conf->ip_addr_start)) {
479 int count = WPA_GET_BE32(conf->ip_addr_end) -
480 WPA_GET_BE32(conf->ip_addr_start) + 1;
481 if (count > 1000)
482 count = 1000;
483 if (count > 0)
484 wpa_auth->ip_pool = bitfield_alloc(count);
485 }
486#endif /* CONFIG_P2P */
487
6fc6879b
JM		 488 return wpa_auth;
489}
490
491
bdffdc5d
JM		 492int wpa_init_keys(struct wpa_authenticator *wpa_auth)
493{
494 struct wpa_group *group = wpa_auth->group;
495
496 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
497 "keys");
498 wpa_group_sm_step(wpa_auth, group);
499 group->GInit = FALSE;
500 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 501 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
502 return -1;
bdffdc5d
JM		 503 return 0;
504}
505
506
6fc6879b
JM		 507/**
508 * wpa_deinit - Deinitialize WPA authenticator
509 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
510 */
511void wpa_deinit(struct wpa_authenticator *wpa_auth)
512{
513 struct wpa_group *group, *prev;
514
515 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
516 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
517
4bb081f1 518 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 519
4ec1fd8e 520#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 521 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
522 wpa_auth->ft_pmk_cache = NULL;
eefe8630 523 wpa_ft_deinit(wpa_auth);
4ec1fd8e 524#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 525
25ef8529
JM		 526#ifdef CONFIG_P2P
527 bitfield_free(wpa_auth->ip_pool);
528#endif /* CONFIG_P2P */
529
530
6fc6879b
JM		 531 os_free(wpa_auth->wpa_ie);
532
533 group = wpa_auth->group;
534 while (group) {
535 prev = group;
536 group = group->next;
537 os_free(prev);
538 }
539
540 os_free(wpa_auth);
541}
542
543
544/**
545 * wpa_reconfig - Update WPA authenticator configuration
546 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
547 * @conf: Configuration for WPA authenticator
548 */
549int wpa_reconfig(struct wpa_authenticator *wpa_auth,
550 struct wpa_auth_config *conf)
551{
e6965d4e 552 struct wpa_group *group;
6fc6879b
JM		 553 if (wpa_auth == NULL)
554 return 0;
555
556 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 557 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
558 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
559 return -1;
560 }
561
e6965d4e
JM		 562 /*
563 * Reinitialize GTK to make sure it is suitable for the new
564 * configuration.
565 */
566 group = wpa_auth->group;
c3550295 567 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 568 group->GInit = TRUE;
569 wpa_group_sm_step(wpa_auth, group);
570 group->GInit = FALSE;
571 wpa_group_sm_step(wpa_auth, group);
572
6fc6879b
JM		 573 return 0;
574}
575
576
577struct wpa_state_machine *
94ddef3e
JM		 578wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
579 const u8 *p2p_dev_addr)
6fc6879b
JM		 580{
581 struct wpa_state_machine *sm;
582
7d7f7be2
JM		 583 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
584 return NULL;
585
6fc6879b
JM		 586 sm = os_zalloc(sizeof(struct wpa_state_machine));
587 if (sm == NULL)
588 return NULL;
589 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 590 if (p2p_dev_addr)
591 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 592
593 sm->wpa_auth = wpa_auth;
594 sm->group = wpa_auth->group;
a0ad9e8c 595 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 596
597 return sm;
598}
599
600
6f9b5d16
JM		 601int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
602 struct wpa_state_machine *sm)
6fc6879b
JM		 603{
604 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 605 return -1;
6fc6879b 606
4ec1fd8e 607#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 608 if (sm->ft_completed) {
609 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
610 "FT authentication already completed - do not "
611 "start 4-way handshake");
3d4d2348
JM		 612 /* Go to PTKINITDONE state to allow GTK rekeying */
613 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 614 sm->Pair = TRUE;
6f9b5d16 615 return 0;
6fc6879b 616 }
4ec1fd8e 617#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 618
07e0117d
JM		 619#ifdef CONFIG_FILS
620 if (sm->fils_completed) {
621 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
622 "FILS authentication already completed - do not start 4-way handshake");
623 /* Go to PTKINITDONE state to allow GTK rekeying */
624 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 625 sm->Pair = TRUE;
07e0117d
JM		 626 return 0;
627 }
628#endif /* CONFIG_FILS */
629
6fc6879b 630 if (sm->started) {
22a299ee 631 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 632 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 633 return wpa_sm_step(sm);
6fc6879b
JM		 634 }
635
636 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
637 "start authentication");
638 sm->started = 1;
639
640 sm->Init = TRUE;
e4a6ea1d 641 if (wpa_sm_step(sm) == 1)
6f9b5d16 642 return 1; /* should not really happen */
6fc6879b
JM		 643 sm->Init = FALSE;
644 sm->AuthenticationRequest = TRUE;
6f9b5d16 645 return wpa_sm_step(sm);
6fc6879b
JM		 646}
647
648
a8d05fca
JM		 649void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
650{
651 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
652 * reassociates back to the same AP while the previous entry for the
653 * STA has not yet been removed. */
654 if (sm == NULL)
655 return;
656
657 sm->wpa_key_mgmt = 0;
658}
659
660
6fc6879b
JM		 661static void wpa_free_sta_sm(struct wpa_state_machine *sm)
662{
25ef8529
JM		 663#ifdef CONFIG_P2P
664 if (WPA_GET_BE32(sm->ip_addr)) {
665 u32 start;
666 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
667 "address %u.%u.%u.%u from " MACSTR,
668 sm->ip_addr[0], sm->ip_addr[1],
669 sm->ip_addr[2], sm->ip_addr[3],
670 MAC2STR(sm->addr));
671 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
672 bitfield_clear(sm->wpa_auth->ip_pool,
673 WPA_GET_BE32(sm->ip_addr) - start);
674 }
675#endif /* CONFIG_P2P */
2ade8ef2
JM		 676 if (sm->GUpdateStationKeys) {
677 sm->group->GKeyDoneStations--;
678 sm->GUpdateStationKeys = FALSE;
679 }
4ec1fd8e 680#ifdef CONFIG_IEEE80211R_AP
0f857f43 681 os_free(sm->assoc_resp_ftie);
692ec305 682 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 683#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 684 os_free(sm->last_rx_eapol_key);
685 os_free(sm->wpa_ie);
a0ad9e8c 686 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b
JM		 687 os_free(sm);
688}
689
690
691void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
692{
693 if (sm == NULL)
694 return;
695
696 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
697 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
698 "strict rekeying - force GTK rekey since STA "
699 "is leaving");
700 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
701 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
702 NULL);
703 }
704
705 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 706 sm->pending_1_of_4_timeout = 0;
6fc6879b 707 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 708 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3a46cf93
MB		 709#ifdef CONFIG_IEEE80211R_AP
710 wpa_ft_sta_deinit(sm);
711#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 712 if (sm->in_step_loop) {
713 /* Must not free state machine while wpa_sm_step() is running.
714 * Freeing will be completed in the end of wpa_sm_step(). */
715 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
716 "machine deinit for " MACSTR, MAC2STR(sm->addr));
717 sm->pending_deinit = 1;
718 } else
719 wpa_free_sta_sm(sm);
720}
721
722
723static void wpa_request_new_ptk(struct wpa_state_machine *sm)
724{
725 if (sm == NULL)
726 return;
727
728 sm->PTKRequest = TRUE;
729 sm->PTK_valid = 0;
730}
731
732
68921e24 733static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 734 const u8 *replay_counter)
735{
736 int i;
737 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 738 if (!ctr[i].valid)
22a299ee 739 break;
68921e24 740 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 741 WPA_REPLAY_COUNTER_LEN) == 0)
742 return 1;
743 }
744 return 0;
745}
746
747
68921e24
JM		 748static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
749 const u8 *replay_counter)
750{
751 int i;
752 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
753 if (ctr[i].valid &&
754 (replay_counter == NULL ||
755 os_memcmp(replay_counter, ctr[i].counter,
756 WPA_REPLAY_COUNTER_LEN) == 0))
757 ctr[i].valid = FALSE;
758 }
759}
760
761
4ec1fd8e 762#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 763static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
764 struct wpa_state_machine *sm,
765 struct wpa_eapol_ie_parse *kde)
766{
767 struct wpa_ie_data ie;
768 struct rsn_mdie *mdie;
769
770 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
771 ie.num_pmkid != 1 || ie.pmkid == NULL) {
772 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
773 "FT 4-way handshake message 2/4");
774 return -1;
775 }
776
777 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
778 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
779 sm->sup_pmk_r1_name, PMKID_LEN);
780
781 if (!kde->mdie || !kde->ftie) {
782 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
783 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
784 return -1;
785 }
786
787 mdie = (struct rsn_mdie *) (kde->mdie + 2);
788 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
789 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
790 MOBILITY_DOMAIN_ID_LEN) != 0) {
791 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
792 return -1;
793 }
794
795 if (sm->assoc_resp_ftie &&
796 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
797 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
798 2 + sm->assoc_resp_ftie[1]) != 0)) {
799 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
800 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
801 kde->ftie, kde->ftie_len);
802 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
803 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
804 return -1;
805 }
806
807 return 0;
808}
4ec1fd8e 809#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 810
811
c772d054
JM		 812static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
813 struct wpa_state_machine *sm, int group)
ec027805
JM		 814{
815 /* Supplicant reported a Michael MIC error */
816 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
817 "received EAPOL-Key Error Request "
818 "(STA detected Michael MIC failure (group=%d))",
819 group);
fbc72d32
JM		 820
821 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
822 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
823 "ignore Michael MIC failure report since "
824 "group cipher is not TKIP");
825 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
826 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
827 "ignore Michael MIC failure report since "
828 "pairwise cipher is not TKIP");
829 } else {
c772d054
JM		 830 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
831 return 1; /* STA entry was removed */
fbc72d32
JM		 832 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
833 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
834 }
ec027805
JM		 835
836 /*
837 * Error report is not a request for a new key handshake, but since
838 * Authenticator may do it, let's change the keys now anyway.
839 */
840 wpa_request_new_ptk(sm);
c772d054 841 return 0;
ec027805
JM		 842}
843
844
f23c5b17
JM		 845static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
846 size_t data_len)
847{
848 struct wpa_ptk PTK;
849 int ok = 0;
850 const u8 *pmk = NULL;
207976f0 851 unsigned int pmk_len;
f23c5b17 852
b729fd8d 853 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17
JM		 854 for (;;) {
855 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
856 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
857 sm->p2p_dev_addr, pmk);
858 if (pmk == NULL)
859 break;
207976f0
JM		 860 pmk_len = PMK_LEN;
861 } else {
f23c5b17 862 pmk = sm->PMK;
207976f0
JM		 863 pmk_len = sm->pmk_len;
864 }
f23c5b17 865
364c064a
JM		 866 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
867 break;
f23c5b17 868
567da5bb
JM		 869 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
870 data, data_len) == 0) {
f23c5b17
JM		 871 ok = 1;
872 break;
873 }
874
875 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
876 break;
877 }
878
879 if (!ok) {
880 wpa_printf(MSG_DEBUG,
881 "WPA: Earlier SNonce did not result in matching MIC");
882 return -1;
883 }
884
885 wpa_printf(MSG_DEBUG,
886 "WPA: Earlier SNonce resulted in matching MIC");
887 sm->alt_snonce_valid = 0;
888 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
889 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
890 sm->PTK_valid = TRUE;
891
892 return 0;
893}
894
895
6fc6879b
JM		 896void wpa_receive(struct wpa_authenticator *wpa_auth,
897 struct wpa_state_machine *sm,
898 u8 *data, size_t data_len)
899{
900 struct ieee802_1x_hdr *hdr;
901 struct wpa_eapol_key *key;
902 u16 key_info, key_data_length;
903 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
904 SMK_M1, SMK_M3, SMK_ERROR } msg;
905 char *msgtxt;
906 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 907 const u8 *key_data;
908 size_t keyhdrlen, mic_len;
6d014ffc 909 u8 *mic;
6fc6879b
JM		 910
911 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
912 return;
dc5bad48 913 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 914
567da5bb 915 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 916 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 917
dc5bad48
JM		 918 if (data_len < sizeof(*hdr) + keyhdrlen) {
919 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 920 return;
dc5bad48 921 }
6fc6879b
JM		 922
923 hdr = (struct ieee802_1x_hdr *) data;
924 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 925 mic = (u8 *) (key + 1);
6fc6879b 926 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 927 key_data = mic + mic_len + 2;
928 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 929 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 930 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
931 MAC2STR(sm->addr), key_info, key->type,
932 (unsigned int) mic_len, key_data_length);
933 wpa_hexdump(MSG_MSGDUMP,
934 "WPA: EAPOL-Key header (ending before Key MIC)",
935 key, sizeof(*key));
936 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
937 mic, mic_len);
5e3b5197 938 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 939 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
940 "key_data overflow (%d > %lu)",
941 key_data_length,
942 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 943 keyhdrlen));
6fc6879b
JM		 944 return;
945 }
946
f8e96eb6 947 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 948 if (key->type == EAPOL_KEY_TYPE_WPA) {
949 /*
950 * Some deployed station implementations seem to send
951 * msg 4/4 with incorrect type value in WPA2 mode.
952 */
953 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
954 "with unexpected WPA type in RSN mode");
955 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 956 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
957 "unexpected type %d in RSN mode",
958 key->type);
959 return;
960 }
961 } else {
962 if (key->type != EAPOL_KEY_TYPE_WPA) {
963 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
964 "unexpected type %d in WPA mode",
965 key->type);
966 return;
967 }
968 }
969
bc8318ac
JM		 970 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
971 WPA_NONCE_LEN);
972 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
973 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
974
6fc6879b
JM		 975 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
976 * are set */
977
978 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
979 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
980 if (key_info & WPA_KEY_INFO_ERROR) {
981 msg = SMK_ERROR;
982 msgtxt = "SMK Error";
983 } else {
984 msg = SMK_M1;
985 msgtxt = "SMK M1";
986 }
987 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
988 msg = SMK_M3;
989 msgtxt = "SMK M3";
990 } else if (key_info & WPA_KEY_INFO_REQUEST) {
991 msg = REQUEST;
992 msgtxt = "Request";
993 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
994 msg = GROUP_2;
995 msgtxt = "2/2 Group";
3b5b7aa8
JM		 996 } else if (key_data_length == 0 ||
997 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
998 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 999 msg = PAIRWISE_4;
1000 msgtxt = "4/4 Pairwise";
1001 } else {
1002 msg = PAIRWISE_2;
1003 msgtxt = "2/4 Pairwise";
1004 }
1005
1006 /* TODO: key_info type validation for PeerKey */
1007 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1008 msg == GROUP_2) {
1009 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1010 if (sm->pairwise == WPA_CIPHER_CCMP ||
1011 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b 1012 if (wpa_use_aes_cmac(sm) &&
a14896e8 1013 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
929a2ea5 1014 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
b9866483 1015 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1016 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1017 wpa_auth_logger(wpa_auth, sm->addr,
1018 LOGGER_WARNING,
1019 "advertised support for "
1020 "AES-128-CMAC, but did not "
1021 "use it");
1022 return;
1023 }
1024
1025 if (!wpa_use_aes_cmac(sm) &&
2449791b 1026 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
07a5fe82 1027 sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
567da5bb 1028 sm->wpa_key_mgmt != WPA_KEY_MGMT_DPP &&
6fc6879b
JM		 1029 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1030 wpa_auth_logger(wpa_auth, sm->addr,
1031 LOGGER_WARNING,
1032 "did not use HMAC-SHA1-AES "
eb7719ff 1033 "with CCMP/GCMP");
6fc6879b
JM		 1034 return;
1035 }
1036 }
929a2ea5 1037
2449791b 1038 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
07a5fe82 1039 wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
567da5bb 1040 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
07a5fe82 1041 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
929a2ea5
JM		 1042 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1043 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1044 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1045 return;
1046 }
6fc6879b
JM		 1047 }
1048
1049 if (key_info & WPA_KEY_INFO_REQUEST) {
1050 if (sm->req_replay_counter_used &&
1051 os_memcmp(key->replay_counter, sm->req_replay_counter,
1052 WPA_REPLAY_COUNTER_LEN) <= 0) {
1053 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1054 "received EAPOL-Key request with "
1055 "replayed counter");
1056 return;
1057 }
1058 }
1059
1060 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1061 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1062 int i;
68921e24
JM		 1063
1064 if (msg == PAIRWISE_2 &&
1065 wpa_replay_counter_valid(sm->prev_key_replay,
1066 key->replay_counter) &&
1067 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1068 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1069 {
1070 /*
1071 * Some supplicant implementations (e.g., Windows XP
1072 * WZC) update SNonce for each EAPOL-Key 2/4. This
1073 * breaks the workaround on accepting any of the
1074 * pending requests, so allow the SNonce to be updated
1075 * even if we have already sent out EAPOL-Key 3/4.
1076 */
1077 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1078 "Process SNonce update from STA "
1079 "based on retransmitted EAPOL-Key "
1080 "1/4");
1081 sm->update_snonce = 1;
f23c5b17
JM		 1082 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1083 sm->alt_snonce_valid = TRUE;
1084 os_memcpy(sm->alt_replay_counter,
1085 sm->key_replay[0].counter,
1086 WPA_REPLAY_COUNTER_LEN);
1087 goto continue_processing;
1088 }
1089
1090 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1091 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1092 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1093 WPA_REPLAY_COUNTER_LEN) == 0) {
1094 /*
1095 * Supplicant may still be using the old SNonce since
1096 * there was two EAPOL-Key 2/4 messages and they had
1097 * different SNonce values.
1098 */
1099 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1100 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1101 goto continue_processing;
1102 }
1103
1104 if (msg == PAIRWISE_2 &&
1105 wpa_replay_counter_valid(sm->prev_key_replay,
1106 key->replay_counter) &&
1107 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1108 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1109 "ignore retransmitted EAPOL-Key %s - "
1110 "SNonce did not change", msgtxt);
1111 } else {
1112 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1113 "received EAPOL-Key %s with "
1114 "unexpected replay counter", msgtxt);
1115 }
22a299ee
JM		 1116 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1117 if (!sm->key_replay[i].valid)
1118 break;
1119 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1120 sm->key_replay[i].counter,
1121 WPA_REPLAY_COUNTER_LEN);
1122 }
6fc6879b
JM		 1123 wpa_hexdump(MSG_DEBUG, "received replay counter",
1124 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1125 return;
1126 }
1127
68921e24 1128continue_processing:
3b5b7aa8
JM		 1129#ifdef CONFIG_FILS
1130 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1131 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1132 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1133 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1134 return;
1135 }
1136#endif /* CONFIG_FILS */
1137
6fc6879b
JM		 1138 switch (msg) {
1139 case PAIRWISE_2:
1140 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1141 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1142 (!sm->update_snonce ||
1143 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1144 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1145 "received EAPOL-Key msg 2/4 in "
1146 "invalid state (%d) - dropped",
1147 sm->wpa_ptk_state);
1148 return;
1149 }
bbb921da 1150 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1151 if (sm->group->reject_4way_hs_for_entropy) {
1152 /*
1153 * The system did not have enough entropy to generate
1154 * strong random numbers. Reject the first 4-way
1155 * handshake(s) and collect some entropy based on the
1156 * information from it. Once enough entropy is
1157 * available, the next atempt will trigger GMK/Key
1158 * Counter update and the station will be allowed to
1159 * continue.
1160 */
1161 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1162 "collect more entropy for random number "
1163 "generation");
08704cd8 1164 random_mark_pool_ready();
567da5bb
JM		 1165 wpa_sta_disconnect(wpa_auth, sm->addr,
1166 WLAN_REASON_PREV_AUTH_NOT_VALID);
08704cd8
JM		 1167 return;
1168 }
6fc6879b
JM		 1169 break;
1170 case PAIRWISE_4:
1171 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1172 !sm->PTK_valid) {
1173 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1174 "received EAPOL-Key msg 4/4 in "
1175 "invalid state (%d) - dropped",
1176 sm->wpa_ptk_state);
1177 return;
1178 }
1179 break;
1180 case GROUP_2:
1181 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1182 || !sm->PTK_valid) {
1183 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1184 "received EAPOL-Key msg 2/2 in "
1185 "invalid state (%d) - dropped",
1186 sm->wpa_ptk_group_state);
1187 return;
1188 }
1189 break;
1190#ifdef CONFIG_PEERKEY
1191 case SMK_M1:
1192 case SMK_M3:
1193 case SMK_ERROR:
1194 if (!wpa_auth->conf.peerkey) {
1195 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1196 "PeerKey use disabled - ignoring message");
1197 return;
1198 }
1199 if (!sm->PTK_valid) {
1200 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1201 "received EAPOL-Key msg SMK in "
1202 "invalid state - dropped");
1203 return;
1204 }
1205 break;
1206#else /* CONFIG_PEERKEY */
1207 case SMK_M1:
1208 case SMK_M3:
1209 case SMK_ERROR:
1210 return; /* STSL disabled - ignore SMK messages */
1211#endif /* CONFIG_PEERKEY */
1212 case REQUEST:
1213 break;
1214 }
1215
1216 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1217 "received EAPOL-Key frame (%s)", msgtxt);
1218
1219 if (key_info & WPA_KEY_INFO_ACK) {
1220 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1221 "received invalid EAPOL-Key: Key Ack set");
1222 return;
1223 }
1224
b9866483
JM		 1225 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1226 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1227 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1228 "received invalid EAPOL-Key: Key MIC not set");
1229 return;
1230 }
1231
b9866483
JM		 1232#ifdef CONFIG_FILS
1233 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1234 (key_info & WPA_KEY_INFO_MIC)) {
1235 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1236 "received invalid EAPOL-Key: Key MIC set");
1237 return;
1238 }
1239#endif /* CONFIG_FILS */
1240
6fc6879b 1241 sm->MICVerified = FALSE;
68921e24 1242 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8 1243 if (mic_len &&
567da5bb
JM		 1244 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1245 data, data_len) &&
f23c5b17
JM		 1246 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1247 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1248 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1249 "received EAPOL-Key with invalid MIC");
1250 return;
1251 }
75c8563e
JM		 1252#ifdef CONFIG_FILS
1253 if (!mic_len &&
1254 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1255 &key_data_length) < 0) {
1256 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1257 "received EAPOL-Key with invalid MIC");
1258 return;
1259 }
1260#endif /* CONFIG_FILS */
6fc6879b
JM		 1261 sm->MICVerified = TRUE;
1262 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1263 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1264 }
1265
1266 if (key_info & WPA_KEY_INFO_REQUEST) {
1267 if (sm->MICVerified) {
1268 sm->req_replay_counter_used = 1;
1269 os_memcpy(sm->req_replay_counter, key->replay_counter,
1270 WPA_REPLAY_COUNTER_LEN);
1271 } else {
1272 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1273 "received EAPOL-Key request with "
1274 "invalid MIC");
1275 return;
1276 }
1277
1278 /*
1279 * TODO: should decrypt key data field if encryption was used;
1280 * even though MAC address KDE is not normally encrypted,
1281 * supplicant is allowed to encrypt it.
1282 */
1283 if (msg == SMK_ERROR) {
1284#ifdef CONFIG_PEERKEY
5e3b5197 1285 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
6fc6879b
JM		 1286#endif /* CONFIG_PEERKEY */
1287 return;
1288 } else if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1289 if (wpa_receive_error_report(
1290 wpa_auth, sm,
1291 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1292 return; /* STA entry was removed */
6fc6879b
JM		 1293 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1294 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1295 "received EAPOL-Key Request for new "
1296 "4-Way Handshake");
1297 wpa_request_new_ptk(sm);
1298#ifdef CONFIG_PEERKEY
1299 } else if (msg == SMK_M1) {
5e3b5197 1300 wpa_smk_m1(wpa_auth, sm, key, key_data,
5c6787a6 1301 key_data_length);
6fc6879b
JM		 1302#endif /* CONFIG_PEERKEY */
1303 } else if (key_data_length > 0 &&
5e3b5197
JM		 1304 wpa_parse_kde_ies(key_data, key_data_length,
1305 &kde) == 0 &&
6fc6879b
JM		 1306 kde.mac_addr) {
1307 } else {
1308 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1309 "received EAPOL-Key Request for GTK "
1310 "rekeying");
6fc6879b
JM		 1311 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1312 wpa_rekey_gtk(wpa_auth, NULL);
1313 }
1314 } else {
68921e24
JM		 1315 /* Do not allow the same key replay counter to be reused. */
1316 wpa_replay_counter_mark_invalid(sm->key_replay,
1317 key->replay_counter);
1318
1319 if (msg == PAIRWISE_2) {
1320 /*
1321 * Maintain a copy of the pending EAPOL-Key frames in
1322 * case the EAPOL-Key frame was retransmitted. This is
1323 * needed to allow EAPOL-Key msg 2/4 reply to another
1324 * pending msg 1/4 to update the SNonce to work around
1325 * unexpected supplicant behavior.
1326 */
1327 os_memcpy(sm->prev_key_replay, sm->key_replay,
1328 sizeof(sm->key_replay));
1329 } else {
1330 os_memset(sm->prev_key_replay, 0,
1331 sizeof(sm->prev_key_replay));
1332 }
1333
1334 /*
1335 * Make sure old valid counters are not accepted anymore and
1336 * do not get copied again.
1337 */
1338 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1339 }
1340
1341#ifdef CONFIG_PEERKEY
1342 if (msg == SMK_M3) {
5e3b5197 1343 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
6fc6879b
JM		 1344 return;
1345 }
1346#endif /* CONFIG_PEERKEY */
1347
1348 os_free(sm->last_rx_eapol_key);
a1f11e34 1349 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1350 if (sm->last_rx_eapol_key == NULL)
1351 return;
6fc6879b
JM		 1352 sm->last_rx_eapol_key_len = data_len;
1353
0d442aff 1354 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1355 sm->EAPOLKeyReceived = TRUE;
1356 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1357 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1358 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1359 wpa_sm_step(sm);
1360}
1361
1362
3c7302c2
JM		 1363static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1364 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1365{
5cb9d5c3
JM		 1366 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1367 u8 *pos;
3c7302c2 1368 int ret = 0;
6fc6879b 1369
5cb9d5c3
JM		 1370 /* GTK = PRF-X(GMK, "Group key expansion",
1371 * AA || GNonce || Time || random data)
1372 * The example described in the IEEE 802.11 standard uses only AA and
1373 * GNonce as inputs here. Add some more entropy since this derivation
1374 * is done only at the Authenticator and as such, does not need to be
1375 * exactly same.
1376 */
6fc6879b
JM		 1377 os_memcpy(data, addr, ETH_ALEN);
1378 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1379 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1380 wpa_get_ntp_timestamp(pos);
1381 pos += 8;
3642c431 1382 if (random_get_bytes(pos, 16) < 0)
3c7302c2 1383 ret = -1;
6fc6879b 1384
56586197 1385#ifdef CONFIG_IEEE80211W
5cb9d5c3 1386 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
56586197 1387#else /* CONFIG_IEEE80211W */
3c7302c2
JM		 1388 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1389 < 0)
1390 ret = -1;
56586197 1391#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 1392
1393 return ret;
6fc6879b
JM		 1394}
1395
1396
1397static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1398{
1399 struct wpa_authenticator *wpa_auth = eloop_ctx;
1400 struct wpa_state_machine *sm = timeout_ctx;
1401
e4bf4db9 1402 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1403 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1404 sm->TimeoutEvt = TRUE;
1405 wpa_sm_step(sm);
1406}
1407
1408
1409void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1410 struct wpa_state_machine *sm, int key_info,
1411 const u8 *key_rsc, const u8 *nonce,
1412 const u8 *kde, size_t kde_len,
1413 int keyidx, int encr, int force_version)
1414{
1415 struct ieee802_1x_hdr *hdr;
1416 struct wpa_eapol_key *key;
5e3b5197 1417 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1418 int alg;
1419 int key_data_len, pad_len = 0;
1420 u8 *buf, *pos;
1421 int version, pairwise;
22a299ee 1422 int i;
6d014ffc 1423 u8 *key_mic, *key_data;
6fc6879b 1424
567da5bb 1425 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
6d014ffc 1426 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1427
1428 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1429
1430 if (force_version)
1431 version = force_version;
929a2ea5 1432 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
07a5fe82 1433 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1434 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
36a50fd4
JM		 1435 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1436 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
a14896e8 1437 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
6fc6879b
JM		 1438 else if (wpa_use_aes_cmac(sm))
1439 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1440 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1441 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1442 else
1443 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1444
8543ed8a 1445 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1446
1447 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1448 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1449 "encr=%d)",
1450 version,
1451 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1452 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1453 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1454 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1455 pairwise, (unsigned long) kde_len, keyidx, encr);
1456
1457 key_data_len = kde_len;
1458
1459 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1460 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1461 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a14896e8 1462 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1463 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1464 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1465 pad_len = key_data_len % 8;
1466 if (pad_len)
1467 pad_len = 8 - pad_len;
1468 key_data_len += pad_len + 8;
1469 }
1470
1471 len += key_data_len;
b729fd8d
JM		 1472 if (!mic_len && encr)
1473 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1474
1475 hdr = os_zalloc(len);
1476 if (hdr == NULL)
1477 return;
1478 hdr->version = wpa_auth->conf.eapol_version;
1479 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1480 hdr->length = host_to_be16(len - sizeof(*hdr));
1481 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1482 key_mic = (u8 *) (key + 1);
5e3b5197 1483 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1484
1485 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1486 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1487 key_info |= version;
1488 if (encr && sm->wpa == WPA_VERSION_WPA2)
1489 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1490 if (sm->wpa != WPA_VERSION_WPA2)
1491 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1492 WPA_PUT_BE16(key->key_info, key_info);
1493
1494 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
caab23f1
JM		 1495 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) ||
1496 (sm->wpa == WPA_VERSION_WPA2 && !pairwise))
6fc6879b 1497 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1498 else
1499 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b
JM		 1500
1501 /* FIX: STSL: what to use as key_replay_counter? */
22a299ee
JM		 1502 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1503 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1504 os_memcpy(sm->key_replay[i].counter,
1505 sm->key_replay[i - 1].counter,
1506 WPA_REPLAY_COUNTER_LEN);
1507 }
1508 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1509 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1510 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1511 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1512 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1513 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1514
1515 if (nonce)
1516 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1517
1518 if (key_rsc)
1519 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1520
1521 if (kde && !encr) {
5e3b5197 1522 os_memcpy(key_data, kde, kde_len);
6d014ffc 1523 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d
JM		 1524#ifdef CONFIG_FILS
1525 } else if (!mic_len) {
1526 const u8 *aad[1];
1527 size_t aad_len[1];
1528
1529 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1530 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1531 kde, kde_len);
1532
1533 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1534 sm->PTK.kek, sm->PTK.kek_len);
1535 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1536 * to Key Data (exclusive). */
1537 aad[0] = (u8 *) hdr;
1538 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1539 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1540 1, aad, aad_len, key_mic + 2) < 0) {
1541 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1542 return;
1543 }
1544
1545 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1546 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1547#endif /* CONFIG_FILS */
6fc6879b
JM		 1548 } else if (encr && kde) {
1549 buf = os_zalloc(key_data_len);
1550 if (buf == NULL) {
1551 os_free(hdr);
1552 return;
1553 }
1554 pos = buf;
1555 os_memcpy(pos, kde, kde_len);
1556 pos += kde_len;
1557
1558 if (pad_len)
1559 *pos++ = 0xdd;
1560
1561 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1562 buf, key_data_len);
1563 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1564 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
567da5bb 1565 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a14896e8 1566 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1567 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b 1568 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1569 wpa_printf(MSG_DEBUG,
1570 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1571 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1572 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1573 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1574 os_free(hdr);
1575 os_free(buf);
1576 return;
1577 }
6d014ffc 1578 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1579#ifndef CONFIG_NO_RC4
98cd3d1c 1580 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1581 u8 ek[32];
ef9627cb
JM		 1582
1583 wpa_printf(MSG_DEBUG,
1584 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1585 os_memcpy(key->key_iv,
1586 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1587 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1588 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1589 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1590 os_memcpy(key_data, buf, key_data_len);
1591 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1592 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1593#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1594 } else {
1595 os_free(hdr);
1596 os_free(buf);
1597 return;
6fc6879b
JM		 1598 }
1599 os_free(buf);
1600 }
1601
1602 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1603 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1604 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1605 "PTK not valid when sending EAPOL-Key "
1606 "frame");
1607 os_free(hdr);
1608 return;
1609 }
5e3b5197 1610
98cd3d1c
JM		 1611 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1612 sm->wpa_key_mgmt, version,
5e3b5197 1613 (u8 *) hdr, len, key_mic);
7af092a0
JB		 1614#ifdef CONFIG_TESTING_OPTIONS
1615 if (!pairwise &&
06df2aa6 1616 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1617 drand48() <
1618 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1619 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1620 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1621 key_mic[0]++;
7af092a0
JB		 1622 }
1623#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1624 }
1625
1626 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1627 1);
1628 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1629 sm->pairwise_set);
1630 os_free(hdr);
1631}
1632
1633
1634static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1635 struct wpa_state_machine *sm, int key_info,
1636 const u8 *key_rsc, const u8 *nonce,
1637 const u8 *kde, size_t kde_len,
1638 int keyidx, int encr)
1639{
1640 int timeout_ms;
1641 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1642 u32 ctr;
6fc6879b
JM		 1643
1644 if (sm == NULL)
1645 return;
1646
1647 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1648 keyidx, encr, 0);
1649
bae61562 1650 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1651 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1652 timeout_ms = pairwise ? eapol_key_timeout_first :
1653 eapol_key_timeout_first_group;
bae61562
JM		 1654 else
1655 timeout_ms = eapol_key_timeout_subseq;
e4bf4db9
JM		 1656 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1657 sm->pending_1_of_4_timeout = 1;
1658 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1659 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1660 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1661 wpa_send_eapol_timeout, wpa_auth, sm);
1662}
1663
1664
567da5bb
JM		 1665static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1666 u8 *data, size_t data_len)
6fc6879b
JM		 1667{
1668 struct ieee802_1x_hdr *hdr;
1669 struct wpa_eapol_key *key;
1670 u16 key_info;
1671 int ret = 0;
6d014ffc 1672 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
567da5bb 1673 size_t mic_len = wpa_mic_len(akmp, pmk_len);
6fc6879b
JM		 1674
1675 if (data_len < sizeof(*hdr) + sizeof(*key))
1676 return -1;
1677
1678 hdr = (struct ieee802_1x_hdr *) data;
1679 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1680 mic_pos = (u8 *) (key + 1);
6fc6879b 1681 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1682 os_memcpy(mic, mic_pos, mic_len);
1683 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1684 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1685 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1686 data, data_len, mic_pos) ||
1687 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1688 ret = -1;
6d014ffc 1689 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1690 return ret;
1691}
1692
1693
1694void wpa_remove_ptk(struct wpa_state_machine *sm)
1695{
1696 sm->PTK_valid = FALSE;
1697 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1698 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1699 0))
1700 wpa_printf(MSG_DEBUG,
1701 "RSN: PTK removal from the driver failed");
6fc6879b 1702 sm->pairwise_set = FALSE;
581a8cde 1703 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1704}
1705
1706
bb119228 1707int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1708{
5d22a1d5
JM		 1709 int remove_ptk = 1;
1710
6fc6879b 1711 if (sm == NULL)
6f9b5d16 1712 return -1;
6fc6879b
JM		 1713
1714 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1715 "event %d notification", event);
1716
1717 switch (event) {
1718 case WPA_AUTH:
c50d94f1
BC		 1719#ifdef CONFIG_MESH
1720 /* PTKs are derived through AMPE */
1721 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1722 /* not mesh */
1723 break;
1724 }
1725 return 0;
1726#endif /* CONFIG_MESH */
6fc6879b
JM		 1727 case WPA_ASSOC:
1728 break;
1729 case WPA_DEAUTH:
1730 case WPA_DISASSOC:
1731 sm->DeauthenticationRequest = TRUE;
1732 break;
1733 case WPA_REAUTH:
1734 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1735 if (!sm->started) {
1736 /*
1737 * When using WPS, we may end up here if the STA
1738 * manages to re-associate without the previous STA
1739 * entry getting removed. Consequently, we need to make
1740 * sure that the WPA state machines gets initialized
1741 * properly at this point.
1742 */
1743 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1744 "started - initialize now");
1745 sm->started = 1;
1746 sm->Init = TRUE;
1747 if (wpa_sm_step(sm) == 1)
1748 return 1; /* should not really happen */
1749 sm->Init = FALSE;
1750 sm->AuthenticationRequest = TRUE;
1751 break;
1752 }
9663596f
JM		 1753 if (sm->GUpdateStationKeys) {
1754 /*
1755 * Reauthentication cancels the pending group key
1756 * update for this STA.
1757 */
1758 sm->group->GKeyDoneStations--;
1759 sm->GUpdateStationKeys = FALSE;
1760 sm->PtkGroupInit = TRUE;
1761 }
6fc6879b
JM		 1762 sm->ReAuthenticationRequest = TRUE;
1763 break;
1764 case WPA_ASSOC_FT:
4ec1fd8e 1765#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1766 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1767 "after association");
1768 wpa_ft_install_ptk(sm);
1769
6fc6879b
JM		 1770 /* Using FT protocol, not WPA auth state machine */
1771 sm->ft_completed = 1;
6f9b5d16 1772 return 0;
4ec1fd8e 1773#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1774 break;
4ec1fd8e 1775#endif /* CONFIG_IEEE80211R_AP */
957bff83
JM		 1776 case WPA_ASSOC_FILS:
1777#ifdef CONFIG_FILS
1778 wpa_printf(MSG_DEBUG,
1779 "FILS: TK configuration after association");
1780 fils_set_tk(sm);
1781 sm->fils_completed = 1;
1782 return 0;
1783#else /* CONFIG_FILS */
1784 break;
1785#endif /* CONFIG_FILS */
6fc6879b
JM		 1786 }
1787
4ec1fd8e 1788#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1789 sm->ft_completed = 0;
4ec1fd8e 1790#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1791
5d22a1d5
JM		 1792#ifdef CONFIG_IEEE80211W
1793 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1794 remove_ptk = 0;
1795#endif /* CONFIG_IEEE80211W */
78815f3d 1796#ifdef CONFIG_FILS
da24c5aa
JM		 1797 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1798 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1799 remove_ptk = 0;
1800#endif /* CONFIG_FILS */
6fc6879b 1801
5d22a1d5
JM		 1802 if (remove_ptk) {
1803 sm->PTK_valid = FALSE;
1804 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1805
1806 if (event != WPA_REAUTH_EAPOL)
1807 wpa_remove_ptk(sm);
1808 }
6fc6879b 1809
43f49c37
JM		 1810 if (sm->in_step_loop) {
1811 /*
1812 * wpa_sm_step() is already running - avoid recursive call to
1813 * it by making the existing loop process the new update.
1814 */
1815 sm->changed = TRUE;
1816 return 0;
1817 }
6f9b5d16 1818 return wpa_sm_step(sm);
6fc6879b
JM		 1819}
1820
1821
6fc6879b
JM		 1822SM_STATE(WPA_PTK, INITIALIZE)
1823{
1824 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1825 if (sm->Init) {
1826 /* Init flag is not cleared here, so avoid busy
1827 * loop by claiming nothing changed. */
1828 sm->changed = FALSE;
1829 }
1830
1831 sm->keycount = 0;
1832 if (sm->GUpdateStationKeys)
1833 sm->group->GKeyDoneStations--;
1834 sm->GUpdateStationKeys = FALSE;
1835 if (sm->wpa == WPA_VERSION_WPA)
1836 sm->PInitAKeys = FALSE;
1837 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1838 * Local AA > Remote AA)) */) {
1839 sm->Pair = TRUE;
1840 }
1841 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1842 wpa_remove_ptk(sm);
1843 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1844 sm->TimeoutCtr = 0;
a1ea1b45 1845 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 1846 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 1847 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1848 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1849 WPA_EAPOL_authorized, 0);
1850 }
1851}
1852
1853
1854SM_STATE(WPA_PTK, DISCONNECT)
1855{
567da5bb
JM		 1856 u16 reason = sm->disconnect_reason;
1857
6fc6879b
JM		 1858 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1859 sm->Disconnect = FALSE;
567da5bb
JM		 1860 sm->disconnect_reason = 0;
1861 if (!reason)
1862 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1863 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
6fc6879b
JM		 1864}
1865
1866
1867SM_STATE(WPA_PTK, DISCONNECTED)
1868{
1869 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1870 sm->DeauthenticationRequest = FALSE;
1871}
1872
1873
1874SM_STATE(WPA_PTK, AUTHENTICATION)
1875{
1876 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1877 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1878 sm->PTK_valid = FALSE;
1879 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1880 1);
1881 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1882 sm->AuthenticationRequest = FALSE;
1883}
1884
1885
40d00d2b
NC		 1886static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1887 struct wpa_group *group)
1bdb7ab3 1888{
40d00d2b
NC		 1889 if (group->first_sta_seen)
1890 return;
1bdb7ab3
JM		 1891 /*
1892 * System has run bit further than at the time hostapd was started
1893 * potentially very early during boot up. This provides better chances
1894 * of collecting more randomness on embedded systems. Re-initialize the
1895 * GMK and Counter here to improve their strength if there was not
1896 * enough entropy available immediately after system startup.
1897 */
1898 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1899 "station");
08704cd8
JM		 1900 if (random_pool_ready() != 1) {
1901 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1902 "to proceed - reject first 4-way handshake");
1903 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1904 } else {
1905 group->first_sta_seen = TRUE;
1906 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1907 }
40d00d2b 1908
aac1efec
JM		 1909 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1910 wpa_gtk_update(wpa_auth, group) < 0 ||
1911 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1912 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1913 group->first_sta_seen = FALSE;
1914 group->reject_4way_hs_for_entropy = TRUE;
1915 }
1bdb7ab3
JM		 1916}
1917
1918
6fc6879b
JM		 1919SM_STATE(WPA_PTK, AUTHENTICATION2)
1920{
1921 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1922
40d00d2b 1923 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1924 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1925
3825a19b
JM		 1926 /*
1927 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1928 * ambiguous. The Authenticator state machine uses a counter that is
1929 * incremented by one for each 4-way handshake. However, the security
1930 * analysis of 4-way handshake points out that unpredictable nonces
1931 * help in preventing precomputation attacks. Instead of the state
1932 * machine definition, use an unpredictable nonce value here to provide
1933 * stronger protection against potential precomputation attacks.
1934 */
1935 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1936 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1937 "ANonce.");
65a32cdb 1938 sm->Disconnect = TRUE;
3825a19b
JM		 1939 return;
1940 }
bc8318ac
JM		 1941 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1942 WPA_NONCE_LEN);
6fc6879b
JM		 1943 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1944 * logical place than INITIALIZE since AUTHENTICATION2 can be
1945 * re-entered on ReAuthenticationRequest without going through
1946 * INITIALIZE. */
1947 sm->TimeoutCtr = 0;
1948}
1949
1950
1951SM_STATE(WPA_PTK, INITPMK)
1952{
1953 u8 msk[2 * PMK_LEN];
1954 size_t len = 2 * PMK_LEN;
1955
1956 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1957#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1958 sm->xxkey_len = 0;
4ec1fd8e 1959#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1960 if (sm->pmksa) {
1961 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1962 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1963 sm->pmk_len = sm->pmksa->pmk_len;
567da5bb
JM		 1964#ifdef CONFIG_DPP
1965 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1966 wpa_printf(MSG_DEBUG,
1967 "DPP: No PMKSA cache entry for STA - reject connection");
1968 sm->Disconnect = TRUE;
1969 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
1970 return;
1971#endif /* CONFIG_DPP */
6fc6879b 1972 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1973 unsigned int pmk_len;
1974
834c5d68 1975 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 1976 pmk_len = PMK_LEN_SUITE_B_192;
1977 else
1978 pmk_len = PMK_LEN;
6fc6879b 1979 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1980 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1981 pmk_len);
1982 if (len < pmk_len) {
1983 wpa_printf(MSG_DEBUG,
1984 "WPA: MSK not long enough (%u) to create PMK (%u)",
1985 (unsigned int) len, (unsigned int) pmk_len);
1986 sm->Disconnect = TRUE;
1987 return;
1988 }
1989 os_memcpy(sm->PMK, msk, pmk_len);
1990 sm->pmk_len = pmk_len;
4ec1fd8e 1991#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1992 if (len >= 2 * PMK_LEN) {
1993 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1994 sm->xxkey_len = PMK_LEN;
1995 }
4ec1fd8e 1996#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1997 } else {
400de9b1 1998 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 1999 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 2000 sm->Disconnect = TRUE;
2001 return;
6fc6879b 2002 }
40aaa64f 2003 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 2004
2005 sm->req_replay_counter_used = 0;
2006 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
2007 * will break reauthentication since EAPOL state machines may not be
2008 * get into AUTHENTICATING state that clears keyRun before WPA state
2009 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2010 * state and takes PMK from the previously used AAA Key. This will
2011 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2012 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
2013 * be good workaround for this issue. */
2014 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
2015}
2016
2017
2018SM_STATE(WPA_PTK, INITPSK)
2019{
2020 const u8 *psk;
2021 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
759fd76b 2022 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
6fc6879b
JM		 2023 if (psk) {
2024 os_memcpy(sm->PMK, psk, PMK_LEN);
207976f0 2025 sm->pmk_len = PMK_LEN;
4ec1fd8e 2026#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 2027 os_memcpy(sm->xxkey, psk, PMK_LEN);
2028 sm->xxkey_len = PMK_LEN;
4ec1fd8e 2029#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2030 }
2031 sm->req_replay_counter_used = 0;
2032}
2033
2034
2035SM_STATE(WPA_PTK, PTKSTART)
2036{
2037 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2038 size_t pmkid_len = 0;
2039
2040 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2041 sm->PTKRequest = FALSE;
2042 sm->TimeoutEvt = FALSE;
f23c5b17 2043 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2044
2045 sm->TimeoutCtr++;
41f140d3 2046 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2047 /* No point in sending the EAPOL-Key - we will disconnect
2048 * immediately following this. */
2049 return;
2050 }
2051
6fc6879b
JM		 2052 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2053 "sending 1/4 msg of 4-Way Handshake");
2054 /*
2055 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2056 * one possible PSK for this STA.
2057 */
2058 if (sm->wpa == WPA_VERSION_WPA2 &&
a14896e8
JM		 2059 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2060 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2061 pmkid = buf;
2062 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2063 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2064 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2065 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2066 if (sm->pmksa) {
6fc6879b
JM		 2067 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2068 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2069 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2070 /* No KCK available to derive PMKID */
2071 pmkid = NULL;
2072 } else {
6fc6879b
JM		 2073 /*
2074 * Calculate PMKID since no PMKSA cache entry was
2075 * available with pre-calculated PMKID.
2076 */
207976f0 2077 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197
JM		 2078 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2079 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
6fc6879b
JM		 2080 }
2081 }
2082 wpa_send_eapol(sm->wpa_auth, sm,
2083 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2084 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2085}
2086
2087
f23c5b17 2088static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2089 const u8 *pmk, unsigned int pmk_len,
2090 struct wpa_ptk *ptk)
6fc6879b 2091{
4ec1fd8e 2092#ifdef CONFIG_IEEE80211R_AP
56586197 2093 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2094 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2095#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2096
207976f0 2097 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c
JM		 2098 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2099 ptk, sm->wpa_key_mgmt, sm->pairwise);
6fc6879b
JM		 2100}
2101
2102
3b5b7aa8 2103#ifdef CONFIG_FILS
c4fd6d8a
JM		 2104
2105int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
80ddf5d9
JM		 2106 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2107 struct wpabuf *g_sta, struct wpabuf *g_ap)
c4fd6d8a
JM		 2108{
2109 u8 ick[FILS_ICK_MAX_LEN];
2110 size_t ick_len;
2111 int res;
8fed47e0
JM		 2112 u8 fils_ft[FILS_FT_MAX_LEN];
2113 size_t fils_ft_len = 0;
c4fd6d8a
JM		 2114
2115 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2116 snonce, anonce, &sm->PTK, ick, &ick_len,
8fed47e0
JM		 2117 sm->wpa_key_mgmt, sm->pairwise,
2118 fils_ft, &fils_ft_len);
c4fd6d8a
JM		 2119 if (res < 0)
2120 return res;
2121 sm->PTK_valid = TRUE;
2122
8fed47e0
JM		 2123#ifdef CONFIG_IEEE80211R_AP
2124 if (fils_ft_len) {
2125 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2126 struct wpa_auth_config *conf = &wpa_auth->conf;
2127 u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
2128
2129 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2130 conf->ssid, conf->ssid_len,
2131 conf->mobility_domain,
2132 conf->r0_key_holder,
2133 conf->r0_key_holder_len,
2134 sm->addr, pmk_r0, pmk_r0_name) < 0)
2135 return -1;
2136
2137 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", pmk_r0, PMK_LEN);
2138 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2139 pmk_r0_name, WPA_PMK_NAME_LEN);
2140 wpa_ft_store_pmk_r0(wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
2141 sm->pairwise);
2142 os_memset(fils_ft, 0, sizeof(fils_ft));
2143 }
2144#endif /* CONFIG_IEEE80211R_AP */
2145
c4fd6d8a
JM		 2146 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2147 sm->addr, sm->wpa_auth->addr,
80ddf5d9
JM		 2148 g_sta ? wpabuf_head(g_sta) : NULL,
2149 g_sta ? wpabuf_len(g_sta) : 0,
2150 g_ap ? wpabuf_head(g_ap) : NULL,
2151 g_ap ? wpabuf_len(g_ap) : 0,
c4fd6d8a
JM		 2152 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2153 sm->fils_key_auth_ap,
2154 &sm->fils_key_auth_len);
2155 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2156
2157 /* Store nonces for (Re)Association Request/Response frame processing */
2158 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2159 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2160
c4fd6d8a
JM		 2161 return res;
2162}
2163
2164
3b5b7aa8 2165static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2166 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2167{
2168 struct ieee802_1x_hdr *hdr;
2169 struct wpa_eapol_key *key;
2170 u8 *pos;
2171 u16 key_data_len;
2172 u8 *tmp;
2173 const u8 *aad[1];
2174 size_t aad_len[1];
2175
75c8563e 2176 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2177 key = (struct wpa_eapol_key *) (hdr + 1);
2178 pos = (u8 *) (key + 1);
2179 key_data_len = WPA_GET_BE16(pos);
2180 if (key_data_len < AES_BLOCK_SIZE ||
2181 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2182 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2183 "No room for AES-SIV data in the frame");
2184 return -1;
2185 }
2186 pos += 2; /* Pointing at the Encrypted Key Data field */
2187
2188 tmp = os_malloc(key_data_len);
2189 if (!tmp)
2190 return -1;
2191
2192 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2193 * to Key Data (exclusive). */
75c8563e
JM		 2194 aad[0] = buf;
2195 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2196 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2197 1, aad, aad_len, tmp) < 0) {
2198 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2199 "Invalid AES-SIV data in the frame");
2200 bin_clear_free(tmp, key_data_len);
2201 return -1;
2202 }
2203
2204 /* AEAD decryption and validation completed successfully */
2205 key_data_len -= AES_BLOCK_SIZE;
2206 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2207 tmp, key_data_len);
2208
2209 /* Replace Key Data field with the decrypted version */
2210 os_memcpy(pos, tmp, key_data_len);
2211 pos -= 2; /* Key Data Length field */
2212 WPA_PUT_BE16(pos, key_data_len);
2213 bin_clear_free(tmp, key_data_len);
2214 if (_key_data_len)
2215 *_key_data_len = key_data_len;
2216 return 0;
2217}
78815f3d
JM		 2218
2219
087631b9
JM		 2220const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2221 const u8 *ies, size_t ies_len,
2222 const u8 *fils_session)
2223{
2224 const u8 *ie, *end;
2225 const u8 *session = NULL;
2226
2227 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2228 wpa_printf(MSG_DEBUG,
2229 "FILS: Not a FILS AKM - reject association");
2230 return NULL;
2231 }
2232
2233 /* Verify Session element */
2234 ie = ies;
2235 end = ((const u8 *) ie) + ies_len;
2236 while (ie + 1 < end) {
2237 if (ie + 2 + ie[1] > end)
2238 break;
2239 if (ie[0] == WLAN_EID_EXTENSION &&
2240 ie[1] >= 1 + FILS_SESSION_LEN &&
2241 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2242 session = ie;
2243 break;
2244 }
2245 ie += 2 + ie[1];
2246 }
2247
2248 if (!session) {
2249 wpa_printf(MSG_DEBUG,
2250 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2251 __func__);
2252 return NULL;
2253 }
2254
2255 if (!fils_session) {
2256 wpa_printf(MSG_DEBUG,
2257 "FILS: %s: Could not find FILS Session element in STA entry - reject",
2258 __func__);
2259 return NULL;
2260 }
2261
2262 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2263 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2264 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2265 fils_session, FILS_SESSION_LEN);
2266 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2267 session + 3, FILS_SESSION_LEN);
2268 return NULL;
2269 }
2270 return session;
2271}
2272
2273
bd599353
JM		 2274int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2275 size_t ies_len)
2276{
2277 struct ieee802_11_elems elems;
2278
2279 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2280 wpa_printf(MSG_DEBUG,
2281 "FILS: Failed to parse decrypted elements");
2282 return -1;
2283 }
2284
8b5ddda5
JM		 2285 if (!elems.fils_session) {
2286 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2287 return -1;
2288 }
2289
bd599353
JM		 2290 if (!elems.fils_key_confirm) {
2291 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2292 return -1;
2293 }
2294
2295 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2296 wpa_printf(MSG_DEBUG,
2297 "FILS: Unexpected Key-Auth length %d (expected %d)",
2298 elems.fils_key_confirm_len,
2299 (int) sm->fils_key_auth_len);
2300 return -1;
2301 }
2302
2303 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2304 sm->fils_key_auth_len) != 0) {
2305 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2306 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2307 elems.fils_key_confirm, elems.fils_key_confirm_len);
2308 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2309 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2310 return -1;
2311 }
2312
2313 return 0;
2314}
2315
2316
78815f3d
JM		 2317int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2318 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2319 u8 *pos, size_t left)
2320{
2321 u16 fc, stype;
2322 const u8 *end, *ie_start, *ie, *session, *crypt;
78815f3d
JM		 2323 const u8 *aad[5];
2324 size_t aad_len[5];
2325
2326 if (!sm || !sm->PTK_valid) {
2327 wpa_printf(MSG_DEBUG,
2328 "FILS: No KEK to decrypt Assocication Request frame");
2329 return -1;
2330 }
2331
2332 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2333 wpa_printf(MSG_DEBUG,
2334 "FILS: Not a FILS AKM - reject association");
2335 return -1;
2336 }
2337
2338 end = ((const u8 *) mgmt) + frame_len;
2339 fc = le_to_host16(mgmt->frame_control);
2340 stype = WLAN_FC_GET_STYPE(fc);
2341 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2342 ie_start = mgmt->u.reassoc_req.variable;
2343 else
2344 ie_start = mgmt->u.assoc_req.variable;
2345 ie = ie_start;
2346
2347 /*
2348 * Find FILS Session element which is the last unencrypted element in
2349 * the frame.
2350 */
087631b9
JM		 2351 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2352 fils_session);
78815f3d 2353 if (!session) {
087631b9 2354 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
78815f3d
JM		 2355 return -1;
2356 }
087631b9 2357
78815f3d
JM		 2358 crypt = session + 2 + session[1];
2359
2360 if (end - crypt < AES_BLOCK_SIZE) {
2361 wpa_printf(MSG_DEBUG,
2362 "FILS: Too short frame to include AES-SIV data");
2363 return -1;
2364 }
2365
2366 /* AES-SIV AAD vectors */
2367
2368 /* The STA's MAC address */
2369 aad[0] = mgmt->sa;
2370 aad_len[0] = ETH_ALEN;
2371 /* The AP's BSSID */
2372 aad[1] = mgmt->da;
2373 aad_len[1] = ETH_ALEN;
2374 /* The STA's nonce */
2375 aad[2] = sm->SNonce;
2376 aad_len[2] = FILS_NONCE_LEN;
2377 /* The AP's nonce */
2378 aad[3] = sm->ANonce;
2379 aad_len[3] = FILS_NONCE_LEN;
2380 /*
2381 * The (Re)Association Request frame from the Capability Information
2382 * field to the FILS Session element (both inclusive).
2383 */
2384 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2385 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2386
2387 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2388 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2389 wpa_printf(MSG_DEBUG,
2390 "FILS: Invalid AES-SIV data in the frame");
2391 return -1;
2392 }
2393 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2394 pos, left - AES_BLOCK_SIZE);
2395
bd599353
JM		 2396 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2397 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
78815f3d
JM		 2398 return -1;
2399 }
2400
2401 return left - AES_BLOCK_SIZE;
2402}
2403
e73ffa09
JM		 2404
2405int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2406 size_t current_len, size_t max_len,
2407 const struct wpabuf *hlp)
e73ffa09
JM		 2408{
2409 u8 *end = buf + max_len;
2410 u8 *pos = buf + current_len;
2411 struct ieee80211_mgmt *mgmt;
2412 struct wpabuf *plain;
e73ffa09
JM		 2413 const u8 *aad[5];
2414 size_t aad_len[5];
2415
2416 if (!sm || !sm->PTK_valid)
2417 return -1;
2418
2419 wpa_hexdump(MSG_DEBUG,
2420 "FILS: Association Response frame before FILS processing",
2421 buf, current_len);
2422
2423 mgmt = (struct ieee80211_mgmt *) buf;
2424
2425 /* AES-SIV AAD vectors */
2426
2427 /* The AP's BSSID */
2428 aad[0] = mgmt->sa;
2429 aad_len[0] = ETH_ALEN;
2430 /* The STA's MAC address */
2431 aad[1] = mgmt->da;
2432 aad_len[1] = ETH_ALEN;
2433 /* The AP's nonce */
2434 aad[2] = sm->ANonce;
2435 aad_len[2] = FILS_NONCE_LEN;
2436 /* The STA's nonce */
2437 aad[3] = sm->SNonce;
2438 aad_len[3] = FILS_NONCE_LEN;
2439 /*
2440 * The (Re)Association Response frame from the Capability Information
2441 * field (the same offset in both Association and Reassociation
2442 * Response frames) to the FILS Session element (both inclusive).
2443 */
2444 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2445 aad_len[4] = pos - aad[4];
2446
2447 /* The following elements will be encrypted with AES-SIV */
9392859d
JM		 2448 plain = fils_prepare_plainbuf(sm, hlp);
2449 if (!plain) {
2450 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2451 return -1;
2452 }
2453
2454 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2455 wpa_printf(MSG_DEBUG,
2456 "FILS: Not enough room for FILS elements");
2457 wpabuf_free(plain);
2458 return -1;
2459 }
2460
2461 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2462 plain);
2463
2464 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2465 wpabuf_head(plain), wpabuf_len(plain),
2466 5, aad, aad_len, pos) < 0) {
2467 wpabuf_free(plain);
2468 return -1;
2469 }
2470
2471 wpa_hexdump(MSG_DEBUG,
2472 "FILS: Encrypted Association Response elements",
2473 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2474 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2475 wpabuf_free(plain);
2476
2477 sm->fils_completed = 1;
2478
2479 return current_len;
2480}
2481
2482
2483static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2484 const struct wpabuf *hlp)
2485{
2486 struct wpabuf *plain;
2487 u8 *len, *tmp, *tmp2;
2488 u8 hdr[2];
2489 u8 *gtk, dummy_gtk[32];
2490 size_t gtk_len;
2491 struct wpa_group *gsm;
e73ffa09
JM		 2492
2493 plain = wpabuf_alloc(1000);
2494 if (!plain)
9392859d 2495 return NULL;
e73ffa09
JM		 2496
2497 /* TODO: FILS Public Key */
2498
2499 /* FILS Key Confirmation */
2500 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2501 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2502 /* Element ID Extension */
2503 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2504 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2505
91d91abf
JM		 2506 /* FILS HLP Container */
2507 if (hlp)
2508 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2509
2510 /* TODO: FILS IP Address Assignment */
2511
2512 /* Key Delivery */
2513 gsm = sm->group;
2514 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2515 len = wpabuf_put(plain, 1);
2516 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2517 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2518 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2519 /* GTK KDE */
2520 gtk = gsm->GTK[gsm->GN - 1];
2521 gtk_len = gsm->GTK_len;
2522 if (sm->wpa_auth->conf.disable_gtk) {
2523 /*
2524 * Provide unique random GTK to each STA to prevent use
2525 * of GTK in the BSS.
2526 */
2527 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2528 wpabuf_free(plain);
9392859d 2529 return NULL;
e73ffa09
JM		 2530 }
2531 gtk = dummy_gtk;
2532 }
2533 hdr[0] = gsm->GN & 0x03;
2534 hdr[1] = 0;
2535 tmp = wpabuf_put(plain, 0);
2536 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2537 gtk, gtk_len);
2538 wpabuf_put(plain, tmp2 - tmp);
2539
2540 /* IGTK KDE */
2541 tmp = wpabuf_put(plain, 0);
2542 tmp2 = ieee80211w_kde_add(sm, tmp);
2543 wpabuf_put(plain, tmp2 - tmp);
2544
2545 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
9392859d 2546 return plain;
e73ffa09
JM		 2547}
2548
da24c5aa
JM		 2549
2550int fils_set_tk(struct wpa_state_machine *sm)
2551{
2552 enum wpa_alg alg;
2553 int klen;
2554
2555 if (!sm || !sm->PTK_valid)
2556 return -1;
2557
2558 alg = wpa_cipher_to_alg(sm->pairwise);
2559 klen = wpa_cipher_key_len(sm->pairwise);
2560
2561 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2562 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2563 sm->PTK.tk, klen)) {
2564 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2565 return -1;
2566 }
2567
2568 return 0;
2569}
2570
fa61bff6
JM		 2571
2572u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
8b5ddda5 2573 const u8 *fils_session, struct wpabuf *hlp)
fa61bff6
JM		 2574{
2575 struct wpabuf *plain;
2576 u8 *pos = buf;
2577
2578 /* FILS Session */
2579 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
2580 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
2581 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2582 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2583 pos += FILS_SESSION_LEN;
2584
8b5ddda5 2585 plain = fils_prepare_plainbuf(sm, hlp);
fa61bff6
JM		 2586 if (!plain) {
2587 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2588 return NULL;
2589 }
2590
2591 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2592 pos += wpabuf_len(plain);
2593
2594 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2595 (unsigned int) wpabuf_len(plain));
2596 wpabuf_free(plain);
2597 sm->fils_completed = 1;
2598 return pos;
2599}
2600
3b5b7aa8
JM		 2601#endif /* CONFIG_FILS */
2602
2603
6fc6879b
JM		 2604SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2605{
3b5b7aa8 2606 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2607 struct wpa_ptk PTK;
2c502460 2608 int ok = 0, psk_found = 0;
6fc6879b 2609 const u8 *pmk = NULL;
207976f0 2610 unsigned int pmk_len;
3b5b7aa8
JM		 2611 int ft;
2612 const u8 *eapol_key_ie, *key_data, *mic;
2613 u16 key_data_length;
2614 size_t mic_len, eapol_key_ie_len;
2615 struct ieee802_1x_hdr *hdr;
2616 struct wpa_eapol_key *key;
2617 struct wpa_eapol_ie_parse kde;
6fc6879b
JM		 2618
2619 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2620 sm->EAPOLKeyReceived = FALSE;
68921e24 2621 sm->update_snonce = FALSE;
b729fd8d 2622 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2623
567da5bb 2624 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3b5b7aa8 2625
6fc6879b
JM		 2626 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2627 * WPA-PSK: iterate through possible PSKs and select the one matching
2628 * the packet */
2629 for (;;) {
56586197 2630 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
759fd76b
JM		 2631 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2632 sm->p2p_dev_addr, pmk);
6fc6879b
JM		 2633 if (pmk == NULL)
2634 break;
2c502460 2635 psk_found = 1;
207976f0
JM		 2636 pmk_len = PMK_LEN;
2637 } else {
6fc6879b 2638 pmk = sm->PMK;
207976f0
JM		 2639 pmk_len = sm->pmk_len;
2640 }
6fc6879b 2641
364c064a
JM		 2642 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2643 break;
6fc6879b 2644
3b5b7aa8 2645 if (mic_len &&
567da5bb 2646 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
929a2ea5 2647 sm->last_rx_eapol_key,
6fc6879b
JM		 2648 sm->last_rx_eapol_key_len) == 0) {
2649 ok = 1;
2650 break;
2651 }
2652
3b5b7aa8 2653#ifdef CONFIG_FILS
75c8563e
JM		 2654 if (!mic_len &&
2655 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2656 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2657 ok = 1;
2658 break;
2659 }
2660#endif /* CONFIG_FILS */
2661
56586197 2662 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 2663 break;
2664 }
2665
2666 if (!ok) {
2667 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2668 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2669 if (psk_found)
2670 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2671 return;
2672 }
2673
3b5b7aa8
JM		 2674 /*
2675 * Note: last_rx_eapol_key length fields have already been validated in
2676 * wpa_receive().
2677 */
2678 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2679 key = (struct wpa_eapol_key *) (hdr + 1);
2680 mic = (u8 *) (key + 1);
2681 key_data = mic + mic_len + 2;
2682 key_data_length = WPA_GET_BE16(mic + mic_len);
2683 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2684 sizeof(*key) - mic_len - 2)
2685 return;
2686
2687 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2688 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2689 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2690 return;
2691 }
2692 if (kde.rsn_ie) {
2693 eapol_key_ie = kde.rsn_ie;
2694 eapol_key_ie_len = kde.rsn_ie_len;
2695 } else if (kde.osen) {
2696 eapol_key_ie = kde.osen;
2697 eapol_key_ie_len = kde.osen_len;
2698 } else {
2699 eapol_key_ie = kde.wpa_ie;
2700 eapol_key_ie_len = kde.wpa_ie_len;
2701 }
2702 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2703 if (sm->wpa_ie == NULL ||
2704 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2705 eapol_key_ie, eapol_key_ie_len)) {
2706 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2707 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2708 if (sm->wpa_ie) {
2709 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2710 sm->wpa_ie, sm->wpa_ie_len);
2711 }
2712 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2713 eapol_key_ie, eapol_key_ie_len);
2714 /* MLME-DEAUTHENTICATE.request */
567da5bb
JM		 2715 wpa_sta_disconnect(wpa_auth, sm->addr,
2716 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2717 return;
2718 }
4ec1fd8e 2719#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8 2720 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
567da5bb
JM		 2721 wpa_sta_disconnect(wpa_auth, sm->addr,
2722 WLAN_REASON_PREV_AUTH_NOT_VALID);
3b5b7aa8
JM		 2723 return;
2724 }
4ec1fd8e 2725#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2726#ifdef CONFIG_P2P
2727 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2728 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2729 int idx;
2730 wpa_printf(MSG_DEBUG,
2731 "P2P: IP address requested in EAPOL-Key exchange");
2732 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2733 if (idx >= 0) {
2734 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2735 bitfield_set(wpa_auth->ip_pool, idx);
2736 WPA_PUT_BE32(sm->ip_addr, start + idx);
2737 wpa_printf(MSG_DEBUG,
2738 "P2P: Assigned IP address %u.%u.%u.%u to "
2739 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2740 sm->ip_addr[2], sm->ip_addr[3],
2741 MAC2STR(sm->addr));
2742 }
2743 }
2744#endif /* CONFIG_P2P */
2745
4ec1fd8e 2746#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2747 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2748 /*
2749 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2750 * with the value we derived.
2751 */
870834a1
JM		 2752 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2753 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2754 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2755 "PMKR1Name mismatch in FT 4-way "
2756 "handshake");
2757 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2758 "Supplicant",
2759 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2760 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2761 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2762 return;
2763 }
2764 }
4ec1fd8e 2765#endif /* CONFIG_IEEE80211R_AP */
26e23750 2766
e4bf4db9 2767 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2768 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2769
56586197 2770 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2771 /* PSK may have changed from the previous choice, so update
2772 * state machine data based on whatever PSK was selected here.
2773 */
2774 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2775 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2776 }
2777
2778 sm->MICVerified = TRUE;
2779
2780 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2781 sm->PTK_valid = TRUE;
2782}
2783
2784
2785SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2786{
2787 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2788 sm->TimeoutCtr = 0;
2789}
2790
2791
2792#ifdef CONFIG_IEEE80211W
2793
2794static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2795{
2796 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2797 size_t len;
2798 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2799 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2800 }
2801
2802 return 0;
2803}
2804
2805
2806static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2807{
2808 struct wpa_igtk_kde igtk;
2809 struct wpa_group *gsm = sm->group;
03610ad2 2810 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2811 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2812
2813 if (!sm->mgmt_frame_prot)
2814 return pos;
2815
2816 igtk.keyid[0] = gsm->GN_igtk;
2817 igtk.keyid[1] = 0;
7b1080da 2818 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 2819 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 2820 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 2821 else
2822 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 2823 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
83421850
JM		 2824 if (sm->wpa_auth->conf.disable_gtk) {
2825 /*
2826 * Provide unique random IGTK to each STA to prevent use of
2827 * IGTK in the BSS.
2828 */
8dd9f9cd 2829 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 2830 return pos;
2831 }
6fc6879b 2832 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 2833 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2834 NULL, 0);
6fc6879b
JM		 2835
2836 return pos;
2837}
2838
2839#else /* CONFIG_IEEE80211W */
2840
2841static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2842{
2843 return 0;
2844}
2845
2846
2847static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2848{
2849 return pos;
2850}
2851
2852#endif /* CONFIG_IEEE80211W */
2853
2854
2855SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2856{
83421850 2857 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 2858 size_t gtk_len, kde_len;
2859 struct wpa_group *gsm = sm->group;
2860 u8 *wpa_ie;
2861 int wpa_ie_len, secure, keyidx, encr = 0;
2862
2863 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2864 sm->TimeoutEvt = FALSE;
bae61562
JM		 2865
2866 sm->TimeoutCtr++;
41f140d3 2867 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2868 /* No point in sending the EAPOL-Key - we will disconnect
2869 * immediately following this. */
2870 return;
2871 }
2872
86dfabb8
JM		 2873 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2874 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 2875 */
2876 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2877 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 2878 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 2879 wpa_ie = sm->wpa_auth->wpa_ie;
2880 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2881 if (sm->wpa == WPA_VERSION_WPA &&
2882 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2883 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 2884 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 2885 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 2886 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2887 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 2888 wpa_ie_len = wpa_ie[1] + 2;
2889 }
2890 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2891 "sending 3/4 msg of 4-Way Handshake");
2892 if (sm->wpa == WPA_VERSION_WPA2) {
2893 /* WPA2 send GTK in the 4-way handshake */
2894 secure = 1;
2895 gtk = gsm->GTK[gsm->GN - 1];
2896 gtk_len = gsm->GTK_len;
83421850
JM		 2897 if (sm->wpa_auth->conf.disable_gtk) {
2898 /*
2899 * Provide unique random GTK to each STA to prevent use
2900 * of GTK in the BSS.
2901 */
2902 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2903 return;
2904 gtk = dummy_gtk;
2905 }
6fc6879b
JM		 2906 keyidx = gsm->GN;
2907 _rsc = rsc;
2908 encr = 1;
2909 } else {
2910 /* WPA does not include GTK in msg 3/4 */
2911 secure = 0;
2912 gtk = NULL;
2913 gtk_len = 0;
2914 keyidx = 0;
2915 _rsc = NULL;
0d442aff
JM		 2916 if (sm->rx_eapol_key_secure) {
2917 /*
2918 * It looks like Windows 7 supplicant tries to use
2919 * Secure bit in msg 2/4 after having reported Michael
2920 * MIC failure and it then rejects the 4-way handshake
2921 * if msg 3/4 does not set Secure bit. Work around this
2922 * by setting the Secure bit here even in the case of
2923 * WPA if the supplicant used it first.
2924 */
2925 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 2926 "STA used Secure bit in WPA msg 2/4 - "
2927 "set Secure for 3/4 as workaround");
0d442aff
JM		 2928 secure = 1;
2929 }
6fc6879b
JM		 2930 }
2931
2932 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2933 if (gtk)
2934 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 2935#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2936 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2937 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2938 kde_len += 300; /* FTIE + 2 * TIE */
2939 }
4ec1fd8e 2940#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2941#ifdef CONFIG_P2P
2942 if (WPA_GET_BE32(sm->ip_addr) > 0)
2943 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2944#endif /* CONFIG_P2P */
6fc6879b
JM		 2945 kde = os_malloc(kde_len);
2946 if (kde == NULL)
2947 return;
2948
2949 pos = kde;
2950 os_memcpy(pos, wpa_ie, wpa_ie_len);
2951 pos += wpa_ie_len;
4ec1fd8e 2952#ifdef CONFIG_IEEE80211R_AP
26e23750 2953 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 2954 int res;
2955 size_t elen;
2956
2957 elen = pos - kde;
2958 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 2959 if (res < 0) {
2960 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2961 "PMKR1Name into RSN IE in EAPOL-Key data");
2962 os_free(kde);
2963 return;
2964 }
59e78c24
JM		 2965 pos -= wpa_ie_len;
2966 pos += elen;
26e23750 2967 }
4ec1fd8e 2968#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2969 if (gtk) {
2970 u8 hdr[2];
2971 hdr[0] = keyidx & 0x03;
2972 hdr[1] = 0;
2973 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2974 gtk, gtk_len);
2975 }
2976 pos = ieee80211w_kde_add(sm, pos);
2977
4ec1fd8e 2978#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2979 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2980 int res;
2981 struct wpa_auth_config *conf;
2982
2983 conf = &sm->wpa_auth->conf;
9257610a
JM		 2984 if (sm->assoc_resp_ftie &&
2985 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2986 os_memcpy(pos, sm->assoc_resp_ftie,
2987 2 + sm->assoc_resp_ftie[1]);
2988 res = 2 + sm->assoc_resp_ftie[1];
2989 } else {
2990 res = wpa_write_ftie(conf, conf->r0_key_holder,
2991 conf->r0_key_holder_len,
2992 NULL, NULL, pos,
2993 kde + kde_len - pos,
2994 NULL, 0);
2995 }
86dfabb8
JM		 2996 if (res < 0) {
2997 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2998 "into EAPOL-Key Key Data");
2999 os_free(kde);
3000 return;
3001 }
3002 pos += res;
3003
3004 /* TIE[ReassociationDeadline] (TU) */
3005 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3006 *pos++ = 5;
3007 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3008 WPA_PUT_LE32(pos, conf->reassociation_deadline);
3009 pos += 4;
3010
3011 /* TIE[KeyLifetime] (seconds) */
3012 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3013 *pos++ = 5;
3014 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3015 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
3016 pos += 4;
3017 }
4ec1fd8e 3018#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 3019#ifdef CONFIG_P2P
3020 if (WPA_GET_BE32(sm->ip_addr) > 0) {
3021 u8 addr[3 * 4];
3022 os_memcpy(addr, sm->ip_addr, 4);
3023 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3024 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3025 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3026 addr, sizeof(addr), NULL, 0);
3027 }
3028#endif /* CONFIG_P2P */
86dfabb8 3029
6fc6879b 3030 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3031 (secure ? WPA_KEY_INFO_SECURE : 0) |
567da5bb
JM		 3032 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3033 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3034 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3035 WPA_KEY_INFO_KEY_TYPE,
3036 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3037 os_free(kde);
6fc6879b
JM		 3038}
3039
3040
3041SM_STATE(WPA_PTK, PTKINITDONE)
3042{
3043 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3044 sm->EAPOLKeyReceived = FALSE;
3045 if (sm->Pair) {
c3550295
JM		 3046 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3047 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 3048 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 3049 sm->PTK.tk, klen)) {
567da5bb
JM		 3050 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3051 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 3052 return;
3053 }
3054 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3055 sm->pairwise_set = TRUE;
3056
581a8cde
JM		 3057 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
3058 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3059 eloop_register_timeout(sm->wpa_auth->conf.
3060 wpa_ptk_rekey, 0, wpa_rekey_ptk,
3061 sm->wpa_auth, sm);
3062 }
3063
a1ea1b45 3064 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
567da5bb 3065 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
a1ea1b45 3066 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 3067 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3068 WPA_EAPOL_authorized, 1);
3069 }
3070 }
3071
3072 if (0 /* IBSS == TRUE */) {
3073 sm->keycount++;
3074 if (sm->keycount == 2) {
3075 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3076 WPA_EAPOL_portValid, 1);
3077 }
3078 } else {
3079 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3080 1);
3081 }
3082 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3083 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3084 if (sm->wpa == WPA_VERSION_WPA)
3085 sm->PInitAKeys = TRUE;
3086 else
3087 sm->has_GTK = TRUE;
3088 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3089 "pairwise key handshake completed (%s)",
3090 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3091
4ec1fd8e 3092#ifdef CONFIG_IEEE80211R_AP
6fc6879b 3093 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 3094#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 3095}
3096
3097
3098SM_STEP(WPA_PTK)
3099{
3100 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3101
3102 if (sm->Init)
3103 SM_ENTER(WPA_PTK, INITIALIZE);
3104 else if (sm->Disconnect
1aae01fc
BG		 3105 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3106 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3107 "WPA_PTK: sm->Disconnect");
6fc6879b 3108 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 3109 }
6fc6879b
JM		 3110 else if (sm->DeauthenticationRequest)
3111 SM_ENTER(WPA_PTK, DISCONNECTED);
3112 else if (sm->AuthenticationRequest)
3113 SM_ENTER(WPA_PTK, AUTHENTICATION);
3114 else if (sm->ReAuthenticationRequest)
3115 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3116 else if (sm->PTKRequest)
3117 SM_ENTER(WPA_PTK, PTKSTART);
3118 else switch (sm->wpa_ptk_state) {
3119 case WPA_PTK_INITIALIZE:
3120 break;
3121 case WPA_PTK_DISCONNECT:
3122 SM_ENTER(WPA_PTK, DISCONNECTED);
3123 break;
3124 case WPA_PTK_DISCONNECTED:
3125 SM_ENTER(WPA_PTK, INITIALIZE);
3126 break;
3127 case WPA_PTK_AUTHENTICATION:
3128 SM_ENTER(WPA_PTK, AUTHENTICATION2);
3129 break;
3130 case WPA_PTK_AUTHENTICATION2:
56586197 3131 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 3132 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3133 WPA_EAPOL_keyRun) > 0)
3134 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 3135 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3136 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 3137 /* FIX: && 802.1X::keyRun */)
3138 SM_ENTER(WPA_PTK, INITPSK);
567da5bb
JM		 3139 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3140 SM_ENTER(WPA_PTK, INITPMK);
6fc6879b
JM		 3141 break;
3142 case WPA_PTK_INITPMK:
3143 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
567da5bb 3144 WPA_EAPOL_keyAvailable) > 0) {
6fc6879b 3145 SM_ENTER(WPA_PTK, PTKSTART);
567da5bb
JM		 3146#ifdef CONFIG_DPP
3147 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3148 SM_ENTER(WPA_PTK, PTKSTART);
3149#endif /* CONFIG_DPP */
3150 } else {
6fc6879b 3151 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3152 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3153 "INITPMK - keyAvailable = false");
6fc6879b
JM		 3154 SM_ENTER(WPA_PTK, DISCONNECT);
3155 }
3156 break;
3157 case WPA_PTK_INITPSK:
759fd76b
JM		 3158 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
3159 NULL))
6fc6879b
JM		 3160 SM_ENTER(WPA_PTK, PTKSTART);
3161 else {
3162 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3163 "no PSK configured for the STA");
3164 wpa_auth->dot11RSNA4WayHandshakeFailures++;
3165 SM_ENTER(WPA_PTK, DISCONNECT);
3166 }
3167 break;
3168 case WPA_PTK_PTKSTART:
3169 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3170 sm->EAPOLKeyPairwise)
3171 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3172 else if (sm->TimeoutCtr >
41f140d3 3173 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3174 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3175 wpa_auth_vlogger(
3176 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3177 "PTKSTART: Retry limit %u reached",
3178 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3179 SM_ENTER(WPA_PTK, DISCONNECT);
3180 } else if (sm->TimeoutEvt)
3181 SM_ENTER(WPA_PTK, PTKSTART);
3182 break;
3183 case WPA_PTK_PTKCALCNEGOTIATING:
3184 if (sm->MICVerified)
3185 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3186 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3187 sm->EAPOLKeyPairwise)
3188 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3189 else if (sm->TimeoutEvt)
3190 SM_ENTER(WPA_PTK, PTKSTART);
3191 break;
3192 case WPA_PTK_PTKCALCNEGOTIATING2:
3193 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3194 break;
3195 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3196 if (sm->update_snonce)
3197 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3198 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3199 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3200 SM_ENTER(WPA_PTK, PTKINITDONE);
3201 else if (sm->TimeoutCtr >
41f140d3 3202 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3203 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3204 wpa_auth_vlogger(
3205 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3206 "PTKINITNEGOTIATING: Retry limit %u reached",
3207 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3208 SM_ENTER(WPA_PTK, DISCONNECT);
3209 } else if (sm->TimeoutEvt)
3210 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3211 break;
3212 case WPA_PTK_PTKINITDONE:
3213 break;
3214 }
3215}
3216
3217
3218SM_STATE(WPA_PTK_GROUP, IDLE)
3219{
3220 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3221 if (sm->Init) {
3222 /* Init flag is not cleared here, so avoid busy
3223 * loop by claiming nothing changed. */
3224 sm->changed = FALSE;
3225 }
3226 sm->GTimeoutCtr = 0;
3227}
3228
3229
3230SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3231{
3232 u8 rsc[WPA_KEY_RSC_LEN];
3233 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3234 const u8 *kde;
3235 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3236 size_t kde_len;
83421850 3237 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3238
3239 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3240
3241 sm->GTimeoutCtr++;
41f140d3 3242 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3243 /* No point in sending the EAPOL-Key - we will disconnect
3244 * immediately following this. */
3245 return;
3246 }
3247
6fc6879b
JM		 3248 if (sm->wpa == WPA_VERSION_WPA)
3249 sm->PInitAKeys = FALSE;
3250 sm->TimeoutEvt = FALSE;
3251 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3252 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3253 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3254 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3255 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3256 "sending 1/2 msg of Group Key Handshake");
3257
83421850
JM		 3258 gtk = gsm->GTK[gsm->GN - 1];
3259 if (sm->wpa_auth->conf.disable_gtk) {
3260 /*
3261 * Provide unique random GTK to each STA to prevent use
3262 * of GTK in the BSS.
3263 */
3264 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3265 return;
3266 gtk = dummy_gtk;
3267 }
6fc6879b
JM		 3268 if (sm->wpa == WPA_VERSION_WPA2) {
3269 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3270 ieee80211w_kde_len(sm);
e41e4f9e
JM		 3271 kde_buf = os_malloc(kde_len);
3272 if (kde_buf == NULL)
6fc6879b
JM		 3273 return;
3274
e41e4f9e 3275 kde = pos = kde_buf;
6fc6879b
JM		 3276 hdr[0] = gsm->GN & 0x03;
3277 hdr[1] = 0;
3278 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3279 gtk, gsm->GTK_len);
6fc6879b 3280 pos = ieee80211w_kde_add(sm, pos);
e41e4f9e 3281 kde_len = pos - kde;
6fc6879b 3282 } else {
83421850 3283 kde = gtk;
e41e4f9e 3284 kde_len = gsm->GTK_len;
6fc6879b
JM		 3285 }
3286
3287 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d 3288 WPA_KEY_INFO_SECURE |
567da5bb
JM		 3289 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3290 WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3291 WPA_KEY_INFO_ACK |
3292 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3293 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3294
3295 os_free(kde_buf);
6fc6879b
JM		 3296}
3297
3298
3299SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3300{
3301 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3302 sm->EAPOLKeyReceived = FALSE;
3303 if (sm->GUpdateStationKeys)
3304 sm->group->GKeyDoneStations--;
3305 sm->GUpdateStationKeys = FALSE;
3306 sm->GTimeoutCtr = 0;
3307 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3308 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3309 "group key handshake completed (%s)",
3310 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3311 sm->has_GTK = TRUE;
3312}
3313
3314
3315SM_STATE(WPA_PTK_GROUP, KEYERROR)
3316{
3317 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3318 if (sm->GUpdateStationKeys)
3319 sm->group->GKeyDoneStations--;
3320 sm->GUpdateStationKeys = FALSE;
3321 sm->Disconnect = TRUE;
4bb9b674
GK		 3322 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3323 "group key handshake failed (%s) after %u tries",
3324 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3325 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3326}
3327
3328
3329SM_STEP(WPA_PTK_GROUP)
3330{
9663596f 3331 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3332 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3333 sm->PtkGroupInit = FALSE;
3334 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3335 case WPA_PTK_GROUP_IDLE:
3336 if (sm->GUpdateStationKeys ||
3337 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3338 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3339 break;
3340 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3341 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3342 !sm->EAPOLKeyPairwise && sm->MICVerified)
3343 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3344 else if (sm->GTimeoutCtr >
41f140d3 3345 sm->wpa_auth->conf.wpa_group_update_count)
6fc6879b
JM		 3346 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3347 else if (sm->TimeoutEvt)
3348 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3349 break;
3350 case WPA_PTK_GROUP_KEYERROR:
3351 SM_ENTER(WPA_PTK_GROUP, IDLE);
3352 break;
3353 case WPA_PTK_GROUP_REKEYESTABLISHED:
3354 SM_ENTER(WPA_PTK_GROUP, IDLE);
3355 break;
3356 }
3357}
3358
3359
3360static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3361 struct wpa_group *group)
3362{
3363 int ret = 0;
3364
6fc6879b
JM		 3365 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3366 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3367 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3368 wpa_auth->addr, group->GNonce,
3369 group->GTK[group->GN - 1], group->GTK_len) < 0)
3370 ret = -1;
5cb9d5c3
JM		 3371 wpa_hexdump_key(MSG_DEBUG, "GTK",
3372 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3373
3374#ifdef CONFIG_IEEE80211W
70f8cc8e 3375 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3376 size_t len;
3377 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3378 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3379 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3380 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3381 wpa_auth->addr, group->GNonce,
8dd9f9cd 3382 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3383 ret = -1;
6fc6879b 3384 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3385 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3386 }
3387#endif /* CONFIG_IEEE80211W */
3388
3389 return ret;
3390}
3391
3392
3393static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3394 struct wpa_group *group)
3395{
3396 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3397 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3398 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3399 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3400
3401 /* GTK[0..N] = 0 */
3402 os_memset(group->GTK, 0, sizeof(group->GTK));
3403 group->GN = 1;
3404 group->GM = 2;
3405#ifdef CONFIG_IEEE80211W
3406 group->GN_igtk = 4;
3407 group->GM_igtk = 5;
3408#endif /* CONFIG_IEEE80211W */
3409 /* GTK[GN] = CalcGTK() */
3410 wpa_gtk_update(wpa_auth, group);
3411}
3412
3413
3414static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3415{
473b6f22
MB		 3416 if (ctx != NULL && ctx != sm->group)
3417 return 0;
3418
6fc6879b
JM		 3419 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3420 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3421 "Not in PTKINITDONE; skip Group Key update");
3c183894 3422 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3423 return 0;
3424 }
9663596f
JM		 3425 if (sm->GUpdateStationKeys) {
3426 /*
3c183894
JM		 3427 * This should not really happen, so add a debug log entry.
3428 * Since we clear the GKeyDoneStations before the loop, the
3429 * station needs to be counted here anyway.
9663596f
JM		 3430 */
3431 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3432 "GUpdateStationKeys was already set when "
3433 "marking station for GTK rekeying");
9663596f 3434 }
3c183894 3435
ad3872a3 3436 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3437 if (sm->is_wnmsleep)
3438 return 0;
d32d94db 3439
3c183894
JM		 3440 sm->group->GKeyDoneStations++;
3441 sm->GUpdateStationKeys = TRUE;
3442
6fc6879b
JM		 3443 wpa_sm_step(sm);
3444 return 0;
3445}
3446
3447
b5bf84ba 3448#ifdef CONFIG_WNM_AP
ad3872a3 3449/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3450void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3451{
629edfef 3452 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3453 return;
3454
3455 wpa_group_update_sta(sm, NULL);
3456}
3457
3458
3459void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3460{
629edfef
JM		 3461 if (sm)
3462 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3463}
3464
3465
3466int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3467{
d32d94db 3468 struct wpa_group *gsm = sm->group;
835822d4 3469 u8 *start = pos;
d32d94db
XC		 3470
3471 /*
835822d4 3472 * GTK subelement:
d32d94db 3473 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3474 * Key[5..32]
d32d94db 3475 */
835822d4
JM		 3476 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3477 *pos++ = 11 + gsm->GTK_len;
d32d94db 3478 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3479 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3480 pos += 2;
3481 *pos++ = gsm->GTK_len;
3482 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3483 return 0;
835822d4
JM		 3484 pos += 8;
3485 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3486 pos += gsm->GTK_len;
d32d94db 3487
835822d4
JM		 3488 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3489 gsm->GN);
3490 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3491 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3492
835822d4 3493 return pos - start;
d32d94db
XC		 3494}
3495
3496
3497#ifdef CONFIG_IEEE80211W
3498int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3499{
d32d94db 3500 struct wpa_group *gsm = sm->group;
835822d4 3501 u8 *start = pos;
8dd9f9cd 3502 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3503
835822d4
JM		 3504 /*
3505 * IGTK subelement:
3506 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3507 */
3508 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3509 *pos++ = 2 + 6 + len;
835822d4
JM		 3510 WPA_PUT_LE16(pos, gsm->GN_igtk);
3511 pos += 2;
3512 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3513 return 0;
835822d4 3514 pos += 6;
d32d94db 3515
8dd9f9cd
JM		 3516 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3517 pos += len;
d32d94db 3518
835822d4
JM		 3519 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3520 gsm->GN_igtk);
3521 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3522 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3523
835822d4 3524 return pos - start;
d32d94db
XC		 3525}
3526#endif /* CONFIG_IEEE80211W */
b5bf84ba 3527#endif /* CONFIG_WNM_AP */
d32d94db
XC		 3528
3529
6fc6879b
JM		 3530static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3531 struct wpa_group *group)
3532{
3533 int tmp;
3534
3535 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3536 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3537 group->changed = TRUE;
3538 group->wpa_group_state = WPA_GROUP_SETKEYS;
3539 group->GTKReKey = FALSE;
3540 tmp = group->GM;
3541 group->GM = group->GN;
3542 group->GN = tmp;
3543#ifdef CONFIG_IEEE80211W
3544 tmp = group->GM_igtk;
3545 group->GM_igtk = group->GN_igtk;
3546 group->GN_igtk = tmp;
3547#endif /* CONFIG_IEEE80211W */
3548 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3549 * counting the STAs that are marked with GUpdateStationKeys instead of
3550 * including all STAs that could be in not-yet-completed state. */
3551 wpa_gtk_update(wpa_auth, group);
3552
3c183894
JM		 3553 if (group->GKeyDoneStations) {
3554 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3555 "GKeyDoneStations=%d when starting new GTK rekey",
3556 group->GKeyDoneStations);
3557 group->GKeyDoneStations = 0;
3558 }
473b6f22 3559 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3560 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3561 group->GKeyDoneStations);
3562}
3563
3564
1bdb7ab3
JM		 3565static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3566 struct wpa_group *group)
6fc6879b 3567{
3c7302c2
JM		 3568 int ret = 0;
3569
3c7302c2 3570 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3571 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3572 broadcast_ether_addr, group->GN,
3573 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3574 ret = -1;
6fc6879b
JM		 3575
3576#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3577 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3578 enum wpa_alg alg;
3579 size_t len;
3580
3581 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3582 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3583
3584 if (ret == 0 &&
3585 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3586 broadcast_ether_addr, group->GN_igtk,
3587 group->IGTK[group->GN_igtk - 4], len) < 0)
3588 ret = -1;
3589 }
6fc6879b 3590#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3591
3592 return ret;
6fc6879b
JM		 3593}
3594
3595
7d7f7be2
JM		 3596static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3597{
3598 if (sm->group == ctx) {
3599 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3600 " for discconnection due to fatal failure",
3601 MAC2STR(sm->addr));
3602 sm->Disconnect = TRUE;
3603 }
3604
3605 return 0;
3606}
3607
3608
3609static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3610 struct wpa_group *group)
3611{
3612 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3613 group->changed = TRUE;
3614 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3615 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3616}
3617
3618
1bdb7ab3
JM		 3619static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3620 struct wpa_group *group)
3621{
3622 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3623 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3624 group->changed = TRUE;
3625 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3626
7d7f7be2
JM		 3627 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3628 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3629 return -1;
7d7f7be2 3630 }
1bdb7ab3
JM		 3631
3632 return 0;
3633}
3634
3635
6fc6879b
JM		 3636static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3637 struct wpa_group *group)
3638{
3639 if (group->GInit) {
3640 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3641 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3642 /* Do not allow group operations */
6fc6879b
JM		 3643 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3644 group->GTKAuthenticator) {
3645 wpa_group_setkeysdone(wpa_auth, group);
3646 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3647 group->GTKReKey) {
3648 wpa_group_setkeys(wpa_auth, group);
3649 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3650 if (group->GKeyDoneStations == 0)
3651 wpa_group_setkeysdone(wpa_auth, group);
3652 else if (group->GTKReKey)
3653 wpa_group_setkeys(wpa_auth, group);
3654 }
3655}
3656
3657
e4a6ea1d 3658static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3659{
3660 if (sm == NULL)
e4a6ea1d 3661 return 0;
6fc6879b
JM		 3662
3663 if (sm->in_step_loop) {
3664 /* This should not happen, but if it does, make sure we do not
3665 * end up freeing the state machine too early by exiting the
3666 * recursive call. */
3667 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3668 return 0;
6fc6879b
JM		 3669 }
3670
3671 sm->in_step_loop = 1;
3672 do {
3673 if (sm->pending_deinit)
3674 break;
3675
3676 sm->changed = FALSE;
3677 sm->wpa_auth->group->changed = FALSE;
3678
3679 SM_STEP_RUN(WPA_PTK);
3680 if (sm->pending_deinit)
3681 break;
3682 SM_STEP_RUN(WPA_PTK_GROUP);
3683 if (sm->pending_deinit)
3684 break;
3685 wpa_group_sm_step(sm->wpa_auth, sm->group);
3686 } while (sm->changed || sm->wpa_auth->group->changed);
3687 sm->in_step_loop = 0;
3688
3689 if (sm->pending_deinit) {
3690 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3691 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3692 wpa_free_sta_sm(sm);
e4a6ea1d 3693 return 1;
6fc6879b 3694 }
e4a6ea1d 3695 return 0;
6fc6879b
JM		 3696}
3697
3698
3699static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3700{
3701 struct wpa_state_machine *sm = eloop_ctx;
3702 wpa_sm_step(sm);
3703}
3704
3705
3706void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3707{
3708 if (sm == NULL)
3709 return;
3710 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3711}
3712
3713
3714void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3715{
3716 int tmp, i;
3717 struct wpa_group *group;
3718
3719 if (wpa_auth == NULL)
3720 return;
3721
3722 group = wpa_auth->group;
3723
3724 for (i = 0; i < 2; i++) {
3725 tmp = group->GM;
3726 group->GM = group->GN;
3727 group->GN = tmp;
3728#ifdef CONFIG_IEEE80211W
3729 tmp = group->GM_igtk;
3730 group->GM_igtk = group->GN_igtk;
3731 group->GN_igtk = tmp;
3732#endif /* CONFIG_IEEE80211W */
3733 wpa_gtk_update(wpa_auth, group);
9354e594 3734 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 3735 }
3736}
3737
3738
a6da824b 3739static const char * wpa_bool_txt(int val)
6fc6879b 3740{
a6da824b 3741 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 3742}
3743
3744
6fc6879b
JM		 3745#define RSN_SUITE "%02x-%02x-%02x-%d"
3746#define RSN_SUITE_ARG(s) \
3747((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3748
3749int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3750{
3751 int len = 0, ret;
3752 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 3753#ifdef CONFIG_RSN_PREAUTH
3754 const int preauth = 1;
3755#else /* CONFIG_RSN_PREAUTH */
3756 const int preauth = 0;
3757#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 3758
3759 if (wpa_auth == NULL)
3760 return len;
3761
3762 ret = os_snprintf(buf + len, buflen - len,
3763 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 3764 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 3765 "dot11RSNAEnabled=%s\n"
3766 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 3767 wpa_bool_txt(preauth),
6fc6879b
JM		 3768 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3769 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 3770 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3771 return len;
3772 len += ret;
3773
3774 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3775 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3776
3777 ret = os_snprintf(
3778 buf + len, buflen - len,
3779 "dot11RSNAConfigVersion=%u\n"
3780 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3781 /* FIX: dot11RSNAConfigGroupCipher */
3782 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3783 /* FIX: dot11RSNAConfigGroupRekeyTime */
3784 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3785 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3786 "dot11RSNAConfigGroupUpdateCount=%u\n"
3787 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3788 "dot11RSNAConfigGroupCipherSize=%u\n"
3789 "dot11RSNAConfigPMKLifetime=%u\n"
3790 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3791 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3792 "dot11RSNAConfigSATimeout=%u\n"
3793 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3794 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3795 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3796 "dot11RSNAPMKIDUsed=%s\n"
3797 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3798 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3799 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3800 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3801 "dot11RSNA4WayHandshakeFailures=%u\n"
3802 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3803 RSN_VERSION,
3804 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 3805 wpa_auth->conf.wpa_group_update_count,
3806 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 3807 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 3808 dot11RSNAConfigPMKLifetime,
3809 dot11RSNAConfigPMKReauthThreshold,
3810 dot11RSNAConfigSATimeout,
3811 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3812 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3813 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3814 pmkid_txt,
3815 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3816 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3817 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3818 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3819 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 3820 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3821 return len;
3822 len += ret;
3823
3824 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3825 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3826
3827 /* Private MIB */
3828 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3829 wpa_auth->group->wpa_group_state);
d85e1fc8 3830 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3831 return len;
3832 len += ret;
3833
3834 return len;
3835}
3836
3837
3838int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3839{
3840 int len = 0, ret;
3841 u32 pairwise = 0;
3842
3843 if (sm == NULL)
3844 return 0;
3845
3846 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3847
3848 /* dot11RSNAStatsEntry */
3849
c3550295
JM		 3850 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3851 WPA_PROTO_RSN : WPA_PROTO_WPA,
3852 sm->pairwise);
3853 if (pairwise == 0)
6fc6879b
JM		 3854 return 0;
3855
3856 ret = os_snprintf(
3857 buf + len, buflen - len,
3858 /* TODO: dot11RSNAStatsIndex */
3859 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3860 "dot11RSNAStatsVersion=1\n"
3861 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3862 /* TODO: dot11RSNAStatsTKIPICVErrors */
3863 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 3864 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 3865 /* TODO: dot11RSNAStatsCCMPReplays */
3866 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3867 /* TODO: dot11RSNAStatsTKIPReplays */,
3868 MAC2STR(sm->addr),
3869 RSN_SUITE_ARG(pairwise),
3870 sm->dot11RSNAStatsTKIPLocalMICFailures,
3871 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 3872 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3873 return len;
3874 len += ret;
3875
3876 /* Private MIB */
3877 ret = os_snprintf(buf + len, buflen - len,
3878 "hostapdWPAPTKState=%d\n"
3879 "hostapdWPAPTKGroupState=%d\n",
3880 sm->wpa_ptk_state,
3881 sm->wpa_ptk_group_state);
d85e1fc8 3882 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3883 return len;
3884 len += ret;
3885
3886 return len;
3887}
3888
3889
3890void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3891{
3892 if (wpa_auth)
3893 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3894}
3895
3896
3897int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3898{
3899 return sm && sm->pairwise_set;
3900}
3901
3902
ff36ff00
JM		 3903int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3904{
3905 return sm->pairwise;
3906}
3907
3908
6fc6879b
JM		 3909int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3910{
3911 if (sm == NULL)
3912 return -1;
3913 return sm->wpa_key_mgmt;
3914}
3915
3916
3917int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3918{
3919 if (sm == NULL)
3920 return 0;
3921 return sm->wpa;
3922}
3923
3924
3925int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3926 struct rsn_pmksa_cache_entry *entry)
3927{
3928 if (sm == NULL || sm->pmksa != entry)
3929 return -1;
3930 sm->pmksa = NULL;
3931 return 0;
3932}
3933
3934
3935struct rsn_pmksa_cache_entry *
3936wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3937{
3938 return sm ? sm->pmksa : NULL;
3939}
3940
3941
3942void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3943{
3944 if (sm)
3945 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3946}
3947
3948
3949const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3950{
3951 if (wpa_auth == NULL)
3952 return NULL;
3953 *len = wpa_auth->wpa_ie_len;
3954 return wpa_auth->wpa_ie;
3955}
3956
3957
3958int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 3959 unsigned int pmk_len,
6fc6879b
JM		 3960 int session_timeout, struct eapol_state_machine *eapol)
3961{
cb465555
JM		 3962 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3963 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 3964 return -1;
3965
834c5d68 3966 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 3967 if (pmk_len > PMK_LEN_SUITE_B_192)
3968 pmk_len = PMK_LEN_SUITE_B_192;
3969 } else if (pmk_len > PMK_LEN) {
3970 pmk_len = PMK_LEN;
3971 }
3972
70c93963 3973 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 3974 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 3975 sm->wpa_auth->addr, sm->addr, session_timeout,
3976 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 3977 return 0;
3978
3979 return -1;
3980}
3981
3982
3983int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3984 const u8 *pmk, size_t len, const u8 *sta_addr,
3985 int session_timeout,
3986 struct eapol_state_machine *eapol)
3987{
3988 if (wpa_auth == NULL)
3989 return -1;
3990
70c93963 3991 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 3992 NULL, 0,
3993 wpa_auth->addr,
4bb081f1
JM		 3994 sta_addr, session_timeout, eapol,
3995 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 3996 return 0;
3997
3998 return -1;
3999}
4000
4001
f2991170 4002int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 4003 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 4004{
4005 if (wpa_auth->conf.disable_pmksa_caching)
4006 return -1;
4007
70c93963 4008 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 4009 NULL, 0,
f2991170
JM		 4010 wpa_auth->addr, addr, 0, NULL,
4011 WPA_KEY_MGMT_SAE))
4012 return 0;
4013
4014 return -1;
4015}
4016
4017
0c52953b
JM		 4018int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4019 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4020 int session_timeout, int akmp)
4021{
4022 if (wpa_auth->conf.disable_pmksa_caching)
4023 return -1;
4024
4025 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4026 NULL, 0, wpa_auth->addr, addr, session_timeout,
4027 NULL, akmp))
4028 return 0;
4029
4030 return -1;
4031}
4032
4033
901d1fe1
JM		 4034void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4035 const u8 *sta_addr)
4036{
4037 struct rsn_pmksa_cache_entry *pmksa;
4038
4039 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4040 return;
4041 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4042 if (pmksa) {
4043 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4044 MACSTR " based on request", MAC2STR(sta_addr));
4045 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4046 }
4047}
4048
4049
b8daac18
MH		 4050int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4051 size_t len)
4052{
4053 if (!wpa_auth || !wpa_auth->pmksa)
4054 return 0;
4055 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4056}
4057
4058
4c522c77
MH		 4059void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4060{
4061 if (wpa_auth && wpa_auth->pmksa)
4062 pmksa_cache_auth_flush(wpa_auth->pmksa);
4063}
4064
4065
4d77d80e
MH		 4066#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4067#ifdef CONFIG_MESH
4068
4069int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4070 char *buf, size_t len)
4071{
4072 if (!wpa_auth || !wpa_auth->pmksa)
4073 return 0;
4074
4075 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4076}
4077
4078
4079struct rsn_pmksa_cache_entry *
4080wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4081 const u8 *pmkid, int expiration)
4082{
4083 struct rsn_pmksa_cache_entry *entry;
4084 struct os_reltime now;
4085
4086 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4087 spa, 0, NULL, WPA_KEY_MGMT_SAE);
4088 if (!entry)
4089 return NULL;
4090
4091 os_get_reltime(&now);
4092 entry->expiration = now.sec + expiration;
4093 return entry;
4094}
4095
4096
4097int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4098 struct rsn_pmksa_cache_entry *entry)
4099{
4100 int ret;
4101
4102 if (!wpa_auth || !wpa_auth->pmksa)
4103 return -1;
4104
4105 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4106 if (ret < 0)
4107 wpa_printf(MSG_DEBUG,
4108 "RSN: Failed to store external PMKSA cache for "
4109 MACSTR, MAC2STR(entry->spa));
4110
4111 return ret;
4112}
4113
4114#endif /* CONFIG_MESH */
4115#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4116
4117
9f2cf23e 4118struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 4119wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4120 const u8 *pmkid)
9f2cf23e
MH		 4121{
4122 if (!wpa_auth || !wpa_auth->pmksa)
4123 return NULL;
c1bd4bac 4124 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 4125}
4126
4127
4128void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4129 struct wpa_state_machine *sm,
4130 struct wpa_authenticator *wpa_auth,
4131 u8 *pmkid, u8 *pmk)
4132{
4133 if (!sm)
4134 return;
4135
4136 sm->pmksa = pmksa;
8854f90b
JM		 4137 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4138 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4139 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 4140}
4141
4142
a0ad9e8c
MB		 4143/*
4144 * Remove and free the group from wpa_authenticator. This is triggered by a
4145 * callback to make sure nobody is currently iterating the group list while it
4146 * gets modified.
4147 */
4148static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4149 struct wpa_group *group)
4150{
4151 struct wpa_group *prev = wpa_auth->group;
4152
4153 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4154 group->vlan_id);
4155
4156 while (prev) {
4157 if (prev->next == group) {
4158 /* This never frees the special first group as needed */
4159 prev->next = group->next;
4160 os_free(group);
4161 break;
4162 }
4163 prev = prev->next;
4164 }
4165
4166}
4167
4168
4169/* Increase the reference counter for group */
4170static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4171 struct wpa_group *group)
4172{
4173 /* Skip the special first group */
4174 if (wpa_auth->group == group)
4175 return;
4176
4177 group->references++;
4178}
4179
4180
4181/* Decrease the reference counter and maybe free the group */
4182static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4183 struct wpa_group *group)
4184{
4185 /* Skip the special first group */
4186 if (wpa_auth->group == group)
4187 return;
4188
4189 group->references--;
4190 if (group->references)
4191 return;
4192 wpa_group_free(wpa_auth, group);
4193}
4194
4195
4196/*
4197 * Add a group that has its references counter set to zero. Caller needs to
4198 * call wpa_group_get() on the return value to mark the entry in use.
4199 */
6fc6879b
JM		 4200static struct wpa_group *
4201wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4202{
4203 struct wpa_group *group;
4204
4205 if (wpa_auth == NULL || wpa_auth->group == NULL)
4206 return NULL;
4207
4208 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4209 vlan_id);
bdffdc5d 4210 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4211 if (group == NULL)
4212 return NULL;
4213
4214 group->next = wpa_auth->group->next;
4215 wpa_auth->group->next = group;
4216
4217 return group;
4218}
4219
4220
7cebc8e2
MB		 4221/*
4222 * Enforce that the group state machine for the VLAN is running, increase
4223 * reference counter as interface is up. References might have been increased
4224 * even if a negative value is returned.
4225 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4226 */
4227int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4228{
4229 struct wpa_group *group;
4230
4231 if (wpa_auth == NULL)
4232 return 0;
4233
4234 group = wpa_auth->group;
4235 while (group) {
4236 if (group->vlan_id == vlan_id)
4237 break;
4238 group = group->next;
4239 }
4240
4241 if (group == NULL) {
4242 group = wpa_auth_add_group(wpa_auth, vlan_id);
4243 if (group == NULL)
4244 return -1;
4245 }
4246
4247 wpa_printf(MSG_DEBUG,
4248 "WPA: Ensure group state machine running for VLAN ID %d",
4249 vlan_id);
4250
4251 wpa_group_get(wpa_auth, group);
4252 group->num_setup_iface++;
4253
4254 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4255 return -1;
4256
4257 return 0;
4258}
4259
4260
4261/*
4262 * Decrease reference counter, expected to be zero afterwards.
4263 * returns: -1 on error (group not found, group in fail state)
4264 * -2 if wpa_group is still referenced
4265 * 0 else
4266 */
4267int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4268{
4269 struct wpa_group *group;
4270 int ret = 0;
4271
4272 if (wpa_auth == NULL)
4273 return 0;
4274
4275 group = wpa_auth->group;
4276 while (group) {
4277 if (group->vlan_id == vlan_id)
4278 break;
4279 group = group->next;
4280 }
4281
4282 if (group == NULL)
4283 return -1;
4284
4285 wpa_printf(MSG_DEBUG,
4286 "WPA: Try stopping group state machine for VLAN ID %d",
4287 vlan_id);
4288
4289 if (group->num_setup_iface <= 0) {
4290 wpa_printf(MSG_ERROR,
4291 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4292 vlan_id);
4293 return -1;
4294 }
4295 group->num_setup_iface--;
4296
4297 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4298 ret = -1;
4299
4300 if (group->references > 1) {
4301 wpa_printf(MSG_DEBUG,
4302 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4303 vlan_id);
4304 ret = -2;
4305 }
4306
4307 wpa_group_put(wpa_auth, group);
4308
4309 return ret;
4310}
4311
4312
6fc6879b
JM		 4313int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4314{
4315 struct wpa_group *group;
4316
4317 if (sm == NULL || sm->wpa_auth == NULL)
4318 return 0;
4319
4320 group = sm->wpa_auth->group;
4321 while (group) {
4322 if (group->vlan_id == vlan_id)
4323 break;
4324 group = group->next;
4325 }
4326
4327 if (group == NULL) {
4328 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4329 if (group == NULL)
4330 return -1;
4331 }
4332
4333 if (sm->group == group)
4334 return 0;
4335
7d7f7be2
JM		 4336 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4337 return -1;
4338
6fc6879b
JM		 4339 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4340 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4341
a0ad9e8c
MB		 4342 wpa_group_get(sm->wpa_auth, group);
4343 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4344 sm->group = group;
a0ad9e8c 4345
6fc6879b
JM		 4346 return 0;
4347}
e4bf4db9
JM		 4348
4349
4350void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4351 struct wpa_state_machine *sm, int ack)
4352{
4353 if (wpa_auth == NULL || sm == NULL)
4354 return;
4355 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4356 " ack=%d", MAC2STR(sm->addr), ack);
4357 if (sm->pending_1_of_4_timeout && ack) {
4358 /*
4359 * Some deployed supplicant implementations update their SNonce
4360 * for each EAPOL-Key 2/4 message even within the same 4-way
4361 * handshake and then fail to use the first SNonce when
4362 * deriving the PTK. This results in unsuccessful 4-way
4363 * handshake whenever the relatively short initial timeout is
4364 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4365 * around this by increasing the timeout now that we know that
4366 * the station has received the frame.
4367 */
4368 int timeout_ms = eapol_key_timeout_subseq;
4369 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4370 "timeout by %u ms because of acknowledged frame",
4371 timeout_ms);
4372 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4373 eloop_register_timeout(timeout_ms / 1000,
4374 (timeout_ms % 1000) * 1000,
4375 wpa_send_eapol_timeout, wpa_auth, sm);
4376 }
4377}
c10347f2
JM		 4378
4379
4380int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4381{
4382 if (sm == NULL)
4383 return 0;
4384 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4385}
aa189ac9
JM		 4386
4387
4388int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4389{
4390 if (sm == NULL)
4391 return 0;
4392 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4393}
25ef8529
JM		 4394
4395
4396#ifdef CONFIG_P2P
4397int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4398{
4399 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4400 return -1;
4401 os_memcpy(addr, sm->ip_addr, 4);
4402 return 0;
4403}
4404#endif /* CONFIG_P2P */
cbc210de
JM		 4405
4406
4407int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4408 struct radius_das_attrs *attr)
4409{
4410 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4411}
34782730
JM		 4412
4413
4414void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4415{
4416 struct wpa_group *group;
4417
4418 if (!wpa_auth)
4419 return;
4420 for (group = wpa_auth->group; group; group = group->next)
4421 wpa_group_config_group_keys(wpa_auth, group);
4422}
7eace378
JM		 4423
4424
4425#ifdef CONFIG_FILS
4426
4427struct wpa_auth_fils_iter_data {
4428 struct wpa_authenticator *auth;
4429 const u8 *cache_id;
4430 struct rsn_pmksa_cache_entry *pmksa;
4431 const u8 *spa;
4432 const u8 *pmkid;
4433};
4434
4435
4436static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4437{
4438 struct wpa_auth_fils_iter_data *data = ctx;
4439
4cc6574d 4440 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4441 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4442 FILS_CACHE_ID_LEN) != 0)
4443 return 0;
4444 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4445 return data->pmksa != NULL;
4446}
4447
4448
4449struct rsn_pmksa_cache_entry *
4450wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4451 const u8 *sta_addr, const u8 *pmkid)
4452{
4453 struct wpa_auth_fils_iter_data idata;
4454
4455 if (!wpa_auth->conf.fils_cache_id_set)
4456 return NULL;
4457 idata.auth = wpa_auth;
4458 idata.cache_id = wpa_auth->conf.fils_cache_id;
4459 idata.pmksa = NULL;
4460 idata.spa = sta_addr;
4461 idata.pmkid = pmkid;
4462 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4463 return idata.pmksa;
4464}
4465
5db997e3
JM		 4466
4467#ifdef CONFIG_IEEE80211R_AP
4468int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
4469{
4470 struct wpa_auth_config *conf = &wpa_auth->conf;
4471
4472 return wpa_write_ftie(conf, conf->r0_key_holder,
4473 conf->r0_key_holder_len,
4474 NULL, NULL, buf, len, NULL, 0);
4475}
4476#endif /* CONFIG_IEEE80211R_AP */
4477
8acbf85f
JM		 4478
4479void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4480 u8 *fils_anonce, u8 *fils_snonce,
4481 u8 *fils_kek, size_t *fils_kek_len)
4482{
4483 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4484 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4485 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4486 *fils_kek_len = sm->PTK.kek_len;
4487}
4488
7eace378 4489#endif /* CONFIG_FILS */
Unnamed repository; edit this file 'description' to name the repository.